[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04
Tom Yu
tlyu at mit.edu
Mon Apr 26 18:18:18 BST 2010
jean-yves chateaux <jean-yves.chateaux at sagemcom.com> writes:

> The errors are the results of MIT resolution to exclude DES/DES3 from
> the supported enctypes (security reasons).

DES3 was not marked as "weak". Neither was rc4-hmac (enctype 23).
The "export-grade" rc4-hmac-exp is enctype 24 and was marked as weak,
but that doesn't explain the "KRB5KDC_ERR_ETYPE_NOSUPP" when
requesting rc4-hmac (23).

> The parameter "allow_weak_crypto = true" should be added in the
> default [libdefaults] section of /etc/krb5.conf.

> Adding this parameter solved the errors of the original bug report but
> leads to a new one: likewise+krb5 cannot get the authenticated user
> groups correctly from the ADS when trying to browse samba shares using
> tickets.

The user groups problem probably has nothing to do with disabling weak
crypto.

I think more information is needed. In particular, what package
versions for the krb5 packages are in each configuration?
--
krb5 and ADS error using 10.04, not 9.04
https://bugs.launchpad.net/bugs/567188
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
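
Added example, not part of the original message and not MIT krb5 code: a small audit of the [libdefaults] enctype lists in a krb5.conf, showing which entries are filtered out when allow_weak_crypto is off. It treats rc4-hmac-exp (24) as weak and des3 and rc4-hmac (23) as not weak, as the reply states; the single-DES names in the weak set are an assumption taken from MIT krb5 documentation, and the sample config is constructed.

```python
import re

# rc4-hmac-exp (24) is weak per the reply above; its aliases and the
# single-DES names are an assumption from MIT krb5 documentation.
# des3-* and rc4-hmac (23) are deliberately absent from this set.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des-hmac-sha1", "rc4-hmac-exp", "arcfour-hmac-exp",
        "arcfour-hmac-md5-exp"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

# Constructed sample configuration (not taken from the bug report).
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac des-cbc-md5 des3-cbc-sha1
    permitted_enctypes = rc4-hmac-exp, des-cbc-crc
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """Map each enctype list to (enctypes kept, weak enctypes filtered out)."""
    conf = parse_libdefaults(text)
    flag = conf.get("allow_weak_crypto", "false").lower()
    allow = flag in ("true", "t", "yes", "y", "on", "1")
    report = {}
    for key in ENCTYPE_KEYS:
        if key in conf:
            names = [n.lower() for n in re.split(r"[,\s]+", conf[key]) if n]
            dropped = [] if allow else [n for n in names if n in WEAK]
            report[key] = ([n for n in names if n not in dropped], dropped)
    return report

if __name__ == "__main__":
    for key, (kept, dropped) in audit(SAMPLE).items():
        print(f"{key}: kept={kept} filtered={dropped}")
```

A list whose kept side comes back empty, like permitted_enctypes in the sample, contained only weak entries; a list that still keeps rc4-hmac shows that weak-crypto filtering did not remove enctype 23.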