[Authentication] [adcli] kerberos enctypes

Philipp Gesang philipp.gesang at intra2net.com
Tue Mar 27 15:01:04 UTC 2018


Hi,

I’m looking for a way to control the encryption types that end up
in the host’s keytab. The goal is to prevent anything other than
AES based crypto from ever being used.

AFAICS, adcli join does not have a command line option nor does
it heed the *_enctypes settings in /etc/krb5.conf: the defaults
are always taken from a predefined set “v60_later_enctypes”.

Worse, after setting “msDS-SupportedEncryptionTypes” to 8 or 24
on the server, adcli update still writes keys for all five
enctypes for each principal.

Is there a way I might have overlooked to get rid of those RC4
and DES keys?

Best,
Philipp
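To confirm what actually ended up in a host keytab, the following added example (not part of the original post and not adcli code) parses a keytab and lists every key whose enctype falls outside a given msDS-SupportedEncryptionTypes mask, such as the 8 or 24 mentioned above. It assumes the MIT keytab file format version 0x0502; the sample keytab, principal and realm are constructed for illustration.

```python
import struct
# enctype number -> (name, msDS-SupportedEncryptionTypes bit)
ENCTYPES = {1: ("des-cbc-crc", 0x01), 3: ("des-cbc-md5", 0x02),
            23: ("arcfour-hmac", 0x04), 17: ("aes128-cts-hmac-sha1-96", 0x08),
            18: ("aes256-cts-hmac-sha1-96", 0x10)}

def _counted(buf, off):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                  # empty or deleted slot: skip it
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):     # realm first, then the name components
            part, off = _counted(entry, off)
            parts.append(part.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", entry, off)
        _key, off = _counted(entry, off + 11)
        if len(entry) - off >= 4:      # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        yield "/".join(parts[1:]) + "@" + parts[0], kvno, etype

def audit(data, supported_mask):
    """List keytab entries whose enctype bit is not set in supported_mask."""
    return [(p, kvno, ENCTYPES.get(e, ("etype-%d" % e, 0))[0])
            for p, kvno, e in parse_keytab(data)
            if not ENCTYPES.get(e, ("", 0))[1] & supported_mask]

def build_sample():  # constructed keytab: one hypothetical host principal, five enctypes
    s = lambda b: struct.pack(">H", len(b)) + b
    head = struct.pack(">H", 2) + s(b"EXAMPLE.TEST") + s(b"host") + s(b"pc1.example.test")
    out = b"\x05\x02"
    for etype, klen in ((1, 8), (3, 8), (23, 16), (17, 16), (18, 32)):
        e = head + struct.pack(">IIBH", 1, 0, 2, etype) + s(bytes(klen)) + struct.pack(">I", 2)
        out += struct.pack(">i", len(e)) + e
    return out

if __name__ == "__main__":
    print(audit(build_sample(), 24))   # 24 = AES128 | AES256
```

To audit a real host, pass the bytes of its keytab file (for example `/etc/krb5.keytab`, an assumed default path) to `audit()` instead of the constructed sample.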
