[Authentication] [adcli] kerberos enctypes

Sumit Bose sbose at redhat.com
Tue Mar 27 16:51:48 UTC 2018


On Tue, Mar 27, 2018 at 05:01:04PM +0200, Philipp Gesang wrote:
> Hi,
> 
> I’m looking for a way to control the encryption types that end up
> in the host’s keytab. The goal is to prevent anything other than
> AES based crypto from ever being used.
> 
> AFAICS, adcli join does not have a command line option nor does
> it heed the *_enctypes settings in /etc/krb5.conf: the defaults
> are always taken from a predefined set “v60_later_enctypes”.
> 
> Worse, after setting “msDS-SupportedEncryptionTypes” to 8 or 24
> on the server, adcli update still writes keys for all five
> enctypes for each principal.
> 
> Is there a way I might have overlooked to get rid of those RC4
> and DES keys?

I think you are right. adcli will currently unconditionally use
v60_later_enctypes. There is some logic that would only use the enctypes
which are used in the keytab and are known to AD, but this fails because
the enctypes are not read from the keytab at all.

Would you mind filing a ticket on bugs.freedesktop.org?

bye,
Sumit

> 
> Best,
> Philipp
> 



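Since adcli offers no switch for this, a host owner who wants to verify what actually landed in the keytab has to audit it. The following is an added example (not from this thread, nor adcli's own code): it decodes the msDS-SupportedEncryptionTypes bitmask and flags any principal in MIT `klist -ket` output that still carries non-AES keys, using a constructed sample of that output rather than a real host's keytab.

```python
import re
from typing import Dict, List, Set

# Bit values of the AD attribute msDS-SupportedEncryptionTypes
# (8 = AES128 only, 24 = AES128 + AES256, as in the question above).
MSDS_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Enctype names as printed by MIT `klist -ket` that the policy allows.
AES_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Constructed sample of `klist -ket /etc/krb5.keytab` output: five keys per
# principal, which is what the post describes adcli writing.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/27/2018 16:51:48 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/27/2018 16:51:48 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 03/27/2018 16:51:48 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
   2 03/27/2018 16:51:48 host/client.example.com@EXAMPLE.COM (des-cbc-md5)
   2 03/27/2018 16:51:48 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
"""

# KVNO, date, time, principal, "(enctype)"; header and separator lines do not match.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def decode_msds_enctypes(value: int) -> Set[str]:
    """Expand an msDS-SupportedEncryptionTypes bitmask into enctype names."""
    return {name for bit, name in MSDS_ENCTYPE_BITS.items() if value & bit}

def parse_klist(text: str) -> Dict[str, Set[str]]:
    """Map each principal in klist -ket output to the enctypes present for it."""
    found: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(m.group(3))
    return found

def weak_keys(text: str, allowed: Set[str] = AES_ENCTYPES) -> Dict[str, List[str]]:
    """Return principals whose keytab entries include enctypes outside `allowed`."""
    return {p: sorted(e - allowed) for p, e in parse_klist(text).items() if e - allowed}

if __name__ == "__main__":
    print("AD advertises:", sorted(decode_msds_enctypes(24)))
    for principal, weak in weak_keys(SAMPLE_KLIST).items():
        print(f"{principal}: non-AES keys present: {', '.join(weak)}")
```

Run it against `klist -ket /etc/krb5.keytab` output after each `adcli update` to confirm whether the RC4 and DES entries have actually gone away.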