[Authentication] [adcli] kerberos enctypes

Philipp Gesang philipp.gesang at intra2net.com
Wed Mar 28 10:03:27 UTC 2018


-<| Quoting Sumit Bose <authentication at lists.freedesktop.org>, on Tuesday, 2018-03-27 06:51:48 PM |>-
> On Tue, Mar 27, 2018 at 05:01:04PM +0200, Philipp Gesang wrote:
> > Hi,
> > 
> > I’m looking for a way to control the encryption types that end up
> > in the host’s keytab. The goal is to prevent anything other than
> > AES based crypto from ever being used.
> > 
> > AFAICS, adcli join does not have a command line option nor does
> > it heed the *_enctypes settings in /etc/krb5.conf: the defaults
> > are always taken from a predefined set “v60_later_enctypes”.
> > 
> > Worse, after setting “msDS-SupportedEncryptionTypes” to 8 or 24
> > on the server, adcli update still writes keys for all five
> > enctypes for each principal.
> > 
> > Is there a way I might have overlooked to get rid of those RC4
> > and DES keys?

Hi Sumit,

thanks for your reply!

> I think you are right. adcli will currently unconditionally use
> v60_later_enctypes. There is some logic that would only use the enctypes
> which are used in the keytab and are known to AD, but this fails because
> the enctypes are not read from the keytab at all.
> 
> Would you mind filing a ticket on bugs.freedesktop.org?

Done: https://bugs.freedesktop.org/show_bug.cgi?id=105782

Best,
Philipp
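An added check for the situation described in this thread (example code written here, not from adcli or from either poster): it decodes an msDS-SupportedEncryptionTypes value into the enctypes the server permits and flags keytab entries that fall outside it, so an admin can detect leftover RC4/DES keys after adcli update. The `klist -kte` output, principal, timestamps and path below are constructed sample data; the bit-to-enctype mapping is the documented AD attribute layout.

```python
import re

# Bits of the AD attribute msDS-SupportedEncryptionTypes, mapped to the MIT
# enctype names that `klist -kte` prints (e.g. 24 = 8 | 16 = AES only).
AD_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# One MIT `klist -kte` entry: "<kvno> <date> <time> <principal> (<enctype>)".
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")

# Constructed sample of what the thread describes: adcli wrote all five
# enctypes for the host principal (principal and path are made up).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/28/2018 10:03:27 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/28/2018 10:03:27 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 03/28/2018 10:03:27 host/client.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   2 03/28/2018 10:03:27 host/client.example.com@EXAMPLE.COM (des-cbc-md5)
   2 03/28/2018 10:03:27 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
"""


def allowed_enctypes(supported: int) -> set:
    """Enctype names permitted by a msDS-SupportedEncryptionTypes value."""
    return {name for bit, name in AD_ENCTYPE_BITS.items() if supported & bit}


def parse_klist(output: str) -> list:
    """Return (kvno, principal, enctype) for each entry in `klist -kte` output."""
    entries = []
    for line in output.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            # Newer MIT builds prefix deprecated enctypes with "DEPRECATED:".
            etype = m.group(3).split(":")[-1]
            entries.append((int(m.group(1)), m.group(2), etype))
    return entries


def keytab_violations(output: str, supported: int) -> list:
    """Keytab entries whose enctype the server attribute does not allow."""
    allowed = allowed_enctypes(supported)
    return [e for e in parse_klist(output) if e[2] not in allowed]
```

With the attribute set to 24 as in the thread, `keytab_violations(SAMPLE_KLIST, 24)` returns the three RC4 and DES entries; feed it the real `klist -kte` output to audit a host after adcli update.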
