On Wed, Jan 27, 2010 at 04:05:46AM -0800, Steve Langasek wrote: > On Tue, Jan 26, 2010 at 02:22:36PM -0800, Steve Langasek wrote: > > On Tue, Jan 26, 2010 at 05:03:51PM -0500, Sam Hartman wrote: > > > >>>>> "Steve" == Steve Langasek <vor...@debian.org> writes: > > > > Steve> On Tue, Jan 26, 2010 at 01:29:08PM -0500, Sam Hartman wrote: > > > >> OK. Can someone on the Samba side confirm that the Linux kernel > > > >> only supports DES for some Samba related Kerberos operation? > > > >> Specific details on what is going on would be useful. > > > > Steve> The kernel is only involved when one is using CIFS mounts, > > > Steve> which aren't relevant to winbind and domain joining; so this > > > Steve> shouldn't be a kernel issue. > > > > OK. Then I currently have no idea why allow_weak_crypto would be > > > desirable for Samba. > > > In the case of AD realms that were continuously upgraded from NT4 domains, > > you may have accounts only using RC4 as an enctype for > > backwards-compatibility with pre-AD systems. I don't know if this is the > > reason these users are seeing problems, but it's the only case I can think > > of why allow_weak_crypto should be needed. > > Sorry, having looked at the source now, I see that the weak crypto handling > is specific to DES, not RC4; and if Samba were *only* using RC4, this error > would not happen. > > However, Samba requests both RC4 and DES, a historical remnant of the time > when DES was the only enctype in common between all Kerberos > implementations.
Referring to the SUBJECT: Where is this leading to a panic in Samba 3.4, I got lost in the meantime. Volker
signature.asc
Description: Digital signature
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
