On Wed, Jan 27, 2010 at 05:13:37PM +0100, Volker Lendecke wrote: > > > > OK. Then I currently have no idea why allow_weak_crypto would be > > > > desirable for Samba.
> > > In the case of AD realms that were continuously upgraded from NT4 domains, > > > you may have accounts only using RC4 as an enctype for > > > backwards-compatibility with pre-AD systems. I don't know if this is the > > > reason these users are seeing problems, but it's the only case I can think > > > of why allow_weak_crypto should be needed. > > Sorry, having looked at the source now, I see that the weak crypto handling > > is specific to DES, not RC4; and if Samba were *only* using RC4, this error > > would not happen. > > However, Samba requests both RC4 and DES, a historical remnant of the time > > when DES was the only enctype in common between all Kerberos > > implementations. > Referring to the SUBJECT: Where is this leading to a panic > in Samba 3.4, I got lost in the meantime. I'm afraid I don't know. I was cc:ed on this somewhat mid-thread, and haven't seen any panics; what I know about is http://bugs.debian.org/566977, which reports that after upgrade to MIT Kerberos 1.8alpha1, samba domain joins are failing because of the need for allow_weak_crypto to be set before setting DES tgs enctypes is permitted. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org
signature.asc
Description: Digital signature
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
