On 07/02/12 20:52, Gémes Géza wrote:
2012-02-07 16:07 keltezéssel, steve írta:
On 07/02/12 12:01, Andrew Bartlett wrote:
On Tue, 2012-02-07 at 10:24 +0100, steve wrote:
I just got this from the mit list:
<quote>
DES transition
==============
The krb5-1.8 release disables single-DES cryptosystems by default. As
a result, you may need to add the libdefaults setting
"allow_weak_crypto = true" to communicate with existing Kerberos
infrastructures if they do not support stronger ciphers.
</quote>
Does/will this apply to us?
Heimdal did this a long time ago, so yes. If you wish to use DES, you
have to set that in your krb5.conf.
Andrew Bartlett
Hi
I'm using S4 out of the box on openSUSE 12.1. All the Kerberos
transactions seem to choose arcfour.
Does the des stuff apply to me?
Thanks,
Steve
Hi,
You need to enable weak crypto if you want to use kerberos with apps
which depends on des (e.g nfs, openafs).
Regards
Geza
Mmm. That's what I thought. I added that line to krb5.conf before using
nfs. I commented it and it still works. The s4 nfs transactions seem to
choose arcfour, not des. I can't find this documented anywhere but
noises on the nfs kernel list suggest that the weak crypto is not now
necessary. Will leave the line commented until nfs explodes at some stage.
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
