2012-02-08 09:29 keltezéssel, steve írta: > On 07/02/12 20:52, Gémes Géza wrote: >> 2012-02-07 16:07 keltezéssel, steve írta: >>> On 07/02/12 12:01, Andrew Bartlett wrote: >>>> On Tue, 2012-02-07 at 10:24 +0100, steve wrote: >>>>> I just got this from the mit list: >>>>> >>>>> <quote> >>>>> DES transition >>>>> ============== >>>>> >>>>> The krb5-1.8 release disables single-DES cryptosystems by >>>>> default. As >>>>> a result, you may need to add the libdefaults setting >>>>> "allow_weak_crypto = true" to communicate with existing Kerberos >>>>> infrastructures if they do not support stronger ciphers. >>>>> >>>>> </quote> >>>>> >>>>> Does/will this apply to us? >>>> Heimdal did this a long time ago, so yes. If you wish to use DES, you >>>> have to set that in your krb5.conf. >>>> >>>> Andrew Bartlett >>>> >>> Hi >>> I'm using S4 out of the box on openSUSE 12.1. All the Kerberos >>> transactions seem to choose arcfour. >>> Does the des stuff apply to me? >>> Thanks, >>> Steve >>> >> Hi, >> You need to enable weak crypto if you want to use kerberos with apps >> which depends on des (e.g nfs, openafs). >> Regards >> Geza > Mmm. That's what I thought. I added that line to krb5.conf before > using nfs. I commented it and it still works. The s4 nfs transactions > seem to choose arcfour, not des. I can't find this documented anywhere > but noises on the nfs kernel list suggest that the weak crypto is not > now necessary. Will leave the line commented until nfs explodes at > some stage. > Cheers, > Steve > Could have been fixed I've used nfs with gss/krb a few years ago when it ws working with des-cbc-crc only, have migrated to openafs since then.
Cheers Geza -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba