Re: [Samba] Samba 4 and new Kerberos version
2012-02-08 09:29 keltezéssel, steve írta: On 07/02/12 20:52, Gémes Géza wrote: 2012-02-07 16:07 keltezéssel, steve írta: On 07/02/12 12:01, Andrew Bartlett wrote: On Tue, 2012-02-07 at 10:24 +0100, steve wrote: I just got this from the mit list: quote DES transition == The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting allow_weak_crypto = true to communicate with existing Kerberos infrastructures if they do not support stronger ciphers. /quote Does/will this apply to us? Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf. Andrew Bartlett Hi I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the des stuff apply to me? Thanks, Steve Hi, You need to enable weak crypto if you want to use kerberos with apps which depends on des (e.g nfs, openafs). Regards Geza Mmm. That's what I thought. I added that line to krb5.conf before using nfs. I commented it and it still works. The s4 nfs transactions seem to choose arcfour, not des. I can't find this documented anywhere but noises on the nfs kernel list suggest that the weak crypto is not now necessary. Will leave the line commented until nfs explodes at some stage. Cheers, Steve Could have been fixed I've used nfs with gss/krb a few years ago when it ws working with des-cbc-crc only, have migrated to openafs since then. Cheers Geza -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 and new Kerberos version
On 07/02/12 20:52, Gémes Géza wrote: 2012-02-07 16:07 keltezéssel, steve írta: On 07/02/12 12:01, Andrew Bartlett wrote: On Tue, 2012-02-07 at 10:24 +0100, steve wrote: I just got this from the mit list: quote DES transition == The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting allow_weak_crypto = true to communicate with existing Kerberos infrastructures if they do not support stronger ciphers. /quote Does/will this apply to us? Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf. Andrew Bartlett Hi I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the des stuff apply to me? Thanks, Steve Hi, You need to enable weak crypto if you want to use kerberos with apps which depends on des (e.g nfs, openafs). Regards Geza Mmm. That's what I thought. I added that line to krb5.conf before using nfs. I commented it and it still works. The s4 nfs transactions seem to choose arcfour, not des. I can't find this documented anywhere but noises on the nfs kernel list suggest that the weak crypto is not now necessary. Will leave the line commented until nfs explodes at some stage. Cheers, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba 4 and new Kerberos version
I just got this from the mit list: quote DES transition == The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting allow_weak_crypto = true to communicate with existing Kerberos infrastructures if they do not support stronger ciphers. /quote Does/will this apply to us? Thanks, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 and new Kerberos version
On Tue, 2012-02-07 at 10:24 +0100, steve wrote: I just got this from the mit list: quote DES transition == The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting allow_weak_crypto = true to communicate with existing Kerberos infrastructures if they do not support stronger ciphers. /quote Does/will this apply to us? Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 and new Kerberos version
On 07/02/12 12:01, Andrew Bartlett wrote: On Tue, 2012-02-07 at 10:24 +0100, steve wrote: I just got this from the mit list: quote DES transition == The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting allow_weak_crypto = true to communicate with existing Kerberos infrastructures if they do not support stronger ciphers. /quote Does/will this apply to us? Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf. Andrew Bartlett Hi I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the des stuff apply to me? Thanks, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 and new Kerberos version
2012-02-07 16:07 keltezéssel, steve írta: On 07/02/12 12:01, Andrew Bartlett wrote: On Tue, 2012-02-07 at 10:24 +0100, steve wrote: I just got this from the mit list: quote DES transition == The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting allow_weak_crypto = true to communicate with existing Kerberos infrastructures if they do not support stronger ciphers. /quote Does/will this apply to us? Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf. Andrew Bartlett Hi I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the des stuff apply to me? Thanks, Steve Hi, You need to enable weak crypto if you want to use kerberos with apps which depends on des (e.g nfs, openafs). Regards Geza -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
