Comment 5 for bug 567188

Taylor Yu (tlyu) wrote : Re: [Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

jean-yves chateaux <email address hidden> writes:

> The errors are the results of MIT resolution to exclude DES/DES3 from the supported enctypes (security reasons).

DES3 was not marked as "weak". Neither was rc4-hmac (enctype 23).
The "export-grade" rc4-hmac-exp is enctype 24 and was marked as weak,
but that doesn't explain the "KRB5KDC_ERR_ETYPE_NOSUPP" when
requesting rc4-hmac (23).

> The parameter "allow_weak_crypto = true" should be added in the default [libdefaults] section of /etc/krb5.conf.

> Adding this parameter solved the errors of the original bug report but leads to a new one: likewise+krb5 cannot get the authenticated user groups correctly from the ADS when trying to browse samba shares using tickets.

The user groups problem probably has nothing to do with disabling weak
crypto.

I think more information is needed. In particular, what package
versions for the krb5 packages are in each configuration?