Comment 7 for bug 567188

Sam Hartman (hartmans) wrote : Re: [Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

>>>>> "jean-yves" == jean-yves chateaux <email address hidden> writes:

    jean-yves> The errors are the results of MIT resolution to exclude
    jean-yves> DES/DES3 from the supported enctypes (security reasons).
    jean-yves> The parameter "allow_weak_crypto = true" should be added
    jean-yves> in the default [libdefaults] section of /etc/krb5.conf.

That's very strange. All versions of Windows have supported rc4
(arcfour-hmac-md5 in MIT terms), and no version of Windows should
require DES to work.

If allow_weak_crypto = true is making things work better with Windows,
something is broken somewhere else to cause this.

    jean-yves> Adding this parameter solved the errors of the original
    jean-yves> bug report but leads to a new one: likewise+krb5 cannot
    jean-yves> get the authenticated user groups correctly from the ADS
    jean-yves> when trying to browse samba shares using tickets. It
    jean-yves> looks like a bug in krb5 when using "allow_weak_crypto =
    jean-yves> true" in the des/des3 "old school" support. This support
    jean-yves> is _not_ like the previous des/des3 krb version support.

That's very strange. There have been some changes in DES support
surrounding reorganization of libk5crypto; however, at this point, I
think we have fairly high confidence in that code.

Note that allow_weak_crypto is not new in 1.8; the thing that is new in
1.8 is that the default changed from true to false.

--Sam
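
Added example, not part of the message above or of MIT krb5: a small audit of a krb5.conf showing how the `allow_weak_crypto` default change from true to false affects a configuration that pins enctype lists. The sample config, the helper names `parse_libdefaults` and `audit`, and the abbreviated single-DES list are assumptions for illustration; the code assumes weak enctypes are filtered out of those lists when the flag is false.

```python
import re

# Single-DES names treated as weak (assumption: not MIT's complete list).
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}

# Constructed sample: a krb5.conf that pins its enctype lists.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5
[realms]
    EXAMPLE.COM = { kdc = dc1.example.com }
"""

def parse_libdefaults(text):
    """Return key/value pairs from the [libdefaults] section only."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text, default_allow_weak=False):
    """Per enctype list, report weak names and what stays usable.
    default_allow_weak models the built-in default (False as of krb5 1.8)."""
    lib = parse_libdefaults(text)
    raw = lib.get("allow_weak_crypto")
    allow = default_allow_weak if raw is None else raw.lower() in TRUE_VALUES
    report = {"allow_weak_crypto": allow, "lists": {}}
    for key in ENCTYPE_KEYS:
        names = [n.lower() for n in re.split(r"[,\s]+", lib.get(key, "")) if n]
        if names:
            weak = [n for n in names if n in WEAK]
            usable = names if allow else [n for n in names if n not in WEAK]
            report["lists"][key] = {"weak": weak, "usable": usable}
    return report

if __name__ == "__main__":
    for default in (True, False):
        print("default allow_weak_crypto =", default, audit(SAMPLE, default))
```

An empty `usable` list for a pinned key means nothing is left to negotiate once the default is false; a list that only works with the flag enabled points at the pinned enctypes rather than at the flag.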