authorGerald W. Carter <jerry@samba.org>2008-01-28 11:32:09 -0600
committerGünther Deschner <gd@samba.org>2008-01-31 10:30:52 +0100
commit945bbd14bb1c8ec11365d52a7897ca17e95c9053 (patch)
treee69bad4cea7f38176fc582977e306435c8c9d06f
parent2ced9b906fe9044edf6efbca6175aa481c2a4451 (diff)
Restrict the enctypes in the generated krb5.conf files to Win2003 types.
This fixes the failure observed on FC8 when joining a Windows 2008 RC1 domain. We currently do not handle user session keys correctly when the KDC uses AES in the ticket replies.
-rw-r--r--source/libads/kerberos.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c
index 890ea2bcb51..089540536cc 100644
--- a/source/libads/kerberos.c
+++ b/source/libads/kerberos.c
@@ -676,11 +676,15 @@ BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *do
TALLOC_FREE(dname);
return False;
}
-
- file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n\n"
- "[realms]\n\t%s = {\n"
- "\t%s\t}\n",
- realm_upper, realm_upper, kdc_ip_string);
+
+ file_contents = talloc_asprintf(fname,
+ "[libdefaults]\n\tdefault_realm = %s\n"
+ "default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+ "[realms]\n\t%s = {\n"
+ "\t%s\t}\n",
+ realm_upper, realm_upper, kdc_ip_string);
if (!file_contents) {
TALLOC_FREE(dname);