author | Gerald W. Carter <jerry@samba.org> | 2008-01-28 11:32:09 -0600 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2008-01-31 10:30:52 +0100 |
commit | 945bbd14bb1c8ec11365d52a7897ca17e95c9053 (patch) | |
tree | e69bad4cea7f38176fc582977e306435c8c9d06f | |
parent | 2ced9b906fe9044edf6efbca6175aa481c2a4451 (diff) | |
download | samba-945bbd14bb1c8ec11365d52a7897ca17e95c9053.tar.gz |
Restrict the enctypes in the generated krb5.conf files to Win2003 types.
This fixes the failure observed on FC8 when joining a Windows 2008 RC1
domain. We currently do not handle user session keys correctly
when the KDC uses AES in the ticket replies.
-rw-r--r-- | source/libads/kerberos.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c
index 890ea2bcb51..089540536cc 100644
--- a/source/libads/kerberos.c
+++ b/source/libads/kerberos.c
@@ -676,11 +676,15 @@ BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *do
 TALLOC_FREE(dname);
 return False;
 }
-
- file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n\n"
- "[realms]\n\t%s = {\n"
- "\t%s\t}\n",
- realm_upper, realm_upper, kdc_ip_string);
+
+ file_contents = talloc_asprintf(fname,
+ "[libdefaults]\n\tdefault_realm = %s\n"
+ "default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+ "[realms]\n\t%s = {\n"
+ "\t%s\t}\n",
+ realm_upper, realm_upper, kdc_ip_string);
 if (!file_contents) {
 TALLOC_FREE(dname); |
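Review bot: The three new `*_enctypes` lines in the `talloc_asprintf()` format string pin every generated krb5.conf to RC4-HMAC and single-DES and leave AES out, but nothing in the code marks this as a workaround, so the weaker enctype set is likely to outlive the session-key problem the commit message describes. I would add a comment above the call, for example `/* Workaround: AES session keys from the KDC are not handled correctly yet; drop this enctype restriction once they are. */`. The same list is written out three times, so a single string constant shared by all three lines would keep them from drifting apart. It is also worth checking whether the two DES-CBC entries are needed at all for the join this fixes, since they are the weakest types in the list. The new lines lack the leading `\t` that `default_realm` carries, and the enclosing function starts and ends outside the hunk.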