This parameter determines the encryption types to use when operating
as a Kerberos client. Possible values are all,
strong, and legacy.
Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos
tickets. This library is normally configured outside of Samba, using
the krb5.conf file. This file may also include directives to configure
the encryption types to be used. However, Samba implements Active Directory
protocols and algorithms to locate a domain controller. In order to
force the Kerberos library into using the correct domain controller,
some Samba processes, such as winbindd(8) and net(8), build a private krb5.conf
file for use by the Kerberos library while being invoked from Samba.
This private file controls all aspects of the Kerberos library operation,
and this parameter controls how the encryption types are configured
within this generated file, and therefore also controls the encryption
types negotiable by Samba.
When set to all, all Active Directory
encryption types are allowed.
When set to strong, only AES-based encryption
types are offered. This can be used in hardened environments to prevent
downgrade attacks.
When set to legacy, only RC4-HMAC-MD5
is allowed. AVOID using this option because of
CVE-2022-37966; see
https://bugzilla.samba.org/show_bug.cgi?id=15237.
Default: all
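A defender's check to go with the strong setting, added here as an example and not part of the Samba man page or Samba's own code: after setting `kerberos encryption types = strong` in smb.conf, feed the output of `klist -e` to the function below to confirm that no ticket in the cache was issued with a non-AES encryption type. The sample ticket-cache listings are constructed, and MIT-style `klist -e` output is assumed (Heimdal's klist prints its ticket listing differently).

```shell
#!/bin/sh
# Returns 0 when every "Etype (skey, tkt):" line in a `klist -e` listing
# names only AES enctypes; otherwise prints the offending enctype names
# and returns 1. Argument $1 is the full text of `klist -e`.
check_ticket_enctypes() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Etype ([^)]*): *//p' \
      | tr ',' '\n' \
      | sed 's/^ *//; s/ *$//' \
      | grep -Eiv '^aes(128|256)-cts-hmac-sha(1-96|256-128|384-192)$' \
      && return 1
    return 0
}

# Constructed sample: cache populated after "kerberos encryption types = strong".
STRONG_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/srv01.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2024 09:00:00  01/02/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/02/2024 09:00:01  01/02/2024 19:00:00  cifs/fs01.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96'

# Constructed sample: cache populated with the legacy setting (RC4 only).
LEGACY_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/srv01.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2024 09:00:00  01/02/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# Constructed sample: AES session key but an RC4-encrypted service ticket,
# which is what a downgraded service principal looks like.
MIXED_SAMPLE='01/02/2024 09:00:01  01/02/2024 19:00:00  cifs/fs01.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac'

# Typical use on a live host: check_ticket_enctypes "$(klist -e)"
```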