jean-yves chateaux <email address hidden> writes:

> The errors are the results of MIT resolution to exclude DES/DES3 from the supported enctypes (security reasons).

DES3 was not marked as "weak". Neither was rc4-hmac (enctype 23).
The "export-grade" rc4-hmac-exp is enctype 24 and was marked as weak,
but that doesn't explain the "KRB5KDC_ERR_ETYPE_NOSUPP" when
requesting rc4-hmac (23).

> The parameter "allow_weak_crypto = true" should be added in the default [libdefaults] section of /etc/krb5.conf.
> Adding this parameter solved the errors of the original bug report but leads to a new one: likewise+krb5 cannot get the authenticated user groups correctly from the ADS when trying to browse samba shares using tickets.

The user groups problem probably has nothing to do with disabling weak
crypto.

I think more information is needed. In particular, what package
versions for the krb5 packages are in each configuration?