Comment 4 for bug 1195871

Description of problem:
When joining an AD domain with "net ads join" and smb.conf contains "kerberos method = secrets and keytab", the host keytab /etc/krb5.keytab is being created and a valid host principal of form HOSTNAME$@REALM in included in the file. However, only des-cbc-crc, des-cbc-md5, and arcfour-hmac enctypes are included, no aes256 or aes128 even in AD 2008R2 domain which has full AES support.

Aside from weaker security, with the aforementioned three enctypes things like "kinit -k -t /etc/krb5.keytab 'HOSTNAME$@REALM'" fail with the default krb5.conf (default_{tkt,tgs}_enctypes must be adjusted to be able to kinit).

"net ads join" should provide AES keys in the host keytab at least optionally if the domain controller supports AES, not only the previously mentioned three types (which are currently hard-coded in the source code).

Version-Release number of selected component (if applicable):
RHEL 6.2