Ticket #488 (closed defect: fixed)

Opened 12 years ago

Last modified 12 years ago

kerberos-config needs to set allow_weak_crypto

Reported by: broder Owned by:
Priority: blocker Milestone:
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description

The ATHENA.MIT.EDU KDC seems to only support the des-cbc-crc enctype. As of krb5 1.8, that's defined as "weak crypto", and the krb5 clients won't talk to the KDC by default.

Until the KDC is upgraded or reconfigured to allow shinier enctypes, we need to set allow_weak_crypto = true in the [libdefaults] section of krb5.conf.

From some preliminary testing, it looks like that setting has no affect in the older versions of krb5 we still support.

Change History

comment:1 Changed 12 years ago by broder

  • Status changed from new to proposed

r24287 (with supplemental fix in r24288), in proposed.

comment:2 Changed 12 years ago by geofft

  • Status changed from proposed to closed
  • Resolution set to fixed

Evan moved this to production on January 25.

Note: See TracTickets for help on using tickets.