Re: some cross-realm trust questions

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue Dec 28 17:22:35 2010

Date: Tue, 28 Dec 2010 16:22:11 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Wilper, Ross A" <rwilper@stanford.edu>
Message-ID: <20101228222211.GF1091@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <C6BF43271ABC924B9A7057FAD2B4953F08BD85E9BF@ITS-ExchMB02.stanford.edu>
Cc: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>,
   "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Dec 28, 2010 at 01:34:17PM -0800, Wilper, Ross A wrote:
> > Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban
> > Kenkre[1]) implements a heuristic to detect what enctypes are available
> > based on, IIRC, trying to add an LDAP attribute named
> > "msDS-SupportedEncryptionTypes" to the machine account object.  Failure
> > denotes older AD supporting 1DES and RC4 only; success denotes support
> > for AES-128 and AES-256.  
> 
> This is actually a bit dangerous. If an Active Directory has the
> schema upgraded to Windows 2008 or later, but not all domain
> controllers have been upgraded to Windows 2008 or later, then this
> will give the wrong response. 

I did say "heuristic".  There are, potentially, if not actually, other
ways in which it could fail.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
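To make the failure mode Ross describes concrete, here is a small model of the adjoin-style heuristic next to a more conservative check. This is an added example, not code from adjoin, from the thread, or from Oracle; the directory data is constructed, the `schema_accepts_enctype_attr` flag stands in for the LDAP write the real script attempts, and the rule "AES only if every DC reports an NT 6.0 or later operatingSystemVersion" is an assumption chosen to illustrate the point, not something the thread specifies. The msDS-SupportedEncryptionTypes bit values are the documented ones from MS-KILE.

```python
"""Model of an AD enctype-detection heuristic and its mixed-DC failure mode.

Added example, not the adjoin script's own code.  Directory contents below are
constructed.  Real AD attribute names are used (msDS-SupportedEncryptionTypes,
operatingSystemVersion); the version threshold for AES-capable DCs (NT 6.0,
i.e. Windows Server 2008) is an assumption made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Bit values of msDS-SupportedEncryptionTypes as documented in MS-KILE.
ENCTYPE_BITS = {
    "DES_CBC_CRC": 0x01,
    "DES_CBC_MD5": 0x02,
    "RC4_HMAC_MD5": 0x04,
    "AES128_CTS_HMAC_SHA1_96": 0x08,
    "AES256_CTS_HMAC_SHA1_96": 0x10,
}
AES_BITS = ENCTYPE_BITS["AES128_CTS_HMAC_SHA1_96"] | ENCTYPE_BITS["AES256_CTS_HMAC_SHA1_96"]
LEGACY_BITS = ENCTYPE_BITS["DES_CBC_CRC"] | ENCTYPE_BITS["DES_CBC_MD5"] | ENCTYPE_BITS["RC4_HMAC_MD5"]


def decode_enctypes(mask: int) -> list[str]:
    """Expand a msDS-SupportedEncryptionTypes bitmask into enctype names."""
    return [name for name, bit in ENCTYPE_BITS.items() if mask & bit]


@dataclass
class DomainController:
    name: str
    operating_system_version: str  # AD operatingSystemVersion, e.g. "5.2 (3790)"

    def supports_aes(self) -> bool:
        # Assumption: DCs at NT 6.0 (Server 2008) or later can issue AES tickets;
        # a Server 2003 DC (5.2) cannot, whatever the schema version says.
        major = int(self.operating_system_version.split(".", 1)[0])
        return major >= 6


@dataclass
class Domain:
    # Outcome of trying to write msDS-SupportedEncryptionTypes to the machine
    # account: True once the schema has been extended to 2008 or later.
    schema_accepts_enctype_attr: bool
    dcs: list[DomainController] = field(default_factory=list)


def heuristic_enctypes(domain: Domain) -> int:
    """adjoin-style guess: write succeeds -> AES (RC4 kept, an assumption),
    write fails -> DES and RC4 only."""
    if domain.schema_accepts_enctype_attr:
        return AES_BITS | ENCTYPE_BITS["RC4_HMAC_MD5"]
    return LEGACY_BITS


def conservative_enctypes(domain: Domain) -> int:
    """Advertise AES only if the schema accepts it AND every DC can use it.
    A schema upgrade with a lingering pre-2008 DC therefore drops AES."""
    mask = heuristic_enctypes(domain)
    if not all(dc.supports_aes() for dc in domain.dcs):
        mask &= ~AES_BITS
    return mask


if __name__ == "__main__":
    # Constructed sample: schema already extended, but one DC is still 2003.
    mixed = Domain(True, [DomainController("dc1", "6.0 (6002)"),
                          DomainController("dc2", "5.2 (3790)")])
    print("heuristic   :", decode_enctypes(heuristic_enctypes(mixed)))
    print("conservative:", decode_enctypes(conservative_enctypes(mixed)))
```

On the constructed mixed domain the heuristic reports AES because the schema write succeeds, while the per-DC check strips it; a keytab provisioned from the first answer would carry AES keys that a Server 2003 DC never issues tickets for.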