[Pkg-samba-maint] Bug#566977: Bug#566977: Acknowledgement (samba-common-bin: 'net ads join' fails against Windows 2003 domain with 'Program lacks support for encryption type')

[Steve Langasek]

On Wed, Jan 27, 2010 at 02:47:05AM -0500, Etienne Goyer wrote:
> Steve Langasek wrote:
> > On Tue, Jan 26, 2010 at 11:00:28AM -0500, Etienne Goyer wrote:
> >> That sounds like a regression to me, if previously working setup are
> >> broken on update.  Is there any way the behavior could be reversed to be
> >> backward-compatible?

> > It's a deliberate behavior change to disable weak encryption types by
> > default, so the only things broken are those that depend on weak encryption
> > types.  You're welcome to try to persuade the Kerberos guys to revert
> > this...

> I do not see the point in trying; they must be aware of the consequence
> of that behavior change already.  That being said, from the distribution
> point of view, would it be appropriate to take measure to ensure the
> user base is not left to figure out why their Kerberos authentication is
> broken on update by themselves?

Given that samba is using its own private krb5.conf for each domain trust, I
think it's appropriate for samba to either remove the dependency on
allow_weak_crypto or to include this setting in all its configs.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20100127/ee6643aa/attachment.pgp>