--- /dev/null
+<samba:parameter name="kdc force enable rc4 weak session keys"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ <constant>RFC8429</constant> declares that
+ <constant>rc4-hmac</constant> Kerberos ciphers are weak and
+ there are known attacks on Active Directory use of this
+ cipher suite.
+ </para>
+ <para>
+ However for compatibility with Microsoft Windows this option
+ allows the KDC to assume that regardless of the value set in
+ a service account's
+ <constant>msDS-SupportedEncryptionTypes</constant> attribute
+ that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
+ found in a service keytab) can be used if the potentially
+ older client requests it.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
"kdc default domain supported enctypes",
"rc4-hmac aes256-cts-hmac-sha1-96-sk");
+ lpcfg_do_global_parameter(lp_ctx,
+ "kdc force enable rc4 weak session keys",
+ "no");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
Globals.kdc_default_domain_supported_enctypes =
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+ Globals.kdc_force_enable_rc4_weak_session_keys = false;
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();