docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml

   1 <samba:parameter name="kdc force enable rc4 weak session keys"
   2                  type="boolean"
   3                  context="G"
   4                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
   5 <description>
   6         <para>
   7           <constant>RFC8429</constant> declares that
   8           <constant>rc4-hmac</constant> Kerberos ciphers are weak and
   9           there are known attacks on Active Directory use of this
  10           cipher suite.
  11         </para>
  12         <para>
  13           However for compatibility with Microsoft Windows this option
  14           allows the KDC to assume that regardless of the value set in
  15           a service account's
  16           <constant>msDS-SupportedEncryptionTypes</constant> attribute
  17           that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
  18           found in a service keytab) can be used if the potentially
  19           older client requests it.
  20         </para>
  21 </description>
  22
  23 <value type="default">no</value>
  24 </samba:parameter>