some cross-realm trust questions
Nicolas Williams
Nicolas.Williams at oracle.com
Tue Dec 28 17:22:11 EST 2010
On Tue, Dec 28, 2010 at 01:34:17PM -0800, Wilper, Ross A wrote:
> > Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban
> > Kenkre[1]) implements a heuristic to detect what enctypes are available
> > based on, IIRC, trying to add an LDAP attribute named
> > "msDS-SupportedEncryptionTypes" to the machine account object. Failure
> > denotes older AD supporting 1DES and RC4 only; success denotes support
> > for AES-128 and AES-256.
>
> This is actually a bit dangerous. If an Active Directory has the
> schema upgraded to Windows 2008 or later, but not all domain
> controllers have been upgraded to Windows 2008 or later, then this
> will give the wrong response.
I did say "heuristic". There are, potentially, if not actually, other
ways in which it could fail.
Nico
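The heuristic quoted above, together with the mixed-DC failure mode Ross describes, as an added example that is not part of this thread or of the adjoin script it mentions. The bit values are the ones MS-KILE defines for msDS-SupportedEncryptionTypes; the per-DC lookup (the dc_values mapping), the treatment of a DC with no value as "1DES and RC4 only", and the DC names and attribute values are assumptions constructed for illustration.

```python
# Added example, written for this archive page; it is not code from the
# thread or from the adjoin script it mentions.  Bit values follow the
# msDS-SupportedEncryptionTypes definition in MS-KILE 2.2.7.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

ENCTYPE_BITS = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    RC4_HMAC: "rc4-hmac",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
}
AES_ENCTYPES = frozenset({"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"})
# What the thread says an older AD (attribute unknown) supports: 1DES and RC4.
LEGACY_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md5", "rc4-hmac"})


def decode_supported_enctypes(value):
    """Turn an msDS-SupportedEncryptionTypes integer into a set of enctype names.
    None stands for "attribute absent", which is treated as the legacy set."""
    if value is None:
        return LEGACY_ENCTYPES
    return frozenset(name for bit, name in ENCTYPE_BITS.items() if value & bit)


def encode_supported_enctypes(names):
    """Inverse of decode: the bitmask to write back to a machine account."""
    name_to_bit = {name: bit for bit, name in ENCTYPE_BITS.items()}
    mask = 0
    for name in names:
        mask |= name_to_bit[name]
    return mask


def schema_heuristic(attribute_add_succeeded):
    """The heuristic described in the thread: if the attribute could be added
    to the machine account, conclude AES-128/AES-256 are available; otherwise
    conclude 1DES and RC4 only."""
    if attribute_add_succeeded:
        return LEGACY_ENCTYPES | AES_ENCTYPES
    return LEGACY_ENCTYPES


def enctypes_supported_by_all_dcs(dc_values):
    """Conservative check for the mixed-DC failure mode: intersect what every
    domain controller supports.  dc_values maps a DC name to the
    msDS-SupportedEncryptionTypes value read from that DC's computer object,
    or None if it is absent.  Assumption (not stated on the page): a DC that
    understands the attribute advertises its supported set there, and a
    pre-2008 DC has no value, so it is treated as the legacy set."""
    supported = None
    for value in dc_values.values():
        types = decode_supported_enctypes(value)
        supported = types if supported is None else supported & types
    return supported if supported is not None else frozenset()


def choose_enctypes(attribute_add_succeeded, dc_values):
    """What to actually enable on the machine account: the heuristic's answer
    narrowed to what every DC can honour."""
    return schema_heuristic(attribute_add_succeeded) & enctypes_supported_by_all_dcs(dc_values)


if __name__ == "__main__":
    # Constructed scenario: schema upgraded (the attribute add succeeds), but
    # one DC is still pre-2008 and has no msDS-SupportedEncryptionTypes value.
    mixed_forest = {"dc1.example.com": 0x1C, "dc2.example.com": None}
    print("heuristic says:", sorted(schema_heuristic(True)))
    print("every DC supports:", sorted(enctypes_supported_by_all_dcs(mixed_forest)))
    chosen = choose_enctypes(True, mixed_forest)
    print("safe to enable:", sorted(chosen))
    print("bitmask to write:", hex(encode_supported_enctypes(chosen)))
```

In the constructed mixed scenario the heuristic reports all five enctypes, but the only enctype every DC can honour is rc4-hmac, which is exactly the wrong answer Ross warns about; once both DCs advertise 0x1C the intersection grows to RC4 plus both AES types and the two approaches agree.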