some cross-realm trust questions

Nicolas Williams Nicolas.Williams at oracle.com
Tue Dec 28 17:22:11 EST 2010


On Tue, Dec 28, 2010 at 01:34:17PM -0800, Wilper, Ross A wrote:
> > Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban
> > Kenkre[1]) implements a heuristic to detect what enctypes are available
> > based on, IIRC, trying to add an LDAP attribute named
> > "msDS-SupportedEncryptionTypes" to the machine account object.  Failure
> > denotes older AD supporting 1DES and RC4 only; success denotes support
> > for AES-128 and AES-256.  
> 
> This is actually a bit dangerous. If an Active Directory has the
> schema upgraded to Windows 2008 or later, but not all domain
> controllers have been upgraded to Windows 2008 or later, then this
> will give the wrong response. 

I did say "heuristic".  There are, potentially, if not actually, other
ways in which it could fail.

Nico
-- 
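An added example, not the adjoin script and not code from anyone on this thread, that puts the two positions above side by side in Python on constructed LDIF text. The heuristic's schema test is modelled as finding the msDS-SupportedEncryptionTypes attributeSchema entry (which is all a successful attribute write proves), and next to it is the check Ross's objection points at: the domain functional level, msDS-Behavior-Version on the domain naming context, which cannot be raised to 3 (Windows Server 2008) until every domain controller in the domain has been upgraded. The enctype bit values are those documented for msDS-SupportedEncryptionTypes in MS-KILE 2.2.7; the LDIF, the DC=example,DC=test domain and the functional-level value are made up for the example.

```python
# Added example for the thread above; not the adjoin script nor any Oracle/Sun
# code.  Contrasts the schema heuristic with a domain-functional-level check
# on constructed LDIF dumps (no LDAP connection is made).
import re

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# msDS-Behavior-Version on the domain NC head is the domain functional level.
# Raising it to 3 (Windows Server 2008) requires every DC in the domain to run
# 2008 or later, which is the guarantee the schema test cannot give.
DFL_WIN2008 = 3

PRE_2008_MASK = (ENCTYPE_BITS["des-cbc-crc"] | ENCTYPE_BITS["des-cbc-md5"]
                 | ENCTYPE_BITS["rc4-hmac"])
AES_MASK = (ENCTYPE_BITS["aes128-cts-hmac-sha1-96"]
            | ENCTYPE_BITS["aes256-cts-hmac-sha1-96"])


def ldif_values(ldif: str, attr: str) -> list[str]:
    """Collect every value of `attr` from ldapsearch-style LDIF text."""
    pattern = re.compile(rf"^{re.escape(attr)}:\s*(.*)$",
                         re.IGNORECASE | re.MULTILINE)
    return [m.group(1).strip() for m in pattern.finditer(ldif)]


def schema_heuristic(schema_ldif: str) -> int:
    """The adjoin heuristic: the schema knows the attribute, so assume AES.

    A successful write of msDS-SupportedEncryptionTypes to the machine account
    only proves the schema was extended; it says nothing about the OS of each
    DC that may later answer a TGS-REQ for this host.
    """
    names = [v.lower() for v in ldif_values(schema_ldif, "lDAPDisplayName")]
    if "msds-supportedencryptiontypes" in names:
        return PRE_2008_MASK | AES_MASK
    return PRE_2008_MASK


def dfl_check(domain_ldif: str) -> int:
    """Safer test: decide from the domain functional level instead."""
    levels = ldif_values(domain_ldif, "msDS-Behavior-Version")
    if not levels:  # pre-2003 schema: the attribute does not exist at all
        return PRE_2008_MASK
    if int(levels[0]) >= DFL_WIN2008:
        return PRE_2008_MASK | AES_MASK
    return PRE_2008_MASK


def decode_enctypes(mask: int) -> list[str]:
    """Names of the enctypes set in an msDS-SupportedEncryptionTypes value."""
    return [name for name, bit in ENCTYPE_BITS.items() if mask & bit]


# Constructed LDIF, not captured from a real forest: the schema has been
# extended by a 2008 DC, but the domain is still at the 2003 functional level
# because a 2003 DC remains.  This is the mixed domain the reply warns about.
SCHEMA_LDIF = """\
dn: CN=ms-DS-Supported-Encryption-Types,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: msDS-SupportedEncryptionTypes
attributeSyntax: 2.5.5.9
"""

DOMAIN_LDIF = """\
dn: DC=example,DC=test
objectClass: domainDNS
msDS-Behavior-Version: 2
"""


if __name__ == "__main__":
    # The heuristic advertises AES; the functional level says RC4/DES only.
    print("schema heuristic :", decode_enctypes(schema_heuristic(SCHEMA_LDIF)))
    print("functional level :", decode_enctypes(dfl_check(DOMAIN_LDIF)))
```

On the constructed input the two functions disagree, which is the whole point: a machine account keyed for AES in a domain where a Windows Server 2003 DC can still be picked will fail whenever that DC issues the ticket. Against a live directory the same two lookups are an anonymous-or-bound ldapsearch of the schema NC and of the domain NC head, with no write to the machine account needed.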
