Jeremy,
My understanding is that even AD 2016 will support arcfour-hmac (even
though it's deprecated and not recommended). Local company AD teams will
make the decision to stop supporting arcfour-hmac or not. (For instance,
our company's team tried -- and it broke something to do with cross-domain
auth. So they reverted.)
I don't know when AD quit supporting 3des-cbc.
Spike
On Sun, May 9, 2021 at 5:09 PM Jeremy Monnet <jmonnet(a)gmail.com> wrote:
Hi,
> To allow all the old (weak) RHEL7 crypto ciphers (like 3des-cbc and
> arcfour-hmac).
>
> It's not advisable to leave crypto-policies at LEGACY -- that accepts
> some truly weak ciphers.
>
>
You are right, only I do not decide the AD version used... 2012R2 is
still supported by Microsoft, so people are not eager to migrate to
2016 or 2019. That brings me to another question:
- Is there a reference to supported ciphers, e.g. will RHEL without
enabling weak ciphers work out of the box with an AD 2016 (that
could be another argument to upgrade)?
And yes you are right, the issue is pure Kerberos, sssd just sits on top...
Regards,
Jeremy