Jeremy,

My understanding is that even AD 2016 will support arcfour-hmac (even though it's deprecated and not recommended). Local company AD teams will make the decision to stop supporting arcfour-hmac or not. (For instance, our company's team tried -- and it broke something to do with cross-domain auth. So they reverted.)

I don't know when AD quit supporting 3des-cbc.

Spike

On Sun, May 9, 2021 at 5:09 PM Jeremy Monnet <jmonnet@gmail.com> wrote:
Hi,

> To allow all the old (weak) RHEL7 crypto ciphers (like 3des-cbc and arcfour-hmac).
>
> It's not advisable to leave crypto-policies at LEGACY -- that accepts some truly weak ciphers.
>
>
You are right, only I do not decide the AD version used... 2012R2 is
still supported by Microsoft, so people are not eager to migrate to
2016 or 2019. That brings me to another question:
- Is there a reference to supported ciphers, e.g. will RHEL without
enabling weak ciphers work out of the box with an AD 2016 (that
could be another argument to upgrade)?

And yes, you are right, the issue is pure Kerberos, sssd just sits on top...

Regards,

Jeremy
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org