diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
index e93650ac3e0..984611167b5 100644
--- a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -38,5 +38,5 @@
-36equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk
+0maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index b712609e3a7..d55df1f4f80 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3076,10 +3076,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"min domain uid",
"1000");
- lpcfg_do_global_parameter(lp_ctx,
- "kdc default domain supported enctypes",
- "rc4-hmac aes256-cts-hmac-sha1-96-sk");
-
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/python/samba/tests/krb5/etype_tests.py b/python/samba/tests/krb5/etype_tests.py
index 1a16518df94..9725d544c2a 100755
--- a/python/samba/tests/krb5/etype_tests.py
+++ b/python/samba/tests/krb5/etype_tests.py
@@ -63,6 +63,8 @@ class EtypeTests(KdcTgsBaseTests):
lp = self.get_lp()
self.default_supported_enctypes = lp.get(
'kdc default domain supported enctypes')
+ if self.default_supported_enctypes == 0:
+ self.default_supported_enctypes = rc4_bit | aes256_sk_bit
def _server_creds(self, supported=None, force_nt4_hash=False,
account_type=None):
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 44ebd6cb61b..1a554016b1e 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -58,6 +58,9 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba import net
from samba.samdb import SamDB, dsdb_Dn
+rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5
+aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
+
from samba.tests import delete_force
import samba.tests.krb5.kcrypto as kcrypto
from samba.tests.krb5.raw_testcase import (
@@ -633,7 +636,8 @@ class KDCBaseTest(RawKerberosTest):
if supported_enctypes is None:
lp = self.get_lp()
supported_enctypes = lp.get('kdc default domain supported enctypes')
-
+ if supported_enctypes == 0:
+ supported_enctypes = rc4_bit | aes256_sk_bit
supported_enctypes = int(supported_enctypes)
if extra_bits is not None:
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ea1686e8aa0..fb2035449c4 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -982,9 +982,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.min_domain_uid = 1000;
- Globals.kdc_default_domain_supported_enctypes =
- KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
-
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 9bcfd7b8c85..ae32634735d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -953,7 +953,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
bool force_rc4 = lpcfg_kdc_force_enable_rc4_weak_session_keys(lp_ctx);
struct ldb_message_element *objectclasses;
struct ldb_val computer_val;
- uint32_t default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+ uint32_t config_default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+ uint32_t default_supported_enctypes =
+ config_default_supported_enctypes != 0 ?
+ config_default_supported_enctypes :
+ ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK;
uint32_t supported_enctypes
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",