From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 18 Nov 2019 14:00:03 +0000 (+0100)
Subject: whatsnew: announce removal of DES encryption type in Kerberos
X-Git-Tag: ldb-2.1.0~679
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2b5aa16500835471692c8e1fe6cd1584da89785;p=thirdparty%2Fsamba.git

whatsnew: announce removal of DES encryption type in Kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Tue Nov 19 16:12:39 UTC 2019 on sn-devel-184
---

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 376cd2862f1..f84cfcf7623 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -93,6 +93,26 @@ make changes to the DNS Zone and nudging the 'named' server if a new
 DC was added to the domain.  Administrators using BIND9_FLATFILE will
 need to maintain this manually from now on.
 
+
+Retiring DES encryption types in Kerberos.
+------------------------------------------
+With this release, support for DES encryption types has been removed from
+Samba, and setting DES_ONLY flag for an account will cause Kerberos
+authentication to fail for that account (see RFC-6649).
+
+Samba-DC: DES keys no longer saved in DB.
+-----------------------------------------
+When a new password is set for an account, Samba DC will store random keys
+in DB instead of DES keys derived from the password.  If the account is being
+migrated to Windbows or to an older version of Samba in order to use DES keys,
+the password must be reset to make it work.
+
+Heimdal-DC: removal of weak-crypto.
+-----------------------------------
+Following removal of DES encryption types from Samba, the embedded Heimdal
+build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
+
+
 smb.conf changes
 ================