ER: Don't create host keytabs with vulnerable encryption type RC4.
When vasd resets the computer object password, the keytab is written with RC4 encryption, now considered vulnerable. I would like an enhancement to write keytab entries in only the encryption methods listed in vas.conf libdefaults default_etypes.
Enhancement request number 799858 has been submitted to Development for consideration in a future release of Authentication Services.
As long as vas.conf is configured not to use arcfour, QAS should not use it. If default_etypes is set to aes, you can confirm this by running the following two commands and checking that nothing related to arcfour-hmac-md5 is shown:
/opt/quest/bin/vastool kinit -S host/ host/
/opt/quest/bin/vastool klist -v
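
The check described above can be scripted. The following is an added example, not code from Quest or from the original article: it reads default_etypes from the [libdefaults] section of a vas.conf-style file and scans saved `vastool klist -v` output for RC4 etype names. The function names, file names and sample contents are assumptions made for illustration, and the ticket listing lines are constructed rather than real vastool output.

```shell
#!/bin/sh
# Added example, not vendor code. All sample input below is constructed.

# Print the default_etypes value from the [libdefaults] section of a vas.conf-style file.
libdefaults_etypes() {
    awk '
        /^[ \t]*\[/ { sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        sec && /^[ \t]*default_etypes[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Exit 0 when the text on stdin names an RC4 etype (arcfour-hmac-md5, rc4-hmac, ...).
has_rc4() { grep -Eiq 'arcfour|rc4'; }

# $1 = config file, $2 = file holding saved output of `vastool klist -v`.
# Returns 0 = no RC4 seen, 1 = RC4 configured or in use, 2 = default_etypes not set.
audit_rc4() {
    rc=0
    etypes=$(libdefaults_etypes "$1")
    if [ -z "$etypes" ]; then
        echo "UNKNOWN: default_etypes not set in [libdefaults] of $1"; rc=2
    elif printf '%s\n' "$etypes" | has_rc4; then
        echo "FAIL: default_etypes permits RC4: $etypes"; rc=1
    fi
    if has_rc4 < "$2"; then
        echo "FAIL: RC4 etype in ticket listing $2:"
        grep -Ein 'arcfour|rc4' "$2"
        rc=1
    fi
    return "$rc"
}

# Constructed sample inputs. The klist lines are placeholders: the check only
# relies on the etype name appearing somewhere in the listing.
tmp=$(mktemp -d)
printf '%s\n' '[libdefaults]' ' default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96' > "$tmp/aes.conf"
printf '%s\n' '[libdefaults]' ' default_etypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5' > "$tmp/rc4.conf"
printf '%s\n' 'ticket etype: aes256-cts-hmac-sha1-96' > "$tmp/klist_aes.txt"
printf '%s\n' 'ticket etype: arcfour-hmac-md5' > "$tmp/klist_rc4.txt"
audit_rc4 "$tmp/aes.conf" "$tmp/klist_aes.txt" && echo "OK: no RC4 seen"
audit_rc4 "$tmp/aes.conf" "$tmp/klist_rc4.txt" || echo "status=$?"
```

On a real host, redirect the output of the second command above to a file and pass that file as the second argument.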