[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

Andrew Deason adeason@sinenomine.net
Thu, 26 Sep 2013 10:02:48 -0500

On Thu, 26 Sep 2013 09:54:56 +0100
Owen Le Blanc <LeBlanc@mcc.ac.uk> wrote:

> Can the user now be afs/cell/cellname@REALM?

I'm not sure which parts of this you meant to be literal and which parts
are the actual cell name. The principal name hasn't changed; it's always

> Do you still need to use DES encryption types?

No. The DES checkbox needs to be _off_ to use the new stronger

> Shouldn't the crypto be not DES but arcfour-hmac-md5?
> What other changes should or could be made to this page?

For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for newer
versions, you need an AES (this starts with 2008 or 2008 R2). But there
are some caveats when extracting keytabs with ktpass; you should be able
to provide mostly the same instructions as the "Basic" procedure for AD
on <http://openafs.org/pages/security/how-to-rekey.txt>. But that has
some additional stuff for transitioning from DES, which you can leave
out of this is supposed to be instructions for a new installation.

Also note the section in there about msktutil; it's a lot shorter and
has fewer steps and caveats :)

Andrew Deason