[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell
Andrew Deason
adeason@sinenomine.net
Thu, 26 Sep 2013 12:38:30 -0500
On Thu, 26 Sep 2013 17:21:47 +0000
Arne Wiebalck <Arne.Wiebalck@cern.ch> wrote:
> Do you happen to know what controls which enc type AD will pick when
> issuing an AFS service ticket?

I don't know if this is an exhaustive list, but at least these things
impact it:

- The userAccountControl and msDS-SupportedEncryptionTypes attributes
  on the account (these are the DES/AES checkboxes in the account
  properties thing in the gui)
- In the policy settings: "Security Options" -> "Network security:
  Configure encryption types allowed for Kerberos".
- The option I mentioned earlier, in
  <http://lists.openafs.org/pipermail/openafs-info/2013-July/039763.html>

There may be other things that affect the decision, but those are the
only ones I know of. If you are asking how AD chooses which specific
enctype to use after it has calculated the set of enctypes that are
available, then no, I don't know (except for that last bullet point
above). I assume it is a hard-coded preference for "stronger" enctypes,
or maybe there's an option to set preferred enctypes that I don't know
about.

--
Andrew Deason
adeason@sinenomine.net
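
Added example (not part of the original message, and not OpenAFS or Microsoft code): a small decoder for the two account attributes named in the first bullet of the message above, for auditing which service accounts still list DES or RC4. The bit values are Microsoft's published ones for msDS-SupportedEncryptionTypes and userAccountControl; the account names and values are constructed, and the policy setting and the option from the linked post are not modelled.

```python
# Added example. Bit values follow Microsoft's published definitions;
# the account records at the bottom are constructed sample data.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
UF_USE_DES_KEY_ONLY = 0x200000  # userAccountControl bit: "use DES types only"
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}


def parse_int(value):
    """Attributes arrive as decimal or 0x-hex strings; missing/empty -> None."""
    if value is None or not str(value).strip():
        return None
    return int(str(value).strip(), 0)


def account_enctypes(entry):
    """Decode one account (dict of attribute name -> string value)."""
    uac = parse_int(entry.get("userAccountControl")) or 0
    mask = parse_int(entry.get("msDS-SupportedEncryptionTypes"))
    enctypes = [n for b, n in ENCTYPE_BITS.items() if mask and mask & b]
    notes = []
    if not enctypes:
        # Nothing listed on the account: the decoder cannot say what the KDC picks.
        notes.append("no enctypes listed on account; KDC defaults apply")
    if uac & UF_USE_DES_KEY_ONLY:
        notes.append("USE_DES_KEY_ONLY set")
    weak = sorted(WEAK.intersection(enctypes))
    if weak:
        notes.append("weak enctypes enabled: " + ", ".join(weak))
    return enctypes, notes


def audit(accounts):
    """Map account name -> (enctypes, notes) for every account with a note."""
    results = {name: account_enctypes(attrs) for name, attrs in accounts.items()}
    return {name: r for name, r in results.items() if r[1]}


SAMPLE = {  # constructed accounts, not taken from any real directory
    "afs-svc": {"userAccountControl": "0x200200", "msDS-SupportedEncryptionTypes": "3"},
    "web-svc": {"userAccountControl": "512", "msDS-SupportedEncryptionTypes": "24"},
    "old-svc": {"userAccountControl": "512"},
}
```

Calling `audit(SAMPLE)` returns only the accounts that need attention; an account listing just the two AES types is left out.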