[OpenAFS] Kerberos5 and afs
Russ Allbery
rra@stanford.edu
Thu, 15 Nov 2007 15:20:25 -0800
Jeffrey Altman <jaltman@secure-endpoints.com> writes:
> Russ Allbery wrote:
>> Steve Devine <sdevine@msu.edu> writes:
>>> This is my current kdc.conf entry:
>>> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>>> des-cbc-crc:v4 des-cbc-crc:afs3
>> you need to explicitly specify -e des-cbc-crc:normal when creating the
>> krbtgt cross-realm keys. Otherwise you'll get a des3 key in your KDC
>> and since Windows doesn't support des3, you'll lose.
> Windows 2003 SP1 and later supports RC4-HMAC cross-realm keys.
Yeah, I just didn't mention that because his kdc.conf doesn't. Adding
rc4-hmac to your supported_enctypes is another alternative (although you
still need to use -e, in this case with rc4-hmac, to limit the enctypes of
the created key).
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>