[OpenAFS] Kerberos5 and afs

Russ Allbery rra@stanford.edu
Thu, 15 Nov 2007 15:20:25 -0800


Jeffrey Altman <jaltman@secure-endpoints.com> writes:
> Russ Allbery wrote:
>> Steve Devine <sdevine@msu.edu> writes:

>>> This is my current kdc.conf entry:
>>> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>>> des-cbc-crc:v4 des-cbc-crc:afs3

>> you need to explicitly specify -e des-cbc-crc:normal when creating the
>> krbtgt cross-realm keys.  Otherwise you'll get a des3 key in your KDC
>> and since Windows doesn't support des3, you'll lose.

> Windows 2003 SP1 and later supports RC4-HMAC cross-realm keys.

Yeah, I just didn't mention that because his kdc.conf doesn't.  Adding
rc4-hmac to your supported_enctypes is another alternative (although you
still need to use -e, in this case with rc4-hmac, to limit the enctypes of
the created key).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
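
The check discussed in this message, as an added example that is not part of the original thread: it reads `supported_enctypes` from a kdc.conf and reports which listed enctypes the other realm cannot use and which `enctype:salt` values are usable with `-e` for the cross-realm krbtgt key. The `EXAMPLE.ORG` stanza, the function names and the `PEER` set are assumptions; the peer set reflects only what the thread says about Windows.

```python
import re

# Constructed sample: the supported_enctypes entry quoted in the thread,
# wrapped as posted, inside a hypothetical EXAMPLE.ORG realm stanza.
KDC_CONF = """\
[realms]
 EXAMPLE.ORG = {
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
      des-cbc-crc:v4 des-cbc-crc:afs3
 }
"""

# Assumption taken from the thread: the Windows side handles des-cbc-crc,
# and rc4-hmac on Windows 2003 SP1 and later, but not des3.
PEER = {"des-cbc-crc", "rc4-hmac"}

def supported_enctypes(conf_text):
    """Return (enctype, salt) pairs from supported_enctypes, in listed order."""
    pairs, active = [], False
    for line in conf_text.splitlines():
        if re.match(r"\s*supported_enctypes\s*=", line):
            active, line = True, line.split("=", 1)[1]
        elif active and re.search(r"[={}]", line):
            break  # next setting or end of the stanza
        if active:
            for tok in re.split(r"[\s,]+", line.strip()):
                if tok:
                    enc, _, salt = tok.partition(":")
                    pairs.append((enc, salt or "normal"))
    return pairs

def cross_realm_plan(conf_text, peer_enctypes):
    """Flag enctypes the peer cannot use and list usable values for -e."""
    pairs = supported_enctypes(conf_text)
    unusable = sorted({enc for enc, _ in pairs if enc not in peer_enctypes})
    candidates = [f"{enc}:{salt}" for enc, salt in pairs
                  if salt == "normal" and enc in peer_enctypes]
    return {"unusable_by_peer": unusable, "e_candidates": candidates}

if __name__ == "__main__":
    plan = cross_realm_plan(KDC_CONF, PEER)
    print("enctypes the peer cannot use:", plan["unusable_by_peer"])
    print("pass one of these to -e:", plan["e_candidates"])
```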