[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Andrew Deason adeason@sinenomine.net
Thu, 5 Jan 2012 10:33:38 -0500


On Thu, 05 Jan 2012 10:07:09 -0500
Jeff White <jaw171@pitt.edu> wrote:

> I noticed there is a box which says 'Use Kerberos DES encryption types 
> for this account' in the settings of each account, do I need to set 
> that?

Yes.

> Just on the afs principal/user or on every user of AFS in the 
> realm?

Just on the afs/pitt.edu princ. It is also advisable to turn off the PAC
for that principal if you haven't already (though that doesn't have
anything to do with the current error). That is, turn this on:
<http://support.microsoft.com/kb/832572>.

> Do I need to do the export and asetkey again after the changes I made?

Not sure on this one. I would guess "no", but I've never done this in
that order.

> Also, is there a way to have all our users in AD without enabling DES?
> I recall hearing that it was possible by having an MIT Kerberos box to
> hold the AFS principal alone with DES enabled but have all the user
> principals in AD without DES.

You can do this, but either way the afs/pitt.edu princ is the only one
that has DES enabled. But yeah, if you just want to be able to turn off
the "enable DES" checkbox in AD to be able to show someone that you're
mostly not running with DES, that's an option.

-- 
Andrew Deason
adeason@sinenomine.net
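
Added example (not part of the original message and not OpenAFS code): a small audit of the two account settings discussed above, to confirm that DES is enabled only on the account behind the afs/ principal and that the PAC is off for it. It assumes the AD checkbox maps to the USE_DES_KEY_ONLY bit of userAccountControl and the KB 832572 setting to NO_AUTH_DATA_REQUIRED; the account names, the CSV export layout and the finding labels are constructed for illustration.

```python
import csv
import io

# userAccountControl bits relevant to this thread
USE_DES_KEY_ONLY = 0x200000        # "Use Kerberos DES encryption types for this account"
NO_AUTH_DATA_REQUIRED = 0x2000000  # KDC issues tickets without a PAC (KB 832572)

# Constructed sample export; "afs-svc" is a hypothetical name for the AD
# account that holds the afs/ principal. Values may be decimal or hex.
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
afs-svc,0x210200
jdoe,512
legacyapp,0x200200
"""


def audit_des_flags(export_text, afs_account):
    """Return (account, issue) pairs for settings that differ from the advice above."""
    findings = []
    seen_afs = False
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"].strip()
        uac = int(row["userAccountControl"].strip(), 0)  # base 0 accepts 512 or 0x200
        des = bool(uac & USE_DES_KEY_ONLY)
        if name.lower() == afs_account.lower():
            seen_afs = True
            if not des:
                findings.append((name, "afs-des-missing"))
            if not uac & NO_AUTH_DATA_REQUIRED:
                findings.append((name, "afs-pac-enabled"))
        elif des:
            # DES should be limited to the AFS account; anything else is unexpected
            findings.append((name, "unexpected-des"))
    if not seen_afs:
        findings.append((afs_account, "afs-account-not-found"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_des_flags(SAMPLE_EXPORT, "afs-svc"):
        print(f"{account}: {issue}")
```

The audit reads only userAccountControl; it does not look at any other attribute that may restrict encryption types.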