[OpenAFS] AFS without DES on users' KDCs?

Jayen Ashar jayen@science.unsw.edu.au
Sat, 2 Jun 2012 10:47:18 +1000


Hi,

We have a file server on which we are using [unkerberized] NFS, and we
want to move to something with user-level security.  We are currently
considering AFS and Kerberized NFS.  We are leaning towards AFS for a
number of reasons, but we are having some trouble setting up a pilot
server.  We have no control over the KDC and the KDC administrators
are unwilling to enable DES encryption for Kerberos.  (The KDCs are
running Windows 2008 R2 with Active Directory.)  We are trying to
figure out what to do so we can use OpenAFS in this environment, but
we are unfamiliar with the server side of Kerberos and AFS and are
learning as we go.

Would setting up our own realm for the AFS server work?  Could all
users be authenticated cross-realm?  (We are not concerned with
cross-realm attacks at the moment.)  Would any changes be needed to
the users' KDCs?

We saw rxgk on the OpenAFS roadmap.  Would rxgk solve our problem?
What is the status of rxgk?  Could we use it in production?  Where can
we get the source?

What patches need to be made to support encryptions other than DES?
Right now, we are stuck with asetkey not handling AES-encrypted
keytabs, but other than patching asetkey, would we have to patch aklog
or anything else?  If we built off of OpenAFS 1.7, could we use the
AES code in external/heimdal/hcrypto?  Might patches be accepted
upstream?

Thanks,
Jayen
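An added example, not part of the post above: a small parser for the keytab that asetkey would be fed, so an administrator can see which enctypes the KDC actually issued for the AFS service principal before trying to load it. It assumes the MIT keytab file format version 0x0502 (the format both MIT Kerberos and Heimdal write); the principal names and the zero-filled keys in SAMPLE_KEYTAB are constructed sample data, not values from any real cell.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) that matter for the
# "AFS needs DES, the KDC refuses DES" situation.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
SINGLE_DES_ENCTYPES = {1, 3}


def _put_counted(s):
    """Keytab 'counted string': 16-bit big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _get_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab.
    Used here only to construct test data; principals are 'svc/host@REALM'."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _put_counted(realm)
        body += b"".join(_put_counted(c) for c in comps)
        # name_type KRB5_NT_PRINCIPAL (1), timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Parse a 0x0502 keytab into a list of entry dicts (principal, kvno, enctype)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # negative size marks a deleted slot; skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _get_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _get_counted(data, off)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen  # the key bytes themselves are not needed for the report
        kvno = vno8
        if end - off >= 4:  # a non-zero 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
        })
    return entries


def single_des_entries(entries):
    """Entries whose key is single DES, i.e. the only kind classic AFS can use."""
    return [e for e in entries if e["enctype"] in SINGLE_DES_ENCTYPES]


# Constructed sample: an AES-only service principal like an AD KDC would issue,
# plus one legacy single-DES entry. Keys are zero-filled placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("afs/pilot.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    ("afs/pilot.example.com@EXAMPLE.COM", 3, 23, bytes(16)),
    ("afs/oldcell.example.com@EXAMPLE.COM", 2, 1, bytes(8)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print("single-DES entries:", [e["principal"] for e in single_des_entries(parse_keytab(SAMPLE_KEYTAB))])
```

To inspect a real keytab, pass the file contents to parse_keytab instead of SAMPLE_KEYTAB; an empty single_des_entries result is the concrete sign that asetkey, as shipped at the time of the post, will find nothing it can load.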