[OpenAFS] AFS without DES on users' KDCs?

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 02 Jun 2012 17:46:06 -0400

On 6/2/2012 9:07 AM, Simon Wilkinson wrote:
> On 2 Jun 2012, at 01:47, Jayen Ashar wrote:
>
>> Would setting up our own realm for the AFS server work?  Could all
>> users be authenticated cross-realm?  (We are not concerned with
>> cross-realm attacks at the moment.)  Would any changes be needed to
>> the users' KDCs?
>
> Yes. This should work, provided you can set up a cross realm trust between the active directory realm, and the one in which your AFS service lives. The only change necessary to the user's KDCs would be to enable this cross realm trust.

When you create the new realm be sure to also create a new DNS
subdomain.  The cross realm from Windows to the MIT/Heimdal realm will
not work properly if the AFS database servers have names which are in
the DNS domain which is served by the Active Directory domain.

Jeffrey Altman
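An added example, not part of this thread and not configuration from any of the posters: a client-side krb5.conf for the layout Simon and Jeffrey describe. All names are assumed for illustration: EXAMPLE.COM is the existing Active Directory realm (served by dc1.example.com), AFS.EXAMPLE.COM is the new MIT/Heimdal realm holding the afs/cell principal, and afs.example.com is the new DNS subdomain for the AFS database servers and their KDC (kdc1.afs.example.com). The [domain_realm] section shows why the separate subdomain matters: Kerberos clients map a service host to a realm by its DNS suffix, so AFS servers named inside example.com would be mapped to the AD realm instead of the AFS realm.

```ini
# Added example (not from the thread). Assumed names:
#   EXAMPLE.COM           - existing Active Directory realm
#   AFS.EXAMPLE.COM       - new MIT/Heimdal realm that holds afs/<cell>
#   afs.example.com       - new DNS subdomain for the AFS servers
#   kdc1.afs.example.com  - KDC for the new realm
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }
    AFS.EXAMPLE.COM = {
        kdc = kdc1.afs.example.com
        admin_server = kdc1.afs.example.com
    }

[domain_realm]
    # A host is matched against its full name, then successively shorter
    # parent domains. Because the AFS servers live in afs.example.com, they
    # hit the AFS.EXAMPLE.COM entries before the .example.com catch-all.
    # Had they been named db1.example.com they would map to EXAMPLE.COM
    # (the AD realm), which has no afs/<cell> key.
    .afs.example.com = AFS.EXAMPLE.COM
    afs.example.com  = AFS.EXAMPLE.COM
    .example.com     = EXAMPLE.COM
    example.com      = EXAMPLE.COM

[capaths]
    # Direct one-hop trust in both directions ("." = no intermediate realm).
    # A user holding krbtgt/EXAMPLE.COM@EXAMPLE.COM first obtains
    # krbtgt/AFS.EXAMPLE.COM@EXAMPLE.COM from the AD KDC, then
    # afs/<cell>@AFS.EXAMPLE.COM from kdc1.afs.example.com.
    EXAMPLE.COM = {
        AFS.EXAMPLE.COM = .
    }
    AFS.EXAMPLE.COM = {
        EXAMPLE.COM = .
    }
```

The AD side still needs the cross-realm trust that Simon mentions (the krbtgt/AFS.EXAMPLE.COM@EXAMPLE.COM principal with a key shared with the MIT/Heimdal KDC); nothing else on the users' KDCs changes. Which tool creates that trust on the AD side is not covered by the thread and is left out here.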
