[OpenAFS] AFS without DES on users' KDCs?
Sun, 3 Jun 2012 15:33:18 +0200
Subject: Re: [OpenAFS] AFS without DES on users' KDCs? Date: Sun, Jun 03, 2012 at 03:18:37PM +1000 Quoting Jayen Ashar (email@example.com):
> On Sat, Jun 2, 2012 at 11:07 PM, Simon Wilkinson
> <firstname.lastname@example.org> wrote:
> > On 2 Jun 2012, at 01:47, Jayen Ashar wrote:
> > Yes. This should work, provided you can set up a cross realm trust
> > between the active directory realm, and the one in which your AFS
> > service lives. The only change necessary to the user's KDCs would be
> > to enable this cross realm trust.
> Would this work as a one-way trust? The AFS service realm trusting
> the users' AD Domain? I doubt the AD admins would allow a two-way
Trust and cross-realm aren't the same thing.
AD people frequently get this wrong, because AD docs do not admit there
is something else than trust between ADen. The cross-realm is only an
authentication pre-requisite to the full-blown authorisation user-mapping
that is an AD trust. If one does some research this old document surfaces:
http://technet.microsoft.com/en-us/library/bb742433.aspx#ECAA -- but I'm
led to believe that it is more or less valid for present-day Windowses.
One-way trust is quite ok, yes.
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Now that I have my "APPLE", I comprehend COST ACCOUNTING!!
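The direction of the one-way cross-realm setup discussed in this thread, as an added example that is not part of the original messages: a shared key named krbtgt/B@A lets clients of realm A obtain tickets for services in realm B, and not the reverse. The realm names are constructed placeholders, and the path search assumes every chain of cross-realm keys is accepted (real KDCs and services also apply capaths and transited-realm checks).

```python
from collections import deque

def parse_krbtgt(principal):
    """Split 'krbtgt/B@A' into (issuing realm A, target realm B); None otherwise."""
    name, sep, issuing = principal.rpartition("@")
    service, slash, target = name.partition("/")
    if not sep or service != "krbtgt" or not slash or not target or not issuing:
        return None
    return issuing, target

def referral_path(client_realm, service_realm, principals):
    """Realms a client walks through to reach a service realm, or None if no key chain exists."""
    edges = {}
    for p in principals:
        parsed = parse_krbtgt(p)
        if parsed and parsed[0] != parsed[1]:      # skip the local TGS, krbtgt/A@A
            edges.setdefault(parsed[0], set()).add(parsed[1])
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:                                   # breadth-first: shortest chain wins
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

# Constructed sample: the AFS service realm accepts users from the AD realm only.
ONE_WAY = [
    "krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM",      # AD realm's own TGS
    "krbtgt/AFS.EXAMPLE.ORG@AFS.EXAMPLE.ORG",    # AFS realm's own TGS
    "krbtgt/AFS.EXAMPLE.ORG@AD.EXAMPLE.COM",     # the single cross-realm key
]

if __name__ == "__main__":
    print(referral_path("AD.EXAMPLE.COM", "AFS.EXAMPLE.ORG", ONE_WAY))
    print(referral_path("AFS.EXAMPLE.ORG", "AD.EXAMPLE.COM", ONE_WAY))
```

The cross-realm key has to exist with the same value in both KDC databases; only the principal name determines the direction.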