[OpenAFS] AFS without DES on users' KDCs?

Måns Nilsson mansaxel@besserwisser.org
Sun, 3 Jun 2012 15:33:18 +0200

Subject: Re: [OpenAFS] AFS without DES on users' KDCs? Date: Sun, Jun 03, 2012 at 03:18:37PM +1000 Quoting Jayen Ashar (jayen@science.unsw.edu.au):
> On Sat, Jun 2, 2012 at 11:07 PM, Simon Wilkinson
> <simonxwilkinson@gmail.com> wrote:
> > On 2 Jun 2012, at 01:47, Jayen Ashar wrote:
> >
> > Yes. This should work, provided you can set up a cross realm trust between the active directory realm, and the one in which your AFS service lives. The only change necessary to the user's KDCs would be to enable this cross realm trust.
> Would this work as a one-way trust?  The AFS service realm trusting
> the users' AD Domain?  I doubt the AD admins would allow a two-way
> trust.

Trust and cross-realm aren't the same thing.

AD people frequently get this wrong, because AD docs do not admit there
is something other than trust between ADen. The cross-realm is only an
authentication pre-requisite to the full-blown authorisation user-mapping
that is an AD trust. If one does some research, this old document surfaces:
http://technet.microsoft.com/en-us/library/bb742433.aspx#ECAA -- but I'm
led to believe that it is more or less valid for present-day Windowses.

One-way trust is quite ok, yes.
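The one-way arrangement the thread describes (the AFS service realm accepting users from the AD realm, nothing flowing back), as an added illustration that is not from the thread or from the OpenAFS project: a krb5.conf fragment for the AFS side. The realm names, hostnames and enctype choice are assumed placeholders; the principal naming rule for the cross-realm key is standard Kerberos.

```ini
# Added example, not from the thread: krb5.conf on the AFS service side.
# Assumed placeholder realms:
#   AD.EXAMPLE.COM  - the users' Active Directory realm (their KDCs)
#   AFS.EXAMPLE.ORG - the realm in which the AFS cell's service principal lives
[libdefaults]
    default_realm = AFS.EXAMPLE.ORG
    # Keep DES out of the picture: the cross-realm key must use an enctype
    # both KDCs support, and AES is the sensible common ground.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    AFS.EXAMPLE.ORG = {
        kdc = kdc.afs.example.org
    }
    AD.EXAMPLE.COM = {
        # AD domain controllers are the users' KDCs
        kdc = dc1.ad.example.com
    }

[domain_realm]
    .ad.example.com  = AD.EXAMPLE.COM
    .afs.example.org = AFS.EXAMPLE.ORG

# One-way cross-realm authentication needs exactly one shared principal,
#   krbtgt/AFS.EXAMPLE.ORG@AD.EXAMPLE.COM
# present with the same key in BOTH KDCs. With it, an AD user can turn an
# AD TGT into service tickets for AFS.EXAMPLE.ORG. The reverse principal
# (krbtgt/AD.EXAMPLE.COM@AFS.EXAMPLE.ORG) is not required and should not
# exist if the AD side is not meant to accept AFS-realm users.
[capaths]
    AD.EXAMPLE.COM = {
        AFS.EXAMPLE.ORG = .
    }
```

This fragment only covers the authentication half of the distinction the post draws: it lets the AFS realm verify that someone is `user@AD.EXAMPLE.COM`. Whether that identity is allowed to do anything in the cell is a separate authorisation decision on the AFS side, which is the user-mapping part that an AD "trust" bundles in and plain cross-realm does not.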

