[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

Andrew Deason adeason@sinenomine.net
Thu, 26 Sep 2013 10:02:48 -0500


On Thu, 26 Sep 2013 09:54:56 +0100
Owen Le Blanc <LeBlanc@mcc.ac.uk> wrote:

> Can the user now be afs/cell/cellname@REALM?

I'm not sure which parts of this you meant to be literal and which parts
are the actual cell name. The principal name hasn't changed; it's always
afs/<cell>@<REALM>

> Do you still need to use DES encryption types?

No. The DES checkbox needs to be _off_ to use the new stronger
encryption.

> Shouldn't the crypto be not DES but arcfour-hmac-md5?
> 
> What other changes should or could be made to this page?

For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for newer
versions, you need AES (this starts with 2008 or 2008 R2). But there
are some caveats when extracting keytabs with ktpass; you should be able
to provide mostly the same instructions as the "Basic" procedure for AD
on <http://openafs.org/pages/security/how-to-rekey.txt>. But that has
some additional stuff for transitioning from DES, which you can leave
out if this is supposed to be instructions for a new installation.

Also note the section in there about msktutil; it's a lot shorter and
has fewer steps and caveats :)

-- 
Andrew Deason
adeason@sinenomine.net
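Whichever tool writes the keytab (ktpass or msktutil), the thing to verify afterwards is what the reply above says: the afs/<cell>@<REALM> entry is present, it carries an AES enctype, and no DES key is left in the file. The following is an added example, not code from the OpenAFS project or from either poster: it parses an MIT-format keytab (version 0x0502, the layout both tools produce) and reports the enctypes and kvnos found for the AFS service principal. The cell name example.com, realm EXAMPLE.COM, key bytes and kvnos in the sample keytab are constructed for the demonstration.

```python
"""Check that a keytab holds afs/<cell>@<REALM> with AES and without DES.

Added example; assumes the MIT keytab v2 on-disk layout. The sample
keytab at the bottom is constructed in-line with made-up key bytes.
"""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac-md5",
}
DES_ENCTYPES = {1, 2, 3}
AES_ENCTYPES = {17, 18, 19, 20}
KRB5_NT_SRV_HST = 3  # name type used for host/service principals


def build_entry(components, realm, enctype, key, kvno, timestamp=0):
    """Serialize one v2 keytab entry: int32 size, then the record body."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">II", KRB5_NT_SRV_HST, timestamp)
    body += struct.pack(">B", kvno & 0xFF)          # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)


def parse_keytab(data):
    """Return a list of dicts, one per live entry in an MIT v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size marks a deleted entry
            pos += -size
            continue
        rec, off = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", rec, off); off += 2
        (rlen,) = struct.unpack_from(">H", rec, off); off += 2
        realm = rec[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", rec, off); off += 2
            comps.append(rec[off:off + clen].decode()); off += clen
        off += 8                    # name_type, timestamp (unused here)
        (vno8,) = struct.unpack_from(">B", rec, off); off += 1
        enctype, klen = struct.unpack_from(">HH", rec, off); off += 4
        key = rec[off:off + klen]; off += klen
        kvno = vno8
        if off + 4 <= size:         # a non-zero 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", rec, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
                        "kvno": kvno, "key_len": len(key)})
        pos += size
    return entries


def check_afs_keytab(data, cell, realm):
    """Summarize the afs/<cell>@<REALM> entries; ok means AES present, DES absent."""
    want = "afs/%s@%s" % (cell, realm)
    ents = [e for e in parse_keytab(data) if e["principal"] == want]
    enctypes = {e["enctype"] for e in ents}
    return {"principal": want, "entries": len(ents),
            "kvnos": sorted({e["kvno"] for e in ents}),
            "enctypes": sorted(e["enctype_name"] for e in ents),
            "has_aes": bool(enctypes & AES_ENCTYPES),
            "has_des": bool(enctypes & DES_ENCTYPES),
            "ok": bool(enctypes & AES_ENCTYPES) and not (enctypes & DES_ENCTYPES)}


# Constructed sample: an AES and an RC4 key at kvno 3 plus a stale DES key at
# kvno 2 for the AFS principal, and an unrelated host key. Should NOT pass.
SAMPLE_KEYTAB = build_keytab([
    build_entry(["afs", "example.com"], "EXAMPLE.COM", 18, bytes(range(32)), kvno=3),
    build_entry(["afs", "example.com"], "EXAMPLE.COM", 23, bytes(16), kvno=3),
    build_entry(["afs", "example.com"], "EXAMPLE.COM", 3, bytes(8), kvno=2),
    build_entry(["host", "fs1.example.com"], "EXAMPLE.COM", 18, bytes(32), kvno=5),
])
# Constructed sample of what a fresh AES-only extraction looks like. Should pass.
CLEAN_KEYTAB = build_keytab([
    build_entry(["afs", "example.com"], "EXAMPLE.COM", 18, bytes(32), kvno=3),
    build_entry(["afs", "example.com"], "EXAMPLE.COM", 17, bytes(16), kvno=3),
])

if __name__ == "__main__":
    # For a real file: check_afs_keytab(open("afs.keytab", "rb").read(), cell, realm)
    print(check_afs_keytab(SAMPLE_KEYTAB, "example.com", "EXAMPLE.COM"))
    print(check_afs_keytab(CLEAN_KEYTAB, "example.com", "EXAMPLE.COM"))
```

On a host with MIT Kerberos installed, `klist -kte /path/to/keytab` prints the same principal, kvno and enctype information; the script is useful where you want the check to fail a deployment step automatically (for example, a leftover des-cbc-md5 entry after a ktpass run with the DES box ticked), and the kvnos list makes a mismatch between old and new entries visible at a glance.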