[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

Arne Wiebalck Arne.Wiebalck@cern.ch
Thu, 26 Sep 2013 15:28:16 +0000

On Sep 26, 2013, at 5:02 PM, Andrew Deason <adeason@sinenomine.net> wrote:

> On Thu, 26 Sep 2013 09:54:56 +0100
> Owen Le Blanc <LeBlanc@mcc.ac.uk> wrote:
> 
>> Can the user now be afs/cell/cellname@REALM?
> 
> I'm not sure which parts of this you meant to be literal and which parts
> are the actual cell name. The principal name hasn't changed; it's always
> afs/<cell>@<REALM>
> 
>> Do you still need to use DES encryption types?
> 
> No. The DES checkbox needs to be _off_ to use the new stronger
> encryption.
> 
>> Shouldn't the crypto be not DES but arcfour-hmac-md5?
>>
>> What other changes should or could be made to this page?
> 
> For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for newer
> versions, you need an AES (this starts with 2008 or 2008 R2). But there

Does that mean access to updated AFS servers would fail if AD handed out
ArcFour encrypted service tickets for AFS? With our 2008 R2 test domain controller
I see that not-yet-updated clients get ArcFour service tickets (and DES session
keys) while new clients get AES service tickets (and AES session keys). I don't
have a test AFS cell at hand though, hence the question.

Thanks!
 Arne

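An added check, not part of the thread: a POSIX sh snippet that reads MIT `klist -e` output and reports which encryption family (DES, RC4, AES) the session key and the ticket of the afs/<cell> service ticket use, so an admin can see the ArcFour-vs-AES split Arne describes. The `Etype (skey, tkt):` line format is MIT's; the ticket-cache contents below are constructed sample data, not a real cache.

```shell
#!/bin/sh
# Added example: classify the enctypes of an afs/<cell> service ticket as
# printed by MIT "klist -e". Assumes each service-principal line is followed
# by an indented "Etype (skey, tkt): <session enctype>, <ticket enctype>" line.

# Constructed sample cache: a not-yet-updated client holding an ArcFour
# ticket with a DES session key for the cell "example.com".
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: arne@EXAMPLE.COM

Valid starting       Expires              Service principal
09/26/13 15:28:16  09/27/13 01:28:16  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/26/13 15:28:20  09/27/13 01:28:16  afs/example.com@EXAMPLE.COM
    Etype (skey, tkt): des-cbc-crc, arcfour-hmac
'

# Map an enctype name (MIT short or long spelling) to a family label.
enctype_family() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *des3*|*triple\ des*)   echo 3DES ;;
        *des-cbc*|*des\ cbc*)   echo DES ;;
        *arcfour*|*rc4*)        echo RC4 ;;
        *aes*)                  echo AES ;;
        *)                      echo UNKNOWN ;;
    esac
}

# Print "<session family> <ticket family>" for the first afs/ ticket found.
# awk selects the Etype line that follows the afs/ principal line.
afs_ticket_families() {
    printf '%s\n' "$1" | awk '
        /afs\// { want = 1; next }
        want && /Etype/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            split($0, e, /, */)
            print e[1] "|" e[2]
            exit
        }' | {
        IFS='|' read -r skey tkt
        echo "$(enctype_family "$skey") $(enctype_family "$tkt")"
    }
}

# Succeeds only when both the session key and the ticket are AES.
afs_ticket_is_aes() {
    [ "$(afs_ticket_families "$1")" = "AES AES" ]
}

afs_ticket_families "$SAMPLE_KLIST"   # DES RC4
```

Run it against a live cache with `klist -e | sh -c '. ./script.sh; afs_ticket_families "$(cat)"'`, or paste the output into SAMPLE_KLIST.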