[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

Andrew Deason adeason@sinenomine.net
Thu, 26 Sep 2013 10:52:21 -0500


On Thu, 26 Sep 2013 15:28:16 +0000
Arne Wiebalck <Arne.Wiebalck@cern.ch> wrote:

> > For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for
> > newer versions, you need an AES (this starts with 2008 or 2008 R2).
> > But there
> 
> Does that mean access to updated AFS servers would fail if AD handed out
> ArcFour encrypted service tickets for AFS?

No no, sorry, I think I was trying to simplify too much and that came
out wrong. You just need to get the same enctype as AD issues, whatever
that is. Windows 2003 I believe will give rc4 by default (as that is the
strongest enctype it supports), but later versions can give you aes. The
instructions I linked earlier have some information on how to handle it.

> With our 2008 R2 test domain controller I see that not-yet-updated
> clients get ArcFour service tickets (and DES session keys) while new
> clients get AES service tickets (and AES session keys). I don't have a
> test AFS cell at hand though, hence the question.

I'm not sure what you mean by this, though; if there's no afs cell, I'm
not sure what clients you're talking about, and what they're receiving a
service ticket for. The client should not be able to impact the enctype
selection of the service ticket, and it can be a security issue if they
can. There is an option in AD that lets you do that, but it's a really
bad idea to turn it on unless you really really need it. (Previously
brought up here:
<http://lists.openafs.org/pipermail/openafs-info/2013-July/039763.html>)

-- 
Andrew Deason
adeason@sinenomine.net
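Andrew's point above, that the AFS server can only use service tickets whose enctype (and kvno) match a key in its keytab, as an added example that is not part of this thread: a parser for MIT-format keytabs (format version 0x0502) that reports each principal's kvno and enctypes, plus a check for whether a ticket issued with a given kvno and enctype could be decrypted. The keytab bytes, the zero-filled keys and the principal afs/example.com@EXAMPLE.COM are constructed for the example.

```python
import struct

def _octets(b):
    return struct.pack(">H", len(b)) + b          # counted octet string: 16-bit length + bytes

def _read_octets(data, pos):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    """Write a version-0x0502 keytab from (principal, kvno, enctype, key) tuples (test data)."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _octets(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return {principal: {kvno: {enctype, ...}}} for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, result = 2, {}
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                 # a negative size marks a deleted entry: skip the hole
            ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
            parts = []
            for _ in range(ncomp + 1):       # realm first, then the name components
                part, pos = _read_octets(data, pos)
                parts.append(part)
            vno8 = data[pos + 8]     # skip name_type and timestamp (4 bytes each)
            enctype, klen = struct.unpack_from(">HH", data, pos + 9)
            pos += 13 + klen         # step past the key bytes; key material is never exposed
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            princ = b"/".join(parts[1:]).decode() + "@" + parts[0].decode()
            result.setdefault(princ, {}).setdefault(kvno, set()).add(enctype)
        pos = end
    return result

def ticket_decryptable(keytab, principal, kvno, ticket_enctype):
    return ticket_enctype in parse_keytab(keytab).get(principal, {}).get(kvno, set())

SAMPLE_KEYTAB = build_keytab([("afs/example.com@EXAMPLE.COM", 3, 23, bytes(16)),   # constructed:
                              ("afs/example.com@EXAMPLE.COM", 3, 18, bytes(32))])  # rc4 + aes256, kvno 3
```

A ticket for kvno 3 with enctype 18 (aes256-cts-hmac-sha1-96) or 23 (arcfour-hmac) passes the check, while a DES ticket or a ticket for a different kvno does not; for a real keytab, `klist -e -k FILE` shows the same principal, kvno and enctype information.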