Justice, William (WJJ.) wrote:
Things really have not changed all that much. The primary issue with using Windows 2003 Active Directory as the KDC is that Windows 2003 will not issue tickets using the DES-CBC-CRC enctype. It will issue tickets using the DES-CBC-MD5 enctype. This is fine if you are using a krb524 service to translate your Kerberos 5 tickets to Kerberos 4 tickets (not supported by Active Directory, but you can host the MIT Kerberos version on the machine using keytabs); or if you are using gssklog (again you would need to add this, but more importantly support for this is not integrated with the Windows AFS client).

The long term direction is to internally support Kerberos 5 tickets as AFS tokens everywhere they are needed, including the large tickets produced by Active Directory. This support is built into both the Windows versions and the Unix/Linux version as of 1.3.64. Although the Windows version is the recommended product to use because it is the best we have, the Unix/Linux 1.3 branch is still considered a development branch and you would need to think long and hard before using it.

The way that I have set up my cells for use with Active Directory is that I have an MIT KDC which stores the service principal for the AFS cell. Then there is a cross-realm trust between Active Directory and the MIT realm. Therefore, I can force the service tickets to be DES-CBC-CRC and be of small enough size to be used directly with the 1.2.11 AFS servers while still using pure Kerberos 5.

Jeffrey Altman
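A practical way to verify the point made above is to look at the enctype of the afs service ticket actually held in the credential cache. MIT `klist -e` prints a line of the form `Etype (skey, tkt): <session key enctype>, <ticket enctype>` under each ticket; the second value is the enctype the ticket itself was encrypted with, which is what the AFS server has to be able to decrypt. The following is an added example, not code from the message above or from OpenAFS or MIT Kerberos; the cell names, realm names and the sample `klist -e` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist -e` output (not captured from a real system).
# Two cells are shown: one whose afs service principal lives in an MIT realm
# reached over a cross-realm trust (des-cbc-crc ticket), and one served
# directly by Active Directory (des-cbc-md5 ticket).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/05 10:00:00  01/01/05 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): rc4-hmac, rc4-hmac
01/01/05 10:00:01  01/01/05 20:00:00  krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): des-cbc-md5, des-cbc-md5
01/01/05 10:00:02  01/01/05 20:00:00  afs/example.com@MIT.EXAMPLE.COM
        Etype (skey, tkt): des-cbc-crc, des-cbc-crc
01/01/05 10:00:03  01/01/05 20:00:00  afs/legacy.example.com@AD.EXAMPLE.COM
        Etype (skey, tkt): des-cbc-md5, des-cbc-md5'

# afs_ticket_enctype CELL  (reads `klist -e` output on stdin)
# Prints the ticket (tkt) enctype of the afs/CELL@... service ticket,
# or nothing if no such ticket is in the cache.
afs_ticket_enctype() {
    awk -v cell="$1" '
        # the service principal is the last field of a ticket line
        index($NF, "afs/" cell "@") == 1 { want = 1; next }
        # the Etype line directly follows the ticket it describes;
        # the second (tkt) value is the enctype the ticket is encrypted with
        want && /Etype \(skey, tkt\):/ {
            sub(/.*tkt\): */, "")
            n = split($0, parts, /, */)
            print parts[n]
            exit
        }
        { want = 0 }
    '
}

# afs_ticket_is_des_cbc_crc CELL  (reads `klist -e` output on stdin)
# Succeeds only if the afs/CELL ticket is usable by a DES-CBC-CRC-only
# AFS server (e.g. the 1.2.11 servers mentioned in the message).
afs_ticket_is_des_cbc_crc() {
    [ "$(afs_ticket_enctype "$1")" = "des-cbc-crc" ]
}

# Stand-alone run over the constructed sample.
for cell in example.com legacy.example.com; do
    etype=$(printf '%s\n' "$SAMPLE_KLIST" | afs_ticket_enctype "$cell")
    if printf '%s\n' "$SAMPLE_KLIST" | afs_ticket_is_des_cbc_crc "$cell"; then
        echo "$cell: afs ticket enctype $etype (ok for DES-CBC-CRC servers)"
    else
        echo "$cell: afs ticket enctype ${etype:-<none>} (not DES-CBC-CRC)"
    fi
done
```

On a live machine the functions are fed real output with `klist -e | afs_ticket_enctype example.com`; a result of `des-cbc-md5` for a ticket issued straight from an Active Directory KDC is the mismatch the message describes, while a cell whose afs principal is held by an MIT KDC behind a cross-realm trust should report `des-cbc-crc`.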