Jason Edgecombe wrote: > Hi, > > We run an AFS cell with a kerberos 5 kdc and still have krb5/kas > authentication in parallel. I'm looking to upgrade the kerberos server > to version 1.6. This works well in my test setup. My question is "how > does adding supporting encryption types interact with AFS and windows?" > > Here is part of the kdc.conf > supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 > > Does adding more encryption types hose AFS or windows? I'd like to start > enabling stronger crypto types so that we have the option of using them > in the future.
For AFS the enctype of the afs service principal must be single DES based. For everything else AFS doesn't care. Microsoft Windows only supports single DES and RC4-HMAC based enctypes prior to Vista. Vista also supports AES based enctypes. > What do I need to lookout for with this? > > BTW, we're still running krb524d because our aklog still needs it. Get a new aklog? > What do I need to do on the clients to enable use of the stronger crypto > types? Just make sure that you don't have enctype restrictions in the client's krb5.conf. Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
