Subject: Re: [OpenAFS] AFS without DES on users' KDCs?
Date: Sun, Jun 03, 2012 at 03:18:37PM +1000

Quoting Jayen Ashar ([email protected]):
> On Sat, Jun 2, 2012 at 11:07 PM, Simon Wilkinson
> <[email protected]> wrote:
> > On 2 Jun 2012, at 01:47, Jayen Ashar wrote:
> >
> > Yes. This should work, provided you can set up a cross realm trust between
> > the active directory realm, and the one in which your AFS service lives.
> > The only change necessary to the user's KDCs would be to enable this cross
> > realm trust.
>
> Would this work as a one-way trust? The AFS service realm trusting
> the users' AD Domain? I doubt the AD admins would allow a two-way
> trust.

Trust and cross-realm aren't the same thing. AD people frequently get
this wrong, because AD docs do not admit there is something else than
trust between ADen. The cross-realm is only an authentication
pre-requisite to the full-blown authorisation user-mapping that is an
AD trust.

If one does some research this old document surfaces:

http://technet.microsoft.com/en-us/library/bb742433.aspx#ECAA

-- but I'm led to believe that it is more or less valid for present-day
Windowses.

One-way trust is quite ok, yes.

--
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE     +46 705 989668
Now that I have my "APPLE", I comprehend COST ACCOUNTING!!
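Added example, not part of the original message or of OpenAFS: a small audit of which direction Kerberos cross-realm authentication can flow, given the krbtgt principals present in each KDC. The realm names and principal listings are constructed placeholders, and the path search goes beyond the two-realm case in the thread to multi-hop chains.

```python
import re
from collections import deque

# Constructed principal listings, one per KDC (placeholders, not from the thread).
# Realm names are assumptions; the messages above name no realms.
AD_KDC = """\
krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
krbtgt/AFS.EXAMPLE.ORG@AD.EXAMPLE.COM
alice@AD.EXAMPLE.COM
"""
AFS_KDC = """\
krbtgt/AFS.EXAMPLE.ORG@AFS.EXAMPLE.ORG
krbtgt/AFS.EXAMPLE.ORG@AD.EXAMPLE.COM
afs/afs.example.org@AFS.EXAMPLE.ORG
"""

TGT = re.compile(r"^krbtgt/([^@\s]+)@(\S+)$")

def cross_realm_keys(listing):
    """Return {(issuing_realm, target_realm)} for each krbtgt/TARGET@ISSUER entry."""
    out = set()
    for line in listing.splitlines():
        m = TGT.match(line.strip())
        if m and m.group(1) != m.group(2):  # skip each realm's own local TGS key
            out.add((m.group(2), m.group(1)))
    return out

def usable_edges(kdcs):
    """Edge A -> B is usable only if krbtgt/B@A is present in both A's and B's KDC."""
    # Presence is all a listing shows; matching key, kvno and enctypes must be checked separately.
    found = {realm: cross_realm_keys(text) for realm, text in kdcs.items()}
    return {(a, b) for a in found for (x, b) in found[a]
            if x == a and (a, b) in found.get(b, set())}

def auth_path(kdcs, client_realm, service_realm):
    """Breadth-first search for a referral chain; None if no chain exists."""
    edges = usable_edges(kdcs)
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for a, b in edges:
            if a == path[-1] and b not in seen:
                seen.add(b)
                queue.append(path + [b])
    return None

KDCS = {"AD.EXAMPLE.COM": AD_KDC, "AFS.EXAMPLE.ORG": AFS_KDC}
```

With only `krbtgt/AFS.EXAMPLE.ORG@AD.EXAMPLE.COM` in place, users in the AD realm can reach services in the AFS realm while nothing in the AFS realm can authenticate to AD, which is the one-way arrangement discussed above.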
