On Thu, 26 Sep 2013 09:54:56 +0100 Owen Le Blanc <[email protected]> wrote:
> Can the user now be afs/cell/cellname@REALM?

I'm not sure which parts of this you meant to be literal and which parts are the actual cell name. The principal name hasn't changed; it's always afs/<cell>@<REALM>

> Do you still need to use DES encryption types?

No. The DES checkbox needs to be _off_ to use the new stronger encryption.

> Shouldn't the crypto be not DES but arcfour-hmac-md5?
>
> What other changes should or could be made to this page?

For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for newer versions, you need an AES (this starts with 2008 or 2008 R2). But there are some caveats when extracting keytabs with ktpass; you should be able to provide mostly the same instructions as the "Basic" procedure for AD on <http://openafs.org/pages/security/how-to-rekey.txt>. But that has some additional stuff for transitioning from DES, which you can leave out if this is supposed to be instructions for a new installation.

Also note the section in there about msktutil; it's a lot shorter and has fewer steps and caveats :)

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
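An added example, not part of the original message or of OpenAFS: after extracting a keytab for afs/<cell>@<REALM>, this parser for the MIT keytab file format (version 0x0502) lists the enctypes stored for that principal and reports whether any single-DES key is still present. The function names, the sample principal afs/example.org@EXAMPLE.ORG and the all-zero key bytes produced by `sample_entry` are constructed for illustration.

```python
import struct

# Kerberos enctype numbers from the IANA registry; 1-3 are single-DES.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac-md5"}

def _counted(buf, off):                  # 16-bit length-prefixed string
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4 + abs(size)
        if size <= 0:                    # negative size marks a deleted slot
            continue
        rec = data[pos - size:pos]
        if len(rec) < size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(rec, off)
            comps.append(comp)
        # name type (4), timestamp (4), 8-bit kvno, enctype, key length
        _, _, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen
        if len(rec) - off >= 4:          # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries

def audit(data, principal):              # enctypes held for one principal
    etypes = sorted({e for p, _, e in parse_keytab(data) if p == principal})
    return {"enctypes": [ENCTYPES.get(e, str(e)) for e in etypes],
            "des": any(e in (1, 2, 3) for e in etypes),
            "aes": any(e in (17, 18) for e in etypes)}

def sample_entry(realm, comps, kvno, etype, key):   # constructed test data
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    rec = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
           + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(rec)) + rec
```

On a real file, pass the bytes read from the keytab as `data`; a result with `"des": True` means a DES key is still in the file.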
