On Sep 26, 2013, at 5:02 PM, Andrew Deason <[email protected]> wrote:
> On Thu, 26 Sep 2013 09:54:56 +0100 > Owen Le Blanc <[email protected]> wrote: > >> Can the user now be afs/cell/cellname@REALM? > > I'm not sure which parts of this you meant to be literal and which parts > are the actual cell name. The principal name hasn't changed; it's always > afs/<cell>@<REALM> > >> Do you still need to use DES encryption types? > > No. The DES checkbox needs to be _off_ to use the new stronger > encryption. > >> Shouldn't the crypto be not DES but arcfour-hmac-md5? >> >> What other changes should or could be made to this page? > > For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for newer > versions, you need an AES (this starts with 2008 or 2008 R2). But there Does that mean access to updated AFS servers would fail if AD handed out ArcFour encrypted service tickets for AFS? With our 2008 R2 test domain controller I see that not-yet-updated clients get ArcFour service tickets (and DES session keys) while new clients get AES service tickets (and AES session keys). I don't have a test AFS cell at hand though, hence the question. Thanks! Arne
smime.p7s
Description: S/MIME cryptographic signature
