On Thu, 26 Sep 2013 15:28:16 +0000 Arne Wiebalck <[email protected]> wrote:
> > For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for
> > newer versions, you need an AES (this starts with 2008 or 2008 R2).
> > But there
>
> Does that mean access to updated AFS servers would fail if AD handed out
> ArcFour encrypted service tickets for AFS?

No no, sorry, I think I was trying to simplify too much and that came out wrong. You just need to get the same enctype as AD issues, whatever that is. Windows 2003 I believe will give rc4 by default (as that is the strongest enctype it supports), but later versions can give you aes. The instructions I linked earlier have some information on how to handle it.

> With our 2008 R2 test domain controller I see that not-yet-updated
> clients get ArcFour service tickets (and DES session keys) while new
> clients get AES service tickets (and AES session keys). I don't have a
> test AFS cell at hand though, hence the question.

I'm not sure what you mean by this, though; if there's no afs cell, I'm not sure what clients you're talking about, and what they're receiving a service ticket for.

The client should not be able to impact the enctype selection of the service ticket, and it can be a security issue if they can. There is an option in AD that lets you do that, but it's a really bad idea to turn it on unless you really really need it. (Previously brought up here: <http://lists.openafs.org/pipermail/openafs-info/2013-July/039763.html>)

-- 
Andrew Deason
[email protected]
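An added example, not part of the original message or of OpenAFS: a small check that the enctype of the service ticket issued by the KDC is one the AFS service keytab actually holds a key for, which is the matching requirement described in the reply above. The principal names, keytab path, and both listings are constructed, and the MIT Kerberos `klist -e` / `klist -ke` output layout is assumed.

```python
import re

# Constructed sample of `klist -e` output (MIT Kerberos layout assumed).
KLIST_E = """\
Valid starting       Expires              Service principal
09/26/2013 10:00:00  09/26/2013 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/26/2013 10:01:00  09/26/2013 20:00:00  afs/example.org@EXAMPLE.ORG
\tEtype (skey, tkt): des-cbc-crc, arcfour-hmac
"""

# Constructed sample of `klist -ke <keytab>` output for the AFS service key.
KLIST_KE = """\
Keytab name: FILE:/path/to/afs.keytab
KVNO Principal
---- ----------------------------------------------------------------
   4 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
"""

def ticket_etypes(text):
    """Map service principal -> (session key enctype, ticket enctype)."""
    out, service = {}, None
    for line in text.splitlines():
        # Ticket line: start date, start time, end date, end time, principal.
        m = re.match(r"\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            service = m.group(1)
            continue
        m = re.match(r"\s*Etype \(skey, tkt\):\s*(\S+),\s*(\S+)", line)
        if m and service:
            out[service] = (m.group(1), m.group(2))
    return out

def keytab_etypes(text):
    """Map principal -> set of enctypes the keytab holds keys for."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s+\((.+)\)\s*$", line)
        if m:
            out.setdefault(m.group(1), set()).add(m.group(2))
    return out

def undecryptable(tickets, keytab):
    """Services whose ticket enctype has no matching key in the keytab."""
    return {svc: tkt for svc, (_skey, tkt) in tickets.items()
            if svc in keytab and tkt not in keytab[svc]}

if __name__ == "__main__":
    bad = undecryptable(ticket_etypes(KLIST_E), keytab_etypes(KLIST_KE))
    for svc, etype in bad.items():
        print(f"{svc}: ticket is {etype}, but the keytab has no {etype} key")
```

In the constructed data the session key and ticket enctypes differ for the `afs/` ticket, and only the ticket enctype is compared against the keytab.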
