On 9/26/2013 11:28 AM, Arne Wiebalck wrote:
>
> On Sep 26, 2013, at 5:02 PM, Andrew Deason <[email protected]
> <mailto:[email protected]>> wrote:
>
>> On Thu, 26 Sep 2013 09:54:56 +0100
>> Owen Le Blanc <[email protected] <mailto:[email protected]>> wrote:
>>
>>> Can the user now be afs/cell/cellname@REALM?
>>
>> I'm not sure which parts of this you meant to be literal and which parts
>> are the actual cell name. The principal name hasn't changed; it's always
>> afs/<cell>@<REALM>
>>
>>> Do you still need to use DES encryption types?
>>
>> No. The DES checkbox needs to be _off_ to use the new stronger
>> encryption.
>>
>>> Shouldn't the crypto be not DES but arcfour-hmac-md5?
>>>
>>> What other changes should or could be made to this page?
>>
>> For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for newer
>> versions, you need an AES (this starts with 2008 or 2008 R2). But there
>
> Does that mean access to updated AFS servers would fail if AD handed out
> ArcFour encrypted service tickets for AFS? With our 2008 R2 test domain
> controller I see that not-yet-updated clients get ArcFour service tickets
> (and DES session keys) while new clients get AES service tickets (and AES
> session keys). I don't have a test AFS cell at hand though, hence the
> question.
>
> Thanks!
> Arne

As with any Kerberos service, the keytab deployed on the service host
must include all of the keys that can be generated for that service by
the KDC.

Jeffrey Altman
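
A check for the keytab requirement stated in the reply above, as an added example that is not part of the original message or of OpenAFS: it parses MIT-style `klist -ke` output and reports which enctypes the KDC may use for a principal have no key at the newest kvno in the keytab. The sample listing, keytab path, cell name, realm and the set of enctypes the KDC issues are constructed assumptions, and comparing only the newest kvno is a simplification.

```python
import re

# MIT krb5 enctype aliases, normalised to one canonical name.
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}

# Constructed sample of MIT-style `klist -ke` output; names are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/example.org@EXAMPLE.ORG (arcfour-hmac)
   3 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 afs/example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   3 host/fs1.example.org@EXAMPLE.ORG (arcfour-hmac)
"""

# One keytab entry: kvno, principal, enctype in parentheses.
# Newer klist versions prefix weak enctypes with "DEPRECATED:".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def canonical(enctype):
    name = enctype.strip().lower()
    return ALIASES.get(name, name)

def keytab_keys(klist_text):
    """Return {principal: {kvno: set(enctypes)}} parsed from `klist -ke` text."""
    keys = {}
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            keys.setdefault(principal, {}).setdefault(kvno, set()).add(canonical(m.group(3)))
    return keys

def missing_enctypes(klist_text, principal, kdc_enctypes):
    """Enctypes the KDC may use for `principal` with no key at the newest kvno."""
    by_kvno = keytab_keys(klist_text).get(principal, {})
    wanted = {canonical(e) for e in kdc_enctypes}
    if not by_kvno:
        return sorted(wanted)  # principal absent from the keytab entirely
    # A key left over at an older kvno does not decrypt newly issued tickets.
    return sorted(wanted - by_kvno[max(by_kvno)])

if __name__ == "__main__":
    # Assumption: the KDC may issue either RC4 or AES tickets for this service.
    issued = ["rc4-hmac", "aes256-cts-hmac-sha1-96"]
    print(missing_enctypes(SAMPLE_KLIST, "afs/example.org@EXAMPLE.ORG", issued))
```

In the sample, the only ArcFour key for the AFS principal sits at kvno 2, so it is reported as missing even though an entry with that enctype exists.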
