Hi,

We have a file server on which we are using [unkerberized] NFS, and we want to move to something with user-level security. We are currently considering AFS and Kerberized NFS. We are leaning towards AFS for a number of reasons, but we are having some trouble setting up a pilot server.

We have no control over the KDC and the KDC administrators are unwilling to enable DES encryption for Kerberos. (The KDCs are running Windows 2008 R2 with Active Directory.) We are trying to figure out what to do so we can use OpenAFS in this environment, but we are unfamiliar with the server side of Kerberos and AFS and are learning as we go.

Would setting up our own realm for the AFS server work? Could all users be authenticated cross-realm? (We are not concerned with cross-realm attacks at the moment.) Would any changes be needed to the users' KDCs?

We saw rxgk on the OpenAFS roadmap. Would rxgk solve our problem? What is the status of rxgk? Could we use it in production? Where can we get the source?

What patches need to be made to support encryptions other than DES? Right now, we are stuck with asetkey not handling AES-encrypted keytabs, but other than patching asetkey, would we have to patch aklog or anything else? If we built off of OpenAFS 1.7, could we use the AES code in external/heimdal/hcrypto? Might patches be accepted upstream?

Thanks,
Jayen
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info