On Tue, Aug 16, 2022 at 04:43:19AM +0000, Ben Huntsman wrote:
> Hi guys-
> Does anyone have a recipe for making OpenAFS work with AD 2012 R2 or 2016
> as a KDC?
>
> I've seen a few articles on using it with 2008 R2, which mostly involve
> re-enabling des-cbc-crc on the AD side... Does OpenAFS support the current
> schemes like aes256-cts-hmac-sha1-96, and has anyone gotten that to work?
>
> Or is one better off by setting up their own Kerberos just for OpenAFS?
In the aftermath of https://www.openafs.org/pages/security/OPENAFS-SA-2013-003.txt the state of the art became using current kerberos enctypes for the service principal, with the KDF to get back to fcrypt keys contained within the AFS boundary. The main thing that has come up with using Windows as the KDC is the possible need to disable or trim down the PACs issued for AFS principals ... though in the wake of some of the more recent AD/Kerberos vulnerabilities maybe that is less advisable, I have forgotten the details.

https://datatracker.ietf.org/doc/html/draft-kaduk-afs3-rxkad-k5-kdf-00 discusses the protocol details, https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt talks about the process of converting an existing cell to use the new mechanisms, and http://docs.openafs.org/QuickStartUnix/ has (IIRC) been updated to cover installing with rxkad-k5 from scratch.

Hopefully others can chime in if there are more AD-specific bits than just rxkad-k5; I don't actually run any such environments myself.

-Ben

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
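As an added illustration, not code from this thread and not OpenAFS's own implementation: the derivation step Ben refers to, getting an fcrypt (single-DES) key back out of a modern Kerberos session key inside the AFS boundary, written in Python from my reading of draft-kaduk-afs3-rxkad-k5-kdf-00. Assumed from the draft: for enctypes other than single DES, the 8-byte key is the first 8 octets of HMAC-MD5 keyed with the session key over a 4-byte big-endian counter starting at 1, with DES odd parity applied, and the counter is incremented and the step repeated if the result is one of the 16 weak or semi-weak DES keys; single-DES session keys are used directly. The enctype numbers are the IANA Kerberos assignments; the AES-256 sample key is constructed and comes from no real cell or keytab. Check the construction against the draft text before relying on it for anything beyond understanding the mechanism.

```python
"""Illustrative rxkad-k5 style derivation of an fcrypt (DES) key from a
Kerberos session key of a modern enctype.  Added example; the construction
(HMAC-MD5 over a counter, parity fix, weak-key retry) is assumed from
draft-kaduk-afs3-rxkad-k5-kdf-00 and is not OpenAFS's code."""
import hashlib
import hmac
import struct

# Kerberos enctype numbers from the IANA registry (RFC 3961 / RFC 3962).
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_DES_CBC_MD4 = 2
ENCTYPE_DES_CBC_MD5 = 3
ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
DES_ENCTYPES = {ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5}

# The 4 weak and 12 semi-weak single-DES keys, written in odd-parity form.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "011F011F010E010E", "1F011F010E010E01", "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}


def fix_odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that every byte has an odd number of
    1 bits; DES keeps its parity bit in the LSB of each key byte."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | 1 if bin(high7).count("1") % 2 == 0 else high7)
    return bytes(out)


def hmac_md5_counter_prf(k5_key: bytes, counter: int) -> bytes:
    """PRF assumed from the draft: HMAC-MD5 keyed with the Kerberos session
    key over the 4-byte big-endian counter; only the first 8 octets are kept."""
    return hmac.new(k5_key, struct.pack(">I", counter), hashlib.md5).digest()[:8]


def derive_fcrypt_key_with_counter(enctype, k5_key, prf=hmac_md5_counter_prf):
    """Return (fcrypt_key, counter_used).  Single-DES enctypes pass the key
    through unchanged (counter 0).  Any other enctype runs the PRF, applies
    odd parity, and advances the counter past weak or semi-weak results.
    `prf` is injectable so the retry path can be exercised deterministically."""
    if enctype in DES_ENCTYPES:
        if len(k5_key) != 8:
            raise ValueError("single-DES session key must be 8 bytes")
        return bytes(k5_key), 0
    for counter in range(1, 2**32):
        candidate = fix_odd_parity(prf(k5_key, counter))
        if candidate not in DES_WEAK_KEYS:
            return candidate, counter
    raise RuntimeError("counter space exhausted without a usable DES key")


def derive_fcrypt_key(enctype, k5_key, prf=hmac_md5_counter_prf):
    """Convenience wrapper returning only the derived 8-byte key."""
    return derive_fcrypt_key_with_counter(enctype, k5_key, prf)[0]


# Constructed 32-byte sample, the size an aes256-cts-hmac-sha1-96 session key
# would have; not taken from any real cell or keytab.
SAMPLE_AES256_KEY = bytes(range(0x10, 0x30))

if __name__ == "__main__":
    key, ctr = derive_fcrypt_key_with_counter(
        ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_AES256_KEY)
    print(f"fcrypt key {key.hex()} after {ctr} iteration(s); "
          f"odd parity ok: {all(bin(b).count('1') % 2 for b in key)}")
```

The point of the retry loop is the edge case: a derived 56-bit key that happens to land on a weak or semi-weak DES key would make the rxkad encryption degenerate, so the derivation must skip it rather than return it. In practice the first counter value is almost always accepted, which is why the retry path is easy to forget when re-implementing this.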