From a93000db56569f3f5fd4f274c1ee0d11aa3ae1ab Mon Sep 17 00:00:00 2001 From: "https://www.google.com/accounts/o8/id?id=AItOawngalVp80sbyVLyVE1VNzzegSc_f3OKQsc" Date: Thu, 15 Dec 2011 06:35:46 -0800 Subject: [PATCH] --- AFSLore/win2008r2adaskdc.mdwn | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/AFSLore/win2008r2adaskdc.mdwn b/AFSLore/win2008r2adaskdc.mdwn index f1da770..256a3bb 100644 --- a/AFSLore/win2008r2adaskdc.mdwn +++ b/AFSLore/win2008r2adaskdc.mdwn 
@@ -1,17 +1,16 @@ - HowTo setup OpenAFS with Windows 2008 R2 AD server as krb5 auth This is a bit rough and not clean, as I did wrote this out of memory. But it does work fine over here. Preparation for the AD Server: -- Set the policy option "Network security: Configure encryption types allowed for Kerberos" and select which enctypes to allow (at least DES-CBC-CRC) -- In the DC's Local Security Policy, enable all ciphers by checking all 6 boxes at Security Settings \ Local Policies \ Security Options \ "Network security: Configure +* Set the policy option "Network security: Configure encryption types allowed for Kerberos" and select which enctypes to allow (at least DES-CBC-CRC) +* In the DC's Local Security Policy, enable all ciphers by checking all 6 boxes at Security Settings \ Local Policies \ Security Options \ "Network security: Configure encryption types allowed for Kerberos" -- In AD in the Default Domain Controllers Policy, set Computer Configuration \ Policies \ Administrative Templates \ Sytem/Net Logon \ "Allow cryptography algorithms compatible +* In AD in the Default Domain Controllers Policy, set Computer Configuration \ Policies \ Administrative Templates \ Sytem/Net Logon \ "Allow cryptography algorithms compatible with Windows NT 4.0" to enable (maybe not needed) -- Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, the DC won't talk DES to clients, +* Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, the DC won't talk DES to clients, even if you do extract a DES-only keytab (you'll see "KDC has no support for encryption type" messages). -- Reboot the DC (at least restart the KDC process is required) +* Reboot the DC (at least restart the KDC process is required) Now to create the AFS principle: -- 1.9.4
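Review bot: The re-bulleted Default Domain Controllers Policy item still carries the typo "Sytem/Net Logon"; since that line is being rewritten anyway, change it to "System/Net Logon" so the policy path matches what an administrator will see. The first two bullets both point at "Network security: Configure encryption types allowed for Kerberos" but give different instructions (select at least DES-CBC-CRC versus check all 6 boxes); merge them into one item and say which location each instruction applies to. DES-CBC-CRC is a weak enctype, and the "Allow cryptography algorithms compatible with Windows NT 4.0" setting is marked "maybe not needed", so the list should say that readers enable only what the DES-only keytab requires and flag the NT 4.0 item as optional until it is confirmed. In the unchanged context, "as I did wrote" and "AFS principle" (should be "principal") could be fixed in the same pass, and the Subject line is empty, so a one-line summary of the list-marker change would help anyone reading the history.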