[OpenAFS] MSKLOG - Acquiring AFS tokens on Windows using Microsoft Security

Chris McClimans openafs-info@mcclimans.net
Thu, 22 Jan 2004 14:59:32 -0600


I currently use a cross realm trust (one-way) where the users are in
TTU.EDU (a MS AD realm) and the service ticket is
afs/cs.ttu.edu@CS.TTU.EDU. If I get TTU.EDU to generate me an
afs/cs.ttu.edu@TTU.EDU, will I be able to use both the old method and
MSKLOG at the same time using the different tickets from the two
different realms?
-chris

On Jan 8, 2004, at 2:11 PM, Douglas E. Engert wrote:

>
> Acquiring AFS tokens on Windows using Microsoft Security
> I would like to submit to the OpenAFS community a simplified
> method of obtaining AFS tokens on Windows using the built in
> Microsoft security.
>
>  The readme is attached and at:
>    ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG
>  The source is at:
>    ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.1.tar
>
> There are many sites that have run AFS on Windows and would like to
> use AD authentication for AFS but don't want to have to run any
> additional Kerberos set of tools. I know there is a lot of work going
> on improving the MIT KfW packages, but in many situations this may be
> more than a user or site wants to run. Some sites may be using Heimdal
> or other Kerberos on Windows and don't want to switch.
>
> Msklog does not use any of these Kerberos packages, but uses the SSPI
> and LSA code of W2K and XP which allow the msklog program to get a
> Kerberos V5 ticket without having any additional Kerberos code on
> the Windows machine.
>
> I am sending this note today, as Microsoft is close to releasing
> a Hotfix for AD which will allow for much smaller tickets to be
> produced, which has been a problem in the past with AFS on all
> platforms. The msklog can take advantage of this Hotfix when it
> becomes available but can also be used today if built with the
> -DNO_MS_PAC option.
>
> I would like to see the msklog_ms.c added to OpenAFS and callable
> from afscreds.exe. I am willing to do this if there is interest.
>
>
> --------------------README------------------------
>
>    MSKLOG - Get an AFS Token on Windows OpenAFS Client - release 0.1
>
>
> INTRODUCTION
>
> AFS has evolved over the years, and recent capabilities have been
> added to OpenAFS to allow it to use Kerberos V5 tickets in the AFS
> token.
> The MSKLOG program takes advantage of this, and is designed to use
> as much of the Microsoft built in Kerberos code as possible. When
> run on a machine as part of a domain the User's login credentials can
> be used to obtain the AFS token.
>
> Unlike aklog or gssklog, no additional Kerberos libraries are needed
> on the client, and no additional daemons like krb524d or gssklogd are
> needed.
>
> The program relies only on the Microsoft DLLs and OpenAFS libraries.
> No changes are needed to the AFS servers. (The servers need to be at  
> 1.2.8
> at least.) So the program can easily be used in a Microsoft only  
> environment,
> as well as a mixed environment.
>
> Current assumptions are that the AFS user name matches the Kerberos
> principal, and the cell name matches the Kerberos Realm name.
>
> GETTING AN AFS TOKEN
>
> Msklog can be used in two modes. If you have used the integrated login
> to log in to the workstation, you can just run msklog, and it will use
> your login credentials.
>
> If you did not login, you can use the msklog -principal and -password
> options. See: msklog -help for the options.
>
>
> BUILDING
>
> Unzip, and edit the msklog.mak to change the locations of some
> directories.
>
>  SRC_D   - source (default .)
>  BIN_D   - output file of msklog.exe
>  OBJ_D   - output object files
>
>  MSSDK_INC_D  - Microsoft SDK include
>  AFS_INC_D    - AFS includes
>  AFS_LIB_D    - AFS libs
>  FIX_KVNO_INC_D - the AFS src\rxkad (See Below)
>
> Then do:
>
>   nmake -f msklog.mak
>
> DEBUG NOTE
>
> As a testing and debugging aid, the code can be compiled with a
> -DFIX_KVNO to allow the -fixkvno n option to be used to set the key
> version number. I needed this for testing, as the OpenAFS-1.2.8 would
> not accept a ticket with default/missing kvno=0, and I had set the
> kvno to a different number, but the Microsoft KDC always returns
> kvno=0.
>
>
> HOTFIX FOR DOMAIN CONTROLLER
>
> Microsoft is working on hotfix xxxxxxxx for the Windows Domain
> controllers to allow tickets to be issued without a PAC. This greatly
> reduces the size of the ticket, so it can be used by AFS. (AFS does
> not use the PAC information anyway.)
>
> See: http://......
>
> Until this hotfix is available, msklog can be used without this
> hotfix, if it is compiled with the -DNO_MS_PAC option. But this uses
> an MS only feature and will not work against an MIT KDC.
>
> USING MSKLOG with an MIT KDC
>
> See
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> Section:  "Using an MIT KDC with a Standalone Windows 2000 Workstation"
>
> You will need to run the ktsetup command to define the Realm and
> location of the KDCs at least. If you want to use the integrated
> login, you will need to follow the other steps as well.
>
> SETTING UP THE KEYS
>
> The Kerberos KDC will need a principal, key and kvno for "afs/<cell>"
> and the AFS servers will need this key and kvno entered into the
> /usr/afs/etc/KeyFile
>
> I will only describe adding a key when using the Windows Domain
> controller as the KDC. Similar commands can be used with an MIT based KDC.
>
> The Kerberos realm name is the same as the Windows Domain name.
>
> The domain admin would use the Active Directory Management tools to
> create a user account for the AFS service. They would then use the
> ktpass tool to set an identity mapping to afs/<cell> and to set the key.
>
> See:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> Section "Support for Kerberos Services"
> "To create a service instance account in the Active Directory"
>
> This will create a user account and service principal and enter a key
> based on the password provided into the Windows Domain.
>
> To add a matching key to the AFS KeyFile, the OpenAFS "bos_util
> adddes" command can be used. There may be other ways to add this key,
> but I will describe one.
>
> There are some restrictions:
>
>  o Microsoft always wants to use a key version number of 0.
>
>  o You must use a password to generate the key. But you can view the
>    keys generated by the ktpass and the bos_util adddes command to
>    verify that they match.
>
>  o Since ktpass is using a salt with the password, and adddes is not,
>    you will need to use <password> with ktpass and
>    <password><realm>afs<cell> with the adddes
>
> For example, the cell is named anl.gov and the W2K Domain is ANL.GOV
> and we will use a password of @#wsRbv3 as an example.
>
> On Windows:
>    Create the account serviceAFS
>    Set the xxxxxxxxx flag (See Hotfix comments above)
>    then run:
>    ktpass -princ afs/anl.gov@ANL.GOV -mapuser serviceAFS -pass "@#wsRbv3"
>
>    This will list the key in hex. Remember this hex value and the
>    password used.
>
> On AFS:
>    /usr/afs/bin/bos_util adddes 0
>    Then when prompted for a password enter:
>        @#wsRbv3ANL.GOVafsanl.gov
>
> You can verify the keys with the unix "od -x /usr/afs/KeyFile"
> command. You should see the same key in hex in the file.
>
>
> COMMENTS
>
> This is the second release, and I am looking for comments. If the
> program of the main function is useful, I would like to submit this to
> OpenAFS.
>
> The program is a modified version of the cklog.c program found in
> OpenAFS, and it calls the msklog_ms.c routines. The MIT ms2mit program
> was helpful in understanding the workings of SSPI and LSA. The long
> term intent is the msklog_ms.c routines could be called from the
> OpenAFS afscreds.exe directly, making its use transparent to the user.
>
> Doug Engert <deengert@anl.gov>    8/6/2003
>                                   1/8/2004
> -- 
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
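The README's SETTING UP THE KEYS section ends with "verify the keys with od -x" and leaves the comparison to the reader. The following is an added example, not code from Doug Engert's msklog or from OpenAFS, that does that comparison offline: it builds the unsalted adddes password string from the README's recipe, parses a KeyFile image, checks the DES parity that both ktpass and bos_util adddes produce, and confirms the entry under a given kvno matches the hex ktpass printed. The KeyFile layout (a big-endian 32-bit key count, then up to 8 entries of a big-endian 32-bit kvno plus an 8-byte key, zero-padded to 100 bytes) is an assumption modelled on OpenAFS's afsconf_keys structure, and the sample key and hex value are constructed, not taken from any real KDC.

```python
import struct

# Layout assumed for this example (modelled on OpenAFS's afsconf_keys struct,
# an assumption rather than something taken from the README): a big-endian
# 32-bit key count, then up to 8 entries of a big-endian 32-bit kvno followed
# by an 8-byte DES key, the file zero-padded to the full 100 bytes.
KEYFILE_MAX_KEYS = 8
ENTRY_SIZE = 12


def adddes_password(password: str, realm: str, cell: str) -> str:
    """String to type at the bos_util adddes prompt.

    ktpass salts the password with <REALM> plus the principal components
    ("afs" and <cell>); adddes does not salt, so the README's recipe is to
    feed it the already-concatenated <password><REALM>afs<cell>.
    """
    return password + realm + "afs" + cell


def build_keyfile(entries):
    """Construct a KeyFile image from (kvno, key) pairs (sample data only)."""
    if len(entries) > KEYFILE_MAX_KEYS:
        raise ValueError("KeyFile holds at most %d keys" % KEYFILE_MAX_KEYS)
    out = struct.pack(">i", len(entries))
    for kvno, key in entries:
        if len(key) != 8:
            raise ValueError("DES keys are 8 bytes")
        out += struct.pack(">i", kvno) + key
    # unused slots are zero-filled so the file is always the same size
    return out + b"\0" * (ENTRY_SIZE * (KEYFILE_MAX_KEYS - len(entries)))


def parse_keyfile(data: bytes):
    """Return the (kvno, key) entries stored in raw KeyFile contents."""
    if len(data) < 4:
        raise ValueError("KeyFile too short for a key count")
    (nkeys,) = struct.unpack(">i", data[:4])
    if not 0 <= nkeys <= KEYFILE_MAX_KEYS:
        raise ValueError("implausible key count %d" % nkeys)
    entries = []
    for i in range(nkeys):
        off = 4 + i * ENTRY_SIZE
        chunk = data[off:off + ENTRY_SIZE]
        if len(chunk) < ENTRY_SIZE:
            raise ValueError("KeyFile truncated inside entry %d" % i)
        (kvno,) = struct.unpack(">i", chunk[:4])
        entries.append((kvno, chunk[4:]))
    return entries


def has_odd_parity(key: bytes) -> bool:
    """DES keys carry odd parity in every byte.  Both ktpass and bos_util
    adddes emit parity-adjusted keys, so an even-parity byte means the hex
    was mis-copied rather than produced by either tool."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def key_matches_ktpass(keyfile_data: bytes, kvno: int, ktpass_hex: str) -> bool:
    """True when the KeyFile holds, under the given kvno, exactly the key
    ktpass printed in hex (whitespace in the hex string is ignored)."""
    wanted = bytes.fromhex("".join(ktpass_hex.split()))
    if len(wanted) != 8 or not has_odd_parity(wanted):
        return False
    return any(k == kvno and key == wanted
               for k, key in parse_keyfile(keyfile_data))


# Constructed sample: one kvno-0 entry (the version number Microsoft always
# uses, per the README) holding a made-up odd-parity DES key.
SAMPLE_KTPASS_HEX = "4a1f85c23d76b9e0"
SAMPLE_KEYFILE = build_keyfile([(0, bytes.fromhex(SAMPLE_KTPASS_HEX))])


if __name__ == "__main__":
    print("adddes prompt:", adddes_password("@#wsRbv3", "ANL.GOV", "anl.gov"))
    for kvno, key in parse_keyfile(SAMPLE_KEYFILE):
        print("kvno %d key %s parity ok: %s"
              % (kvno, key.hex(), has_odd_parity(key)))
    print("matches ktpass:",
          key_matches_ktpass(SAMPLE_KEYFILE, 0, SAMPLE_KTPASS_HEX))
```

On a real server the bytes for `parse_keyfile` would come from reading /usr/afs/etc/KeyFile, and `ktpass_hex` is the value ktpass printed on the Windows side; the parity check catches a transcription error before a mismatched key is blamed on the salt recipe.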