[OpenAFS] MSKLOG - Acquiring AFS tokens on Windows using Microsoft Security

Chris McClimans chris@mcclimans.net
Thu, 22 Jan 2004 15:09:40 -0600


Do you have any information on the hotfix number yet? I'd like to be  
able to ask the MS AD admins when they will install the patch. If they
do it without notifying me, will MSKLOG cease to function if I don't  
perform an upgrade at the same time the patch is applied to the AD  
servers?
-chris


On Jan 22, 2004, at 2:59 PM, Chris McClimans wrote:

> I currently use a cross realm trust (one-way) where the users are in  
> TTU.EDU (a MS AD realm) and the service ticket is  
> afs/cs.ttu.edu@CS.TTU.EDU. If I get TTU.EDU to generate me an  
> afs/cs.ttu.edu@TTU.EDU, will I be able to use both the old method and  
> MSKLOG at the same time using the different tickets from the two  
> different realms?
> -chris
>
> On Jan 8, 2004, at 2:11 PM, Douglas E. Engert wrote:
>
>>
>> Acquiring AFS tokens on Windows using Microsoft Security
>> I would like to submit to the OpenAFS community a simplified
>> method of obtaining AFS tokens on Windows using the built in
>> Microsoft security.
>>
>>  The readme is attached and at:
>>    ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG
>>  The source is at:
>>    ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.1.tar
>>
>> There are many sites that have run AFS on Windows and would like to
>> use AD authentication for AFS but don't want to have to run any
>> additional Kerberos set of tools. I know there is a lot of work going
>> on improving the MIT KfW packages, but in many situations this may be
>> more than a user or site wants to run. Some sites may be using Heimdal
>> or other Kerberos on Windows and don't want to switch.
>>
>> Msklog does not use any of these Kerberos packages, but uses the SSPI
>> and LSA code of W2K and XP which allow the msklog program to get a
>> Kerberos V5 ticket without having any additional Kerberos code on
>> the Windows machine.
>>
>> I am sending this note today, as Microsoft is close to releasing
>> a Hotfix for AD which will allow for much smaller tickets to be
>> produced, which has been a problem in the past with AFS on all  
>> platforms.
>> The msklog can take advantage of this Hotfix when it becomes  
>> available but
>> can also be used today if built with the -DNO_MS_PAC option.
>>
>> I would like to see the msklog_ms.c added to OpenAFS and callable
>> from afscreds.exe. I am willing to do this if there is interest.
>>
>>
>> --------------------README------------------------
>>
>>    MSKLOG - Get an AFS Token on Windows OpenAFS Client - release 0.1
>>
>>
>> INTRODUCTION
>>
>> AFS has evolved over the years, and recent capabilities have been
>> added to OpenAFS to allow it to use Kerberos V5 tickets in the AFS  
>> token.
>> The MSKLOG program takes advantage of this, and is designed to use
>> as much of the Microsoft built in Kerberos code as possible. When
>> run on a machine as part of a domain the User's login credentials can
>> be used to obtain the AFS token.
>>
>> Unlike aklog or gssklog, no additional Kerberos libraries are needed
>> on the client, and no additional daemons like krb524d or gssklogd are
>> needed.
>>
>> The program relies only on the Microsoft DLLs and OpenAFS libraries.
>> No changes are needed to the AFS servers. (The servers need to be at
>> 1.2.8 at least.) So the program can easily be used in a Microsoft only
>> environment, as well as a mixed environment.
>>
>> Current assumptions are that the AFS user name matches the Kerberos
>> principal, and the cell name matches the Kerberos Realm name.
>>
>> GETTING AN AFS TOKEN
>>
>> Msklog can be used in two modes. If you have used the integrated login
>> to log in to the workstation, you can just run msklog, and it will use
>> your login credentials.
>>
>> If you did not login, you can use the msklog -principal and -password
>> options. See: msklog -help for the options.
>>
>>
>> BUILDING
>>
>> Unzip, and edit the msklog.mak to change the locations of some directories.
>>
>>  SRC_D   - source (default .)
>>  BIN_D   - output file of msklog.exe
>>  OBJ_D   - output object files
>>
>>  MSSDK_INC_D  - Microsoft SDK include
>>  AFS_INC_D    - AFS includes
>>  AFS_LIB_D    - AFS libs
>>  FIX_KVNO_INC_D - the AFS src\rxkad (See Below)
>>
>> Then do:
>>
>>   nmake -f msklog.mak
>>
>> DEBUG NOTE
>>
>> As a testing and debugging aid, the code can be compiled with a -DFIX_KVNO
>> to allow the -fixkvno n option to be used to set the key version number.
>> I needed this for testing, as the OpenAFS-1.2.8 would not accept a ticket
>> with default/missing kvno=0, and I had set the kvno to a different number,
>> but the Microsoft KDC always returns kvno=0.
>>
>>
>> HOTFIX FOR DOMAIN CONTROLLER
>>
>> Microsoft is working on hotfix xxxxxxxx for the Windows Domain controllers
>> to allow tickets to be issued without a PAC. This greatly reduces the
>> size of the ticket, so it can be used by AFS. (AFS does not use the
>> PAC information anyway.)
>>
>> See: http://......
>>
>> Until this hotfix is available, msklog can be used without this hotfix, if
>> it is compiled with the -DNO_MS_PAC option. But this uses an MS only feature
>> and will not work against an MIT KDC.
>>
>> USING MSKLOG with an MIT KDC
>>
>> See
>> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>> Section:  "Using an MIT KDC with a Standalone Windows 2000 Workstation"
>>
>> You will need to run the ksetup command to define the Realm and location of
>> the KDCs at least. If you want to use the integrated login, you will need to
>> follow the other steps as well.
>>
>> SETTING UP THE KEYS
>>
>> The Kerberos KDC will need a principal, key and kvno for "afs/<cell>"
>> and the AFS servers will need this key and kvno entered into the
>> /usr/afs/etc/KeyFile
>>
>> I will only describe adding a key when using the Windows Domain
>> controller as the KDC. Similar commands can be used with an MIT based KDC.
>>
>> The Kerberos realm name is the same as the Windows Domain name.
>>
>> The domain admin would use the Active Directory Management tools to create
>> a user account for the AFS service. Then they would use the ktpass tool to
>> set an identity mapping to afs/<cell> and to set the key.
>>
>> See:
>> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>> Section "Support for Kerberos Services"
>> "To create a service instance account in the Active Directory"
>>
>> This will create a user account and service principal and enter a key
>> based on the password provided into the Windows Domain.
>>
>> To add a matching key to the AFS KeyFile, the OpenAFS "bos_util adddes"
>> command can be used. There may be other ways to add this key, but I
>> will describe one.
>>
>> There are some restrictions:
>>
>>  o Microsoft always wants to use a key version number of 0.
>>
>>  o You must use a password to generate the key. But you can view the
>>    keys generated by the ktpass and the bos_util adddes command to
>>    verify that they match.
>>
>>  o Since ktpass is using a salt with the password, and adddes is not,
>>    you will need to use <password> with ktpass and
>>    <password><realm>afs<cell> with the adddes
>>
>> For example, the cell is named anl.gov and the W2K Domain is ANL.GOV
>> and we will use a password of @#wsRbv3 as an example.
>>
>> On Windows:
>>    Create the account serviceAFS
>>    Set the xxxxxxxxx flag (See Hotfix comments above)
>>    then run:
>>    ktpass -princ afs/anl.gov@ANL.GOV -mapuser serviceAFS -pass "@#wsRbv3"
>>
>>    This will list the key in hex. Remember this hex value and the
>>    password used.
>>
>> On AFS:
>>    /usr/afs/bin/bos_util adddes 0
>>    Then when prompted for a password enter:
>>        @#wsRbv3ANL.GOVafsanl.gov
>>
>> You can verify the keys with the unix "od -x /usr/afs/KeyFile"
>> command. You should see the same key in hex in the file.
>>
>>
>> COMMENTS
>>
>> This is the second release, and I am looking for comments. If the program
>> of the main function is useful, I would like to submit this to OpenAFS.
>>
>> The program is a modified version of the cklog.c program found in OpenAFS,
>> and it calls the msklog_ms.c routines. The MIT ms2mit program was helpful
>> in understanding the workings of SSPI and LSA. The long term intent is the
>> msklog_ms.c routines could be called from the OpenAFS afscreds.exe directly,
>> making its use transparent to the user.
>>
>> Doug Engert <deengert@anl.gov>    8/6/2003
>>                                   1/8/2004
>> -- 
>>
>>  Douglas E. Engert  <DEEngert@anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>
>
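The SETTING UP THE KEYS section of the quoted README turns on one fact: ktpass salts the password with the realm and principal name before running the Kerberos DES string-to-key, while bos_util adddes feeds the typed string to the same function with no salt, so typing <password><realm>afs<cell> into adddes reproduces the key the KDC holds. The Go program below is an added example written for this page; it is not code from msklog, OpenAFS or Microsoft. It implements the RFC 3961 DES string-to-key (the "fan-fold" algorithm shared by Kerberos 4 and the Kerberos 5 des-cbc-* enctypes) on top of Go's standard crypto/des, and derives the README's example key both ways. Assumptions: the KDC's salt for afs/anl.gov@ANL.GOV is the RFC 3961 default, the realm followed by the principal components with no separators ("ANL.GOVafsanl.gov"), which is what the README's concatenation rule implies; bos_util adddes applies that same unsalted fold, as the README describes, rather than some other derivation; the names DesStringToKey, Krb5Key and AdddesKey are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// The 16 DES weak and semi-weak keys (parity bits included); never hand one out.
var weakKeyHex = []string{
	"0101010101010101", "fefefefefefefefe", "1f1f1f1f0e0e0e0e", "e0e0e0e0f1f1f1f1",
	"01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
	"01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
	"011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
}

func isWeakKey(k []byte) bool {
	for _, w := range weakKeyHex {
		if hex.EncodeToString(k) == w {
			return true
		}
	}
	return false
}

// fixParity sets the low bit of each byte so the byte has DES odd parity.
func fixParity(k []byte) {
	for i, b := range k {
		k[i] = b&0xfe | byte(1-bits.OnesCount8(b&0xfe)%2)
	}
}

// rev7 reverses the order of the low seven bits of b.
func rev7(b byte) byte { return bits.Reverse8(b&0x7f) >> 1 }

// DesStringToKey is the DES string-to-key of RFC 3961 section 6.2. The salt
// is simply appended to the password before folding, which is why typing
// "<password><salt>" into an unsalted tool produces the same key.
func DesStringToKey(password, salt string) ([]byte, error) {
	s := []byte(password + salt)
	if rem := len(s) % 8; rem != 0 { // zero-pad to whole 8-byte blocks
		s = append(s, make([]byte, 8-rem)...)
	}
	// Fold the blocks together on 7 bits per byte, shifted up to leave room for
	// parity; every second block goes in with byte order and bit order reversed.
	tmp := make([]byte, 8)
	for i, c := range s {
		c &= 0x7f
		if i/8%2 == 0 {
			tmp[i%8] ^= c << 1
		} else {
			tmp[7-i%8] ^= rev7(c) << 1
		}
	}
	fixParity(tmp) // the "intermediate key"
	// DES-CBC checksum of the padded string, keyed and IV'd with the
	// intermediate key; the last ciphertext block becomes the key.
	blk, err := des.NewCipher(tmp)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), tmp...)
	for off := 0; off < len(s); off += 8 {
		for j := range out {
			out[j] ^= s[off+j]
		}
		blk.Encrypt(out, out)
	}
	fixParity(out)
	if isWeakKey(out) { // RFC 3961 key_correction
		out[7] ^= 0xf0
	}
	return out, nil
}

// Krb5Key is the key a Kerberos 5 KDC stores for afs/<cell>@<REALM> under the
// RFC 3961 default salt (realm, then the principal components, no separators).
func Krb5Key(password, realm, cell string) ([]byte, error) {
	return DesStringToKey(password, realm+"afs"+cell)
}

// AdddesKey models the README's account of "bos_util adddes": the typed
// string goes through the same fold with no salt (assumption, not checked
// against the OpenAFS source here).
func AdddesKey(typed string) ([]byte, error) {
	return DesStringToKey(typed, "")
}

func main() {
	// Constructed sample values, copied from the README's worked example.
	kdc, _ := Krb5Key("@#wsRbv3", "ANL.GOV", "anl.gov")
	afs, _ := AdddesKey("@#wsRbv3" + "ANL.GOV" + "afs" + "anl.gov")
	fmt.Printf("KDC key (ktpass, salted):         %x\n", kdc)
	fmt.Printf("KeyFile key (adddes, salt typed): %x\n", afs)
	fmt.Println("match:", bytes.Equal(kdc, afs))
}
```

Run it with go run; both lines print the same 8-byte key. Before trusting the tool on a real cell, check it against the RFC 3961 appendix A.2 vector: password "password" with salt "ATHENA.MIT.EDUraeburn" must give cbc22fae235298e3, which exercises both the fold and the CBC step. When comparing the result with the README's od -x on the server, remember that od -x prints 16-bit words in host byte order, so on a little-endian machine each pair of bytes appears swapped; od -t x1 prints the bytes in file order.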