[OpenAFS] MSKLOG - Acquiring AFS tokens on Windows using Microsoft Security

Douglas E. Engert deengert@anl.gov
Thu, 22 Jan 2004 16:26:08 -0600


Chris McClimans wrote:
> 
> I currenty use a cross realm trust (one-way) where the users are in
> TTU.EDU (a MS AD realm) and the service ticket is
> afs/cs.ttu.edu@CS.TTU.EDU. If I get TTU.EDU to generate me an
> afs/cs.ttu.edu@TTU.EDU, will I be able to use both the old method and
> MSKLOG at the same time using the different tickets from the two
> different realms?

Yes it should work. You will want to have different key version nombers
for the afs/cs.ttu.edu@CS.TTU.EDU and afs/cs.ttu.edu@TTU.EDU as the K5
ticket created by each will be encryt in different keys. By the time
AFS look these up in the /usr/afs/etc/KeyFile it only has the knvo,
and does not know what principal was actually used. 

But the client principal is user@TTU,EDU,and may then appear to 
AFS as a foreign user.  

Our situation is a little differnet, in the users are in a ANL.GOV
(a MS AD realm) and our AFS cell is also named anl.gov. 

Micrsoft is still working on the NO-PAC hotfix, which is really needed
to get this to work with AD. 

> -chris
> 
> On Jan 8, 2004, at 2:11 PM, Douglas E. Engert wrote:
> 
> >
> > Acquiring AFS tokens on Windows using Microsoft Security
> > I would like to submit to the OpenAFS community a simplified
> > method of obtaining AFS tokens on Windows using the built in
> > Microsoft security.
> >
> >  The readme is attached and at:
> >    ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG
> >  The source is at:
> >    ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.1.tar
> >
> > There are many sites that have run AFS on Windows and would like to
> > use AD authentication for AFS but don't want to have to run any
> > additional Kerberos set of tools. I know there is a lot of work going
> > on improving the MIT KfW packages, but in many situations this may be
> > more then a user or site wants to run. Some site may be using Hiemdal
> > or other Kerberos on Windows and don't want to switch.
> >
> > Msklog does not use any of these Kerberos packages, but uses the SSPI
> > and LSA code of W2K and XP which allow the msklog program to get a
> > Kerberos V5 ticket without having any additional Kerberos code on
> > the Windows machine.
> >
> > I am sending this note today, as Microsoft is close to releasing
> > a Hotfix for AD which will allow for much smaller tickets to be
> > produced, which has been a problem in the past with AFS on all
> > platforms.
> > The msklog can take advantage of this Hotfix when it becomes available
> > but
> > can also be used today if built with the -DNO_MS_PAC option.
> >
> > I would like to see the mslog_ms.c added to OpenAFS and callable
> > from afscreds.exe. I am willing to do this if there is interest.
> >
> >
> > --------------------README------------------------
> >
> >    MSKLOG - Get an AFS Token on Windows OpenAFS Client - release 0.1
> >
> >
> > INTRODUCTION
> >
> > AFS has evolved over the years, and recent capabilities have been
> > added to OpenAFS to allow it to use Kerberos V5 tickets in the AFS
> > token.
> > The MSKLOG program takes advantage of this, and is designed to use
> > as much of the Microsoft built in Kerberos code as possible. When
> > run on a machine as part of a domain the User's login credentials can
> > be used to obtain the AFS token.
> >
> > Unlike aklog or gssklog, no additional Kerberos libraries are needed
> > on the client, and no additional daemons like krb524d or gssklogd are
> > needed.
> >
> > The program relies only on the Microsoft DLLs and OpenAFS libraries.
> > No changes are needed to the AFS servers. (The servers need to be at
> > 1.2.8
> > at least.) So the program can easily be used in a Microsoft only
> > environment,
> > as well as a mixed environment.
> >
> > Current assumptions are that the AFS user name matches the Kerberos
> > principal, and the cell name matches the Kerberos Realm name.
> >
> > GETTING AN AFS TOKEN
> >
> > Msklog can be used in two modes. If you have use the integrated login,
> > to login to the workstation, you can just run msklog, and it will use
> > your login credentials.
> >
> > If you did not login, you can use the msklog -principal and -password
> > options. See: msklog -help for the options.
> >
> >
> > BUILDING
> >
> > Unzip, and edit the msklog.mak to change the locations of some
> > directories.
> >
> >  SRC_D   - source (default .)
> >  BIN_D   - output file of msklog.exe
> >  OBJ_D   - output object files
> >
> >  MSSDK_INC_D  - Microsoft SDK include
> >  AFS_INC_D    - AFS includes
> >  AFS_LIB_D    - AFS libs
> >  FIX_KVNO_INC_D - the AFS src\rxkad (See Below)
> >
> > Then do:
> >
> >   nmake -f msklog.mak
> >
> > DEBUG NOTE
> >
> > As a testing and debugging aid, the code can be compiled with a
> > -DFIX_KVNO
> > to allow the -fixkvno n option to be used to set the key version
> > number.
> > I needed this for testing, as the OpenAFS-1.2.8 would not accept a
> > ticket with
> > default/missing kvno=0, and I had set the kvno to a different number,
> > but the
> > Microsoft KDC always returns kvno=0.
> >
> >
> > HOTFIX FOR DOMAIN CONTROLLER
> >
> > Microsoft is working on hotfix xxxxxxxx for the Windows Domain
> > controllers
> > to allow tickets to be issued without a PAC. This  greatly reduces the
> > size of the ticket, so it can be used by AFS. (AFS does not use the
> > PAC information anyway.)
> >
> > See: http://......
> >
> > Until this hotfix is available, msklog can be used without this
> > hotfix, if
> > it is compiled with the -DNO_MS_PAC option. But this uses an MS only
> > feature
> > and will not work against an MIT KDC.
> >
> > USING MSKLOG with an MIT KDC
> >
> > See
> > http://www.microsoft.com/windows2000/techinfo/planning/security/
> > kerbsteps.asp
> > Section:  "Using an MIT KDC with a Standalone Windows 2000 Workstation"
> >
> > You will need to run the ktsetup command to define the Realm and
> > location of
> > the KDCs at least. If you want to use the integrated login, you will
> > need to
> > follow the other steps as well.
> >
> > SETTING UP THE KEYS
> >
> > The Kerberos KDC will need a principal, key and kvno for "afs/<cell>"
> > and the AFS servers will need this key and kvno entered into the
> > /usr/afs/etc/KeyFile
> >
> > I will only describe adding a key when using the Windows Domain
> > controller as the KDC. Similar command can be used with MIT based KDC.
> >
> > The Kerberos realm name is the same as the Windows Domain name.
> >
> > The domain admin would use the Active Directory Management tools to
> > create
> > a user account for the AFS service. Then would use the ktpass tool to
> > set an identity mapping to afs/<cell> and to set the key.
> >
> > See:
> > http://www.microsoft.com/windows2000/techinfo/planning/security/
> > kerbsteps.asp
> > Section "Support for Kerberos Services"
> > "To create a service instance account in the Active Directory"
> >
> > This will create a user account and service principal and enter a key
> > based on the password provided into the Windows Domain.
> >
> > To add a matching key to the AFS KeyFile, the  OpenAFS "bos_util
> > adddes"
> > command can be used. There may be other ways to add this key, but I
> > will describe one.
> >
> > There are some restrictions:
> >
> >  o Microsoft always wants to use a key version number of 0.
> >
> >  o You must use a password to generate the key. But you can view the
> >    keys generated by the ktpass and the bos_util adddes command to
> >    verify that that they match.
> >
> >  o Since ktpass is using a salt with the password, and adddes is not,
> >    you will need to use <password> with ktpass and
> >    <password><realm>afs<cell> with the adddes
> >
> > For example, the cell is named anl.gov and the W2K Domain is ANL.GOV
> > and we will use a password of @#wsRbv3 as an example.
> >
> > On Windows:
> >    Create the account serviceAFS
> >    Set the xxxxxxxxx flag (See Hotfix comments above)
> >    then run:
> >    ktpass -princ afs/anl.gov@ANL.GOV -mapuser serviceAFS -pass
> > "@#wsRbv3"
> >
> >    This will list key in hex. Remember this hex value and the password
> > used.
> >
> > On AFS:
> >    /usr/afs/bin/bos_util adddes 0
> >    Then when prompted for a password enter:
> >        @#wsRbv3ANL.GOVafsanl.gov
> >
> > You can verify the keys with the unix "od -x /usr/afs/KeyFile"
> > command. You should see the same key in hex in the file.
> >
> >
> > COMMENTS
> >
> > This is the second release, and I am looking for comments. If the
> > program
> > of the main function is useful, I would like to submit this to
> > OpenAFS.
> >
> > The program is a modified version of the cklog.c program found in
> > OpenAFS,
> > and it calls the msklog_ms.c routines. The MIT ms2mit program was
> > helpful
> > in understanding the workings of SSPI and LSA. The long term intent is
> > the
> > msklog_ms.c routines could be called from the OpenAFS afscreds.exe
> > directly,
> > making its use transparent to the user.
> >
> > Doug Engert <deengert@anl.gov>    8/6/2003
> >                                 1/8/2004
> > --
> >
> >  Douglas E. Engert  <DEEngert@anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444