[OpenAFS] MSKLOG - Acquiring AFS tokens on Windows using Microsoft Security
Chris McClimans
openafs-info@mcclimans.net
Thu, 22 Jan 2004 17:09:36 -0600
On Jan 22, 2004, at 4:26 PM, Douglas E. Engert wrote:
> Yes it should work. You will want to have different key version nombers
> for the afs/cs.ttu.edu@CS.TTU.EDU and afs/cs.ttu.edu@TTU.EDU as the K5
> ticket created by each will be encryt in different keys. By the time
> AFS look these up in the /usr/afs/etc/KeyFile it only has the knvo,
> and does not know what principal was actually used.
MS keytabs apparently always use kvno 0, and MIT starts with 1, so we
should be safe.
> But the client principal is user@TTU,EDU,and may then appear to
> AFS as a foreign user.
I'm currently using gssklog[d] which works with manually entered MIT
credentials. ms2mit and gssklog however fail.
> Our situation is a little differnet, in the users are in a ANL.GOV
> (a MS AD realm) and our AFS cell is also named anl.gov.
>
> Micrsoft is still working on the NO-PAC hotfix, which is really needed
> to get this to work with AD.
I thought that getting rid of the cross-realm trust might clear up a
few issues for us, but using an MS AD for the afs key is looking like
it may be unusable for now.
>
>
>> -chris
>>
>> On Jan 8, 2004, at 2:11 PM, Douglas E. Engert wrote:
>>
>>>
>>> Acquiring AFS tokens on Windows using Microsoft Security
>>> I would like to submit to the OpenAFS community a simplified
>>> method of obtaining AFS tokens on Windows using the built in
>>> Microsoft security.
>>>
>>> The readme is attached and at:
>>> ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG
>>> The source is at:
>>> ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.1.tar
>>>
>>> There are many sites that have run AFS on Windows and would like to
>>> use AD authentication for AFS but don't want to have to run any
>>> additional Kerberos set of tools. I know there is a lot of work going
>>> on improving the MIT KfW packages, but in many situations this may be
>>> more then a user or site wants to run. Some site may be using Hiemdal
>>> or other Kerberos on Windows and don't want to switch.
>>>
>>> Msklog does not use any of these Kerberos packages, but uses the SSPI
>>> and LSA code of W2K and XP which allow the msklog program to get a
>>> Kerberos V5 ticket without having any additional Kerberos code on
>>> the Windows machine.
>>>
>>> I am sending this note today, as Microsoft is close to releasing
>>> a Hotfix for AD which will allow for much smaller tickets to be
>>> produced, which has been a problem in the past with AFS on all
>>> platforms.
>>> The msklog can take advantage of this Hotfix when it becomes
>>> available
>>> but
>>> can also be used today if built with the -DNO_MS_PAC option.
>>>
>>> I would like to see the mslog_ms.c added to OpenAFS and callable
>>> from afscreds.exe. I am willing to do this if there is interest.
>>>
>>>
>>> --------------------README------------------------
>>>
>>> MSKLOG - Get an AFS Token on Windows OpenAFS Client - release 0.1
>>>
>>>
>>> INTRODUCTION
>>>
>>> AFS has evolved over the years, and recent capabilities have been
>>> added to OpenAFS to allow it to use Kerberos V5 tickets in the AFS
>>> token.
>>> The MSKLOG program takes advantage of this, and is designed to use
>>> as much of the Microsoft built in Kerberos code as possible. When
>>> run on a machine as part of a domain the User's login credentials can
>>> be used to obtain the AFS token.
>>>
>>> Unlike aklog or gssklog, no additional Kerberos libraries are needed
>>> on the client, and no additional daemons like krb524d or gssklogd are
>>> needed.
>>>
>>> The program relies only on the Microsoft DLLs and OpenAFS libraries.
>>> No changes are needed to the AFS servers. (The servers need to be at
>>> 1.2.8
>>> at least.) So the program can easily be used in a Microsoft only
>>> environment,
>>> as well as a mixed environment.
>>>
>>> Current assumptions are that the AFS user name matches the Kerberos
>>> principal, and the cell name matches the Kerberos Realm name.
>>>
>>> GETTING AN AFS TOKEN
>>>
>>> Msklog can be used in two modes. If you have use the integrated
>>> login,
>>> to login to the workstation, you can just run msklog, and it will use
>>> your login credentials.
>>>
>>> If you did not login, you can use the msklog -principal and -password
>>> options. See: msklog -help for the options.
>>>
>>>
>>> BUILDING
>>>
>>> Unzip, and edit the msklog.mak to change the locations of some
>>> directories.
>>>
>>> SRC_D - source (default .)
>>> BIN_D - output file of msklog.exe
>>> OBJ_D - output object files
>>>
>>> MSSDK_INC_D - Microsoft SDK include
>>> AFS_INC_D - AFS includes
>>> AFS_LIB_D - AFS libs
>>> FIX_KVNO_INC_D - the AFS src\rxkad (See Below)
>>>
>>> Then do:
>>>
>>> nmake -f msklog.mak
>>>
>>> DEBUG NOTE
>>>
>>> As a testing and debugging aid, the code can be compiled with a
>>> -DFIX_KVNO
>>> to allow the -fixkvno n option to be used to set the key version
>>> number.
>>> I needed this for testing, as the OpenAFS-1.2.8 would not accept a
>>> ticket with
>>> default/missing kvno=0, and I had set the kvno to a different number,
>>> but the
>>> Microsoft KDC always returns kvno=0.
>>>
>>>
>>> HOTFIX FOR DOMAIN CONTROLLER
>>>
>>> Microsoft is working on hotfix xxxxxxxx for the Windows Domain
>>> controllers
>>> to allow tickets to be issued without a PAC. This greatly reduces
>>> the
>>> size of the ticket, so it can be used by AFS. (AFS does not use the
>>> PAC information anyway.)
>>>
>>> See: http://......
>>>
>>> Until this hotfix is available, msklog can be used without this
>>> hotfix, if
>>> it is compiled with the -DNO_MS_PAC option. But this uses an MS only
>>> feature
>>> and will not work against an MIT KDC.
>>>
>>> USING MSKLOG with an MIT KDC
>>>
>>> See
>>> http://www.microsoft.com/windows2000/techinfo/planning/security/
>>> kerbsteps.asp
>>> Section: "Using an MIT KDC with a Standalone Windows 2000
>>> Workstation"
>>>
>>> You will need to run the ktsetup command to define the Realm and
>>> location of
>>> the KDCs at least. If you want to use the integrated login, you will
>>> need to
>>> follow the other steps as well.
>>>
>>> SETTING UP THE KEYS
>>>
>>> The Kerberos KDC will need a principal, key and kvno for "afs/<cell>"
>>> and the AFS servers will need this key and kvno entered into the
>>> /usr/afs/etc/KeyFile
>>>
>>> I will only describe adding a key when using the Windows Domain
>>> controller as the KDC. Similar command can be used with MIT based
>>> KDC.
>>>
>>> The Kerberos realm name is the same as the Windows Domain name.
>>>
>>> The domain admin would use the Active Directory Management tools to
>>> create
>>> a user account for the AFS service. Then would use the ktpass tool to
>>> set an identity mapping to afs/<cell> and to set the key.
>>>
>>> See:
>>> http://www.microsoft.com/windows2000/techinfo/planning/security/
>>> kerbsteps.asp
>>> Section "Support for Kerberos Services"
>>> "To create a service instance account in the Active Directory"
>>>
>>> This will create a user account and service principal and enter a key
>>> based on the password provided into the Windows Domain.
>>>
>>> To add a matching key to the AFS KeyFile, the OpenAFS "bos_util
>>> adddes"
>>> command can be used. There may be other ways to add this key, but I
>>> will describe one.
>>>
>>> There are some restrictions:
>>>
>>> o Microsoft always wants to use a key version number of 0.
>>>
>>> o You must use a password to generate the key. But you can view the
>>> keys generated by the ktpass and the bos_util adddes command to
>>> verify that that they match.
>>>
>>> o Since ktpass is using a salt with the password, and adddes is not,
>>> you will need to use <password> with ktpass and
>>> <password><realm>afs<cell> with the adddes
>>>
>>> For example, the cell is named anl.gov and the W2K Domain is ANL.GOV
>>> and we will use a password of @#wsRbv3 as an example.
>>>
>>> On Windows:
>>> Create the account serviceAFS
>>> Set the xxxxxxxxx flag (See Hotfix comments above)
>>> then run:
>>> ktpass -princ afs/anl.gov@ANL.GOV -mapuser serviceAFS -pass
>>> "@#wsRbv3"
>>>
>>> This will list key in hex. Remember this hex value and the
>>> password
>>> used.
>>>
>>> On AFS:
>>> /usr/afs/bin/bos_util adddes 0
>>> Then when prompted for a password enter:
>>> @#wsRbv3ANL.GOVafsanl.gov
>>>
>>> You can verify the keys with the unix "od -x /usr/afs/KeyFile"
>>> command. You should see the same key in hex in the file.
>>>
>>>
>>> COMMENTS
>>>
>>> This is the second release, and I am looking for comments. If the
>>> program
>>> of the main function is useful, I would like to submit this to
>>> OpenAFS.
>>>
>>> The program is a modified version of the cklog.c program found in
>>> OpenAFS,
>>> and it calls the msklog_ms.c routines. The MIT ms2mit program was
>>> helpful
>>> in understanding the workings of SSPI and LSA. The long term intent
>>> is
>>> the
>>> msklog_ms.c routines could be called from the OpenAFS afscreds.exe
>>> directly,
>>> making its use transparent to the user.
>>>
>>> Doug Engert <deengert@anl.gov> 8/6/2003
>>> 1/8/2004
>>> --
>>>
>>> Douglas E. Engert <DEEngert@anl.gov>
>>> Argonne National Laboratory
>>> 9700 South Cass Avenue
>>> Argonne, Illinois 60439
>>> (630) 252-5444
>>> _______________________________________________
>>> OpenAFS-info mailing list
>>> OpenAFS-info@openafs.org
>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444