[OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 30 Sep 2009 23:11:41 +0200

This is a cryptographically signed message in MIME format.

Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit


1. afscreds simply doesn't work reliably.  as a result, its continued
   use is in my opinion not an option on Vista, 2008 and Windows 7.

2. it is true that Network Identity Manager cannot assume that it
   should obtain an afs token automatically for the default workstation
   cell in the case where the realm name and cell name do not match.
   However, the fact that realm FOO.EXAMPLE.COM should be used for
   cell bar.example.com can be specified in the registry as part of
   your transformed OpenAFS installer or pushed via group policy in
   managed environments.

   afscreds requires that the user provide three values:
     a. cellname
     b. user@REALM
     c. password
   in order to make the cross-realm case work.

   The Network Identity Manager v2 user interface changes and in
   particular the new identity wizard that forces a user to walk
   through the process of configuring the installed credential
   provider setup screens.   However, v2 is not ready for distribution.
   There is no funding to complete the work at present.  Secure
   Endpoints continues to work on it but I'm not willing to make
   a commitment to finish it on any particular schedule.

   In early versions of the AFS provider, tokens for the workstation
   cell were obtained for any Kerberos identity that was used for
   logon.  This caused serious support headaches for sites that use
   Network Identity Manager with multiple identities in realms.
   In the case where two active identities could both obtain a token
   for the default workstation cell the token that was in use at any
   given time would be random.

   If Cornell would like to support the development of Network
   Identity Manager v2, that assistance would be welcome.

3. Network Identity Manager's Kerberos v5 support permits the user
   to specify their own values for lifetime, renew-lifetime, forwarding,
   etc.  This is the same behavior as all previous Kerberos ticket
   managers such as krb5 and leash32.  I have never seen a request
   filed with MIT or Secure Endpoints to suppress this ability.  It
   is certainly something that could easily be added as a local machine
   option that could be added to the KFW installer via a transform or
   pushed via global policy.

I hope my comments have addressed your concerns.  If they haven't
then we need to discuss how the creation of another replacement
for afscreds.exe should be pursued.  The design of the existing
tool is flawed and cannot be distributed for use with modern versions
of Windows.

Another issue I forgot to mention in the original post is that the
help system used by afscreds.exe and afs_config.exe is no longer
available on Vista, 2008, and Windows 7.

Jeffrey Altman

Dave B wrote:
> While I haven't looked in about a year, with the current version of MIT KfW
> netidmgr (I believe the v2 beta may fix this), users doing cross-realm authn
> to get afs tokens have to manually set up the mapping between the cross-realm
> kerberos user and the afs user. Otherwise, it doesn't work. afs_creds just
> works for seeing token status and getting new tokens (which is the only
> functionality of tokens we care about). Doing the setup in netidmgr would
> sometimes also by virtue of setting something write in user-specific registry
> settings for things like ticket lifetime, overriding the krb5.ini system
> defaults. 
> In other words, non-afscreds for display/getting/destroying tokens is an added
> administrative burden. 
> Perhaps the above has been fixed and is no longer a concern.
> On Wed, Sep 30, 2009 at 10:19:04PM +0200, Jeffrey Altman wrote:
>> Ever since the release of Windows Vista I have been worried about the
>> continued shipment of afscred.exe (AFS Authentication Tool) and
>> afs_config.exe (AFS Client Manager Configuration Tool) in the OpenAFS
>> installers.
>> The Problem:
>> Beginning with Windows Vista, Microsoft implemented a security barrier
>> referred to as User Account Control which tightens the noose on normal
>> user accounts and prevents them from being used to perform a variety of
>> operations such as starting and stopping services or writing to the
>> local machine registry hive which they were able to do in previous
>> Windows releases.   In addition, user accounts that are members of the
>> "Administrators" group always log on to the machine as normal users.  In
>> order for a process to be started with the extra special Administrators
>> bits and explicit click through approval is required by the user.  A
>> process that is started as an Administrative process shares the desktop
>> but is effectively in a separate logon session.
>> afscreds.exe and afs_config.exe perform some functionality that must be
>> executed in the standard logon session and other functions that must be
>> performed as an administrative process.  A process cannot be both.  As a
>> result, depending on the user account type used and the mode the process
>> is started with different function sets will misbehave.  If the process
>> is started with Administrative bits, the process is unable to:
>>  * access the MIT Kerberos v5 credential caches to obtain tokens
>>  * create drive mappings
>> If the process is started without the Administrative bits, the process:
>>  * silently discards configuration changes that are saved in the registry
>>  * is unable to start or stop the afsd service
>> Based upon feedback received at the European AFS Workshop the shipment
>> and installation of these tools are creating a significant support burden. 
>> The Proposal:
>> I propose that beginning with 1.5.66 (whenever that is) that the
>> afscreds.exe and afs_config.exe tools not be installed at all on any
>> Windows version Vista or beyond and that on 2000, XP and 2003 that these
>> tools not be installed as part of the default configuration.
>> The Impact:
>> The afscreds tool provides three sets of functionality:
>>  * token acquisition (and renewal if MIT KFW is present)
>>  * drive mapping
>>  * start/stop the afsd service
>> Network Identity Manager has long been available as a replacement for
>> the token acquisition functionality and it is available on any system on
>> which MIT KFW is present.  The only systems that wouldn't have it are
>> clients of cells that are still using kaserver.  
>> The drive mapping functionality has been documented as deprecated since
>> the addition of the loopback installation permitted the use of a
>> standard \\AFS UNC server name.  The recommended method for a user to
>> create a drive mapping is the Windows Drive Mapping user interface
>> provided as part of "[My] Computer" and the Explorer Shell.
>> Starting and stopping the afsd service is an administration function
>> that can be performed using the Windows Service MMC.
>> The afs_config.exe tool provides:
>>  * configuration management including cell name, server preferences,
>> cellservdb editing,
>>    cache size, and advanced tuning parameters
>>  * start/stop functionality
>>  * drive mapping
>> While it is not ready for general purpose use, Brant Gurganus has made
>> significant progress on his OpenAFS Cache Manager MMC snap-in.  This
>> tool has the potential to perform the first two functions in a more
>> complete manner than the afs_config tool ever did.  As for the drive
>> mapping, the Explorer Shell interface can be used.  As soon as this tool
>> is deemed ready for incorporation in the distribution it will be added.
>> Please Provide Feedback:
>> If you are a Windows user or a system administrator that has a large
>> number of Windows users, please comment on whether or not you agree with
>> the proposed action.
>> Thank you.
>> Jeffrey Altman

Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature