[OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions

Dave B botsch@cnf.cornell.edu
Wed, 30 Sep 2009 18:38:21 -0400

A good discussion happening here...

On Wed, Sep 30, 2009 at 11:11:41PM +0200, Jeffrey Altman wrote:
> David:
> 1. afscreds simply doesn't work reliably.  as a result, its continued
>    use is in my opinion not an option on Vista, 2008 and Windows 7.

Fortunately, we use it very simply, and at the moment, mainly on XP  and on
Server 2003 (there are < 5 vista machines using it, and of those, the folk
dont' really use afs). Since it will still be an optional install in XP, that
keeps us happy for the moment. We will probably be going to Windows 7,
assuming that Windows 7 doesn't break things worse than XP in early 2010.

> 2. it is true that Network Identity Manager cannot assume that it
>    should obtain an afs token automatically for the default workstation
>    cell in the case where the realm name and cell name do not match.
>    However, the fact that realm FOO.EXAMPLE.COM should be used for
>    cell bar.example.com can be specified in the registry as part of
>    your transformed OpenAFS installer or pushed via group policy in
>    managed environments.

That would be a good thing. Need to spend some time with the docs and test
this registry value. I seem to recall that even with the afs provider
installed, the obtain afs tokens bit was also turned off by default (perhaps
an installtion of order thing). But, my memory is fuzzy since it's been a
while, and maybe, once again, there's a registry setting that sets this.

>    afscreds requires that the user provide three values:
>      a. cellname
>      b. user@REALM
>      c. password
>    in order to make the cross-realm case work.

for those users that need to login, value a is automagically filled in with
the registry name. That's good. valule b may automagically fill in with the
last thing they used, I don't recall. If not, users know to use the user@REALM
format. And, of course, they darn well better know value c :)

>    The Network Identity Manager v2 user interface changes and in
>    particular the new identity wizard that forces a user to walk
>    through the process of configuring the installed credential
>    provider setup screens.   However, v2 is not ready for distribution.
>    There is no funding to complete the work at present.  Secure
>    Endpoints continues to work on it but I'm not willing to make
>    a commitment to finish it on any particular schedule.

Good to know not to wait around for it.

>    In early versions of the AFS provider, tokens for the workstation
>    cell were obtained for any Kerberos identity that was used for
>    logon.  This caused serious support headaches for sites that use
>    Network Identity Manager with multiple identities in realms.
>    In the case where two active identities could both obtain a token
>    for the default workstation cell the token that was in use at any
>    given time would be random.

as long as this doesn't make it more complicated for sites only dealing with a
single kerberos identity.

>    If Cornell would like to support the development of Network
>    Identity Manager v2, that assistance would be welcome.
> 3. Network Identity Manager's Kerberos v5 support permits the user
>    to specify their own values for lifetime, renew-lifetime, forwarding,
>    etc.  This is the same behavior as all previous Kerberos ticket
>    managers such as krb5 and leash32.  I have never seen a request
>    filed with MIT or Secure Endpoints to suppress this ability.  It
>    is certainly something that could easily be added as a local machine
>    option that could be added to the KFW installer via a transform or
>    pushed via global policy.

Will have to put filing such a request on my TODO list. If someone even says
"oh what's this" and moneksy with the sliders, they've just broken my system
defaults. In some scenarios that is a good thing. Not in our case.

> I hope my comments have addressed your concerns.  If they haven't
> then we need to discuss how the creation of another replacement
> for afscreds.exe should be pursued.  The design of the existing
> tool is flawed and cannot be distributed for use with modern versions
> of Windows.

I think with a couple of simple changes/hacks/settings/etc, network identity
manager can be made to work well.

> Another issue I forgot to mention in the original post is that the
> help system used by afscreds.exe and afs_config.exe is no longer
> available on Vista, 2008, and Windows 7.

Fortunately, that doesn't affect us, since help=someone knocking on my door.

> Jeffrey Altman
> Dave B wrote:
> > While I haven't looked in about a year, with the current version of MIT KfW
> > netidmgr (I believe the v2 beta may fix this), users doing cross-realm authn
> > to get afs tokens have to manually set up the mapping between the cross-realm
> > kerberos user and the afs user. Otherwise, it doesn't work. afs_creds just
> > works for seeing token status and getting new tokens (which is the only
> > functionality of tokens we care about). Doing the setup in netidmgr would
> > sometimes also by virtue of setting something write in user-specific registry
> > settings for things like ticket lifetime, overriding the krb5.ini system
> > defaults. 
> > 
> > In other words, non-afscreds for display/getting/destroying tokens is an added
> > administrative burden. 
> > 
> > Perhaps the above has been fixed and is no longer a concern.
> > 
> > On Wed, Sep 30, 2009 at 10:19:04PM +0200, Jeffrey Altman wrote:
> >> Ever since the release of Windows Vista I have been worried about the
> >> continued shipment of afscred.exe (AFS Authentication Tool) and
> >> afs_config.exe (AFS Client Manager Configuration Tool) in the OpenAFS
> >> installers.
> >>
> >> The Problem:
> >>
> >> Beginning with Windows Vista, Microsoft implemented a security barrier
> >> referred to as User Account Control which tightens the noose on normal
> >> user accounts and prevents them from being used to perform a variety of
> >> operations such as starting and stopping services or writing to the
> >> local machine registry hive which they were able to do in previous
> >> Windows releases.   In addition, user accounts that are members of the
> >> "Administrators" group always log on to the machine as normal users.  In
> >> order for a process to be started with the extra special Administrators
> >> bits and explicit click through approval is required by the user.  A
> >> process that is started as an Administrative process shares the desktop
> >> but is effectively in a separate logon session.
> >>
> >> afscreds.exe and afs_config.exe perform some functionality that must be
> >> executed in the standard logon session and other functions that must be
> >> performed as an administrative process.  A process cannot be both.  As a
> >> result, depending on the user account type used and the mode the process
> >> is started with different function sets will misbehave.  If the process
> >> is started with Administrative bits, the process is unable to:
> >>
> >>  * access the MIT Kerberos v5 credential caches to obtain tokens
> >>
> >>  * create drive mappings
> >>
> >> If the process is started without the Administrative bits, the process:
> >>
> >>  * silently discards configuration changes that are saved in the registry
> >>
> >>  * is unable to start or stop the afsd service
> >>
> >> Based upon feedback received at the European AFS Workshop the shipment
> >> and installation of these tools are creating a significant support burden. 
> >>
> >>
> >> The Proposal:
> >>
> >> I propose that beginning with 1.5.66 (whenever that is) that the
> >> afscreds.exe and afs_config.exe tools not be installed at all on any
> >> Windows version Vista or beyond and that on 2000, XP and 2003 that these
> >> tools not be installed as part of the default configuration.
> >>
> >>
> >> The Impact:
> >>
> >> The afscreds tool provides three sets of functionality:
> >>
> >>  * token acquisition (and renewal if MIT KFW is present)
> >>
> >>  * drive mapping
> >>
> >>  * start/stop the afsd service
> >>
> >> Network Identity Manager has long been available as a replacement for
> >> the token acquisition functionality and it is available on any system on
> >> which MIT KFW is present.  The only systems that wouldn't have it are
> >> clients of cells that are still using kaserver.  
> >>
> >> The drive mapping functionality has been documented as deprecated since
> >> the addition of the loopback installation permitted the use of a
> >> standard \\AFS UNC server name.  The recommended method for a user to
> >> create a drive mapping is the Windows Drive Mapping user interface
> >> provided as part of "[My] Computer" and the Explorer Shell.
> >>
> >> Starting and stopping the afsd service is an administration function
> >> that can be performed using the Windows Service MMC.
> >>
> >> The afs_config.exe tool provides:
> >>
> >>  * configuration management including cell name, server preferences,
> >> cellservdb editing,
> >>    cache size, and advanced tuning parameters
> >>
> >>  * start/stop functionality
> >>
> >>  * drive mapping
> >>
> >> While it is not ready for general purpose use, Brant Gurganus has made
> >> significant progress on his OpenAFS Cache Manager MMC snap-in.  This
> >> tool has the potential to perform the first two functions in a more
> >> complete manner than the afs_config tool ever did.  As for the drive
> >> mapping, the Explorer Shell interface can be used.  As soon as this tool
> >> is deemed ready for incorporation in the distribution it will be added.
> >>
> >>
> >> Please Provide Feedback:
> >>
> >> If you are a Windows user or a system administrator that has a large
> >> number of Windows users, please comment on whether or not you agree with
> >> the proposed action.
> >>
> >> Thank you.
> >>
> >> Jeffrey Altman
> >>
> > 
> > 
> > 

David William Botsch
CNF Computing