[OpenAFS] Kerberos 5, AFS, and no krb524d

Rodney Dyer rmdyer@uncc.edu
Sun, 08 Jun 2003 14:53:24 -0400


At 12:20 PM 6/8/03 +0200, you wrote:
> > 3.  Do you have Win2k/XP installed on one of your machines?
>
>Yes. Currently our network is built on Novell Netware. I'm experimenting
>with AFS/K5 on one Windows 98 and one Windows XP machine. I tried both,
>leaving the Netware client installed there and also uninstalling it to see
>whether it is of some importance or not.

When testing in your situation, always use "clean" machines with the minimum 
necessary for things to work.  Never complicate issues like installing the 
Novell client until you have your primary goal working.

> > 5.  Does the OpenAFS client work...out of the box, on the Win2k/XP machine?
>
>What do you mean by "does work"? For Windows XP: I installed it
>successfully, restarted and added the cell name and server mapping. I can
>start the service. I can not mount anything. AFS Client pops up a window
>"Error Mapping Network Drive" telling me to check available drive
>letters. But starting from E: all are unused.

I mean...

*  Can you logon with AFS logon authentication enabled?
*  Can you mount the AFS cell by hand from the command line with a "NET 
USE" command?
*  Can you run "klog" and get a token?

This is going to be impossible because you aren't running the 
kaserver.  The most you should be able to do is logon to the Win2k/XP 
machine and mount your AFS cell with "net use x: 
\\%computername%-afs\all".  If this doesn't work then you need to solve 
this first.  Take one problem at a time.  It doesn't do you a bit of good 
to try and get authentication working if you can't mount the cell first.

> > 6.  Have you installed the MIT Kerberos for Windows software to get
> > Kerberos 5 tickets?
>
>Yes and I'm getting the tickets.
>On Windows XP: I get my user's ticket. Then I run aklog.exe and it
>crashes. But after that I have the afs@REALM ticket added to my ticket
>list.

I think I've seen this issue...hmm...my memory is that the "aklog.exe" 
needed to be recompiled for the version of AFS that I was using.  I can't 
quite remember if that was the only problem.  Have you tried "aklog -d"?

> > 7.  Are your Win2k/XP machines members of a Windows Active Directory 
> domain?
>
>No. I would like to use OpenLDAP instead.

I can't be any help here.  The "big" issue is that if you don't use an 
Active Directory domain to group all of your Win2k/XP machines into one 
administrative unit, then you will need to create some process that creates 
local accounts on every Win2k/XP machine.  This is much like the management 
of unix workstations where you have a password file on every box, but much 
worse.  I would advise against this kind of setup since it leads to an 
unnecessarily complicated network.  This is especially true if you get into 
roaming user profiles and folder redirection.  Going further, the AD group 
policy features make securing each workstation much easier.  You can also 
set up AD shares, and a "dfs" tree for files that require byte-range-locking 
and sharing.  We are doing this at our site now.  (There does however seem 
to be an issue (bug) with "dfs" shares and "trusts" which I'm currently 
working on with Microsoft.)

If you absolutely insist on managing each Win2k/XP machine as an individual 
unit, then you might try something like the Gina that was developed at 
Notre Dame...

http://www.nd.edu/~dobbins/ntarch/nd_gina_doc.html

or the program Wake from...

http://www.rose-hulman.edu/TSC/software/wake

I think the ND gina creates a local account "on-the-fly" for the logon 
session, then removes the account at logout.  This might work, although I 
can see issues with roaming profiles and the like.

> > 9.  Irregardless of AFS, can you logon to your Win2k/XP machines with your
> > Kerberos realm password?
>
>Not for now. I also don't know how to configure Windows to use the
>credentials user types into winlogon for Kerberos authentication. I'll
>need this feature.

This is described at...

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

Again, I do-not-advise setting up a Win2k/XP workstation environment 
without setting up an AD domain.  You will probably end up limiting 
yourself greatly in the future.

Rodney
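A constructed cmd batch script (added here, not part of the original post or of OpenAFS) that runs the checks Rodney lists in the order he recommends, stopping at the first failure: map the cell root without authentication, confirm a Kerberos 5 TGT from MIT Kerberos for Windows, then run "aklog -d". It assumes klist, kinit and aklog are on PATH, that drive letter X: is free, and that the OpenAFS client service is already running.

```batch
@echo off
REM Constructed troubleshooting script, not from the original post.
REM Order matters: mount first, then ticket, then token (one problem at a time).
REM Assumptions: MIT KfW (klist/kinit) and OpenAFS (aklog) on PATH; X: unused.
setlocal

set DRIVE=X:
set AFSPATH=\\%COMPUTERNAME%-afs\all

echo [1] Mapping the AFS cell root without any authentication...
net use %DRIVE% %AFSPATH% >nul 2>&1
if errorlevel 1 (
    echo FAIL: cannot map %DRIVE% to %AFSPATH%. Fix the client/service first.
    goto :end
)
echo OK: %DRIVE% mapped to %AFSPATH%
REM Release the mapping so the later checks start from a known state.
net use %DRIVE% /delete >nul 2>&1

echo [2] Looking for a Kerberos 5 TGT in the MIT KfW ticket cache...
klist | findstr /i "krbtgt" >nul 2>&1
if errorlevel 1 (
    echo FAIL: no krbtgt ticket in the cache. Run kinit and retry.
    goto :end
)
echo OK: Kerberos 5 TGT present

echo [3] Requesting an AFS token with aklog in debug mode...
aklog -d
if errorlevel 1 (
    echo FAIL: aklog exited with code %ERRORLEVEL%; read the debug output above.
    goto :end
)
echo OK: aklog returned success

:end
endlocal
```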