[OpenAFS] Kerberos 5, AFS, and no krb524d
Rodney Dyer
rmdyer@uncc.edu
Sun, 08 Jun 2003 14:53:24 -0400
At 12:20 PM 6/8/03 +0200, you wrote:
>
> > 3. Do you have Win2k/XP installed on one of your machines?
>
>Yes. Currently our network is built on Novell Netware. I'm experimenting
>with AFS/K5 on one Windows 98 and one Windows XP machine. I tried both,
>let the Netware's client installed there and also uninstall it to see,
>whether it is of some importance or not.
When testing in your situation always use "clean" machines with the minimum
necessary for things to work. Never complicate issues like installing the
Novell client until you have your primary goal working.
> > 5. Does the OpenAFS client work...out of the box, on the Win2k/XP machine?
>
>What do you mean by "does work"? For Windows XP: I installed it
>successfully, restarted and added the cell name and server mapping. I can
>start the service. I can not mount anything. AFS Client pops up a window
>"Error Mapping Network Drive" telling me to check available drive
>letters. But starting from E: all are unused.
I mean...
* Can you logon with AFS logon authentication enabled?
* Can you mount the AFS cell by hand from the command line with a "NET
USE" command?
* Can you run "klog" and get a token?
This is going to be impossible because you aren't running the
kaserver. The most you should be able to do is logon to the Win2k/XP
machine and mount your AFS cell with "net use x:
\\%computername%-afs\all". If this doesn't work then you need to solve
this first. Take one problem at a time. It doesn't do you a bit of good
to try and get authentication working if you can't mount the cell first.
> > 6. Have you installed the MIT Kerberos for Windows software to get
> > Kerberos 5 tickets?
>
>Yes and I'm getting the tickets.
>On Windows XP: I get my user's ticket. Then I run aklog.exe and it
>crashes. But after that I have the afs@REALM ticket added to my ticket
>list.
I think I've seen this issue...hmm...my memory is that the "aklog.exe"
needed to be recompiled for the version of AFS that I was using. I can't
quite remember if that was the only problem. Have you tried "aklog -d"?
> > 7. Are your Win2k/XP machines members of a Windows Active Directory
> domain?
>
>No. I would like to use OpenLDAP instead.
I can't be any help here. The "big" issue is that if you don't use an
Active Directory domain to group all of your Win2k/XP machines into one
administrative unit, then you will need to create some process that creates
local accounts on every Win2k/XP machine. This is much like the management
of unix workstations where you have a password file on every box, but much
worse. I would advise against this kind of setup since it leads to an
unnecessarily complicated network. This is especially true if you get into
roaming user profiles and folder redirection. Going further, the AD group
policy features make securing each workstation much easier. You can also
setup AD shares, and a "dfs" tree for files that require byte-range-locking
and sharing. We are doing this at our site now. (There does however seem
to be an issue (bug) with "dfs" shares and "trusts" which I'm currently
working on with Microsoft.)
If you absolutely insist on managing each Win2k/XP machine as an individual
unit, then you might try something like the Gina that was developed at
Notre Dame...
http://www.nd.edu/~dobbins/ntarch/nd_gina_doc.html
or the program Wake from...
http://www.rose-hulman.edu/TSC/software/wake
I think the ND gina creates a local account "on-the-fly" for the logon
session, then removes the account at logout. This might work, although I
can see issues with roaming profiles and the like.
> > 9. Irregardless of AFS, can you logon to your Win2k/XP machines with your
> > Kerberos realm password?
>
>Not for now. I also don't know how to configure Windows to use the
>credentials user types into winlogon for Kerberos authentication. I'll
>need this feature.
This is described at...
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Again, I do-not-advise setting up a Win2k/XP workstation environment
without setting up an AD domain. You will probably end up limiting
yourself greatly in the future.
Rodney