[OpenAFS] MSKLOG - Acquiring AFS tokens on Windows using Microsoft Security
Douglas E. Engert
deengert@anl.gov
Thu, 08 Jan 2004 14:11:17 -0600
Acquiring AFS tokens on Windows using Microsoft Security
I would like to submit to the OpenAFS community a simplified
method of obtaining AFS tokens on Windows using the built in
Microsoft security.
The readme is attached and at:
ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG
The source is at:
ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.1.tar
There are many sites that have run AFS on Windows and would like to
use AD authentication for AFS but don't want to have to run any
additional Kerberos set of tools. I know there is a lot of work going
on improving the MIT KfW packages, but in many situations this may be
more than a user or site wants to run. Some sites may be using Heimdal
or other Kerberos on Windows and don't want to switch.
Msklog does not use any of these Kerberos packages, but uses the SSPI
and LSA code of W2K and XP which allow the msklog program to get a
Kerberos V5 ticket without having any additional Kerberos code on
the Windows machine.
I am sending this note today, as Microsoft is close to releasing
a Hotfix for AD which will allow for much smaller tickets to be
produced, which has been a problem in the past with AFS on all platforms.
The msklog can take advantage of this Hotfix when it becomes available but
can also be used today if built with the -DNO_MS_PAC option.
I would like to see the mslog_ms.c added to OpenAFS and callable
from afscreds.exe. I am willing to do this if there is interest.
--------------------README------------------------
MSKLOG - Get an AFS Token on Windows OpenAFS Client - release 0.1
INTRODUCTION
AFS has evolved over the years, and recent capabilities have been
added to OpenAFS to allow it to use Kerberos V5 tickets in the AFS token.
The MSKLOG program takes advantage of this, and is designed to use
as much of the Microsoft built in Kerberos code as possible. When
run on a machine as part of a domain the User's login credentials can
be used to obtain the AFS token.
Unlike aklog or gssklog, no additional Kerberos libraries are needed
on the client, and no additional daemons like krb524d or gssklogd are
needed.
The program relies only on the Microsoft DLLs and OpenAFS libraries.
No changes are needed to the AFS servers. (The servers need to be at 1.2.8
at least.) So the program can easily be used in a Microsoft only environment,
as well as a mixed environment.
Current assumptions are that the AFS user name matches the Kerberos
principal, and the cell name matches the Kerberos Realm name.
GETTING AN AFS TOKEN
Msklog can be used in two modes. If you have used the integrated login
to log in to the workstation, you can just run msklog, and it will use
your login credentials.
If you did not login, you can use the msklog -principal and -password
options. See: msklog -help for the options.
BUILDING
Unzip, and edit the msklog.mak to change the locations of some directories.
SRC_D - source (default .)
BIN_D - output file of msklog.exe
OBJ_D - output object files
MSSDK_INC_D - Microsoft SDK include
AFS_INC_D - AFS includes
AFS_LIB_D - AFS libs
FIX_KVNO_INC_D - the AFS src\rxkad (See Below)
Then do:
nmake -f msklog.mak
DEBUG NOTE
As a testing and debugging aid, the code can be compiled with a -DFIX_KVNO
to allow the -fixkvno n option to be used to set the key version number.
I needed this for testing, as the OpenAFS-1.2.8 would not accept a ticket with
default/missing kvno=0, and I had set the kvno to a different number, but the
Microsoft KDC always returns kvno=0.
HOTFIX FOR DOMAIN CONTROLLER
Microsoft is working on hotfix xxxxxxxx for the Windows Domain controllers
to allow tickets to be issued without a PAC. This greatly reduces the
size of the ticket, so it can be used by AFS. (AFS does not use the
PAC information anyway.)
See: http://......
Until this hotfix is available, msklog can be used without this hotfix, if
it is compiled with the -DNO_MS_PAC option. But this uses an MS only feature
and will not work against an MIT KDC.
USING MSKLOG with an MIT KDC
See
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Section: "Using an MIT KDC with a Standalone Windows 2000 Workstation"
You will need to run the ktsetup command to define the Realm and location of
the KDCs at least. If you want to use the integrated login, you will need to
follow the other steps as well.
SETTING UP THE KEYS
The Kerberos KDC will need a principal, key and kvno for "afs/<cell>"
and the AFS servers will need this key and kvno entered into the
/usr/afs/etc/KeyFile
I will only describe adding a key when using the Windows Domain
controller as the KDC. Similar commands can be used with an MIT based KDC.
The Kerberos realm name is the same as the Windows Domain name.
The domain admin would use the Active Directory Management tools to create
a user account for the AFS service. Then they would use the ktpass tool to
set an identity mapping to afs/<cell> and to set the key.
See:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Section "Support for Kerberos Services"
"To create a service instance account in the Active Directory"
This will create a user account and service principal and enter a key
based on the password provided into the Windows Domain.
To add a matching key to the AFS KeyFile, the OpenAFS "bos_util adddes"
command can be used. There may be other ways to add this key, but I
will describe one.
There are some restrictions:
o Microsoft always wants to use a key version number of 0.
o You must use a password to generate the key. But you can view the
keys generated by the ktpass and the bos_util adddes command to
verify that they match.
o Since ktpass is using a salt with the password, and adddes is not,
you will need to use <password> with ktpass and
<password><realm>afs<cell> with the adddes
For example, the cell is named anl.gov and the W2K Domain is ANL.GOV
and we will use a password of @#wsRbv3 as an example.
On Windows:
Create the account serviceAFS
Set the xxxxxxxxx flag (See Hotfix comments above)
then run:
ktpass -princ afs/anl.gov@ANL.GOV -mapuser serviceAFS -pass "@#wsRbv3"
This will list the key in hex. Remember this hex value and the password used.
On AFS:
/usr/afs/bin/bos_util adddes 0
Then when prompted for a password enter:
@#wsRbv3ANL.GOVafsanl.gov
You can verify the keys with the unix "od -x /usr/afs/KeyFile"
command. You should see the same key in hex in the file.
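As an added illustration, not part of this posting or of the msklog
sources, the Go program below implements the RFC 3961 DES string-to-key
derivation and shows why the adddes password has to be typed as
<password><realm>afs<cell>: Kerberos applies the default salt, the realm
followed by the principal components with no separators (ANL.GOVafsanl.gov
for afs/anl.gov@ANL.GOV), before deriving the key, while bos_util adddes
applies no salt, so feeding it the already concatenated string yields the
same KeyFile entry. The names DefaultSalt, DESStringToKey, KtpassKey,
AdddesKey and KeysMatch are mine; that ktpass uses the standard Kerberos 5
default salt is an assumption the README's rule implies; the sample
password, realm and cell are the README's example values used as
constructed input. The RFC 3961 test vector ("password" with salt
"ATHENA.MIT.EDUraeburn" gives cbc22fae235298e3) checks the derivation.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Constructed inputs taken from the README's worked example (assumption: the
// README's <password><realm>afs<cell> rule is the Kerberos 5 default salt).
const (
	examplePassword = "@#wsRbv3"
	exampleRealm    = "ANL.GOV"
	exampleCell     = "anl.gov"
)

// weakKeys are the 16 DES weak and semi-weak keys from RFC 3961 (odd parity form).
var weakKeys = []string{
	"0101010101010101", "fefefefefefefefe", "1f1f1f1f0e0e0e0e", "e0e0e0e0f1f1f1f1",
	"01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
	"01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
	"011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
}

// DefaultSalt builds the Kerberos 5 default salt for a principal: the realm
// followed by the principal components with no separators.
func DefaultSalt(realm string, components ...string) string {
	s := realm
	for _, c := range components {
		s += c
	}
	return s
}

// keyCorrection forces odd parity on every byte (the parity bit is the low
// bit) and perturbs a weak or semi-weak key as RFC 3961 requires.
func keyCorrection(k []byte) {
	for i := range k {
		if bits.OnesCount8(k[i]&0xfe)%2 == 0 {
			k[i] |= 1
		} else {
			k[i] &^= 1
		}
	}
	h := hex.EncodeToString(k)
	for _, w := range weakKeys {
		if h == w {
			k[7] ^= 0xf0
			return
		}
	}
}

// DESStringToKey implements des_string_to_key from RFC 3961 section 6.2:
// fan-fold the zero-padded password||salt into 56 bits, add parity, then take
// a DES-CBC checksum of the same text keyed and IV'd with that temporary key.
func DESStringToKey(password, salt string) ([8]byte, error) {
	var key [8]byte
	s := []byte(password + salt)
	if rem := len(s) % 8; rem != 0 {
		s = append(s, make([]byte, 8-rem)...)
	}
	// Fan-fold: the 7 data bits of each byte land in bits 7..1 of the key byte;
	// every second 8-byte block is bit-reversed before being XORed in.
	for b := 0; b < len(s)/8; b++ {
		blk := s[b*8 : b*8+8]
		for j := 0; j < 8; j++ {
			if b%2 == 0 {
				key[j] ^= (blk[j] & 0x7f) << 1
			} else {
				// Reverse8 of a 7-bit value leaves the reversed bits in 7..1.
				key[j] ^= bits.Reverse8(blk[7-j] & 0x7f)
			}
		}
	}
	keyCorrection(key[:])
	// DES-CBC-check: CBC-MAC of the padded text, temporary key used as key and IV.
	block, err := des.NewCipher(key[:])
	if err != nil {
		return key, err
	}
	iv := key
	for i := 0; i < len(s); i += 8 {
		var x [8]byte
		for j := range x {
			x[j] = iv[j] ^ s[i+j]
		}
		block.Encrypt(iv[:], x[:])
	}
	key = iv
	keyCorrection(key[:])
	return key, nil
}

// KtpassKey models the salted derivation the README attributes to ktpass.
func KtpassKey(password, realm, cell string) ([8]byte, error) {
	return DESStringToKey(password, DefaultSalt(realm, "afs", cell))
}

// AdddesKey models bos_util adddes: whatever is typed is the whole input, no salt.
func AdddesKey(typed string) ([8]byte, error) {
	return DESStringToKey(typed, "")
}

// KeysMatch reports whether the two procedures yield the same KeyFile key when
// adddes is given <password><realm>afs<cell>, as the README instructs.
func KeysMatch(password, realm, cell string) (bool, error) {
	a, err := KtpassKey(password, realm, cell)
	if err != nil {
		return false, err
	}
	b, err := AdddesKey(password + DefaultSalt(realm, "afs", cell))
	if err != nil {
		return false, err
	}
	return a == b, nil
}

func main() {
	k, err := KtpassKey(examplePassword, exampleRealm, exampleCell)
	if err != nil {
		panic(err)
	}
	fmt.Printf("adddes input:   %s\n", examplePassword+DefaultSalt(exampleRealm, "afs", exampleCell))
	fmt.Printf("KeyFile key:    %s\n", hex.EncodeToString(k[:]))
}
```

The hex the program prints is what both ktpass and a dump of the KeyFile
should show for that password; comparing it is a quicker check than
reading od output by eye, and a mismatch usually means the realm or cell
spelling (including case) in the adddes input differs from the principal
ktpass was given.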
COMMENTS
This is the second release, and I am looking for comments. If the program
of the main function is useful, I would like to submit this to
OpenAFS.
The program is a modified version of the cklog.c program found in OpenAFS,
and it calls the msklog_ms.c routines. The MIT ms2mit program was helpful
in understanding the workings of SSPI and LSA. The long term intent is the
msklog_ms.c routines could be called from the OpenAFS afscreds.exe directly,
making its use transparent to the user.
Doug Engert <deengert@anl.gov> 8/6/2003
1/8/2004
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444