[OpenAFS] MSKLOG - Acquiring AFS tokens on Windows using Microsoft Security

Douglas E. Engert deengert@anl.gov
Thu, 22 Jan 2004 16:32:43 -0600


Chris McClimans wrote:
> 
> Do you have any information on the hotfix number yet?

No, but I am BCCing Microsoft on this note.

> I'd like to be
> able to ask the MS AD admins when they will install the patch. If they
> do it without notifying me, will MSKLOG cease to function if I don't
> perform an upgrade at the same time the patch is applied to the AD
> servers?

The admin would have to turn on a bit in AD for the afs/cs.ttu.edu
account. This would cause tickets for it to be generated without
a PAC, and cut the size of the ticket down from over 1000 bytes
to 240 bytes or so. msklog can work with or without the PAC. The problem
is that a large ticket may not work with the AFS cache manager, which
has some limit on how large a ticket can be. If your account today is
not in too many groups, it could work without the hotfix.


> -chris
> 
> On Jan 22, 2004, at 2:59 PM, Chris McClimans wrote:
> 
> > I currently use a cross realm trust (one-way) where the users are in
> > TTU.EDU (a MS AD realm) and the service ticket is
> > afs/cs.ttu.edu@CS.TTU.EDU. If I get TTU.EDU to generate me an
> > afs/cs.ttu.edu@TTU.EDU, will I be able to use both the old method and
> > MSKLOG at the same time using the different tickets from the two
> > different realms?
> > -chris
> >
> > On Jan 8, 2004, at 2:11 PM, Douglas E. Engert wrote:
> >
> >>
> >> Acquiring AFS tokens on Windows using Microsoft Security
> >> I would like to submit to the OpenAFS community a simplified
> >> method of obtaining AFS tokens on Windows using the built in
> >> Microsoft security.
> >>
> >>  The readme is attached and at:
> >>    ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG
> >>  The source is at:
> >>    ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.1.tar
> >>
> >> There are many sites that have run AFS on Windows and would like to
> >> use AD authentication for AFS but don't want to have to run any
> >> additional set of Kerberos tools. I know there is a lot of work going
> >> on improving the MIT KfW packages, but in many situations this may be
> >> more than a user or site wants to run. Some sites may be using Heimdal
> >> or other Kerberos on Windows and don't want to switch.
> >>
> >> Msklog does not use any of these Kerberos packages, but uses the SSPI
> >> and LSA code of W2K and XP which allow the msklog program to get a
> >> Kerberos V5 ticket without having any additional Kerberos code on
> >> the Windows machine.
> >>
> >> I am sending this note today, as Microsoft is close to releasing
> >> a Hotfix for AD which will allow for much smaller tickets to be
> >> produced, which has been a problem in the past with AFS on all
> >> platforms.
> >> The msklog can take advantage of this Hotfix when it becomes available,
> >> but can also be used today if built with the -DNO_MS_PAC option.
> >>
> >> I would like to see the msklog_ms.c added to OpenAFS and callable
> >> from afscreds.exe. I am willing to do this if there is interest.
> >>
> >>
> >> --------------------README------------------------
> >>
> >>    MSKLOG - Get an AFS Token on Windows OpenAFS Client - release 0.1
> >>
> >>
> >> INTRODUCTION
> >>
> >> AFS has evolved over the years, and recent capabilities have been
> >> added to OpenAFS to allow it to use Kerberos V5 tickets in the AFS
> >> token.
> >> The MSKLOG program takes advantage of this, and is designed to use
> >> as much of the Microsoft built in Kerberos code as possible. When
> >> run on a machine as part of a domain the User's login credentials can
> >> be used to obtain the AFS token.
> >>
> >> Unlike aklog or gssklog, no additional Kerberos libraries are needed
> >> on the client, and no additional daemons like krb524d or gssklogd are
> >> needed.
> >>
> >> The program relies only on the Microsoft DLLs and OpenAFS libraries.
> >> No changes are needed to the AFS servers. (The servers need to be at
> >> 1.2.8 at least.) So the program can easily be used in a Microsoft only
> >> environment, as well as a mixed environment.
> >>
> >> Current assumptions are that the AFS user name matches the Kerberos
> >> principal, and the cell name matches the Kerberos Realm name.
> >>
> >> GETTING AN AFS TOKEN
> >>
> >> Msklog can be used in two modes. If you have used the integrated login
> >> to log in to the workstation, you can just run msklog, and it will use
> >> your login credentials.
> >>
> >> If you did not login, you can use the msklog -principal and -password
> >> options. See: msklog -help for the options.
> >>
> >>
> >> BUILDING
> >>
> >> Unzip, and edit the msklog.mak to change the locations of some
> >> directories.
> >>
> >>  SRC_D   - source (default .)
> >>  BIN_D   - output file of msklog.exe
> >>  OBJ_D   - output object files
> >>
> >>  MSSDK_INC_D  - Microsoft SDK include
> >>  AFS_INC_D    - AFS includes
> >>  AFS_LIB_D    - AFS libs
> >>  FIX_KVNO_INC_D - the AFS src\rxkad (See Below)
> >>
> >> Then do:
> >>
> >>   nmake -f msklog.mak
> >>
> >> DEBUG NOTE
> >>
> >> As a testing and debugging aid, the code can be compiled with
> >> -DFIX_KVNO to allow the -fixkvno n option to be used to set the key
> >> version number. I needed this for testing, as OpenAFS-1.2.8 would not
> >> accept a ticket with a default/missing kvno=0, and I had set the kvno
> >> to a different number, but the Microsoft KDC always returns kvno=0.
> >>
> >>
> >> HOTFIX FOR DOMAIN CONTROLLER
> >>
> >> Microsoft is working on hotfix xxxxxxxx for the Windows Domain
> >> controllers to allow tickets to be issued without a PAC. This greatly
> >> reduces the size of the ticket, so it can be used by AFS. (AFS does not
> >> use the PAC information anyway.)
> >>
> >> See: http://......
> >>
> >> Until this hotfix is available, msklog can be used without it if it is
> >> compiled with the -DNO_MS_PAC option. But this uses an MS only feature
> >> and will not work against an MIT KDC.
> >>
> >> USING MSKLOG with an MIT KDC
> >>
> >> See
> >> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> >> Section: "Using an MIT KDC with a Standalone Windows 2000 Workstation"
> >>
> >> You will need to run the ktsetup command to define at least the Realm
> >> and the location of the KDCs. If you want to use the integrated login,
> >> you will need to follow the other steps as well.
> >>
> >> SETTING UP THE KEYS
> >>
> >> The Kerberos KDC will need a principal, key and kvno for "afs/<cell>"
> >> and the AFS servers will need this key and kvno entered into the
> >> /usr/afs/etc/KeyFile
> >>
> >> I will only describe adding a key when using the Windows Domain
> >> controller as the KDC. Similar commands can be used with an MIT based KDC.
> >>
> >> The Kerberos realm name is the same as the Windows Domain name.
> >>
> >> The domain admin would use the Active Directory Management tools to
> >> create a user account for the AFS service, then would use the ktpass
> >> tool to set an identity mapping to afs/<cell> and to set the key.
> >>
> >> See:
> >> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> >> Section "Support for Kerberos Services",
> >> "To create a service instance account in the Active Directory"
> >>
> >> This will create a user account and service principal and enter a key
> >> based on the password provided into the Windows Domain.
> >>
> >> To add a matching key to the AFS KeyFile, the OpenAFS "bos_util adddes"
> >> command can be used. There may be other ways to add this key, but I
> >> will describe one.
> >>
> >> There are some restrictions:
> >>
> >>  o Microsoft always wants to use a key version number of 0.
> >>
> >>  o You must use a password to generate the key. But you can view the
> >>    keys generated by the ktpass and the bos_util adddes command to
> >>    verify that they match.
> >>
> >>  o Since ktpass is using a salt with the password, and adddes is not,
> >>    you will need to use <password> with ktpass and
> >>    <password><realm>afs<cell> with the adddes
> >>
> >> For example, the cell is named anl.gov and the W2K Domain is ANL.GOV
> >> and we will use a password of @#wsRbv3 as an example.
> >>
> >> On Windows:
> >>    Create the account serviceAFS
> >>    Set the xxxxxxxxx flag (See Hotfix comments above)
> >>    then run:
> >>    ktpass -princ afs/anl.gov@ANL.GOV -mapuser serviceAFS -pass "@#wsRbv3"
> >>
> >>    This will list the key in hex. Remember this hex value and the
> >>    password used.
> >>
> >> On AFS:
> >>    /usr/afs/bin/bos_util adddes 0
> >>    Then when prompted for a password enter:
> >>        @#wsRbv3ANL.GOVafsanl.gov
> >>
> >> You can verify the keys with the unix "od -x /usr/afs/KeyFile"
> >> command. You should see the same key in hex in the file.
> >>
> >>
> >> COMMENTS
> >>
> >> This is the second release, and I am looking for comments. If the
> >> program or the main function is useful, I would like to submit this to
> >> OpenAFS.
> >>
> >> The program is a modified version of the cklog.c program found in
> >> OpenAFS, and it calls the msklog_ms.c routines. The MIT ms2mit program
> >> was helpful in understanding the workings of SSPI and LSA. The long
> >> term intent is that the msklog_ms.c routines could be called from the
> >> OpenAFS afscreds.exe directly, making its use transparent to the user.
> >>
> >> Doug Engert <deengert@anl.gov>    8/6/2003
> >>                                1/8/2004
> >> --
> >>
> >>  Douglas E. Engert  <DEEngert@anl.gov>
> >>  Argonne National Laboratory
> >>  9700 South Cass Avenue
> >>  Argonne, Illinois  60439
> >>  (630) 252-5444
> >> _______________________________________________
> >> OpenAFS-info mailing list
> >> OpenAFS-info@openafs.org
> >> https://lists.openafs.org/mailman/listinfo/openafs-info
> >>
> >

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
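The README's "SETTING UP THE KEYS" section rests on one property of the Kerberos DES string-to-key function (RFC 3961 section 6.2): the salt is simply appended to the password before the key is derived, so ktpass with password P and the default salt REALM||"afs"||cell produces the same DES key as an unsalted derivation of the string P||REALM||"afs"||cell, which is what the README feeds to bos_util adddes. The Go program below is an added example for this page, not code from msklog or OpenAFS. It implements that string-to-key function (fan-fold, key correction, DES-CBC checksum) using only the Go standard library, checks it against the RFC 3961 Appendix A.2 test vector, and then derives both keys for the README's anl.gov example. It assumes, as the README does, that ktpass derives its DES key with this standard function and default salt and that adddes applies the same function with no salt; the function name AFSServiceKeys and the sample values are this example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// desWeakKeys holds the 4 weak and 12 semi-weak DES keys in odd-parity form.
var desWeakKeys = []string{
	"0101010101010101", "fefefefefefefefe", "1f1f1f1f0e0e0e0e", "e0e0e0e0f1f1f1f1",
	"01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
	"01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
	"011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
}

// keyCorrection applies RFC 3961 key_correction(): force odd parity in the
// low bit of every byte, then flip the high nibble of the last byte if the
// result is a weak or semi-weak DES key.
func keyCorrection(k []byte) {
	for i := range k {
		k[i] &^= 1
		if bits.OnesCount8(k[i])%2 == 0 {
			k[i] |= 1
		}
	}
	h := hex.EncodeToString(k)
	for _, w := range desWeakKeys {
		if h == w {
			k[7] ^= 0xf0
			return
		}
	}
}

// DESStringToKey is the des-cbc-* string-to-key of RFC 3961 section 6.2:
// fan-fold password||salt into 56 bits, correct it, use it as both key and
// IV for a DES-CBC checksum over the same padded input, and correct that.
func DESStringToKey(password, salt string) ([]byte, error) {
	s := []byte(password + salt) // the salt is just appended to the password
	if len(s) == 0 {
		return nil, errors.New("password and salt are both empty")
	}
	if r := len(s) % 8; r != 0 {
		s = append(s, make([]byte, 8-r)...) // pad with NULs to a block boundary
	}

	// Fan-fold: drop the MSB of every byte; even 8-byte blocks are XORed in
	// as-is, odd blocks have their 56-bit string reversed end to end first.
	tmp := make([]byte, 8)
	for i, b := range s {
		b &= 0x7f
		if (i/8)%2 == 0 {
			tmp[i%8] ^= b << 1 // 7 data bits high, parity bit position low
		} else {
			tmp[7-i%8] ^= bits.Reverse8(b) // reversed bits, in reversed byte order
		}
	}
	keyCorrection(tmp)

	blk, err := des.NewCipher(tmp)
	if err != nil {
		return nil, err
	}
	mac := make([]byte, len(s))
	cipher.NewCBCEncrypter(blk, tmp).CryptBlocks(mac, s)
	key := append([]byte(nil), mac[len(mac)-8:]...) // CBC checksum = last block
	keyCorrection(key)
	return key, nil
}

// AFSServiceKeys returns, as hex, the key ktpass derives for afs/<cell>@<REALM>
// (password with the default Kerberos salt REALM||"afs"||cell) and the key
// bos_util adddes derives from the concatenated string with no salt at all.
func AFSServiceKeys(password, realm, cell string) (ktpassKey, adddesKey string, err error) {
	salt := realm + "afs" + cell
	k1, err := DESStringToKey(password, salt)
	if err != nil {
		return "", "", err
	}
	k2, err := DESStringToKey(password+salt, "")
	if err != nil {
		return "", "", err
	}
	return hex.EncodeToString(k1), hex.EncodeToString(k2), nil
}

func main() {
	// Cell, realm and password are the README's own example values, not a real secret.
	kt, ad, err := AFSServiceKeys("@#wsRbv3", "ANL.GOV", "anl.gov")
	if err != nil {
		panic(err)
	}
	fmt.Println("ktpass  (password @#wsRbv3, salt ANL.GOVafsanl.gov):", kt)
	fmt.Println("adddes  (password @#wsRbv3ANL.GOVafsanl.gov, no salt):", ad)
	fmt.Println("keys match:", kt == ad)
}
```

When comparing the derived key with the server's KeyFile, note that `od -x` prints 16-bit words in host byte order, so on a little-endian machine each pair of bytes appears swapped relative to the hex ktpass prints; `od -An -tx1 /usr/afs/etc/KeyFile` shows the bytes in file order.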