[OpenAFS] Active Directory as KDC documentation

Jeffrey Altman jaltman@columbia.edu
Wed, 09 Jun 2004 18:45:08 -0400


If your AFS servers are 1.2.11 and your clients have tools to set Kerberos 5
tickets as tokens, then you do not require krb524d.  This is true for the
1.3.64 Windows AFS client.  This is not true for the Unix clients.  At the
moment, the ak5log for Unix/Linux still requires that krb524d be running on
the KDC.  However, running krb524d on an MIT or Heimdal KDC is trivial
compared to doing so with a Windows 2003 Server.

Jeffrey Altman

P.S. - rewriting ak5log to use pure Kerberos 5 tickets as tokens would not
be hard to do either.

Justice, William (WJJ.) wrote:

> Jeff,
>
> Just making sure... so you don't need to run krb524 with the setup in
> your last paragraph below?
>
> -- Bill
>
> -----Original Message-----
> *From:* Jeffrey Altman [mailto:jaltman@columbia.edu]
> *Sent:* Tuesday, June 08, 2004 10:36 AM
> *To:* Justice, William (WJJ.)
> *Cc:* openafs-info@openafs.org
> *Subject:* Re: [OpenAFS] Active Directory as KDC documentation
>
> Justice, William (WJJ.) wrote:
>
> > Is there any documentation on using Active Directory as the KDC in an
> > OpenAFS installation?  Google gave some news group postings from a
> > couple of years ago; figure there is some more up to date info?
> >
> > Thanks!
> >
> > -- Bill
>
> Things really have not changed all that much.
> The primary issue with using Windows 2003 Active Directory as the KDC is
> that Windows 2003 will not issue tickets using the DES-CBC-CRC enctype.
> It will issue tickets using the DES-CBC-MD5 enctype.  This is fine if you
> are using a krb524 service to translate your Kerberos 5 tickets to
> Kerberos 4 tickets (not supported by Active Directory, but you can host
> the MIT Kerberos version on the machine using keytabs); or if you are
> using gssklog (again you would need to add this, but more importantly
> support for this is not integrated with the Windows AFS client.)
>
> The long term direction is to internally support Kerberos 5 tickets as
> AFS tokens everywhere they are needed, including the large tickets
> produced by Active Directory.  This support is built into both the
> Windows versions and the Unix/Linux version as of 1.3.64.  Although the
> Windows version is the recommended product to use because it is the best
> we have, the Unix/Linux 1.3 branch is still considered a development
> branch and you would need to think long and hard before using it.
>
> The way that I have set up my cells for use with Active Directory is
> that I have an MIT KDC which stores the service principal for the AFS
> cell.  Then there is a cross-realm trust between Active Directory and
> the MIT realm.  Therefore, I can force the service tickets to be
> DES-CBC-CRC and be of small enough size to be used directly with the
> 1.2.11 AFS servers while still using pure Kerberos 5.
>
> Jeffrey Altman
>
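One way to confirm from a client's credential cache that the cross-realm arrangement described in the quoted message (AD user realm, MIT realm holding the afs/ service principal) actually produced a DES-CBC-CRC afs service ticket. This is an added example, not code from the thread or from OpenAFS; it parses `klist -e` output, and the realm names, cell name and sample cache contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `klist -e` output (not from the message above): a user
# in the AD realm AD.EXAMPLE.COM crosses into the MIT realm MIT.EXAMPLE.COM,
# which holds the AFS service principal, and gets a DES-CBC-CRC service ticket.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bill@AD.EXAMPLE.COM
Valid starting     Expires            Service principal
06/09/04 18:00:00  06/10/04 04:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
06/09/04 18:00:05  06/10/04 04:00:00  krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-md5, arcfour-hmac
06/09/04 18:00:06  06/10/04 04:00:00  afs/example.com@MIT.EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

PRINCIPAL_RE = re.compile(r"^Default principal:\s*(\S+)")
TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")  # start, expiry, service
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

def parse_klist(text: str) -> Tuple[str, Dict[str, Tuple[str, str]]]:
    """Return (default principal, {service principal: (session-key etype, ticket etype)})."""
    client, current = "", None
    tickets: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if (m := PRINCIPAL_RE.match(line)):
            client = m.group(1)
        elif (m := TICKET_RE.match(line)):
            current = m.group(1)           # the Etype line for this ticket follows
        elif (m := ETYPE_RE.match(line)) and current:
            tickets[current] = (m.group(1), m.group(2))
            current = None
    return client, tickets

def check_afs_ticket(text: str, cell: str, mit_realm: str) -> List[str]:
    """Flag what would stop afs/<cell> being usable as a token by 1.2.11 servers."""
    client, tickets = parse_klist(text)
    afs = f"afs/{cell}@{mit_realm}"
    if afs not in tickets:
        return [f"no service ticket for {afs}"]
    problems = []
    if tickets[afs][1] != "des-cbc-crc":   # the ticket itself, not the session key
        problems.append(f"{afs} ticket enctype is {tickets[afs][1]}, not des-cbc-crc")
    client_realm = client.rsplit("@", 1)[-1]
    if client_realm != mit_realm and f"krbtgt/{mit_realm}@{client_realm}" not in tickets:
        problems.append(f"missing cross-realm TGT krbtgt/{mit_realm}@{client_realm}")
    return problems
```

Feed it the output of `klist -e` on a client that has just run the AFS login tool; an empty list means the ticket came via the cross-realm trust and has the enctype the 1.2.11 servers accept.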

