[OpenAFS] Active Directory as KDC documentation

Douglas E. Engert deengert@anl.gov
Wed, 09 Jun 2004 19:40:18 -0500


--------------CED3CC6F5586C5CC4F8F7F5C
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit



Jeffrey Altman wrote:

> If your AFS servers are 1.2.11 and your clients have tools to set kerberos 5 tickets as tokens
> then you do not require krb524d.  This is true for the 1.3.64 Windows AFS client.  This is
> not true for the Unix clients.  At the moment, the ak5log for Unix/Linux still requires krb524d
> be running on the KDC.  However, running krb524d on a MIT or Heimdal KDC is trivial compared
> to doing so with a Windows 2003 Server.
>

With the 1.3.x, the krb524d can run on any machine. The krb5.conf file can have
krb524_server =  for the realm or the DNS can have a  _krb524._udp.<realm> SRV record
So it is easy to run a krb524d on a Unix server for use with a Windows KDC. For example
it could be run on one of more AFS servers.

>
> Jeffrey Altman
>
> P.S. - rewriting ak5log to use pure Kerberos 5 tickets as tokens would not be hard to do either.
>

Yes it was not hard. The ak5log I have does this. Its  was a holdover from the DCE/DFS days where the
AFS/DFS translator took a K5 ticket much like OpenAFS does. So right now the option is -dfs  :-)

But if the KDC is windows, 2000,   The ticket will be large, and if its 2003 it will have have the MD5,
so need mods to 1.2.11 servers or 1.3.64 servers which are not production.


>
> Justice, William (WJJ.) wrote:
>
>> Jeff,
>>
>> Just making sure… so you don't need to run krb524 with the set up in your last paragraph below?
>>
>> -- Bill
>>
>> -----Original Message-----
>> From: Jeffrey Altman [mailto:jaltman@columbia.edu]
>> Sent:Tuesday, June 08, 200410:36 AM
>> To:Justice, William (WJJ.)
>> Cc:openafs-info@openafs.org
>> Subject: Re: [OpenAFS] Active Directory as KDC documentation
>>
>> Justice, William (WJJ.) wrote:
>>
>> Is there any documentation on using Active Directory as the KDC in an OpenAFS installation?  Google gave some news group postings from a couple of years ago, figure there is some more up to date info?
>>
>> Thanks!
>>
>> -- Bill
>>
>> Things really have not changed all that much.
>>
>> The primary issue with using Windows 20003 Active Directory as the KDC
>> is that Windows 2003 will not issue tickets using the DES-CBC-CBC enctype.
>> It will issue tickets using the DES-CBC-MD5 enctype.  This is fine if your are
>> using a krb524 service to translate your Kerberos 5 tickets to Kerberos 4 tickets
>> (not supported by Active Directory but you can host the MIT Kerberos version
>> on the machine use keytabs); or if you are using gssklog (again you would need
>> to add this but more importantly support for this is not integrated with the
>> Windows AFS client.)
>>
>> The long term direction is to internally support Kerberos 5 tickets as AFS tokens
>> everywhere they are needed including the large tickets produced by Active Directory.
>> This support is built into both the Windows versions and the Unix/Linux version
>> as of 1.3.64.   Athough the Windows version is the recommended product to use
>> because it is the best we have; the Unix/Linux 1.3 branch is still considered a development
>> branch and you would need to think long and hard before using it.
>>
>> The way that I have setup my cells for use with Active Directory is that I have an
>> MIT KDC which stores the service principal for the AFS cell.  Then there is a cross-realm
>> trust between Active Directory and the MIT realm.   Therefore, I can force the
>> service tickets to be DES-CBC-CRC and be of small enough size to be used directly
>> with the 1.2.11 AFS servers while still using pure Kerberos 5.
>>
>> Jeffrey Altman
>>
--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444


--------------CED3CC6F5586C5CC4F8F7F5C
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<body text="#000000" bgcolor="#FFFFFF">
&nbsp;
<p>Jeffrey Altman wrote:
<blockquote TYPE=CITE>If your AFS servers are 1.2.11 and your clients have
tools to set kerberos 5 tickets as tokens
<br>then you do not require krb524d.&nbsp; This is true for the 1.3.64
Windows AFS client.&nbsp; This is
<br>not true for the Unix clients.&nbsp; At the moment, the ak5log for
Unix/Linux still requires krb524d
<br>be running on the KDC.&nbsp; However, running krb524d on a MIT or Heimdal
KDC is trivial compared
<br>to doing so with a Windows 2003 Server.
<br>&nbsp;</blockquote>
With the 1.3.x, the krb524d can run on any machine. The krb5.conf file
can have
<br>krb524_server =&nbsp; for the realm or the DNS can have a&nbsp; _krb524._udp.&lt;realm>
SRV record
<br>So it is easy to run a krb524d on a Unix server for use with a Windows
KDC. For example
<br>it could be run on one of more AFS servers.
<blockquote TYPE=CITE>&nbsp;
<br>Jeffrey Altman
<p>P.S. - rewriting ak5log to use pure Kerberos 5 tickets as tokens would
not be hard to do either.
<br>&nbsp;</blockquote>
Yes it was not hard. The ak5log I have does this. Its&nbsp; was a holdover
from the DCE/DFS days where the
<br>AFS/DFS translator took a K5 ticket much like OpenAFS does. So right
now the option is -dfs&nbsp; :-)
<p>But if the KDC is windows, 2000,&nbsp;&nbsp; The ticket will be large,
and if its 2003 it will have have the MD5,
<br>so need mods to 1.2.11 servers or 1.3.64 servers which are not production.
<br>&nbsp;
<blockquote TYPE=CITE>&nbsp;
<br>Justice, William (WJJ.) wrote:
<blockquote 
 cite="mid752E6D5014672D458A593B5E7A3CD5F508A8F960@na1fcm51.dearborn.ford.com"
 type="cite"><style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Times New Roman";
	color:black;}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:#606420;
	text-decoration:underline;}
pre
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";
	color:black;}
span.emailstyle17
	{font-family:Arial;
	color:windowtext;}
span.EmailStyle19
	{font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
	{page:Section1;}
-->
  </style>

<div class="Section1">
<div class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Arial; color: navy;"><font color="#000080">Jeff,</font></span></div>


<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Arial; color: navy;"></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Arial; color: navy;"><font color="#000080">Just
making sure… so you don't need to run krb524 with the set up in your last
paragraph below?&nbsp;</font></span>
<pre><span style="font-size: 10pt;"><font color="#000000">-- Bill</font></span></pre>

<div class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Tahoma; color: windowtext;"></span></div>


<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Tahoma; color: windowtext;"></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Tahoma; color: windowtext;"><font color="#000000">-----Original
Message-----</font>
<br><span style="font-weight: bold;"><font color="#000000"><b>From:</span></b>
Jeffrey Altman [<a href="mailto:jaltman@columbia.edu" class="moz-txt-link-freetext">mailto:jaltman@columbia.edu</a>]</font>
<br><span style="font-weight: bold;"><font color="#000000"><b>Sent:</span></span><span style="font-family: Tahoma; color: windowtext;"></b>Tuesday,
June 08, 2004</span><span 
 style="font-family: Tahoma; color: windowtext;"></span><span style="font-family: Tahoma; color: windowtext;">10:36
AM</font></span><span 
 style="font-family: Tahoma; color: windowtext;">
<br><span style="font-weight: bold;"><font color="#000000"><b>To:</span></span><span style="font-family: Tahoma; color: windowtext;"></b>Justice,
William</span><span 
 style="font-family: Tahoma; color: windowtext;">
(WJJ.)</font>
<br><span style="font-weight: bold;"><font color="#000000"><b>Cc:</span></b><a href="mailto:openafs-info@openafs.org" class="moz-txt-link-abbreviated">openafs-info@openafs.org</a></font>
<br><span style="font-weight: bold;"><font color="#000000"><b>Subject:</span></b>
Re: [OpenAFS] Active Directory as KDC documentation</font></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt;"></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt;"><font color="#000000">Justice,
William (WJJ.) wrote:&nbsp;</font></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Arial;"><font color="#000000">Is
there any documentation on using Active Directory as the KDC in an OpenAFS
installation?&nbsp; Google gave some news group postings from a couple
of years ago, figure there is some more up to date info?</font></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Arial;"></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Arial;"><font color="#000000">Thanks!</font></span>

<p class="MsoNormal"><span 
 style="font-size: 10pt; font-family: Arial;"></span>
<pre><span style="font-size: 10pt;"><font color="#000000">-- Bill&nbsp;</font></span></pre>

<div class="MsoNormal" style="margin-bottom: 12pt;"><span 
 style="font-size: 12pt;"><font color="#000000">Things
really have not changed all that much.</font></div>

<br><font color="#000000">The primary issue with using Windows 20003 Active
Directory as the KDC</font>
<br><font color="#000000">is that Windows 2003 will not issue tickets using
the DES-CBC-CBC enctype.</font>
<br><font color="#000000">It will issue tickets using the DES-CBC-MD5 enctype.&nbsp;
This is fine if your are</font>
<br><font color="#000000">using a krb524 service to translate your Kerberos
5 tickets to Kerberos 4 tickets</font>
<br><font color="#000000">(not supported by Active Directory but you can
host the MIT Kerberos version</font>
<br><font color="#000000">on the machine use keytabs); or if you are using
gssklog (again you would need</font>
<br><font color="#000000">to add this but more importantly support for
this is not integrated with the</font>
<br><font color="#000000">Windows AFS client.)</font>
<p><font color="#000000">The long term direction is to internally support
Kerberos 5 tickets as AFS tokens</font>
<br><font color="#000000">everywhere they are needed including the large
tickets produced by Active Directory.</font>
<br><font color="#000000">This support is built into both the Windows versions
and the Unix/Linux version</font>
<br><font color="#000000">as of 1.3.64.&nbsp;&nbsp; Athough the Windows
version is the recommended product to use</font>
<br><font color="#000000">because it is the best we have; the Unix/Linux
1.3 branch is still considered a development</font>
<br><font color="#000000">branch and you would need to think long and hard
before using it.</font>
<p><font color="#000000">The way that I have setup my cells for use with
Active Directory is that I have an</font>
<br><font color="#000000">MIT KDC which stores the service principal for
the AFS cell.&nbsp; Then there is a cross-realm</font>
<br><font color="#000000">trust between Active Directory and the MIT realm.&nbsp;&nbsp;
Therefore, I can force the</font>
<br><font color="#000000">service tickets to be DES-CBC-CRC and be of small
enough size to be used directly</font>
<br><font color="#000000">with the 1.2.11 AFS servers while still using
pure Kerberos 5.</font>
<p><font color="#000000">Jeffrey Altman</font>
<p></span></div>
</blockquote>
</blockquote>

<p>--
<p>&nbsp;Douglas E. Engert&nbsp; &lt;DEEngert@anl.gov>
<br>&nbsp;Argonne National Laboratory
<br>&nbsp;9700 South Cass Avenue
<br>&nbsp;Argonne, Illinois&nbsp; 60439
<br>&nbsp;(630) 252-5444
<br>&nbsp;
</body>
</html>

--------------CED3CC6F5586C5CC4F8F7F5C--