[OpenAFS] Summary: AFS and Active Directory interoperability

Matthias Gerstner Matthias.Gerstner@student.fh-nuernberg.de
Sat, 3 Sep 2005 13:55:01 +0200


After about two weeks of work I got it working to authenticate against 
an Active Directory for gaining access to AFS. As there are many little 
details about the procedure of doing this and there is much obsolete and 
incomplete information on the internet about the topic I'm giving an 
overview of the steps that need to be done.

First I want to remark that I got much help from Sergio Gelato from the 
mailing list to get this working.

As a special condition I did a completely new setup of AFS and thus 
didn't have to migrate any user data etc.

1) You have to use an up to date OpenAFS version. I got it working with 
OpenAFS 1.4.0-rc2 from CVS. In respect to stability you don't need to 
worry. I didn't realise any problems except sometimes for the kernel 
module (using kernel 2.6) when playing around to much with the AFS 
configuration.

2) Additional software: There are two tools I needed to use Active 
Directory instead of kaserver.

asetkey: This utility can read a kerberos5 keyfile and write it into the 
OpenAFS KeyFile

aklog: An alternative to klog for getting an AFS token when not using 
kaserver.

At least aklog is shipped with the OpenAFS source code but not built by 
default. In OpenAFS 1.4.0-rc2 it is built when using the configure 
option "--with-krb5" but it didn't compile successfully for me.

asetkey is (or should I say 'once was' ...) part of the AFS-Kerberos5 
migration kit.

For my purpose I used the following binary package from debian:

http://packages.debian.org/stable/net/openafs-krb5

If you don't use debian and can't use .deb packages try the deb2targz 
utility.

This binary package contains both aklog and asetkey.

3) Create a principal in the Active Directory for afs@<your cellname>. 
The passphrase for the principal doesn't matter. Note that it is simpler 
to choose the same name for the afs cellname as for your realm. If you 
don't you have to configure your AFS servers to use the correct realm 
name in krb5.conf

When you created the afs principal extract the key for this principal 
using the ktpass command on the windows command line. You should tell 
ktpass to export the key using the encryption type DES_CBC_CRC (MD4/MD5 
should also be okay).

A very important thing is that you have to tell Active Directory 
explicitly to "use DES encryption types" for the afs principal. This is 
done in the account properties for afs@<your cellname>

4) Copy the key extracted by ktpass from active directory on your AFS 
servers. Now you have to use asetkey to convert the key into an AFS 
KeyFile. This is done like this:

asetkey add <kvno> /path/to/AD-Keyfile afs@<your cellname>

Note that you have to specify the correct key version number. Also the 
binaries from debian search for OpenAFS configuration files in 
/etc/openafs and /etc/openafs/server. I had to create a symbolic link 
from the path of the OpenAFS KeyFile and ThisCell, CellServDB to 
/etc/openafs/server for asetkey to work.

As I had a clean and new OpenAFS setup I didn't need any old keys from 
OpenAFS so I delete all existing keys using asetkey delete before 
issuing the above command.

Make sure the key version numbers of AFS and the Active Directory match 
after you've written the new key into AFS. You can check this by using

asetkey list

for the AFS KeyFile and ktutil (syntax depends on wheter you use Heimdal 
or mit-kerberos5) for the kerberos-key extracted from AD.

5) Now the communication between AFS and Active Directory should already 
work. The only difference now is that you have to use aklog instead of 
klog to get your AFS token.

To manually test if it works I first get a kerberos5 ticket from AD for 
my user:

kinit testuser
<password>

Then I use aklog with verbose output to see if everything is okay 
getting the token:

aklog -d
<debug output>

The output should say that it got the correct kerberos realm to 
authenticate to and that aklog is using the kerberos5 ticket natively.

In the past it was needed to use something like krb542d to convert 
kerberos5 tickets into kerberos4 tickets before aklog could be used but 
this is not needed any more as I see it.

aklog then should have generated an AFS token from the kerberos5 ticket. 
You can check this using the normal 'tokens' command from AFS.

At this point you should be successfully authenticate as 'testuser' and 
be able to work with testuser's homedirectory on AFS for example.

If you get an error like "key version number mismatch" or "unknown key 
version number" when trying to access AFS directories after you issued 
the aklog command then it is very likely that you either really got a 
key version number mismatch for the keys in AD and AFS or the DES 
encryption is not correctly enabled on the AD side (which was a problem 
that cost me some days of debugging ...).

Well, that's it. I hope this little howto will be useful and saves 
someone some time.

Best Regards,

Matthias Gerstner