[OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 30 Sep 2009 23:11:41 +0200


David:

1. afscreds simply doesn't work reliably.  As a result, its continued
   use is in my opinion not an option on Vista, 2008 and Windows 7.

2. It is true that Network Identity Manager cannot assume that it
   should obtain an afs token automatically for the default workstation
   cell in the case where the realm name and cell name do not match.
   However, the fact that realm FOO.EXAMPLE.COM should be used for
   cell bar.example.com can be specified in the registry as part of
   your transformed OpenAFS installer or pushed via group policy in
   managed environments.

   afscreds requires that the user provide three values:
     a. cellname
     b. user@REALM
     c. password
   in order to make the cross-realm case work.

   The Network Identity Manager v2 user interface changes, and in
   particular the new identity wizard, force a user to walk through
   the process of configuring the installed credential provider
   setup screens.  However, v2 is not ready for distribution.
   There is no funding to complete the work at present.  Secure
   Endpoints continues to work on it but I'm not willing to make
   a commitment to finish it on any particular schedule.

   In early versions of the AFS provider, tokens for the workstation
   cell were obtained for any Kerberos identity that was used for
   logon.  This caused serious support headaches for sites that use
   Network Identity Manager with multiple identities in realms.
   In the case where two active identities could both obtain a token
   for the default workstation cell the token that was in use at any
   given time would be random.

   If Cornell would like to support the development of Network
   Identity Manager v2, that assistance would be welcome.

3. Network Identity Manager's Kerberos v5 support permits the user
   to specify their own values for lifetime, renew-lifetime, forwarding,
   etc.  This is the same behavior as all previous Kerberos ticket
   managers such as krb5 and leash32.  I have never seen a request
   filed with MIT or Secure Endpoints to suppress this ability.  It
   is certainly something that could easily be added as a local machine
   option, included in the KFW installer via a transform or pushed via
   global policy.

I hope my comments have addressed your concerns.  If they haven't
then we need to discuss how the creation of another replacement
for afscreds.exe should be pursued.  The design of the existing
tool is flawed and cannot be distributed for use with modern versions
of Windows.

Another issue I forgot to mention in the original post is that the
help system used by afscreds.exe and afs_config.exe is no longer
available on Vista, 2008, and Windows 7.

Jeffrey Altman

Dave B wrote:
> While I haven't looked in about a year, with the current version of MIT KfW
> netidmgr (I believe the v2 beta may fix this), users doing cross-realm authn
> to get afs tokens have to manually set up the mapping between the cross-realm
> kerberos user and the afs user. Otherwise, it doesn't work. afs_creds just
> works for seeing token status and getting new tokens (which is the only
> functionality of tokens we care about). Doing the setup in netidmgr would
> sometimes also, by virtue of setting something, write user-specific registry
> settings for things like ticket lifetime, overriding the krb5.ini system
> defaults.
> 
> In other words, non-afscreds for display/getting/destroying tokens is an added
> administrative burden.
> 
> Perhaps the above has been fixed and is no longer a concern.
> 
> On Wed, Sep 30, 2009 at 10:19:04PM +0200, Jeffrey Altman wrote:
>> Ever since the release of Windows Vista I have been worried about the
>> continued shipment of afscreds.exe (AFS Authentication Tool) and
>> afs_config.exe (AFS Client Manager Configuration Tool) in the OpenAFS
>> installers.
>>
>> The Problem:
>>
>> Beginning with Windows Vista, Microsoft implemented a security barrier
>> referred to as User Account Control which tightens the noose on normal
>> user accounts and prevents them from being used to perform a variety of
>> operations such as starting and stopping services or writing to the
>> local machine registry hive which they were able to do in previous
>> Windows releases.  In addition, user accounts that are members of the
>> "Administrators" group always log on to the machine as normal users.  In
>> order for a process to be started with the extra special Administrators
>> bits, explicit click-through approval is required from the user.  A
>> process that is started as an Administrative process shares the desktop
>> but is effectively in a separate logon session.
>>
>> afscreds.exe and afs_config.exe perform some functionality that must be
>> executed in the standard logon session and other functions that must be
>> performed as an administrative process.  A process cannot be both.  As a
>> result, depending on the user account type used and the mode the process
>> is started with, different function sets will misbehave.  If the process
>> is started with Administrative bits, the process is unable to:
>>
>>  * access the MIT Kerberos v5 credential caches to obtain tokens
>>
>>  * create drive mappings
>>
>> If the process is started without the Administrative bits, the process:
>>
>>  * silently discards configuration changes that are saved in the registry
>>
>>  * is unable to start or stop the afsd service
>>
>> Based upon feedback received at the European AFS Workshop, the shipment
>> and installation of these tools are creating a significant support burden.
>>
>>
>> The Proposal:
>>
>> I propose that, beginning with 1.5.66 (whenever that is), the
>> afscreds.exe and afs_config.exe tools not be installed at all on any
>> Windows version Vista or beyond, and that on 2000, XP and 2003 these
>> tools not be installed as part of the default configuration.
>>
>>
>> The Impact:
>>
>> The afscreds tool provides three sets of functionality:
>>
>>  * token acquisition (and renewal if MIT KFW is present)
>>
>>  * drive mapping
>>
>>  * start/stop the afsd service
>>
>> Network Identity Manager has long been available as a replacement for
>> the token acquisition functionality and it is available on any system on
>> which MIT KFW is present.  The only systems that wouldn't have it are
>> clients of cells that are still using kaserver.
>>
>> The drive mapping functionality has been documented as deprecated since
>> the addition of the loopback installation permitted the use of a
>> standard \\AFS UNC server name.  The recommended method for a user to
>> create a drive mapping is the Windows Drive Mapping user interface
>> provided as part of "[My] Computer" and the Explorer Shell.
>>
>> Starting and stopping the afsd service is an administration function
>> that can be performed using the Windows Service MMC.
>>
>> The afs_config.exe tool provides:
>>
>>  * configuration management including cell name, server preferences,
>>    cellservdb editing, cache size, and advanced tuning parameters
>>
>>  * start/stop functionality
>>
>>  * drive mapping
>>
>> While it is not ready for general purpose use, Brant Gurganus has made
>> significant progress on his OpenAFS Cache Manager MMC snap-in.  This
>> tool has the potential to perform the first two functions in a more
>> complete manner than the afs_config tool ever did.  As for the drive
>> mapping, the Explorer Shell interface can be used.  As soon as this tool
>> is deemed ready for incorporation in the distribution it will be added.
>>
>>
>> Please Provide Feedback:
>>
>> If you are a Windows user or a system administrator that has a large
>> number of Windows users, please comment on whether or not you agree with
>> the proposed action.
>>
>> Thank you.
>>
>> Jeffrey Altman
>>
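As an added illustration of the UAC split that the original post describes (this is not code from the OpenAFS project or from anyone in this thread), the following PowerShell script reports whether the process it runs in holds the elevated token, probes whether it can write to the machine registry hive, and prints its logon session ID. The probe key under HKLM:\SOFTWARE is a placeholder chosen for this example, not an OpenAFS registry location, and the script assumes whoami.exe is on the path (it ships with Vista and later).

```powershell
# Added example, not from the OpenAFS project or this thread.
# Shows the two halves of a UAC split token: a standard-user process and an
# elevated process share the desktop but differ in logon session and in what
# they are permitted to do, which is why one tool cannot serve both roles.

function Test-IsElevated {
    # True when the process token carries the full Administrators membership
    # (i.e. the user clicked through the UAC consent prompt).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWriteMachineRegistry {
    # Placeholder probe key (assumption for this example): a throw-away subkey
    # under HKLM:\SOFTWARE. Create-and-delete it; failure means this process
    # cannot persist machine-wide configuration.
    $probe = 'HKLM:\SOFTWARE\UacProbePlaceholder'
    try {
        New-Item -Path $probe -Force -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-LogonId {
    # whoami /logonid prints the authentication ID (logon session) of the
    # current token as an S-1-5-5-... string. An elevated prompt and a
    # standard prompt on the same desktop print different values.
    $line = (& whoami.exe /logonid) |
        Where-Object { $_ -match '^S-1-5-5-' } |
        Select-Object -First 1
    if ($null -eq $line) { return '(unavailable)' }
    return $line.Trim()
}

$elevated = Test-IsElevated
$hklm     = Test-CanWriteMachineRegistry

Write-Host ("Elevated token   : {0}" -f $elevated)
Write-Host ("Can write HKLM   : {0}" -f $hklm)
Write-Host ("Logon session ID : {0}" -f (Get-LogonId))

if ($elevated) {
    Write-Host "Elevated session: machine-wide configuration and service control are"
    Write-Host "permitted here, but per-session state such as the standard session's"
    Write-Host "Kerberos credential cache and drive mappings is not visible."
} else {
    Write-Host "Standard session: credential cache and drive mappings are reachable,"
    Write-Host "but HKLM writes and service start/stop fail; a tool that ignores the"
    Write-Host "error return will appear to discard the change silently."
}
```

Run the script once from a normal PowerShell prompt and once from a prompt started with "Run as administrator"; the logon session IDs differ and the HKLM probe result flips, which is the same split the post describes between the token/drive-mapping functions and the configuration/service functions of afscreds.exe and afs_config.exe.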
