[OpenAFS] Active Directory Kerberos ticket allowing to access OpenAFS cell?

Douglas E. Engert deengert@anl.gov
Thu, 03 Nov 2011 09:18:31 -0500


On 11/3/2011 1:58 AM, Stanislaw Kaminski wrote:
> 2011/11/2 Douglas E. Engert<deengert@anl.gov>:
>>
>>
>> On 11/2/2011 11:17 AM, stasheck wrote:
>>>
>>> Hi,
>>> I'm still trying to solve some issues regarding proper integration of
>>> ActiveDirectory into our IT environment. One thing I learned, it's
>>> impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign
>>> from MIT Kerberos, so I need some workarounds.
>>
>> When you say "Impossible to forgo AD Kerberos for MIT Kerberos."
>> do you mean Windows machines and users require AD accounts. Which is
>> true. AD uses Krb5, and adds a PAC to the Krb5 tickets.
>>
>> I don't know what you mean by "I cannot resign".
>
> Sorry, I meant "I have to use AD and MIT at the same time, for various reasons".
>
>> I would also assume that the AD domain name is *NOT* the same as the
>> MIT Kerberos realm name. If they are, this is going to be a major
>> conversion. (The afs cell name could match either one, or be different
>> from both.)
>
> No, actually MIT Kerberos uses our domain name, and AD will use a subdomain.
>
>>> First, I'm going to block password change from Windows boxes and force
>>> everyone to change their password on MIT Kerberos - because I can sync
>>> that to AD.
>>
>> There should be no reason that the passwords have to be in sync.
>
> Unless I have users who will at one time or another use both of those
> services, and I want my users to remember just one password for that.

You may also want to consider the Kerberos authentication to AD and
account mapping. This allows your users to authenticate to the KRB5
realm, and this authentication is then trusted by the AD domain.

So users and your existing Unix systems and AFS cell all have principals
in your Kerberos realm. New Windows machines are then joined to
the Windows Domain. Users have accounts in the domain as well, but
they don't need to use the password, as they will log on using their
Kerberos principal.

Google for: site:microsoft.com kerberos trust account mapping 2008

This leads to many articles, including this one:
  http://technet.microsoft.com/en-us/library/cc773178(WS.10).aspx

In the "Realm Trust" section:
  "When the direction of trust is from a Windows Server 2003 domain to
   a non-Windows Kerberos realm, account mappings in Active Directory are
   used to map a foreign Kerberos identity in a trusted non-Windows Kerberos
   realm to a local account identity in a Windows Server 2003 domain.

   The Windows Server 2003 domain uses only the account to which the
   non-Windows principal is mapped (the proxy account) to evaluate access
   to domain objects that have security descriptors. This is required because
   non-Windows Kerberos tickets do not contain all of the authorization data
   that is needed for Windows Server 2003. All such Windows Server 2003 proxy
   accounts can be used in groups and on access control lists (ACLs) to control
   access on behalf of the non-Windows security principal. MIT account mappings
   are managed through Active Directory Users and Computers."

I must admit I have not tried the trust this way. When we introduced AD
into an existing small Kerberos environment, we did just the opposite.
The AFS cell and AD domain name matched and the Kerberos realm was
a subdomain name. So we went with all users being in the AD domain,
and we migrated the Kerberos service principals to AD. We do not
run any Kerberos KDCs any more, using AD as the KDCs.

>
>>> Second problem/idea is to create SingleSignOn to OpenAFS just by
>>> logging into Windows account.
>>
>> Yes, do it all the time. See the KfW or the Network Identity Manager
>> from Secure-endpoints.
>> http://www.secure-endpoints.com/#Network Identity Manager
>> and
>> http://www.secure-endpoints.com/#openafs
>
> Well, I am using KfW, but since I have no domain yet I wasn't able to
> test if KfW automagically gets Kerberos tickets while user logs on. I
> don't want it to ask for a password second time, after AD logon.
>
>>> Is there any way to use AD ticket to get into MIT-based AFS?
>>
>> Yes cross realm, or since you are trying to sync passwords between the two,
>> that implies a user in one realm is the same user in the other realm.
>> As Andrew said in his note, the AFS cell could be in both realms
>> at the same time. (There might be some issues as to how a client
>> determines the default Kerberos realm of the afs cell.)
>
> Yes, of course those are the same. I wasn't aware that AFS allows
> multiple Kerberos domains (so thanks, Andrew) - still have much
> learning to do. That'd of course solve one part of the problem.
>
> So, does KfW automatically get AD ticket? (back to my VMs)
>
> /br
> Stan
>
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
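The cross-realm setup discussed in this thread (MIT realm on the domain name, AD on a subdomain, both trusting each other directly), as an added client-side krb5.conf example that is not part of the original message. Realm and host names are placeholders; the MIT realm is assumed to be EXAMPLE.COM, the AD domain AD.EXAMPLE.COM, and the AFS cell example.com.

```ini
; Added example: krb5.conf for a Unix/AFS client that must accept either
; an MIT-realm ticket or an AD ticket (both placeholder names).
; A direct trust requires krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM and
; krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM to exist in both KDCs with the
; same key; that is configured on the KDC side, not here.

[libdefaults]
    ; Users normally kinit to the MIT realm; AD users get tickets at
    ; Windows logon and never need a second password prompt.
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    ; AD issues RC4/AES tickets with a PAC; the PAC is opaque to AFS.
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
    AD.EXAMPLE.COM = {
        ; AD domain controllers are KDCs for the AD realm.
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    ; The AD subdomain must map BEFORE the parent domain so that
    ; hosts under ad.example.com resolve to the AD realm, and
    ; everything else under example.com resolves to the MIT realm.
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com  = AD.EXAMPLE.COM
    .example.com    = EXAMPLE.COM
    example.com     = EXAMPLE.COM

[capaths]
    ; "." declares a direct (one-hop) trust with no intermediate realm.
    EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        EXAMPLE.COM = .
    }
```

With this in place an AD user can run `aklog -cell example.com -k AD.EXAMPLE.COM` to obtain an AFS token from an AD-issued ticket, provided the cell's servers have been configured to accept that realm as well as the MIT one. Check the result with `klist` (service ticket for afs/example.com) and `tokens`.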