[OpenAFS] AFS Token not renewable after integrated login

Dr. Hendrik Naumann naumann@tu-berlin.de
Fri, 12 Dec 2014 22:48:17 +0100



Hi Jeffrey

Thanks for your detailed answer. Questions below.

On Friday, 12 December 2014, Jeffrey Altman wrote:
> On 12/5/2014 1:31 PM, Dr. Hendrik Naumann wrote:
> > Hi
> >
> > I am looking for a way to set up the Integrated Logon in such a
> > way that the acquired AFS Tokens can be renewed.
> >
> >[...]
> >
> > Is there any way to get access to the Kerberos Tickets from the
> > integrated logon? Under Linux Kerberos can be configured to store
> > its Tickets in a file and thus the TGT and also the Token can be
> > renewed later.
>
> The AFS Integrated Logon functionality is implemented as a WinLogon
> Authentication Provider function.  The purpose of this function is
> to obtain credentials necessary for the logon process to access
> the user's profile data that might be stored in a remote file
> system.  This function is called before the creation of the logon
> session. Credentials obtained in the Authentication Provider can
> be injected into the AFS Authentication Group (my Windows variant
> of PAGs on UNIX) that will be inherited by the logon session.
> However, there is no place to store the Kerberos TGT that was
> obtained.
>
> Prior to Windows Vista there were two other hook functions that
> would be executed within the logon session.  One when the desktop
> shell started and the other when it shutdown.  These functions ran
> with elevated permissions so in XP I used them to permit WinLogon
> to write the Kerberos TGT to a protected file and then extract it
> and store the contents into the logon session credential cache.
> This trick no longer works.  Microsoft removed the hooks because
> their presence was an exploitable security hole.

Some months ago we were still using OpenAFS 1.7.21 and MIT Kerberos
3.2.2 together with the old Network Identity Manager on Windows 7
32-bit. In this setup we never had the problem of running out of AFS Tokens.
How does that fit into the picture? Because we changed the session
encryption on the servers we had to upgrade to higher than 1.7.26, and
in that process we also upgraded the whole Kerberos stack.

> If the TGT obtained by Integrated Logon is for the same Kerberos
> principal that will later be found in the MSLSA: credential cache,
> then all that is required for NIM to obtain a new AFS token is to
> configure the data for your cell in NIM.  If the AFS token is
> obtained using a different Kerberos principal, then your users
> must enter the password again when the initial token expires.

This is very ugly, because normal users don't want to be bothered with
details like that and thus tend to forget it or just cancel unknown
dialogs. Especially dialogs asking for the password, which is actually
a good thing.

Our users are a very heterogeneous and international group of
scientists focused on their projects. Some of them don't even speak
good English, nor German. Thus it is very hard for us to get through
with this kind of information.

Is there any chance to implement a feature so that the TGT is just
stored to some file, which later can be imported into NIM by a logon
script?

Thanks

Hendrik Naumann

-- 
Dr. Hendrik Naumann
Technische Universität Berlin
Institut für Chemie, Sekr. C3
Leiter EDV Chemie
Strasse des 17. Juni 115
10623 Berlin
Tel.: +49 30 314 29892  Mobil: +49 172 314 0410  Fax: +49 30 314 29309
WWW: http://www.chemie.tu-berlin.de/it
E-Mail: naumann@tu-berlin.de
