[OpenAFS] Kerberos + Windows

Benjamin Kaduk kaduk@mit.edu
Mon, 15 Aug 2022 22:11:06 -0700


On Tue, Aug 16, 2022 at 04:43:19AM +0000, Ben Huntsman wrote:
> Hi guys-
>    Does anyone have a recipe for making OpenAFS work with AD 2012 R2 or 2016 as a KDC?
> 
>    I've seen a few articles on using it with 2008 R2, which mostly involve re-enabling des-cbc-crc on the AD side...  Does OpenAFS support the current schemes like aes256-cts-hmac-sha1-96, and has anyone gotten that to work?
> 
>    Or is one better off by setting up their own Kerberos just for OpenAFS?

In the aftermath of
https://www.openafs.org/pages/security/OPENAFS-SA-2013-003.txt the state of
the art became using current kerberos enctypes for the service principal,
with the KDF to get back to fcrypt keys contained within the AFS boundary.
The main thing that has come up with using Windows as the KDC is the possible
need to disable or trim down the PACs issued for AFS principals ... though
in the wake of some of the more recent AD/Kerberos vulnerabilities maybe
that is less advisable, I have forgotten the details.

https://datatracker.ietf.org/doc/html/draft-kaduk-afs3-rxkad-k5-kdf-00
discusses the protocol details,
https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt talks about
the process of converting an existing cell to use the new mechanisms, and
http://docs.openafs.org/QuickStartUnix/ has (IIRC) been updated to cover
installing with rxkad-k5 from scratch.

Hopefully others can chime in if there are more AD-specific bits than just
rxkad-k5; I don't actually run any such environments myself.

-Ben
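As an added example (not part of the thread above, and not OpenAFS project code), here is a small audit of the enctypes present on an AFS service principal's keytab, the kind of check an admin would run after converting a cell to rxkad-k5. It parses the output of MIT Kerberos `klist -ket` (the `-k`, `-e` and `-t` flags are the real MIT options for keytab, enctype and timestamp display) and flags single-DES entries, which are the fcrypt-compatible types that the older AD 2008 R2 recipes re-enabled. The `klist` output embedded below is constructed for the example; the principal names, KVNOs and keytab path are placeholders.

```python
"""Audit enctypes on AFS service principal keytab entries (added example).

Reads MIT Kerberos `klist -ket` output and reports, per afs/ principal,
which enctypes are modern (AES), single-DES (the weak types older AD
recipes re-enable), or otherwise legacy. A principal passes only if it has
at least one modern enctype and no single-DES entry.
"""
import re

# Constructed sample of `klist -ket` output; not captured from a real cell.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/openafs/rxkad.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 08/15/2022 10:00:00 afs/example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 08/15/2022 10:00:00 afs/example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 08/01/2022 09:00:00 afs/example.com@EXAMPLE.COM (des-cbc-crc)
   2 01/01/2020 00:00:00 host/fs1.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# Single-DES enctypes: exactly the ones a "re-enable DES on the KDC" recipe needs.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}
# Deprecated but not single-DES; worth flagging, but not an fcrypt fallback.
OTHER_LEGACY = {"des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5",
                "arcfour-hmac-exp", "rc4-hmac"}

# One keytab entry line: KVNO, date+time, principal, "(enctype)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)"
)


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -ket output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["princ"], m["etype"].strip()))
    return entries


def classify(etype):
    """Bucket an enctype name as modern, single-des, legacy or unknown."""
    if etype in SINGLE_DES:
        return "single-des"
    if etype in OTHER_LEGACY:
        return "legacy"
    if etype.startswith("aes"):
        return "modern"
    return "unknown"


def audit(text, service_prefix="afs/"):
    """Per-principal summary of enctypes; only principals with service_prefix.

    Pass service_prefix="" to audit every principal in the keytab.
    """
    report = {}
    for kvno, princ, etype in parse_klist(text):
        if service_prefix and not princ.startswith(service_prefix):
            continue
        rec = report.setdefault(princ, {
            "modern": set(), "single-des": set(), "legacy": set(),
            "unknown": set(), "max_kvno": 0,
        })
        rec[classify(etype)].add(etype)
        rec["max_kvno"] = max(rec["max_kvno"], kvno)
    for rec in report.values():
        # A service principal is in good shape only with AES keys present
        # and no single-DES key that a client could be downgraded onto.
        rec["ok"] = bool(rec["modern"]) and not rec["single-des"]
    return report


if __name__ == "__main__":
    # In practice: audit(subprocess.run(["klist", "-ket", path], ...).stdout)
    for princ, rec in audit(SAMPLE_KLIST_OUTPUT).items():
        status = "OK" if rec["ok"] else "FAIL"
        print(f"{status} {princ} (kvno {rec['max_kvno']})")
        for bucket in ("modern", "single-des", "legacy", "unknown"):
            if rec[bucket]:
                print(f"    {bucket}: {', '.join(sorted(rec[bucket]))}")
```

The check deliberately fails a principal that still carries a des-cbc-crc key even when AES keys are also present, because a keytab entry at any KVNO remains usable for tickets issued against that key version; the goal after a rxkad-k5 conversion is for the DES material to exist only as KDF output inside the AFS boundary, never as a KDC-issued key.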