[OpenAFS-win32-devel] AFS Server on Windows now works - please test new builds

Douglas E. Engert deengert@anl.gov
Fri, 02 Apr 2004 09:59:39 -0600


Jeffrey Altman wrote:
> 
> Douglas E. Engert wrote:
> 
> >I read somewhere that in 2003 the Microsoft max ticket size was increased from
> >8000 to 12000 bytes. You may wish to consider this too.
> >
> >As a side note, Microsoft has been promising a mod for AD 2003 to be able
> >to issue service tickets without a PAC. We even tested it. But it is still
> >not packaged as a hotfix. I have been asking for this since August.
> >(I will bug them again.) Your above change makes this mod less critical,
> >at least for AFS.
> >

> Such a fix is really meaningless unless MS agrees to back
> port it to Windows 2000.  Upgrading from 2000 to 2003
> is not something a majority of sites will be willing to
> do.  The effort is too great.  Sites running 2000 will
> more than likely wait for the next major Server OS
> release to make a decision.

I think more people are moving to 2003 than you think. At least the option
will be available. We have a mixture of 2000 and 2003 servers in our ANL.GOV
domain, and will be all 2003 very soon.

Well, either way, all applications that have been expecting to use small tickets,
like AFS, kx509 and any UDP apps, will need to be able to handle large tickets.


> 
> >>    * When obtaining AFS Tokens via KFW, krb524 is no longer required.
> >>      Instead the raw Kerberos 5 ticket is used in its entirety.  This
> >>      is extremely important as it allows us to use pure Kerberos 5 KDCs
> >>      as the source of the AFS authentication.  The use of 4096 byte long
> >>      tickets will allow tickets produced by all versions of Microsoft
> >>      Active Directory to be used.
> >>
> >>        create a user account.
> >>        designate it DES only
> >>        disable pre-auth
> >>        specify its UPN to be  "afs@realm"
> >>        assign a SPN of "afs/cellname" to the UPN with setspn.exe
> >>
> >>    *
> >>
> >
> >Working on msklog yesterday, which almost does the same thing as above, I think
> >I found a bug in openafs src/rxkad/ticket5.c.  This is used on the
> >AFS servers. In the krb5_des_decrypt routine, the variable ret is not initialized.
> >If the etype is not ETYPE_DES_CBC_CRC, no cksum_fun is set,
> >so ret is never set. ret is then used as the return code, which may be garbage.
> >
> >This means that a des-cbc-md5 ticket may be rejected.
> >I am still looking at this.
> >
> Although I certainly can examine this issue, this list is
> not the appropriate place for this report.  Please file
> bug reports to openafs-bugs@openafs.org so they may be
> tracked in RT and not be forgotten.
>

I did just after writing the first note:
[grand.central.org #3864] AutoReply: src/rxkad/ticket5.c uninitilized return variable

I did not mean to imply you needed to fix this, but that if you do try
and use a k5 ticket directly it best be des-cbc-crc or the AFS servers may
reject it.

> Thanks.
> 
> _______________________________________________
> OpenAFS-Win32-devel mailing list
> OpenAFS-Win32-devel@openafs.org
> http://lists.openafs.org/mailman/listinfo/openafs-win32-devel

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
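The bug class Douglas describes above (a status variable that is only assigned on the DES-CBC-CRC branch of a ticket decryptor, so every other enctype returns an indeterminate code) is illustrated here as an added example. It is a hypothetical reconstruction written for this page, not the actual OpenAFS src/rxkad/ticket5.c code: the enctype numbers, the error codes, the STACK_RESIDUE stand-in for uninitialized stack contents, the one-byte toy checksums and the sample ticket are all invented for the illustration.

```c
/* Added example, not OpenAFS code: a hypothetical reconstruction of the
 * "uninitialized return variable" shape reported for krb5_des_decrypt.
 * All identifiers, enctype values and error codes below are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ETYPE_DES_CBC_CRC = 1, ETYPE_DES_CBC_MD4 = 2, ETYPE_DES_CBC_MD5 = 3 };

#define KRB5_OK            0
#define KRB5_BAD_ENCTYPE (-1)   /* hypothetical error codes */
#define KRB5_BAD_CKSUM   (-2)

/* Stands in for whatever a real uninitialized `int ret;` would hold on the
 * stack; given a fixed value only so this example has no undefined behaviour. */
#define STACK_RESIDUE    0x7f

/* Toy stand-ins for the CRC-32 / MD4 / MD5 verifiers a real decryptor would
 * use: fold the plaintext into one byte with a type-specific seed and compare
 * it to the checksum byte stored in the ticket.  Every step is a bijection on
 * the accumulator, so different seeds always produce different checksums. */
typedef int (*cksum_fn)(const uint8_t *data, size_t len, uint8_t stored);

static uint8_t fold(const uint8_t *data, size_t len, uint8_t seed)
{
    uint8_t acc = seed;
    for (size_t i = 0; i < len; i++)
        acc = (uint8_t)((((acc << 1) | (acc >> 7)) & 0xff) ^ data[i]);
    return acc;
}
static int crc_verify(const uint8_t *d, size_t n, uint8_t s)
{ return fold(d, n, 0x11) == s ? KRB5_OK : KRB5_BAD_CKSUM; }
static int md4_verify(const uint8_t *d, size_t n, uint8_t s)
{ return fold(d, n, 0x22) == s ? KRB5_OK : KRB5_BAD_CKSUM; }
static int md5_verify(const uint8_t *d, size_t n, uint8_t s)
{ return fold(d, n, 0x33) == s ? KRB5_OK : KRB5_BAD_CKSUM; }

/* Computes the checksum byte a well-formed ticket of the given enctype
 * would carry, so callers can construct valid sample input. */
uint8_t expected_cksum(int etype, const uint8_t *data, size_t len)
{
    switch (etype) {
    case ETYPE_DES_CBC_CRC: return fold(data, len, 0x11);
    case ETYPE_DES_CBC_MD4: return fold(data, len, 0x22);
    default:                return fold(data, len, 0x33);
    }
}

/* BEFORE: the shape described in the bug report.  Only DES-CBC-CRC selects a
 * checksum function, and `ret` is written only when one was selected, so a
 * des-cbc-md4 or des-cbc-md5 ticket is judged by stack garbage. */
int verify_before_fix(int etype, const uint8_t *data, size_t len, uint8_t stored)
{
    cksum_fn cksum_fun = NULL;
    int ret = STACK_RESIDUE;      /* the real code had a bare `int ret;` */

    if (etype == ETYPE_DES_CBC_CRC)
        cksum_fun = crc_verify;
    if (cksum_fun != NULL)
        ret = cksum_fun(data, len, stored);
    return ret;                   /* indeterminate unless etype was CRC */
}

/* AFTER: every path assigns the result.  Unsupported enctypes fail closed
 * with a defined error instead of an accidental accept or reject, and the
 * MD4/MD5 DES variants are dispatched to their own verifiers. */
int verify_fixed(int etype, const uint8_t *data, size_t len, uint8_t stored)
{
    cksum_fn cksum_fun;

    switch (etype) {
    case ETYPE_DES_CBC_CRC: cksum_fun = crc_verify; break;
    case ETYPE_DES_CBC_MD4: cksum_fun = md4_verify; break;
    case ETYPE_DES_CBC_MD5: cksum_fun = md5_verify; break;
    default:                return KRB5_BAD_ENCTYPE;
    }
    return cksum_fun(data, len, stored);
}

/* Constructed sample "ticket plaintext" for the demonstration. */
const uint8_t SAMPLE_TICKET[] = { 0x61, 0x66, 0x73, 0x2f, 0x63, 0x65, 0x6c, 0x6c };
#define SAMPLE_TICKET_LEN (sizeof SAMPLE_TICKET)

int main(void)
{
    uint8_t md5 = expected_cksum(ETYPE_DES_CBC_MD5, SAMPLE_TICKET, SAMPLE_TICKET_LEN);
    printf("before fix, valid des-cbc-md5 ticket -> %d (not KRB5_OK)\n",
           verify_before_fix(ETYPE_DES_CBC_MD5, SAMPLE_TICKET, SAMPLE_TICKET_LEN, md5));
    printf("after fix,  valid des-cbc-md5 ticket -> %d\n",
           verify_fixed(ETYPE_DES_CBC_MD5, SAMPLE_TICKET, SAMPLE_TICKET_LEN, md5));
    return 0;
}
```

The fixed version also shows the defensive habit that prevents this class of bug regardless of enctype coverage: assign the status on every path (or initialize it to a failure code) so that an unexpected input can only fail closed, never fall through to whatever happens to be in the variable.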