UNIX & W2K
A single sign-on solution for a Kerberos V based AFS cell
Enrico M.V. Fasanelli &
Fulvio Ricciardi
I.N.F.N. – Sezione di Lecce
Enrico M.V. Fasanelli W2K Coordination Group - CERN 4-12-2001
Outline
• The starting point
• The target
• The integration strategy
• Problems encountered and the adopted solutions
• The overall glue
• To do
The Starting Point
• System-oriented
  – Unix world
    • AFS (Transarc) based cell le.infn.it
    • NIS for user/netgroup
  – Windows world
    • NT4 (and some W95/W98):
      – INFN-NICE Italy-wide domain
    • W2K
      – Workgroup based Professional installation
  – Common services (mail, print, web, …)
    • Unix based
      – Requires an AFS account
The Target
• User-oriented
  – Single sign-on
  – Single home directory/user profile
  – OS (Unix/Windows) independent
• Easy to manage
  – Keep (as much as possible) the existing way we perform user management
The Integration Strategy
• Keep the existing AFS Unix infrastructure
• Don't care about W9x/NT4
• Use existing software
Search for a common infrastructure
Common Infrastructure?
• UNIX
  – AFS authentication (KAS server)
  – NIS for user/netgroup data store/publishing
• Windows 2000
  – Authentication via Kerberos 5
  – User data store/publishing via LDAP (AD)
• None!
Common Infrastructure!
[Diagram: Kerberos V shared by both sides; UNIX keeps NIS, Windows keeps LDAP]
• If we can change the default way AFS authenticates
  – KAS server replaced by Kerberos 5
Which Kerberos?
1. Use the Windows 2000 Kerberos 5 implementation (derived from MIT version 1.0.5)
2. Use the latest MIT Kerberos 5 implementation (version 1.2.2 at the date of the tests, June/July 2001)
3. Use the KTH Heimdal implementation
W2K Kerberos 5
• PROS
  – Native authentication for the Windows world
  – Can authenticate a Unix Kerberos 5 client
• CONS
  – No way to authenticate any AFS user
MIT Kerberos 5
• PROS
  – Compatible with Windows
    • There is a Microsoft step-by-step guide for this
  – An older version (1.0.6) is the base of Ken Hornstein's migration kit
  – Can authenticate AFS users
• CONS
  – Windows AFS clients think they are in the year 1601 if the token lifetime is greater than 12 hours
  – Old Unix AFS clients (afs3.4 build 5.28) do not authenticate
KTH Heimdal
• PROS
  – Integrated and well-behaved AFS support
  – Authenticates Windows login
• CONS
  – Authenticated users cannot access the shared resources in the W2K domain
  – Windows AFS clients work in a strange way
    • They get the tokens, but Windows says that the AFS service could not be started!!!
Which Kerberos!
• The only way to work in the W2K world (without AFS) is to have MIT Kerberos 5
• The only way for a Windows AFS client to get a valid AFS token is to refer to a KTH Heimdal KDC
• The only way to have an AD domain is to have the W2K Kerberos 5
• From the Unix point of view, KTH Heimdal is the better choice because of its native AFS support
Solution!!!
• The ONLY WAY is to have all three (MIT, W2K & KTH)
  – The Windows 2000 domain w2k.le.infn.it is based on AD (W2K Kerberos 5) and has a trust relationship with the LE.INFN.IT K5 realm (MIT K5 based)
  – The Windows 2000 users authenticate in the LE.INFN.IT Kerberos 5 realm via MIT K5
  – The AFS clients get the tokens in the le.infn.it AFS cell, in which KAS has been replaced by the KTH Heimdal KDC (a slave of the MIT one!)
Implementation
• A Windows 2000 AD domain w2k.le.infn.it in which we define machines & users
• An MIT K5 (v1.2.2) master KDC for the LE.INFN.IT realm
• A trust relationship between w2k.le.infn.it and LE.INFN.IT
• One (to become two) KTH Heimdal slave KDC(s) for the LE.INFN.IT realm running on the AFS db server(s)
AFS KAS to Kerberos 5
• We populated the MIT K5 KDC database using the afs2k5db tool
• The replication to the slave KDC(s) (KTH Heimdal KDC running on the AFS db server) makes the AFS db server(s) able to respond to AFS token requests
Windows Setup
• Add the LE.INFN.IT realm and the corresponding KDC (the MIT one)
  – Currently we run ksetup once on each new machine
  – We plan to export the corresponding registry key from the server
• Configure the AFS client so that it obtains the user's AFS token at login
Windows User Logon
• When a user logs into a W2K machine in the LE.INFN.IT K5 realm, it gains
  – the Windows user data from the AD server
  – a TGT from the MIT KDC
  – an AFS token for the le.infn.it cell
  – The logon script maps some AFS directories to assigned network drives
Unix User
• When a user logs into a Unix workstation in the le.infn.it AFS cell, it gets
  – the user information from NIS
  – the AFS token from the AFS db server
• "kpasswd" is replaced by the MIT one and refers to the MIT KDC
User-oriented
• Single user account
  – User accounts (Kerberos principals) are defined in the le.infn.it AFS cell (LE.INFN.IT realm) AND in the AD domain w2k.le.infn.it
  – A mapping between them is defined in the W2K domain
Easy To Manage
• We generate a lot of disabled dummy users inside the AD domain.
• The user-add process is simply done via an LDAP call that modifies a user's attributes
• We have inserted the extensions needed for Windows 2000 user management into the GUI front-end netuser
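The "activate a disabled dummy user with one LDAP modify" step described above, and the per-user mapping to the LE.INFN.IT principal from the previous slide, as an added example; this is not the authors' netuser code. It assumes (the slides do not say) that the cross-realm mapping lives in the AD attribute altSecurityIdentities in the form Kerberos:user@REALM, that "disabled" means the ACCOUNTDISABLE bit (0x2) of userAccountControl is set, and that the dummies sit in an OU named Dummies. The modify is emitted as LDIF and applied to a constructed in-memory copy of the entry, so nothing here contacts a domain controller; with a real directory the same LDIF would be fed to ldapmodify or an LDAP client library.

```python
# Added example (not the authors' code): activate one pre-created, disabled
# "dummy" AD user with a single LDAP modify and map it to the user's Kerberos
# principal in the trusted MIT realm.
# Assumptions (not stated on the slides): mapping attribute altSecurityIdentities
# with value "Kerberos:user@REALM"; "disabled" = ACCOUNTDISABLE bit in
# userAccountControl; dummies live under OU=Dummies.
from typing import Dict, List

ACCOUNTDISABLE = 0x0002   # userAccountControl flag: account is disabled
NORMAL_ACCOUNT = 0x0200   # userAccountControl flag: ordinary user object
REALM = "LE.INFN.IT"      # MIT realm holding the AFS/Kerberos principals


def enabled_uac(current_uac: int) -> int:
    """Clear only the ACCOUNTDISABLE bit; every other flag is preserved."""
    return current_uac & ~ACCOUNTDISABLE


def build_enable_ldif(dn: str, login: str, full_name: str, current_uac: int) -> str:
    """LDIF 'modify' record that turns a dummy into the real user login@REALM."""
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: sAMAccountName",
        f"sAMAccountName: {login}",
        "-",
        "replace: displayName",
        f"displayName: {full_name}",
        "-",
        "replace: userAccountControl",
        f"userAccountControl: {enabled_uac(current_uac)}",
        "-",
        "replace: altSecurityIdentities",
        f"altSecurityIdentities: Kerberos:{login}@{REALM}",
        "-",
    ]
    return "\n".join(lines) + "\n"


def apply_modify_ldif(entry: Dict[str, List[str]], ldif: str) -> Dict[str, List[str]]:
    """Apply the 'replace:' operations of an LDIF modify record to an in-memory entry."""
    updated = {k: list(v) for k, v in entry.items()}
    attr = None
    values: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(("dn:", "changetype:")):
            continue
        if raw.startswith("replace: "):
            attr = raw[len("replace: "):]
            values = []
        elif raw == "-":
            if attr is not None:
                updated[attr] = values   # replace semantics: old values are dropped
            attr = None
        elif attr is not None and raw.startswith(attr + ": "):
            values.append(raw[len(attr) + 2:])
    return updated


def is_active_mapped_user(entry: Dict[str, List[str]], login: str) -> bool:
    """True when the entry is enabled and mapped to login@REALM."""
    uac = int(entry["userAccountControl"][0])
    mapped = f"Kerberos:{login}@{REALM}" in entry.get("altSecurityIdentities", [])
    return (uac & ACCOUNTDISABLE) == 0 and mapped


# Constructed sample: one dummy user as it would look in AD before activation.
DUMMY_DN = "CN=dummy0042,OU=Dummies,DC=w2k,DC=le,DC=infn,DC=it"
DUMMY_ENTRY = {
    "sAMAccountName": ["dummy0042"],
    "displayName": ["dummy0042"],
    "userAccountControl": [str(NORMAL_ACCOUNT | ACCOUNTDISABLE)],  # 514 = disabled
}


def activate_dummy(login: str, full_name: str) -> Dict[str, List[str]]:
    """Build the modify for the sample dummy and return the resulting entry."""
    current = int(DUMMY_ENTRY["userAccountControl"][0])
    return apply_modify_ldif(DUMMY_ENTRY, build_enable_ldif(DUMMY_DN, login, full_name, current))


if __name__ == "__main__":
    print(build_enable_ldif(DUMMY_DN, "rossi", "Mario Rossi", 514))
    print(activate_dummy("rossi", "Mario Rossi"))
```

The point of clearing only the ACCOUNTDISABLE bit rather than writing a fixed value is that a dummy may already carry other flags (password policy bits, for instance) that the activation step should not silently change; the mapping value written to altSecurityIdentities is what lets a logon authenticated by the LE.INFN.IT realm be matched to this AD object.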