
UNIX & W2K
A single sign-on solution for a Kerberos V based AFS cell

Enrico M.V. Fasanelli & Fulvio Ricciardi
I.N.F.N. – Sezione di Lecce

Enrico M.V. Fasanelli W2K Coordination Group - CERN 4-12-2001

Outline
• The starting point
• The target
• The integration strategy
• Problems encountered and the adopted solutions
• The overall glue
• To do

The Starting Point
• System-oriented
  – Unix world
    • AFS (Transarc) based cell le.infn.it
    • NIS for user/netgroup
  – Windows world
    • NT4 (and some W95/W98): INFN-NICE Italy wide domain
    • W2K: workgroup based Professional installation
  – Common services (mail, print, web, …)
    • Unix based
    • Require an AFS account

The Target
• User-oriented
  – Single sign-on
  – Single home directory/user profile
  – OS (Unix/Windows) independent
• Easy to manage
  – Preserve (as much as possible) the way we currently perform user management

The Integration Strategy
• Preserve the existing AFS Unix infrastructure
• Don't care about W9x/NT4
• Use existing software

Search for a common infrastructure

Common Infrastructure?
• UNIX
  – AFS authentication (KAS server)
  – NIS for user/netgroup data store/publishing
• Windows 2000
  – Authentication via Kerberos 5
  – User data store/publishing via LDAP (AD)
• None!

Common Infrastructure!

[Diagram: Kerberos V as the common authentication layer, with NIS (UNIX) and LDAP (Windows) as the per-OS user data stores]

• If we can change the default way AFS authenticates
  – KAS server replaced by Kerberos 5

Which Kerberos?
1. Use the Windows 2000 Kerberos 5 implementation (derived from the MIT version 1.0.5)
2. Use the latest MIT Kerberos 5 implementation (version 1.2.2 at the date of the tests, June/July 2001)
3. Use the KTH Heimdal implementation

W2K Kerberos 5
• PROS
  – Native authentication for the Windows world
  – Can authenticate a Unix Kerberos 5 client
• CONS
  – No way to authenticate any AFS user

MIT Kerberos 5
• PROS
  – Compatible with Windows
    • There is a Microsoft step-by-step guide for this
  – An older version (1.0.6) is used as the base of Ken Hornstein's migration kit
  – Can authenticate AFS users
• CONS
  – Windows AFS clients think they are in the year 1601 if the token lifetime is greater than 12 hours
  – Old Unix AFS clients (afs3.4 build 5.28) do not authenticate

KTH Heimdal
• PROS
  – Integrated and well-behaved AFS support
  – Authenticates Windows login
• CONS
  – Authenticated users cannot access the shared resources in the W2K domain
  – Windows AFS clients work in a strange way
    • They get the tokens, but Windows says that the AFS service could not be started!!!

Which Kerberos!
• The only way to work in the W2K world (without AFS) is to have MIT Kerberos 5
• The only way for a Windows AFS client to get a valid AFS token is to refer to a KTH Heimdal KDC
• The only way to have an AD domain is to have the W2K Kerberos 5
• From the Unix point of view, KTH Heimdal is the better choice because of its native AFS support

Solution!!!
• The ONLY WAY is to have all three (MIT, W2K & KTH)
  – The Windows 2000 domain w2k.le.infn.it is based on AD (W2K Kerberos 5) and there is a trust relationship with the LE.INFN.IT K5 realm (MIT K5 based)
  – The Windows 2000 users authenticate in the LE.INFN.IT Kerberos 5 realm via MIT K5
  – The AFS clients get the tokens in the le.infn.it AFS cell, in which KAS has been substituted by a KTH Heimdal KDC (slave of the MIT one!)

Implementation
• A Windows 2000 AD domain w2k.le.infn.it in which we define machines & users
• An MIT K5 (v1.2.2) master KDC for the LE.INFN.IT realm
• A trust relationship between w2k.le.infn.it and LE.INFN.IT
• One (to become two) KTH Heimdal slave KDC for the LE.INFN.IT realm running on the AFS db-server(s)

AFS KAS to Kerberos 5
• We populated the MIT K5 KDC database using the afs2k5db tool
• The replication to the slave KDC(s) (KTH Heimdal KDC running on the AFS db server) makes the AFS db server(s) able to respond to an AFS token request

Windows Setup
• Add the LE.INFN.IT realm and the corresponding KDC (the MIT one)
  – Currently we run ksetup once on any new machine
  – We plan to export the corresponding registry key from the server
• Configure the AFS client in order to get the user's AFS token at login

Windows User Logon
• When a user logs into a W2K machine in the LE.INFN.IT K5 realm, it gains:
  – the Windows user data from the AD server
  – a TGT from the MIT KDC
  – an AFS token for the le.infn.it cell
  – The logon script maps some AFS directories to assigned network drives

Unix User
• When a user logs into a Unix workstation in the le.infn.it AFS cell, it gets:
  – the user information from NIS
  – the AFS token from the AFS db server
• "kpasswd" is substituted by the MIT one and refers to the MIT KDC

User-oriented
• Single user account
  – User accounts (Kerberos principals) are defined in the le.infn.it AFS cell (LE.INFN.IT realm) AND in the AD domain w2k.le.infn.it
  – A mapping between them is defined in the W2K domain

Easy To Manage
• We generate a lot of disabled dummy users inside the AD domain.
• The user-add process is simply done via an LDAP call that modifies user attributes
• We have inserted the extensions needed for Windows 2000 user management in the GUI front-end netuser
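One way to express the user-add step described above, as an added example that is not part of the presentation (netuser's own code is not shown here). It assumes the account-to-principal mapping in the W2K domain is stored in the AD altSecurityIdentities attribute, that unassigned pool accounts keep a "dummy" placeholder name, and it works on constructed sample entries; it only builds the LDAP modification and does not send it.

```python
from typing import Dict, List, Optional, Tuple

AD_DOMAIN = "w2k.le.infn.it"     # AD domain named in the slides
K5_REALM = "LE.INFN.IT"          # MIT realm trusted by the AD domain
ACCOUNTDISABLE = 0x0002          # standard AD userAccountControl flags
NORMAL_ACCOUNT = 0x0200
POOL_PREFIX = "dummy"            # assumed placeholder name of free accounts

# Constructed sample of the dummy pool: dummy0001 was already claimed by "rossi".
SAMPLE_POOL: List[Dict] = [
    {"dn": "CN=dummy0001,OU=Pool,DC=w2k,DC=le,DC=infn,DC=it",
     "sAMAccountName": "rossi", "userAccountControl": NORMAL_ACCOUNT,
     "altSecurityIdentities": ["Kerberos:rossi@LE.INFN.IT"]},
    {"dn": "CN=dummy0002,OU=Pool,DC=w2k,DC=le,DC=infn,DC=it",
     "sAMAccountName": "dummy0002",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "altSecurityIdentities": []},
]


def is_free(entry: Dict) -> bool:
    """A pool account is free while it is still disabled and unrenamed."""
    return bool(entry["userAccountControl"] & ACCOUNTDISABLE) and \
        entry["sAMAccountName"].startswith(POOL_PREFIX)


def pick_free_dummy(pool: List[Dict]) -> Optional[Dict]:
    """First disabled, unassigned account in the pool, or None if exhausted."""
    return next((e for e in pool if is_free(e)), None)


def build_useradd_changes(pool: List[Dict], username: str,
                          full_name: str) -> Tuple[str, Dict]:
    """Return (dn, {attribute: new value}) for one LDAP modify/replace call."""
    if any(e["sAMAccountName"].lower() == username.lower() for e in pool):
        raise ValueError(f"{username} already exists in {AD_DOMAIN}")
    entry = pick_free_dummy(pool)
    if entry is None:
        raise LookupError("dummy pool exhausted: create more disabled accounts")
    return entry["dn"], {
        "sAMAccountName": username,
        "displayName": full_name,
        "userPrincipalName": f"{username}@{AD_DOMAIN}",
        # assumed mapping attribute: AD account <-> MIT realm principal
        "altSecurityIdentities": [f"Kerberos:{username}@{K5_REALM}"],
        # clear ACCOUNTDISABLE so the account can log on; other flags kept
        "userAccountControl": entry["userAccountControl"] & ~ACCOUNTDISABLE,
    }
```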

Netuser main (screenshot)

Netuser setup (screenshot)

Netuser group (screenshot)

Netuser edit (screenshot)

Netuser maildrop (screenshot)

To Do
• Use LDAP for the UNIX world too
• Make netuser shell-, awk- and sed-free in order to use it also from Windows
• Evaluate the exportability (mainly inside the infn.it cell)