Penguin

Getting WinXP to authenticate to a MIT Kerberos5 KDC and use AFS, all with single-sign-on, is not too difficult. However it does not appear to be completely (or correctly) documented anywhere.

You will need a correctly configured Kerberos5 domain and AFS server, which is probably its own set of headaches. I haven't done that; it was already setup correctly. I simply connected a WinXP client. The OpenAFS network here is using Kerberos5 natively. There is no krb524 type things going on.

Software I used:

As of Sep 5 2006, new versions of KfW and the OpenAFS NetIDMgr plugin are available. You must always get the OpenAFS NetIDMgr plugin built for the version of KfW you are installing.

The approach documented here is a very basic configuration with some caveats:

  • This does not use Active Directory (ldap), the client still needs a local user account
  • This cannot use NT roaming profiles

The overall process:

  1. Get WinXP to authenticate to MIT Kerberos5 domain
  2. Installing and configuring MIT Kerberos; obtaining regular Krb5 tickets from the WinXP ones
  3. Installing and configuring OpenAFS
  4. Tieing it all together

Authenticating using Kerberos5

Some useful background reading, if you care:

To authenticate your WinXP client against an external MIT Kerberos5 server, you need:

  • A user principal in the Kerberos domain (duh :))
  • A host principal account in the Kerberos domain for the WinXP client
  • A local account on the WinXP client for the user

The host principal (called a "machine account" by Microsoft) is needed by WinXP. If this is absent or incorrect, you cannot login. I'm not sure what WinXP uses the host prinicipal for; perhaps it is some form of mutual authentication, where WinXP uses the machine account to protect against a fake domain controller.

The host principle must be encrypted with the des-cbc-crc method; nothing else seems to work. Yeah, I know, its a really weak encryption method. If you want to use a random password (which is probably reccomended), make sure you write it down; you need to type this into the WinXP client too. This restriction on encryption methods applies only to the host principal; my own user principal is encypted with with des3-cbc-sha1 method, and that works just fine.

The local account on the WinXP client is part of the odd "trust" relationship that ends up in place between the Kerberos5 domain and the WinXP client. The client maps the Kerberos principal to a local account for the purposes of file permissions, group membership, and so on. (The stuff typically kept in ldap). I added myself the "Administrators" built-in group, and did not worry about it; AFS enforces its own permissions.

The host prinicipal is added using the kadmin tool like any regular Kerberos5 principal:

    kadmin q "addprinc -edes-cbc-crc:normal pw {passwd} host/{fqdn}"

On the WinXP client, execute the following in a command prompt window:

    ksetup /setdomain {REALM}
    ksetup /setmachpassword {passwd}
    ksetup /mapuser * *
    ksetup /addkdc {REALM} {kdc}
passwd
The host prinicipal password for the machine account
fqdn
The fully-qualified domain name for the WinXP client. I've only tested a situation where the DNS domain is the same as the Kerberos domain, where the mapping is trivial.
REALM
The Kerberos realm. These are typically all uppercase version of the the domain name.
kdc
The DNS name of a KDC for {REALM}. Using SRV records does not work correctly.

The ksetup program has lots of options; you can see them all by using ksetup /h.

Finally you must reboot your WinXP client. When it starts up again, you should hopefully have the option to login to your Kerberos realm. Even better, if you did everything right, it should work! Woohoo!

Installing KfW

Next, you need to install KfW. The OpenAFS client for Windows cannot use the WinXP credentials directly; KfW will import the WinXP credentials into a traditional Kerberos5 ticket for regular Kerberos software, such as OpenAFS.

The latest version (3.0) of KfW comes with a new pluggable framework called the "Network Identity Manager". The idea is that different packages or authentication schemes can install their own plugins into the NetIDMgr; then the user can manage all of their credentials from a single place. Personally I find it very quirky. However, once configured, it will grab your WinXP credentials and convert them into regular Kerberos5 ones.

Unfortunately, I find that is the only useful thing it does, and isnt particularly good at that, either; but you need it, so you live with it.

Once you have installed KfW, start the Network Identity Manager. Use the View -> Layout -> By Location menu sequence; you should see some credentials under the MSLSA: location. It may have already imported them, too; I cant remember the default configuration. If you select the MSLSA: credential, and use the Credential -> Import Credentials menu option you'll get Kerberos API credentials, which are called API: credentials in the list.

Open up the NetIDMgr configuration dialogue using the Options -> General menu option. Under the "Kerberos 5" tree item, there is an "Import Tickets" option. Set it to "always".

We aren't quite finished with this yet, we'll be coming back to it later.

Installing OpenAFS client for WinXP

Installing the OpenAFS client asks you a few questions:

  1. You are given the option of installing AFS' own MS Loopback interface. I must have done this when I first installed OpenAFS; now I have a strange "AFS" network adapter with the IP address 10.254.254.253 with netmask 255.255.255.252. If this bugs you, try unchecking it. The strange thing is that 127.0.0.1 still seems to work, dispite not being bound to any network adapter (!).
  2. When asked about the CellServDB configuration, if you are given the "Use existing" option, then use it. Otherwise, select the "Use packaged" option.
  3. It will then prompt for the cell name. Enter your AFS cell name here. The settings for the other options are:

    • Crypt security - no
    • Freelance client - yes
    • Use DNS - yes
    • Integrated logon - no
  4. Then you are presented a "AFS Credentials Configuration" dialogue:

    • Start at login - yes
    • Auto initialise - yes
    • Renew mappings - yes
    • IP address change detection - yes
    • Quiet - yes
    • Show credentials on startup - no

Our AFS SRV records in DNS are working, so configuration is quite simple. Once the obligatory reboot is over, you'll be offered a "Obtain new AFS tokens" dialogue when you login. Just press cancel; AFS native authentication is not being used (its going to come from Kerberos). Don't worry! This dialogue is offered only once, not every time you login.

If your SRV records are not working, you'll need to manually edit the CellServDB file. If you have a working unix client, the same file should work. Probably you'll need to restart the AFS client after changing/replacing the CellServDB file.

Once the AFS client has started, you should be able to Run the \\afs\all location, and see your cell.

Tieing it all together

By now there should be:

  1. WinXP authenticates using Kerberos
  2. KfW imports the WinXP tickets automatically
  3. OpenAFS client starts, and gives you access to \\afs\all

The last step remains: getting Kerberos5 tickets into OpenAFS. OpenAFS for Windows client comes with the familar aklog.exe program that does just that. Find it using the Windows Explorer, and run it. The AFS Client window should change from saying "You do not have tokens" to listing the token imported from Kerberos5.

If you install the OpenAFS plugin for NetIDMgr, then when you use the NetIDMgr to get new Kerberos5 credentials you can automatically get OpenAFS credentials. However I find this approach has quite a few limitations:

  • It doesn't work when you import credentials
  • It doesn't work when you renew credentials
  • it doesn't notice when the MSLSA: credential is renewed (eg, password-protected screen saver)
  • It works only when you use NetIDMgr to get new credentials

However, installing the plugin allows you to see the tokens in the AFS cache, as well as the copy stored by Kerberos.

To work around those absurd problems, I use the following friendly batch file called afs.bat which has a shortcut in the "Startup" folder:

    c:
    cd "\program files\mit\kerberos\bin"
    ms2mit
    cd "\program files\openafs\client\program"
    aklog

The ms2mit program forces KfW to import the MSLSA credentials. The useful feature is that it does not exit until that is done, so makes a useful synchronisation point. Then aklog puts the ticket into OpenAFS.

Bugs, issues, gotchas, etc

  • I have experienced AFS cache corruption. The symptom of this were strange failures when accessing commonly accessed AFS directories. Empty listings, strange errors, etc, are all symptoms of this. The solution is to shutdown the AFS client, delete the AFS cache file (which is %TEMP%\AFSCache by default).
  • The limitations of NetIDMgr are really a pain. The afs.bat file is going to be your friend. You might like to shortcut it from the desktop or quick start bar.
  • WinXP decided, fairly arbitarily, it would like to synchronise my AFS home directory and make an offline copy. If your client starts doing the same, open up Windows Explorer, use the Tools -> Synchronize menu option, and un-check the AFS paths.
  • AFS tokens tend to expire. Don't use it for long-running processes like BitTorrent, and so on.
  • Do not run the "Network Setup Wizard" ever again, it will trash your configuration and leave you unable to login!