Cross cell AFS authentication using Kerberos 5. HEPiX-HEPNT, Vancouver, October 21st 2003. Enrico M.V. Fasanelli.
Presentation transcript:

HEPiX-HEPNT Autumn
Agenda
Why?
Theory and practice on
– Kerberos5 cross realm transitive hierarchical authentication
– AFS cross cell authentication
INFN.IT
Last minute tests
Future

Once upon a time…
Three AFS cells: pi.infn.it, infn.it, le.infn.it (1996)
A “bad” day (1996): Transarc said: “Dear customer, forget your AFS, and look at the new DCE/DFS”
DCE/DFS “new” features
– Per file ACL
– Transitive hierarchical cross cell authentication
– INFN DCE/DFS WG (born in 09/96) → Not usable (see HTASC #7)

…in the meantime…
Transarc modifies the support policy for AFS
Two revisions to the US export regulations (January and October 2000) made the MIT Kerberos5 code available outside the US
The release of the AFS source code to the Open Source world (Halloween 2000) leads to the OpenAFS project.

…and now
Local AFS cells also in INFN labs (LNGS and LNF) and, in a lab, one cell for the KLOE experiment.
New AFS cell roma1.infn.it is ready to start in production
AFS, in the INFN, is losing the original “goal” of a single distributed filesystem for transparent resource sharing among INFN sections and labs

The “needs” of MIT Kerberos 5
The current AFS setup allows “restricted” file sharing (ACL) only between users belonging to the same cell → we need AFS cross cell authentication
Cross cell AFS authentication using Kerberos IV is de facto prohibited after MITKRB5-SA (March 17th) → we need Kerberos5
OpenAFS is moving toward Kerberos5
– rxkad2d protocol
MIT Kerberos5 provides support for AFS authentication
– fakeka is now included in the Kerberos5 1.3 distribution
Windows 2000/XP works with MIT KDCs

K5 cross realm trust relationships
Any principal in one REALM is authenticated against any other principal in the other realm → resource access (and then sharing) is “transparent”
(diagram: REALM A – REALM B)

K5 cross realm trust relationships
(diagram: a principal from REALM A runs “telnet –a server.realm.B”; the target account's ~/.k5login on the REALM.B server lists that principal)

K5 cross realm transitive trust relationships
Trust relationship IS transitive
– Hierarchical (set up by default, automatically, within the same domain)
– Via the [capaths] Kerberos5 configuration
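Added here as an example, not code from the talk: a small Python model of the realm path a client walks under the two trust modes the slide names (hierarchical by default, or an explicit [capaths] entry), and the chain of cross-realm TGTs that path implies. The [capaths] stanza and the LNF direct trust are assumptions; the realm names follow the talk's test setup.

```python
"""Model of the realm path a Kerberos 5 client walks for cross-realm auth.
Constructed example, not code from the talk; realm names follow its test setup."""

# Mirrors this assumed krb5.conf stanza ("." means a direct trust, no hop):
#   [capaths]
#       LE.KRB5TEST.INFN.IT = {
#           PI.KRB5TEST.INFN.IT  = KRB5TEST.INFN.IT
#           LNF.KRB5TEST.INFN.IT = .
#       }
CAPATHS = {
    "LE.KRB5TEST.INFN.IT": {
        "PI.KRB5TEST.INFN.IT": ["KRB5TEST.INFN.IT"],
        "LNF.KRB5TEST.INFN.IT": ["."],
    },
}


def hierarchical_path(client_realm, server_realm):
    """Simplified default rule when no [capaths] entry exists: climb the
    DNS-style hierarchy to the common parent realm, then descend.
    Returns the intermediate realms only (empty list = direct trust)."""
    c, s = client_realm.split("."), server_realm.split(".")
    n = 0  # length of the common suffix (shared parent components)
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - n + 1)]
    down = [".".join(s[i:]) for i in range(1, len(s) - n + 1)]
    path, seen = [], set()
    for realm in up + down[::-1]:
        if realm and realm not in (client_realm, server_realm, *seen):
            seen.add(realm)
            path.append(realm)
    return path


def resolve_path(client_realm, server_realm, capaths):
    """An explicit [capaths] entry wins; otherwise fall back to the hierarchy."""
    entry = capaths.get(client_realm, {}).get(server_realm)
    if entry is None:
        return hierarchical_path(client_realm, server_realm)
    return [] if entry == ["."] else list(entry)


def tgt_chain(client_realm, server_realm, capaths):
    """Cross-realm TGTs requested in order; each issuing realm lands in the
    ticket's 'transited' field, which the serving KDC must decide to trust."""
    hops = [client_realm, *resolve_path(client_realm, server_realm, capaths), server_realm]
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(hops, hops[1:])]
```

For LE to CNAF the chain is two tickets via the parent realm; a server-side KDC that wants to limit what it accepts must constrain that transited list rather than assume the hierarchy is the only route.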

AFS cross cell authentication
1) First define the appropriate PTS entries in each cell
2) Use kinit to obtain your Kerberos5 TGT
3) aklog – obtain the AFS token using the K5 TGT
4) aklog (for the external cell)
– creates an entry in the PTS database of externalcell (if not already present)
– obtains an AFS token belonging to externalcell
(diagram: AFS cell cell.A and AFS cell cell.B; an “AFS id 4 for” entry is shown in each cell)

Practice
Preliminary tests in April 2003
– RedHat 7.3/8.0
– MIT Kerberos
– OpenAFS
Configured 5 REALMs and corresponding AFS cells: [le. cnaf. pi. lnf.]krb5test.infn.it
Defined bi-directional trusts between the Top Level REALM and every other REALM below it

It works!
(diagram: krb5test.infn.it with the child REALMs LE.krb5test.infn.it, LNF.krb5test.infn.it, CNAF.krb5test.infn.it, PI.krb5test.infn.it)

INFN.IT
Pilot (and then production) for the INFN.IT WAN Kerberos5 REALM, to be used at least for cross cell AFS authentication
10 people involved in 6 INFN Sections/Labs (CNAF, LNF, LE, PI, Roma1, TS)
Presented, discussed, approved, funded in the last meeting (2003/10/7-9) of the INFN “Commissione Calcolo e Reti” (Computing and Network Committee)
Will start soon (we are buying the HW)

Last minute tests: environment
Started last week (after the OK of CCR)
– Kerberos (available since July 31st 2003)
  Includes fakeka
  → krb524 library missing (its library functions are now available in libkrb5)
– OpenAFS (available since August 5th 2003)
  Includes Kerberos5-related executables (aklog)
  → Linked against the Kerberos libraries
  → Configuration hacking for pointing to the new Kerberos5 library layout
– RedHat 9
  → krb src.rpm available on rawhide and “tuned” for RH9

Last minute tests: results
As of today, 7:00 PM GMT+1 (10:00 AM local time)
– Three new Kerberos5 REALMs and corresponding AFS cells: [LE. CNAF.]KRB5TEST.INFN.IT
– LE and CNAF Kerberos REALMs are cross authenticated against the parent
– AFS cross cell authentication between the LE and CNAF cells established
– Everything seems to work well (even better than the previous version)

Future
INFN will have its INFN.IT Kerberos5 REALM spread over the WAN
Every INFN section or lab with a local AFS cell can use it for cross-authenticating their AFS cells
In such a Kerberized environment we could use TELNET and FTP again, in a secure way.
?