Cross cell AFS authentication using Kerberos 5
HEPiX-HEPNT Vancouver, October 21st 2003
Enrico M.V. Fasanelli
HEPiX-HEPNT Autumn

Agenda
Why?
Theory and practice on
– Kerberos5 cross realm transitive hierarchical authentication
– AFS cross cell authentication
INFN.IT
Last minute tests
Future
Once upon a time…
Three AFS cells: pi.infn.it, infn.it, le.infn.it (1996)
A “bad” day (1996): Transarc said: “Dear customer, forget your AFS, and look at the new DCE/DFS”
DCE/DFS “new” features
– Per file ACL
– Transitive hierarchical cross cell authentication
– INFN DCE/DFS WG (born in 09/96)
Not usable (see HTASC # 7)
…in the meantime…
Transarc modifies the support policy for AFS
Two revisions to the US export regulations (January and October 2000) made the MIT Kerberos5 code available outside the US
The release of the AFS source code to the Open Source world (Halloween 2000) leads to the OpenAFS project.
…and now
Local AFS cells also in INFN labs (LNGS and LNF) and, in a lab, one cell for the KLOE experiment.
New AFS cell roma1.infn.it is ready to start in production
AFS, in the INFN, is losing its original “goal” of a single distributed filesystem for transparent resource sharing among INFN sections and labs
The “needs” of MIT Kerberos 5
The current AFS setup allows “restricted” file sharing (ACL) only between users belonging to the same cell
We need AFS cross cell authentication
Cross cell AFS authentication using KerberosIV is de facto prohibited after MITKRB5-SA (March 17th)
We need Kerberos5
OpenAFS is moving toward Kerberos5
– rxkad2d protocol
MIT Kerberos5 provides support for AFS authentication
– fakeka is now included in the Kerberos5 1.3 distribution
Windows 2000/XP works with MIT KDCs
K5 cross realm trust relationships
Any principal in one REALM is authenticated against any other principal in the other realm; resource access (and then sharing) is “transparent”
(diagram: REALM A trusting REALM B and vice versa)
K5 cross realm trust relationships
(diagram: a principal of REALM A, listed in ~/.k5login on a server in REALM B, logs in with: telnet -a server.realm.B)
K5 cross realm transitive trust relationships
Trust relationship IS transitive
– Hierarchical (set up by default, automatically, within the same domain)
– Via the [capaths] section of the Kerberos5 configuration
AFS cross cell authentication
1) First define the appropriate PTS entries in each cell
2) Use kinit to obtain your Kerberos5 TGT
3) aklog: obtain the AFS token using the K5 TGT
4) aklog, for the external cell:
– create an entry in the PTS database of the external cell (if not already there)
– obtain an AFS token belonging to the external cell
(diagram: AFS cell cell.A and AFS cell cell.B, each with an AFS id 4 for the user)
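The client side of the two slides above (the transitive route via [capaths], then kinit and aklog for both cells), as an added example that is not part of the talk. It uses the realm names of the speaker's test setup; the user name "enrico", the AFS id 4 and the tools' availability on the client (MIT krb5 kinit, OpenAFS aklog/pts/tokens) are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): client-side cross cell AFS authentication
# through a transitive Kerberos5 trust. Assumes MIT krb5 (kinit) and OpenAFS
# (aklog, pts, tokens); user "enrico" and AFS id 4 are made up.

HOME_REALM=LE.KRB5TEST.INFN.IT
PARENT_REALM=KRB5TEST.INFN.IT
REMOTE_REALM=CNAF.KRB5TEST.INFN.IT

# Convention of the test setup: the AFS cell name is the realm name in lower case.
realm_to_cell() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }

# Name under which a foreign user appears in another cell's PTS database:
# <user>@<home cell>, e.g. enrico@le.krb5test.infn.it
foreign_pts_name() { printf '%s@%s\n' "$1" "$(realm_to_cell "$2")"; }

# krb5.conf [capaths] fragment stating the route through the parent realm
# explicitly, in both directions, instead of relying on the hierarchical default.
capaths_fragment() {
  cat <<EOF
[capaths]
    $HOME_REALM = {
        $REMOTE_REALM = $PARENT_REALM
    }
    $REMOTE_REALM = {
        $HOME_REALM = $PARENT_REALM
    }
EOF
}

# Step 1, run by an admin of the remote cell: the PTS entry the foreign user
# is mapped to (the slide notes aklog can also create it when the cell permits).
register_foreign_user() {   # $1 = user, $2 = AFS id
  pts createuser -name "$(foreign_pts_name "$1" "$HOME_REALM")" \
      -id "$2" -cell "$(realm_to_cell "$REMOTE_REALM")"
}

# Steps 2-4, run by the user: one K5 TGT, then one token per cell. For the
# remote cell, aklog first obtains krbtgt/$REMOTE_REALM transitively via $PARENT_REALM.
get_cross_cell_tokens() {   # $1 = user
  kinit "$1@$HOME_REALM" || return 1
  aklog -cell "$(realm_to_cell "$HOME_REALM")"   -k "$HOME_REALM"   || return 1
  aklog -cell "$(realm_to_cell "$REMOTE_REALM")" -k "$REMOTE_REALM" || return 1
  tokens   # should now list a token for each of the two cells
}

# On a real client: register_foreign_user enrico 4 (as CNAF admin), then
# get_cross_cell_tokens enrico.
```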
Practice
Preliminary tests in April 2003
– RedHat 7.3/8.0
– MIT Kerberos
– OpenAFS
Configured 5 REALMs and the corresponding AFS cells: [le. cnaf. pi. lnf.]krb5test.infn.it
Defined bi-directional trusts between the Top Level REALM and every REALM below it
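The KDC side of the setup just described, as an added example that is not part of the talk: the krbtgt principals that make up the bi-directional trusts between the top level REALM and each child, and why a child-to-child login is transitive. The realm names are the slide's; the use of MIT kadmin.local and the TRUST_PW environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): cross-realm krbtgt principals for the
# "bi-directional trusts" of the April 2003 tests. Assumes MIT kadmin.local on
# each KDC; the shared key password comes from the environment (placeholder).

PARENT=KRB5TEST.INFN.IT
CHILDREN="LE CNAF PI LNF"

# A one-way trust is the principal krbtgt/<destination realm>@<source realm>,
# stored with the SAME key in both KDCs. Two per child make it bi-directional.
trust_principals() {
  for c in $CHILDREN; do
    printf 'krbtgt/%s.%s@%s\n' "$c" "$PARENT" "$PARENT"   # parent's users -> child
    printf 'krbtgt/%s@%s.%s\n' "$PARENT" "$c" "$PARENT"   # child's users -> parent
  done
}

# No child<->child principal exists: a user of child $1 reaches child $2
# transitively, through the parent, obtaining these two TGTs in this order.
transit_route() {   # $1, $2 = child realm short names, e.g. LE CNAF
  printf 'krbtgt/%s@%s.%s\n' "$PARENT" "$1" "$PARENT"
  printf 'krbtgt/%s.%s@%s\n' "$2" "$PARENT" "$PARENT"
}

# Run on the KDC of realm $1 (parent and each child alike): create every trust
# principal involving that realm. Commands go via stdin so the password is not
# visible in the process list. Dots in $1 act as regex wildcards (harmless here).
create_trust_principals() {   # $1 = realm this KDC serves
  : "${TRUST_PW:?set TRUST_PW to the shared cross-realm key password}"
  trust_principals | grep -e "@$1\$" -e "^krbtgt/$1@" | while read -r p; do
    printf 'addprinc -pw %s %s\n' "$TRUST_PW" "$p" | kadmin.local -r "$1"
  done
}
```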
It works!
(diagram: krb5test.infn.it at the top, with LE.krb5test.infn.it, LNF.krb5test.infn.it, CNAF.krb5test.infn.it and PI.krb5test.infn.it below it)
INFN.IT
Pilot (and then production) for the INFN.IT WAN Kerberos5 REALM, to be used at least for cross cell AFS authentication
10 people involved in 6 INFN Sections/Labs (CNAF, LNF, LE, PI, Roma1, TS)
Presented, discussed, approved and funded in the last meeting (2003/10/7-9) of the INFN “Commissione Calcolo e Reti” (Computing and Network Committee)
Will start soon (we are buying the HW)
Last minute tests: environment
Started last week (after the OK of CCR)
– Kerberos (available since July 31st 2003)
  – Includes fakeka
  – krb524 library missing (its functions are now available in libkrb5)
– OpenAFS (available since August 5th 2003)
  – Includes Kerberos5-related executables (aklog)
  – Linked against the Kerberos libraries
  – Configuration hacking for pointing to the new Kerberos5 library layout
– RedHat 9
  – krb src.rpm available on rawhide and “tuned” on RH9
Last minute tests: results
As of today, 7:00 PM GMT+1 (10:00 AM local time):
– Three new Kerberos5 REALMs, and corresponding AFS cells: [LE. CNAF.]KRB5TEST.INFN.IT
– LE and CNAF Kerberos REALMs are cross authenticated against the parent
– AFS cross cell authentication between LE and CNAF cells established
– Everything seems to work well (even better than the previous version)
Future
INFN will have its INFN.IT Kerberos5 REALM spread over the WAN
Every INFN section or lab with a local AFS cell can use it for cross-authenticating their AFS cells
In such a Kerberized environment we could use TELNET and FTP again, in a secure way.
?