W2K Integration in the Kerberos5 based AFS cell le.infn.it Enrico M. V. Fasanelli I.N.F.N. – Sezione di Lecce Catania, 15-4-2002.


2 Outline (HEPiX-HEPNT Catania, Enrico M.V. Fasanelli, I.N.F.N. – Sezione di Lecce)
– A bit of history
– The integration “idea”
– Summary of results from various tests
– The solution adopted
– Future work

3 The framework
Completely separate UNIX & Windows worlds
– le.infn.it Transarc AFS cell, mainly UNIX clients (AIX, HP-UX, DUX, Linux)
– Some WNT4 workstation clients in a workgroup
  – CASPUR version of MS-GINA for AFS authentication
  – Login with the AFS username, mapped to the Guest Windows account
– INFN-NICE WNT4 environment, limited to administrative and CADM users
– No password synchronization
– Common services (Web, mail) belong to the UNIX world
  – An AFS account is needed
  – Some operations (e.g. changing the password) can be done only on a UNIX machine

4 The goal
– Single account database for UNIX & Windows and for mail (IMAP4, POP)
– Single shared file system, including Web personal home pages
– Password synchronization, so that Windows users can forget that UNIX exists

5 Constraints for the new solution
From the UNIX point of view
– Must preserve the existing AFS infrastructure
– Must be available on all platforms in use
– Better if free/open source
From the Windows side
– Must work with Windows 2000
– W9x & WNT4 are not a concern
Don't write ad hoc code

6 Kerberos!
Seems to be the only common infrastructure
– Windows authentication in

7 W2K Kerberos
PROS
– Native authentication for the Windows world
– Can authenticate a properly configured UNIX Kerberos 5 client
CONS
– No way to get AFS tokens

8 MIT Kerberos 5
PROS
– Known to work with Windows 2000: there is a Microsoft step-by-step guide for it [1]
– Can provide AFS tokens (via the external “fakeka” utility from the migration kit [2])
CONS
– Windows AFS clients believe the token expires in the year 1601 when the ticket lifetime is greater than 12 hours (1601-01-01 is the zero value of a Windows FILETIME, so the expiry is effectively being read as zero; keeping the maximum ticket life issued by the KDC at or below 12 h sidesteps the problem)
– Old UNIX AFS clients (afs3.4 build 5.28) do not authenticate

9 KTH Heimdal
PROS
– Native and well-behaved AFS support
– Can authenticate Windows logins
CONS
– Authenticated users cannot access the shared resources in the W2K domain
– Windows AFS clients work in a strange way: they get the tokens, but Windows says that the AFS service could not be started!

10 Null intersection
– Windows 2000 AD needs Windows Kerberos 5
– Windows 2000 works ONLY with an MIT Kerberos 5 based realm
– The AFS client on a W2K machine works ONLY with Heimdal Kerberos 5
– UNIX AFS clients work with both MIT and Heimdal
  – The kaserver-style exchange used to obtain AFS tokens is native in Heimdal (its KDC emulates the kaserver), whereas MIT needs the “external” fakeka

11 Union: Windows + MIT + Heimdal
– AD Windows 2000 domain w2k.le.infn.it
  – We need a domain name (realm) different from the one hosting the AFS cell in order to make the trust relationship
– Kerberos 5 realm LE.INFN.IT served by an MIT KDC
  – The AFS cell is le.infn.it
– Define a trust relationship between them
  – On the Windows side (W2K.LE.INFN.IT KRB5 realm): Ksetup, Active Directory Domains and Trusts
  – On the LE.INFN.IT KDC: Kadmin for adding principals and

12 From AFS KAserver to MIT KDC (I)
– Configured the LE.INFN.IT Kerberos 5 realm with the MIT master KDC
  – We use MIT Kerberos 5 version on Linux RH 7.2
– Populated the KDC principal database with the AFS database entries using afs2k5db, a tool from Ken Hornstein's migration kit [2]
– Configured the AFS db servers to run Heimdal in slave mode
  – This is done inside the BOS configuration

13 From AFS KAserver to MIT KDC (II)
– Configured the master LE.INFN.IT KDC to propagate any database change to the slaves (Heimdal based)
– Replaced the database-related commands (klog, kpasswd, etc.) on all UNIX AFS clients with the corresponding kerberized ones

14 A simple picture (figure)

15 Windows configuration
– Windows 2000/XP Professional machines belong to the w2k.le.infn.it AD domain
– Ksetup, at installation time, advertises the LE.INFN.IT Kerberos realm
– Users log in to the LE.INFN.IT realm with their AFS username/password
  – The Windows authentication is done via the trust relationship between the two realms
  – The AFS client gets the token at login time
– A startup script maps the AFS home to an assigned network drive
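The trust set-up of slide 11 and the workstation set-up of slide 15 amount to three artifacts: a kadmin batch on the MIT master, a krb5.conf for the UNIX clients, and a few commands run on each Windows machine. The script below is an added example and is not part of the original slides or of the le.infn.it configuration; it generates those artifacts from the two realm names. The host names kdc.le.infn.it and dc.w2k.le.infn.it, the AFS home layout /afs/le.infn.it/user/<name>, the drive letter H: and the placeholder trust password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): generate the pieces of the
# LE.INFN.IT <-> W2K.LE.INFN.IT cross-realm trust. Host names, home path and
# drive letter below are assumptions, not values from the presentation.
set -e

UNIX_REALM=LE.INFN.IT            # MIT realm; same name as the AFS cell, upper case
WIN_REALM=W2K.LE.INFN.IT         # AD domain w2k.le.infn.it seen as a Kerberos realm
UNIX_KDC=kdc.le.infn.it          # assumed MIT master KDC host
WIN_DC=dc.w2k.le.infn.it         # assumed domain controller of w2k.le.infn.it

# The two cross-realm TGT principals. BOTH realms must hold both of them with
# the same key: the AD "realm trust" wizard asks for exactly that shared password.
#   usage: cross_realm_principals LOCAL_REALM REMOTE_REALM
cross_realm_principals() {
    printf 'krbtgt/%s@%s\n' "$2" "$1"   # lets $1 users obtain service tickets in $2
    printf 'krbtgt/%s@%s\n' "$1" "$2"   # lets $2 (Windows) users reach services in $1
}

# kadmin.local batch for the MIT master KDC. Only single-DES enctypes are
# listed because Windows 2000 has no 3DES, and the AFS servers of that era
# accept only des-cbc-crc keys: DES is weak, but it is the common denominator
# the deck's setup had to live with.
gen_kadmin_batch() {
    pw=$1
    cross_realm_principals "$UNIX_REALM" "$WIN_REALM" |
    while read -r princ; do
        printf 'addprinc -pw %s -e des-cbc-crc:normal,des-cbc-md5:normal %s\n' \
            "$pw" "$princ"
    done
}

# /etc/krb5.conf for the UNIX clients: both realms, host-to-realm mapping
# (the longer suffix wins, so w2k hosts go to the Windows realm) and a direct
# capath in each direction so no intermediate realm is ever tried.
gen_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $UNIX_REALM

[realms]
    $UNIX_REALM = {
        kdc = $UNIX_KDC:88
        admin_server = $UNIX_KDC:749
    }
    $WIN_REALM = {
        kdc = $WIN_DC:88
    }

[domain_realm]
    .w2k.le.infn.it = $WIN_REALM
    .le.infn.it = $UNIX_REALM

[capaths]
    $UNIX_REALM = { $WIN_REALM = . }
    $WIN_REALM = { $UNIX_REALM = . }
EOF
}

# Commands for each Windows 2000/XP workstation joined to w2k.le.infn.it:
# tell it where the MIT realm's KDC and kpasswd server are, then (in the
# logon script) map the AFS home through the AFS client's SMB name \\afs.
gen_windows_cmd() {
    printf 'ksetup /addkdc %s %s\n' "$UNIX_REALM" "$UNIX_KDC"
    printf 'ksetup /addkpasswd %s %s\n' "$UNIX_REALM" "$UNIX_KDC"
    printf 'net use H: \\\\afs\\le.infn.it\\user\\%%USERNAME%% /persistent:no\n'
}

# Stand-alone run: print the three artifacts under banners.
echo "### kadmin.local batch (run on $UNIX_KDC)"
gen_kadmin_batch 'CHANGE-ME-shared-trust-password'
echo "### /etc/krb5.conf for UNIX clients"
gen_krb5_conf
echo "### commands for Windows workstations"
gen_windows_cmd
```

The realm trust itself is created on the Windows side in Active Directory Domains and Trusts as a trust to a non-Windows Kerberos realm, entering the same password used in the kadmin batch; the per-user link between an AFS principal and its AD account (slide 16) lives in the user's AD object (Name Mappings, i.e. altSecurityIdentities = Kerberos:user@LE.INFN.IT), not in ksetup /mapuser, which is only for machines outside the domain. To check the trust from a UNIX client: kinit as a LE.INFN.IT user, request a ticket for a W2K service (kvno host/dc.w2k.le.infn.it@W2K.LE.INFN.IT) and confirm with klist that krbtgt/W2K.LE.INFN.IT@LE.INFN.IT appeared in the cache.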

16 Windows user administration
– Mapping between the AFS user and the Windows one allows use of AD resources
– By default users have a pre-assigned password (unknown to the user) in the AD domain, so they can log in only in the LE.INFN.IT realm
– The Ctrl+Alt+Del sequence permits changing the Kerberos password

17 A more complicated view (figure)

18 w2k.le.infn.it domain
The Windows AD domain is used to
– Share resources (printers)
– Deploy anti-virus
It is not used for login
– Users log in to the LE.INFN.IT Kerberos realm
– Users don't know their AD domain password
Problems with laptops disconnected from the network (Windows caches credentials for offline logon only for domain accounts, not for cross-realm logins)
– Workaround: enable domain login

19 Open issues
Laptops
– Disconnected login
– OpenAFS client on Windows XP

20 References/Useful links
[1] Microsoft step-by-step guide to Kerberos
[2] Ken Hornstein's migration kit: ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/afs-krb5-1.3.tar.gz
[3] KTH Heimdal: ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4b.tar.gz
[4] KTH Kerberos 4: ftp://ftp.pdc.kth.se/pub/krb/src/krb tar.gz
[5] MIT Kerberos 5