1
Cross cell AFS authentication using Kerberos 5
HEPiX-HEPNT Vancouver, October 21st 2003
Enrico M.V. Fasanelli
2
HEPiX-HEPNT Autumn 2003 - Vancouver, Enrico.M.V.Fasanelli@le.infn.it
Agenda
Why?
Theory and practice on
– Kerberos5 cross realm transitive hierarchical authentication
– AFS cross cell authentication
K5 @ INFN.IT
Last minute tests
Future
3
Once upon a time…
Three AFS cells: pi.infn.it, infn.it, le.infn.it (1996)
A “bad” day (1996): Transarc said “Dear customer, forget your AFS, and look at the new DCE/DFS”
DCE/DFS “new” features
– Per file ACL
– Transitive hierarchical cross cell authentication
– INFN DCE/DFS WG (born in 09/96)
Not usable (see Gomezel @ HTASC # 7)
4
…in the meantime…
Transarc modifies the support policy for AFS
Two revisions to the US export regulations (January and October 2000) made the MIT Kerberos5 code available outside the US
The release of the AFS source code to the Open Source world (Halloween 2000) leads to the OpenAFS project.
5
…and now
Local AFS cells also in INFN labs (LNGS and LNF) and, in a lab, one cell for the KLOE experiment.
New AFS cell roma1.infn.it is ready to start in production
Within the INFN, AFS is losing its original “goal” of a single distributed filesystem for transparent resource sharing among INFN sections and labs
6
The “needs” of MIT Kerberos 5
The current AFS setup allows “restricted” file sharing (ACL) only between users belonging to the same cell: we need AFS cross cell authentication
Cross cell AFS authentication using Kerberos IV is de facto prohibited after MITKRB5-SA-2003-004 (March 17th): we need Kerberos5
OpenAFS is moving toward Kerberos5
– rxkad 2b protocol
MIT Kerberos5 provides support for AFS authentication
– fakeka is now included in the Kerberos5 1.3 distribution
Windows 2000/XP works with MIT KDCs
7
Agenda
Why?
Theory and practice on
– Kerberos5 cross realm transitive hierarchical authentication
– AFS cross cell authentication
K5 @ INFN.IT
Last minute tests
Future
8
K5 cross realm trust relationships
Any principal in one REALM is authenticated against any other principal in the other realm: resource access (and then sharing) is “transparent”
[Diagram: REALM A and REALM B, linked by the cross-realm principal krbtgt/REALM.B@REALM.A]
9
K5 cross realm trust relationships
[Diagram: user@REALM.A in REALM A runs “telnet –a server.realm.B”; the target account in REALM B lists the principal user@REALM.A in its ~/.k5login]
10
K5 cross realm transitive trust relationships
Trust relationship IS transitive
– Hierarchical (set up by default, automatically, within the same domain)
– Via the [capaths] section of the Kerberos5 configuration
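Added example (not part of the slides): how MIT Kerberos 5 derives the default hierarchical cross-realm path, which krbtgt principals that path implies (slide 8's krbtgt/REALM.B@REALM.A naming), and the equivalent [capaths] fragment, worked on the KRB5TEST.INFN.IT test realms from the talk. It assumes the two realms share a parent realm, as every pair on the slides does.

```python
from typing import List

# Added example, not from the slides: default hierarchical cross-realm path
# in MIT Kerberos 5, applied to the KRB5TEST.INFN.IT test realms of the talk.
# Simplification: both realms must share a parent realm (true for every pair
# on the slides); realms with no common suffix need an explicit [capaths] entry.

def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Realms traversed from client_realm to server_realm when no [capaths]
    entry applies: climb to the closest common parent realm, then descend."""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    k = 0                                   # length of the shared suffix
    while k < min(len(c), len(s)) and c[-1 - k] == s[-1 - k]:
        k += 1
    if k == 0:
        raise ValueError("no common parent realm; a [capaths] entry is required")
    up = [".".join(c[i:]) for i in range(len(c) - k + 1)]            # client .. common
    down = [".".join(s[j:]) for j in range(len(s) - k - 1, -1, -1)]  # below common .. server
    return up + down


def tgt_requests(path: List[str]) -> List[str]:
    """Cross-realm TGTs requested along the path, in order. Each hop asks the
    KDC of realm path[i] for krbtgt/path[i+1]@path[i]; every intermediate
    realm is a signer the server realm must be willing to trust."""
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]


def capaths_entry(path: List[str]) -> str:
    """krb5.conf [capaths] fragment pinning exactly this path, so the client
    follows it and the server realm's KDC can validate the ticket's transited
    field. Intermediates are listed one per line; "." means a direct trust."""
    client, server, via = path[0], path[-1], path[1:-1] or ["."]
    hops = "\n".join(f"        {server} = {r}" for r in via)
    return f"[capaths]\n    {client} = {{\n{hops}\n    }}"


if __name__ == "__main__":
    p = hierarchical_path("LE.KRB5TEST.INFN.IT", "CNAF.KRB5TEST.INFN.IT")
    print(" -> ".join(p))
    print("\n".join(tgt_requests(p)))
    print(capaths_entry(p))
```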
11
AFS cross cell authentication
1) First define the appropriate PTS entries in each cell
2) Use kinit to obtain your Kerberos5 TGT
3) aklog – obtain the AFS token using the K5 TGT
4) aklog for the external cell
– creates an entry in the PTS database of externalcell (if not already there)
– obtains an AFS token belonging to externalcell
[Diagram: AFS cell cell.A holds the PTS entry system:authuser@cell.B and AFS cell cell.B holds system:authuser@cell.A; user@cell.A ends up with “AFS id 4 for afs@cell.B” and user@cell.B with “AFS id 4 for afs@cell.A”]
12
Practice
Preliminary tests in April 2003
– RedHat 7.3/8.0
– MIT Kerberos5 1.2.7
– OpenAFS 1.2.8
Configured 5 REALMs and corresponding AFS cells: [le. cnaf. pi. lnf.]krb5test.infn.it
Defined bi-directional trusts between the top level REALM and each one below it
13
It works !
[Diagram: krb5test.infn.it at the top, with LE.krb5test.infn.it, LNF.krb5test.infn.it, CNAF.krb5test.infn.it and PI.krb5test.infn.it below it]
14
Agenda
Why?
Theory and practice on
– Kerberos5 cross realm transitive hierarchical authentication
– AFS cross cell authentication
K5 @ INFN.IT
Last minute tests
Future
15
K5 @ INFN.IT
Pilot (and then production) for an INFN.IT WAN Kerberos5 REALM, to be used at least for cross cell AFS authentication
10 people involved in 6 INFN Sections/Labs (CNAF, LNF, LE, PI, Roma1, TS)
Presented, discussed, approved, funded in the last meeting (2003/10/7-9) of the INFN “Commissione Calcolo e Reti” (Computing and Network Committee)
Will start soon (we are buying the HW)
16
Agenda
Why?
Theory and practice on
– Kerberos5 cross realm transitive hierarchical authentication
– AFS cross cell authentication
K5 @ INFN.IT
Last minute tests
Future
17
Last minute tests: environment
Started last week (after the OK of CCR)
– Kerberos5 1.3.1 (available since July 31st 2003)
  Includes fakeka
  krb524 library missing (library functions available in libkrb5 now)
– OpenAFS 1.2.10 (available since August 5th 2003)
  Includes kerberos5-related executables (aklog)
  Linked against 1.2.7 kerberos libraries: configuration hacking needed to point to the new Kerberos5 library layout
– RedHat 9
  krb5-1.3.1 src.rpm available on rawhide and “tuned” for RH9
18
Last minute tests: results
As of today, 7:00 PM GMT+1 (10:00 AM local time)
– Three new Kerberos5 REALMs, and corresponding AFS cells: [LE. CNAF.]KRB5TEST.INFN.IT
– LE and CNAF Kerberos REALMs are cross authenticated against the parent
– AFS cross cell authentication between LE and CNAF cells established
– Everything seems to work well (even better than the previous version)
19
Agenda
Why?
Theory and practice on
– Kerberos5 cross realm transitive hierarchical authentication
– AFS cross cell authentication
K5 @ INFN.IT
Last minute tests
Future
20
Future
INFN will have its INFN.IT Kerberos5 REALM spread over the WAN
Every INFN section or lab with a local AFS cell can use it for cross-authenticating its AFS cell
In such a Kerberized environment we could use TELNET and FTP again, in a secure way.
?