
1 UNIX & W2K: A single sign-on solution for a Kerberos V based AFS cell
Enrico M.V. Fasanelli & Fulvio Ricciardi, I.N.F.N. – Sezione di Lecce

2 Outline
(Enrico M.V. Fasanelli, W2K Coordination Group - CERN, 4-12-2001)
The starting point
The target
The integration strategy
Problems encountered and the adopted solutions
The overall glue
To do

3 The Starting Point
System-oriented
– Unix world: AFS (Transarc) based cell le.infn.it; NIS for user/netgroup data
– Windows world: NT4 (and some W95/W98) in the INFN-NICE Italy-wide domain; W2K Professional installations, workgroup based
– Common services (mail, print, web, ...) are Unix based and require an AFS account

4 The Target
User-oriented
– Single sign-on
– Single home directory/user profile
– OS (Unix/Windows) independent
Easy to manage
– Keep (as much as possible) the existing way we perform user management

5 The Integration Strategy
Keep the existing AFS Unix infrastructure
Don't care about W9x/NT4
Use existing software
→ Search for a common infrastructure

6 Common Infrastructure?
UNIX
– AFS authentication (KAS server)
– NIS for user/netgroup data store/publishing
Windows 2000
– Authentication via Kerberos 5
– User data store/publishing via LDAP (AD)
Nothing in common!

7 Common Infrastructure!
(Matrix of Kerberos V / NIS / LDAP against UNIX / Windows)
Kerberos V can be the common element, if we can change the default way AFS authenticates:
– KAS server → Kerberos 5

8 Which Kerberos?
1. Use the Windows 2000 Kerberos 5 implementation (obtained from the MIT version 1.0.5)
2. Use the latest MIT Kerberos 5 implementation (version 1.2.2 at the date of the tests, June/July 2001)
3. Use the KTH Heimdal implementation

9 W2K Kerberos 5
PROS
– Native authentication for the Windows world
– Can authenticate a Unix Kerberos 5 client
CONS
– No way to authenticate any AFS user

10 MIT Kerberos 5
PROS
– Compatible with Windows (there is a Microsoft step-by-step guide for this)
– An older version (1.0.6) is the base of Ken Hornstein's migration kit
– Can authenticate AFS users
CONS
– Windows AFS clients think they are in the year 1601 if the token lifetime is greater than 12 hours
– Old Unix AFS clients (afs3.4 build 5.28) do not authenticate

11 KTH Heimdal
PROS
– Integrated and well-behaved AFS support
– Authenticates Windows login
CONS
– Authenticated users cannot access the shared resources in the W2K domain
– Windows AFS clients work in a strange way: they get the tokens, but Windows says the AFS service could not be started!!!

12 Which Kerberos!
The only way to work in the W2K world (without AFS) is to have MIT Kerberos 5
The only way for a Windows AFS client to get a valid AFS token is to refer to a KTH Heimdal KDC
The only way to have an AD domain is to have the W2K Kerberos 5
From the Unix point of view, KTH Heimdal is the better choice because of its native AFS support

13 Solution!!!
The ONLY WAY is to have all three (MIT, W2K & KTH)
– The Windows 2000 domain w2k.le.infn.it is based on AD (W2K Kerberos 5) and has a trust relationship with the LE.INFN.IT K5 realm (MIT K5 based)
– The Windows 2000 users authenticate in the LE.INFN.IT Kerberos 5 realm via MIT K5
– The AFS clients get their tokens in the le.infn.it AFS cell, in which KAS has been replaced by a KTH Heimdal KDC (a slave of the MIT one!)

14 Implementation
A Windows 2000 AD domain w2k.le.infn.it in which we define machines & users
An MIT K5 (v1.2.2) master KDC for the LE.INFN.IT realm
A trust relationship between w2k.le.infn.it and LE.INFN.IT
One (to become two) KTH Heimdal slave KDC for the LE.INFN.IT realm running on the AFS db server(s)

15 AFS KAS to Kerberos 5
We populated the MIT K5 KDC database using the afs2k5db tool
The replication to the slave KDC(s) (the KTH Heimdal KDC running on the AFS db server) makes the AFS db server(s) able to respond to AFS token requests

16 Windows Setup
Add the LE.INFN.IT realm and the corresponding KDC (the MIT one)
– Currently we run ksetup once on every new machine
– We plan to export the corresponding registry key from the server instead
Configure the AFS client so that it gets the user's AFS token at login

17 Windows User Logon
When a user logs into a W2K machine in the LE.INFN.IT K5 realm they obtain
– the Windows user data from the AD server
– a TGT from the MIT KDC
– an AFS token for the le.infn.it cell
– The logon script maps some AFS directories to assigned network drives

18 Unix User
When a user logs into a Unix workstation in the le.infn.it AFS cell they get
– the user information from NIS
– the AFS token from the AFS db server
"kpasswd" is replaced by the MIT one and refers to the MIT KDC

19 User-oriented
Single user account
– User accounts (Kerberos principals) are defined in the le.infn.it AFS cell (LE.INFN.IT realm) AND in the AD domain w2k.le.infn.it
– A mapping between them is defined in the W2K domain

20 Easy To Manage
We pre-generate a lot of disabled dummy users inside the AD domain; the user-add process is then simply an LDAP call that modifies the user's attributes
We have added the extensions needed for Windows 2000 user management to the GUI front-end netuser
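The two previous slides describe the AD side of the single account: a principal in the MIT realm LE.INFN.IT, a pre-created disabled account in w2k.le.infn.it, and a mapping between them that is set by modifying LDAP attributes. The following is an added example (not the authors' netuser code) of what that modification amounts to. It assumes things the slides do not state: that the dummy pool lives in OU=Dummies and live users in OU=Users under DC=w2k,DC=le,DC=infn,DC=it, that dummies are named dummyNNNN, and that the realm-to-AD mapping is stored in the Windows 2000 name-mapping attribute altSecurityIdentities in its "Kerberos:user@REALM" form. It produces LDIF for ldapmodify(1) and never contacts a directory.

```python
"""Provision a Windows 2000 user from a pre-created, disabled dummy account.

Added example, not the authors' netuser code.  Assumed (not on the slides):
OU layout, dummy naming, and use of altSecurityIdentities for the mapping.
"""
import base64
import re

# userAccountControl bits this script touches (Microsoft's documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200

BASE_DN = "DC=w2k,DC=le,DC=infn,DC=it"
DUMMY_OU = "OU=Dummies," + BASE_DN          # assumed layout
USERS_OU = "OU=Users," + BASE_DN            # assumed layout
AD_DOMAIN = "w2k.le.infn.it"
K5_REALM = "LE.INFN.IT"
DUMMY_RE = re.compile(r"^dummy\d{4}$")      # assumed naming of the dummy pool


def kerberos_mapping(username: str, realm: str = K5_REALM) -> str:
    """altSecurityIdentities value that lets username@REALM (the MIT realm)
    log on as this AD account.  Kerberos realm names are case-sensitive, so
    the realm is forced to upper case; user names are Unix-style lower case."""
    if "@" in username or not re.fullmatch(r"[a-z][a-z0-9._-]{0,19}", username):
        raise ValueError(f"not a plain user name: {username!r}")
    return f"Kerberos:{username}@{realm.upper()}"


def is_disabled(uac: int) -> bool:
    return bool(uac & UF_ACCOUNTDISABLE)


def enable_flags(uac: int) -> int:
    """Clear ACCOUNTDISABLE and make sure NORMAL_ACCOUNT is set; all other
    bits (e.g. DONT_EXPIRE_PASSWD) stay as the dummy had them."""
    return (uac | UF_NORMAL_ACCOUNT) & ~UF_ACCOUNTDISABLE


def next_free_dummy(pool):
    """pool: iterable of (sAMAccountName, userAccountControl) as read from
    OU=Dummies.  A dummy is free only if it still carries its pool name AND is
    still disabled, so a half-provisioned entry is never handed out twice."""
    for name, uac in sorted(pool):
        if DUMMY_RE.match(name) and is_disabled(uac):
            return name
    raise LookupError("dummy pool exhausted: pre-generate more accounts")


def ldif_attr(attr: str, value: str) -> str:
    """One LDIF attribute line.  RFC 2849 requires the base64 ('::') form
    when the value is non-ASCII, starts with space, ':' or '<', or contains
    CR, LF or NUL; an accented display name would otherwise be corrupted."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or any(c in value for c in "\r\n\x00"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def provision_ldif(dummy: str, username: str, display_name: str, dummy_uac: int) -> str:
    """Two LDIF records: move/rename the dummy into OU=Users, then replace the
    attributes that turn it into `username`, map the MIT principal onto it
    and enable it.  Returned text is what `ldapmodify -Y GSSAPI` would read."""
    mapping = kerberos_mapping(username)      # also validates the name
    new_dn = f"CN={username},{USERS_OU}"
    rename = "\n".join([
        f"dn: CN={dummy},{DUMMY_OU}",
        "changetype: modrdn",
        f"newrdn: CN={username}",
        "deleteoldrdn: 1",
        f"newsuperior: {USERS_OU}",
    ])
    changes = [("sAMAccountName", username),
               ("userPrincipalName", f"{username}@{AD_DOMAIN}"),
               ("displayName", display_name),
               ("altSecurityIdentities", mapping),
               ("userAccountControl", str(enable_flags(dummy_uac)))]
    modify = [f"dn: {new_dn}", "changetype: modify"]
    for attr, value in changes:
        modify += [f"replace: {attr}", ldif_attr(attr, value), "-"]
    return rename + "\n\n" + "\n".join(modify) + "\n"


if __name__ == "__main__":
    # Constructed sample of what a search over OU=Dummies might return:
    # dummy0001 was already enabled by someone, so dummy0002 is the first free one.
    pool = [("dummy0002", 514), ("dummy0001", 512), ("dummy0003", 66050)]
    free = next_free_dummy(pool)
    print(provision_ldif(free, "fasanelli", "Enrico M.V. Fasanelli", 514))
```

The point of the two-step LDIF is that the account keeps its SID and group memberships from the dummy; only the naming attributes, the mapping and the disable bit change. Note that the mapping makes the MIT principal the logon identity, so deleting the principal in LE.INFN.IT does not disable the AD account: a de-provisioning routine has to set UF_ACCOUNTDISABLE again.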

21 Netuser main (screenshot)

22 Netuser setup (screenshot)

23 Netuser Group (screenshot)

24 Netuser edit (screenshot)

25 Netuser maildrop (screenshot)

26 To Do
Use LDAP for the UNIX world too
Make netuser shell-, awk- and sed-free in order to use it from Windows as well
Evaluate exportability (mainly inside the infn.it cell)

