MSU's Migration to Kerberos 5
- MSU is preparing the migration from AFS user authentication to Kerberos 5 on May 11, 2005. We are using MIT's Kerberos software.
- The intended audience for this document and the links included are System Administrators and other Information Technology types, and as such it may not be of interest to the general community.
- You can find some more details here: Timelines & Plans.
- Some notes on testing and creating the kdc: Notes.
- The ACNS Help Desk now has a Kerberos 5 Migration FAQ.
Goals:
- This migration is intended to be backwards compatible. Here are some results from our ongoing test. You must test this before we make the final migration on May 11, 2005!!!! Even if you think you will not use Kerberos 5 you have to test this cell with your existing auth methods to ensure that your service(s) will continue to function.
- Migrate the entire cell to Kerberos 5 on May 11, 2005.
Testing:
- If you are willing to test this new cell please contact migrate@jax.cl.msu.edu. Please put the words "Kerberos 5 Testing" in the Subject line.
- Tell us the MSU netid(s) that you want to use in this testing. The netid must have been in use prior to November 30, 2004. You will use whatever the password was on November 30, 2004. Testing against existing pts groups is also possible; just tell us what you need.
- Participating in this test will NOT affect your netid or password in the Official msu.edu realm.
- Tell us who the contact person will be for your department and include that person's email address, to be included in a list serve that is being created for this purpose.
- If you need to be able to test file server operations (write, create, delete, etc.) let us know the details.
- Once your netid is in place in the new cell you will be able to use your existing netid password.
Details:
- The test cell is running on a pair of Dell 650's. The OS is SuSE 9.0.
- Rather than migrate all msu netids we are choosing to move over only those ids needed for testing. At some point we will move all the netids into the KDC.
- The test Kerberos 5 Realm is MSU.EDU. The test afs cell is msu.edu. This will not interfere with the existing 'Real' Msu afs cell. Any testing against the test cell will require reconfiguring the name of your database server / admin server. Once authenticated you will NOT see the customary /afs/msu ... file structure. It will be /afs/kerb5.cl.msu.edu ...
- The actual file space on this cell is limited, so all user volume quotas will be 5 meg unless a larger quota is requested.
- This is a test cell and as such you can bet on outages and other annoyances. Once the list serve is in place we will try to notify you of upcoming events. The volumes on the test cell are not being backed up, so don't put anything on it you are not willing to lose.
- We are excited to be taking these first steps and we look forward to working with you in the near future.
Principals / Netids:
There will be three types of principals during the first months after the migration:
- The migrated afs netid. This is the bulk of the principals. These are netids that have been loaded / migrated from the afs cell. The user has not reset their password yet.
- The migrated netid w/ password reset. This user has reset their password since the migration.
- The new user. This user's principal was created after the migration.
It is suggested that you test each user. We have created a few test user ids to represent the new user. Contact us for the details.
Password Maintenance:
There are a couple of ways you can reset your password on the test kdc.
- The kpasswd utility (if you are on a UNIX machine with an afs client.)
- MIT Kerberos for Windows (Windows 98/98SE/Me/NT/2000/XP/2003 Server). See the config example below for the krb5.ini file.
Configurations Tested:
Kerberos 5
- Solaris 9 with openafs client version 1.2.8. Use this /etc/krb5.conf file.
/usr/bin/kinit netid@msu.edu will prompt you for a password.
/usr/bin/klist will list available tickets.
/usr/bin/kdestroy will remove your tickets.
- Windows using MIT Kerberos for Windows, available here. You should end up with a config file C:\windows\krb5.ini like this. This will install a nice GUI titled Leash that will display tickets and allow you to change your password etc. Several command line utilities are installed as well. Try "kinit -5 netid@msu.edu" .. this will get you a ticket. Don't forget to use the -5 switch or it will waste a lot of time trying to get a Kerberos 4 ticket. Then type aklog and if you have an afs client configured you will be able to map drives to the cell.
Traditional Afs
- Solaris 9 with openafs client version 1.2.8. Use this /etc/krb5/krb5.conf file. In order to test an existing afs client just change /usr/vice/etc/CellServDB to this.
- Windows XP OpenAFS version 1.3.65, available here. Follow the general instructions for install, however when this screen appears:
- Once installed double click the afs icon located in the System Tray .. click "Advanced" and then click the button labeled "Configure Afs Client". Under the AFS Cells tab you will find an entry for msu.edu already in there. Edit this entry so it looks like the example below. You may want to jot down the default settings for the 'Real' msu.edu cell. Notice the only thing that changes is the name and ip address of the Cell Database server.
Suggested Unix krb5.conf:
[libdefaults]
default_realm = MSU.EDU
clockskew = 300
ticket_lifetime = 600
[realms]
MSU.EDU = {
kdc = open-afsdb2.cl.msu.edu
master_kdc = open-afsdb2.cl.msu.edu
admin_server = open-afsdb2.cl.msu.edu:749
kpasswd_server = open-afsdb2.cl.msu.edu
default_domain = MSU.EDU
}
Suggested CellServDB file:
>msu.edu
35.9.6.209 #open-afsdb2.cl.msu.edu
Suggested Windows krb5.ini file (located at c:\windows\krb5.ini):
[domain_realm]
.msu.edu = MSU.EDU
msu.edu = MSU.EDU
[libdefaults]
default_realm = MSU.EDU
dns_lookup_kdc = true
[logging]
kdc = CONSOLE
[realms]
MSU.EDU = {
admin_server = open-afsdb2.cl.msu.edu
default_domain = MSU.EDU
kdc = open-afsdb2.cl.msu.edu
v4_instance_convert = {
msu = msu.edu
}
}
MSU.EDU = {
admin_server = open-afsdb2.cl.msu.edu
kdc = open-afsdb2.cl.msu.edu
}
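As an added illustration (not part of the original page or of MSU's tooling), the following Python parses the MIT profile syntax used by the krb5.conf and krb5.ini files above and flags the kind of slip that is easy to make when editing them by hand, such as the MSU.EDU realm stanza appearing twice in the suggested krb5.ini, or a default_realm written in lower case. The sample file is a constructed excerpt, not the real file.

```python
# Constructed sample in the shape of the suggested krb5.ini above (not the real file).
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = MSU.EDU
[realms]
MSU.EDU = {
kdc = open-afsdb2.cl.msu.edu
v4_instance_convert = {
msu = msu.edu
}
}
MSU.EDU = {
kdc = open-afsdb2.cl.msu.edu
}
"""

def parse_profile(text):
    """Parse MIT profile syntax ([section], key = value, nested key = { ... }) into dicts."""
    root, stack = {}, []                      # values kept in lists so repeats stay visible
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or full-line comment
            continue
        if line.startswith("[") and line.endswith("]"):   # new top-level section
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":                     # close the innermost { } block
            stack.pop()
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":                    # open a nested block under key
                block = {}
                stack[-1].setdefault(key, []).append(block)
                stack.append(block)
            else:
                stack[-1].setdefault(key, []).append(val)
    return root

def lint_profile(profile):
    """Return the problems a realm administrator would want flagged."""
    issues = []
    realm = profile.get("libdefaults", {}).get("default_realm", [None])[0]
    realms = profile.get("realms", {})
    if realm is None or realm not in realms:
        issues.append(f"default_realm {realm} is missing or has no [realms] stanza")
    elif realm != realm.upper():              # realm names are case-sensitive
        issues.append(f"default_realm {realm!r} is not upper-case")
    for name, stanzas in realms.items():
        if len(stanzas) > 1:
            issues.append(f"realm {name} is defined {len(stanzas)} times")
    return issues
```

Run `lint_profile(parse_profile(open("krb5.ini").read()))` against a real file to list the findings; an empty list means nothing was flagged.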
The Storage Systems group.
Academic Computing and Network Services.