Cross cell AFS authentication using Kerberos 5

Published on November 2, 2007

Author: Wanderer

Source: authorstream.com

Content

Cross cell AFS authentication using Kerberos 5
HEPiX-HEPNT, Vancouver, October 21st 2003
Enrico M.V. Fasanelli

Agenda
- Why?
- Theory and practice on Kerberos5 cross realm transitive hierarchical authentication
- AFS cross cell authentication
- K5 @ INFN.IT
- Last minute tests
- Future

Once upon a time…
- Three AFS cells: pi.infn.it, infn.it, le.infn.it (1996)
- A “bad” day (1996): Transarc said: “Dear customer, forget your AFS, and look at the new DCE/DFS”
- DCE/DFS “new” features: per file ACL; transitive hierarchical cross cell authentication
- INFN DCE/DFS WG (born in 09/96): not usable (see Gomezel @ HTASC # 7)

…in the meantime…
- Transarc modifies the support policy for AFS
- Two revisions to the US export regulations (January and October 2000) made the MIT Kerberos5 code available outside the US
- The release of the AFS source code to the Open Source world (Halloween 2000) leads to the OpenAFS project

…and now
- Local AFS cells also in INFN labs (LNGS and LNF) and, in a lab, one cell for the KLOE experiment
- New AFS cell roma1.infn.it is ready to start in production
- AFS, in the INFN, is losing the original “goal” of a single distributed filesystem for transparent resource sharing among INFN sections and labs

The “needs” of MIT Kerberos 5
- The current AFS setup allows “restricted” file sharing (ACL) only between users belonging to the same cell -> we need AFS cross cell authentication
- Cross cell AFS authentication using Kerberos IV is de facto prohibited after MITKRB5-SA-2003-004 (March 17th) -> we need Kerberos5
- OpenAFS is moving toward the Kerberos5 rxkad2d protocol
- MIT Kerberos5 provides support for AFS authentication: fakeka is now included in the Kerberos5 1.3 distribution
- Windows 2000/XP works with MIT KDCs

K5 cross realm trust relationships
- Any principal in one REALM is authenticated against any other principal in the other realm
- Resource access (and then sharing) is “transparent”
- Diagram: REALM A and REALM B linked by the cross-realm principals krbtgt/[email protected] and krbtgt/[email protected]
- Diagram: principal [email protected] in REALM A runs “telnet -a server.realm.B” against a host in REALM.B

K5 cross realm transitive trust relationships
- The trust relationship IS transitive
- Hierarchical (set up by default, automatically, within the same domain)
- Or via the [capaths] section of the Kerberos5 configuration

AFS cross cell authentication
- First define the appropriate PTS entries in each cell
- Use kinit to obtain your Kerberos5 TGT
- aklog: obtain the AFS token using the K5 TGT
- aklog <externalcell>: creates an entry in the PTS database of externalcell (if not already there) and obtains an AFS token belonging to externalcell
- Diagram: AFS cells cell.A and cell.B, each with a system:[email protected] group; the user [email protected] is registered as AFS id 4 for [email protected] in each cell

Practice
- Preliminary tests in April 2003
- RedHat 7.3/8.0, MIT Kerberos5 1.2.7, OpenAFS 1.2.8
- Configured 5 REALMs and corresponding AFS cells: [le. cnaf. pi. lnf.]krb5test.infn.it
- Defined bi-directional trusts between the top level REALM and any other below

It works!
- Diagram: krb5test.infn.it at the top, with LE.krb5test.infn.it, LNF.krb5test.infn.it, CNAF.krb5test.infn.it and PI.krb5test.infn.it below it
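The transitive hierarchical trust and the kinit/aklog procedure from the slides above, as an added shell example that is not part of the original presentation. It assumes the test tree from the “It works!” slide (KRB5TEST.INFN.IT with LE and CNAF children), that each AFS cell is named after its realm in lower case, and that the foreign cell lets aklog register visiting users through a system:authuser@<home cell> group (an assumption about the OpenAFS setup; the slides only say that aklog creates the PTS entry). realm_path computes the default hierarchical route between two realms, ticket_chain lists the krbtgt/NEXT@CURRENT tickets fetched along it, capaths_fragment prints the same route as an explicit krb5.conf [capaths] stanza, and afs_cross_cell_login is the user-side sequence, which only works on a host with the MIT Kerberos and OpenAFS client tools installed.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes the test tree from the
# "It works!" slide (KRB5TEST.INFN.IT with LE. and CNAF. children) and
# that each AFS cell is named after its realm in lower case (assumption).

# realm_path CLIENT_REALM SERVER_REALM
# Prints, one per line, the realms a client crosses to reach a service in
# SERVER_REALM using only the default hierarchical trust: climb from the
# client realm to the nearest realm whose name is a suffix of both, then
# descend to the server realm. Realms sharing no suffix are taken to be
# directly trusted (one hop).
realm_path() {
    awk -v c="$1" -v s="$2" '
    function join(a, lo, hi,    out, j) {
        out = a[lo]
        for (j = lo + 1; j <= hi; j++) out = out "." a[j]
        return out
    }
    BEGIN {
        nc = split(c, cl, "[.]"); ns = split(s, sl, "[.]")
        k = 0                       # trailing labels shared by both realms
        while (k < nc && k < ns && cl[nc - k] == sl[ns - k]) k++
        path = c
        if (k > 0) {
            # climb: drop leading labels until the common ancestor realm
            for (i = 2; i <= nc - k; i++) path = path "\n" join(cl, i, nc)
            anc = join(cl, nc - k + 1, nc)
            if (anc != c) path = path "\n" anc
            # descend: add the server labels back one at a time
            for (i = ns - k; i >= 1; i--) path = path "\n" join(sl, i, ns)
        } else if (s != c) {
            path = path "\n" s
        }
        print path
    }'
}

# ticket_chain CLIENT_REALM SERVER_REALM
# The cross-realm TGTs fetched along that path: at each hop the client asks
# realm R(i) for krbtgt/R(i+1)@R(i), a key both KDCs must share. Every realm
# on the path can mint such tickets, so each one is part of the trust base.
ticket_chain() {
    realm_path "$1" "$2" | awk 'NR > 1 { print "krbtgt/" $0 "@" prev } { prev = $0 }'
}

# capaths_fragment REALM_X REALM_Y VIA
# The same route written explicitly as a krb5.conf [capaths] stanza
# (client realm = { server realm = intermediate realm }), the form needed
# when two realms are not in one domain tree; "." as the intermediate
# would declare a direct trust instead.
capaths_fragment() {
    cat <<EOF
[capaths]
    $1 = {
        $2 = $3
    }
    $2 = {
        $1 = $3
    }
EOF
}

# register_foreign_cell_users HOME_CELL FOREIGN_CELL
# Admin step in FOREIGN_CELL ("define the appropriate PTS entries"): with
# this group present, aklog can auto-register user@HOME_CELL on first use
# (assumed OpenAFS behaviour; run with admin tokens for FOREIGN_CELL).
register_foreign_cell_users() {
    pts creategroup -name "system:authuser@$1" -cell "$2"
}

# afs_cross_cell_login USER HOME_REALM HOME_CELL FOREIGN_CELL
# The user-side sequence from the "AFS cross cell authentication" slide.
# Needs the MIT Kerberos and OpenAFS client tools on the host.
afs_cross_cell_login() {
    kinit "$1@$2"         # Kerberos5 TGT in the home realm
    aklog -cell "$3"      # AFS token for the home cell
    aklog -cell "$4"      # walks the cross-realm path, then gets a token
                          # for the foreign cell (creating the PTS entry
                          # if it does not exist yet)
    tokens                # both tokens should now be listed
}

# Worked instance on the slides' test tree: LE -> parent -> CNAF.
realm_path LE.KRB5TEST.INFN.IT CNAF.KRB5TEST.INFN.IT
ticket_chain LE.KRB5TEST.INFN.IT CNAF.KRB5TEST.INFN.IT
capaths_fragment LE.KRB5TEST.INFN.IT CNAF.KRB5TEST.INFN.IT KRB5TEST.INFN.IT
```

The route printed for the LE to CNAF case is LE.KRB5TEST.INFN.IT, KRB5TEST.INFN.IT, CNAF.KRB5TEST.INFN.IT, which is why the slides only needed bi-directional trusts between the top level realm and each child: the parent KDC issues the second hop's krbtgt, so it sits in the trust base of every child cell and is the host to harden and monitor most carefully.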
K5 @ INFN.IT
- Pilot (and then production) for an INFN.IT WAN Kerberos5 REALM, to be used at least for cross cell AFS authentication
- 10 people involved in 6 INFN Sections/Labs (CNAF, LNF, LE, PI, Roma1, TS)
- Presented, discussed, approved, funded in the last meeting (2003/10/7-9) of the INFN “Commissione Calcolo e Reti” (Computing and Network Committee)
- Will start soon (we are buying the HW)

Last minute tests: environment
- Started last week (after the OK of CCR)
- Kerberos5 1.3.1 (available since July 31st 2003): includes fakeka; krb524 library missing (its functions are available in libkrb5 now)
- OpenAFS 1.2.10 (available since August 5th 2003): includes the Kerberos5-related executables (aklog), linked against the 1.2.7 Kerberos libraries; configuration hacking needed to point at the new Kerberos5 library layout
- RedHat 9: krb5-1.3.1 src.rpm available on rawhide and “tuned” on RH9

Last minute tests: results
- As of today, 7:00 PM GMT+1 (10:00 AM local time)
- Three new Kerberos5 REALMs, and corresponding AFS cells: [LE. CNAF.]KRB5TEST.INFN.IT
- LE and CNAF Kerberos REALMs are cross authenticated against the parent
- AFS cross cell authentication between LE and CNAF cells established
- Everything seems to work well (even better than the previous version)

Future
- INFN will have its INFN.IT Kerberos5 REALM spread over the WAN
- Every INFN section or lab with a local AFS cell can use it for cross-authenticating their AFS cells
- In such a Kerberized environment we could use TELNET and FTP again, in a secure way

?
