STABLE14-kfw-hklm-registry-fix-20040922

Fix the registry query in afskfw.lib to read the HKLM machine value even if the HKCU key is present. Update text in the install notes to better describe the krb524 issues (cherry picked from commit d69e6641e5)
2025-01-19 15:30:14 +00:00 · 2004-09-22 16:07:40 +00:00 · 2004-09-22 16:07:40 +00:00 · 4dcdbec005
commit 4dcdbec005
parent 4044366199
3 changed files with 55 additions and 10 deletions
--- a/doc/txt/winnotes/afs-changes-since-1.2.txt
+++ b/doc/txt/winnotes/afs-changes-since-1.2.txt
@ -1,4 +1,9 @@
 Since 1.3.71:
+  * Fix bug in loading of registry value HKLM\SOFTWARE\OpenAFS\Client
+    "EnableKFW".  This value will not be read if the key
+    HKCU\SOFTWARE\OpenAFS\Client exists; even if the "EnableKFW" 
+    value under that key does not.
+
  * provide mechanisms to force the use of krb524d for Kerberos 5
    ticket to AFS token conversion.  For afslogon.dll and afscreds.exe
    there is a new registry value "Use524" and for aklog.exe a new
--- a/doc/txt/winnotes/afs-install-notes.txt
+++ b/doc/txt/winnotes/afs-install-notes.txt
@ -352,6 +352,34 @@ or fs.exe.  During installation this group is created and the current
 contents of the Administrators group is copied.


+26. Some organizations which have AFS cell names and Kerberos realm names
+which differ by more then just lower and upper case rely on a modification
+to krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4
+ticket in realm BAR.  This allows user@FOO to appear to be user@bar for
+the purposes of accessing the AFS cell.  As of OpenAFS 1.2.8, support was
+added to allow the immediate use of Kerberos 5 tickets as AFS (2b) tokens.
+This is the first building block necessary to break away from the 
+limitations of Kerberos 4 with AFS.  By using Kerberos 5 directly we
+avoid the security holes inherent in Kerberos 4 cross-realm.  We also
+gain access to cryptographically stronger algorithms for authentication
+and encryption. 
+
+Another reason for using Kerberos 5 directly is because the krb524 service
+runs on a port (4444) which has become increasingly blocked by ISPs.  The
+port was used to spread a worm which attacked Microsoft Windows in the 
+summer of 2003.  When the port is blocked users find that they are unable
+to authenticate.
+
+Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all
+situations except when the cell name does not match the realm name and
+the principal names placed into the ACLs are not the principal names from
+the Kerberos 5 ticket.  To support this transition, OpenAFS for Windows
+in 1.3.72 adds a new registry value to force the use of krb524d.  However,
+the availability of this option should only be used by individuals until
+such time as their organizations can provide a more permanent solution.
+
+
+
 ------------------------------------------------------------------------

 Reporting Bugs:
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@ -453,19 +453,25 @@ KFW_use_krb524(void)

    code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
                         0, KEY_QUERY_VALUE, &parmKey);
-    if (code != ERROR_SUCCESS)
-        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
-                             0, KEY_QUERY_VALUE, &parmKey);
    if (code == ERROR_SUCCESS) {
        len = sizeof(use524);
        code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
                                (BYTE *) &use524, &len);
        if (code != ERROR_SUCCESS) {
-            use524 = 0;
+            RegCloseKey(parmKey);
+
+            code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                                 0, KEY_QUERY_VALUE, &parmKey);
+            if (code == ERROR_SUCCESS) {
+                len = sizeof(use524);
+                code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
+                                        (BYTE *) &use524, &len);
+                if (code != ERROR_SUCCESS)
+                    use524 = 0;
+            }
        }
        RegCloseKey (parmKey);
    }
-
    return use524;
 }

@ -478,19 +484,25 @@ KFW_is_available(void)

    code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
                         0, KEY_QUERY_VALUE, &parmKey);
-    if (code != ERROR_SUCCESS)
-        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
-                             0, KEY_QUERY_VALUE, &parmKey);
    if (code == ERROR_SUCCESS) {
        len = sizeof(enableKFW);
        code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL,
                                (BYTE *) &enableKFW, &len);
        if (code != ERROR_SUCCESS) {
-            enableKFW = 1;
+            RegCloseKey(parmKey);
+
+            code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                                 0, KEY_QUERY_VALUE, &parmKey);
+            if (code == ERROR_SUCCESS) {
+                len = sizeof(enableKFW);
+                code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL,
+                                        (BYTE *) &enableKFW, &len);
+                if (code != ERROR_SUCCESS)
+                    enableKFW = 1;
+            }
        }
        RegCloseKey (parmKey);
    }
-
    if ( !enableKFW )
        return FALSE;