kfw-hklm-registry-fix-20040922

Fix the registry query in afskfw.lib to read the HKLM machine value
even if the HKCU key is present.

Update text in the install notes to better describe the krb524
issues

diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt
index 17738ed8ddad85f722b96af588db17c0afa5045c..a864e197bfa4a0c58000e933048c46564aefc38d 100644 (file)
--- a/doc/txt/winnotes/afs-changes-since-1.2.txt
+++ b/doc/txt/winnotes/afs-changes-since-1.2.txt
@@ -1,4 +1,9 @@
 Since 1.3.71:
+  * Fix bug in loading of registry value HKLM\SOFTWARE\OpenAFS\Client
+    "EnableKFW".  This value will not be read if the key
+    HKCU\SOFTWARE\OpenAFS\Client exists; even if the "EnableKFW" 
+    value under that key does not.
+
   * provide mechanisms to force the use of krb524d for Kerberos 5
     ticket to AFS token conversion.  For afslogon.dll and afscreds.exe
     there is a new registry value "Use524" and for aklog.exe a new

diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt
index f2166d5f5a484d4b8211d58ebdb52d6e4d70941e..8330170a17dbea2fee520ff89f670b3a1d28f5ec 100644 (file)
--- a/doc/txt/winnotes/afs-install-notes.txt
+++ b/doc/txt/winnotes/afs-install-notes.txt
@@ -341,6 +341,34 @@ or fs.exe.  During installation this group is created and the current
 contents of the Administrators group is copied.
 
 
+26. Some organizations which have AFS cell names and Kerberos realm names
+which differ by more then just lower and upper case rely on a modification
+to krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4
+ticket in realm BAR.  This allows user@FOO to appear to be user@bar for
+the purposes of accessing the AFS cell.  As of OpenAFS 1.2.8, support was
+added to allow the immediate use of Kerberos 5 tickets as AFS (2b) tokens.
+This is the first building block necessary to break away from the 
+limitations of Kerberos 4 with AFS.  By using Kerberos 5 directly we
+avoid the security holes inherent in Kerberos 4 cross-realm.  We also
+gain access to cryptographically stronger algorithms for authentication
+and encryption. 
+
+Another reason for using Kerberos 5 directly is because the krb524 service
+runs on a port (4444) which has become increasingly blocked by ISPs.  The
+port was used to spread a worm which attacked Microsoft Windows in the 
+summer of 2003.  When the port is blocked users find that they are unable
+to authenticate.
+
+Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all
+situations except when the cell name does not match the realm name and
+the principal names placed into the ACLs are not the principal names from
+the Kerberos 5 ticket.  To support this transition, OpenAFS for Windows
+in 1.3.72 adds a new registry value to force the use of krb524d.  However,
+the availability of this option should only be used by individuals until
+such time as their organizations can provide a more permanent solution.
+
+
+
 ------------------------------------------------------------------------
 
 Reporting Bugs:

diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index dce6739a561c8858ceb94046e9420c315a74f3fe..823c60cf190b1a33cd567cbb91674c1aace59eab 100644 (file)
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -453,19 +453,25 @@ KFW_use_krb524(void)
 
     code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
                          0, KEY_QUERY_VALUE, &parmKey);
-    if (code != ERROR_SUCCESS)
-        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
-                             0, KEY_QUERY_VALUE, &parmKey);
     if (code == ERROR_SUCCESS) {
         len = sizeof(use524);
         code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
                                 (BYTE *) &use524, &len);
         if (code != ERROR_SUCCESS) {
-            use524 = 0;
+            RegCloseKey(parmKey);
+
+            code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                                 0, KEY_QUERY_VALUE, &parmKey);
+            if (code == ERROR_SUCCESS) {
+                len = sizeof(use524);
+                code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
+                                        (BYTE *) &use524, &len);
+                if (code != ERROR_SUCCESS)
+                    use524 = 0;
+            }
         }
         RegCloseKey (parmKey);
     }
-
     return use524;
 }
 
@@ -478,19 +484,25 @@ KFW_is_available(void)
 
     code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
                          0, KEY_QUERY_VALUE, &parmKey);
-    if (code != ERROR_SUCCESS)
-        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
-                             0, KEY_QUERY_VALUE, &parmKey);
     if (code == ERROR_SUCCESS) {
         len = sizeof(enableKFW);
         code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL,
                                 (BYTE *) &enableKFW, &len);
         if (code != ERROR_SUCCESS) {
-            enableKFW = 1;
+            RegCloseKey(parmKey);
+
+            code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                                 0, KEY_QUERY_VALUE, &parmKey);
+            if (code == ERROR_SUCCESS) {
+                len = sizeof(enableKFW);
+                code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL,
+                                        (BYTE *) &enableKFW, &len);
+                if (code != ERROR_SUCCESS)
+                    enableKFW = 1;
+            }
         }
         RegCloseKey (parmKey);
     }
-
     if ( !enableKFW )
         return FALSE;