kfw-hklm-registry-fix-20040922

Fix the registry query in afskfw.lib to read the HKLM machine value
even if the HKCU key is present.

Update text in the install notes to better describe the krb524
issues

diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt
index 17738ed..a864e19 100644 (file)
--- a/doc/txt/winnotes/afs-changes-since-1.2.txt
+++ b/doc/txt/winnotes/afs-changes-since-1.2.txt
@@ -1,4 +1,9 @@
 Since 1.3.71:
+  * Fix bug in loading of registry value HKLM\SOFTWARE\OpenAFS\Client
+    "EnableKFW".  This value will not be read if the key
+    HKCU\SOFTWARE\OpenAFS\Client exists; even if the "EnableKFW" 
+    value under that key does not.
+
   * provide mechanisms to force the use of krb524d for Kerberos 5
     ticket to AFS token conversion.  For afslogon.dll and afscreds.exe
     there is a new registry value "Use524" and for aklog.exe a new

diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt
index f2166d5..8330170 100644 (file)
--- a/doc/txt/winnotes/afs-install-notes.txt
+++ b/doc/txt/winnotes/afs-install-notes.txt
@@ -341,6 +341,34 @@ or fs.exe.  During installation this group is created and the current
 contents of the Administrators group is copied.
 
 
+26. Some organizations which have AFS cell names and Kerberos realm names
+which differ by more then just lower and upper case rely on a modification
+to krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4
+ticket in realm BAR.  This allows user@FOO to appear to be user@bar for
+the purposes of accessing the AFS cell.  As of OpenAFS 1.2.8, support was
+added to allow the immediate use of Kerberos 5 tickets as AFS (2b) tokens.
+This is the first building block necessary to break away from the 
+limitations of Kerberos 4 with AFS.  By using Kerberos 5 directly we
+avoid the security holes inherent in Kerberos 4 cross-realm.  We also
+gain access to cryptographically stronger algorithms for authentication
+and encryption. 
+
+Another reason for using Kerberos 5 directly is because the krb524 service
+runs on a port (4444) which has become increasingly blocked by ISPs.  The
+port was used to spread a worm which attacked Microsoft Windows in the 
+summer of 2003.  When the port is blocked users find that they are unable
+to authenticate.
+
+Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all
+situations except when the cell name does not match the realm name and
+the principal names placed into the ACLs are not the principal names from
+the Kerberos 5 ticket.  To support this transition, OpenAFS for Windows
+in 1.3.72 adds a new registry value to force the use of krb524d.  However,
+the availability of this option should only be used by individuals until
+such time as their organizations can provide a more permanent solution.
+
+
+
 ------------------------------------------------------------------------
 
 Reporting Bugs:

diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index dce6739..823c60c 100644 (file)
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -453,19 +453,25 @@ KFW_use_krb524(void)
 
     code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
                          0, KEY_QUERY_VALUE, &parmKey);
-    if (code != ERROR_SUCCESS)
-        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
-                             0, KEY_QUERY_VALUE, &parmKey);
     if (code == ERROR_SUCCESS) {
         len = sizeof(use524);
         code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
                                 (BYTE *) &use524, &len);
         if (code != ERROR_SUCCESS) {
-            use524 = 0;
+            RegCloseKey(parmKey);
+
+            code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                                 0, KEY_QUERY_VALUE, &parmKey);
+            if (code == ERROR_SUCCESS) {
+                len = sizeof(use524);
+                code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
+                                        (BYTE *) &use524, &len);
+                if (code != ERROR_SUCCESS)
+                    use524 = 0;
+            }
         }
         RegCloseKey (parmKey);
     }
-
     return use524;
 }
 
@@ -478,19 +484,25 @@ KFW_is_available(void)
 
     code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
                          0, KEY_QUERY_VALUE, &parmKey);
-    if (code != ERROR_SUCCESS)
-        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
-                             0, KEY_QUERY_VALUE, &parmKey);
     if (code == ERROR_SUCCESS) {
         len = sizeof(enableKFW);
         code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL,
                                 (BYTE *) &enableKFW, &len);
         if (code != ERROR_SUCCESS) {
-            enableKFW = 1;
+            RegCloseKey(parmKey);
+
+            code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                                 0, KEY_QUERY_VALUE, &parmKey);
+            if (code == ERROR_SUCCESS) {
+                len = sizeof(enableKFW);
+                code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL,
+                                        (BYTE *) &enableKFW, &len);
+                if (code != ERROR_SUCCESS)
+                    enableKFW = 1;
+            }
         }
         RegCloseKey (parmKey);
     }
-
     if ( !enableKFW )
         return FALSE;