Re: CIFS / Kerberos question

From: Mike (mjl000@hotmail.com)
Date: 02/04/03


From: "Mike" <mjl000@hotmail.com>
Date: Tue, 04 Feb 2003 07:59:21 GMT


Here's some info that may help with your second and third questions.
http://support.microsoft.com/default.aspx?scid=kb;en-us;279815
http://support.microsoft.com/default.aspx?scid=kb;en-us;180548
http://support.microsoft.com/default.aspx?scid=kb;en-us;266080
http://support.microsoft.com/default.aspx?scid=kb;en-us;274062

http://web.mit.edu/is/help/kerberos/
http://web.mit.edu/kerberos/www/
news:comp.protocols.kerberos
http://www.ornl.gov/~jar/HowToKerb.html

There are many other web pages which can provide appropriate info like
military sites.
Packet sniffing from a connected hub (for server, clients and network
sniffer) is also a way to observe actual operations of traffic.
Additionally a network monitor or packet capture utility can operate from a
server to capture traffic from a server.

"Naomaru Itoi" <nitoi@activcard.com> wrote in message
news:6c96015.0212131536.2f8ab8c7@posting.google.com...
> Hi,
>
> This is a rather complicated question related to many subjects, so
> please allow me to crosspost ...
>
> I am trying to achieve PKI authentication and SMB access to Windows
> Domain from a UNIX box. In other words:
> - From a UNIX box (let's say MacOS X), a user gets authenticated by a
> Domain Controller (which uses Active Directory for authenticating
> users) with digital signature with a smartcard
> - The user mounts a directory on a Windows PC, which is in the domain,
> through SMB/CIFS.
> - The user accesses the files through SMB/CIFS.
>
> To achieve this, I need to gather some information about Kerberos and
> SMB/CIFS on Windows.
>
> By reading documents in MSDN Library and on the Internet, I am
> guessing the following are the architectures of Windows filesystem
> client and server.
>
> Microsoft Client               Microsoft Server
>
> Filesystem                     Filesystem
> --------------                 --------------
> SSPI-Krb5                      SSPI-Krb5
> --------------                 --------------
> Kerberos | CSP                 Kerberos
> --------------
> TCP/IP   | PC/SC
>
> - Filesystem relies on SSPI-KerberosV to provide security services.
> - SSPI-KerberosV5 uses KerberosV5 (and its PKI extension, PKINIT) to
> authenticate a user (and maybe establish a secure channel).
> - SSPI-KerberosV5 uses CSP/CAPI for smartcard services.
>
> [Question 1. Is this guess correct?]
>
> Assuming the answer to Question 1. is yes or almost yes, I believe I
> can achieve the goal with an architecture like this:
>
> My Client                      MicroSoft Server
>
> Filesystem                     Filesystem
> --------------                 --------------
> GSSAPI-Krb5                    SSPI-Krb5
> --------------                 --------------
> Kerberos | PC/SC               Kerberos
> --------------
> TCP/IP
>
> - Fortunately, since there are open source implementations of SMB/CIFS
> filesystems (e.g. on MacOS X and on Linux), I don't have to write a
> filesystem.
>
> Then, the next question is, what exactly do I have to do in
> Kerberizing SMBFS.
>
> [Question 2. What exactly does Kerberos do in the server? If Kerberos
> is used only for initial authentication, then all I need to do is
> PKINIT in the filesystem on UNIX, right? Or, does the fileserver
> actually check a ticket per each message, and even more, encrypt the
> data transferred between the client and the server? If so, what
> exactly do I have to do? Encrypt packets with Kerberos functions
> (krb5_mk_priv(), etc.)?]
>
> [Question 3. Are there any documents, or maybe pieces of code, which
> describe the internals of SSPI, the Microsoft filesystem implementation,
> etc.?]
>
> As these are very detailed questions, I will appreciate any help ...
> advice on how I should proceed, where to get more information, etc.
>
> Thank you.
>
>
> -------------------
> Naomaru Itoi, Ph.D.
> ActivCard, Inc.
> Researcher / Architect
> Phone: 510-745-6270
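Question 2 in the quoted post asks whether the file server re-checks a Kerberos ticket on every message. As an added illustration that is not part of either post: in CIFS the Kerberos AP-REQ is presented once, inside the GSSAPI/SPNEGO blob of Session Setup, and what protects later messages is SMB signing keyed by the session key established then; per MS-CIFS the signature is the first 8 bytes of MD5(signing key || message) with the SecuritySignature slot holding the sequence number. The session key and header contents below are constructed sample values, not captured traffic.

```python
import hashlib
import hmac
import struct

# Constructed 16-byte stand-in for the session key that the Kerberos exchange
# at Session Setup yields (for a Kerberos session this is the GSS context key).
SESSION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

SIG_OFFSET = 14   # SecuritySignature starts at byte 14 of the 32-byte SMB header
SIG_LEN = 8


def build_header(command: int) -> bytes:
    """Constructed 32-byte SMB (CIFS) header with an empty signature slot."""
    return (b"\xffSMB" + bytes([command])      # protocol id, command
            + b"\x00" * 4                       # status
            + b"\x18" + b"\x07\xc8"             # flags, flags2 (signing enabled)
            + b"\x00\x00"                       # PIDHigh
            + b"\x00" * SIG_LEN                 # SecuritySignature (filled later)
            + b"\x00\x00"                       # reserved
            + b"\x01\x00" + b"\xfe\xff"         # TID, PIDLow
            + b"\x01\x00" + b"\x01\x00")        # UID, MID


def sign_smb(session_key: bytes, message: bytes, seq: int) -> bytes:
    """Return a copy of message with its 8-byte SecuritySignature filled in."""
    buf = bytearray(message)
    # The slot holds the 32-bit little-endian sequence number plus 4 zero bytes
    # while the digest is computed; this is what defeats replay of old frames.
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<I", seq) + b"\x00" * 4
    digest = hashlib.md5(session_key + bytes(buf)).digest()[:SIG_LEN]
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = digest
    return bytes(buf)


def verify_smb(session_key: bytes, message: bytes, seq: int) -> bool:
    """Recompute the signature for the expected sequence number and compare."""
    expected = sign_smb(session_key, message, seq)[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(expected, message[SIG_OFFSET:SIG_OFFSET + SIG_LEN])


def demo() -> bool:
    # One signed request (command 0x2e = SMB_COM_READ_ANDX) with a constructed body.
    request = build_header(0x2E) + b"\x0a\xff\x00\x00\x00\x01\x00\x00\x00"
    signed = sign_smb(SESSION_KEY, request, seq=2)
    return verify_smb(SESSION_KEY, signed, seq=2)
```

Once the session is set up, no Kerberos ticket travels with the read request; a tampered byte or a replayed sequence number makes the server's recomputation fail instead.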


