HP CIFS Server 3.0f Administrator's Guide version A.02.03

8 Kerberos Support
Introduction
The Kerberos protocol is defined by IETF RFC 1510. Kerberos was adopted by Microsoft for Windows
2000, and is the default authentication protocol for Windows 2000 and 2003 domains (including the
Windows 2000 and XP clients that are members of those domains). For the HP CIFS Server, Kerberos authentication
is limited exclusively to server membership in a Windows 2000/2003 domain, and only when the HP CIFS
Server is configured with "security = ads".
This chapter provides a brief overview of Kerberos and a variety of Kerberos configuration information,
including configuration detail which can be used when HP CIFS Server co-exists with other HP-UX applications
that make use of the Kerberos security protocol. For basic Windows 2000/2003 domain membership
configuration, see Chapter 5 “Windows 2000/2003 Domains”. For more detailed CIFS-related Kerberos
information, refer to the HP white paper "HP CIFS Server and Kerberos", available at the following web site
(then navigate to CIFS):
http://docs.hp.com/en/netcom.html
Kerberos Overview
Kerberos is an authentication protocol in which an authenticator, an authenticatee, and a resource that the
authenticatee requires access to use shared secrets and encryption to decode keys. In the particular
case of HP CIFS Server, the roles map as follows:
Windows Key Distribution Center (KDC): Authenticator
Windows client: Authenticatee
HP CIFS Server: Resource
The protocol exchanges never carry actual passwords over the wire, so a password cannot be sniffed
and decrypted to gain access to a resource. Instead, encrypted keys are passed over the wire and the
three principals (KDC, Windows client, and CIFS server) each use pre-arranged secrets to decode the
keys and allow access. The secrets themselves are never transferred. The critical components of the exchanges are:
Windows Key Distribution Center (KDC): Central Kerberos Authority for a domain
Long-Term Key: Persistent key that is derived from a client's password
Session Key: Short-term key that is used for authentication before it expires
Ticket Granting Ticket (TGT): Allows a client access to the KDC to get a service ticket from the TGS
Ticket Granting Service (TGS): Exchange that provides client access to a CIFS server's service
Authentication Service: Exchange that actually allows client access to the KDC
For a comprehensive Microsoft Kerberos implementation white paper, refer to the following web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerbers.mspx
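The three exchanges described above (Authentication Service, Ticket Granting Service, and the final access to the resource), worked through as an added example that is not from the HP guide or the HP CIFS Server code: a stdlib-only Python model in which the KDC, a Windows client and the CIFS server each hold a pre-arranged secret, only sealed keys cross the wire, and the CIFS server decodes its service ticket with its own long-term key alone. The principal names, passwords and the toy encrypt-then-MAC construction are constructed assumptions standing in for real Kerberos enctypes.

```python
import hashlib, hmac, json, os
def long_term_key(password, principal):
    # Persistent key derived from a password (Kerberos string-to-key); salt simplified to the principal name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode, n bytes
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC stand-in for a Kerberos enctype: only a holder of `key` can open the result
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")  # another principal's key cannot decode it
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, principals):
        self.keys = {p: long_term_key(pw, p) for p, pw in principals.items()}  # every principal's long-term key
        self.krbtgt = os.urandom(32)  # the KDC's own key, used to seal TGTs
    def as_exchange(self, client):
        # Authentication Service: TGT sealed under the KDC key, session key sealed under the client's long-term key
        sk = os.urandom(32).hex()
        return seal(self.krbtgt, {"client": client, "sk": sk}), seal(self.keys[client], {"sk": sk})
    def tgs_exchange(self, tgt, authenticator, service):
        # Ticket Granting Service: decode the TGT, verify the authenticator with its session key, issue a service ticket
        t = open_(self.krbtgt, tgt)
        if open_(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32).hex()
        return seal(self.keys[service], {"client": t["client"], "sk": svc_sk}), seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})

def cifs_server_accept(server_key, ticket, authenticator):
    # The resource (CIFS server) needs only its own long-term key; it never sees the client's password
    t = open_(server_key, ticket)
    if open_(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match service ticket")
    return t["client"]

def run_exchange(client="alice", password="Str0ngPass!", service="cifs/hpux1.example.com"):
    # Constructed sample principals: the KDC knows the client's and the CIFS server's (machine account) passwords
    kdc = KDC({client: password, service: "machine-account-secret"})
    tgt, enc = kdc.as_exchange(client)
    sk = bytes.fromhex(open_(long_term_key(password, client), enc)["sk"])  # only the client can decode this
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client}), service)
    svc_sk = bytes.fromhex(open_(sk, enc2)["sk"])
    return cifs_server_accept(long_term_key("machine-account-secret", service), ticket, seal(svc_sk, {"client": client}))
```

Run `run_exchange()` to see the CIFS server return the authenticated client name; open_ raises ValueError for a ticket sealed under a different principal's key or altered in transit.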