HP CIFS Server 3.0f Administrator's Guide version A.02.03

Kerberos CIFS Authentication Example
Figure 8-1 Kerberos Authentication Environment
[Figure: a Windows 2000/2003 KDC hosting the AS and TGS, the HP CIFS Server (Resource), and a Windows 2000 or XP Client (labelled Authenticatee, presenting an Authenticator); numbered arrows 1 through 6 correspond to the steps below.]
The following describes a typical Kerberos logon and share service exchange using Kerberos authentication
in a Windows 2000/2003 domain environment, as shown in Figure 8-1:
1. When the user logs on (netlogon), the Windows client sends the user's principal name to the Authentication
Server (AS). With pre-authentication the request also carries a timestamp encrypted under the key derived
from the user's password; the password itself is never sent over the network.
2. The AS validates the principal and returns credentials to the Windows client: a Ticket Granting Ticket (TGT),
encrypted under the KDC's own key, and an associated session key, encrypted under the user's key, that allows
the client to deal with the Ticket Granting Service of the Windows KDC.
3. The Windows client presents the TGT, together with an authenticator encrypted under the session key, to the
Ticket Granting Service (TGS) and requests a service ticket for the HP CIFS Server's share service.
4. The TGS returns the service ticket, encrypted under the HP CIFS Server's key, together with a new session key
for the client to use with the HP CIFS Server.
5. The Windows client sends the service ticket and an authenticator to the HP CIFS Server with its request for
a share service.
6. The HP CIFS Server decrypts the ticket with its own secret key, verifies the authenticator, and authorizes
the Windows client to access the server's share.
HP-UX Kerberos Application Co-existence
By default the HP CIFS Server stores its Kerberos secret key (the key of the host's machine account in the
domain) in /var/opt/samba/private/secrets.tdb, so the standard CIFS Kerberos configuration can only be
used by the HP CIFS Server itself. If other HP-UX applications on the host use the /etc/krb5.keytab file, the
two stores end up holding different versions of the same key: whichever application last updated the key
holds the current version, and the other one fails to authenticate. Moreover, HP-UX Internet Services users
cannot use the system Kerberos libraries to access system resources, because the Internet Services (IS)
product uses its own Kerberos library set, delivered with the product, which does not match the system
Kerberos libraries.
HP CIFS Server can co-exist with other Kerberos applications through the modified configuration described
in the “Configuring krb5.keytab” and “Kerberos Modification for Internet Services” sections.
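The following script is an added example, not HP CIFS Server or Samba code. It models the six-step logon and share service exchange of Figure 8-1 (AS exchange, TGS exchange, and the ticket presented to the share service) and then reproduces the co-existence failure described above: the KDC's copy of the machine account key is reset to a new key version number (kvno) while the CIFS server still holds the old one, so the next service ticket cannot be decrypted. The "encryption" is a toy construction (HMAC-SHA256 keystream plus HMAC tag) standing in for a real Kerberos enctype so that the script runs offline with only the standard library; the realm, principal names and passwords are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"  # constructed realm name

def derive_key(password: str, principal: str) -> bytes:
    """string-to-key: long-term key from a password, salted with the principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{principal}@{REALM}".encode(), 10_000, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption, nonce || ciphertext || HMAC tag; stands in for a Kerberos enctype."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt; a wrong key (for example a stale kvno) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) over one principal database."""
    def __init__(self):
        self.db = {}  # principal -> (kvno, long-term key)

    def set_password(self, principal: str, password: str) -> int:
        """(Re)set a principal's key; every reset bumps the key version number (kvno)."""
        kvno = self.db.get(principal, (0, b""))[0] + 1
        self.db[principal] = (kvno, derive_key(password, principal))
        return kvno

    def as_exchange(self, client: str, preauth: bytes) -> bytes:
        """Steps 1-2: the client proves knowledge of its key with an encrypted timestamp; no password is sent."""
        ckey = self.db[client][1]
        if abs(time.time() - decrypt(ckey, preauth)["timestamp"]) > 300:
            raise ValueError("pre-authentication failed: clock skew")
        session = os.urandom(32).hex()
        tgt = encrypt(self.db["krbtgt"][1], {"client": client, "session": session})
        return encrypt(ckey, {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """Steps 3-4: check TGT and authenticator, issue a service ticket under the service's current key."""
        t = decrypt(self.db["krbtgt"][1], tgt)
        if decrypt(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_kvno, svc_key = self.db[service]
        svc_session = os.urandom(32).hex()
        enc = encrypt(svc_key, {"client": t["client"], "session": svc_session}).hex()
        return encrypt(bytes.fromhex(t["session"]),
                       {"session": svc_session, "ticket": {"kvno": svc_kvno, "enc": enc}})

class CifsServer:
    """The share service, holding its own copy of the service key (secrets.tdb or a keytab in the guide)."""
    def __init__(self, principal: str, kvno: int, key: bytes):
        self.principal, self.kvno, self.key = principal, kvno, key

    def accept(self, ticket: dict, authenticator: bytes) -> str:
        """Steps 5-6: decrypt the ticket with the local key, verify the authenticator, return the principal."""
        if ticket["kvno"] != self.kvno:
            raise ValueError(f"ticket kvno {ticket['kvno']} but server key is kvno {self.kvno}")
        t = decrypt(self.key, bytes.fromhex(ticket["enc"]))
        if decrypt(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        return t["client"]  # authenticated principal; share ACLs apply from here

def logon_and_connect(kdc: KDC, user: str, password: str, server: CifsServer) -> str:
    """Client side of all six steps of Figure 8-1; returns the principal the share service accepted."""
    ukey = derive_key(password, user)
    as_rep = decrypt(ukey, kdc.as_exchange(user, encrypt(ukey, {"timestamp": time.time()})))
    session = bytes.fromhex(as_rep["session"])
    tgs_rep = decrypt(session, kdc.tgs_exchange(bytes.fromhex(as_rep["tgt"]),
                                                encrypt(session, {"client": user}), server.principal))
    return server.accept(tgs_rep["ticket"], encrypt(bytes.fromhex(tgs_rep["session"]), {"client": user}))

def demo() -> tuple:
    """A successful logon, then the key-mismatch failure described under co-existence."""
    kdc = KDC()
    kdc.set_password("krbtgt", "kdc-master-secret")        # constructed
    kdc.set_password("alice", "correct horse battery")      # constructed user
    kvno = kdc.set_password("cifs/hpux1", "machine-pw-v1")  # constructed machine account
    cifs = CifsServer("cifs/hpux1", kvno, kdc.db["cifs/hpux1"][1])
    first = logon_and_connect(kdc, "alice", "correct horse battery", cifs)
    # Another Kerberos application on the host resets the machine account key (kvno 1 -> 2),
    # but the CIFS server still holds the kvno-1 key from its own secret store.
    kdc.set_password("cifs/hpux1", "machine-pw-v2")
    try:
        second = logon_and_connect(kdc, "alice", "correct horse battery", cifs)
    except ValueError as err:
        second = f"failed: {err}"
    return first, second
```

Calling `demo()` returns `("alice", "failed: ticket kvno 2 but server key is kvno 1")`: the first logon succeeds end to end, and the second is rejected by the share service as soon as the ticket's key version no longer matches the key the server holds. A real CIFS server with a stale secrets.tdb fails at the same point, which is why the guide moves both stores onto one keytab before other Kerberos applications share the host's machine account.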
116 Kerberos Support