HP CIFS Server 3.0g Administrator's Guide version A.02.03.01

8 Kerberos Support
Introduction
The Kerberos protocol is specified in IETF RFC 1510 (since superseded by RFC 4120). Microsoft
adopted Kerberos for Windows 2000, and it is the default authentication protocol for Windows 2000
and 2003 domains, including the Windows 2000 and XP clients that are members of those domains.
For the HP CIFS Server, Kerberos authentication applies only to server membership in a Windows
2000/2003 domain, and only when the HP CIFS Server is configured with "security = ads".
This chapter provides a brief overview of Kerberos and Kerberos configuration information,
including the details needed when the HP CIFS Server co-exists with other HP-UX applications
that use Kerberos. For basic Windows 2000/2003 domain membership configuration, see Chapter 5
“Windows 2000/2003 Domains”.
For more detailed CIFS related Kerberos information, refer to the HP white paper HP CIFS Server
and Kerberos, at the following web site:
http://docs.hp.com/en/netcom.html
then navigate to CIFS.
Kerberos Overview
Kerberos is an authentication protocol in which each party shares a secret with a trusted third
party and uses encryption, rather than a password sent over the wire, to prove its identity. Three
parties take part: an authenticator, the party being authenticated, and the resource that party
wants to reach. For the HP CIFS Server they are:
Windows Key Distribution Center (KDC): Authenticator
Windows client: Authenticatee
HP CIFS Server: Resource
No password is ever sent over the wire, so a password cannot be captured by a sniffer and decrypted
to gain access to a resource. Instead, the messages carry short-lived session keys encrypted under
the long-term keys of the three parties (KDC, Windows client, and CIFS server); each party uses its
own pre-arranged secret to decrypt what is addressed to it, and the secrets themselves are never
transmitted. This protection is only as good as those secrets: a captured ticket or
pre-authentication block can be attacked offline by guessing the password its key was derived
from, so user and machine account passwords must be strong. The critical components of the
exchanges are:
Windows Key Distribution Center (KDC): Central Kerberos authority for a domain; on Windows it runs
on every domain controller and holds the long-term key of every principal in the domain
Long-Term Key: Persistent key derived from a principal's password: the user's password for a
client, the machine account password for the HP CIFS Server (held in the server's keytab)
Session Key: Short-term key generated by the KDC for one client/service pair and used for
authentication until it expires
Ticket Granting Ticket (TGT): Ticket issued by the Authentication Service that lets a client ask
the TGS for service tickets without presenting its password again
Ticket Granting Service (TGS): KDC service whose exchange gives the client a service ticket for
the CIFS server; the ticket is encrypted under the CIFS server's long-term key, so the server can
validate it without contacting the KDC
Authentication Service (AS): KDC service whose exchange authenticates the client to the KDC and
returns the TGT
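To make the three exchanges concrete, the following is an added example (not HP CIFS Server code
and not taken from HP's documentation) that simulates the AS, TGS and AP exchanges in Python. The
cipher is a toy built from HMAC-SHA256 (a keystream plus a tag), not a Kerberos encryption type;
the realm EXAMPLE.COM, the principal alice, the SPN cifs/hpux1.example.com, the passwords and the
ticket lifetime are all constructed for the example. It records every message that crosses the
simulated wire to show that the password never does, and it shows what happens when a CIFS server's
keytab no longer matches the machine account key the KDC used to seal the service ticket.

```python
"""Toy simulation of the Kerberos AS, TGS and AP exchanges (added example, not HP CIFS code).
The cipher is a toy (HMAC-SHA256 keystream plus tag), not a Kerberos encryption type;
realm, principals, passwords and lifetimes below are constructed."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"
LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed)
CLOCK_SKEW = 300      # accepted authenticator age; Kerberos' usual default is 5 minutes
WIRE = []             # every message "sent" in this simulation, kept for inspection

def long_term_key(principal, password):
    """Persistent key derived from a password (stands in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                    for c in range(0, n, 32))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object; only a holder of `key` can open it."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def send(msg):
    WIRE.append(msg)   # record what crosses the wire, to show no password ever does
    return msg

def fresh(auth, cname):
    """Authenticator must name the ticket's client and be recent (replay and clock check)."""
    return auth["cname"] == cname and abs(time.time() - auth["ts"]) <= CLOCK_SKEW

class KDC:
    def __init__(self, keys):
        self.keys = keys                         # principal -> long-term key
        self.krbtgt = keys[f"krbtgt/{REALM}"]    # key that seals TGTs

    def as_exchange(self, cname, preauth):
        """AS-REQ/AS-REP: client proves it holds the password key and receives a TGT."""
        if abs(time.time() - unseal(self.keys[cname], preauth)["ts"]) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp out of skew")
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"cname": cname, "sk": sk, "exp": time.time() + LIFETIME})
        return send(seal(self.keys[cname], {"sk": sk})), send(tgt)

    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REQ/TGS-REP: client presents the TGT and receives a ticket for sname."""
        t = unseal(self.krbtgt, tgt)
        if time.time() > t["exp"] or not fresh(unseal(bytes.fromhex(t["sk"]), authenticator), t["cname"]):
            raise ValueError("expired TGT or bad authenticator")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "sk": ssk, "exp": time.time() + LIFETIME})
        return send(seal(bytes.fromhex(t["sk"]), {"sk": ssk, "sname": sname})), send(ticket)

class CifsServer:
    def __init__(self, keytab_key):
        self.key = keytab_key    # long-term key from the keytab; the KDC is never contacted

    def ap_exchange(self, ticket, authenticator):
        """AP-REQ: open the ticket with the keytab key, then check the authenticator."""
        t = unseal(self.key, ticket)
        if time.time() > t["exp"] or not fresh(unseal(bytes.fromhex(t["sk"]), authenticator), t["cname"]):
            raise ValueError("expired ticket or bad authenticator")
        return t["cname"]

def client_login(kdc, server, cname, password, sname):
    """Run AS -> TGS -> AP for one client; returns the name the server accepted."""
    ck = long_term_key(cname, password)   # the password itself never leaves this function
    enc, tgt = kdc.as_exchange(cname, send(seal(ck, {"ts": time.time()})))
    sk = bytes.fromhex(unseal(ck, enc)["sk"])
    enc, ticket = kdc.tgs_exchange(tgt, send(seal(sk, {"cname": cname, "ts": time.time()})), sname)
    ssk = bytes.fromhex(unseal(sk, enc)["sk"])
    return server.ap_exchange(ticket, send(seal(ssk, {"cname": cname, "ts": time.time()})))

def demo():
    """Constructed scenario: (accepted name, password seen on the wire?, stale keytab rejected?)."""
    spn, pw = "cifs/hpux1.example.com", "correct horse battery staple"
    keys = {"alice": long_term_key("alice", pw),
            f"krbtgt/{REALM}": os.urandom(32),
            spn: long_term_key(spn, "machine-account-secret")}   # what the server's keytab must hold
    kdc = KDC(keys)
    who = client_login(kdc, CifsServer(keys[spn]), "alice", pw, spn)
    leaked = any(pw.encode() in m for m in WIRE)
    try:   # a keytab left behind by a machine account password change cannot open the ticket
        client_login(kdc, CifsServer(long_term_key(spn, "old-machine-password")), "alice", pw, spn)
        rejected = False
    except ValueError:
        rejected = True
    return who, leaked, rejected

if __name__ == "__main__":
    print(demo())   # ('alice', False, True)
```

demo() returns ('alice', False, True): the server with the correct keytab key accepts alice, no
message on the wire contains the password, and the server whose keytab holds an old machine
account key rejects the ticket. That last case is worth remembering when troubleshooting
"security = ads": the KDC takes no part when the client presents the service ticket, so a keytab
that has drifted from the machine account password held by the domain fails at exactly this step,
even though the client's own AS and TGS exchanges succeeded.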
For a comprehensive Microsoft Kerberos implementation white paper, refer to the following
web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerbers.mspx