HP CIFS Server 3.0g Administrator's Guide version A.02.03.01

Kerberos CIFS Authentication Example
Figure 8-1 Kerberos Authentication Environment
[Figure: a Windows 2000/2003 KDC hosting the AS and TGS, a Windows 2000 or XP Client, and the HP CIFS Server with its shared Resource (the parties are labelled Authenticatee and Authenticator); arrows numbered 1 through 6 mark the message flows listed below.]
The following describes a typical Kerberos logon and share service exchange using Kerberos
authentication in a Windows 2000/2003 domain environment, as shown in Figure 8-1:
1. When the user logs on, the Windows client sends its principal name to the Authentication
Server (AS). With the pre-authentication that Windows domains use, the password itself is not
transmitted: the client proves it holds the password-derived key by encrypting a timestamp with it.
2. The AS validates the principal and returns credentials to the Windows client: a Ticket
Granting Ticket (TGT), which only the KDC can decrypt, and an associated session key, which the
client recovers by decrypting the reply with its own key. Together these let the client request
further tickets from the Windows KDC without presenting the password again.
3. The Windows client uses the session key and the TGT to request a service ticket for the
share service (the cifs/ service principal of the HP CIFS Server) from the Ticket Granting
Service (TGS).
4. The TGS returns the service ticket, encrypted with the HP CIFS Server's secret key, and a
new session key for the client to use with that server.
5. The Windows client presents the service ticket, together with an authenticator encrypted
under that session key, to the HP CIFS Server when it connects to a share.
6. The HP CIFS Server decrypts the ticket with its own secret key, checks the authenticator and
the ticket's validity period, and authorizes the Windows client to access the server's share.
HP-UX Kerberos Application Co-existence
Because the HP CIFS Server stores its Kerberos secret key in
/var/opt/samba/private/secrets.tdb by default, the standard CIFS Kerberos
configuration can only be used by HP CIFS Server users. If other HP-UX applications use the
/etc/krb5.keytab file, the two stores hold separate copies of the same machine key: each time
either side resets the machine account password, the KDC issues a new key version, and the other
store is left with a stale key. Tickets encrypted under the current key then fail to decrypt for
whichever side holds the older key, so either CIFS or the other applications fail, depending upon
which key is the latest. Moreover, HP-UX Internet Services users cannot use the system Kerberos
libraries to access system resources because of a mismatch in Kerberos libraries: the Internet
Services (IS) product uses its own Kerberos library set, delivered with the Internet Services product.
HP CIFS Server can co-exist with other Kerberos applications through the modified configuration
described in the “Configuring kerb5.keytab” and “Kerberos Modification for Internet Services”
sections.
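The following Python model is added here as an illustration; it is not part of the HP CIFS Server documentation or product. It walks the six numbered steps of the exchange above (AS request with pre-authentication, TGT and session key, TGS request, service ticket, presentation to the server, verification) and then reproduces the key-mismatch failure this section describes: two key stores standing in for secrets.tdb and /etc/krb5.keytab start with the same machine key, another application resets the machine password, and the store that kept the old key version can no longer decrypt freshly issued tickets. Everything in it is an assumption for illustration: the HMAC-based toy cipher (real Kerberos uses standard enctypes and ASN.1 messages), the realm EXAMPLE.COM, the principal names alice and cifs/cifs01.example.com, and the dict key stores.

```python
"""Toy model of the six-step exchange in Figure 8-1 and of the key mismatch
described under "HP-UX Kerberos Application Co-existence".
Constructed example: the HMAC-based cipher, principal names and dict key stores
are assumptions for illustration, not Kerberos enctypes or HP CIFS Server code."""
import hashlib, hmac, json, os, time

def kdf(password, principal):
    # Long-term key from a password, salted with realm+principal (stands in for string2key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ("EXAMPLE.COM" + principal).encode(), 10_000)

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def encrypt(key, obj):
    # Toy encrypt-then-MAC over a JSON dict: nonce || (pt XOR keystream) || HMAC tag.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or altered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

def authenticator(key, client):
    # Fresh proof of key possession: client name and a timestamp encrypted under key.
    return encrypt(key, {"client": client, "ts": time.time()})

def check_authenticator(key, blob, client, skew=300):
    auth = decrypt(key, blob)
    if auth["client"] != client or abs(time.time() - auth["ts"]) > skew:
        raise ValueError("authenticator rejected: wrong client or clock skew")

class KDC:
    """Authentication Server and Ticket Granting Service of the Windows KDC."""
    def __init__(self):
        self.db = {"krbtgt": {"kvno": 1, "key": os.urandom(32)}}
    def set_key(self, principal, key):
        # Every password (re)set bumps the key version number (kvno).
        kvno = self.db.get(principal, {"kvno": 0})["kvno"] + 1
        self.db[principal] = {"kvno": kvno, "key": key}
        return dict(self.db[principal])          # copy handed to a key store
    def _ticket(self, svc, client, session_key):
        ent = self.db[svc]
        body = {"client": client, "service": svc, "session_key": session_key.hex(),
                "expires": time.time() + 36000}
        return {"kvno": ent["kvno"], "enc": encrypt(ent["key"], body).hex()}
    def as_exchange(self, client, preauth):                     # steps 1 and 2
        key = self.db[client]["key"]
        check_authenticator(key, preauth, client)                # password never sent
        sk = os.urandom(32)
        return self._ticket("krbtgt", client, sk), encrypt(key, {"session_key": sk.hex()})
    def tgs_exchange(self, tgt, auth, svc):                     # steps 3 and 4
        body = decrypt(self.db["krbtgt"]["key"], bytes.fromhex(tgt["enc"]))
        tgt_sk = bytes.fromhex(body["session_key"])
        check_authenticator(tgt_sk, auth, body["client"])
        sk = os.urandom(32)
        return self._ticket(svc, body["client"], sk), encrypt(tgt_sk, {"session_key": sk.hex()})

class CifsServer:
    """HP CIFS Server; `store` is whichever key store it reads (secrets.tdb or krb5.keytab)."""
    def __init__(self, svc, store):
        self.svc, self.store = svc, store
    def accept(self, ticket, auth):                             # steps 5 and 6
        if ticket["kvno"] != self.store["kvno"]:
            raise ValueError(f"kvno mismatch: ticket {ticket['kvno']}, store {self.store['kvno']}")
        body = decrypt(self.store["key"], bytes.fromhex(ticket["enc"]))
        if body["service"] != self.svc or body["expires"] < time.time():
            raise ValueError("ticket is for another service or has expired")
        check_authenticator(bytes.fromhex(body["session_key"]), auth, body["client"])
        return body["client"]        # identity the share ACL check is run against

def client_logon(kdc, user, password, svc):
    """Windows client side of steps 1-5; returns the service ticket and authenticator."""
    key = kdf(password, user)
    tgt, enc = kdc.as_exchange(user, authenticator(key, user))
    tgt_sk = bytes.fromhex(decrypt(key, enc)["session_key"])
    tkt, enc = kdc.tgs_exchange(tgt, authenticator(tgt_sk, user), svc)
    svc_sk = bytes.fromhex(decrypt(tgt_sk, enc)["session_key"])
    return tkt, authenticator(svc_sk, user)

def try_logon(kdc, user, password, svc, store):
    try:
        return CifsServer(svc, store).accept(*client_logon(kdc, user, password, svc))
    except ValueError as e:
        return f"FAILED: {e}"

def demo():
    kdc, svc = KDC(), "cifs/cifs01.example.com"
    kdc.set_key("alice", kdf("Passw0rd!", "alice"))
    secrets_tdb = kdc.set_key(svc, os.urandom(32))        # CIFS store, kvno 1
    krb5_keytab = dict(secrets_tdb)                        # other apps' store, same key
    out = {"both current": try_logon(kdc, "alice", "Passw0rd!", svc, secrets_tdb),
           "wrong password": try_logon(kdc, "alice", "guess", svc, secrets_tdb)}
    # Another HP-UX application resets the machine password: KDC and krb5.keytab
    # move to kvno 2 while secrets.tdb keeps the stale kvno 1 key.
    krb5_keytab = kdc.set_key(svc, os.urandom(32))
    out["secrets.tdb stale"] = try_logon(kdc, "alice", "Passw0rd!", svc, secrets_tdb)
    out["krb5.keytab current"] = try_logon(kdc, "alice", "Passw0rd!", svc, krb5_keytab)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

Running `demo()` shows the healthy logon returning the authorized client name, a wrong password being rejected at the AS without the password ever leaving the client, and, after the machine password reset, the server reading the stale secrets.tdb copy failing on the key version number while the server reading the refreshed keytab copy succeeds. That is the mismatch the section warns about: whichever store was not updated at the last reset holds the losing key.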
124 Kerberos Support