HP CIFS Server Administrator Guide Version A.03.01.03 (5900-2006, October 2011)
Table Of Contents
- HP CIFS Server Administrator Guide Version A.03.01.03
- Contents
- About this document
- 1 Introduction to the HP CIFS Server
- 2 Installing and configuring HP CIFS Server
- HP CIFS Server requirements and limitations
- Step 1: Installing HP CIFS Server software
- Step 2: Running the configuration script
- Step 3: Modify the configuration
- Step 4: Starting HP CIFS Server
- Other Samba configuration issues
- 3 Managing HP-UX file access permissions from Windows NT/XP/2000/Vista/Windows 7
- Introduction
- UNIX file permissions and POSIX ACLs
- Using the Windows NT Explorer GUI to create ACLs
- Using the Windows Vista Explorer GUI to create ACLs
- POSIX ACLs and Windows 2000, Windows XP, Windows Vista, and Windows 7 clients
- HP CIFS Server Directory ACLs and Windows 2000, Windows XP, Windows Vista, and Windows 7 clients
- In conclusion
- 4 Windows style domains
- Introduction
- Configure HP CIFS Server as a PDC
- Configure HP CIFS Server as a BDC
- Domain member server
- Create the Machine Trust Accounts
- Configure domain users
- Join a Windows client to a Samba domain
- Roaming profiles
- Configuring user logon scripts
- Home drive mapping support
- Trust relationships
- 5 Windows 2003 and Windows 2008 domains
- 6 LDAP integration support
- Overview
- Network environments
- Summary of installing and configuring
- Installing and configuring your Directory Server
- Installing LDAP-UX Client Services on an HP CIFS Server
- Configuring the LDAP-UX Client Services
- Enabling Secure Sockets Layer (SSL)
- Extending the Samba subschema into your Directory Server
- Migrating your data to the Directory Server
- Configuring the HP CIFS Server
- Creating Samba users in directory
- Management tools
- 7 Winbind support
- 8 Kerberos support
- 9 HP CIFS deployment models
- Introduction
- Samba Domain Model
- Windows Domain Model
- Unified Domain Model
- 10 Securing HP CIFS Server
- 11 Configuring HA HP CIFS
- 12 HP-UX configuration for HP CIFS
- 13 Tool reference
- Glossary
- Index

8 Kerberos support
Introduction
The Kerberos protocol is specified by IETF RFC 1510. Kerberos was adopted by Microsoft for
Windows 2000, and is the default authentication protocol for Windows 2000, Windows 2003,
Windows XP, and Windows Vista clients. For the HP CIFS Server, Kerberos authentication is limited
exclusively to server membership in a Windows 2003 or Windows 2008 domain, and only
when the HP CIFS Server is configured with "security = ads".
This chapter provides a brief overview of Kerberos and a variety of Kerberos configuration
information including configuration detail which can be used when HP CIFS Server co-exists with
other HP-UX applications that make use of the Kerberos security protocol. For basic Windows
2003 and Windows 2008 domain membership configuration, see “Windows 2003 and Windows
2008 domains” (page 68). For more detailed CIFS related Kerberos information, refer to the HP
white paper HP CIFS Server and Kerberos, at the following web site:
http://docs.hp.com/en/netcom.html
then navigate to CIFS.
Kerberos overview
Kerberos is an authentication protocol that uses shared secrets and encryption to exchange and
decode keys between an authenticator, an authenticatee, and a resource to which the authenticatee
requires access. In the particular case of HP CIFS Server, the roles map as follows:
• Windows Key Distribution Center (KDC): Authenticator
• Windows client: Authenticatee
• HP CIFS Server: Resource
The protocol exchanges never pass an actual password over the wire, so a password cannot be
sniffed and decrypted to gain access to a resource. Instead, encrypted keys are passed over the
wire and the three principals (KDC, Windows client, and CIFS server) each use pre-arranged
secrets to decode the keys and allow access. The secrets themselves are never transferred. The
critical components of the exchanges are:
• Windows Key Distribution Center (KDC): Central Kerberos Authority for a domain
• Long-Term Key: Persistent key that is derived from a client's password
• Session Key: Short-term key that is used for authentication before it expires
• Ticket Granting Ticket (TGT): Allows a client access to the KDC to get a service ticket from the TGS
• Ticket Granting Service (TGS): Exchange that provides client access to a CIFS server's service
• Authentication Service: Exchange that actually allows client access to the KDC
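The three exchanges listed above (Authentication Service, Ticket Granting Service, and the final presentation of the service ticket to the CIFS server), as an added Python model that is not part of the HP guide or of Samba. It assumes a constructed realm with user alice and service principal cifs/hpux01.example.com, and stands in for the real Kerberos encryption types with a SHA-256 keystream plus HMAC tag, so only the structure of the exchanges is faithful: the password never crosses the wire, and each party decodes only what its own pre-arranged secret unlocks.

```python
import hashlib, hmac, json, os, time

SNAME = "cifs/hpux01.example.com"   # constructed CIFS service principal (not from the guide)
def ltk(password, principal):
    """Long-term key: derived from a password, salted with the principal name; it is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 2000)
def _ks(key, nonce, n):  # keystream for the toy cipher (stand-in for a real Kerberos enctype)
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key, msg):
    """Encrypt-then-MAC a dict under key; plays the role of a Kerberos EncryptedData blob."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):
    """Check the MAC first: a holder of the wrong secret is rejected and learns nothing."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("rejected: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# KDC database: long-term keys only (constructed values). The CIFS server holds its own copy of its key.
KDC_DB = {"alice": ltk("correct horse", "alice"), SNAME: ltk("machine-secret", SNAME), "krbtgt": os.urandom(32)}

def kdc_as(cname):
    """Authentication Service: TGT sealed under the krbtgt key, plus the session key sealed under the client's long-term key."""
    sk, exp = os.urandom(32).hex(), time.time() + 36000
    return seal(KDC_DB["krbtgt"], {"cname": cname, "key": sk, "exp": exp}), seal(KDC_DB[cname], {"key": sk, "exp": exp})
def kdc_tgs(tgt, authenticator, sname):
    """Ticket Granting Service: verify TGT and authenticator, then issue a service ticket sealed under the service's key."""
    t = unseal(KDC_DB["krbtgt"], tgt)
    if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"] or time.time() > t["exp"]:
        raise ValueError("TGS rejected request")
    sk = os.urandom(32).hex()
    return seal(KDC_DB[sname], {"cname": t["cname"], "key": sk, "exp": time.time() + 36000}), seal(bytes.fromhex(t["key"]), {"key": sk})

def cifs_accept(ticket, authenticator):
    """CIFS server side: decodes the ticket with its own key, no KDC round trip, and returns the authenticated name."""
    t = unseal(KDC_DB[SNAME], ticket)   # the server's own keytab copy of its long-term key
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["cname"] != t["cname"] or abs(time.time() - auth["ts"]) > 300 or time.time() > t["exp"]:
        raise ValueError("AP rejected: ticket/authenticator mismatch or expired")
    return t["cname"]

def client_login(user, password):
    """Windows client side: the password only derives a key locally; only sealed blobs cross the wire."""
    tgt, enc = kdc_as(user)
    k1 = bytes.fromhex(unseal(ltk(password, user), enc)["key"])   # a wrong password fails right here
    ticket, enc2 = kdc_tgs(tgt, seal(k1, {"cname": user, "ts": time.time()}), SNAME)
    k2 = bytes.fromhex(unseal(k1, enc2)["key"])
    return cifs_accept(ticket, seal(k2, {"cname": user, "ts": time.time()}))
```

Note that the CIFS server never sees alice's password or long-term key and never contacts the KDC during the final step; everything it needs is inside the ticket it can open with its own secret.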
For a comprehensive Microsoft Kerberos implementation white paper, refer to the following web
site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerbers.mspx
110 Kerberos support