HP CIFS Server and Kerberos
Chapter 2 Kerberos, CIFS, and Samba Overview
The Kerberos protocol is specified by IETF RFC 1510. Kerberos was adopted by Microsoft for
Windows 2000, and is the default authentication protocol for Windows 2000, 2003, and 2008 domains
(including the Windows 2000, XP, and Vista clients that inhabit those domains). Microsoft has
modified the Kerberos protocol for better synergy with the Windows domain concept, and thus
proclaims that their implementation is “Based upon an industry standard.” This divergence from the
IETF spec allows for some additional domain features, including:
- Re-use of credentials. A client must be authenticated to use a service, and can then
  disconnect from the service and re-connect without re-authenticating, because Kerberos
  allows the re-use of existing credentials.
- The client *AND* the server are authenticated, providing a more secure connection.
- Authentication proxy, allowing applications to impersonate clients and actually have the
  application authenticate.
- Transitive trusts sound like an ADS feature, but really are enabled by the usage of
  Kerberos.
- Encryption: the Kerberos encryption methods are more secure and flexible than older
  Windows authentication encryption.
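The credential re-use and mutual-authentication items in the list above can be seen concretely in a toy model of the three Kerberos exchanges (AS, TGS and AP) between the three parties the primer in section 2.1 names: the KDC as authenticator, the user as authenticatee, and the CIFS server as the resource. This is an added example and is not code from the HP whitepaper, from Samba, or from Microsoft; the realm, principal names, password and 8-hour ticket lifetime are constructed sample values, and the HMAC-based cipher and PBKDF2 key derivation are assumptions standing in for real Kerberos encryption types and string-to-key functions.

```python
import hashlib, hmac, json, os, time

def derive_key(password, salt):  # stand-in for Kerberos string-to-key (PBKDF2 is an assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _xor(key, nonce, data):
    # HMAC-SHA256 counter-mode keystream; a toy stand-in for a real Kerberos encryption type
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()   # tag: integrity

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    """Authenticator: the only party holding every principal's long-term key."""
    def __init__(self, realm, keys):
        self.realm, self.keys, self.requests = realm, keys, 0

    def _ticket(self, sname, cname):
        skey = os.urandom(32).hex()                       # fresh session key per ticket
        body = {"cname": cname, "skey": skey, "exp": time.time() + 28800}   # 8-hour lifetime
        return encrypt(self.keys[sname], body), skey

    def as_exchange(self, cname):
        # AS-REQ/AS-REP: TGT sealed under the krbtgt key; its session key sealed under the user's key
        self.requests += 1
        tgt, skey = self._ticket("krbtgt", cname)
        return tgt, encrypt(self.keys[cname], {"skey": skey, "sname": "krbtgt"})

    def tgs_exchange(self, tgt, authenticator, sname):
        # TGS-REQ/TGS-REP: the TGT proves the user already authenticated; no password is sent again
        self.requests += 1
        t = decrypt(self.keys["krbtgt"], tgt)
        tskey = bytes.fromhex(t["skey"])
        if decrypt(tskey, authenticator)["cname"] != t["cname"] or time.time() > t["exp"]:
            raise ValueError("TGT or authenticator rejected")
        ticket, sskey = self._ticket(sname, t["cname"])
        return ticket, encrypt(tskey, {"skey": sskey, "sname": sname})

class CifsServer:
    """Resource: knows only its own service key, never the user's password or key."""
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket, authenticator):
        t = decrypt(self.key, ticket)                     # only the real service can open the ticket
        skey = bytes.fromhex(t["skey"])
        a = decrypt(skey, authenticator)                  # only the ticket's owner knows skey
        if a["cname"] != t["cname"] or time.time() > t["exp"] or abs(time.time() - a["ts"]) > 300:
            raise ValueError("ticket or authenticator rejected")
        if authenticator in self.replay_cache:            # same authenticator twice = replay
            raise ValueError("replayed authenticator")
        self.replay_cache.add(authenticator)
        # AP-REP: echoing the client's timestamp under the session key proves the server could
        # open the ticket, i.e. holds the service key: this is the mutual-authentication step
        return encrypt(skey, {"ts": a["ts"]})

class Client:
    """Authenticatee: derives its key from the password and caches tickets for re-use."""
    def __init__(self, name, password, kdc):
        self.name, self.kdc, self.tickets = name, kdc, {}
        self.key = derive_key(password, kdc.realm + name)

    def login(self):
        tgt, enc_part = self.kdc.as_exchange(self.name)   # decrypt fails here if the password is wrong
        self.tickets["krbtgt"] = (tgt, bytes.fromhex(decrypt(self.key, enc_part)["skey"]))

    def ticket_for(self, sname):
        if sname not in self.tickets:                     # cached service tickets are re-used
            tgt, tskey = self.tickets["krbtgt"]
            auth = encrypt(tskey, {"cname": self.name, "ts": time.time()})
            ticket, enc_part = self.kdc.tgs_exchange(tgt, auth, sname)
            self.tickets[sname] = (ticket, bytes.fromhex(decrypt(tskey, enc_part)["skey"]))
        return self.tickets[sname]

    def connect(self, server):
        # AP-REQ with a fresh authenticator; True only if the AP-REP echoes our timestamp
        ticket, skey = self.ticket_for(server.name)
        ts = time.time()
        rep = server.ap_exchange(ticket, encrypt(skey, {"cname": self.name, "ts": ts}))
        return decrypt(skey, rep)["ts"] == ts

def build_demo():
    realm, password = "EXAMPLE.COM", "correct horse battery"   # constructed sample values
    keys = {"krbtgt": os.urandom(32), "cifs/fileserver": os.urandom(32),   # made-up long-term keys
            "alice": derive_key(password, realm + "alice")}
    kdc, server = KDC(realm, keys), CifsServer("cifs/fileserver", keys["cifs/fileserver"])
    alice = Client("alice", password, kdc)
    alice.login()                                         # one AS exchange
    return kdc, server, alice
```

Running `build_demo()` and then calling `alice.connect(server)` twice shows both features: the first connect costs one TGS exchange and one AP exchange, the second re-uses the cached service ticket and never contacts the KDC (`kdc.requests` stays at 2), and each connect returns True only because the server's AP-REP proves it holds the service key. The replay cache on the server illustrates why a real AP exchange also needs a clock-skew window and a cache of recently seen authenticators.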
For Samba 3.0 and HP CIFS Server A.02.01 and later (currently A.02.03.04), Kerberos
authentication is limited exclusively to server membership in a Windows 2000 or 2003
domain, and only when the CIFS/Samba server is configured with “security = ads”.
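As an added illustration of the configuration this paragraph describes (constructed here, not taken from the HP document or from Samba's own documentation), a minimal smb.conf [global] section with the two non-Kerberos security modes shown for contrast; the workgroup and realm names are placeholders:

```ini
[global]
   ; Constructed example: EXAMPLEDOM and EXAMPLE.COM are placeholders, not values from the HP document
   workgroup = EXAMPLEDOM          ; NetBIOS (pre-Windows 2000) name of the domain
   realm = EXAMPLE.COM             ; Kerberos realm, i.e. the AD DNS domain name in upper case
   security = ads                  ; domain member using Kerberos; the only mode in which Kerberos is used
   ; security = domain             ; domain member, but authenticates with NTLM pass-through, no Kerberos
   ; security = user               ; standalone server with local passwords, no Kerberos
```

With `security = ads` the server must also be joined to the domain so that it holds its own service key; `realm` must match the Kerberos realm the domain controllers serve, since it is the realm name the server uses when validating tickets.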
Note: HP CIFS Server does not support joining Windows 2008 domains as of version A.02.03.04.
Work is progressing on a new version that will support Windows 2008.
This particular limitation of Samba 3.0 is especially confusing because, while it can function as a
standalone domain controller with an LDAP interface to a user data store (similarly to ADS), Samba
itself cannot interface with a non-Windows MIT or Heimdal Key Distribution Center (KDC) to
authenticate users in this configuration (as of A.02.03.04).
NOTE: LDAP servers are capable of authenticating users resident in the LDAP database, and can be
configured to authenticate against an MIT or Heimdal Key Distribution Center (KDC). However, this
is purely a function of the LDAP server and is not associated with Samba in any way.
2.1 Kerberos Primer
Here is a very quick primer and Kerberos protocol review. For a comprehensive Microsoft Kerberos
implementation whitepaper, see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx
Kerberos is an authentication protocol that uses shared secrets and encryption to establish keys
between an authenticator, an authenticatee, and some resource that the authenticatee requires access
to. In the particular case of CIFS/Samba, the following applies:
Windows KDC: Authenticator