HP CIFS Server and Kerberos
Windows Client: Authenticatee
HP CIFS Server: Resource
The protocol exchanges never carry an actual password over the wire, so a password cannot be
sniffed and decrypted to gain access to a resource. Instead, encrypted keys are passed over the
wire, and the three principals (KDC, Client, Server) each use pre-arranged secrets to decrypt the
keys and allow access. The secrets themselves are never transferred. The critical components of
the exchanges are:
Windows KDC: Key Distribution Center (central Kerberos Authority for a domain)
Long-Term Key: Persistent key derived from a client’s password
Session Key: Short-term key that is used for authentication before it expires
Ticket-Granting Ticket: Allows a client access to the KDC to get a TGS (see next)
Ticket-Granting Service: Exchange that provides client access to a service (CIFS Server)
Authentication Service: Exchange that actually allows client access to the KDC
In Chapter 6, traces and diagrams will show exactly how these components interact. A unique aspect
of CIFS is that the Kerberos protocol itself (as observed in a network trace) provides no method
for the client to send its service ticket to the CIFS Server. Instead, the ticket is sent through
the native service protocol, which in this case is SMB (or CIFS). This too is illustrated in Chapter 6.
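The following is an added Python simulation of the components listed above (it is not HP code and not a real Kerberos implementation): long-term keys derived from passwords, the AS exchange yielding a TGT, the TGS exchange yielding a service ticket, and the CIFS server opening that ticket with its own long-term key. The sealing primitive, the principal names (alice, cifs/hpux01), the salts and the passwords are constructed placeholders; the only things that cross the "wire" are sealed blobs, never a password or a long-term key.

```python
import hashlib, hmac, json, os, time

def long_term_key(password, salt):  # derived from the password; held by principal and KDC, never sent
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, obj):  # toy authenticated encryption: a constructed stand-in for Kerberos etypes
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):  # raises unless the same key produced the blob
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
def _verify(ticket_body, authenticator):  # authenticator is sealed under the ticket's session key
    a = unseal(bytes.fromhex(ticket_body["sk"]), authenticator)
    if a["client"] != ticket_body["client"] or abs(time.time() - a["ts"]) > 300:
        raise ValueError("bad or stale authenticator")

class KDC:
    def __init__(self, keys):  # keys: principal name -> long-term key (the pre-arranged secrets)
        self.keys, self.tgt_key = keys, os.urandom(32)  # tgt_key: the KDC's own secret
    def as_exchange(self, client):  # Authentication Service: returns AS-REP and a TGT
        sk = os.urandom(32).hex()   # session key for client <-> KDC
        return seal(self.keys[client], {"sk": sk}), seal(self.tgt_key, {"client": client, "sk": sk})
    def tgs_exchange(self, tgt, authenticator, service):  # Ticket-Granting Service
        t = unseal(self.tgt_key, tgt)  # only the KDC can open a TGT
        _verify(t, authenticator)      # proves the client could open the AS-REP
        svc_sk = os.urandom(32).hex()  # session key for client <-> CIFS server
        ticket = seal(self.keys[service], {"client": t["client"], "sk": svc_sk})
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}), ticket

def client_login(kdc, client, password, salt, service):
    rep, tgt = kdc.as_exchange(client)
    sk = bytes.fromhex(unseal(long_term_key(password, salt), rep)["sk"])  # wrong password fails here
    rep2, ticket = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "ts": time.time()}), service)
    svc_sk = bytes.fromhex(unseal(sk, rep2)["sk"])
    return ticket, seal(svc_sk, {"client": client, "ts": time.time()})  # carried in SMB Session Setup

def cifs_accept(server_key, ticket, authenticator):  # CIFS server opens the ticket with its own key
    t = unseal(server_key, ticket)
    _verify(t, authenticator)
    return t["client"]

def demo(typed_password="s3cret"):  # alice -> cifs/hpux01 (constructed names); returns accepted client
    keys = {"alice": long_term_key("s3cret", "EXAMPLE.COMalice"),
            "cifs/hpux01": long_term_key("svc-pass", "EXAMPLE.COMcifs/hpux01")}
    ticket, auth = client_login(KDC(keys), "alice", typed_password, "EXAMPLE.COMalice", "cifs/hpux01")
    return cifs_accept(keys["cifs/hpux01"], ticket, auth)
```

The last two steps of demo (ticket plus authenticator handed to cifs_accept) correspond to the hand-off that, on the network, rides inside SMB rather than inside Kerberos.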