HP CIFS Windows 2000 Interoperability (October 2002)

CIFS/9000 and Windows 2000 Interoperability
Hewlett-Packard
Chapter 4 Authentication: Kerberos and NTLM
Authentication technology is a key feature of Windows 2000. The adoption of Kerberos as
the default Windows authentication protocol is a primary differentiator from NT4.0 and a
compelling motivation to upgrade. The NT4.0 authentication protocol is NTLM, and it is
important to understand the benefits that Kerberos provides over NTLM so that the
migration implications are fully understood. CIFS/9000 authentication is based upon NTLM
at this time, so a clear understanding of how NTLM integrates into a Windows 2000 Mixed
or Native Mode domain is critical for assessing potential installations.
4.1 CIFS/9000 Server and NTLM
CIFS/9000 Server is based upon Samba, and Samba has four basic authentication (or "security")
modes:
- Share
- User
- Server
- Domain
Since integration with Windows 2000 is predicated upon domain security, domain is the only
Samba security mode that will be considered here.
The CIFS/9000 server uses pass-through domain authentication for users. When a user
maps a share (\\CIFS9000servername\sharename), the CIFS/9000 server must look for an
authenticating entity within the domain, because the CIFS/9000 server does not carry an
authentication database of its own (neither the NT4.0 SAM nor the Windows 2000 Active
Directory). In domain mode, the server locates a domain controller and passes the
authentication request through to it in order to validate that the client user is legitimate.
The authenticating protocol that the CIFS/9000 server uses is NTLM v1. The server first
negotiates the protocol with the client that is mapping the share and issues that client an
8-byte challenge; it then forwards the challenge and the client's response to the domain
controller over the NetLogon secure channel, and the domain controller validates the
response against the password hash it holds for the account. The file server never sees
the password or its hash; it only learns whether the domain controller accepted the logon.
This behavior will be displayed in a subsequent diagram.
4.1.1 NTLM Details
At the time the NTLM challenge-response authentication protocol was introduced for NT4.0, it
was considered state-of-the-art. NTLM v1 provided:
- Improved security over LAN Manager
  o 14 character passwords (note that if the passwords do not actually contain the
    additional characters that 14 characters allow, then there is no security gained;
    note also that the LAN Manager hash upper-cases the password and splits it into
    two independent 7-character halves, so a 14-character LM password is only as
    strong as two 7-character ones, whereas the NT hash is an MD4 of the case-preserved
    Unicode password)
- Challenge-response across the wire: the password itself is never transmitted; the client
  returns the server's challenge DES-encrypted under keys derived from the password hash
- Password hash fragmented across the wire (harder to recover): the 16-byte hash is split
  into three 7-byte DES keys, each contributing 8 bytes of the 24-byte response
Like most technology, what was state-of-the-art then is now obsolete. The current status of
NTLM:
- Proprietary protocol
- Performance bottleneck (every logon is passed through to a domain controller)
- One-way authentication only (the client user is validated; the client never
  authenticates the server)
- No authentication delegation (no service proxy: the server cannot use the client's
  credentials to reach a second server on the client's behalf)