HP CIFS Windows 2000 Interoperability (October 2002)

CIFS/9000 and Windows 2000 Interoperability
Hewlett-Packard
The Network Monitor trace shows that the Native Mode protocol authentication exchange is the same as in Mixed Mode:
1. Packet 16: The Windows 2000 Pro client ROS87208ERIC proposes NTLM v1 to the CIFS/9000 member server EMONSTER.
2. Packet 17: The CIFS/9000 Server EMONSTER confirms NTLM v1.
3. Packet 32: The CIFS/9000 member server EMONSTER proposes NTLM v1 to the Windows 2000 domain controller ROS87252OLK.
4. Packet 33: The Windows 2000 domain controller ROS87252OLK confirms NTLM v1.
The diagrams and traces for client logons and CIFS/9000 Server share mappings show that the CIFS/9000 Server can integrate into the Windows 2000 domain in either Mixed Mode or Native Mode, using the same authentication protocol that is standard in NT 4.0. Windows 2000 Pro clients in the domain can log on to the Windows 2000 domain using Kerberos authentication and map shares on CIFS/9000 using NTLM.
4.4 Why Does CIFS/9000 Use NTLM?
HP offers HP-UX integration with the Windows 2000 Active Directory (ADS) and provides services to integrate HP-UX account data and route authentication requests to the ADS. However, CIFS/9000, which runs on HP-UX, does not provide pass-through authentication to the ADS using Kerberos. The reason is the way Windows 2000 implements the Kerberos ticket layout: it adds a proprietary structure to the ticket and thereby bypasses the open-systems, industry-standard aspect of the protocol.
Microsoft extends the Kerberos V5 specification by adding a “Privilege Access Certificate”
(PAC) to an undefined field in the ticket specification. The PAC contains security identifiers
(SIDs) in the actual ticket that allow the client’s resource permissions to be readily available
when requesting domain resources. The PAC structure is licensed, and although the
specification is published, the license specifically prohibits usage of the structure. This
restriction prevents the very open systems interoperability that the Kerberos RFC 1510
specification intends to provide. As a result, other server vendors are unable to interoperate
with Windows 2000 clients using the Kerberos authentication protocol.
HP is aware that Kerberos provides important security benefits, and that these benefits are
a high priority for CIFS/9000 customers. HP is actively pursuing solutions that will provide
Kerberos authentication for CIFS/9000.
4.5 Windows 2000 Authentication: CIFS/9000 Interoperability
CIFS/9000 Server authentication using NTLM v1 is valid and effective in a Windows 2000 Mixed Mode or Native Mode domain. As a member server, CIFS/9000 passes every authentication request through to the domain controller. Because CIFS/9000 is a member server, this pass-through mechanism is unaffected by the domain mode; Native Mode by itself does not change pass-through authentication.
For the CIFS/9000 Server pass-through authentication mechanism to work, NetBIOS must
be enabled in the domain. This topic will be covered in the “Name Resolution” module.
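The following Python script is an added illustration of the pass-through exchange described in the packet list above and in this section; it is not HP's code and not part of the original paper. It models the three hosts from the paper's Network Monitor trace (ROS87208ERIC, EMONSTER, ROS87252OLK) and shows why the domain mode is irrelevant to the member server: EMONSTER holds no password hashes and only forwards the challenge/response pair to the domain controller, so the decision is made on ROS87252OLK in both Mixed and Native Mode. The NT hash and NTLM v1 response functions are labelled stand-ins (SHA-256 and HMAC-SHA256, not the real MD4/DES computation), the `netbios` name table is a hypothetical stand-in for NetBIOS name resolution, and the account `eric` with its password is constructed for the example. Removing the DC from the name table reproduces the failure mode of a domain without NetBIOS.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def nt_hash(password: str) -> bytes:
    # Stand-in for the NT password hash (the real one is MD4 over the UTF-16LE
    # password); SHA-256 is used so the script runs on any Python 3 build.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntlm_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Stand-in for the NTLM v1 response function: keyed over the 8-byte server
    # challenge, so the hash itself never crosses the wire.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    """Windows 2000 DC holding the account database; mode is Mixed or Native."""

    def __init__(self, name: str, accounts: Dict[str, str], mode: str = "Mixed"):
        self.name = name
        self.mode = mode
        self._hashes = {user: nt_hash(pw) for user, pw in accounts.items()}

    def validate(self, user: str, challenge: bytes, response: bytes) -> bool:
        # The DC recomputes the expected response and compares in constant time.
        stored = self._hashes.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(ntlm_response(stored, challenge), response)


class MemberServer:
    """CIFS/9000 member server: owns no password hashes, only passes through."""

    def __init__(self, name: str, dc_name: str, netbios: Dict[str, DomainController]):
        self.name = name
        self.dc_name = dc_name
        self.netbios = netbios  # hypothetical NetBIOS name table (name -> host)
        self.trace: List[str] = []
        self._challenge: Optional[bytes] = None

    def negotiate(self, client: str) -> Tuple[str, bytes]:
        # Packets 16/17 of the paper's trace: client proposes, server confirms NTLM v1.
        self.trace.append(f"{client} -> {self.name}: propose NTLM v1")
        self._challenge = secrets.token_bytes(8)
        self.trace.append(f"{self.name} -> {client}: confirm NTLM v1, challenge sent")
        return "NTLM v1", self._challenge

    def session_setup(self, user: str, response: bytes) -> Tuple[bool, str]:
        # Packets 32/33: the member server passes the challenge/response to the DC.
        if self._challenge is None:
            return False, "session setup before negotiate"
        dc = self.netbios.get(self.dc_name)
        if dc is None:
            # Without NetBIOS the DC cannot be found, so pass-through cannot happen.
            return False, f"cannot resolve {self.dc_name} via NetBIOS"
        self.trace.append(f"{self.name} -> {dc.name}: propose NTLM v1, pass through {user}")
        ok = dc.validate(user, self._challenge, response)
        verdict = "accept" if ok else "reject"
        self.trace.append(f"{dc.name} -> {self.name}: {verdict} ({dc.mode} Mode)")
        return ok, "authenticated" if ok else "logon failure"


def map_share(client: str, user: str, password: str, server: MemberServer) -> Tuple[bool, str]:
    """Windows 2000 Pro client mapping a CIFS/9000 share with NTLM v1."""
    proto, challenge = server.negotiate(client)
    if proto != "NTLM v1":
        return False, f"unexpected protocol {proto}"
    return server.session_setup(user, ntlm_response(nt_hash(password), challenge))


def run(mode: str = "Mixed", netbios_enabled: bool = True,
        password: str = "correct horse") -> Tuple[bool, str, List[str]]:
    # Host names come from the paper's trace; the account and password are constructed.
    dc = DomainController("ROS87252OLK", {"eric": "correct horse"}, mode)
    table = {"ROS87252OLK": dc} if netbios_enabled else {}
    server = MemberServer("EMONSTER", "ROS87252OLK", table)
    ok, why = map_share("ROS87208ERIC", "eric", password, server)
    return ok, why, server.trace


if __name__ == "__main__":
    for mode in ("Mixed", "Native"):
        ok, why, trace = run(mode)
        print(f"{mode} Mode: {why}")
        for line in trace:
            print("  " + line)
    print("Without NetBIOS:", run(netbios_enabled=False)[1])
```

Running it prints the same four-step exchange for both modes, which is the point of the paper's trace comparison; the member server object never stores a hash, so the only way the logon can succeed is for the DC to be reachable by name and to accept the response.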