CIFS and Kerberos question
Naomaru Itoi
nitoi at activcard.com
Fri Dec 13 15:23:00 GMT 2002
Hi,
Thanks for your great work as always. This question is slightly
off-topic, but you guys know a lot about SMB/CIFS and Microsoft Active
Directory & Kerberos, so let me ask ...
I am trying to achieve PKI authentication and SMB access to a Windows Domain
from a UNIX box. In other words:
- From a UNIX box (let's say MacOS X), a user gets authenticated by a Domain
Controller (which uses Active Directory for authenticating users) with a
digital signature from a smartcard.
- The user mounts a directory on a Windows PC, which is in the domain,
through SMB/CIFS.
- The user accesses the files through SMB/CIFS.
To achieve this, I need to gather some information about Kerberos and
SMB/CIFS on Windows.
By reading documents in MSDN Library and on the Internet, I am guessing the
following are the architectures of Windows filesystem client and server.
   Microsoft Client            Microsoft Server
      Filesystem                  Filesystem
   --------------              --------------
      SSPI-Krb5                   SSPI-Krb5
   --------------              --------------
   Kerberos | CSP                Kerberos
   --------------
   TCP/IP   | PC/SC
- Filesystem relies on SSPI-KerberosV to provide security services.
- SSPI-KerberosV uses KerberosV5 (and its PKI extension, PKINIT) to
authenticate a user (and maybe establish a secure channel).
- SSPI-KerberosV uses CSP/CAPI for smartcard services.
[Question 1. Is this guess correct?]
Assuming the answer to Question 1 is yes, I believe here's what I have
to implement:
   My Client                   Microsoft Server
      Filesystem                  Filesystem
   --------------              --------------
     GSSAPI-Krb5                  SSPI-Krb5
   --------------              --------------
   Heimdal | PC/SC               Kerberos
   --------------
   TCP/IP
- Fortunately, since there are open source implementations of SMB/CIFS
filesystems (e.g. on MacOS X and on Linux), I don't have to write a
filesystem.
- Also fortunately, Heimdal seems to have PKINIT tested with Microsoft KDC,
so I don't have to implement this, either.
- My concern is that there is no SSPI on UNIX. However, I believe SSPI and
GSSAPI are similar.
[Question 2. Is there a chance that GSSAPI on a UNIX client and SSPI on a
Windows server interoperate, with a reasonable amount of changes?]
Assuming the answer to Q2 is NO, then I guess I have to Kerberize the
filesystem.
[Question 3. What exactly does Kerberos do in the server? If Kerberos is
used only for initial authentication, then all I need to do is PKINIT in the
filesystem on UNIX, right? Or does Kerberos actually check a ticket for
each message, and even more, encrypt the data transferred between the client
and the server? If so, what exactly do I have to do? Encrypt packets with
Kerberos functions?]
[Question 4. Are there any documents which describe the internals of SSPI,
the Microsoft filesystem implementation, etc.?]
As these are very detailed questions, I would appreciate any help ... advice
on how I should proceed, where to get more information, whom else to ask,
etc.
Thank you.
--
Concentration ... Naomaru Itoi
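Added example (not from the poster or from Samba): the piece that makes Question 2 workable in practice is that SSPI on Windows and GSSAPI on UNIX put the same thing on the wire. With extended security, the SMB Session Setup security blob is a GSS-API initial context token (RFC 2743) whose mechanism is SPNEGO (RFC 2478, later RFC 4178), and inside it the NegTokenInit lists the mechanisms the client offers in preference order, usually Kerberos first and NTLMSSP as fallback. The decoder below walks that DER structure and reports which mechanisms were offered; a defender can run the same check over captured session setups to spot clients that only ever offer NTLMSSP. The tokens it parses are constructed by the small encoder in the same file, not captured from a real client, and the mechToken payload is a labelled placeholder rather than a real AP-REQ.

```python
"""Decode the SPNEGO NegTokenInit carried in an SMB Session Setup security blob.
Added example; the sample tokens at the bottom are constructed, not captured."""
from typing import Dict, List, Optional, Tuple

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {                          # well-known GSS mechanism OIDs
    "1.2.840.48018.1.2.2": "MS KRB5",   # Microsoft's legacy Kerberos OID
    "1.2.840.113554.1.2.2": "KRB5",     # standard Kerberos V5 (RFC 1964)
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content octets (first two arcs packed, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_neg_token_init(token: bytes) -> Tuple[List[str], Optional[bytes]]:
    """Return (offered mechanism OIDs in preference order, optimistic mechToken)."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:                     # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:                     # NegotiationToken CHOICE [0] = NegTokenInit
        raise ValueError("not a NegTokenInit")
    tag, seq, _ = read_tlv(choice, 0)
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    mechs: List[str] = []
    mech_token = None
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                 # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(field, 0)
            p = 0
            while p < len(lst):
                t, oid, p = read_tlv(lst, p)
                if t != 0x06:
                    raise ValueError("mechTypes entry is not an OID")
                mechs.append(decode_oid(oid))
        elif tag == 0xA2:               # [2] mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(field, 0)
        # [1] reqFlags and [3] mechListMIC are not needed for this summary
    return mechs, mech_token


def build_neg_token_init(mechs: List[str], mech_token: Optional[bytes]) -> bytes:
    """Encoder used only to construct the sample tokens for this example."""
    fields = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, encode_oid(m)) for m in mechs)))
    if mech_token is not None:
        fields += tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + tlv(0xA0, tlv(0x30, fields)))


def summarize(token: bytes) -> Dict[str, object]:
    """Name the offered mechanisms and flag a session that cannot use Kerberos."""
    mechs, mech_token = parse_neg_token_init(token)
    names = [MECH_NAMES.get(m, m) for m in mechs]
    return {"mechs": names, "preferred": names[0] if names else None,
            "kerberos_offered": any(n in ("KRB5", "MS KRB5") for n in names),
            "has_mech_token": mech_token is not None}


# Constructed samples: a Kerberos-capable client and an NTLM-only fallback.
KERB_CLIENT = build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    b"<constructed placeholder for a KRB5 AP-REQ>")
NTLM_ONLY_CLIENT = build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"], None)

if __name__ == "__main__":
    for label, tok in (("kerberos-capable", KERB_CLIENT), ("ntlm-only", NTLM_ONLY_CLIENT)):
        print(label, tok.hex(), summarize(tok))
```

Running the file prints both constructed tokens in hex alongside their summaries. Against real traffic, feed `summarize()` the security blob from a Session Setup request; a client that lists only NTLMSSP, or whose first entry is not a Kerberos OID, is the case an administrator who wants Kerberos-only authentication would want to see.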