svn commit: lorikeet r94 - in trunk/samba4-ad-thesis: .
abartlet at samba.org
Tue Oct 19 03:05:58 GMT 2004
Author: abartlet
Date: 2004-10-19 03:05:57 +0000 (Tue, 19 Oct 2004)
New Revision: 94
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/samba4-ad-thesis&rev=94&nolog=1
Log:
Detail DCE-RPC, LDAP, CLDAP and NTP.
Andrew Bartlett
Modified:
trunk/samba4-ad-thesis/chapters.lyx
Changeset:
Modified: trunk/samba4-ad-thesis/chapters.lyx
===================================================================
--- trunk/samba4-ad-thesis/chapters.lyx 2004-10-19 01:56:57 UTC (rev 93)
+++ trunk/samba4-ad-thesis/chapters.lyx 2004-10-19 03:05:57 UTC (rev 94)
@@ -429,21 +429,47 @@
as an IPC transport layer, in domain logon services.
\layout Section
-CLDAP
-\layout Subsection
+LDAP
+\layout Standard
-Sites
+The Lightweight Directory Access Protocol (LDAP
+\begin_inset LatexCommand \citet{rfc2251,rfc2252,rfc2253,rfc2254,rfc2255,rfc2256}
+
+\end_inset
+
+) has become the Internet standard for access to structured infomration,
+ in particular information in the format of an X.500-like tree.
+ Active Directory exports much of it's information in the form of an LDAP
+ tree, and a wide variety of tools are available to query and in some cases
+ modify that information.
\layout Section
-LDAP
+CLDAP
\layout Standard
+CLDAP originally was an internet standards-track proposal to allow LDAPv3
+ queries over UDP, a process that may be useful for service discovery.
+ While Microsoft does implement CLDAP, they do not follow the proposed standard,
+ and do not particularly use LDAP at all.
+ As will be discussed in Section
+\begin_inset LatexCommand \ref{sub:CLDAP}
-\begin_inset LatexCommand \citet{rfc2251,rfc2252,rfc2253,rfc2254,rfc2255,rfc2256}
-
\end_inset
+, CLDAP has become nothing more than an Internet Protocol transport for
+ a proprietory blob of data.
+ However, the implemention of CLDAP is important, because it forms a critical
+ role in DC and domain location.
+\layout Subsection
+Sites
+\layout Standard
+
+Sites are a concept closely tied to CLDAP and DNS - a workstation will try
+ to use servers found at it's own site, rather than one futher away (over
+ potentially expensive WAN links).
+ The CLDAP reply includes information on Sites, and clients can use this,
+ as well as packet timing information, to determine which DC to use.
\layout Section
DCE-RPC
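Review bot: the CLDAP paragraph's claim that Microsoft "do not particularly use LDAP at all" contradicts the LDAP section added just above it, which says Active Directory exports much of its information as an LDAP tree; the intended point appears to be that the CLDAP query carries no LDAP semantics, so suggest "and do not use LDAP semantics in it at all" or similar. In the same hunk, "an Internet Protocol transport for a proprietory blob of data" is vague given the paragraph has already said CLDAP runs over UDP; "a UDP transport" would be precise. Spelling: "infomration", "futher", "implemention", and "proprietory" (should be "proprietary"); "it's" should be "its" in both "much of it's information" and "it's own site".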
@@ -454,35 +480,80 @@
\end_inset
+DCE-RPC is a long-established standard for the operation of Remote Procedure
+ Calls (RPC), and is published publicly by the Open Group
+\begin_inset LatexCommand \citep{opengroupdce}
+\end_inset
+
+.
+ However, the complexity in DCE-RPC is not in the transport or basic operation
+ (not that the difficultly in writing a DCE-RPC marsalling and control library
+ should be underestimated), but in the interface definitions - written in
+ the Interface Definition Language (IDL) - and the proprietory security
+ mechnisms, such as NTLMSSP:
+\layout Subsection
+
+Interface Definitions
\layout Standard
+Each function exposed over DCE-RPC has an associated interface definition,
+ and if you were to make a particular interface public, all you would need
+ to do is publish the IDL file - a file that you would compile yourself
+ to create the `stub' library on which you build your client or server work.
+
+\layout Standard
-\begin_inset LatexCommand \citep{opengroupdce}
+One of the big changes in Samba4 is PIDL, our own IDL compiler, detailed
+ in Section
+\begin_inset LatexCommand \ref{sec:PIDL---Midl}
\end_inset
+.
+\layout Subsection
+DCE-RPC Security
+\layout Standard
+
+NTLMSSP and Schannel are the two predominat security mechanisms applied
+ to DCE-RPC in a Microsoft environment, and both are considered proprietory
+ by Microsoft (there is a growing body of documentation on both however).
+ These mechanisms authenticate clients (by means of an authenticated `bind')
+ and can secure the traffic as it passes over the network.
\layout Section
DNS
\layout Standard
Active Directory provides and uses an extensive amount of information in
- DNS.
+ DNS, particualrly based around the new SRV record type.
+ Under the
+\family typewriter
+_msdcs
+\family default
+ subdomain, Microsoft stores infomration about each of the domain controllers
+ on the network, both by DC name and more imporatantly by the network service
+ they provide.
\layout Standard
-Custom DNS configuration
-\layout Standard
-
-Extensive use of SRV records.
+Microsoft has devised their own secure update scheme for DNS, based around
+ kerberos.
+ This allows machines to update their own entry in the DNS server.
\layout Section
-NTP
+SNTP
\layout Standard
-Schannel-signed NTP packets.
+The Simple Network Time Protocol (SNTP) is an Internet Standard time protocol,
+ and is used extensivly in ADS domains to keep accurate time.
+ Each domain controller runs a time server, and in an ideal network is syncronis
+ed with an upstream time server.
+ In an intersting extension to SNTP, Microsoft signs the time responses
+ with the schannel security scheme.
+ This allows a secure bootstraping to to correct time, needed for correct
+ Kerberos operation.
\layout Chapter
Authentication
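Review bot: the DCE-RPC introduction ends with "such as NTLMSSP:" and is immediately followed by the "Interface Definitions" subsection heading, so the colon promises a list or explanation that never arrives; end the sentence with a full stop instead. The SNTP paragraph has a doubled word in "bootstraping to to correct time". Capitalisation is inconsistent within the hunk: "kerberos" in the DNS paragraph against "Kerberos" in the SNTP paragraph, and "schannel" against "Schannel". Consider whether "the new SRV record type" is still accurate, or simply write "the SRV record type". Spelling: "marsalling", "difficultly" (read "difficulty"), "mechnisms", "predominat", "particualrly", "imporatantly", "extensivly", "syncronised", "intersting", "bootstraping", and "proprietory" twice.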
@@ -1787,6 +1858,11 @@
CLDAP
\layout Standard
+
+\begin_inset LatexCommand \label{sub:CLDAP}
+
+\end_inset
+
Connectionless LDAP is used as an `Internet Standard' transport for Microsoft's
proprietary domain controller location protocols.
While CLDAP would be an ideal mechanism for this purpose, it has been mangled
@@ -2945,12 +3021,21 @@
PIDL - Midl replacement for Samba
\layout Standard
+
+\begin_inset LatexCommand \label{sec:PIDL---Midl}
+
+\end_inset
+
One of the biggest achievements in Samba4's design and development is Dr
Tridgell's PIDL IDL compiler.
Known as PIDL because it is a Perl compiler of the Interface Definition
Language, this comparatively small collection of Perl modules and handling
scripts converts the standard IDL file format into C code for use inside
- Samba.
+ Samba (On the Microsoft platform a program known as
+\family typewriter
+midl
+\family default
+ does the same thing).
Attempted, but not completed, in the past, this contrasts greatly with
the approach in Samba3 - that of manual parsing of packets, with little
regard to the inbuilt rules of the Network Data Representation (NDR) format.
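Review bot: the inserted parenthetical "(On the Microsoft platform a program known as midl does the same thing)" is spliced into the middle of a sentence after "Samba", so the capital "O" should be lowercase and the sentence's full stop belongs after the closing parenthesis rather than before it. The section title spells the Microsoft tool "Midl" while the new text uses "midl" in typewriter font; pick one spelling and use it in both places.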