svn commit: lorikeet r101 - in trunk/samba4-ad-thesis: .

abartlet at samba.org
Mon Oct 25 13:02:25 GMT 2004


Author: abartlet
Date: 2004-10-25 13:02:24 +0000 (Mon, 25 Oct 2004)
New Revision: 101

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/samba4-ad-thesis&rev=101&nolog=1

Log:
Add information on the 'short name, kerberos later' join.

Remove NTLM2 stub, we probably don't need to detail that.

Andrew Bartlett

Modified:
   trunk/samba4-ad-thesis/chapters.lyx


Changeset:
Modified: trunk/samba4-ad-thesis/chapters.lyx
===================================================================
--- trunk/samba4-ad-thesis/chapters.lyx	2004-10-24 10:40:45 UTC (rev 100)
+++ trunk/samba4-ad-thesis/chapters.lyx	2004-10-25 13:02:24 UTC (rev 101)
@@ -80,7 +80,7 @@
 \layout List
 \labelwidthstring 00.00.0000
 
-Samba3 A production, NT4 replacement DC 
+Samba3 A production, NT4 replacement Domain Controller 
 \layout List
 \labelwidthstring 00.00.0000
 
@@ -533,7 +533,7 @@
 \family typewriter 
 ncacn_np
 \family default 
- - the acronym is unimporant, but it means `Named Pipes' and this filesystem
+ - the acronym is unimportant, but it means `Named Pipes' and this file-system
  concept is carried over CIFS to remote servers.
  Other transports include:
 \layout List
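Review bot: the change from `filesystem` to `file-system` goes against the conventional unhyphenated spelling, and the DNS hunk below makes the same move with `subdomain` -> `sub-domain`; either keep the original unhyphenated forms or apply the hyphenation consistently across the thesis rather than only on these two lines. The rest of the sentence is fine: `np` does stand for named pipes, and carrying them over CIFS is what makes `ncacn_np` work remotely.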
@@ -552,6 +552,14 @@
 ncacn_ip_udp
 \family default 
  DCE-RPC over UDP/IP
+\layout List
+\labelwidthstring 00.00.0000
+
+
+\family typewriter 
+ncacn_ip_http
+\family default 
+ DCE-RPC over HTTP
 \layout Section
 
 DNS
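Review bot: the added protocol-sequence name `ncacn_ip_http` is not a real DCE-RPC protocol sequence; RPC over HTTP is identified as `ncacn_http`, so the new list entry should read `ncacn_http` with the same `DCE-RPC over HTTP` description. The unchanged context line `ncacn_ip_udp` has the same kind of problem: the UDP transport is datagram-oriented and its identifier is `ncadg_ip_udp` (`ncacn` is the connection-oriented prefix, `ncadg` the datagram one). Worth fixing both in this hunk, since a reader will copy these strings into binding strings.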
@@ -563,7 +571,7 @@
 \family typewriter 
 _msdcs
 \family default 
- subdomain, Microsoft stores information about each of the domain controllers
+ sub-domain, Microsoft stores information about each of the domain controllers
  on the network, both by DC name and more importantly by the network service
  they provide.
  
@@ -967,7 +975,7 @@
 More importantly, this authentication scheme has a direct heritage back
  to the early days of the CIFS (then SMB) networking suite, with much of
  the weakness in it as an authentication scheme linked to backward compatibility.
- It is the ubiquitous authentication scheme in windows networking, and even
+ It is the ubiquitous authentication scheme in Windows networking, and even
  with Windows 2000 is the transparent fall-back option if and when Kerberos
  fails to operate in a particular environment.
 \layout Subsection
@@ -1571,7 +1579,7 @@
  be securely collected, in clear-text, for hashing into appropriate Kerberos
  keys.
  Microsoft knew that it could not expect this kind of effort in upgrading
- windows servers from NT4 to Active Directory, so they solved it a different
+ Windows servers from NT4 to Active Directory, so they solved it a different
  way.
  
 \layout Standard
@@ -2180,7 +2188,7 @@
  Windows 2000 versions), allows the login to progress using Kerberos authenticat
 ion.
  Likewise, a client unable to perform Kerberos knows from this reply that
- NTLMSSP, the more traditional login scheme on windows networks, is also
+ NTLMSSP, the more traditional login scheme on Windows networks, is also
  acceptable.
 \layout Subsection
 
@@ -2813,7 +2821,7 @@
 Samba
 \layout Standard
 
-Samba provides windows networking services, on a Unix-like platform.
+Samba provides Windows networking services, on a Unix-like platform.
  These services range from simple file and printer sharing, to full management
  of a NT-style domain.
  All of these services are provided in the Samba package, which is itself
@@ -2845,7 +2853,7 @@
 
 , Samba quietly evolved over the past 12 years from a barely functional
  prototype, used to communicate between a DOS Pathworks client and a Sun
- server, into a solid file and print server for windows clients.
+ server, into a solid file and print server for Windows clients.
 \layout Subsubsection*
 
 Samba 2.0
@@ -2889,13 +2897,13 @@
 
  and in particular Samba 3.0 grew to include the ability to be an NT4 compatible
  domain controller, a functionality that even allows Samba to `take over'
- an existing windows network
+ an existing Windows network
 \begin_inset LatexCommand \citep{samba-guide-migration}
 
 \end_inset 
 
 .
- This has allowed many sites to remove windows servers entirely from their
+ This has allowed many sites to remove Windows servers entirely from their
  networks.
 \layout Standard
 
@@ -3078,7 +3086,7 @@
 
 \end_inset 
 
- on windows in it's ubiquitous use, GENSEC allows all aspects of Samba4
+ on Windows in it's ubiquitous use, GENSEC allows all aspects of Samba4
  to use the same implementation of our core authentication protocols.
  The interface is completely generic, and on starting this thesis it contained
  support only for NTLMSSP, the development of which had been brought forward
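Review bot: the context line `on Windows in it's ubiquitous use` still carries the wrong `it's` (the possessive `its` is meant); since the line is being rewritten for the `Windows` capitalisation anyway, fix `it's` -> `its` in the same change.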
@@ -3123,7 +3131,7 @@
  of the packets.
 \layout Standard
 
-The particular success of the echo pipe in Samba development is the windows
+The particular success of the echo pipe in Samba development is the Windows
  client and server.
  By running the echo server on a Microsoft platform, questions such as 'how
  much data can I pass in a DCE-RPC packet' can be answered, without first
@@ -3276,7 +3284,7 @@
 
 While the PAC is now well understood, and sample KDC implementations that
  successfully sign the PAC are available, PAC support was not implemented
- - instead, the Samba server was modified to accept kerberos packets without
+ - instead, the Samba server was modified to accept Kerberos packets without
  the PAC.
  (The client does not process the PAC in the initial use case, so this complexit
 y was deferred).
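Review bot: `the Samba server was modified to accept Kerberos packets without the PAC` leaves out the authorisation consequence. The PAC is what carries the user's group membership from the KDC to the service, so a server that accepts a ticket without one must obtain that membership by some other route; the paragraph should say which route the modified server uses, and should note that this acceptance has to be revisited once PAC support is implemented, so that a ticket lacking a PAC is not silently accepted by default from then on.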
@@ -3312,8 +3320,8 @@
 \layout Standard
 
 In my testing the of a Kerberos domain join, it quickly becomes clear that
- the domain would not use kerberos if the `short' (NetBIOS) domain name
- was specified.
+ the domain would not use Kerberos for the join if the `short' (NetBIOS)
+ domain name was specified.
  While it is no more painful to enter the long name, the point made in Section
  
 \begin_inset LatexCommand \ref{sub:An-Upgraded-NT4}
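Review bot: the unchanged first line of this paragraph, `In my testing the of a Kerberos domain join`, has a word-order slip and should read `In my testing of a Kerberos domain join`. The tense also shifts from `it quickly becomes clear` to `the domain would not use`; `it quickly became clear that the domain would not use Kerberos for the join if the `short' (NetBIOS) domain name was specified` keeps the past-tense narrative consistent.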
@@ -3352,6 +3360,24 @@
  As mentioned above, this blocking point should be removed in near-future
  development, but this marks the conclusion of the development for this
  thesis.
+\layout Subsection
+
+Trying the short name
+\layout Standard
+
+After compleating the `failed' testing with long-name domain joins, comparison
+ tests were run - to confirm the status of the `before' case, which was
+ expected to easily be triggered by simply using the `short' or NetBIOS
+ domain name.
+ Indeed, this domain join proceeds with NTLMSSP, but what is more interesting
+ is what happens after the client reboots, having sucessfully joined the
+ domain.
+ It turns out that the client clues in on Kerberos in the meantime, and
+ proceeds to make a sucessful Kerberos connection to the Samba4 server,
+ using the machine account! Unfortunetly, other issues with current Samba4
+ prevent the login from proceeding, but these appear unreleated to the Kerberos
+ work (it occours with Kerberos compleatly disabled), and is rather an unrelated
+ regression.
 \layout Section
 
 Assessing the Changes
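Review bot: several spellings in the new `Trying the short name` subsection need correcting: `compleating` -> `completing`, `sucessfully` (twice) -> `successfully`, `Unfortunetly` -> `Unfortunately`, `unreleated` -> `unrelated`, `occours` -> `occurs`, `compleatly` -> `completely`. The last sentence also uses `unrelated` twice and loses its subject (`these appear unrelated to the Kerberos work ..., and is rather an unrelated regression`); suggest `but these appear to be a separate regression, unrelated to the Kerberos work (it occurs with Kerberos completely disabled)`. `clues in on Kerberos` is colloquial for a thesis; `discovers that Kerberos is available` says the same thing. Finally, the detail worth making explicit is how the machine account came to hold a usable Kerberos key when the join itself ran over NTLMSSP, since that is the mechanism this subsection is reporting and it is the point the reader will want to check.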
@@ -3391,6 +3417,8 @@
 \end_inset 
 
  of the trace, that we will also need Kerberos encrypted DRSUAPI support.
+ Likewise, the compromised `short name' join looks very promising, sucessfully
+ putting off the Kerberos until the logon stage.
 \layout Chapter
 
 Crypto Challenges
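Review bot: `the compromised `short name' join` is misleading in a security thesis, where `compromised` reads as `broken into`; the intended sense is a compromise in the fallback sense, so `the `short name' compromise` or `the fallback `short name' join` is clearer. Also `sucessfully` -> `successfully` on the same added line.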
@@ -3539,6 +3567,7 @@
  Once one password change or set function is known, may of the others prove
  to be simple variations, fixing particular issues (such as adding in the
  new NT password, or adding a confounder).
+ We look at a couple of puzzles in detail:
 \layout Section
 
 Netlogon 128
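Review bot: the context line `Once one password change or set function is known, may of the others prove` has `may` for `many`; fix it in this same edit. The added lead-in `We look at a couple of puzzles in detail:` should also match the number of sections that actually follow it, given that this commit removes the NTLM2 section from the same chapter.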
@@ -3736,29 +3765,6 @@
  because that would break the cryptographic signature.
  The client should instead use the bulk encryption security of the entire
  session to secure the transport of these sensitive data items.
-\layout Section
-
-NTLM2
-\layout Standard
-
-NTLM2 is a collection of changes to the NTLMSSP authenticaton system.
- While some of these changes have been publicly documented
-\begin_inset LatexCommand \citep{davenportntlm}
-
-\end_inset 
-
-, the encryption and cryptographic signing algorithms were not fully understood,
- particularly as the apply to DCE-RPC.
- 
-\layout Standard
-
-\layout Standard
-
-AEAD (Authenticated Encryption with Additional Data)
-\layout Standard
-
-reference lukeh pointed paper, proposed change to gssapi standard (lukeh).
- SSPI compatibility
 \layout Chapter
 
 Glossary
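Review bot: removing the NTLM2 section drops the only visible use of the `davenportntlm` citation and the pointer to lukeh's AEAD / GSSAPI proposal; check that nothing else in the thesis cross-references this section or cites `davenportntlm`, otherwise the bibliography entry goes unused and any `\ref` to it breaks. The removed text also recorded an open problem (the NTLM2 encryption and signing algorithms `were not fully understood, particularly as the apply to DCE-RPC`) that fits a chapter titled `Crypto Challenges`; if the detail is not wanted, a one-sentence mention of that gap in the chapter introduction would keep the record without the stub.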