svn commit: lorikeet r101 - in trunk/samba4-ad-thesis: .
abartlet at samba.org
Mon Oct 25 13:02:25 GMT 2004
Author: abartlet
Date: 2004-10-25 13:02:24 +0000 (Mon, 25 Oct 2004)
New Revision: 101
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/samba4-ad-thesis&rev=101&nolog=1
Log:
Add information on the 'short name, kerberos later' join.
Remove NTLM2 stub, we probably don't need to detail that.
Andrew Bartlett
Modified:
trunk/samba4-ad-thesis/chapters.lyx
Changeset:
Modified: trunk/samba4-ad-thesis/chapters.lyx
===================================================================
--- trunk/samba4-ad-thesis/chapters.lyx 2004-10-24 10:40:45 UTC (rev 100)
+++ trunk/samba4-ad-thesis/chapters.lyx 2004-10-25 13:02:24 UTC (rev 101)
@@ -80,7 +80,7 @@
\layout List
\labelwidthstring 00.00.0000
-Samba3 A production, NT4 replacement DC
+Samba3 A production, NT4 replacement Domain Controller
\layout List
\labelwidthstring 00.00.0000
@@ -533,7 +533,7 @@
\family typewriter
ncacn_np
\family default
- - the acronym is unimporant, but it means `Named Pipes' and this filesystem
+ - the acronym is unimportant, but it means `Named Pipes' and this file-system
concept is carried over CIFS to remote servers.
Other transports include:
\layout List
@@ -552,6 +552,14 @@
ncacn_ip_udp
\family default
DCE-RPC over UDP/IP
+\layout List
+\labelwidthstring 00.00.0000
+
+
+\family typewriter
+ncacn_ip_http
+\family default
+ DCE-RPC over HTTP
\layout Section
DNS
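Review bot: The new `ncacn_ip_http` list entry is formatted differently from its siblings: its description line `+ DCE-RPC over HTTP` carries a leading space, while `ncacn_ip_udp`'s `DCE-RPC over UDP/IP` has none, and LyX will render that space inline. Since the list presents these identifiers in typewriter font as literal protocol-sequence names, also verify the identifier itself before it goes into the thesis; the Microsoft RPC runtime's protocol sequence for RPC over HTTP is `ncacn_http`, without the `_ip` component.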
@@ -563,7 +571,7 @@
\family typewriter
_msdcs
\family default
- subdomain, Microsoft stores information about each of the domain controllers
+ sub-domain, Microsoft stores information about each of the domain controllers
on the network, both by DC name and more importantly by the network service
they provide.
@@ -967,7 +975,7 @@
More importantly, this authentication scheme has a direct heritage back
to the early days of the CIFS (then SMB) networking suite, with much of
the weakness in it as an authentication scheme linked to backward compatibility.
- It is the ubiquitous authentication scheme in windows networking, and even
+ It is the ubiquitous authentication scheme in Windows networking, and even
with Windows 2000 is the transparent fall-back option if and when Kerberos
fails to operate in a particular environment.
\layout Subsection
@@ -1571,7 +1579,7 @@
be securely collected, in clear-text, for hashing into appropriate Kerberos
keys.
Microsoft knew that it could not expect this kind of effort in upgrading
- windows servers from NT4 to Active Directory, so they solved it a different
+ Windows servers from NT4 to Active Directory, so they solved it a different
way.
\layout Standard
@@ -2180,7 +2188,7 @@
Windows 2000 versions), allows the login to progress using Kerberos authenticat
ion.
Likewise, a client unable to perform Kerberos knows from this reply that
- NTLMSSP, the more traditional login scheme on windows networks, is also
+ NTLMSSP, the more traditional login scheme on Windows networks, is also
acceptable.
\layout Subsection
@@ -2813,7 +2821,7 @@
Samba
\layout Standard
-Samba provides windows networking services, on a Unix-like platform.
+Samba provides Windows networking services, on a Unix-like platform.
These services range from simple file and printer sharing, to full management
of a NT-style domain.
All of these services are provided in the Samba package, which is itself
@@ -2845,7 +2853,7 @@
, Samba quietly evolved over the past 12 years from a barely functional
prototype, used to communicate between a DOS Pathworks client and a Sun
- server, into a solid file and print server for windows clients.
+ server, into a solid file and print server for Windows clients.
\layout Subsubsection*
Samba 2.0
@@ -2889,13 +2897,13 @@
and in particular Samba 3.0 grew to include the ability to be an NT4 compatible
domain controller, a functionality that even allows Samba to `take over'
- an existing windows network
+ an existing Windows network
\begin_inset LatexCommand \citep{samba-guide-migration}
\end_inset
.
- This has allowed many sites to remove windows servers entirely from their
+ This has allowed many sites to remove Windows servers entirely from their
networks.
\layout Standard
@@ -3078,7 +3086,7 @@
\end_inset
- on windows in it's ubiquitous use, GENSEC allows all aspects of Samba4
+ on Windows in it's ubiquitous use, GENSEC allows all aspects of Samba4
to use the same implementation of our core authentication protocols.
The interface is completely generic, and on starting this thesis it contained
support only for NTLMSSP, the development of which had been brought forward
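Review bot: The touched line `on Windows in it's ubiquitous use` still carries the `it's`/`its` error; since this line is being rewritten anyway, change it to `on Windows in its ubiquitous use`.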
@@ -3123,7 +3131,7 @@
of the packets.
\layout Standard
-The particular success of the echo pipe in Samba development is the windows
+The particular success of the echo pipe in Samba development is the Windows
client and server.
By running the echo server on a Microsoft platform, questions such as 'how
much data can I pass in a DCE-RPC packet' can be answered, without first
@@ -3276,7 +3284,7 @@
While the PAC is now well understood, and sample KDC implementations that
successfully sign the PAC are available, PAC support was not implemented
- - instead, the Samba server was modified to accept kerberos packets without
+ - instead, the Samba server was modified to accept Kerberos packets without
the PAC.
(The client does not process the PAC in the initial use case, so this complexit
y was deferred).
@@ -3312,8 +3320,8 @@
\layout Standard
In my testing the of a Kerberos domain join, it quickly becomes clear that
- the domain would not use kerberos if the `short' (NetBIOS) domain name
- was specified.
+ the domain would not use Kerberos for the join if the `short' (NetBIOS)
+ domain name was specified.
While it is no more painful to enter the long name, the point made in Section
\begin_inset LatexCommand \ref{sub:An-Upgraded-NT4}
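Review bot: The unchanged context line `In my testing the of a Kerberos domain join` has transposed words (`the of`); suggest `In my testing of a Kerberos domain join` while this paragraph is being edited. The rewording of the following two lines, making explicit that it is the join that does not use Kerberos, reads well.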
@@ -3352,6 +3360,24 @@
As mentioned above, this blocking point should be removed in near-future
development, but this marks the conclusion of the development for this
thesis.
+\layout Subsection
+
+Trying the short name
+\layout Standard
+
+After compleating the `failed' testing with long-name domain joins, comparison
+ tests were run - to confirm the status of the `before' case, which was
+ expected to easily be triggered by simply using the `short' or NetBIOS
+ domain name.
+ Indeed, this domain join proceeds with NTLMSSP, but what is more interesting
+ is what happens after the client reboots, having sucessfully joined the
+ domain.
+ It turns out that the client clues in on Kerberos in the meantime, and
+ proceeds to make a sucessful Kerberos connection to the Samba4 server,
+ using the machine account! Unfortunetly, other issues with current Samba4
+ prevent the login from proceeding, but these appear unreleated to the Kerberos
+ work (it occours with Kerberos compleatly disabled), and is rather an unrelated
+ regression.
\layout Section
Assessing the Changes
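Review bot: The new `Trying the short name` subsection needs a spelling pass before it lands: `compleating`, `sucessfully`, `sucessful`, `Unfortunetly`, `unreleated`, `occours` and `compleatly` should be `completing`, `successfully`, `successful`, `Unfortunately`, `unrelated`, `occurs` and `completely`. The last sentence also has a number problem, `these appear unrelated ... and is rather an unrelated regression`; suggest `these appear unrelated to the Kerberos work (the failure occurs with Kerberos completely disabled) and are instead a separate regression`. Finally, `the client clues in on Kerberos in the meantime` is vague for the key observation of the section: say what the client learned between the NTLMSSP join and the reboot that leads it to attempt Kerberos with the machine account, since that is the behaviour the later assessment relies on.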
@@ -3391,6 +3417,8 @@
\end_inset
of the trace, that we will also need Kerberos encrypted DRSUAPI support.
+ Likewise, the compromised `short name' join looks very promising, sucessfully
+ putting off the Kerberos until the logon stage.
\layout Chapter
Crypto Challenges
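Review bot: `sucessfully` on the added line should be `successfully`. Also, `the compromised `short name' join` is ambiguous in a security thesis, where `compromised` reads as `security-compromised`; suggest `the `short name' compromise` or `the short-name workaround`, and `deferring Kerberos to the logon stage` rather than `putting off the Kerberos until the logon stage`.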
@@ -3539,6 +3567,7 @@
Once one password change or set function is known, may of the others prove
to be simple variations, fixing particular issues (such as adding in the
new NT password, or adding a confounder).
+ We look at a couple of puzzles in detail:
\layout Section
Netlogon 128
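Review bot: The unchanged context line `may of the others prove` should read `many of the others prove`; worth fixing while this paragraph is being touched. The added sentence `We look at a couple of puzzles in detail:` ends in a colon immediately before a Section heading, which is fine for LyX but check that it renders as intended.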
@@ -3736,29 +3765,6 @@
because that would break the cryptographic signature.
The client should instead use the bulk encryption security of the entire
session to secure the transport of these sensitive data items.
-\layout Section
-
-NTLM2
-\layout Standard
-
-NTLM2 is a collection of changes to the NTLMSSP authenticaton system.
- While some of these changes have been publicly documented
-\begin_inset LatexCommand \citep{davenportntlm}
-
-\end_inset
-
-, the encryption and cryptographic signing algorithms were not fully understood,
- particularly as the apply to DCE-RPC.
-
-\layout Standard
-
-\layout Standard
-
-AEAD (Authenticated Encryption with Additional Data)
-\layout Standard
-
-reference lukeh pointed paper, proposed change to gssapi standard (lukeh).
- SSPI compatibility
\layout Chapter
Glossary
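Review bot: Removing the NTLM2 stub also drops the `\citep{davenportntlm}` citation; check whether any other chapter still cites `davenportntlm`, and if not, remove the entry from the bibliography so it does not appear as an uncited reference. The deleted lines were also the only record of the AEAD pointer and the proposed GSSAPI change from lukeh; if those are still candidates for the Crypto Challenges chapter, consider keeping them in a notes file rather than losing them with the stub.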