svn commit: lorikeet r105 - in trunk/samba4-ad-thesis: .
abartlet at samba.org
Tue Oct 26 12:27:18 GMT 2004
Author: abartlet
Date: 2004-10-26 12:27:18 +0000 (Tue, 26 Oct 2004)
New Revision: 105
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/samba4-ad-thesis&rev=105&nolog=1
Log:
More review fixes, from dad this time :-)
(I'll have the most globally distributed thesis review team ever at this rate ;-)
Andrew Bartlett
Modified:
trunk/samba4-ad-thesis/chapters.lyx
Changeset:
Modified: trunk/samba4-ad-thesis/chapters.lyx
===================================================================
--- trunk/samba4-ad-thesis/chapters.lyx 2004-10-26 00:42:46 UTC (rev 104)
+++ trunk/samba4-ad-thesis/chapters.lyx 2004-10-26 12:27:18 UTC (rev 105)
@@ -52,14 +52,14 @@
, and forms the culmination of over 3 years personal effort as a member
of that team.
- As a method of researching the topic of this thesis, I have been working
- on Samba4 since May 2004, developing the authentication and GENSEC security
- subsystems (described in Section
+ In researching the this thesis, I have been working on Samba4 since May
+ 2004, and developed the authentication and GENSEC security subsystems (describe
+d in Section
\begin_inset LatexCommand \ref{sec:GENSEC}
\end_inset
-) and bringing forward some of my previous work into the Samba4 framework.
+) as well as bringing some of my previous work into the Samba4 framework.
\layout Standard
This thesis contributes solid documentary basis for the work going forward,
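Review bot: the first added line reads "In researching the this thesis", with a doubled article; it should be "In researching this thesis". The tense also shifts within the new sentence ("have been working ... and developed"); "and have developed" would keep it consistent.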
@@ -113,13 +113,13 @@
\end_inset
demonstrated the ability to join a Microsoft Windows XP Professional client
- to a Samba4 domain.
- However, as this had not been independently reproduced, in Section
+ to a Samba4 domain; however this process had not been independently reproduced.
+ In Section
\begin_inset LatexCommand \ref{sec:Domain-Join}
\end_inset
- I proceed to do so in my test environment.
+ I proceed to reproduce this in my test environment.
\layout Section
@@ -129,17 +129,18 @@
In developing the new Samba4 infrastructure, the Samba Team decided to implement
calls in the same way as Microsoft Windows 2003 Server.
This decision is in line with a policy the Samba Team has consistently
- followed: to, where possible, emulate the latest versions of Microsoft's
- products.
+ followed: to emulate the latest versions of Microsoft's products whereever
+ possible.
This policy, in part, aims to avoid obsolecence and to take advantage
- of testing which other software vendors conduct against current products.
+ of testing which other software vendors conduct against current Microsoft
+ products.
\layout Standard
This policy has been hampered in recent years by the significant changes
made by Microsoft in developing Active Directory.
The Samba and IBM Blue Directory research teams
\begin_inset Foot
-collapsed false
+collapsed true
\layout Standard
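Review bot: "whereever" in the added line "followed: to emulate the latest versions of Microsoft's products whereever" is misspelled and should be "wherever". The unchanged line just below it still has "obsolecence" for "obsolescence", which this pass could fix at the same time.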
@@ -169,8 +170,9 @@
biggest change in Windows Authentication since the introduction of Microsoft
Windows NT.
Seen as a fundamental shift away from pure password-based authentication
- schemes, the move to Kerberos allowed Microsoft to move to an industry-standar
-d, extensible authentication scheme, with far more flexibility in implementation.
+ schemes, the migration to Kerberos allowed Microsoft to adopt an industry-stan
+dard, extensible authentication system, with far more flexibility in implementat
+ion.
\layout Standard
Though Kerberos, an industry-standard authentication system, was developed
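Review bot: with "scheme" changed to "system" in the added lines, this sentence now ends on "industry-standard, extensible authentication system" and the next paragraph opens with "Kerberos, an industry-standard authentication system", repeating the phrase in consecutive paragraphs. Dropping the appositive from the following sentence would avoid the echo.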
@@ -191,12 +193,12 @@
.
\layout Standard
-NT4 is now a deprecated technology,
+NT4 is now a legacy technology
\begin_inset LatexCommand \citep{nt4eol}
\end_inset
- despite the number of sites still running NT4 on both the client and the
+, despite the number of sites still running NT4 on both the client and the
server.
Therefore, the challenge is to emulate a much more recent version of Microsoft'
s offerings.
@@ -204,7 +206,7 @@
Because Kerberos is such key change in Active Directory, and because of
the lack of documentation for NTLM, this thesis looks at the authentication
- problem is considerable detail.
+ problem in considerable detail.
\layout Section
More than had been done before
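Review bot: the unchanged first line of this sentence still reads "Because Kerberos is such key change", missing an article. Since the hunk already fixes "is considerable detail" in the same sentence, change it to "such a key change" here too.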
@@ -212,7 +214,7 @@
The biggest change in Samba4 is the move beyond the CIFS
\begin_inset Foot
-collapsed false
+collapsed true
\layout Standard
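Review bot: the only change here, "collapsed false" to "collapsed true" on the Foot inset, does not touch the text and is unrelated to the review fixes named in the log message; the same flip appears in the hunks at @@ -129 and @@ -227. Consider leaving such toggles out of the commit, or committing them separately, so the wording changes are easier to review.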
@@ -227,7 +229,7 @@
protocol to also include the DCE-RPC
\begin_inset Foot
-collapsed false
+collapsed true
\layout Standard
@@ -245,6 +247,10 @@
that is carried over CIFS.
This move to include new protocols and new transports (layered wrappings)
for existing protocols is perhaps the most characteristic change.
+\layout Comment
+
+Perhaps reword the above.
+ Support for non-CIFS is a defining characteristic of Samba4.
\layout Standard
The first big change has been to answer DCE-RPC on non-CIFS transports.
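Review bot: the added Comment paragraph ("Perhaps reword the above.") records a reviewer suggestion instead of acting on it, so the sentence it refers to is left as it was. Either apply the rewording, for which the comment already offers "Support for non-CIFS is a defining characteristic of Samba4", or track the open item outside the chapter source so it is not forgotten.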
@@ -274,8 +280,8 @@
as the basis for the network login system.
\layout Standard
-Directory servers, available from a number of vendors, in the most basic
- form consist of key-value lookups on structured information.
+Directory servers are available from a number of vendors, and in their most
+ basic form consist of key-value lookups on structured information.
This information is often organised into a hierarchy.
\layout Standard
@@ -302,9 +308,9 @@
Standards-based directory server
\layout Standard
-To those in institutions that care about such things, Active Directory is
+To those in institutions who care about such things, Active Directory is
a standards-based (and in some ways standards-compliant) directory system,
- with access possible by protocols such as LDAP and Kerberos.
+ with access made possible by protocols such as LDAP and Kerberos.
Both of these protocols provide views onto the directory, and the internal
database appears to be a X.500 data model of some kind (but is not exposed
to the outside world directly, only via LDAP).
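Review bot: the unchanged line "database appears to be a X.500 data model of some kind" needs "an X.500"; worth fixing while this paragraph is being edited. Also, changing "that" to "who" in the first added line moves the clause from the institutions to the people in them, so check that this is the intended reading.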
@@ -379,19 +385,19 @@
\end_inset
-Perhaps the most important protocol in the Microsoft networking landscape,
- CIFS
+CIFS
\begin_inset LatexCommand \citep{mind,hertel,sniacifs}
\end_inset
+, perhaps the most important protocol in the Microsoft networking landscape,
dominates the connections made between almost all clients and servers on
a Windows network.
- As a network file-system, all file and print services are carried over
- it, but also Inter-Process Communication (IPC).
- As such, much of the network activity in an Active Directory implementation
- is carried over CIFS.
-
+ As a network file-system, file and print services are carried over CIFS,
+ but unlike other network file-systems CIFS also presents an Inter-Process
+ Communication (IPC) interface.
+ Accordingly CIFS carries much of the network activity in an Active Directory
+ implementation.
\layout Subsection
CIFS, SMB and NetBIOS
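Review bot: the added clause "but unlike other network file-systems CIFS also presents an Inter-Process Communication (IPC) interface" makes a comparative claim that the removed text ("but also Inter-Process Communication (IPC)") did not make; either cite support for it or qualify it, for example "unlike most other network file-systems". "Accordingly" at the start of the last added sentence should be followed by a comma.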
@@ -507,7 +513,7 @@
However, the complexity in DCE-RPC is not in the transport or basic operation
(not that the difficultly in writing a DCE-RPC marshaling and control library
should be underestimated), but in the proprietary security mechanisms and
- interface definitions:
+ interface definitions.
\layout Subsection
Interface Definitions
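Review bot: the unchanged line "(not that the difficultly in writing a DCE-RPC marshaling and control library" has "difficultly" for "difficulty", in the same sentence whose final colon is changed here. Fix it in this pass.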
@@ -542,8 +548,8 @@
domain controllers) are the two predominant security mechanisms applied
to DCE-RPC in a Microsoft environment, and both are considered proprietary
by Microsoft.
- Fortunetly there is a growing body of documentation on both, built up by
- independent researchers and the Samba Team.
+ Fortunately there is a growing body of documentation on both, built up
+ by independent researchers and the Samba Team.
In either case these mechanisms authenticate clients (by means of an authentica
ted `bind') and can secure the traffic as it passes over the network.
@@ -666,7 +672,7 @@
\layout Standard
Proof of server identity is a very important issue, as soon as any of the
- information given by that server is to be trusted.
+ information given by that server needs to be trusted.
Often called `mutual authentication', a solution to this problem ensures
that the server is `trusted' not to provide malicious data, such as an
invalid address book, and that it will behave properly with information,
@@ -788,7 +794,7 @@
\end_inset
- shows how when the server repeats the operation, using its copy of the
+ shows how, when the server repeats the operation using its copy of the
password, it compares the output with the value supplied by the client.
If the values match, the client must know the user's password.
\layout Standard
@@ -824,23 +830,14 @@
The client sends its result (rc) to the server.
If the client's result matches the server's result (rs), then the two nodes
have matching keys.
-\begin_inset Foot
-collapsed false
-
-\layout Standard
-
-Image and text (c) Chris Hertel
-\begin_inset LatexCommand \citep{hertel}
-
+ (Image and text (c) Chris Hertel(hertel),
+\family typewriter
+http://www.ubiqx.org/cifs/figures/smb-11.html
+\family default
+)
\end_inset
-, http://www.ubiqx.org/cifs/figures/smb-11.html
-\end_inset
-
-\end_inset
-
-
\layout Standard
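Review bot: in the added line "(Image and text (c) Chris Hertel(hertel)," the removed \citep{hertel} inset has become the literal text "(hertel)", so the attribution no longer produces a bibliography citation, and there is no space after "Hertel". Keep the LatexCommand \citep{hertel} inset inside the new parenthetical so the credit stays linked to the reference.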