svn commit: lorikeet r252 - in trunk/white-papers: .

abartlet at samba.org abartlet at samba.org
Wed Apr 13 12:36:38 GMT 2005


Author: abartlet
Date: 2005-04-13 12:36:37 +0000 (Wed, 13 Apr 2005)
New Revision: 252

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=252

Log:
Explain a little what the protocols are, and where the code in Samba4
came from.

Andrew Bartlett

Modified:
   trunk/white-papers/gensec-white-paper.lyx


Changeset:
Modified: trunk/white-papers/gensec-white-paper.lyx
===================================================================
--- trunk/white-papers/gensec-white-paper.lyx	2005-04-12 09:00:17 UTC (rev 251)
+++ trunk/white-papers/gensec-white-paper.lyx	2005-04-13 12:36:37 UTC (rev 252)
@@ -310,13 +310,19 @@
 \layout Section*
 
 Protocol Scope
+\layout Standard
+
+The biggest challenge (and the failure of the previous efforts in this area)
+ is the shear scope of the protocols involved.
+ Previous efforts did not attempt to address all the host protocols at once,
+ nor did they address or even allow for the full scope of security protocols.
 \layout Subsection*
 
 Host Protocols
 \layout Standard
 
-Any generic security solution used by Samba must be compatible with the
- wide variety of protocols that Samba4 implements or provides services to:
+At this stage, the host protocols which require security support in Samba
+ are:
 \layout Itemize
 
 CIFS
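Review bot: "shear scope" in the new Protocol Scope paragraph should be "sheer scope"; "shear" is the mechanical term. The rewritten Host Protocols lead-in ("At this stage, the host protocols which require security support in Samba are:") drops the requirement the old sentence carried, namely that any generic security solution must be compatible with all of them; consider keeping that requirement in the sentence, e.g. "At this stage, the host protocols which require security support in Samba, and with which any generic solution must therefore be compatible, are:".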
@@ -336,21 +342,35 @@
 
 Likewise, any solution we must also correctly handle the number of security
  protocols we implement:
-\layout Itemize
+\layout List
+\labelwidthstring 00.00.0000
 
-NTLMSSP
-\layout Itemize
+NTLMSSP The standard NTLM challenge response system, used by all modern
+ windows systems.
+\layout List
+\labelwidthstring 00.00.0000
 
-Kerberos
-\layout Itemize
+Kerberos Kerberos, oringally from MIT's project Athena is a crypographicly
+ secure trusted-third-party security system.
+ Kerberos version 5 (krb5) is the current standard.
+\layout List
+\labelwidthstring 00.00.0000
 
-GSSAPI
-\layout Itemize
+GSSAPI GSSAPI is a wrapping layer around security protocols, designed to
+ make them easier to use.
+ It typically wraps Kerberos version 5.
+\layout List
+\labelwidthstring 00.00.0000
 
-SPNEGO
-\layout Itemize
+SPNEGO This is a security negotiation protocol.
+ Also known as SNEGO, work is progressing to make the P again really mean
+ `protected'.
+\layout List
+\labelwidthstring 00.00.0000
 
-SCHANNEL
+SCHANNEL Schannel is the security mechanism used between Microsoft client
+ workstations and servers for domain membership, and used the machine trust
+ account.
 \layout Standard
 
 This list is expected to grow, particularly as LDAPv3 has DIGEST-MD5 as
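Review bot: several spelling errors in the new list entries: "oringally" should be "originally", "crypographicly" should be "cryptographically", and "windows" as the product name should be capitalised. In the SCHANNEL entry, "and used the machine trust account" reads as a tense slip; "and uses the machine trust account" matches the surrounding present tense. The SPNEGO entry is the only one that does not say what the mechanism does in practice; since the SPNEGO subsection added later in this same commit states that the code selects between the registered GENSEC mechanisms, this entry could say that it negotiates which of the other listed mechanisms (NTLMSSP or Kerberos) is used on a connection. The aside about work to make "the P again really mean `protected'" is not explained anywhere in the hunk; either state what problem it refers to or drop the aside from a definitions list.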
@@ -388,14 +408,62 @@
  to import that portion of Samba.
 \layout Subsection*
 
+NTLMSSP
+\layout Standard
+
+The NTLMSSP library was brought forward from Samba 3.0 in the original branch
+ of Samba4, and has been updated from that point.
+ This code, built in the early days of the Samba 3.0 project to support SPNEGO
+ includes a micro-impelmentation of NDR generation and parsing, suitable
+ for the small packets used in the NTLMSSP exchange.
+ The code has proven supprsingly stable in both 3.0 and Samba4, and has now
+ been extended to handle NTLM2 signing.
+\layout Standard
+
+It was the comparitive sucess of this code in Samba 3.0 (used in the CIFS
+ client, CIFS server and the DCERPC client) that strongly influenced the
+ design of GENSEC in Samba4.
+ 
+\layout Subsection*
+
+SPNEGO
+\layout Standard
+
+The SPNEGO code in Samba4 was derived from the code contributed by Anthony
+ Ligouri to Samba 3.0's 
+\family typewriter 
+ntlm_auth
+\family default 
+ utility.
+ This needed substatial extension, but unlike the code used in the rest
+ of Samba3, this was quite practical, and did not drasticly alter the parse
+ layer.
+\layout Standard
+
+This code now selects between the registered GENSEC mechanisms, in choosing
+ a suitable security protocol (essentially NTLM or Krb5 for now) for use
+ on the connection.
+ 
+\layout Subsection*
+
+SCHANNEL
+\layout Standard
+
+Samba4 includes a new schannel implementation, only distently derived from
+ that in Samba 3.0.
+ Now better seperated from the rest of the DCE-RPC code than it was in Samba
+ 3.0 or earlier Samba4 development, this is handled almost entirely as a
+ normal GENSEC module.
+\layout Subsection*
+
 Using the Heimdal library
 \layout Standard
 
 In an apparent contradiction with the above, we are also investigating a
- strong tie with the Heimdal implementation of Kerberos.
+ strong tie with the Heimdal implementation of Kerberos and GSSAPI.
  This contradiction comes about because we do not wish to re-implement the
- entire Kerberos library, but require features that to this point are only
- implemented in our custom release of that library.
+ entire Kerberos and GSSAPI libraries, but require features that to this
+ point are only implemented in our custom release of that library.
 \layout Standard
 
 The idea is that we will statically link with this library, rather than
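Review bot: the three new subsections (NTLMSSP, SPNEGO, SCHANNEL) are inserted between the paragraph ending "to import that portion of Samba" and the Heimdal subsection, whose first sentence begins "In an apparent contradiction with the above"; that reference used to point at the discussion of importing code and now points at the SCHANNEL text, which contains no contradiction. Either move the new subsections after "Using the Heimdal library" or reword the reference to name what it contrasts with. Spelling in the new text: "micro-impelmentation" should be "micro-implementation", "supprsingly" should be "surprisingly", "comparitive sucess" should be "comparative success", "substatial" should be "substantial", "drasticly" should be "drastically", "distently" should be "distantly", and "seperated" should be "separated". The two added lines containing only a single space (after "design of GENSEC in Samba4." and after "on the connection.") look like stray whitespace-only paragraphs and can be dropped.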
@@ -759,6 +827,15 @@
 The Session Key function breaks all the abstractions that should be present
  in such a security system, but are required for operation on CIFS, due
  to the way that `session keys' are used in SMB signing.
+\layout Section*
+
+Future requirements
+\layout Subsection*
+
+Asyncronous request support
+\layout Subsection*
+
+Moving beyond Samba
 \layout Standard
 
 
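Review bot: the new Future requirements section adds two subsection headings with no body text, so the document now ends with empty "Asyncronous request support" and "Moving beyond Samba" subsections; a one-sentence statement of each requirement (or an explicit placeholder noting that the text is still to be written) would be better than a bare heading. "Asyncronous" should be spelled "Asynchronous".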


