svn commit: lorikeet r252 - in trunk/white-papers: .
abartlet at samba.org
Wed Apr 13 12:36:38 GMT 2005
Author: abartlet
Date: 2005-04-13 12:36:37 +0000 (Wed, 13 Apr 2005)
New Revision: 252
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=252
Log:
Explain a little what the protocols are, and where the code in Samba4
came from.
Andrew Bartlett
Modified:
trunk/white-papers/gensec-white-paper.lyx
Changeset:
Modified: trunk/white-papers/gensec-white-paper.lyx
===================================================================
--- trunk/white-papers/gensec-white-paper.lyx 2005-04-12 09:00:17 UTC (rev 251)
+++ trunk/white-papers/gensec-white-paper.lyx 2005-04-13 12:36:37 UTC (rev 252)
@@ -310,13 +310,19 @@
\layout Section*
Protocol Scope
+\layout Standard
+
+The biggest challenge (and the failure of the previous efforts in this area)
+ is the shear scope of the protocols involved.
+ Previous efforts did not attempt to address all the host protocols at once,
+ nor did they address or even allow for the full scope of security protocols.
\layout Subsection*
Host Protocols
\layout Standard
-Any generic security solution used by Samba must be compatible with the
- wide variety of protocols that Samba4 implements or provides services to:
+At this stage, the host protocols which require security support in Samba
+ are:
\layout Itemize
CIFS
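Review bot: the new Protocol Scope paragraph has a spelling slip, `shear scope` should be `sheer scope`. The rewritten lead-in, "At this stage, the host protocols which require security support in Samba are:", also switches from the "Samba4" used elsewhere in this document to plain "Samba"; pick one and use it consistently, since the list that follows is specifically what Samba4 implements.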
@@ -336,21 +342,35 @@
Likewise, any solution we must also correctly handle the number of security
protocols we implement:
-\layout Itemize
+\layout List
+\labelwidthstring 00.00.0000
-NTLMSSP
-\layout Itemize
+NTLMSSP The standard NTLM challenge response system, used by all modern
+ windows systems.
+\layout List
+\labelwidthstring 00.00.0000
-Kerberos
-\layout Itemize
+Kerberos Kerberos, oringally from MIT's project Athena is a crypographicly
+ secure trusted-third-party security system.
+ Kerberos version 5 (krb5) is the current standard.
+\layout List
+\labelwidthstring 00.00.0000
-GSSAPI
-\layout Itemize
+GSSAPI GSSAPI is a wrapping layer around security protocols, designed to
+ make them easier to use.
+ It typically wraps Kerberos version 5.
+\layout List
+\labelwidthstring 00.00.0000
-SPNEGO
-\layout Itemize
+SPNEGO This is a security negotiation protocol.
+ Also known as SNEGO, work is progressing to make the P again really mean
+ `protected'.
+\layout List
+\labelwidthstring 00.00.0000
-SCHANNEL
+SCHANNEL Schannel is the security mechanism used between Microsoft client
+ workstations and servers for domain membership, and used the machine trust
+ account.
\layout Standard
This list is expected to grow, particularly as LDAPv3 has DIGEST-MD5 as
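Review bot: several of the new list entries need proofreading before this goes out: `oringally` (originally), `crypographicly` (cryptographically), `windows` (Windows), and the SCHANNEL entry reads "and used the machine trust account", which should be "and uses the machine trust account". The SPNEGO entry is also hard to follow for a reader who does not already know the acronym; "work is progressing to make the P again really mean `protected'" only makes sense once the name is expanded (Simple and Protected GSSAPI Negotiation), so consider spelling it out first. Finally, the unchanged context line above the list, "Likewise, any solution we must also correctly handle the number of security protocols we implement:", is ungrammatical ("any solution must also correctly handle ..."); worth fixing while you are editing this block.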
@@ -388,14 +408,62 @@
to import that portion of Samba.
\layout Subsection*
+NTLMSSP
+\layout Standard
+
+The NTLMSSP library was brought forward from Samba 3.0 in the original branch
+ of Samba4, and has been updated from that point.
+ This code, built in the early days of the Samba 3.0 project to support SPNEGO
+ includes a micro-impelmentation of NDR generation and parsing, suitable
+ for the small packets used in the NTLMSSP exchange.
+ The code has proven supprsingly stable in both 3.0 and Samba4, and has now
+ been extended to handle NTLM2 signing.
+\layout Standard
+
+It was the comparitive sucess of this code in Samba 3.0 (used in the CIFS
+ client, CIFS server and the DCERPC client) that strongly influenced the
+ design of GENSEC in Samba4.
+
+\layout Subsection*
+
+SPNEGO
+\layout Standard
+
+The SPNEGO code in Samba4 was derived from the code contributed by Anthony
+ Ligouri to Samba 3.0's
+\family typewriter
+ntlm_auth
+\family default
+ utility.
+ This needed substatial extension, but unlike the code used in the rest
+ of Samba3, this was quite practical, and did not drasticly alter the parse
+ layer.
+\layout Standard
+
+This code now selects between the registered GENSEC mechanisms, in choosing
+ a suitable security protocol (essentially NTLM or Krb5 for now) for use
+ on the connection.
+
+\layout Subsection*
+
+SCHANNEL
+\layout Standard
+
+Samba4 includes a new schannel implementation, only distently derived from
+ that in Samba 3.0.
+ Now better seperated from the rest of the DCE-RPC code than it was in Samba
+ 3.0 or earlier Samba4 development, this is handled almost entirely as a
+ normal GENSEC module.
+\layout Subsection*
+
Using the Heimdal library
\layout Standard
In an apparent contradiction with the above, we are also investigating a
- strong tie with the Heimdal implementation of Kerberos.
+ strong tie with the Heimdal implementation of Kerberos and GSSAPI.
This contradiction comes about because we do not wish to re-implement the
- entire Kerberos library, but require features that to this point are only
- implemented in our custom release of that library.
+ entire Kerberos and GSSAPI libraries, but require features that to this
+ point are only implemented in our custom release of that library.
\layout Standard
The idea is that we will statically link with this library, rather than
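Review bot: the three new subsections carry a run of typos that should be fixed before the paper is published: `micro-impelmentation`, `supprsingly`, `comparitive sucess`, `substatial`, `drasticly`, `distently` (distantly), `seperated`; the NTLMSSP paragraph also wants a comma, "built in the early days of the Samba 3.0 project to support SPNEGO, includes a micro-implementation". Please also double-check the spelling of the contributor's surname in the SPNEGO section (`Ligouri`; I believe it is Liguori). In the Heimdal paragraph the change from "the entire Kerberos library" to "the entire Kerberos and GSSAPI libraries" leaves the following "our custom release of that library" dangling; "our custom release of Heimdal" or "those libraries" would read cleanly.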
@@ -759,6 +827,15 @@
The Session Key function breaks all the abstractions that should be present
in such a security system, but are required for operation on CIFS, due
to the way that `session keys' are used in SMB signing.
+\layout Section*
+
+Future requirements
+\layout Subsection*
+
+Asyncronous request support
+\layout Subsection*
+
+Moving beyond Samba
\layout Standard
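Review bot: the new "Future requirements" section adds two subsection headings, "Asyncronous request support" and "Moving beyond Samba", with no body text under either, so the document now ends with empty headings; either add at least a sentence per subsection or leave them out until the text exists. Also `Asyncronous` should be `Asynchronous`.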