Status of Kerberos Support across Samba versions

[Nicolas Williams]

Luke posted the IDL description of the user profile structure to the XAD
list not too long ago. So that much is known publically through means
other than reading the MS spec.

Also, several public MS docs describe enough of the mechanism that it
can be reverse engineered.

Samba will have to play a role in any KDC/ActiveDirectory open-source
replacement project as MS added a call to the NetLogon protocol to
validate the KDC PAC signature. (All of this is public knowledge).
Samba has the only open-source implementation of various MSRPC protocols,
including NetLogon.

Moreover, if you go read the Kerberos mailing list archives you'll see
that one of the MIT team members says that parts of the MS PAC were
discussed a long time ago on those same lists in detail.

If you put it all together it may be possible to obtain 90% of the
details of the spec without reading the MS secret spec.

If anyone is serious about starting such a project then they'll have to
document all their sources for any information about the MS PAC and any
reverse engineering efforts.

It might be best to wait for the IETF to decide on what to do with the
Kerberos standard. It may clarify it to make MS's extension officially
against the standard or it may promote a new extension format that is
akin to MS', but designed for openness, extensibility and
interoperability. If the IETF acts in anyway other than to condone MS's
spec then pressure would grow on MS to support the new standard.

BTW, other vendors (e.g., Sun) deal with the lack of a PAC by looking up
the Kerberos client principal's platform-specific system credentials in
some DB. Windows 2000 actually supports this mode of operation, but the
lookups are only done against the _local_ SAM; _this_ is the truly
onerous problem with the MS implementation.

Part of the problem with the lookup-the-client-principal's-system-creds
approach is that it requires that ALL servers be able to lookup any user
principal's system credentials. With a system like MS's this requirement
can be avoided and thus anonymous or nearly-anonymous directory lookups
can be avoided altogether. Mind you, in a mixed-mode Windows environment
(i.e., if you have NT 4 or Samba domain members) you cannot truly take
advantage of this feature.

Nico


On Sat May 06 2000, Mayers, P J (p.mayers at ic.ac.uk) wrote:
> As I understand is, the PAC issued by Win2K contains signed SIDs, the groups 
> of which the ticketholder is a member. By adding users to groups, requesting 
> a ticket, removing them, and requesting another ticket, it cannot be that 
> hard to reverse the contents. 
> 
> Samba wouldn't issue the PAC anyway - it would be the KDC's job to issue the 
> K5 ticket with the appropriate PAC. Samba would have to *use* the PAC (this 
> might seem a picky distinction, but I'm coming to the point...) 
> 
> So, what would not using the PAC implicate for Samba? Well, you wouldn't 
> know what NT groups the ticket had permissions for. If you're willing to 
> live with a loss of flexibility, you could do a name-based lookup (against 
> the ActiveDirectory, say) to get the groups. 
> 
> I agree a Win2K compliant PDC would have to have a PAC-format-issuing KDC, 
> but I'll leave that up to the MIT or Heimdal boys. Samba can survive without 
> the PAC info - but K5 ticket support (instead of NTLM of whatnot) would be 
> nice. 
> 
> Cheers, 
> Phil 


Nico
--