About Kerberos Programming

Nicolas Williams Nicolas.Williams at ubsw.com
Thu Apr 5 17:44:01 GMT 2001

Just a note:

AFAICS you (the Samba Team) have four options:

1. Document the problem and otherwise do nothing about it. AD admins
   will just have to make sure Samba servers can lookup user profiles.

2. Reverse engineer the MS Kerberos PAC thing and implement the same
   features in Samba (clients and servers).

3. Design a better, more general and actually elegant system than the
   MS Kerberos PAC and produce a DLL to replace bits of functionality
   in LSA.DLL.

4. Give up.

I imagine (4) is unacceptable to you, the Samba Team.

(1) will likely make Samba unacceptable at some installations.

(2) is fraught with legal difficulties. Even if you do a great job of
proving HOW you got the knowledge you need for (2) WITHOUT having had
to read the MS spec you can never prove that you DIDN'T read the MS
spec. Worst case: Samba cannot be distributed in some parts of the
world that probably matter much to you, the Samba Team (e.g., the
United States of America).

(3) is almost free of legal issues, save to the extent that EULAs
prohibiting patching of systems are held up in the courts of those of
the United States that have made UCITA state law. Speak to a lawyer.

Remember though that IANAL!

I would recommend (3). There almost certainly are better ways to achieve
the technical goals that I imagine MS was trying to solve with their
Kerberos PAC thing. And, from a PR pov, you win because you would be
innovating, rather than "stealing" from MS. Plus, to top it off, others
have resorted to this kind of approach before (e.g., Novell). Besides,
if you come up with a better system and you make it a standard and you
make it work with MS systems, pretty soon pressure will mount on MS to
adopt the new standard; better for you to follow a strategy where
others have to follow your lead than where you have to constantly catch
up, no?

I have entertained several ways to do (3) and have even discussed it
with some folk who are involved with the Kerberos standards. So far as
I can see, there is little appetite among those folk to start a
project to design such better Kerberos extensions, but that doesn't
mean you, the Samba Team, can't take that on yourselves.

I will gladly share my thoughts on (3) if you want. But note, I'm not
interested in (3) out of resentment of MS or moral convictions, but
because there's a better way to do what MS did and more and that has
been bothering me for some time.


On Wed, Apr 04, 2001 at 05:10:27PM +0000, Jeremy Allison wrote:
> Nicolas Williams <Nicolas.Williams at ubsw.com> wrote:
> : Well, not quite. You can only do this kind of query if you're
> : authorized, and if you're running ActiveDirectory in native mode with no
> : NT4 systems around, then by default computer trust accounts don't have
> : the authorization to look up users' profiles.
> : THAT is one of the points of putting the profile in Kerberos tickets,
> : that hosts need not lookup user profiles and thus they do not need the
> : authorization to perform the lookups, thus making it harder to
> : enumerate the users in your domain and thus find attack targets.
> *Very* good point - I hadn't considered that, thanks. Looks like
> we're going to have to be messing with the PAC format much sooner
> than I thought.....
> Thanks,
> 		Jeremy Allison,
> 		Samba Team.
> -- 
> --------------------------------------------------------
> Buying an operating system without source is like buying
> a self-assembly Space Shuttle with no instructions.
> --------------------------------------------------------
