CIFS and Kerberos question

Naomaru Itoi nitoi at activcard.com
Fri Dec 13 15:23:00 GMT 2002


Hi, 

Thanks for your great work as always.  This question is slightly
off-topic, but you guys know a lot about SMB/CIFS and Microsoft Active
Directory & Kerberos, so let me ask ... 

I am trying to achieve PKI authentication and SMB access to Windows Domain
from a UNIX box.  In other words:
- From a UNIX box (let's say MacOS X), a user gets authenticated by a Domain
Controller (which uses Active Directory for authenticating users) with a
digital signature from a smartcard
- The user mounts a directory on a Windows PC, which is in the domain,
through SMB/CIFS.
- The user accesses the files through SMB/CIFS. 

To achieve this, I need to gather some information about Kerberos and
SMB/CIFS on Windows.  

By reading documents in MSDN Library and on the Internet, I am guessing the
following are the architectures of Windows filesystem client and server.

Microsoft Client          Microsoft Server

Filesystem                Filesystem
--------------            --------------
SSPI-Krb5                 SSPI-Krb5
--------------            --------------
Kerberos | CSP            Kerberos
--------------
TCP/IP   | PC/SC
        
- Filesystem relies on SSPI-KerberosV to provide security services.
- SSPI-KerberosV uses KerberosV5 (and its PKI extension, PKINIT) to
authenticate a user (and maybe establish a secure channel).
- SSPI-KerberosV uses CSP/CAPI for smartcard services.

[Question 1. Is this guess correct?]

Assuming the answer to Question 1. is correct, I believe here's what I have
to implement:

My Client                 Microsoft Server

Filesystem                Filesystem
--------------            --------------
GSSAPI-Krb5               SSPI-Krb5
--------------            --------------
Heimdal | PC/SC           Kerberos
--------------
TCP/IP
  
- Fortunately, since there are open source implementations of SMB/CIFS
filesystems (e.g. on MacOS X and on Linux), I don't have to write a
filesystem.
- Also fortunately, Heimdal seems to have PKINIT tested with Microsoft KDC,
so I don't have to implement this, either.
- My concern is that there is no SSPI on UNIX.  However, I believe SSPI and
GSSAPI are similar.

[Question 2. Is there a chance GSSAPI on a UNIX client and SSPI on a Windows
server interoperate, with a reasonable amount of changes?]

Assuming the answer to Q2 is NO, then I guess I have to Kerberize the
filesystem.  

[Question 3. What exactly does Kerberos do in the server?  If Kerberos is
used only for initial authentication, then all I need to do is PKINIT in the
filesystem on UNIX, right?  Or, does Kerberos actually check a ticket for
each message, and even more, encrypt the data transferred between the client
and the server?  If so, what exactly do I have to do?  Encrypt packets with
Kerberos functions?]

[Question 4. Are there any documents which describe the internals of SSPI,
the Microsoft filesystem implementation, etc.?]  

As these are very detailed questions, I would appreciate any help ... advice
on how I should proceed, where to get more information, whom else to ask,
etc.  

Thank you.

--
Concentration ... Naomaru Itoi 
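Added illustration for Question 3, not part of the original post: after Kerberos authentication, CIFS does not re-check the ticket per message; instead the negotiated session key becomes the signing key and every SMB1 message carries an 8-byte SecuritySignature computed per MS-CIFS 3.1.4.1 (signature field replaced by the sequence number, then the first 8 bytes of MD5(key || message)). The 16-byte key and the SMB header below are constructed sample values; that the Kerberos session key is used directly as the MAC key is an assumption stated here, not something the post confirms.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14  # SecuritySignature field in the 32-byte SMB1 header
SIG_LEN = 8


def sign_smb1(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """Return a copy of message with its SecuritySignature filled in.

    The field is overwritten with the 32-bit little-endian sequence number
    plus four zero bytes, then replaced by MD5(mac_key || message)[:8].
    """
    if len(message) < SIG_OFFSET + SIG_LEN:
        raise ValueError("message too short to hold an SMB1 header")
    body = bytearray(message)
    body[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<II", seq, 0)
    digest = hashlib.md5(mac_key + bytes(body)).digest()[:SIG_LEN]
    body[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = digest
    return bytes(body)


def verify_smb1(mac_key: bytes, message: bytes, seq: int) -> bool:
    """Recompute the signature for the expected sequence number and compare."""
    expected = sign_smb1(mac_key, message, seq)
    got = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(expected[SIG_OFFSET:SIG_OFFSET + SIG_LEN], got)


def demo() -> dict:
    # Constructed 16-byte key standing in for the Kerberos session key
    # (assumption: the GSSAPI/SSPI session key is used as the MAC key).
    session_key = bytes(range(16))
    # Constructed SMB1 header (32 bytes): "\xffSMB", SMB_COM_OPEN_ANDX,
    # status, flags, flags2, PIDHigh, signature (zeroed), reserved, TID,
    # PIDLow, UID, MID; followed by WordCount=0 and ByteCount=0.
    header = (b"\xffSMB" + b"\x2d" + b"\x00" * 4 + b"\x08" + b"\x01\xc8"
              + b"\x00\x00" + b"\x00" * 8 + b"\x00\x00" + b"\x01\x00"
              + b"\x34\x12" + b"\x02\x00" + b"\x01\x00")
    payload = header + b"\x00" + b"\x00\x00"
    signed = sign_smb1(session_key, payload, seq=2)
    tampered = bytearray(signed)
    tampered[-1] ^= 0x01  # flip one bit outside the signature field
    return {
        "valid": verify_smb1(session_key, signed, seq=2),
        "replayed": verify_smb1(session_key, signed, seq=3),
        "tampered": verify_smb1(session_key, bytes(tampered), seq=2),
    }
```

The receiver tracks the expected sequence number itself, so a replayed or modified message fails verification even though the signature bytes are unchanged.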