[Samba] Setting up Samba4 - lots of implementation questions esp re. PKI and SSO

[Michael Wood]

Hi

On 19 October 2010 01:48, Paul Bradley <paul.bradley.listmail at gmail.com> wrote:
> I have a LOT of questions!!! This may take a while. I know some of this
> stuff is at the edge of what Samba4 is just becoming able to do, so if
> anyone who knows feels this is better posted on samba-technical I'd
> appreciate a cross-post from someone in a position to know for sure - I did
> consider posting it there straight away but I figured it's a dev list and I
> could at least get _some_ of my questions answered here first maybe.

Well, the Samba4 HOWTO still says to post to samba-technical.  I think
some of the stuff you're asking about might also be appropriate for
the heimdal mailing list.

Anyway, I've copied the samba-technical list.

> I am setting up Samba4 for SSO on a home lan with VPN access. My needs are
> therefore relatively modest in terms of the more enterprise level features
> of S4 (awesome stuff by the way guys - what a project), but I do want to do
> some stuff like use a PKI structure with smartcards, manage group policy for
> the windows clients, use kerberos for single sign on and that sort of thing.
> We have a few PCs/Laptops/VMs and are setting up a VPN, so although it's not
> really enterprise level stuff I am doing a few things that are "business
> like" if you want to put it that way. I have mainly windows clients (Win7,
> WinXP VMs) but there are one or two linux VMs that I'd also like to get the
> benefits of samba4 with. I'm strongly getting the impression from reading
> over the past couple of days that samba4 has just recently reached the point
> of doing basically everything I need.
>
> Servers are linux and linux-like, applications are filesharing, ssh, vpn
> (probably going to be IPSEC/L2TP - haven't set that up yet, it's waiting on
> the PKI, and on the kerberos for authenticating sessions to services once
> the VPN connection is made), apache for a Joomla CMS and probably a couple
> of other bits and pieces that I've forgotten all about.
>
> My questions are:
>
>
> - I am a little confused about the PKI implementation. Especially as regards
> the particular details of how I should set up the X509 information in the
> certificates. I found this:
> http://middleware.internet2.edu/pki07/proceedings/slides/10-kornievskaia-pkinit-interop.pdf which
> seems quite detailed and covers quite a bit, in particular it mentions
> this:
>
> -------QUOTE----------------------------------------------------------
> CLIENT IDENTITY
> - Kerberos principal name encoded in X509 SAN
> - Mapping facility at the KDC
> - Must have X509 EKU fields
> --------/QUOTE----------------------------------------------------------
>
> So to handle those one at a time, principal name for a user would just be
> their username on the domain, or would it be the full CN like
> paul at mydomain.com ?

The principal would be user at REALM.

> Then for a service (I've read
> http://technet.microsoft.com/en-us/library/cc961723.aspx) is the principal
> name something like smb/192.168.0.1/:139/fileserver which would specify a
> smb service on 192.168.0.1 on port 139 called fileserver, then fileserver
> would be the name that resolved to 192.168.0.1 in the DNS? What happens with
> multiple services on one server - do they all need separate keys and
> certificates since they each need a different service principal name?

As far as I understand, yes, each service needs its own SPN.

> Perhaps it is enough to have more than one certificate each specifying a
> different SPN, but all using the same key, or if I did that would there be a
> security implication, since this might mean one service could masquerade as
> another? How do I specify when creating the certificates with OpenSSL what
> the SAN should be?
>
> As to the second part - "Mapping facility at the KDC". I understand the KDC
> needs to map the user certificate onto a username on the domain (or perhaps
> more accurately some sort of GUID for the user) but how is this set up when
> using PKI - do I use the Microsoft domain administration tools to connect to
> Samba and bind the user certificates to the users? What about servers -
> presumably their keys (now stored on disk rather than on tokens/smartcards)
> also need to be in the directory so they can be mapped to the object in the
> directory and participate in the kerberos or indeed do PKINIT for eg. cron
> jobs which require connecting to other services?
>
> For the third part (X509 EKU fields) - are these the "key usage" fields? The

Yes, I think it's "extended key usage" or something like that.

> stuff like "signing" "encryption" etc. etc.? How do I set these in OpenSSL
> when creating the certificates and what should I set them too?
>
> Also, is there much in particular I should be aware of when creating my CA?
> LDAP and X509 are probably my weakest points in understanding all this - can
> someone point me to a guide or give me some more information that can guide
> me in deciding how to name and structure things so as to avoid potential
> future issues.
>
> Now, as to the PKINIT I presume Samba4 will interact well enough with the
> native Windows PKINIT so I shouldn't have much to worry about there, but
> please do correct me if I'm wrong. What about the linux clients though -
> should I use CITI PKINIT ? If I do, what will happen as regards the PKCS#11
> library? I have two different types of cards here, both of which seem to
> work OK with the commercial middleware and tools which I have (SafeSign,
> which works on both Windows and Linux) so I would want to use the SafeSign
> PKCS#11 libraries, presumably the PKINIT will talk to any compliant PKCS#11
> ?
>
> Once PKINIT has happened, the services then need to authenticate the peer
> right, so presumably pam-krb5 is the tool for that? On the module page it
> mentions working well with MIT kerberos and says that it is less tested with
> Heimdal. I understand that S4 is implemented based on Heimdal so is
> operation with pam-krb5 generally working now? If not, how is it done?
>
> Having said that S4 kerberos is based on Heimdal, I wonder is the Heimdal
> documentation good for guidance or is the implementation too different?
>
> Now for IPSEC (told you this would go on a while...) - I presume IPSEC on
> linux can use kerberos to authenticate the peer - does this work through
> pam-krb5 again or is there some other mechanism at work?
>
> - I'm thinking of having my fileserver be one of the DCs/KDCs. The
> fileserver is probably one of the most secured machines in the whole lot
> anyway. Are there any good reasons I should not do this? The way I see it,
> if my KDC gets compromised the fileserver is shot anyway, and if the
> fileserver (which will have stuff like KDC backups on it, mounted when it's
> running which is basically always) gets compromised the KDC may as well be
> considered compromised. Therefore, I don't see that much reason to separate
> the two, and would simply run one DC on the fileserver and a second one on a
> dedicated old box for redundancy. Any comments?
>
> - Since the KDC is very sensitive (has it's own keys on the disk), I'd like
> to consider encrypting it so that if for example it were stolen there would
> be nothing to read off the disk. How would I go about setting up Samba4 to
> install all the security critical stuff in /home so I could use an encrypted
> home directory to protect it? I'd rather not encrypt the whole drive and use
> pre-boot authentication as that would stop me being able to do remote
> reboots or bring it back up after a power failure unless I was on-site.
> Indeed, what even IS the security critical stuff? Presumably the directory
> itself contains stuff of interest (although on the other hand, all it would
> have would be public keys wouldn't it, and of course details of who could do
> what and of the network structure), what about the KDC keys, where are they?
> Anything else I've not thought of? Anyway, the short version of the question
> is, how do I get all that stuff to install into /home so I can encrypt it
> easily.
>
> - For another rather thornier security question, and one I am leaning away
> from bothering with, what about exposing kerberos to the WAN (the public
> Internet) so that users can still do SSO to the VPN when off-lan? I presume
> this is asking for trouble, and probably shouldn't even bother asking this,
> at least not with alpha software, but I just thought it was worth opening it
> up for comment. Perhaps I could even consider opening it up but only to
> authenicated IPSEC sessions using certificates so only pre-authenticated
> users could even begin to talk to the KDC. Any thoughts?
>
> Thanks to anyone who actually managed to read this far - this post has gone
> on longer than even I imagined it would. I guess I still have a lot to
> learn, but this stuff is just plain AWESOME. Congratulations once again to
> everyone who's contributed to this. Indeed, if in some way my testing and
> feedback can provide more information to the developers and help with the
> SSO/PKI side of things I'll be very happy to have contributed in some small
> way.
>
> Paul

-- 
Michael Wood <esiotrot at gmail.com>