Win2k & Samba compatibility?

Christopher R. Hertel crh at nts.umn.edu
Wed Feb 9 22:56:55 GMT 2000


Urq.  I just sent a long message about this to Jeremy, though it was 
supposed to go to the list.  Some bug in this version of elm.  Sorry.

> On Thu, 10 Feb 2000, Terry McCoy wrote:
> 
> > Adding support for kerb5 on platforms that support PAM should actually
> > be just a few lines as long as the machine's PAM configuration is
> > working.
> 
> Proper kerberization of a network application involves more than simply
> passing a cleartext password back to a PAM module for verification against a
> KDC.  Doing as you describe would allow Samba to authenticate a Kerberos
> domain controller, but it would not allow Kerberos authentication between the
> client and server, which is what is required for Win2K compatibility.

Okay, quickly...

Microsoft is using a proprietary Privilege Authorization Certificate.  
Note the word "Authorization".  Kerberos was originally designed as an 
Authentication service.  PACs were added as an option for K5.  Microsoft 
has (last I heard) chosen not to release info about their PACs.

The upshot is that many, many systems will have trouble.  I heard an MBONE
multicast of a Q&A session with Vixie the other night.  He was explaining
that in certain configurations a W2K box will expect to use its PAC as
authorization for DynDNS registrations.  Of course, a non-W2K DNS server
won't recognize the encrypted, proprietary PAC and will drop the request
on the floor, logging an unauthorized registration request. 

The result will be that the DNS server will be filtering out large numbers
(depending upon the network size and number of W2K boxes) of such packets
and the W2K boxes won't be getting their names registered.  Instant DoS.

> I know some of the people who were working on a similar project at Iowa State.
> However, I was never privy to the details, as the comp center has Policies
> regarding source code. :)

Samba is under GPL.  If they are merging their code with Samba they have 
no choice.

Chris -)-----

-- 
Christopher R. Hertel -)-----                   University of Minnesota
crh at nts.umn.edu              Networking and Telecommunications Services

    Ideals are like stars; you will not succeed in touching them
    with your hands...you choose them as your guides, and following
    them you will reach your destiny.  --Carl Schultz
