<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=csiso2022jp">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>Kerberos and CIFS question</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Hi, </FONT>
</P>
<P><FONT SIZE=2>Thanks for your great work as always. This question is slightly off-topic, but you know a lot about Microsoft Kerberos, so let me try ... . </FONT></P>
<P><FONT SIZE=2>I am trying to achieve PKI authentication and SMB access to Windows Domain from a UNIX box. In other words:</FONT>
<BR><FONT SIZE=2>- From a UNIX box (let's say MacOS X), a user gets authenticated by a Domain Controller (which uses Active Directory for authenticating users) with a digital signature made with a smartcard</FONT></P>
<P><FONT SIZE=2>- The user mounts a directory on a Windows PC, which is in the domain, through SMB/CIFS.</FONT>
<BR><FONT SIZE=2>- The user accesses the files through SMB/CIFS. </FONT>
</P>
<P><FONT SIZE=2>To achieve this, I need to gather some information about Kerberos and SMB/CIFS on Windows. </FONT>
</P>
<P><FONT SIZE=2>By reading documents in MSDN Library and on the Internet, I am guessing the following are the architectures of Windows filesystem client and server.</FONT></P>
<PRE>
Microsoft Client          Microsoft Server

Filesystem                Filesystem
--------------            --------------
SSPI-Krb5                 SSPI-Krb5
--------------            --------------
Kerberos | CSP            Kerberos
--------------
TCP/IP   | PC/SC
</PRE>
<P><FONT SIZE=2>- Filesystem relies on SSPI-KerberosV5 to provide security services.</FONT>
<BR><FONT SIZE=2>- SSPI-KerberosV5 uses KerberosV5 (and its PKI extension, PKINIT) to authenticate a user (and maybe establish a secure channel).</FONT></P>
<P><FONT SIZE=2>- SSPI-KerberosV5 uses CSP/CAPI for smartcard services.</FONT>
</P>
<P><FONT SIZE=2>[Question 1. Is this guess correct?]</FONT>
</P>
<P><FONT SIZE=2>Assuming the answer to Question 1. is yes or almost yes, I believe I can achieve the goal with an architecture like this:</FONT></P>
<PRE>
My Client                 Microsoft Server

Filesystem                Filesystem
--------------            --------------
GSSAPI-Krb5               SSPI-Krb5
--------------            --------------
Kerberos | PC/SC          Kerberos
--------------
TCP/IP
</PRE>
<P><FONT SIZE=2>- Fortunately, since there are open source implementations of SMB/CIFS filesystems (e.g. on MacOS X and on Linux), we don't have to write a filesystem.</FONT></P>
<P><FONT SIZE=2>Then, the next question is, what exactly do we have to do to Kerberize SMBFS? </FONT>
</P>
<P><FONT SIZE=2>[Question 2. What exactly does Kerberos do in the server? If Kerberos is used only for initial authentication, then all we need to do is PKINIT in the filesystem on UNIX, right? Or, does the fileserver actually check a ticket for each message, and even more, encrypt the data transferred between the client and the server? If so, what exactly do we have to do? Encrypt packets with Kerberos functions (krb5_mk_priv(), etc.)?]</FONT></P>
<P><FONT SIZE=2>[Question 3. Are there any documents, or maybe pieces of code, which describe the internals of SSPI, the Microsoft filesystem implementation, etc.?] </FONT></P>
<P><FONT SIZE=2>As these are very detailed questions, I would appreciate any help ... advice on how I should proceed, where to get more information, etc. </FONT></P>
<P><FONT SIZE=2>Thank you.</FONT>
</P>
<BR>
<P><FONT SIZE=2>-------------------</FONT>
<BR><FONT SIZE=2>Naomaru Itoi, Ph.D. </FONT>
<BR><FONT SIZE=2>ActivCard, Inc. </FONT>
<BR><FONT SIZE=2>Researcher / Architect</FONT>
<BR><FONT SIZE=2>Phone: 510-745-6270</FONT>
</P>
</BODY>
</HTML>