Kerberos and CIFS question

Naomaru Itoi nitoi at activcard.com
Fri Dec 13 18:31:00 EST 2002 

Hi, 

Thanks for your great work as always.  This question is slightly an
off-topic, but you know a lot Microsoft Kerberos, so let me try ... . 

I am trying to achieve PKI authentication and SMB access to Windows Domain
from a UNIX box.  In other words:
- From a UNIX box (let's say MacOS X), a user gets authenticated by a Domain
Controller (which uses Active Directory for authenticating users) with
digital signature with a smartcard
- The user mounts a directory on a Windows PC, which is in the domain,
through SMB/CIFS.
- The user accesses the files through SMB/CIFS. 

To achieve this, I need to gather some information about Kerberos and
SMB/CIFS on Windows.  

By reading documents in MSDN Library and on the Internet,  I am guessing the
following are the architectures of Windows filesystem client and server.

Microsoft Client          Microsoft Server
        
Filesystem                     Filesystem       
--------------            --------------
SSPI-Krb5                     SSPI-Krb5    
--------------            --------------   
Kerberos | CSP               Kerberos  
-------------- 
TCP/IP   | PC/SC   
        
- Filesystem relies on SSPI-KerberosV to provide security services.
- SSPI-KerberosV5 uses KerberosV5 (and its PKI extension, PKINIT) to
authenticate a user (and maybe establish a secure channel).
- SSPI-KerberosV5 uses CSP/CAPI for smartcard services.

[Question 1. Is this guess correct?]

Assuming the answer to Question 1. is yes or almost yes, I believe I can
achieve the goal with an architecture like this:

My Client                 MicroSoft Server
        
Filesystem                     Filesystem       
--------------            --------------
GSSAPI-Krb5                 SSPI-Krb5    
--------------            --------------   
Kerberos | PC/SC           Kerberos  
--------------  
TCP/IP      
  
- Fortunately, since there are open source implementations of SMB/CIFS
filesystems (e.g. on MacOS X and on Linux), we don't have to write a
filesystem.

Then, the next question is, what exactly do we have to do in Kerberizing
SMBFS.  

[Question 2. What exactly does Kerberos do in the server?  If Kerberos is
used only for initial authentication, then all we need to do is PKINIT in
the filesystem on UNIX, right?  Or, does the fileserver actually check a
ticket per each message, and even more, encrypt the data transferred between
the client and the server?  If so, what exactly do we have to do?  Encrypt
packets with Kerberos functions (krb5_mk_priv(), etc.)?]

[Question 3. Is there any documents, or maybe piece of code, which describe
internals of SSPI, Microsoft filesystem implementation, etc.?]  

As these are very detailed questions, I will appreciate any help ... advices
on how I should proceed, where to get more information, etc.  

Thank you.


-------------------
Naomaru Itoi, Ph.D. 
ActivCard, Inc. 
Researcher / Architect
Phone: 510-745-6270
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/krbdev/attachments/20021213/39c1f719/attachment.htm

More information about the krbdev mailing list