HP CIFS Server Administrator Guide Version A.02.04.04 (5070-6710, October 2011)

8 Kerberos Support
Introduction
The Kerberos protocol is defined by IETF RFC 1510. Microsoft adopted Kerberos for Windows 2000, and it is the default authentication protocol for Windows 2000, Windows 2003, Windows XP, and Windows Vista clients. For the HP CIFS Server, Kerberos authentication is limited to server membership in a Windows 2003 or Windows 2008 domain, and only when the HP CIFS Server is configured with "security = ads".
This chapter gives a brief overview of Kerberos and a variety of Kerberos configuration information, including configuration details that apply when HP CIFS Server co-exists with other HP-UX applications that use the Kerberos security protocol. For basic Windows 2003 and Windows 2008 domain membership configuration, see "Windows 2003 and Windows 2008 Domains" (page 69). For more detailed CIFS-related Kerberos information, refer to the HP white paper HP CIFS Server and Kerberos at the following web site, then navigate to CIFS:
http://docs.hp.com/en/netcom.html
Kerberos Overview
Kerberos is an authentication protocol that uses shared secrets and encryption to distribute and decode keys between an authenticator, an authenticatee, and a resource that the authenticatee requires access to. In the particular case of HP CIFS Server, the roles are:
Windows Key Distribution Center (KDC): Authenticator
Windows client: Authenticatee
HP CIFS Server: Resource
The protocol exchanges never pass actual passwords over the wire, so a password cannot be captured and decrypted to gain access to a resource. Instead, encrypted keys are passed over the wire, and the three principals (KDC, Windows client, and CIFS server) each use pre-arranged secrets to decode those keys and allow access. The secrets themselves are never transferred. The critical components of the exchanges are:
Windows Key Distribution Center (KDC): Central Kerberos authority for a domain
Long-Term Key: Persistent key derived from a client's password
Session Key: Short-term key used for authentication until it expires
Ticket Granting Ticket (TGT): Allows a client access to the KDC to obtain a service ticket from the TGS
Ticket Granting Service (TGS): Exchange that provides client access to a CIFS server's service
Authentication Service: Exchange that actually allows client access to the KDC
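The three exchanges above (Authentication Service, Ticket Granting Service, and the final presentation of the service ticket to the CIFS server) are easier to follow in code. The following Python model is an added example written for this chapter; it is not HP CIFS Server or Samba code, and its cipher (an XOR keystream with an HMAC tag) is a stand-in for real Kerberos encryption types, not an implementation of them. The principal names (alice, cifs/hpux1, krbtgt), passwords, and ticket lifetimes are constructed for the demo. What it shows is the property the text states: each party decodes only the messages sealed under a key it already holds, the long-term keys never appear in any message, and the CIFS server validates the ticket with its own key alone, without contacting the KDC.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; authenticators older than the clock-skew limit are rejected

def derive_key(password: str, principal: str) -> bytes:
    # Long-term key: derived from the principal's password (salted with the principal name).
    # It is held by the principal and the KDC only and is never sent over the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption standing in for a Kerberos enctype (assumption, not Kerberos crypto).
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("cannot decrypt: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(ticket: dict, auth: dict) -> None:
    # Shared validation: ticket and authenticator name the same client, ticket unexpired, fresh timestamp.
    if ticket["cname"] != auth["cname"] or ticket["exp"] < time.time():
        raise ValueError("ticket/authenticator mismatch or expired ticket")
    if abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator outside allowed clock skew")

class KDC:
    """Authenticator: holds every principal's long-term key (the domain account database)."""
    def __init__(self, keys: dict):
        self.keys = keys  # includes the KDC's own 'krbtgt' key, used to seal TGTs

    def as_exchange(self, cname: str) -> tuple:
        # Authentication Service: the reply is sealed under the client's long-term key, so only
        # a client who knows the password can recover the session key. The TGT is opaque to the client.
        skey, exp = os.urandom(32).hex(), time.time() + 8 * 3600
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "skey": skey, "exp": exp})
        return seal(self.keys[cname], {"skey": skey, "exp": exp}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str) -> tuple:
        # Ticket Granting Service: the client proves it holds the TGT session key, then receives
        # a service ticket sealed under the CIFS server's long-term key plus a new service session key.
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        _check(t, a)
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "skey": svc_key, "exp": t["exp"]})
        return seal(bytes.fromhex(t["skey"]), {"skey": svc_key, "sname": sname}), ticket

def cifs_accept(server_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # Resource (HP CIFS Server): validates with its own long-term key only; no KDC round trip.
    t = unseal(server_key, ticket)
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    _check(t, a)
    return t["cname"]  # the authenticated client principal

def run_exchange(password: str) -> tuple:
    """Run AS -> TGS -> CIFS for client 'alice'; return (authenticated principal, wire messages)."""
    keys = {"alice": derive_key("alice-pw", "alice"),            # constructed demo accounts
            "cifs/hpux1": derive_key("host-pw", "cifs/hpux1"),
            "krbtgt": derive_key("kdc-pw", "krbtgt")}
    kdc, wire = KDC(keys), []
    client_key = derive_key(password, "alice")                    # the client's only secret
    enc, tgt = kdc.as_exchange("alice")
    wire += [enc, tgt]
    session = unseal(client_key, enc)                             # fails here if the password is wrong
    auth = seal(bytes.fromhex(session["skey"]), {"cname": "alice", "ts": time.time()})
    wire.append(auth)
    enc2, ticket = kdc.tgs_exchange(tgt, auth, "cifs/hpux1")
    wire += [enc2, ticket]
    svc = unseal(bytes.fromhex(session["skey"]), enc2)
    auth2 = seal(bytes.fromhex(svc["skey"]), {"cname": "alice", "ts": time.time()})
    wire.append(auth2)
    return cifs_accept(keys["cifs/hpux1"], ticket, auth2), wire

if __name__ == "__main__":
    who, wire = run_exchange("alice-pw")
    print(who, "password on wire:", any(b"alice-pw" in m for m in wire))
```

Running the module authenticates alice to the CIFS service and reports that no password bytes appear in any of the six messages; calling `run_exchange` with a wrong password fails at the AS reply, because the client cannot open the message sealed under the real long-term key.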
For a comprehensive Microsoft Kerberos implementation white paper, refer to the following web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerbers.mspx