Hi,
Thanks for your great work as always. This question is slightly off-topic, but you guys know a lot about SMB/CIFS and Microsoft Active Directory & Kerberos, so let me ask ...
I am trying to achieve PKI authentication and SMB access to Windows Domain from a UNIX box. In other words:
- From a UNIX box (let's say MacOS X), a user gets authenticated by a Domain Controller (which uses Active Directory for authenticating users) with a digital signature made with a smartcard
- The user mounts a directory on a Windows PC, which is in the domain, through SMB/CIFS.
- The user accesses the files through SMB/CIFS.
To achieve this, I need to gather some information about Kerberos and SMB/CIFS on Windows.
By reading documents in MSDN Library and on the Internet, I am guessing the following are the architectures of Windows filesystem client and server.
Microsoft Client               Microsoft Server
Filesystem                     Filesystem
--------------                 --------------
SSPI-Krb5                      SSPI-Krb5
--------------                 --------------
Kerberos  | CSP                Kerberos
--------------
TCP/IP    | PC/SC
- Filesystem relies on SSPI-KerberosV to provide security services.
- SSPI-KerberosV uses KerberosV5 (and its PKI extension, PKINIT) to authenticate a user (and maybe establish a secure channel).
- SSPI-KerberosV uses CSP/CAPI for smartcard services.
[Question 1. Is this guess correct?]
Assuming the answer to Question 1. is correct, I believe here's what I have to implement:
My Client                      Microsoft Server
Filesystem                     Filesystem
--------------                 --------------
GSSAPI-Krb5                    SSPI-Krb5
--------------                 --------------
Heimdal   | PC/SC              Kerberos
--------------
TCP/IP
- Fortunately, since there are open source implementations of SMB/CIFS filesystems (e.g. on MacOS X and on Linux), I don't have to write a filesystem.
- Also fortunately, Heimdal seems to have PKINIT tested with Microsoft KDC, so I don't have to implement this, either.
- My concern is that there is no SSPI on UNIX. However, I believe SSPI and GSSAPI are similar.
[Question 2. Is there a chance GSSAPI on a UNIX client and SSPI on a Windows server interoperate, with a reasonable amount of changes?]
Assuming the answer to Q2 is NO, then I guess I have to Kerberize the filesystem.
[Question 3. What exactly does Kerberos do in the server? If Kerberos is used only for initial authentication, then all I need to do is PKINIT in the filesystem on UNIX, right? Or does Kerberos actually check a ticket for each message, and even more, encrypt the data transferred between the client and the server? If so, what exactly do I have to do? Encrypt packets with Kerberos functions?]
[Question 4. Are there any documents which describe the internals of SSPI, the Microsoft filesystem implementation, etc.?]
As these are very detailed questions, I would appreciate any help ... advice on how I should proceed, where to get more information, whom else to ask, etc.
Thank you.
--
Concentration ... Naomaru Itoi
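Added example, not code from this message or from any reply in the thread: a small decoder for the GSS-API InitialContextToken, the wire framing (RFC 2743 section 3.1) that a Windows SSPI peer and a UNIX GSSAPI peer exchange inside an SMB session setup. It reads the mechanism OID and, for SPNEGO, the NegTokenInit mechTypes list (RFC 4178 section 4.2), so a defender can confirm from a captured blob whether Kerberos or NTLMSSP was offered. The two sample tokens are constructed by hand and carry stub inner bodies.

```python
# Added example, not from the original message. Sample tokens are hand-constructed.
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = "1.3.6.1.5.5.2"

def der_length(buf, pos):
    """DER length at buf[pos], short or long form; returns (length, next pos)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def read_oid(buf, pos):
    """OBJECT IDENTIFIER TLV at buf[pos]; returns (dotted OID, next pos)."""
    if buf[pos] != 0x06:
        raise ValueError("expected OID at offset %d" % pos)
    length, pos = der_length(buf, pos + 1)
    body, arcs, value = buf[pos:pos + length], [buf[pos] // 40, buf[pos] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs)), pos + length

def offered_mechanisms(token):
    """Mechanisms an InitialContextToken carries, in the sender's preference order."""
    if token[0] != 0x60:               # [APPLICATION 0] InitialContextToken wrapper
        raise ValueError("not a GSS-API InitialContextToken")
    total, pos = der_length(token, 1)
    oid, pos = read_oid(token, pos)
    if oid != SPNEGO_OID:              # raw Kerberos token: the OID is the answer
        return [MECH_NAMES.get(oid, oid)]
    # NegTokenInit: [0] { SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... } }
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        if token[pos] != tag:
            raise ValueError("unexpected tag 0x%02x at offset %d" % (token[pos], pos))
        length, pos = der_length(token, pos + 1)
    end, mechs = pos + length, []
    while pos < end:
        oid, pos = read_oid(token, pos)
        mechs.append(MECH_NAMES.get(oid, oid))
    return mechs

# Constructed samples: a bare Kerberos AP-REQ carrier (TOK_ID 01 00 + stub body)
KRB5_TOKEN = bytes.fromhex("6011 0609 2a864886f712010202 0100 6e023000")
SPNEGO_TOKEN = bytes.fromhex("6027 0606 2b0601050502 a01d 301b a019 3017"
                             "0609 2a864886f712010202 060a 2b060104018237 02020a")
```

Running `offered_mechanisms(SPNEGO_TOKEN)` on the second sample lists Kerberos V5 ahead of NTLMSSP; a session that nevertheless ends up on NTLMSSP is the fallback case worth flagging in logs.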
