SAMBA AND AD
Secure Communication
Privacy: only the sender and the receiver should be able to understand the conversation; eavesdroppers can make no sense of the information
Integrity: the receiving end must be able to know for sure that the message he is
Authentication: ensure that the parties involved in the communication are who they claim to be (the threat here is impersonation)
SECURITY IN WINDOWS
SSO
Single Sign-On
the ability of a user to authenticate and
NTLM
Kerberos
Authentication
Kerberos Components
The client
KDC (Key Distribution Center), which runs two services:
AS (Authentication Service)
TGS (Ticket-Granting Service)
DC (Domain Controller; in Active Directory every DC is a KDC)
Kerberos Exchanges
AS Exchange (Authentication Service): authenticate on the domain; AS-Request and AS-Reply, which returns the TGT
TGS Exchange (Ticket-Granting Service): present the TGT to get a service ticket; TGS-Request and TGS-Reply
CS Exchange (Client/Server): present the service ticket to access the resource; AP-Request and AP-Reply
The KDC Authentication Service (AS) looks up the principal in the Active Directory database and its universal group memberships in the global catalogue server.
If the principal is found and the key is accepted, the AS on the KDC creates a Ticket-Granting Ticket (TGT). The TGT has an expiration time (10 hours by default). The TGT is sent to the workstation.
Pre-Authentication: before issuing the TGT the AS requires the client to prove it knows the user's key (by default a timestamp encrypted with that key), so a request for an arbitrary user does not hand back material that can be attacked offline.
The TGT is returned to the local security subsystem on the client workstation and stored in the credential cache together with the TGT session key (USK). Together these form the authentication information the workstation uses to talk to the KDC from now on, until the user logs out or the ticket expires.
TGT
This ticket is used to request service tickets for domain resources such as a shared folder or printer, or the ability to log on to a particular computer
has a default lifetime of 10 hours
may be renewed throughout the user's log-on session (up to the renewal limit, 7 days by default) without requiring the user to re-enter the password
is cached on the local machine in volatile memory and used to request sessions with services throughout the network
Time!
Maximum Tolerance For Computer Clock Synchronization: this is one of the few Kerberos policy settings that may need to be changed. By default, computers in the domain must be synchronized to within five minutes of each other (the setting is expressed in minutes; the default is 5). If the client clock and the KDC clock differ by more than this, the request is rejected and no ticket is issued. If remote users log on to the domain without synchronizing their clock to the network time server, it may be necessary to raise this value; keep in mind that the timestamp check is what limits replay of captured authenticators, so widening the tolerance widens that replay window too.
Summary
Understanding Kerberos
Resources
http://www.youtube.com/watch?v=kp5d8Yv3-0c
http://www.youtube.com/watch?v=KD2Q-2ToloE&feature=related
http://www.computerworld.com/computerworld/records/images/pdf/kerberos_chart.pdf
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fintroductiontokerberosauthentication.htm
CMPS305
Diagram: a SAMBA server and several workstations joined to a Windows DC
What the join does:
find an ADS DC
create a secret key (the machine account password stored in the secrets database)
get a krb5 TGT for administrator
get a service ticket to join the domain
complete the join
Smb.conf
A Kerberos realm is a set of principals administered as a single group in Kerberos.
All Windows domains are also Kerberos realms, but the realm name is always the DNS domain name in uppercase (domain example.lan is realm EXAMPLE.LAN).
Krb5.conf
DNS: the client must be able to resolve the DC (and find its SRV records for Kerberos and LDAP)
And you have to make sure you have a proper hosts file, at least for the machine's own fully qualified name
Testing it out
kinit: obtain an initial TGT for administrator in the domain
klist: list the Kerberos tickets in the credential cache (you should see krbtgt/REALM@REALM with its start and expiry times)
Users
Winbind
Unifies Unix and Windows account management
Pulls the Windows usernames from the DC and integrates them into the NSS
Nsswitch
Name Service Switch
Allows you to resolve names between services
is used by various functions in the C library to
The check
getent passwd: once winbind is listed as a passwd source, domain users appear alongside the local ones