Author: abartlet
Date: 2005-04-13 12:36:37 +0000 (Wed, 13 Apr 2005)
New Revision: 252
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=252 Log: Explain a little what the protocols are, and where the code in Samba4 came from. Andrew Bartlett Modified: trunk/white-papers/gensec-white-paper.lyx Changeset: Modified: trunk/white-papers/gensec-white-paper.lyx =================================================================== --- trunk/white-papers/gensec-white-paper.lyx 2005-04-12 09:00:17 UTC (rev 251) +++ trunk/white-papers/gensec-white-paper.lyx 2005-04-13 12:36:37 UTC (rev 252) @@ -310,13 +310,19 @@ \layout Section* Protocol Scope +\layout Standard + +The biggest challenge (and the failure of the previous efforts in this area) + is the shear scope of the protocols involved. + Previous efforts did not attempt to address all the host protocols at once, + nor did they address or even allow for the full scope of security protocols. \layout Subsection* Host Protocols \layout Standard -Any generic security solution used by Samba must be compatible with the - wide variety of protocols that Samba4 implements or provides services to: +At this stage, the host protocols which require security support in Samba + are: \layout Itemize CIFS 
@@ -336,21 +342,35 @@ Likewise, any solution we must also correctly handle the number of security protocols we implement: -\layout Itemize +\layout List +\labelwidthstring 00.00.0000 -NTLMSSP -\layout Itemize +NTLMSSP The standard NTLM challenge response system, used by all modern + windows systems. +\layout List +\labelwidthstring 00.00.0000 -Kerberos -\layout Itemize +Kerberos Kerberos, oringally from MIT's project Athena is a crypographicly + secure trusted-third-party security system. + Kerberos version 5 (krb5) is the current standard. +\layout List +\labelwidthstring 00.00.0000 -GSSAPI -\layout Itemize +GSSAPI GSSAPI is a wrapping layer around security protocols, designed to + make them easier to use. + It typically wraps Kerberos version 5. +\layout List +\labelwidthstring 00.00.0000 -SPNEGO -\layout Itemize +SPNEGO This is a security negotiation protocol. + Also known as SNEGO, work is progressing to make the P again really mean + `protected'. +\layout List +\labelwidthstring 00.00.0000 -SCHANNEL +SCHANNEL Schannel is the security mechanism used between Microsoft client + workstations and servers for domain membership, and used the machine trust + account. \layout Standard This list is expected to grow, particularly as LDAPv3 has DIGEST-MD5 as 
@@ -388,14 +408,62 @@ to import that portion of Samba. \layout Subsection* +NTLMSSP +\layout Standard + +The NTLMSSP library was brought forward from Samba 3.0 in the original branch + of Samba4, and has been updated from that point. + This code, built in the early days of the Samba 3.0 project to support SPNEGO + includes a micro-impelmentation of NDR generation and parsing, suitable + for the small packets used in the NTLMSSP exchange. + The code has proven supprsingly stable in both 3.0 and Samba4, and has now + been extended to handle NTLM2 signing. +\layout Standard + +It was the comparitive sucess of this code in Samba 3.0 (used in the CIFS + client, CIFS server and the DCERPC client) that strongly influenced the + design of GENSEC in Samba4. + +\layout Subsection* + +SPNEGO +\layout Standard + +The SPNEGO code in Samba4 was derived from the code contributed by Anthony + Ligouri to Samba 3.0's +\family typewriter +ntlm_auth +\family default + utility. + This needed substatial extension, but unlike the code used in the rest + of Samba3, this was quite practical, and did not drasticly alter the parse + layer. +\layout Standard + +This code now selects between the registered GENSEC mechanisms, in choosing + a suitable security protocol (essentially NTLM or Krb5 for now) for use + on the connection. + +\layout Subsection* + +SCHANNEL +\layout Standard + +Samba4 includes a new schannel implementation, only distently derived from + that in Samba 3.0. + Now better seperated from the rest of the DCE-RPC code than it was in Samba + 3.0 or earlier Samba4 development, this is handled almost entirely as a + normal GENSEC module. +\layout Subsection* + Using the Heimdal library \layout Standard In an apparent contradiction with the above, we are also investigating a - strong tie with the Heimdal implementation of Kerberos. + strong tie with the Heimdal implementation of Kerberos and GSSAPI. 
This contradiction comes about because we do not wish to re-implement the - entire Kerberos library, but require features that to this point are only - implemented in our custom release of that library. + entire Kerberos and GSSAPI libraries, but require features that to this + point are only implemented in our custom release of that library. \layout Standard The idea is that we will statically link with this library, rather than @@ -759,6 +827,15 @@ The Session Key function breaks all the abstractions that should be present in such a security system, but are required for operation on CIFS, due to the way that `session keys' are used in SMB signing. +\layout Section* + +Future requirements +\layout Subsection* + +Asyncronous request support +\layout Subsection* + +Moving beyond Samba \layout Standard
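Review bot: "shear scope" in the new Standard paragraph of the Protocol Scope hunk (@@ -310,13 +310,19) should read "sheer scope"; "shear" is the mechanical term. The same paragraph says previous efforts failed without naming them, so a reader cannot tell which designs are meant; one clause identifying the earlier attempts (for example the Samba 3.0 auth code the later hunks refer back to) would make the argument checkable.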
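Review bot: the new security-protocol list in the @@ -336,21 +342,35 hunk has several spelling errors that should be fixed before this goes into a white paper: "oringally" (originally) and "crypographicly" (cryptographically) in the Kerberos entry, lower-case "windows" in the NTLMSSP entry, and "used the machine trust account" in the SCHANNEL entry is missing a verb ("and uses the machine trust account"). The SPNEGO entry also leaves the reader guessing what the P stands for: spell out the name once (Simple and Protected GSSAPI Negotiation, RFC 2478 at the time of this commit) and say in one sentence what "protected" means in practice, namely that the negotiated mechanism list is integrity-checked so an intermediary cannot silently strip the stronger mechanisms from it. That is the security property the "make the P again really mean `protected'" remark alludes to, and it is the reason the negotiation layer matters.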
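Review bot: the three new Subsection* blocks in the @@ -388,14 +408,62 hunk contain a run of typos: "impelmentation" (implementation), "supprsingly" (surprisingly), "comparitive sucess" (comparative success), "substatial" (substantial), "drasticly" (drastically), "distently" (distantly) and "seperated" (separated); the contributor's surname in the SPNEGO subsection is given as "Ligouri" and should be verified against the ntlm_auth history (it is normally written "Liguori"). Beyond spelling, the NTLMSSP subsection asserts that the hand-written "micro-implementation of NDR generation and parsing" has "proven surprisingly stable" without saying how that was established; a hand-rolled packet parser sitting in front of the CIFS server and DCERPC client is exactly the code a reviewer of a security design paper will want evidence for, so add a sentence on what testing (interoperability against Windows clients, malformed-packet handling) backs the claim, or soften it.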
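Review bot: "Asyncronous request support" in the new Future requirements section (@@ -759,6 +827,15) should be "Asynchronous request support". Both new Subsection* headings are also empty: nothing follows them before the existing "\layout Standard", so the section currently adds two titles and no content. Either add at least one paragraph under each saying what is required (what "asynchronous" means for GENSEC callers, and what "beyond Samba" would need from the API) or hold the section until there is text for it, otherwise the white paper ends on placeholder headings.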