
Re: PAM and Kerberos
> > Marc, you have hit the nail on the head.  What we really need on
> > Unix is to replace the file based credentials cache with something 
> > else that can be contacted securely by the network process, the login
> > process, and the user.
> 
> Something like Windows 2000's LSA service and SSPI?

yep.

the way that nt's security works is that a process, or a
process-that-can-be-contacted-by-another-process caches sufficient
authentication info to be able to automatically verify that resources can
be accessed.

in the case of nt5, this is a krb tgt.  in the case of nt4, this is the
username/domainname/password-hash.

in the case of file access, there is _also_ a third party "pass-through"
mechanism, where the third party can request access to a resource in a
remote location, and rights to access the resource are "passed through" to
a central authentication location (in the case of nt4, the PDC).

the remote location "trusts" the central authentication location, and this
is backed up by, and protected by, a protocol that uses a "trust account".

this process is well understood and pretty much fully implemented in the
samba source code.

the "remote location" is a Windows NT Workstation as a member of a Domain.

the "central authentication location" is a Windows NT-compatible PDC.

the "process" is the NETLOGON DCE/RPC api.

the "trust account" is a Workstation Trust Account that is stored in the
SAM database.

the "third party" is any SMB client.

luke