mit kdc integration
play

MIT KDC integration Andreas Schneider <asn@samba.org> G unther - PowerPoint PPT Presentation

Aug 11, 2023 •868 likes •1.17k views

MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner <gd@samba.org> Red Hat May 21th, 2015 Andreas Schneider <asn@samba.org> G

  1. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat May 21th, 2015 Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  2. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices Who we are? We both are Samba Team members work for Red Hat on Samba love rock climbing and love Frankonian beer (an important part of rock climbing) Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  3. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  4. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices The SDB Layer MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  5. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices The SDB Layer HDB, KDB, SDB New SDB layer simple abstraction of samba kdc routines into a new sdb layer provides conversion routines into HDB and KDB formats (for Heimdal and MIT KDCs) Samba builds either MIT or Heimdal plugin, not both KDB plugin works for a MIT KDC (version greater 1.10) Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  6. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices The SDB Layer New KDC backend layering Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  7. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices Microsoft Interop Lab MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  8. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices Microsoft Interop Lab Microsoft Kerberos Testsuite Microsoft Interopability Event September 2014 in Redmond MS testsuite testing Samba/MIT KDC with new kdb samba driver Some issues found: kdb samba driver failed encryption type negotiation ARCFOUR-HMAC-MD5 was the only enctype used Re-ordering enabled AES enctypes Salting issues with salting principals for AES kpasswd support via kadmind Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  9. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices Microsoft Interop Lab Microsoft Protocol Test Suites Publically available: ”Kerberos Protocol Test Suite” Supports different scenarios Report generation See ”Open Specifications Dev Center” for further details https://msdn.microsoft.com/openspecifications Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  10. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices cwrap MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  11. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices cwrap The libkrb5 DNS discovery problem libkrb5 could not find its DC We needed support for service discovery via DNS We had some DNS faking in the Samba developer build BUT: Samba DNS faking did not work with system libraries Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  12. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices cwrap resolv wrapper This wraps functions from libresolv.so; res query(3), res search(3) We have two modes: 1 Create your own resolv.conf and redirect everything to your DNS server 2 Fake queries from a simple DNS file This is for querying SRV, SOA or CNAME records ... https://cwrap.org/resolv_wrapper.html Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  13. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices cwrap resolv wrapper in Samba Selftest resolv wrapper is preloaded in Selftest Currently only supports DNS faking The internal DNS implementation does not correctly handle SOA records, so we can’t send DNS queries to it yet The system libkrb5 can now do SRV record lookups to discover the KDC Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  14. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices Kadmind MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  15. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices Kadmind kpasswd support ”Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols” (RFC3244) The ’kpasswd’ client from MIT Kerberos did not work In MIT Kerberos the kpasswd protocol is implemented in kadmind ⇒ We needed to start kadmind Password Set variant still needs ACL handling Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  16. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices Kadmind kadmind The MIT Kerberos administration server Allows administrative tasks via kadmin or kadmin.local tool ⇒ e.g. modify principals, export keytabs Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  17. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices NETLOGON Generic PAC Validation MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  18. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices NETLOGON Generic PAC Validation Netlogon PAC validation Netlogon has a logon mode to validate a PAC Samba implements an IRPC service to allow that Basically the service checks if the signature of the PAC is valid When we start the MIT KDC we also set up the IRPC service Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  19. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices What has gone upstream? MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  20. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices What has gone upstream? What has gone upstream? Bugfixes, bugfixes, bugfixes... New cwrap components e.g. resolv wrapper Fixes for enabling/disabling parts of the Samba DC for MIT or Heimdal Switch to krb5 API calls and structs from private HDB calls and structs General migration away from HDB where possible Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

  21. MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices What is remaining? MIT KDC integration 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits What is remaining? 4 Heimdal sacrifices Has Heimdal gone to Valhalla ? The End Andreas Schneider <asn@samba.org> G¨ unther Deschner <gd@samba.org> Red Hat MIT KDC integration

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup

CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup

CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup RECOMMENDATIONS TO THE TASK FORCE July 18, 2014 Each Behavioral Health Organization should provide rapid access to the following billable services along a

790 views • 9 slides
Integration Programme? Integration Strategy? No national or local integration programme (not

Integration Programme? Integration Strategy? No national or local integration programme (not

Integration Programme? Integration Strategy? No national or local integration programme (not voluntary or compulsory) BUT Citizenship now requires a language and culture test National government is now piloting a personal integration

778 views • 13 slides
Integration of Refugees in Norway Ida Hjelde The Norwegian Directorate of Integration and

Integration of Refugees in Norway Ida Hjelde The Norwegian Directorate of Integration and

Integration of Refugees in Norway Ida Hjelde The Norwegian Directorate of Integration and Diversity New White Paper: From reception center to the labour market an effective integration policy Meld. St. 30 (2015 2016) 2 16% of the

591 views • 17 slides
Page 1, 18-Sep-07 Product Integration Product Integration Technical Product Product

Page 1, 18-Sep-07 Product Integration Product Integration Technical Product Product

Key Elements of the Product Integration Process Thesis proposal Stig Larsson Page 1, 18-Sep-07 Product Integration Product Integration Technical Product Product Customer Solution Integration Reports Reports Verification

299 views • 29 slides
JUST THE MATHS SLIDES NUMBER 12.4 INTEGRATION 4 (Integration by substitution in general)

JUST THE MATHS SLIDES NUMBER 12.4 INTEGRATION 4 (Integration by substitution in general)

JUST THE MATHS SLIDES NUMBER 12.4 INTEGRATION 4 (Integration by substitution in general) by A.J.Hobson 12.4.1 Examples using the standard formula 12.4.2 Integrals involving a function and its derivative UNIT 12.4 - INTEGRATION 4

313 views • 7 slides
Provenance -Only Integration Ashish Gehani Dawood Tariq SRI Provenance -Only Integration p.

Provenance -Only Integration Ashish Gehani Dawood Tariq SRI Provenance -Only Integration p.

Provenance -Only Integration Ashish Gehani Dawood Tariq SRI Provenance -Only Integration p. 1/13 Integration Challenges Metadata variation: Abstraction levels Completeness Identifiers Semantics Querying requires: Record assembly

683 views • 13 slides
Fortify Integration &amp; User Experience Fortify Partner Integration Integration with both

Fortify Integration &amp; User Experience Fortify Partner Integration Integration with both

Fortify Integration &amp; User Experience Fortify Partner Integration Integration with both Fortify on Demand and Software Security Center (v18.2). Get Training provides Fortify User with real-time interactive training in Secure

527 views • 31 slides
Advancing Clinical Integration Mark Briesacher, MD Senior VP, Clinical Integration Clinical

Advancing Clinical Integration Mark Briesacher, MD Senior VP, Clinical Integration Clinical

Advancing Clinical Integration Mark Briesacher, MD Senior VP, Clinical Integration Clinical Integration in 2015 Challenging and important iCentra implementations and improvements Logan, Bear River support and stabilization McKay-Dee,

500 views • 10 slides
Continuous Integration Continuous Integration (CI) CI is widely accepted as the best way to

Continuous Integration Continuous Integration (CI) CI is widely accepted as the best way to

Continuous Integration Continuous Integration (CI) CI is widely accepted as the best way to create large- scale software in a collaborative environment In its most basic form you use a service which monitors the version control system,

616 views • 28 slides
Towards numerical integration in Coq Faster real computation Numerical integration Picard

Towards numerical integration in Coq Faster real computation Numerical integration Picard

Towards numerical integration in Coq Bas Spitters (jww Eelis van der Weegen) Integration Experiment building a library Towards numerical integration in Coq Faster real computation Numerical integration Picard method Bas Spitters (jww

580 views • 40 slides
Numerical Differentiation &amp; Integration Elements of Numerical Integration I Numerical

Numerical Differentiation &amp; Integration Elements of Numerical Integration I Numerical

Numerical Differentiation &amp; Integration Elements of Numerical Integration I Numerical Analysis (9th Edition) R L Burden &amp; J D Faires Beamer Presentation Slides prepared by John Carroll Dublin City University c 2011 Brooks/Cole,

1.24k views • 81 slides
Phone System Integration with Synergy Enterprise Phone Integration This Phone Integration

Phone System Integration with Synergy Enterprise Phone Integration This Phone Integration

Phone System Integration with Synergy Enterprise Phone Integration This Phone Integration allows a VOIP phone system to link with Synergy. The phone system may be either an on-premises or a hosted service. Incoming Calls pull up the

408 views • 28 slides
Integration of Integration of Sustainable Travel Modes Sustainable Travel Modes Integration of

Integration of Integration of Sustainable Travel Modes Sustainable Travel Modes Integration of

Integration of Integration of Sustainable Travel Modes Sustainable Travel Modes Integration of Sustainable Travel Modes Stephan Koch Cork 04/12/2018 CIHT / Engineers Ireland / IPI Stephan Koch (Dipl.-Ing.) Urban Road Design University

397 views • 25 slides
Multimodal Integration Outline Spatial Transformation Motion Correction

Multimodal Integration Outline Spatial Transformation Motion Correction

freesurfer.net Multimodal Integration Outline Spatial Transformation Motion Correction Registration, Automatic and Manual MultiModal Integration DTI Integration fMRI Integration Viewing on Volume and

721 views • 47 slides
integration in PiMu (in 2 minutes) Nikhef Stafoverleg 9/3/2020 R. Bruijn Activities : DOM

integration in PiMu (in 2 minutes) Nikhef Stafoverleg 9/3/2020 R. Bruijn Activities : DOM

KM3NeT DOM and DU integration in PiMu (in 2 minutes) Nikhef Stafoverleg 9/3/2020 R. Bruijn Activities : DOM integration DOM DU integration Integration Logistics for collaboration Storage (distribution) (Europe/Local)

197 views • 6 slides
Numerical Differentiation &amp; Integration Composite Numerical Integration I Numerical Analysis

Numerical Differentiation &amp; Integration Composite Numerical Integration I Numerical Analysis

Numerical Differentiation &amp; Integration Composite Numerical Integration I Numerical Analysis (9th Edition) R L Burden &amp; J D Faires Beamer Presentation Slides prepared by John Carroll Dublin City University c 2011 Brooks/Cole,

1.14k views • 93 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7 Page 1 CS 236 Online Outline Introduction Basic authentication mechanisms Lecture 7 Page 2 CS 236 Online Introduction Much of

799 views • 30 slides
Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23

Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23

Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23 420.00 5 30 420.00 6 06-Feb 420.00 7 13 470.00 8 20 420.00 9 27 420.00 10 06-Mar 420.00 11 13 420.00 12 20

624 views • 3 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly,

Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly,

Better PHP Security Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly, about me Consultant Senior Engineer Developer Senior Developer Director of Tech Hosting Manager Support

478 views • 32 slides
Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you are doing online This includes your passwords! Who has access to my packets? Your ISP at home UBIT on campus Tier 1 Networks

232 views • 22 slides
AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

August 13, 2013 DIAC 2013 AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide 1 Ren Struik (Struik Security Consultancy) August 13, 2013 DIAC 2013 Outline 1. Highly Constrained Networks

559 views • 30 slides

More recommend