HP CIFS Client A.01.09 Administrator's Guide: HP-UX 11.0 and 11i version 1 and 2 > Chapter 4 CIFS Authentication Using Kerberos

Using Kerberos with the HP CIFS Client


Follow these steps to use Kerberos with the HP CIFS Client:

Step 1. Review fundamental Kerberos operating principles

Step 2. Set up and verify the Kerberos infrastructure

Step 3. Configure Kerberos in the HP CIFS Client

Step 1. Review Fundamental Kerberos Operating Principles

If you are not familiar with the fundamental features and operation of Kerberos, consult one or more of the following references.

These HP-UX resources explain the essentials of Kerberos (in the respective Overview chapters in each manual). This level of detail may be sufficient for most installations.

  • Configuration Guide for Kerberos Client Products on HP-UX:

    http://docs.hp.com/hpux/onlinedocs/T1417-90005/T1417-90005.html

  • Installing, Configuring and Administering the Kerberos Server on HP-UX 11i:

    http://docs.hp.com/hpux/onlinedocs/T1417-90001/T1417-90001.html

  • Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i:

    http://docs.hp.com/hpux/onlinedocs/T1417-90003/T1417-90003.html

Other HP-UX resources can be found by searching for kerberos at http://docs.hp.com.

In-depth discussion of the Kerberos protocol can be found in the following excellent documentation:

  • Kerberos: An Authentication Service for Computer Networks, B. Clifford Neuman and Theodore Ts’o:

    http://www.isi.edu/gost/publications/kerberos-neuman-tso.html

  • The documentation repository at Massachusetts Institute of Technology (the developer of Kerberos):

    http://web.mit.edu/kerberos

  • The Kerberos specification, RFC 1510, which contains an excellent introduction (section 1) and descriptions of the message exchanges (section 3):

    http://ftp.rfc-editor.org/in-notes/rfc1510.txt

  • Several informative papers can also be found on the Microsoft web site. Most of these documents also include practical information on how to set up security in networks of Windows computers. Search for kerberos or related topics at:

    http://www.microsoft.com

Step 2. Set Up and Verify the Kerberos Infrastructure

To use Kerberos with the HP CIFS Client, you must have a working Kerberos infrastructure on your network (completely independent of the CIFS Client) which consists of:

  • A Key Distribution Center (KDC)

  • At least one CIFS server that supports Kerberos and is a member of the KDC’s domain (called a “realm” in the Kerberos terminology)

  • At least one user principal account on the KDC

  • A properly configured HP-UX Kerberos Client installation on the system running the HP CIFS Client

NOTE: It is recommended that a domain name server (DNS) be running on a Windows server on your network. The CIFS servers to which you want to connect should be registered in the Windows DNS table so that the KDC can recognize them.

If you are setting up a Key Distribution Center on a Windows 2000 server, consult your Microsoft documentation.

The CIFS servers to which you want to connect via Kerberos with the CIFS client must be joined to the Windows Domain. Windows online help contains information on how this can be accomplished.

If you want to set up user principals on a Windows 2000 KDC, consult online help for managing user Domain accounts.

To set up the HP-UX Kerberos client, consult the Configuration Guide cited above in step 1. The following HP-UX man pages also contain useful information: kerberos(9), krb5.conf(4), kpasswd(1), kinit(1), klist(1), kdestroy(1).

Once you have set up these elements of your Kerberos infrastructure, you can use the following checks to verify that everything is working. Please do not proceed to step 3 without performing this verification.

  • To verify that the user principals have been set up properly on the KDC, and that the Kerberos authentication service on the KDC and the HP-UX Kerberos client can communicate properly, enter:

    $ kinit name

    where name is one of the user principals. If the operation succeeds, a Ticket-Granting Ticket (TGT) is issued for name. To verify that this actually occurred, execute the klist command to display the tickets stored in the system Kerberos cache.

  • To verify that the CIFS server has been properly configured in the KDC, execute the test program cifsgettkt, located in /opt/cifsclient/bin:

    $ cifsgettkt -s server

    where server is one of the CIFS servers. This command uses the TGT acquired with kinit to request a service ticket (ST) from the Ticket-Granting Server (TGS). Because cifsgettkt is used only for testing, it does not modify the system Kerberos cache; it does, however, print an informative message on the console.

If these verification steps succeed, Kerberos authentication between CIFS clients and servers should succeed. You are ready to proceed to step 3.

Step 3. Configure Kerberos on the HP CIFS Client

The configuration parameter authenticationLevel, specified in the HP CIFS Client configuration file (/etc/opt/cifsclient/cifsclient.cfg), indicates which mechanism the CIFS Client uses to authenticate users to CIFS servers. Legal values for this parameter are ntlm and kerberos. By default, the traditional Windows NT LAN Manager (NTLM) protocol is used. The default configuration setting is:

authenticationLevel = ntlm;

If you wish to use Kerberos, change the line to:

authenticationLevel = kerberos;

In this case, the CIFS Client requests Kerberos when negotiating the initial connection with the CIFS server. If the server's response is affirmative, only Kerberos is used for authenticating users to that server; otherwise NTLM is used.
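The following script is an added example and is not part of the HP CIFS Client guide or product. It wraps the step 2 checks (kinit, klist, cifsgettkt) and the step 3 configuration change in shell functions that can be run on the HP-UX system hosting the CIFS Client. The TGT check parses klist output for a krbtgt/REALM@REALM entry, so that "kinit returned 0" is confirmed by an actual ticket in the cache rather than assumed; the configuration helpers only accept the two values the guide documents. The config path, the cifsgettkt path, the realm and the sample klist output are assumptions made for the example, and because the guide states that a server which declines Kerberos is silently authenticated with NTLM, setting authenticationLevel = kerberos should be paired with the cifsgettkt check against every server you rely on.

```shell
#!/usr/bin/sh
# Added example, not code from the HP CIFS Client guide.
# Assumed paths; override via the environment if your installation differs.
CFG=${CFG:-/etc/opt/cifsclient/cifsclient.cfg}
CIFSGETTKT=${CIFSGETTKT:-/opt/cifsclient/bin/cifsgettkt}

# tgt_present KLIST_OUTPUT REALM
# Succeeds only if the klist output lists a ticket-granting ticket for REALM
# (service principal krbtgt/REALM@REALM), i.e. kinit really obtained a TGT.
tgt_present() {
    printf '%s\n' "$1" | grep -F -q "krbtgt/$2@$2"
}

# auth_level FILE
# Prints the configured authenticationLevel value (ntlm or kerberos).
auth_level() {
    sed -n 's/^[[:space:]]*authenticationLevel[[:space:]]*=[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' "$1"
}

# set_auth_level FILE LEVEL
# Rewrites the authenticationLevel line in place, refusing any value other
# than the two the guide documents.
set_auth_level() {
    case "$2" in
        ntlm|kerberos) ;;
        *) echo "set_auth_level: invalid level '$2'" >&2; return 1 ;;
    esac
    sed "s/^\([[:space:]]*authenticationLevel[[:space:]]*=[[:space:]]*\)[a-z]*\([[:space:]]*;\)/\1$2\2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# verify_kerberos PRINCIPAL REALM SERVER
# Runs the step 2 checks against the live KDC and CIFS server.
verify_kerberos() {
    kinit "$1" || { echo "kinit failed for principal $1" >&2; return 1; }
    tgt_present "$(klist)" "$2" || { echo "no TGT for realm $2 in the Kerberos cache" >&2; return 1; }
    "$CIFSGETTKT" -s "$3" || { echo "no service ticket issued for server $3" >&2; return 1; }
    echo "Kerberos checks passed: $1 -> $3"
}

# main PRINCIPAL REALM SERVER
# Verifies first; switches the client to Kerberos only if every check passed.
main() {
    verify_kerberos "$1" "$2" "$3" || exit 1
    if [ "$(auth_level "$CFG")" != kerberos ]; then
        set_auth_level "$CFG" kerberos || exit 1
        echo "$CFG: authenticationLevel set to kerberos"
    fi
}

# Usage: sh cifs_krb_check.sh --run jdoe EXAMPLE.COM fileserver
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Running the script with --run prompts for the principal's password through kinit as in the manual procedure; the functions can also be sourced individually, for example to audit the authenticationLevel setting across several clients without touching the Kerberos cache.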
