SCAP

s+c LDAP Authentication Package for the Microsoft Kerberos security support provider

Motivation

Microsoft Windows® offers authentication against external Kerberos Realms for local users (Kerberos 5 Interoperability, krb5 1.0).

However, a network authentication protocol is of limited use if it can only be applied to local users: every account would still have to be created on each workstation by hand.

The s+c Authentication Package SCAP is a security support provider for Microsoft Windows® XP workstations. SCAP provides LDAP support to Windows XP by creating the necessary local user accounts on the fly from the user's LDAP entry. The actual authentication is passed through to Microsoft's Kerberos SSP.

Assumptions

All examples assume workstations and servers in the example.com DNS domain. The Kerberos realm is named EXAMPLE.COM and the LDAP base DN is dc=example,dc=com.

The Windows XP client is named xp.example.com, the KDCs are named kdc1.example.com through kdc3.example.com, and the kpasswd service runs on kdc1.example.com. The LDAP servers are ldap1.example.com through ldap3.example.com.

The user is called johndoe; the user's principal, johndoe@EXAMPLE.COM, is assumed to already exist.

Prerequisites

You must install and configure Microsoft's Kerberos 5 Interoperability software (ksetup). To do so, install the Support Tools from any Windows XP installation CD and choose a complete install.

Host Principal

Create a host principal on your UNIX KDC for your XP workstation:

kadmin> addprinc -e arcfour-hmac-md5:normal,des-cbc-md5:normal host/xp.example.com

Enter a random password; you will need it again for ksetup /SetComputerPassword below.

If your Kerberos V implementation does not support arcfour-hmac-md5, just use "-e des-cbc-md5:normal". Note that single DES is cryptographically weak and is disabled by default on current KDCs; fall back to it only if there is no alternative.

Client Configuration

Configure Kerberos 5 Interoperability on your XP workstation according to http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EEAA

ksetup /SetRealm EXAMPLE.COM
ksetup /AddKdc EXAMPLE.COM kdc1.example.com
ksetup /AddKdc EXAMPLE.COM kdc2.example.com
ksetup /AddKdc EXAMPLE.COM kdc3.example.com
ksetup /AddKpasswd EXAMPLE.COM kdc1.example.com
ksetup /MapUser * *
ksetup /SetComputerPassword (random password from above)

Ensure the clock of your XP workstation is in sync with the clocks of your KDCs; Kerberos rejects requests whose clock skew exceeds the KDC's limit (five minutes by default).

Ensure the full computer name shown under My Computer > Properties > Computer Name is xp.example.com, i.e. the host name including the DNS suffix example.com.

Create a local user whose name matches the existing Kerberos principal name johndoe; the "ksetup /MapUser * *" rule above maps every principal to the local account of the same name.

Reboot.

Log on to the Kerberos realm EXAMPLE.COM as johndoe to verify that Kerberos logon works before installing SCAP.

SCAP Installation

Automatic Installation

Currently there is no installer wizard available.

Manual Installation

Software

Simply copy sspap3.dll to %SYSTEMROOT%\SYSTEM32

Minimal LDAP configuration

Create the following key in the Windows registry:

HKLM\Software\Science + Computing\scap

All of scap's configuration will be stored below this key.

Configure your LDAP base DN by creating this value:

basedn REG_SZ dc=example,dc=com

Define your LDAP server(s) by creating this REG_MULTI_SZ value:

Servers REG_MULTI_SZ
 ldap1.example.com
 ldap2.example.com
 ldap3.example.com

To activate the SSP, replace kerberos with sspap3 in the following registry value. Note the original value before editing it: if sspap3.dll cannot be loaded, Kerberos logons will fail until the value is restored (local logons through msv1_0 remain possible).

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Security Packages REG_MULTI_SZ
 sspap3
 msv1_0
 schannel
 wdigest

Reboot your XP workstation.

Now any POSIX user in the LDAP directory who has a corresponding Kerberos principal should be able to log on.

More sophisticated configurations

LDAP search with authentication

Add the credentials used to bind for LDAP searches to the following registry values. The password is stored in clear text, so use a dedicated account with read-only access to the user entries and restrict the ACL on the scap key so that only the system and administrators can read it:

binddn REG_SZ cn=nss,dc=example,dc=com
binpasswd REG_SZ secret

Home path

The LDAP SSP sets the user's home path according to one of the following sources (highest precedence mentioned first):

  1. the user's LDAP attribute sambaHomePath (samba)

  2. the user's LDAP attribute homeDirectory (POSIX)

  3. the module's registry value REG_SZ homepath

All occurrences of "/" are replaced by "\" automatically, e.g. homeDirectory=/home/johndoe will yield a home path of "\home\johndoe".

The resulting string may be postprocessed with rules stored in REG_MULTI_SZ values named homepathreplace<number>, i.e. homepathreplace0, homepathreplace1, and so on.

If the first string of a rule matches the beginning (the left end) of the current home path, the matched prefix is replaced by the second string.

Applied to "\home\johndoe", the following set of rules

REG_MULTI_SZ homepathreplace0 "\home\" "\\homeserver\homeshare\"
REG_MULTI_SZ homepathreplace1 "\home2\" "\\homeserver\home2\"

will yield a home path of "\\homeserver\homeshare\johndoe".

If you use a logon script to connect the share holding all the homes to H:, then use

REG_MULTI_SZ homepathreplace0 "\home\" "H:\"

which will result in H:\johndoe.

Home Drive

The LDAP SSP sets the user's home drive according to one of the following sources (highest precedence mentioned first):

  1. the user's LDAP attribute sambaHomeDrive (samba)

  2. the module's registry value REG_SZ homedrive

There are no rewriting rules for the home drive.

Use a home drive if you connect a share holding exactly the user's home.

Profile Path

The LDAP SSP sets the path to the user's profile according to one of the following sources (highest precedence mentioned first):

  1. the user's LDAP attribute sambaProfilePath (samba)

  2. if a home drive has been supplied in the previous section:

    the module's registry value REG_SZ profilepath with the home drive prepended

  3. the module's registry value REG_SZ profilepath appended to the home path from above, with postprocessing.

Postprocessing rules for case 3 work as homepathreplace<number> does, but are called profilereplace<number>. There are no rewriting rules for cases 1 or 2.

Examples:

  1. If the user has an LDAP attribute sambaProfilePath=\\profileserver\profiles then that is used.

  2. If instead the REG_SZ profilepath has been set to "\profiles", and a home drive "D:" has been supplied in the previous section, "D:\profiles" is used.

  3. If neither sambaProfilePath is defined in LDAP nor a home drive has been supplied, the home path from above is used, REG_SZ profilepath is appended and postprocessing applies.

    Say the home path were \\homeserver\homepath\johndoe, profilepath the empty string and
    profilereplace0 REG_MULTI_SZ "\\homeserver\homepath\" "\\profileserver\profiles\"
    the resulting profile path would be \\profileserver\profiles\johndoe

Logonscript

The LDAP SSP sets the path to the user's logon script according to one of the following sources (highest precedence mentioned first):

  1. the user's LDAP attribute sambaLogonScript (samba)

  2. the module's registry value REG_SZ logonscript
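
As an added illustration of the precedence and rewrite rules for the home path, home drive, profile path and logon script described in the sections above (example code written for this page, not SCAP's own code), the following Python models the registry as a plain dict and each homepathreplace/profilereplace value as a (match, replacement) pair. It assumes that rules are tried in numeric order, that every rule whose first string is a prefix of the current path is applied, that numbering stops at the first missing index, and that prefix matching is case-sensitive; the page does not specify these points.

```python
"""Model of SCAP's home path / home drive / profile path / logon script resolution.

Added example, not SCAP's own code. The registry is a dict; rewrite rule values
(homepathreplaceN, profilereplaceN) are (match, replacement) tuples. Assumptions:
rules are tried in numeric order against the current path, each matching rule is
applied, numbering stops at the first gap, and prefix matching is case-sensitive.
"""


def _first_present(ldap, *attrs):
    """Return the first non-empty LDAP attribute value among attrs, else None."""
    for attr in attrs:
        value = ldap.get(attr)
        if value:
            return value
    return None


def apply_rewrite_rules(path, reg, prefix):
    """Apply reg[prefix + '0'], reg[prefix + '1'], ... as left-anchored rewrites.

    Each rule is a (match, replacement) pair; when `match` is a prefix of the
    current path, that prefix is replaced by `replacement`.
    """
    index = 0
    while f"{prefix}{index}" in reg:
        match, replacement = reg[f"{prefix}{index}"]
        if match and path.startswith(match):
            path = replacement + path[len(match):]
        index += 1
    return path


def resolve_home_path(ldap, reg):
    """sambaHomePath > homeDirectory > registry homepath; '/' -> '\\'; then homepathreplaceN."""
    path = _first_present(ldap, "sambaHomePath", "homeDirectory") or reg.get("homepath", "")
    path = path.replace("/", "\\")
    return apply_rewrite_rules(path, reg, "homepathreplace")


def resolve_home_drive(ldap, reg):
    """sambaHomeDrive > registry homedrive; no rewrite rules."""
    return _first_present(ldap, "sambaHomeDrive") or reg.get("homedrive", "")


def resolve_profile_path(ldap, reg, home_path, home_drive):
    """sambaProfilePath > homedrive + profilepath > homepath + profilepath with profilereplaceN."""
    samba_profile = _first_present(ldap, "sambaProfilePath")
    if samba_profile:
        return samba_profile
    profile = reg.get("profilepath", "")
    if home_drive:
        return home_drive + profile
    return apply_rewrite_rules(home_path + profile, reg, "profilereplace")


def resolve_logon_script(ldap, reg):
    """sambaLogonScript > registry logonscript."""
    return _first_present(ldap, "sambaLogonScript") or reg.get("logonscript", "")


def resolve_environment(ldap, reg):
    """Compute all four logon settings for one user entry."""
    home_path = resolve_home_path(ldap, reg)
    home_drive = resolve_home_drive(ldap, reg)
    return {
        "homepath": home_path,
        "homedrive": home_drive,
        "profilepath": resolve_profile_path(ldap, reg, home_path, home_drive),
        "logonscript": resolve_logon_script(ldap, reg),
    }


if __name__ == "__main__":
    # Constructed sample data: johndoe's POSIX entry and the rules from the text above.
    johndoe = {"uid": "johndoe", "homeDirectory": "/home/johndoe"}
    registry = {
        "homepathreplace0": ("\\home\\", "\\\\homeserver\\homeshare\\"),
        "homepathreplace1": ("\\home2\\", "\\\\homeserver\\home2\\"),
        "profilepath": "",
        "profilereplace0": ("\\\\homeserver\\homeshare\\", "\\\\profileserver\\profiles\\"),
        "logonscript": "logon.bat",
    }
    for key, value in resolve_environment(johndoe, registry).items():
        print(f"{key:12} {value}")
```

Running the script prints the four settings for the constructed johndoe entry; with the rules shown, the home path becomes \\homeserver\homeshare\johndoe and the profile path \\profileserver\profiles\johndoe, matching the examples in the text. Because matching is left-anchored, a rule for "\home\" does not touch "\home2\janedoe", which is why a separate homepathreplace1 is needed for a second home tree.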

Downloads and Project

The SourceForge project can be accessed here: http://sourceforge.net/projects/sc-ap.

The sources are in CVS. Modulename is "sc-ap".