SCAP
s+c LDAP Authentication Package for the Microsoft Kerberos security support provider
Motivation
Microsoft Windows® offers authentication against external Kerberos realms for local users (Kerberos 5 Interoperability, krb5 1.0). However, a network authentication protocol appears rather useless if it can only be applied to local users.
The s+c Authentication Package SCAP is a security support provider for Microsoft Windows® XP workstations. SCAP provides LDAP support to Windows XP by creating the necessary local user accounts on the fly. The actual authentication task is passed through to Microsoft's Kerberos SSP.
Assumptions
All examples assume workstations and servers in the example.com DNS domain. The Kerberos realm is named EXAMPLE.COM, the LDAP base DN is dc=example,dc=com. The Windows XP client is named xp.example.com, the KDCs are named kdc1.example.com through kdc3.example.com, and the kpasswd service runs on kdc1.example.com. The LDAP servers are ldap1.example.com through ldap3.example.com.
The user is called johndoe; the user's principal is johndoe@EXAMPLE.COM and is assumed to already exist.
Prerequisites
You must install and configure Microsoft's Kerberos 5 Interoperability Software. To do so, install the support tools from any Windows XP installation CD and choose a complete install.
Host Principal
Create a host principal on your UNIX KDC for your XP workstation:
kadmin> addprinc -e arcfour-hmac-md5:normal,des-cbc-md5:normal host/xp.example.com
Enter a random password; you will need it again for ksetup /SetComputerPassword below.
If your Kerberos V implementation does not support arcfour-hmac-md5, just use “-e des-cbc-md5:normal”.
Client Configuration
Configure Kerberos 5 Interoperability on your XP workstation according to http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EEAA
ksetup /SetRealm EXAMPLE.COM
ksetup /AddKdc EXAMPLE.COM kdc1.example.com
ksetup /AddKdc EXAMPLE.COM kdc2.example.com
ksetup /AddKdc EXAMPLE.COM kdc3.example.com
ksetup /AddKpasswd EXAMPLE.COM kdc1.example.com
ksetup /MapUser * *
ksetup /SetComputerPassword (random password from above)
Ensure the time of your XP workstation is in sync with the time of your KDCs.
Ensure the full computer name under My Computer → Properties → Computer Name is xp.example.com.
Create a local user matching the existing Kerberos principal name johndoe.
Reboot.
Log on to the Kerberos realm EXAMPLE.COM as johndoe.
SCAP Installation
Automatic Installation
Currently there is no installer wizard available.
Manual Installation
Software
Simply copy sspap3.dll to %SYSTEMROOT%\SYSTEM32.
Minimal LDAP configuration
Create the following key in the Windows registry:
HKLM\Software\Science + Computing\scap
All of scap's configuration will be stored below this key.
Configure your LDAP base DN by creating this value:
basedn REG_SZ dc=example,dc=com
Define your LDAP server(s) by creating this REG_MULTI_SZ value:
Servers REG_MULTI_SZ
ldap1.example.com
ldap2.example.com
ldap3.example.com
To activate the SSP, replace Kerberos by sspap3 in this registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Security Packages REG_MULTI_SZ
sspap3
msv1_0
schannel
wdigest
Reboot your XP workstation.
Now any POSIX user in the LDAP directory that has a corresponding Kerberos principal should be able to log on.
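The registry changes of this section, assembled into a regedit import file as an added example (not part of SCAP): it encodes the REG_MULTI_SZ values in the hex(7) form regedit expects, so the server list does not have to be typed byte by byte, and it swaps sspap3 in for Kerberos in the LSA Security Packages list you have read from the workstation beforehand, refusing to produce a file if Kerberos is not there or sspap3 is already present (writing a fixed list instead would silently drop packages the machine already has). Key and value names are the ones documented above; the server list and the current package list used as input are constructed.

```python
# Added example (not part of SCAP): render the minimal SCAP registry
# configuration as a regedit import file. Key and value names are the ones
# documented above; the sample server list and the current LSA package list
# are constructed for illustration.


def reg_multi_sz_hex(strings):
    """Encode a REG_MULTI_SZ for a .reg file: hex(7), UTF-16LE, a NUL after
    each string and one more NUL closing the list."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data += b"\x00\x00"
    return "hex(7):" + ",".join("%02x" % byte for byte in data)


def reg_sz(value):
    """Quote a REG_SZ for a .reg file; backslashes and quotes are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def swap_security_package(packages, old="kerberos", new="sspap3"):
    """Replace `old` by `new` in the LSA Security Packages list, keeping the
    order of the other packages. Refuses to run when `old` is missing or
    `new` is already listed, so a second import cannot duplicate the entry."""
    lowered = [p.lower() for p in packages]
    if old.lower() not in lowered:
        raise ValueError("%s is not in Security Packages; nothing to replace" % old)
    if new.lower() in lowered:
        raise ValueError("%s is already in Security Packages" % new)
    return [new if p.lower() == old.lower() else p for p in packages]


def render_scap_reg(basedn, servers, current_packages):
    """Return the text of a .reg file that creates the scap key with basedn
    and Servers and activates sspap3 in place of Kerberos.
    current_packages is the list read from the workstation beforehand."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\Software\Science + Computing\scap]",
        '"basedn"=' + reg_sz(basedn),
        '"Servers"=' + reg_multi_sz_hex(servers),
        "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
        '"Security Packages"=' + reg_multi_sz_hex(swap_security_package(current_packages)),
    ]
    return "\r\n".join(lines) + "\r\n"


def write_reg(path, text):
    """regedit writes version-5 .reg files as UTF-16 with a BOM; do the same."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


# Constructed sample input, matching the example.com assumptions above.
SAMPLE_SERVERS = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]
# The package list as read from the workstation before the change (constructed).
SAMPLE_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest"]

if __name__ == "__main__":
    print(render_scap_reg("dc=example,dc=com", SAMPLE_SERVERS, SAMPLE_PACKAGES))
```

Read the current Security Packages value from the workstation and pass it in as the third argument; the generated file then preserves every package besides Kerberos in its existing order.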
More sophisticated configurations
LDAP search with authentication
Add the credentials used to bind for LDAP searches to the following registry values:
binddn REG_SZ cn=nss,dc=example,dc=com
binpasswd REG_SZ secret
Home path
The LDAP SSP sets the user's homepath according to one of the following attributes (highest precedence mentioned first):
the user's LDAP attribute sambaHomePath (samba)
the user's LDAP attribute homeDirectory (POSIX)
the module's registry value REG_SZ homepath
The resulting string may be postprocessed with rules stored in REG_MULTI_SZ registry values named "homepathreplace(number)".
If the first string of such a value matches the left end of the current homepath, the matched part is replaced by the second string.
Applied to "\home\johndoe" the following set of rules
REG_MULTI_SZ homepathreplace0 "\home\" "\\homeserver\homeshare\"
REG_MULTI_SZ homepathreplace1 "\home2\" "\\homeserver\home2\"
will yield a homepath of "\\homeserver\homeshare\johndoe".
If you use a logon script to connect the share holding all the homes to H:, then use
REG_MULTI_SZ homepathreplace0 "\home\" "H:\"
which will result in H:\johndoe.
Home Drive
The LDAP SSP sets the user's homedrive according to one of the following attributes (highest precedence mentioned first):
the user's LDAP attribute sambaHomeDrive (samba)
the module's registry value REG_SZ homedrive
Use Home Drive if you connect a share holding exactly the user's home.
Profile Path
The LDAP SSP sets the path to the user's profile according to one of the following attributes (highest precedence mentioned first):
the user's LDAP attribute sambaProfilePath (samba)
if a home drive has been supplied in the previous section:
the module's registry value REG_SZ profilepath with the home drive prepended
otherwise: the module's registry value REG_SZ profilepath appended to the homepath from above, with postprocessing.
Examples:
If the user has an LDAP attribute sambaProfilePath=\\profileserver\profiles then that is used.
If instead the REG_SZ profilepath has been set to "\profiles", and a home drive "D:" has been supplied in the previous section, "D:\profiles" is used.
If neither sambaProfilePath is defined in LDAP nor a home drive has been supplied, the homepath from above is used, REG_SZ profilepath is appended and postprocessing applies.
Say homepath were \\homeserver\homepath\johndoe, profilepath the empty string and
profilereplace0 REG_MULTI_SZ "\\homeserver\homepath\" "\\profileserver\profiles\"
the resulting profile would be \\profileserver\profiles\johndoe.
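The precedence and postprocessing rules of the Home path, Home Drive and Profile Path sections, modelled in Python as an added example (not SCAP's own code). Where the text leaves a detail open, the model assumes that replace rules are tried in numeric order with the first matching rule winning, that the prefix comparison ignores case as Windows paths do, and that slashes are not translated (a POSIX homeDirectory is used exactly as stored). The LDAP entries and registry values it runs on are constructed.

```python
# Added example (not SCAP's own code): a model of how the LDAP SSP derives
# the home path, home drive and profile path from LDAP attributes and the
# module's registry values, including the homepathreplace(N) and
# profilereplace(N) postprocessing. Assumptions not stated on the page:
# rules are tried in numeric order and the first matching rule wins, the
# prefix comparison ignores case (as Windows paths do), and slashes are not
# translated, so a POSIX homeDirectory is used exactly as stored.
import re


def replace_rules(registry, name):
    """Collect the (prefix, replacement) pairs stored as <name>0, <name>1, ...
    and return them in numeric order."""
    pattern = re.compile(r"^" + re.escape(name) + r"(\d+)$")
    found = []
    for key, value in registry.items():
        match = pattern.match(key)
        if match:
            found.append((int(match.group(1)), tuple(value)))
    return [rule for _, rule in sorted(found)]


def apply_rules(path, rules):
    """If a rule's first string matches the left end of path, replace that
    part by the rule's second string. Unmatched paths are returned as-is."""
    for prefix, replacement in rules:
        if path.lower().startswith(prefix.lower()):
            return replacement + path[len(prefix):]
    return path


def home_path(entry, registry):
    """sambaHomePath, then homeDirectory, then the registry homepath value,
    followed by homepathreplace postprocessing."""
    raw = (entry.get("sambaHomePath")
           or entry.get("homeDirectory")
           or registry.get("homepath", ""))
    return apply_rules(raw, replace_rules(registry, "homepathreplace"))


def home_drive(entry, registry):
    """sambaHomeDrive, then the registry homedrive value; empty if neither."""
    return entry.get("sambaHomeDrive") or registry.get("homedrive", "")


def profile_path(entry, registry):
    """sambaProfilePath wins; otherwise profilepath is prepended with the
    home drive if there is one, else appended to the (postprocessed) home
    path and run through the profilereplace rules."""
    if entry.get("sambaProfilePath"):
        return entry["sambaProfilePath"]
    suffix = registry.get("profilepath", "")
    drive = home_drive(entry, registry)
    if drive:
        return drive + suffix
    return apply_rules(home_path(entry, registry) + suffix,
                       replace_rules(registry, "profilereplace"))


# Constructed sample data (not taken from a real directory or workstation).
LDAP_JOHNDOE = {"uid": "johndoe", "sambaHomePath": "\\home\\johndoe"}
LDAP_JANEDOE = {"uid": "janedoe", "homeDirectory": "/home/janedoe",
                "sambaHomeDrive": "P:",
                "sambaProfilePath": "\\\\profileserver\\profiles\\janedoe"}

# Homes reached by UNC path, profiles on a second server.
REGISTRY_UNC = {
    "homepathreplace0": ("\\home\\", "\\\\homeserver\\homeshare\\"),
    "homepathreplace1": ("\\home2\\", "\\\\homeserver\\home2\\"),
    "profilereplace0": ("\\\\homeserver\\homeshare\\", "\\\\profileserver\\profiles\\"),
}
# A logon script connects the share holding all homes to H:.
REGISTRY_H = {"homepathreplace0": ("\\home\\", "H:\\")}
# A share holding exactly the user's home is connected as D:.
REGISTRY_D = {"homedrive": "D:", "profilepath": "\\profiles"}

if __name__ == "__main__":
    for registry in (REGISTRY_UNC, REGISTRY_H, REGISTRY_D):
        for entry in (LDAP_JOHNDOE, LDAP_JANEDOE):
            print(entry["uid"], home_path(entry, registry),
                  home_drive(entry, registry) or "-", profile_path(entry, registry))
```

Running it shows the three configurations side by side: johndoe ends up with \\homeserver\homeshare\johndoe and \\profileserver\profiles\johndoe under REGISTRY_UNC, with H:\johndoe under REGISTRY_H, and with D:\profiles as profile under REGISTRY_D, while janedoe's samba attributes take precedence over every registry value.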
Logonscript
The LDAP SSP sets the path to the user's logon script according to one of the following attributes (highest precedence mentioned first):
the user's LDAP attribute sambaLogonScript (samba)
the module's registry value REG_SZ logonscript
Downloads and Project
The SourceForge project can be accessed here: http://sourceforge.net/projects/sc-ap. The sources are in CVS; the module name is "sc-ap".