Scaling NT To The Campus
Integrating NT into the MIT Computing Environment
Danilo Almeida, MIT

What do we mean by scaling?
There are several possible metrics that can be used.
We are concerned with the basic academic computing environment which is used by most students at MIT.
Our present environment is Athena.

What is Athena?
Athena is a heterogeneous distributed computing environment.
Objects managed via a database
  – 30,000 users
  – 60,000-80,000 computers
Security
  – Kerberos v4 and v5 environment

Athena
Distributed file system (AFS)
  – user files
  – some software run out of AFS
Single-user workstations running one of many OSes (Solaris, IRIX, others)
  – single-user
  – serial reusability
  – software can be remotely updated

Driving scaling metrics
Ability to manage a “large” number of user accounts
  – Where “large” is >30,000
Ability to manage a “large” number of workstations
  – Where the goal of “large” is >10,000
Do this with a small support staff (low cost)
  – less than linear growth

Driving scaling metrics - cost
Sustainability
  – Ability to sustain the system - includes the recurring costs, or vendor-imposed upgrade costs. This must be part of the business model.
TCO - Total Cost of Ownership
  – stop making the users constantly reinstall or reconfigure the software
  – don’t ignore the costs of your central staff

Ignored scaling metrics
Transactions per second
Concurrent user connections
Analyzing massive data sets

Objects
Users
  – must be global
Resources
  – servers
  – printers
  – other information

Global Users - Problem
UNIX
  – standard applications use the passwd file and don’t care (UID is UID…)
NT
  – standard applications look up the user and can tell whether the user is local or global (domain) (SIDs are machine/domain-relative)

Global Users - Solution
UNIX
  – At logon, populate the local machine’s passwd file with that user’s information from the database
NT
  – puts users in the domain

Resources
Servers & Printers
  – already using distributed file system
  – have our own printing infrastructure
  – departments may have their own, but not necessarily globally
Other information
  – Windows 2000 applications may store site-wide configuration information

Some NT 4.0 scaling limits
Limits imposed by Domain Controller
  – 40MB of objects or about 25,000 users
  – MIT has 30,000 users and 60,000 to 80,000 computers
Trust relationships overcome the limitation
  – In larger installations, Windows NT Server customers create multiple domains within their organizations and establish trust relationships between them.

Resource domains and trust

Windows 2000 scaling?
No practical limits?
  – Microsoft believes there are no practical limits to the number of objects that could be loaded into the Active Directory.
Limiting Factors
  – the overhead of replication traffic over the network
  – the speed at which object data can be backed up and restored for disaster recovery purposes

Security
Security at MIT
  – Kerberos v4
  – Kerberos v5
  – GSS API (for Kerberos v5)
  – X.509 Certificates (new)

Kerberos issues facing MIT
Windows 2000 will use Kerberos v5 as the default authentication mechanism
No support for v4
No support for GSS API
Microsoft KDC required for domains
  – MS domain controller = KDC + ADS
Limited interoperability with MIT’s Kerberos v5 reference implementation

On the positive side
Stronger than today’s NTLM
Forwarding tickets allows impersonation
Optional use of public key technology to obtain Kerberos tickets

Microsoft Kerberized Services
Using Kerberos to distribute keys for proprietary versions of
  – IPSec
  – Secure DNS and DHCP
Any service that uses the SSPI, e.g. Exchange Server

Other Interoperability issues
No DCE interoperability
NT KDC can be used to support existing v5 clients and hosts as long as DES-CBC-MD5 or DES-CBC-CRC encryption types are used for authentication.
UNIX client applications using the GSS-API can obtain session tickets
Interoperability requires a North American version of Windows 2000

Domain vs. local account
NT workstations can be configured to use an MIT Kerberos server with single sign on to the MIT KDC, but only with a local account.

What’s the Problem?
Microsoft added a “PAC” to the Kerberos 5 ticket
Contains group membership information for the user
Not compatible with the DCE PAC
Microsoft PAC format is not currently public

Some Beta 2 issues
Only DES-CBC-MD5 and DES-CBC-CRC are implemented.
User-to-user authentication is not implemented.
Hierarchical realm support for cross-platform trust is not implemented.
But, transitive trust between NT domains in a tree is supported.

Solving the problem
Two possible solutions
  – Add support for MS PACs in the MIT KDC
  – The Cross-realm hack
Microsoft developers prefer the second solution.

Add PAC Support to MIT KDC
Requires Microsoft disclosure of the PAC format
  – Promised by Microsoft
  – post beta 2, changed to post beta 3
This solution still requires that the KDC obtain the group information from the ADS somehow (probably using LDAP)

The Cross-Realm Hack
Preferred by the MS developers
Put the servers and users in different realms: users in the original Kerberos realm, and servers in another realm.
Users get initial tickets in the client (original) realm
NT Servers and Workstations have identities in the server (NT Domain) realm

Comparing the Solutions
Both will work
Cross-realm hack’s advantages
  – Does not require as much custom development
MIT KDC solution’s advantages
  – Don’t have to put the KDC on an NT server
  – Support for Kerberos V4 and DCE
  – Site has more control over its destiny

Open Questions
How committed is Microsoft to Kerberos interoperability?
  – Beta 2 is incompatible out of the box
  – Requires registry changes to make it work
How difficult will it be to configure the proposed cross-realm hack?
We are continuing to work with Microsoft -- stay tuned.

Distributed File System
AFS is currently available on NT 3.51 and 4.0 and will be available for Windows 2000

Workstation
Remote installation and upgrades
  – operating system and patches
  – application software
Serial Reusability
  – A previous user’s actions or changes should not affect the next user who logs in.
Low TCO
  – stop making the users constantly reinstall or reconfigure the software.

Microsoft on lowering TCO
Lockdown - restrict the user to a subset of the system’s functionality
Problem: An academic environment encourages experimentation and openness. This is diametrically opposed to Microsoft’s approach.

Security’s impact on lockdown
Threat analysis
  – “We have met the enemy and they are us.”
  – Physical access to the network and end users’ machines by hostile users is a reality
Implications
  – Lockdown will be subverted
Athena’s solution:
  – Remove the challenge

Challenges
Minimize impact on current Athena infrastructure
  – feed Active Directory from Athena database
  – use Athena KDC
Windows 2000 Workstation
  – OS installation and upgrades
  – Software installation
  – Automated cleanup for serial reuse

Questions?