Scaling NT To The Campus

Integrating NT into the MIT Computing Environment

Danilo Almeida, MIT

What do we mean by scaling?

There are several possible metrics that can be used.

We are concerned with the basic academic computing environment which is used by most students at MIT.

Our present environment is Athena.

What is Athena?

Athena is a heterogeneous distributed computing environment.

• Objects managed via a database– 30,000 users– 60,000-80,000 computers

• Security– Kerberos v4 and v5 environment

Athena

• Distributed file system (AFS)– user files– some software run out of AFS

• Single-user workstations running one of many OSes (Solaris, IRIX, others)– single-user– serial reusability– software can be remotely updated

Driving scaling metrics

• Ability to manage a “large” number of user accounts– Where “large” is >30,000

• Ability to manage a “large” number of workstations– Where the goal of “large” is >10,000

• Do this with a small support staff (low cost)– less than linear growth

Driving scaling metrics - cost

• Sustainability– Ability to sustain the system - includes the

recurring costs, or vendor imposed upgrade costs. This must be part of the business model.

• TCO - Total Cost of Ownership– stop making the users constantly reinstall or

reconfigure the software– don’t ignore the costs of your central staff

Ignored scaling metrics

• Transactions per second

• Concurrent user connections

• Analyzing massive data sets

Objects

• Users– must be global

• Resources– servers– printers– other information

Global Users - Problem

• UNIX– standard applications use the passwd file and

don’t care (UID is UID…)

• NT– standard applications look up the user and can

tell whether user is local or global (domain) (SIDs are machine/domain-relative)

Global Users - Solution

• UNIX– At logon, populate local machine’s passwd file

with that user’s information from database

• NT– puts users in domain

Resources

• Servers & Printers– already using distributed file system– have our own printing infrastructure– departments may have their own, but not

necessary globally

• Other information– Windows 2000 applications may store site-wide

configuration information

Some NT 4.0 scaling limits

• Limits imposed by Domain Controller– 40MB of objects or about 25,000 users– MIT has 30,000 users and 60,000 to 80,000

computers

• Trust relationship overcome the limitation– In larger installations, Windows NT Server

customers create multiple domains within their organizations and establish trust relationships between them.

Resource domains and trust

Master User Domain(All User Accounts)

Resource Domain “A”(Departmental Servers, Printers, etc)

Resource Domain “B”(Departmental Servers, Printers, etc)

Resource Domain “C”(Departmental Servers, Printers, etc)

Trust

Trust

Trust

Windows 2000 scaling?

• No practical limits?– Microsoft believes there are no practical limits to

the amount of objects that could be loaded into the Active Directory.

• Limiting Factors – the overhead of replication traffic over the network

– the speed at which object data can be backed up and restored for disaster recovery purposes

Security

Security at MIT

• Kerberos v4

• Kerberos v5

• GSS API (for Kerberos v5)

• X.509 Certificates (new)

Kerberos issues facing MIT

• Windows 2000 will use Kerberos v5 as the default authentication mechanism

• No support for v4

• No support for GSS API

• Microsoft KDC required for domains– MS domain controller = KDC + ADS

• Limited interoperability with MIT’s Kerberos v5 reference implementation

On the positive side

• Stronger than today’s NTLM

• Forwarding tickets allows impersonation

• Optional use of public key technology to obtain Kerberos tickets

Microsoft Kerberized Services

• Using Kerberos to distribute keys for proprietary version of – IPSec– Secure DNS and DHCP

• Any service that uses the SSPI, e.g. Exchange Server

Other Interoperability issues

• No DCE interoperability

• NT KDC can be used to support existing v5 clients and hosts as long as DES-CBC-MD5 or DES-CBC-

CRC encryption types are used for authentication.

• UNIX client applications using the GSS-API can obtain session tickets

• Interoperability requires a North American version of Windows 2000

Domain vs. local account

• NT workstations can be configured to use an MIT Kerberos server with single sign on to the MIT KDC but only with a local account.

What’s the Problem?

• Microsoft added a “PAC” to the Kerberos 5 ticket

• Contains group membership information for the user

• Not compatible with the DCE PAC

• Microsoft PAC format is not currently public

Some Beta 2 issues

• Only DES-CBC-MD5 and DES-CBC-CRC are implemented.

• User-to-user authentication is not implemented.

• Hierarchical realm support for cross-platform trust is not implemented.

• But, transitive trust between NT domains in a tree is supported.

Solving the problem

• Two possible solutions– Add support for MS PAC’s in the MIT KDC– The Cross-realm hack

• Microsoft developers prefer the second solution.

Add PAC Support to MIT KDC

• Requires Microsoft disclosure of the PAC format– Promised by Microsoft– post beta 2 changed to post beta 3

• This solution still requires that the KDC obtain the group information from the ADS somehow (probably using LDAP)

The Cross-Realm Hack

• Preferred by the MS developers

• Put the servers and users in different realms; users in the original Kerberos realm, and servers in another realm.

• Users get initial tickets in the client (original realm)

• NT Servers and Workstations have identities in the server (NT Domain) realm

Comparing the Solutions

• Both will work

• Cross-realm hack’s advantages– Does not require as much custom development

• MIT KDC solution’s advantages– Don’t have to put the KDC on an NT server– Support for Kerberos V4 and DCE– Site has more control over its destiny

Open Questions

• How committed is Microsoft to Kerberos interoperability?– Beta 2 is incompatible out of the box– Requires registry changes to make it work

• How difficult will it be to configure the proposed cross-realm hack?

• We are continuing to work with Microsoft --- stay tuned.

Distributed File System

• AFS is currently available on NT 3.51 and 4.0 and will be available for Windows 2000

Workstation

• Remote installation and upgrades– operating system and patches– application software

• Serial Reusability– A previous user’s actions or changes should not

affect the next user who logs in.

• Low TCO– stop making the users constantly reinstall or

reconfigure the software.

Microsoft on lowering TCO

• Lockdown - restrict the user to a subset of the system’s functionality

Problem:

An academic environment encourages experimentation and openness. This diametrically opposed to Microsoft’s approach.

Security’s impact on lockdown

• Threat analysis– “We have met the enemy and they are us.”– Physical access to the network and end user’s machines by hostile

users is a reality

• Implications– Lockdown will be subverted

• Athena’s solution:– Remove the challenge

Challenges

• Minimize impact on current Athena infrastructure– feed Active Directory from Athena database– use Athena KDC

• Windows 2000 Workstation– OS installation and upgrades– Software installation– Automated cleanup for serial reuse

Questions?