From owner-freebsd-chat  Fri Oct  6 12: 9:14 2000
Delivered-To: freebsd-chat@freebsd.org
Received: from smtp03.primenet.com (smtp03.primenet.com [206.165.6.133])
	by hub.freebsd.org (Postfix) with ESMTP id 690C037B502;
	Fri, 6 Oct 2000 12:09:11 -0700 (PDT)
Received: (from daemon@localhost)
	by smtp03.primenet.com (8.9.3/8.9.3) id MAA11561;
	Fri, 6 Oct 2000 12:07:37 -0700 (MST)
Received: from usr05.primenet.com(206.165.6.205)
	via SMTP by smtp03.primenet.com, id smtpdAAAfKaiCw;
	Fri Oct  6 12:07:27 2000
Received: (from tlambert@localhost)
	by usr05.primenet.com (8.8.5/8.8.5) id MAA20085;
	Fri, 6 Oct 2000 12:08:52 -0700 (MST)
From: Terry Lambert
Message-Id: <200010061908.MAA20085@usr05.primenet.com>
Subject: Re: .net threat ?
To: marko@FreeBSD.ORG (Mark Ovens)
Date: Fri, 6 Oct 2000 19:08:40 +0000 (GMT)
Cc: jcm@FreeBSD-uk.eu.org (j mckitrick), chat@FreeBSD.ORG
In-Reply-To: <20001006182849.E252@parish> from "Mark Ovens" at Oct 06, 2000 06:28:49 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> [ ... ] and Kerberos authentication (although they have slightly
> bastardized it by using an unused field without publishing its use).

They used a reserved field in a way specifically noted as being
incorrect usage of the field by the author of the field.

To be exact, they store an MS cookie there that cannot be used by a
non-MS system, and cannot be generated by a non-MS system.  This is
tantamount to storing an encrypted index key into the Domain
controller credential database, such that clients with the key are
treated differently (given additional services) from clients without
the key (denied additional services).

This means:

o	You can use an MS workstation as a kerberos client of MS
	kerberos, and get full service

o	You can use an MS workstation as a kerberos client of UNIX
	kerberos, and get decreased service

o	You can use a UNIX workstation as a kerberos client of MS
	kerberos, and get decreased service

o	You can use a UNIX workstation as a kerberos client of UNIX
	kerberos, and get decreased service

In other words, they are locking up the ability to provide the
domain controller associated services, and doing so in a standards
violating way.

This is different from merely "slightly bastardized", since if that
were the case, one could choose to "slightly bastardize" UNIX
kerberos clients and servers, and the problem would go away.

As it sits, it's now just one more thing that SAMBA and kerberos
people will have to reverse engineer, and given the bludgeon of
money and the U.S. Civil court system (c.v. Microsoft v. Stacker)
this work will have to take place outside the U.S. to be safe from
litigation based suppression of legally reverse engineered
compatibility code.

> They've also added some Unixisms as well; the 'runas' command (similar to
> su(1)),

This is easy; I did this in NT 3.x using a program that called
"impersonate()" before creating a task ("fork(); exec()" in UNIX
parlance).

> you can boot to a single-user command line,

Not impossible in NT 3.x, either, just a pain.

> and you can mount disks (drive letters) on a directory a la
> mount(8) (although the dir *must* be empty, so no over-mounting).

Trivial even in Windows 95, actually, by hooking IFSMgr calls.  I
wrote code to do this back in 1996.

I suspect the "overmounting" prohibition came from the file handle
conversion code, since this would fail, without some heroic
measures, should a file be open in the subhierarchy you are mounting
over.

There are actually ways to work around this (I wrote that code, too,
to permit relocation of data from the C: drive, where everything
wants to install, in order to overcome space limitations; as far as
the code was concerned, it still believed it was on the C: drive,
when it was actually elsewhere).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
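Added example, not part of the message above and not code from Terry Lambert, Microsoft or any Kerberos implementation. It shows what the "MS cookie in a reserved field" looks like to a non-MS consumer of the ticket. Assumptions it makes that the post does not state: the field is the ticket's AuthorizationData (RFC 4120 section 5.2.6); Microsoft carries its PAC there as ad-type 128 (AD-WIN2K-PAC) wrapped in AD-IF-RELEVANT (ad-type 1), and RFC 4120 lets an application server ignore an AD-IF-RELEVANT element whose inner type it does not understand, while an unknown element outside that wrapper is given no such latitude. The PAC bytes and the second element (type 200) are constructed placeholders; the DER helpers, `encode_authorization_data`, `decode_authorization_data`, `classify` and `build_sample` are names invented for this example.

```python
"""Walk a Kerberos ticket's AuthorizationData the way a non-MS
application server would, and see the vendor blob as opaque bytes.

Assumptions (not from the mailing-list post): AuthorizationData per
RFC 4120 5.2.6; MS PAC = ad-type 128 inside AD-IF-RELEVANT (ad-type 1).
The PAC payload here is a constructed placeholder, not a real PAC.
"""

AD_IF_RELEVANT = 1      # RFC 4120 5.2.6.1: contents may be ignored if not understood
AD_WIN2K_PAC = 128      # MS-PAC: opaque to, and ungeneratable by, non-MS systems

VERDICT_IGNORABLE = "inside AD-IF-RELEVANT: opaque, may be ignored"
VERDICT_REJECT = "top-level, not understood: cannot be silently ignored"

FAKE_PAC = b"\x00" * 16  # constructed placeholder for the MS blob


# --- minimal DER helpers (definite short and long lengths only) ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    # Two's-complement, minimal length: 128 needs a leading 0x00 byte.
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- AuthorizationData ::= SEQUENCE OF SEQUENCE {
#         ad-type [0] Int32, ad-data [1] OCTET STRING }

def encode_authorization_data(elements) -> bytes:
    """elements: iterable of (ad_type, ad_data bytes)."""
    items = b"".join(
        _tlv(0x30, _tlv(0xA0, _tlv(0x02, _der_int(ad_type)))
                 + _tlv(0xA1, _tlv(0x04, ad_data)))
        for ad_type, ad_data in elements)
    return _tlv(0x30, items)


def decode_authorization_data(der: bytes):
    """Return a list of (ad_type, ad_data) from a DER AuthorizationData."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, elem, pos = _read_tlv(seq, pos)
        t0, ctx0, p = _read_tlv(elem, 0)      # [0] ad-type
        t1, ctx1, _ = _read_tlv(elem, p)      # [1] ad-data
        if (tag, t0, t1) != (0x30, 0xA0, 0xA1):
            raise ValueError("malformed AuthorizationData element")
        _, int_body, _ = _read_tlv(ctx0, 0)
        _, data, _ = _read_tlv(ctx1, 0)
        out.append((int.from_bytes(int_body, "big", signed=True), data))
    return out


def classify(der: bytes):
    """Unwrap AD-IF-RELEVANT and mark its contents ignorable; flag any
    top-level type this (non-MS) consumer does not understand."""
    verdicts = []
    for ad_type, data in decode_authorization_data(der):
        if ad_type == AD_IF_RELEVANT:
            for inner_type, inner_data in decode_authorization_data(data):
                verdicts.append((inner_type, VERDICT_IGNORABLE, len(inner_data)))
        else:
            verdicts.append((ad_type, VERDICT_REJECT, len(data)))
    return verdicts


def build_sample() -> bytes:
    """Constructed ticket authorization data: an MS-style PAC wrapper plus
    one unknown top-level element (type 200) for contrast."""
    pac_wrapper = encode_authorization_data([(AD_WIN2K_PAC, FAKE_PAC)])
    return encode_authorization_data([(AD_IF_RELEVANT, pac_wrapper),
                                      (200, b"abc")])


if __name__ == "__main__":
    for ad_type, verdict, size in classify(build_sample()):
        print(f"ad-type {ad_type:3d}: {verdict} ({size} bytes)")
```

The point the walk makes concrete: a UNIX consumer can parse right up to the PAC and then has nothing to do with it but skip it, which is exactly the "decreased service" in the list above; the wrapper is what keeps the ticket usable at all, since the same bytes at the top level would have to be treated as an element the server does not understand.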