Scaling NT To The Campus Integrating NT into the MIT Computing Environment Danilo Almeida, MIT What do we mean by scaling? There are several possible metrics that can be used. We are concerned with the basic academic computing environment which is used by most students at MIT. Our present environment is Athena. What is Athena? Athena is a heterogeneous distributed computing environment. • Objects managed via a database – 30,000 users – 60,000-80,000 computers • Security – Kerberos v4 and v5 environment Athena • Distributed file system (AFS) – user files – some software run out of AFS • Single-user workstations running one of many OSes (Solaris, IRIX, others) – single-user – serial reusability – software can be remotely updated Driving scaling metrics • Ability to manage a “large” number of user accounts – Where “large” is >30,000 • Ability to manage a “large” number of workstations – Where the goal of “large” is >10,000 • Do this with a small support staff (low cost) – less than linear growth Driving scaling metrics - cost • Sustainability – Ability to sustain the system - includes the recurring costs, or vendor imposed upgrade costs. This must be part of the business model. • TCO - Total Cost of Ownership – stop making the users constantly reinstall or reconfigure the software – don’t ignore the costs of your central staff Ignored scaling metrics • Transactions per second • Concurrent user connections • Analyzing massive data sets Objects • Users – must be global • Resources – servers – printers – other information Global Users - Problem • UNIX – standard applications use the passwd file and don’t care (UID is UID…) • NT – standard applications look up the user and can tell whether user is local or global (domain) (SIDs are machine/domain-relative) Global Users - Solution • UNIX – At logon, populate local machine’s passwd file with that user’s information from database • NT – puts users in domain Resources • Servers & Printers – already using distributed file system – have our own printing infrastructure – departments may have their own, but not necessary globally • Other information – Windows 2000 applications may store site-wide configuration information Some NT 4.0 scaling limits • Limits imposed by Domain Controller – 40MB of objects or about 25,000 users – MIT has 30,000 users and 60,000 to 80,000 computers • Trust relationship overcome the limitation – In larger installations, Windows NT Server customers create multiple domains within their organizations and establish trust relationships between them. Resource domains and trust Master User Domain (All User Accounts) Trust Trust Trust Resource Domain “A” Resource Domain “C” (Departmental Servers, Printers, etc) (Departmental Servers, Printers, etc) Resource Domain “B” (Departmental Servers, Printers, etc) Windows 2000 scaling? • No practical limits? – Microsoft believes there are no practical limits to the amount of objects that could be loaded into the Active Directory. • Limiting Factors – the overhead of replication traffic over the network – the speed at which object data can be backed up and restored for disaster recovery purposes Security Security at MIT • Kerberos v4 • Kerberos v5 • GSS API (for Kerberos v5) • X.509 Certificates (new) Kerberos issues facing MIT • Windows 2000 will use Kerberos v5 as the default authentication mechanism • No support for v4 • No support for GSS API • Microsoft KDC required for domains – MS domain controller = KDC + ADS • Limited interoperability with MIT’s Kerberos v5 reference implementation On the positive side • Stronger than today’s NTLM • Forwarding tickets allows impersonation • Optional use of public key technology to obtain Kerberos tickets Microsoft Kerberized Services • Using Kerberos to distribute keys for proprietary version of – IPSec – Secure DNS and DHCP • Any service that uses the SSPI, e.g. Exchange Server Other Interoperability issues • No DCE interoperability • NT KDC can be used to support existing v5 clients and hosts as long as DES-CBC-MD5 or DES-CBC-CRC encryption types are used for authentication. • UNIX client applications using the GSSAPI can obtain session tickets • Interoperability requires a North American version of Windows 2000 Domain vs. local account • NT workstations can be configured to use an MIT Kerberos server with single sign on to the MIT KDC but only with a local account. What’s the Problem? • Microsoft added a “PAC” to the Kerberos 5 ticket • Contains group membership information for the user • Not compatible with the DCE PAC • Microsoft PAC format is not currently public Some Beta 2 issues • Only DES-CBC-MD5 and DES-CBC-CRC are implemented. • User-to-user authentication is not implemented. • Hierarchical realm support for crossplatform trust is not implemented. • But, transitive trust between NT domains in a tree is supported. Solving the problem • Two possible solutions – Add support for MS PAC’s in the MIT KDC – The Cross-realm hack • Microsoft developers prefer the second solution. Add PAC Support to MIT KDC • Requires Microsoft disclosure of the PAC format – Promised by Microsoft – post beta 2 changed to post beta 3 • This solution still requires that the KDC obtain the group information from the ADS somehow (probably using LDAP) The Cross-Realm Hack • Preferred by the MS developers • Put the servers and users in different realms; users in the original Kerberos realm, and servers in another realm. • Users get initial tickets in the client (original realm) • NT Servers and Workstations have identities in the server (NT Domain) realm Comparing the Solutions • Both will work • Cross-realm hack’s advantages – Does not require as much custom development • MIT KDC solution’s advantages – Don’t have to put the KDC on an NT server – Support for Kerberos V4 and DCE – Site has more control over its destiny Open Questions • How committed is Microsoft to Kerberos interoperability? – Beta 2 is incompatible out of the box – Requires registry changes to make it work • How difficult will it be to configure the proposed cross-realm hack? • We are continuing to work with Microsoft -- stay tuned. Distributed File System • AFS is currently available on NT 3.51 and 4.0 and will be available for Windows 2000 Workstation • Remote installation and upgrades – operating system and patches – application software • Serial Reusability – A previous user’s actions or changes should not affect the next user who logs in. • Low TCO – stop making the users constantly reinstall or reconfigure the software. Microsoft on lowering TCO • Lockdown - restrict the user to a subset of the system’s functionality Problem: An academic environment encourages experimentation and openness. This diametrically opposed to Microsoft’s approach. Security’s impact on lockdown • Threat analysis – “We have met the enemy and they are us.” – Physical access to the network and end user’s machines by hostile users is a reality • Implications – Lockdown will be subverted • Athena’s solution: – Remove the challenge Challenges • Minimize impact on current Athena infrastructure – feed Active Directory from Athena database – use Athena KDC • Windows 2000 Workstation – OS installation and upgrades – Software installation – Automated cleanup for serial reuse Questions?