Scaling NT To The Campus
Integrating NT into the MIT
Computing Environment
Danilo Almeida, MIT
What do we mean by scaling?
There are several possible metrics that can be
used.
We are concerned with the basic academic
computing environment which is used by
most students at MIT.
Our present environment is Athena.
What is Athena?
Athena is a heterogeneous distributed
computing environment.
• Objects managed via a database
– 30,000 users
– 60,000-80,000 computers
• Security
– Kerberos v4 and v5 environment
Athena
• Distributed file system (AFS)
– user files
– some software run out of AFS
• Single-user workstations running one of
many OSes (Solaris, IRIX, others)
– single-user
– serial reusability
– software can be remotely updated
Driving scaling metrics
• Ability to manage a “large” number of user
accounts
– Where “large” is >30,000
• Ability to manage a “large” number of
workstations
– Where the goal of “large” is >10,000
• Do this with a small support staff (low cost)
– less than linear growth
Driving scaling metrics - cost
• Sustainability
– Ability to sustain the system - includes the
recurring costs, or vendor imposed upgrade
costs. This must be part of the business model.
• TCO - Total Cost of Ownership
– stop making the users constantly reinstall or
reconfigure the software
– don’t ignore the costs of your central staff
Ignored scaling metrics
• Transactions per second
• Concurrent user connections
• Analyzing massive data sets
Objects
• Users
– must be global
• Resources
– servers
– printers
– other information
Global Users - Problem
• UNIX
– standard applications use the passwd file and
don’t care (UID is UID…)
• NT
– standard applications look up the user and can
tell whether user is local or global (domain)
(SIDs are machine/domain-relative)
Global Users - Solution
• UNIX
– At logon, populate local machine’s passwd file
with that user’s information from database
• NT
– puts users in domain
Resources
• Servers & Printers
– already using distributed file system
– have our own printing infrastructure
– departments may have their own, but not
necessary globally
• Other information
– Windows 2000 applications may store site-wide
configuration information
Some NT 4.0 scaling limits
• Limits imposed by Domain Controller
– 40MB of objects or about 25,000 users
– MIT has 30,000 users and 60,000 to 80,000
computers
• Trust relationship overcome the limitation
– In larger installations, Windows NT Server
customers create multiple domains within their
organizations and establish trust relationships
between them.
Resource domains and trust
Master User Domain
(All User Accounts)
Trust
Trust
Trust
Resource Domain “A”
Resource Domain “C”
(Departmental Servers, Printers, etc)
(Departmental Servers, Printers, etc)
Resource Domain “B”
(Departmental Servers, Printers, etc)
Windows 2000 scaling?
• No practical limits?
– Microsoft believes there are no practical limits
to the amount of objects that could be loaded
into the Active Directory.
• Limiting Factors
– the overhead of replication traffic over the
network
– the speed at which object data can be backed up
and restored for disaster recovery purposes
Security
Security at MIT
• Kerberos v4
• Kerberos v5
• GSS API (for Kerberos v5)
• X.509 Certificates (new)
Kerberos issues facing MIT
• Windows 2000 will use Kerberos v5 as the
default authentication mechanism
• No support for v4
• No support for GSS API
• Microsoft KDC required for domains
– MS domain controller = KDC + ADS
• Limited interoperability with MIT’s
Kerberos v5 reference implementation
On the positive side
• Stronger than today’s NTLM
• Forwarding tickets allows impersonation
• Optional use of public key technology to
obtain Kerberos tickets
Microsoft Kerberized Services
• Using Kerberos to distribute keys for
proprietary version of
– IPSec
– Secure DNS and DHCP
• Any service that uses the SSPI, e.g.
Exchange Server
Other Interoperability issues
• No DCE interoperability
• NT KDC can be used to support existing v5
clients and hosts as long as DES-CBC-MD5 or
DES-CBC-CRC encryption types are used for
authentication.
• UNIX client applications using the GSSAPI can obtain session tickets
• Interoperability requires a North American
version of Windows 2000
Domain vs. local account
• NT workstations can be configured to use
an MIT Kerberos server with single sign on
to the MIT KDC but only with a local
account.
What’s the Problem?
• Microsoft added a “PAC” to the Kerberos 5
ticket
• Contains group membership information for
the user
• Not compatible with the DCE PAC
• Microsoft PAC format is not currently
public
Some Beta 2 issues
• Only DES-CBC-MD5 and DES-CBC-CRC
are implemented.
• User-to-user authentication is not
implemented.
• Hierarchical realm support for crossplatform trust is not implemented.
• But, transitive trust between NT domains in
a tree is supported.
Solving the problem
• Two possible solutions
– Add support for MS PAC’s in the MIT KDC
– The Cross-realm hack
• Microsoft developers prefer the second
solution.
Add PAC Support to MIT KDC
• Requires Microsoft disclosure of the PAC
format
– Promised by Microsoft
– post beta 2 changed to post beta 3
• This solution still requires that the KDC
obtain the group information from the ADS
somehow (probably using LDAP)
The Cross-Realm Hack
• Preferred by the MS developers
• Put the servers and users in different realms;
users in the original Kerberos realm, and
servers in another realm.
• Users get initial tickets in the client
(original realm)
• NT Servers and Workstations have identities
in the server (NT Domain) realm
Comparing the Solutions
• Both will work
• Cross-realm hack’s advantages
– Does not require as much custom development
• MIT KDC solution’s advantages
– Don’t have to put the KDC on an NT server
– Support for Kerberos V4 and DCE
– Site has more control over its destiny
Open Questions
• How committed is Microsoft to Kerberos
interoperability?
– Beta 2 is incompatible out of the box
– Requires registry changes to make it work
• How difficult will it be to configure the
proposed cross-realm hack?
• We are continuing to work with Microsoft -- stay tuned.
Distributed File System
• AFS is currently available on NT 3.51 and
4.0 and will be available for Windows 2000
Workstation
• Remote installation and upgrades
– operating system and patches
– application software
• Serial Reusability
– A previous user’s actions or changes should not
affect the next user who logs in.
• Low TCO
– stop making the users constantly reinstall or
reconfigure the software.
Microsoft on lowering TCO
• Lockdown - restrict the user to a subset of
the system’s functionality
Problem:
An academic environment encourages
experimentation and openness. This
diametrically opposed to Microsoft’s
approach.
Security’s impact on lockdown
• Threat analysis
– “We have met the enemy and they are us.”
– Physical access to the network and end user’s
machines by hostile users is a reality
• Implications
– Lockdown will be subverted
• Athena’s solution:
– Remove the challenge
Challenges
• Minimize impact on current Athena
infrastructure
– feed Active Directory from Athena database
– use Athena KDC
• Windows 2000 Workstation
– OS installation and upgrades
– Software installation
– Automated cleanup for serial reuse
Questions?