
Re: Active Directory Control is No Barrier to Linux Adoption

Roy Schestowitz wrote:
> Centrify Boosts Unix Access To Active Directory
>
> ,----[ Quote ]
> | The company announced at the LinuxWorld Conference & Expo that
> | its DirectControl Suite now supports a number of UNIX and Linux
> | platforms.

Good LAWD.  Active Directory is just a really bastardized version of
LDAP/Kerberos, which features some really strange back doors designed
to circumvent encryption and grant rights to those who know the
"magic".  Microsoft added a clear-text "identity" field in the Kerberos
authentication field.  This is a UUID which, supposedly, only Microsoft
knows.  If the UUID and authentication are properly captured, the
server can be spoofed, and becomes the domain controller.

Part of the problem with regular LDAP was that real Kerberos is too
secure for Microsoft's tastes.  Each Kerberos server has authentication
information for each host to be connected.  The client sends a
time-sensitive encrypted message which cannot be decrypted.  The
Kerberos server encrypts the same timestamp using its internal key.
If they match, then the key is a match.  The Kerberos server then
returns a token or ticket which is good for a limited amount of time.
The ticket is encrypted in a decryptable form.

Apparently the Active Directory implementation works more like a PKI,
sending a ticket to the Kerberos server, which authenticates the key
using a CA, and if the key is authenticated, the server returns the
token.  This means that the key is only as secure as the CA.  Since
Microsoft owns part of Verisign, which owns part of Thawte and so on,
Microsoft only needs to know the token of the device it wants to
"watch" and the back door swings wide open.

Microsoft does offer a patch that converts AD to true LDAP/Kerberos-5,
but you have to request it directly, and doing so makes you a target
for the most aggressive reps Microsoft has to offer.

> | The list of platforms Centrify said it can offer Microsoft Active
> | Directory control for reads like a list of operating systems most
> | likely to make executives in Redmond lose some sleep.
> `----
>
> http://www.webpronews.com/expertarticles/expertarticles/wpn-62-20060815CentrifyBoostsUnixAccessToActiveDirectory.html
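The message above sketches the Kerberos pre-authentication step (client encrypts a timestamp under its long-term key, the KDC checks it against its own copy of the key, and a time-limited ticket comes back).  The following is an added example, not part of the original message or of any product it names, that models that exchange end to end: a toy KDC with a per-principal key table, a PA-ENC-TIMESTAMP check with the 5-minute clock-skew limit, and a replay cache.  The names `derive_key`, `KDC`, `client_preauth` and `demo` are this example's own; the "cipher" is a stdlib-only HMAC stream cipher with an HMAC tag, a stand-in for Kerberos encryption types, and the principal names, realm and timestamps are constructed test data.  The error strings reuse RFC 4120 error names only so the failure modes are recognisable.

```python
"""Toy model of Kerberos AS-REQ pre-authentication (PA-ENC-TIMESTAMP).

Constructed example.  The KDC holds one long-term key per principal, the
client proves knowledge of its key by encrypting the current time, and the
KDC decrypts with its own copy, checks clock skew and replay, then issues
a ticket sealed under the ticket-granting service key.  The cipher below is
a stdlib-only stand-in (HMAC-SHA256 keystream + HMAC tag), not a Kerberos
enctype; stand-in names: derive_key, KDC, client_preauth, demo.
"""
import hashlib
import hmac
import os
import struct
import time

MAX_SKEW = 300          # seconds; the Kerberos default clock skew is 5 minutes
TICKET_LIFETIME = 36000 # seconds; toy ticket validity


def derive_key(password: str, realm: str, principal: str) -> bytes:
    """string-to-key: salt with realm + principal (toy PBKDF2, not RFC 3962)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; enough bytes to XOR with the message."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then strip the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_preauth(client_key: bytes, now: float = None) -> bytes:
    """PA-ENC-TIMESTAMP: seconds + microseconds encrypted under the client key."""
    now = time.time() if now is None else now
    ts = int(now)
    usec = int((now - ts) * 1_000_000)
    return encrypt(client_key, struct.pack(">QI", ts, usec))


class KDC:
    def __init__(self, principal_keys: dict, service_keys: dict):
        self.principal_keys = principal_keys   # long-term key per principal
        self.service_keys = service_keys       # e.g. the krbtgt key
        self.seen = set()                      # replay cache: (principal, ts, usec)

    def as_request(self, principal: str, pa_enc_timestamp: bytes, now: float = None):
        """Return (ticket, status). Status names follow RFC 4120 error codes."""
        now = time.time() if now is None else now
        key = self.principal_keys.get(principal)
        if key is None:
            return None, "KDC_ERR_C_PRINCIPAL_UNKNOWN"
        try:
            plain = decrypt(key, pa_enc_timestamp)
        except ValueError:
            return None, "KDC_ERR_PREAUTH_FAILED"    # key mismatch or tampering
        ts, usec = struct.unpack(">QI", plain)
        if abs(now - ts) > MAX_SKEW:
            return None, "KRB_AP_ERR_SKEW"           # clock too far off
        if (principal, ts, usec) in self.seen:
            return None, "KRB_AP_ERR_REPEAT"         # captured blob replayed
        self.seen.add((principal, ts, usec))
        # Ticket is opaque to the client: sealed under the krbtgt key.
        body = principal.encode() + b"|" + struct.pack(">Q", int(now) + TICKET_LIFETIME)
        return encrypt(self.service_keys["krbtgt"], body), "OK"


def demo() -> dict:
    """Constructed scenario: good login, wrong password, stale clock, replay."""
    realm = "EXAMPLE.COM"
    alice_key = derive_key("correct horse battery", realm, "alice")
    kdc = KDC({"alice": alice_key}, {"krbtgt": os.urandom(32)})
    t0 = 1_700_000_000.0
    good = kdc.as_request("alice", client_preauth(alice_key, t0), now=t0 + 2)
    wrong_key = derive_key("guess", realm, "alice")
    wrong = kdc.as_request("alice", client_preauth(wrong_key, t0), now=t0 + 2)
    stale = kdc.as_request("alice", client_preauth(alice_key, t0 - 3600), now=t0)
    captured = client_preauth(alice_key, t0 + 10)
    first = kdc.as_request("alice", captured, now=t0 + 11)
    replay = kdc.as_request("alice", captured, now=t0 + 12)
    return {"good": good[1], "ticket_issued": good[0] is not None,
            "wrong": wrong[1], "stale": stale[1], "first": first[1], "replay": replay[1]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two checks worth noticing are the order of operations in `as_request` (integrity tag before anything is parsed, skew before the replay cache is touched, so a forged or stale blob never pollutes the cache) and that the returned ticket is sealed under a key the client never holds, which is what makes a captured pre-auth blob useless once the skew window closes.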

