Transcript of Scaling NT To The Campus
Scaling NT To The Campus
Integrating NT into the MIT Computing Environment
Danilo Almeida, MIT
What do we mean by scaling?
There are several possible metrics that can be used.
We are concerned with the basic academic computing environment which is used by most students at MIT.
Our present environment is Athena.
What is Athena?
Athena is a heterogeneous distributed computing environment.
• Objects managed via a database
  – 30,000 users
  – 60,000-80,000 computers
• Security
  – Kerberos v4 and v5 environment
Athena
• Distributed file system (AFS)
  – user files
  – some software run out of AFS
• Single-user workstations running one of many OSes (Solaris, IRIX, others)
  – single-user
  – serial reusability
  – software can be remotely updated
Driving scaling metrics
• Ability to manage a “large” number of user accounts
  – Where “large” is >30,000
• Ability to manage a “large” number of workstations
  – Where the goal of “large” is >10,000
• Do this with a small support staff (low cost)
  – less than linear growth
Driving scaling metrics - cost
• Sustainability
  – Ability to sustain the system - includes the recurring costs, or vendor imposed upgrade costs. This must be part of the business model.
• TCO - Total Cost of Ownership
  – stop making the users constantly reinstall or reconfigure the software
  – don’t ignore the costs of your central staff
Ignored scaling metrics
• Transactions per second
• Concurrent user connections
• Analyzing massive data sets
Objects
• Users
  – must be global
• Resources
  – servers
  – printers
  – other information
Global Users - Problem
• UNIX
  – standard applications use the passwd file and don’t care (UID is UID…)
• NT
  – standard applications look up the user and can tell whether the user is local or global (domain) (SIDs are machine/domain-relative)
Global Users - Solution
• UNIX
  – At logon, populate the local machine’s passwd file with that user’s information from the database
• NT
  – puts users in the domain
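The UNIX half of this, as an added example (not Athena’s own logon code): merge one user’s record from the central database into the workstation’s passwd file at logon. The 7-field record format, the local file contents, the UID ceiling for system accounts and the “*” password convention are all assumptions made here; the check that matters is that a database record can never shadow root or another local system account by name or UID.

```python
"""
Populate a workstation's passwd file with one global user's record at logon.
Added example, not Athena's code.  Assumed: the central database hands back
the user in 7-field passwd format, and the local file holds only a few
system accounts.  Both inputs are constructed inline.
"""
from dataclasses import dataclass

# Assumed local policy: UIDs below this belong to system accounts on the
# workstation, and a record from the database must never shadow them.
LOCAL_UID_CEILING = 1000


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @classmethod
    def parse(cls, line):
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, password, uid, gid, gecos, home, shell = fields
        if not name or "/" in name or name.startswith("-"):
            raise ValueError(f"refusing suspicious user name {name!r}")
        return cls(name, password, int(uid), int(gid), gecos, home, shell)

    def render(self):
        return ":".join([self.name, self.password, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell])


def merge_global_user(local_lines, db_record):
    """Return the passwd lines with the global user's entry added or refreshed.

    Raises ValueError when the database record would collide with a local
    system account by name or by UID, so a bad or hostile record cannot hand
    a global user a privileged local identity.
    """
    new = PasswdEntry.parse(db_record)
    if new.uid < LOCAL_UID_CEILING:
        raise ValueError(f"global user {new.name} has reserved uid {new.uid}")
    # Assumed convention: global users never get a local password hash; the
    # password field is "*" and authentication happens through Kerberos.
    new = PasswdEntry(new.name, "*", new.uid, new.gid, new.gecos, new.home, new.shell)
    merged = []
    for line in local_lines:
        entry = PasswdEntry.parse(line)
        if entry.name == new.name or entry.uid == new.uid:
            if entry.uid < LOCAL_UID_CEILING:
                raise ValueError(f"record for {new.name} collides with local account {entry.name}")
            continue   # stale copy of the same global user from an earlier session
        merged.append(line.rstrip("\n"))
    merged.append(new.render())
    return merged


# Constructed sample file, not real accounts.
LOCAL_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/false",
    "jdoe:*:20001:101:Stale Copy:/mit/jdoe:/bin/sh",   # left behind by the previous logon
]

if __name__ == "__main__":
    for line in merge_global_user(LOCAL_PASSWD, "jdoe:*:20001:101:Jane Doe:/mit/jdoe:/bin/tcsh"):
        print(line)
```

The stale entry from the previous session is dropped and re-added from the fresh record, which is what “serial reusability” of the workstation needs; the two ValueError paths are the security boundary between the global database and the workstation’s own accounts.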
Resources
• Servers & Printers
  – already using distributed file system
  – have our own printing infrastructure
  – departments may have their own, but not necessary globally
• Other information
  – Windows 2000 applications may store site-wide configuration information
Some NT 4.0 scaling limits
• Limits imposed by the Domain Controller
  – 40MB of objects, or about 25,000 users
  – MIT has 30,000 users and 60,000 to 80,000 computers
• Trust relationships overcome the limitation
  – In larger installations, Windows NT Server customers create multiple domains within their organizations and establish trust relationships between them.
Resource domains and trust
Diagram: the NT 4.0 master domain model. A single Master User Domain holds all user accounts; Resource Domains “A”, “B” and “C” hold the departmental servers, printers, etc., and each resource domain has a trust relationship with the Master User Domain so that its resources can be granted to master-domain users.
Windows 2000 scaling?
• No practical limits?
  – Microsoft believes there are no practical limits to the amount of objects that could be loaded into the Active Directory.
• Limiting factors
  – the overhead of replication traffic over the network
  – the speed at which object data can be backed up and restored for disaster recovery purposes
Security
Security at MIT
• Kerberos v4
• Kerberos v5
• GSS API (for Kerberos v5)
• X.509 Certificates (new)
Kerberos issues facing MIT
• Windows 2000 will use Kerberos v5 as the default authentication mechanism
• No support for v4
• No support for GSS API
• Microsoft KDC required for domains
  – MS domain controller = KDC + ADS
• Limited interoperability with MIT’s Kerberos v5 reference implementation
On the positive side
• Stronger than today’s NTLM
• Forwarding tickets allows impersonation
• Optional use of public key technology to obtain Kerberos tickets
Microsoft Kerberized Services
• Using Kerberos to distribute keys for proprietary versions of
  – IPSec
  – Secure DNS and DHCP
• Any service that uses the SSPI, e.g. Exchange Server
Other Interoperability issues
• No DCE interoperability
• NT KDC can be used to support existing v5 clients and hosts as long as DES-CBC-MD5 or DES-CBC-CRC encryption types are used for authentication.
• UNIX client applications using the GSS-API can obtain session tickets
• Interoperability requires a North American version of Windows 2000
Domain vs. local account
• NT workstations can be configured to use an MIT Kerberos server with single sign on to the MIT KDC but only with a local account.
![Page 21: Scaling NT To The Campus](https://reader036.fdocuments.us/reader036/viewer/2022062409/568148bb550346895db5d74e/html5/thumbnails/21.jpg)
What’s the Problem?
• Microsoft added a “PAC” to the Kerberos 5 ticket
• Contains group membership information for the user
• Not compatible with the DCE PAC
• Microsoft PAC format is not currently public
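Microsoft has since published the PAC layout as [MS-PAC]. The following is an added example, not code from the presentation: it builds a small PAC in that published layout, signs it the way a Windows KDC does for an RC4-HMAC service key (KERB_CHECKSUM_HMAC_MD5 from RFC 4757, key usage 17, server signature over the PAC with both signature fields zeroed, KDC signature over the server signature) and parses it back. The keys, the client name and the stand-in logon-info buffer are constructed here; the real logon-info buffer, where the group SIDs live, is NDR-encoded and is not decoded.

```python
"""
Build, sign and parse a Kerberos PAC in the layout Microsoft later published
as [MS-PAC].  Added example with constructed keys and data; not the
presentation's code.  Only the HMAC-MD5 (RC4-HMAC) signature type is handled.
"""
import hashlib
import hmac
import struct

PAC_LOGON_INFO = 0x01        # KERB_VALIDATION_INFO (NDR): the group SIDs live in here
PAC_SERVER_CHECKSUM = 0x06   # keyed by the service's long-term key
PAC_KDC_CHECKSUM = 0x07      # keyed by the krbtgt key
PAC_CLIENT_INFO = 0x0A       # FILETIME + UTF-16LE client name
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138 as an unsigned ULONG
KERB_NON_KERB_CKSUM_SALT = 17         # key usage number for PAC signatures


def _align8(n):
    return (n + 7) & ~7


def hmac_md5_checksum(key, usage, data):
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757 section 4): a 16-byte keyed checksum."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def build_pac(buffers):
    """Serialise [(ulType, bytes), ...] as PACTYPE + PAC_INFO_BUFFER[] + 8-byte-aligned data."""
    offset = 8 + 16 * len(buffers)             # the header is already a multiple of 8
    header = bytearray(struct.pack("<II", len(buffers), 0))   # cBuffers, Version = 0
    body = bytearray()
    for ultype, data in buffers:
        header += struct.pack("<IIQ", ultype, len(data), offset)
        body += data + b"\x00" * (_align8(len(data)) - len(data))
        offset += _align8(len(data))
    return bytes(header + body)


def _layout(blob):
    """Map ulType -> (offset, size), with the bounds checks any consumer must do."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version")
    layout = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC buffer runs past end of blob")
        layout[ultype] = (offset, size)
    return layout


def parse_pac(blob):
    return {t: blob[o:o + s] for t, (o, s) in _layout(blob).items()}


def _zeroed(blob, layout):
    """Copy with both Signature fields (everything after the 4-byte type) zeroed."""
    z = bytearray(blob)
    for t in (PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM):
        o, s = layout[t]
        z[o + 4:o + s] = b"\x00" * (s - 4)
    return bytes(z)


def sign_pac(blob, server_key, kdc_key):
    """Server signature over the zeroed PAC; KDC signature over the server signature."""
    layout = _layout(blob)
    signed = bytearray(_zeroed(blob, layout))
    srv = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, bytes(signed))
    so = layout[PAC_SERVER_CHECKSUM][0]
    signed[so + 4:so + 20] = srv
    ko = layout[PAC_KDC_CHECKSUM][0]
    signed[ko + 4:ko + 20] = hmac_md5_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, srv)
    return bytes(signed)


def verify_server_signature(blob, server_key):
    """The check a kerberized service can make by itself before trusting the groups."""
    layout = _layout(blob)
    so, _ = layout[PAC_SERVER_CHECKSUM]
    if struct.unpack_from("<I", blob, so)[0] != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("this example only handles KERB_CHECKSUM_HMAC_MD5")
    expected = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, _zeroed(blob, layout))
    return hmac.compare_digest(expected, blob[so + 4:so + 20])


def client_info(filetime, name):
    n = name.encode("utf-16-le")
    return struct.pack("<QH", filetime, len(n)) + n


def parse_client_info(data):
    filetime, nlen = struct.unpack_from("<QH", data, 0)
    return filetime, data[10:10 + nlen].decode("utf-16-le")


# Constructed sample material: throwaway keys and a stand-in for the NDR logon-info blob.
SERVER_KEY = bytes(range(16))
KDC_KEY = bytes(range(16, 32))
LOGON_INFO_STANDIN = b"\x00" * 16    # the real buffer is NDR-encoded and is not decoded here


def make_sample_pac():
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * 16
    unsigned = build_pac([
        (PAC_LOGON_INFO, LOGON_INFO_STANDIN),
        (PAC_CLIENT_INFO, client_info(0x01BF1E2C5DB8A000, "jdoe")),
        (PAC_SERVER_CHECKSUM, empty_sig),
        (PAC_KDC_CHECKSUM, empty_sig),
    ])
    return sign_pac(unsigned, SERVER_KEY, KDC_KEY)
```

The point for a service that consumes the PAC: the only signature it can verify itself is the server checksum, since only the KDC holds the krbtgt key; a PAC whose server checksum does not verify carries group information the service must not act on.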
Some Beta 2 issues
• Only DES-CBC-MD5 and DES-CBC-CRC are implemented.
• User-to-user authentication is not implemented.
• Hierarchical realm support for cross-platform trust is not implemented.
• But, transitive trust between NT domains in a tree is supported.
Solving the problem
• Two possible solutions
  – Add support for MS PACs in the MIT KDC
  – The cross-realm hack
• Microsoft developers prefer the second solution.
Add PAC Support to MIT KDC
• Requires Microsoft disclosure of the PAC format
  – Promised by Microsoft
  – post beta 2 changed to post beta 3
• This solution still requires that the KDC obtain the group information from the ADS somehow (probably using LDAP)
The Cross-Realm Hack
• Preferred by the MS developers
• Put the servers and users in different realms; users in the original Kerberos realm, and servers in another realm.
• Users get initial tickets in the client (original realm)
• NT Servers and Workstations have identities in the server (NT Domain) realm
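The arrangement above as an added example (not code from the presentation): two KDC principal tables, one for the users’ realm and one for the NT domain’s realm, joined by the shared cross-realm principal krbtgt/SERVER-REALM@CLIENT-REALM. The code works out the ticket path a client must follow, walks the AS/TGS exchanges, and checks what an administrator setting this up has to get right: the shared principal must exist on both KDCs with the same key and an enctype the NT KDC accepts (DES-CBC-CRC or DES-CBC-MD5, per the earlier slide). The realm names, principals and keys are constructed; ATHENA.MIT.EDU is used as the users’ realm and WIN.MIT.EDU is an assumed name for the NT realm. Because the final service ticket is issued by the NT KDC, it is that KDC that attaches the PAC, which is why this path needs no PAC support in the MIT KDC.

```python
"""
The cross-realm arrangement: people hold accounts in the existing Kerberos
realm, NT machines hold identities in the NT domain's realm, and a shared
krbtgt principal links the two.  Added example with constructed realm names
and keys; not code from the presentation.
"""
from collections import deque

USER_REALM = "ATHENA.MIT.EDU"   # realm issuing people's initial tickets
HOST_REALM = "WIN.MIT.EDU"      # assumed name for the Windows domain's realm

# Enctypes the NT KDC accepts for interoperability, per the presentation.
NT_INTEROP_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

# Each KDC's principal table: principal -> (enctype, key).  Constructed.
KDCS = {
    USER_REALM: {
        "jdoe@ATHENA.MIT.EDU": ("des3-cbc-sha1", b"user-key"),
        "krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU": ("des3-cbc-sha1", b"athena-tgs-key"),
        # One-way trust: WIN.MIT.EDU honours tickets issued by ATHENA.MIT.EDU.
        "krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU": ("des-cbc-crc", b"shared-xrealm-key"),
    },
    HOST_REALM: {
        "krbtgt/WIN.MIT.EDU@WIN.MIT.EDU": ("des-cbc-md5", b"win-tgs-key"),
        "krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU": ("des-cbc-crc", b"shared-xrealm-key"),
        "host/ws1.win.mit.edu@WIN.MIT.EDU": ("des-cbc-md5", b"ws1-key"),
    },
}


def check_trust(kdcs, from_realm, to_realm):
    """Problems with the shared principal krbtgt/TO@FROM, which must match on both KDCs."""
    name = f"krbtgt/{to_realm}@{from_realm}"
    a, b = kdcs[from_realm].get(name), kdcs[to_realm].get(name)
    problems = [f"{name} missing on {r} KDC" for r, v in ((from_realm, a), (to_realm, b)) if v is None]
    if problems:
        return problems
    if a[0] != b[0]:
        problems.append(f"{name}: enctype differs ({a[0]} vs {b[0]})")
    elif a[1] != b[1]:
        problems.append(f"{name}: key differs between the two KDCs")
    if a[0] not in NT_INTEROP_ENCTYPES:
        problems.append(f"{name}: enctype {a[0]} is not one the NT KDC accepts")
    return problems


def trust_edges(kdcs):
    """Directed trust graph: A -> B when krbtgt/B@A exists in both A's and B's tables."""
    edges = {realm: set() for realm in kdcs}
    for realm, table in kdcs.items():
        for princ in table:
            if princ.startswith("krbtgt/") and princ.endswith("@" + realm):
                target = princ[len("krbtgt/"):princ.index("@")]
                if target != realm and princ in kdcs.get(target, {}):
                    edges[realm].add(target)
    return edges


def ticket_path(kdcs, client_realm, server_realm):
    """Realms the client's TGTs pass through (breadth-first), or None without a trust path."""
    edges, prev, queue = trust_edges(kdcs), {client_realm: None}, deque([client_realm])
    while queue:
        realm = queue.popleft()
        if realm == server_realm:
            path = []
            while realm is not None:
                path.append(realm)
                realm = prev[realm]
            return path[::-1]
        for nxt in sorted(edges.get(realm, ())):
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    return None


def tgs_exchange(kdcs, client, service):
    """Messages the client sends, and the tickets it gets back, on the way to `service`."""
    crealm, srealm = client.rsplit("@", 1)[1], service.rsplit("@", 1)[1]
    path = ticket_path(kdcs, crealm, srealm)
    if path is None:
        raise LookupError(f"no trust path from {crealm} to {srealm}")
    held = f"krbtgt/{crealm}@{crealm}"
    steps = [f"AS-REQ to {crealm} for {client} -> {held}"]
    for a, b in zip(path, path[1:]):
        for problem in check_trust(kdcs, a, b):
            raise ValueError(problem)
        held = f"krbtgt/{b}@{a}"     # issued by a's KDC, decryptable by b's KDC
        steps.append(f"TGS-REQ to {a} presenting previous TGT -> cross-realm TGT {held}")
    # The last KDC on the path (here the NT domain) issues the service ticket and attaches the PAC.
    steps.append(f"TGS-REQ to {srealm} presenting {held} -> service ticket for {service}")
    return steps


if __name__ == "__main__":
    for step in tgs_exchange(KDCS, "jdoe@ATHENA.MIT.EDU", "host/ws1.win.mit.edu@WIN.MIT.EDU"):
        print(step)
```

With the tables as constructed the trust is one-way: a WIN.MIT.EDU principal has no path back into ATHENA.MIT.EDU, which is the intended direction when the NT side only needs to accept MIT users. The Beta 2 caveat on the next slide (no hierarchical realm support) means every hop in this path must be an explicitly created krbtgt principal rather than one inferred from realm names.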
Comparing the Solutions
• Both will work
• Cross-realm hack’s advantages
  – Does not require as much custom development
• MIT KDC solution’s advantages
  – Don’t have to put the KDC on an NT server
  – Support for Kerberos V4 and DCE
  – Site has more control over its destiny
Open Questions
• How committed is Microsoft to Kerberos interoperability?
  – Beta 2 is incompatible out of the box
  – Requires registry changes to make it work
• How difficult will it be to configure the proposed cross-realm hack?
• We are continuing to work with Microsoft --- stay tuned.
Distributed File System
• AFS is currently available on NT 3.51 and 4.0 and will be available for Windows 2000
Workstation
• Remote installation and upgrades
  – operating system and patches
  – application software
• Serial Reusability
  – A previous user’s actions or changes should not affect the next user who logs in.
• Low TCO
  – stop making the users constantly reinstall or reconfigure the software.
Microsoft on lowering TCO
• Lockdown - restrict the user to a subset of the system’s functionality
Problem:
An academic environment encourages experimentation and openness. This is diametrically opposed to Microsoft’s approach.
Security’s impact on lockdown
• Threat analysis
  – “We have met the enemy and they are us.”
  – Physical access to the network and end users’ machines by hostile users is a reality
• Implications
  – Lockdown will be subverted
• Athena’s solution:
  – Remove the challenge
Challenges
• Minimize impact on current Athena infrastructure
  – feed Active Directory from the Athena database
  – use the Athena KDC
• Windows 2000 Workstation
  – OS installation and upgrades
  – Software installation
  – Automated cleanup for serial reuse
Questions?