Subject: RE: Kerberos functional spec
Date: Tue, 16 Jan 2007 11:20:31 -0800
From: "Ron Bhanukitsiri" <ronb@onstor.com>
To: "Mary Li" <mary.li@onstor.com>,
	"Jonathan Goldick" <jonathan.goldick@onstor.com>,
	"Brian DeForest" <brian.deforest@onstor.com>,
	"dl-Design Review" <dl-designreview@onstor.com>
Cc: "Narayan Venkat" <narayan.venkat@onstor.com>,
	"Ron Bhanukitsiri" <ronb@onstor.com>

Thanks Mary.

_____________________________________________
From: Mary Li
Sent: Tuesday, January 16, 2007 11:15 AM
To: Ron Bhanukitsiri; Jonathan Goldick; Brian DeForest; dl-Design Review
Cc: Narayan Venkat
Subject: RE: Kerberos functional spec

Thanks. See my inline reply.

_____________________________________________
From: Ron Bhanukitsiri
Sent: Tuesday, January 16, 2007 10:59 AM
To: Mary Li; Jonathan Goldick; Brian DeForest; dl-Design Review
Cc: Narayan Venkat; Ron Bhanukitsiri
Subject: RE: Kerberos functional spec

Thanks Mary for your feedback.  My response below in brown.

Ron B[ee]

_____________________________________________
From: Mary Li
Sent: Tuesday, January 16, 2007 10:33 AM
To: Jonathan Goldick; Brian DeForest; dl-Design Review
Cc: Narayan Venkat
Subject: RE: Kerberos functional spec

1.	Question about "2.3 Unmet Requirements": if we don't support
Kerberos authentication for accessing files over cifs in the first
release, can a customer use an application that requires Kerberos
authentication only (no negotiation to NTLM)?

RB> I don't quite understand your question.  We don't support Kerberos
application in a generic sense.  If the Windows (or Samba) client is
joined to the Windows Active Directory domain (i.e. Kerberos), then
ONstor will tell the client we support Kerberos and if the client is
Kerberos capable (i.e. W2K, W2K3, WXP, Samba 3-x client configured to
use Kerberos), then the user will be authenticated via Kerberos.
However, if the client doesn't support Kerberos for some reason (e.g.
not joined to the domain), we must support NTLM for backward
compatibility and the user will obviously be challenged for the
password.  Otherwise, the user on a client not joined to the domain
will be denied service even if he/she has the right credential :-).

[Mary] Some applications (like IIS 6.00) can be configured to take
Kerberos authentication only, even if the client is OK to negotiate down
to NTLM. If we don't support Kerberos auth for accessing files over
cifs, is there any potential issue here? Could you explain more about
"not supporting Kerberos authentication for accessing files over cifs"?

RB> I think you misunderstood me.  We *are* going to support Kerberos
over cifs.  In fact, the Kerberos security blob is carried inside the
SessionSetupAndX SMBs.  This is what I explained earlier.
We could design it so that customers can configure ONstor to support
only Kerberos if this is desirable.  But by default we will support
both Kerberos and NTLM for backward compatibility.

2.	Do we support single sign-on? For example, if there are 3 ONstor
virtual servers sharing the same KDC and the user is authenticated to
vsvr1, does the user still need to type in a password and user id for
accessing vsvr2 and vsvr3 from the same client? Single sign-on is the
major advantage of using Kerberos authentication.

RB> Ah, "single sign-on" is such a popular term these days and
encompasses many aspects.  Our product will focus on the file service
aspect of single sign-on.  What this means is that in your scenario, if
vsrv1 and vsr2 and vsr3 are all joined to the same Windows Active
Directory Domain, then the user will not need to type in the password
or the user id.

3.	Do we support cifs session setup with "user@realm" format? For
example user1@matrix.lab
RB> Realm is Kerberos terminology.  So in the Windows and Kerberos
world, realm and fully qualified DNS Domain name are synonymous.  The
user@realm is called a Kerberos principal and for this particular case,
it's a fancy name for a user :-).  However, a Kerberos principal does
not need to be a user (e.g. vsrvr1@matrix.lab is the principal name for
a server).

[Mary]  This is great news.  Just be aware that all authentication
related components need to support this format. For example, Idmapping
for multiprotocol.

2.3	 Unmet Requirements
The following requirements are at risk for the initial CIFS release due
to time-to-market considerations.

*	REQUIREMENT: Provide Kerberos v5 based authentication for
clients accessing files over CIFS

Note:  This capability must be delivered without the usage of Samba
libraries.  We need to purge Samba libraries post haste


_____________________________________________
From: Brian DeForest
Sent: Thursday, January 11, 2007 5:49 PM
To: dl-Design Review
Cc: Narayan Venkat
Subject: Kerberos functional spec

 << File: KerberosFuncSpec.doc >>
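
The negotiation discussed in this thread (a security blob in SessionSetupAndX offering Kerberos and/or NTLM, with an optional Kerberos-only server setting) is shown below as an added example; it is not part of the thread and not ONstor code. `select_mech`, `kerberos_only` and the sample blobs are hypothetical, and the blob layout assumed is the standard SPNEGO NegTokenInit.

```python
# Added example (not ONstor code); every name below is hypothetical.
KRB5, MS_KRB5 = "1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"
NTLMSSP, SPNEGO = "1.3.6.1.4.1.311.2.2.10", "1.3.6.1.5.5.2"
KERBEROS_MECHS = {KRB5, MS_KRB5}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def expect(buf, pos, want):
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return value, nxt

def offered_mechs(blob):
    """Mechanism OIDs the client offers, in its preference order."""
    if blob.startswith(b"NTLMSSP\x00"):      # raw NTLMSSP, no SPNEGO wrapper
        return [NTLMSSP]
    token, _ = expect(blob, 0, 0x60)         # GSS-API InitialContextToken
    oid, pos = expect(token, 0, 0x06)
    if decode_oid(oid) != SPNEGO:
        raise ValueError("outer mechanism is not SPNEGO")
    init, _ = expect(token, pos, 0xA0)       # [0] NegTokenInit
    seq, _ = expect(init, 0, 0x30)
    mech_types, _ = expect(seq, 0, 0xA0)     # [0] mechTypes
    oid_list, _ = expect(mech_types, 0, 0x30)
    mechs, pos = [], 0
    while pos < len(oid_list):
        oid, pos = expect(oid_list, pos, 0x06)
        mechs.append(decode_oid(oid))
    return mechs

def select_mech(blob, kerberos_only=False):
    # None means no acceptable mechanism: the session setup is refused.
    allowed = KERBEROS_MECHS if kerberos_only else KERBEROS_MECHS | {NTLMSSP}
    return next((m for m in offered_mechs(blob) if m in allowed), None)

# --- constructed sample input (not captured traffic) ---
OID_DER = {KRB5: "2a864886f712010202", MS_KRB5: "2a864882f712010202",
           NTLMSSP: "2b06010401823702020a", SPNEGO: "2b0601050502"}
def tlv(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length: samples < 128 bytes

def sample_blob(mechs):
    lst = b"".join(tlv(0x06, bytes.fromhex(OID_DER[m])) for m in mechs)
    init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, lst))))
    return tlv(0x60, tlv(0x06, bytes.fromhex(OID_DER[SPNEGO])) + init)
```

With `kerberos_only=True` a client that can only offer NTLM, wrapped in SPNEGO or sent raw, gets no mechanism, which is the "denied service" case described above.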

