Open JMAP2014 opened 9 years ago
@JMAP2014 The Kerberos authentication is not implemented yet. Also, I don't have any plan.
Appreciate the quick response on this one Yoichiro.
You mention initially that you have not implemented it YET but then go on to say you don't have any plan. Does this mean you may at some point and just need to work through other priorities prior?
I work alongside Colin Jones (who you may have seen commenting to you on G+) and our organisation sees great potential in the work you're doing, to the point we have escalated this with Google as something they need to keep an eye on. We are looking to progress Chrome devices internally and envision your app as a way to begin the migration process to the ChromeOS platform rather than a big bang move to Google Drive which is not desirable for our customers.
Anything we can do to prioritise this work would be appreciated as we see this as one of the last remaining steps to progress this solution. btw my name is Jason for future reference; very nice to finally speak with you.
@JMAP2014 Yes, I know. Of course, I already understand the big possibility of supporting Windows Domain authentication with Kerberos. However, I don't know the details of the Kerberos protocol. And, I don't have any Windows Domain environment or Samba4 Active Directory environment at home. Actually, I couldn't test whether my NTLMv2 authentication implementation works or not in my environment. Instead, I asked another contributor to do it.
In addition, there is an important thing. This is (was?) a hobby programming to me...
I want to get enough time to investigate and implement the Kerberos support. But, currently, it is a bit difficult for me.
JMAP2014, if possible, could you collect useful information to implement the Kerberos protocol more easily? Or, could you investigate some existing implementations of Kerberos clients written in JavaScript or C/C++?
Of course, I know that they should be done by myself... Sorry...
Yoichiro - I have spoken to Colin about your communications and we both, again, appreciate all your efforts to get things to this point.
We will see what resources we can provide to assist but I believe this is going to provide limited benefit as you'd need to see what is going on behind the scenes - this is information that won't be able to be released.
I did see there was a comment by someone on G+ where discussion around ramping up an instance on AWS may be of more benefit. I don't know what your opinion on this is given the fact that this was purely a hobby rather than a full-time role. In saying this, the applications for such a function are huge.
Please let me know if I or our team could be of further help on this front. Speak soon
Dear Jason, Would you describe the meaning of using the Kerberos protocol with the SMB app? I am a consultant for many really big companies powered by Active Directory. The only reason they do not use NTLM is security. They blocked NTLM by GPO. Did you do the same thing? If you block the NTLM protocol for compliance with SOX or similar rules then you definitely should prohibit the second password store too (the SMB app stores one locally to improve the user experience). Moreover, if you follow SOX rules you could implement a personal user (no service) ACL on all shared resources, then you should use personal user accounts for this. The only possibility to comply with all security rules in this situation is to use a federation service between the Google ID provider (Google Apps Domain) and the Microsoft ID provider (Microsoft Active Directory). This solution is already implemented by Google (Google Apps SSO). The Google Apps SSO service can set up trust with Active Directory and allows constantly synchronizing user accounts and their passwords one way from Active Directory. Google SSO allows Chromebook users to log in with their GA credentials (which look the same as their user account in AD) and claim a ticket from ADFS 3.0. This ticket can be used for access to a SharePoint portal which in this case should mount a folder from a file server.
P.S. I know this solution requires maintaining another SharePoint but if your client is really big then it definitely has many of them.
P.P.S. Google Apps has the highest compliance with all government rules, which is why you might recommend using Google Apps for Work (with Google Drive) easily. DoD used Google Drive for years (http://goo.gl/jLDyAb).
P.P.P.S. To understand the difficulty of implementing Kerberos authentication in the SMB app I could remind you that Microsoft promised to implement more simple claims in Windows File Server 10 (ten!!!) years ago and failed to do that.
If MS had not made this epic fail then we could directly access Windows file folders from Chromebooks without any proxies (like SharePoint) and any hassles. Yoichiro might implement Kerberos in SMB but I am sure that it will not happen tomorrow definitely. If you cannot wait for a moment and you do not want to implement trust between GA and AD then I advise you to allow NTLM v2 on your File Server and use the SMB app as is.
Andrey,
Just a couple of points;
Thanks
When attempting to connect with either an individual user or Domain account we experience a login attempt failure error. Authentication is via Kerberos.