Date post: | 03-Dec-2015 |
Category: |
Documents |
Upload: | ali-fayez-sahar |
View: | 217 times |
Download: | 3 times |
SAMBA AND ADMod 5
Secure Communication Privacy
only the sender and the receiver should be able to understand the conversation
Eavesdroppers can make no sense of information Integrity
the receiving end must be able to know for sure that the message he is receiving is exactly the one that the transmitting end sent
malicious user can’t intercept a communication with the intent of modifying its contents – even without understanding the contents
Authentication ensure that the parties involved in the communication are who they claim to
be Impersonation
Authorization is not Authentication○ Users can only access resources allowed○ Prevent a valid user from hacking○ Inside the system usually not part of communication
SECURITY IN WINDOWS
SSO
Single Sign-Onthe ability of a user to authenticate and
thereafter to have access to all authorized network resources without additional authentication
NTLM Network Logon Security mechanism A ‘challenge/response’ authentication protocol Used in NT systems and Windows versions below 2000 in
native mode or The client is authenticating to a server that belongs to a different
Active Directory forest, or doesn't belong to a domain. No Active Directory domain exists (commonly referred to as
"workgroup" or "peer-to-peer"). Where a firewall would otherwise restrict the ports required by
Kerberos
Kerberos Authentication
Remember that Authentication and Authorization are two separate processes
It is an open standard (RFC 4120) Kerberos is an Authentication protocol
which features ‘mutual authentication’ or ‘shared secrets’
Kerberos Version 5 is standard on all versions of Windows 2000 and up
Kerberos Components Key Distribution Centre (KDC)
Installed as part of DCProvides two services
○ Authentication Service (AS) ○ Ticket-Granting Service (TGS)
The client
The server with the resource Must be able to accept and process tickets
AS
TGS DC
KDC
Kerberos Exchanges AS Exchange (Authentication
Service)Authenticate on the domainAS-Request and AS-Reply
TGS Exchange (Ticket Granting Service)Get a ticket to access a resourceTGS-Request and TGS-Reply
CS Exchange (Client/Server)Access the resource
User Keys (shared secret) When a user is created, the password is
used to create the user key. In Active Directory domains, the user
key is stored with the user's object in the Active Directory.
At the workstation, the user key is created when the user logs on.
First we have to find a DC
Local Security
subsystem
User
Workstation
1.
2.
DNS Server
3.4.
1. The user enters username, password and domain information into the logon dialog box.
2. The logon credentials are passed to the local security subsystem on the workstation.
3. The local security subsystem on the workstation checks the domain name entered in the logon credentials and queries DNS to find a Domain controller for the domain. (DNS SRV record)
4. The DNS server must provide the address of a Domain controller which will also have Kerberos services (KDC)
Then we create our secret key
Local Security
subsystem
Workstation
Workstation Credentials Cache
+ PASSWORD = USK 5.
6.
USK
5. The Kerberos client on the workstation creates the users secret key
› The users timestamp is encrypted with the users password to form the users secret key (USK)
6. The users secret encrypted key (USK) is saved in the workstation's credential cache.
The AS-Exchange (AS-Request)
7. The KDC Authentication Service (AS) checks for the principal in the Active Directory Database and global memberships in the global catalogue server.
8. If the principal is found and the key accepted, the AS service on the KDC creates a Ticket-granting-ticket (TGT). The TGT has an expiration time (usually about 8hrs). The TGT is sent to the workstation.
Local Security
subsystem
Workstation
7.
Domain Controller(KDC)
Active Directory
Authentication Service
Global Catalogue Server
8.
USK
Pre-Authentication By default windows uses
Kerberos pre-authentication PA-ENC-TIMESTAMP Password and timestamp
encrypted into a hash This prevents user spoofing The pre-authentication
feature may be disabled for specific users in order to support some applications that don't support the security feature
The AS-Exchange (AS-Reply)
9. The TGT (Ticket Granting Ticket) is sent to the local security subsystem on the Client workstation. The TGT is stored in the credentials cache with the USK. Together these form the authentication information that the workstation will use to communicate with the KDC from now on until the user logs out or the ticket expires.
TGT
This ticket can be used to request access to a domain resource such as a shared folder or printer, or the ability to log on to a particular computer
has a default lifetime of 10 hours › may be renewed throughout the user's log-on session without requiring the user to re-enter his password.
The TGT is cached on the local machine in volatile memory space and used to request sessions with services throughout the network
Time!!!!!
Maximum Tolerance For Computer Clock Synchronization: The Maximum tolerance for computer clock synchronization is one of the few Kerberos policies that may need to be changed. By default, computers in the domain must be synchronized within five minutes of each other. If the client clock and the server clock are not synchronized closely enough, a client ticket is not issued. The default value is 5 minutes, and settings are in minutes. If there are remote users that log on to the domain without synchronizing their clock to the network timeserver, it may be necessary to adjust this value.
The Ticket Granting Service
A TGT and a Service Ticket are needed to access resources on the domain
We have an TGT from the AS (Authentication Service) exchange
We get a Service Ticket from the TGS-Exchange
When we are logging on we are asking for access to the local machine which is a domain resource so we need a Service Ticket
The TGS Exchange (TGS-Request)
10. The client contacts the TGS wishing to connect to a file share on the domain.
1. The name of the target computer, 2. The name of the target computer’s
domain3. The TGT.
11. The TGS decrypts the TGT, verifies the user with Active directory and checks the timestamp and the domain policies and group membership.
The TGS Exchange (TGS-Reply)
12. If everything checks out the TGS creates a TGS Reply (service ticket) and returns it to the Client System to be placed in the credentials cache.
Using the Service Ticket13. The client can now contact the file server with the desired share and present the Service ticket.14. The file server will check its Access Control lists against the users name and group membership and allow (or not) the user access to the file system.
Summary AS exchange occurs at logon, providing the client with
a TGT (Ticket Granting Ticket) The TGT allows the client to enter the TGS exchange
(which authenticates the client), returning an ST (service ticket)
The ST identifies the authenticated client to a service following which the service will provide access (but only if the client passes the service’s own authorization criteria).
Because messages are encrypted, only the KDC can read the TGT and only the service can read the ST.
Understanding Kerberos Resources
http://www.youtube.com/watch?v=kp5d8Yv3-0c
http://www.youtube.com/watch?v=KD2Q-2ToloE&feature=related
http://www.computerworld.com/computerworld/records/images/pdf/kerberos_chart.pdf
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fintroductiontokerberosauthentication.htm
SAMBA AND ADSCMPS305
ADS Level Security ADS Security Mode
In Samba you can join as a native AD member All your machines are running Windows 2000 and above
and all use Kerberos
WindowsDCWorkstation Workstation Workstation Workstation
SAMBA
Joining an active directory domain
find a ADS DC create a secret key get krb5 TGT for administrator Get Service ticket to join to domain Complete join
SAMBA and ADS First you have to load the Kerberos
workstation software○ Allows samba to authenticate to a Kerberos server○ Allows samba to get and use tickets○ Allows samba to be seen as a principal
What would SAMBA need to be an Active directory domain controller?
Configure the smb.conf fileType of securityThe kerberos realmThe password server
Configure the krb5.conf file
Smb.conf
A Kerberos Realm is the a set of principles administrated as a single group in Kerberos
All Windows domains are also Kerberos realms but the realm name is always all uppercase
Krb5.conf Libdefaults – sets the
deraults for Kerberos on your system Ticket lifetime Realm
Realms – where to find KDC’s for each realm
Domain_realm – maps the hostnames to Kerberos realm . = all So all hosts in condm.com
map to condm.com realm
DNS
How does a domain member find a domain controller?› DNS SRV records› So you have to know where to find a DNS server
And you have to make sure you have a proper hosts file
Testing it out
Kinit – key initialization for administrator in the domain
Klist – get a list of Kerberos keys
Join the domain
Users OK so we have some user issues to deal with
UID GID Shell
One way is to add them to the Linux passwd file and then the smbpasswd file but that’s too much work
Winbind
Unifies Unix and Windows account management› Pulls the windows usernames from the dc and integrates
them into the Linux /etc/passwd /etc/groups sysem.› Allows Unix to see and use the windows accounts› Listens for requests from NSS or PAM› Configure user mapping in the smb.conf
› Must be started after smb and nmb
NSS
Nsswitch› Name Service Switch› Allows you to resolve names between services› is used by various functions in the C library to
control where information was looked for› /etc/nsswitch.conf, specifies the sources for the
``databases'' and their lookup order
The checkout
getent passwd