Date posted: 15-Mar-2018
  • Integration with Active Directory

    Jeremy Allison, Samba Team

  • Benefits of using Active Directory

    Unlike the earlier Microsoft Windows NT 4.x Domain directory service, which used proprietary DCE/RPC calls, Active Directory is based on standard Internet protocols.

    LDAPv3 for directory lookup and updates.

    Kerberos 5 for authentication (single sign-on).

    DNS for name resolution.

    The hope was that non-Microsoft implementations of these protocols could be used to serve Windows clients, allowing true competition for providing these services.

    Unfortunately this is not the case.

  • What is Active Directory?

    Database Backend Store

    DHCP Server

    Kerberos 5 Server (KDC)

    LDAPv3 Server

    Dynamic DNS Server

    Microsoft RPC Domain server

  • Why must we use an Active Directory Server?

    Windows clients don't use only the standard protocols to achieve logon services.

    Mandatory extra features (like the modified Kerberos ticket and other details) are tied into the Active Directory implementation to enforce vendor lock-in.

    The practical result of this is that if you want to use Windows clients and servers and obtain all the functionality you paid for, then you must use a Windows Active Directory server.

    IT staff who recommend an Active Directory rollout without making management aware of this commitment going forward are misleading their executive staff.

  • Why must we use an Active Directory Server?

    Windows clients do not allow replacement of their low-level functionality to ease integration with non-Windows directory servers.

    As usual, it is easier to configure non-Windows systems to interoperate with Windows systems than vice versa.

    The free release of Microsoft Services for UNIX does help here, although the protocols used (NIS) are not as secure as using the native protocols of Kerberos and LDAP.

    Active Directory servers can have their LDAP schema (the formal definition of the format of the data they store) extended to allow them to serve non-Windows clients.

  • What do we mean by integration with an Active Directory Server?

    For a non-Windows client to integrate successfully into Active Directory we need two operations to be seamless.

    Authentication of Linux/UNIX accounts against Active Directory.

    Enumeration of Linux/UNIX user and group directory information stored in an Active Directory store.

    For authentication the preferred method is Kerberos 5 (the native Windows 2000 and above authentication method).

    Microsoft Services for UNIX, LDAP or MSRPC can also be used here.

    For user and group enumeration integration, LDAP is the preferred method.

    Microsoft Services for UNIX and MSRPC can also be used.

  • Kerberos Authentication Integration

    Active Directory Servers can be Kerberos 5 KDC servers for Linux/UNIX clients.

    MIT or Heimdal Kerberos servers cannot be complete KDC servers for Windows clients due to the missing extra data field.

    MIT or Heimdal KDC servers can be set to trust AD Kerberos servers if the Windows and UNIX user accounts are separated into separate realms.

    In a more integrated environment it is probably easier to just use Active Directory Kerberos Servers (as Microsoft intended by extending the standard).

  • Integrating Windows Authentication Services with Linux/UNIX

    Linux/UNIX systems started with local files containing all authentication information.

    Since then a standardized plugin architecture has been developed to allow replacement of the authentication information validation (user logons) and maintenance (password changing) with many different possible targets.

    PAM (Pluggable Authentication Modules) API, invented by Sun and adopted by Linux and other UNIX platforms.

  • PAM: Pluggable Authentication Modules

    [Diagram: an application issues a PAM request to the PAM library; the PAM library consults the PAM config directory and calls each module in the module stack in turn; the result of the lookup is returned to the application.]

    PAM requests can be for auth, account, password or session functionality.

  • PAM on Linux/UNIX systems

    PAM is a standard on Linux and many UNIX systems (HP-UX, Solaris and others).

    Over twenty different PAM modules exist to provide all manner of authentication services.

    Three specific modules are of interest for Active Directory integration:

    Kerberos: pam_krb5 (http://pamkrb5.sourceforge.net)

    LDAP: pam_ldap (http://www.padl.com)

    Samba/Microsoft RPC: pam_winbind (http://www.samba.org)
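As an added example that is not part of the talk, here is what a PAM stack built on one of these modules looks like, together with a small check that a service file covers all four facilities the previous slide lists (auth, account, password, session). The module names (pam_winbind.so, pam_unix.so, pam_mkhomedir.so, pam_krb5.so) are real; the file contents are constructed for illustration. Local accounts are deliberately kept as the fallback so that root still works when no domain controller is reachable.

```shell
# Added example, not from the talk: a constructed PAM stack for a Linux host
# that authenticates against Active Directory through winbind, with local
# accounts as the fallback, plus a helper that reports which of the four PAM
# facilities (auth, account, password, session) a configuration covers.

# Constructed contents of a /etc/pam.d/ service file (e.g. system-auth).
# Control flags: "sufficient" ends the facility on success and moves on
# on failure; "required" fails the facility on failure but still runs the
# remaining modules. pam_winbind.so is tried first; pam_unix.so keeps local
# accounts (root above all) working when no domain controller is reachable.
PAM_AD_STACK='
auth      sufficient  pam_winbind.so
# auth    sufficient  pam_krb5.so use_first_pass   (alternative without Samba)
auth      required    pam_unix.so try_first_pass
account   sufficient  pam_winbind.so
account   required    pam_unix.so
password  sufficient  pam_winbind.so
password  required    pam_unix.so use_authtok
session   required    pam_mkhomedir.so skel=/etc/skel umask=0077
session   required    pam_unix.so
'

# Constructed stack that forgot the password facility: logons work, but
# passwd(1) for a domain user would never reach the domain controller.
PAM_INCOMPLETE='
auth      sufficient  pam_winbind.so
auth      required    pam_unix.so try_first_pass
account   required    pam_winbind.so
session   required    pam_unix.so
'

# Read a PAM service file on stdin and print the facilities it configures,
# one per line, in PAM order. Comments and blank lines are ignored.
pam_facilities() {
    awk '$1 ~ /^(auth|account|password|session)$/ { seen[$1] = 1 }
         END {
             n = split("auth account password session", order, " ")
             for (i = 1; i <= n; i++) if (order[i] in seen) print order[i]
         }'
}

# Succeed (exit 0) only when all four facilities are present in the
# configuration passed as $1.
pam_stack_complete() {
    count=$(printf '%s\n' "$1" | pam_facilities | wc -l | tr -d ' ')
    [ "$count" -eq 4 ]
}
```

Run `printf '%s\n' "$PAM_AD_STACK" | pam_facilities` to list the facilities; `pam_stack_complete "$PAM_INCOMPLETE"` fails, which is the kind of gap that shows up only when a domain user tries to change a password.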

  • Kerberos: pam_krb5

    Takes the user's cleartext password and validates it against a standard Kerberos 5 server (Active Directory adds extra proprietary data into the returned ticket, but the client libraries on Linux/UNIX ignore this data).

    Returns a Kerberos 5 Ticket Granting Ticket (TGT) which can be used to get tickets for other services.

    Care must be taken to ensure the encryption method used by default by Windows (RC4-HMAC) is available on the Linux/UNIX Kerberos system.

    Source code available, Open Source/Free Software.
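The encryption-type requirement above, and the "use the AD KDC" arrangement from the Kerberos Authentication Integration slide, come down to a few lines of krb5.conf. The following is an added example, not from the talk: a constructed /etc/krb5.conf for a Linux client of an AD realm, with helpers that read the configured values back so the RC4-HMAC point can be checked mechanically. The key names are the real MIT krb5 ones; EXAMPLE.COM and dc1.example.com are placeholders. RC4-HMAC is listed because that is what the talk requires, but AES is placed first: Windows Server 2008 and later support the AES enctypes and Microsoft has since deprecated RC4, so a current DC will pick AES and RC4 only remains for older controllers.

```shell
# Added example, not from the talk: a constructed /etc/krb5.conf for a
# Linux client of an Active Directory realm, and helpers that read back the
# configured [libdefaults] values so the RC4-HMAC requirement the talk
# mentions can be checked. EXAMPLE.COM and dc1.example.com are placeholders.

krb5_conf() {
cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    # RC4-HMAC (arcfour-hmac-md5) was the Windows default enctype of the
    # talk's era and must be permitted here or the DC and the client cannot
    # agree on a key. AES is listed first so a current DC prefers it.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
    permitted_enctypes   = aes256-cts-hmac-sha1-96 arcfour-hmac-md5

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
EOF
}

# Print the value of the [libdefaults] key named in $1 (for enctype keys a
# space-separated list) from a krb5.conf read on stdin.
krb5_libdefault() {
    awk -v key="$1" '
        /^[[:space:]]*\[/ { section = $0; next }
        /^[[:space:]]*#/  { next }
        section ~ /\[libdefaults\]/ && $1 == key && $2 == "=" {
            out = ""
            for (i = 3; i <= NF; i++) out = out (i > 3 ? " " : "") $i
            print out
        }'
}

# Succeed when enctype $2 appears in the space-separated list $1.
has_enctype() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Hands-on check on a configured host (real MIT commands, not run here):
# obtain a TGT from the DC and show which enctype it was issued with.
show_tgt_enctype() {
    kinit "$1" && klist -e
}
```

`krb5_conf | krb5_libdefault permitted_enctypes` prints the list; `has_enctype "$(krb5_conf | krb5_libdefault default_tkt_enctypes)" arcfour-hmac-md5` is the check the slide asks for. On a real host, `show_tgt_enctype alice@EXAMPLE.COM` confirms which type the DC actually chose.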

  • LDAP: pam_ldap

    Takes the user's cleartext password and validates it against an LDAP server by attempting to set up an LDAP connection as the given username/password pair.

    Must be set up to use SSL/TLS in order to securely validate the password (pam_krb5 doesn't have this problem; all Kerberos exchanges are secure).

    Developed by PADL Software, available as Open Source/Free Software.

  • Samba: pam_winbind

    Allows a Linux/UNIX user to authenticate in exactly the same way as if they were logging on to a Microsoft member server in the Domain.

    Requires a working Samba setup (more details later).

    Completely integrates the Linux/UNIX authentication mechanism into the Windows world, identical to a Windows server.

    All of Samba is Open Source/Free Software.

  • Integrating Windows User Directory Services with Linux/UNIX

    Linux/UNIX systems started with only local directory listings (local files) and have since had to develop standardized plugin architectures to allow replacement of the directory service with any compatible server (no hidden protocols).

    NSS (Name Service Switch).

    NSS allows user and group lookup and enumeration to be done via many different directory services. The order in which they are queried can be changed.

    The NSS modules that are of interest for Active Directory integration are:

    nss_ldap, nss_winbind, nss_nis

  • NSS: Name Service Switch

    [Diagram: an application issues an NSS request to the NSS library (libc); the library reads /etc/nsswitch.conf and queries the module stack in turn: local files lookup, external lookup (NIS), external lookup (winbind); the result of the lookup is returned to the application.]

    NSS requests can look up a user or group, or enumerate the user or group lists.
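The query order the slide mentions is set in /etc/nsswitch.conf. As an added example, not part of the talk, here is a constructed nsswitch.conf for a winbind-integrated host and two helpers that read the source order back, so the "local files before network sources" rule can be checked: with files first, root and other local accounts keep resolving when every domain controller is down. The getent and wbinfo calls in the last function are real tools and are shown as usage only.

```shell
# Added example, not from the talk: a constructed /etc/nsswitch.conf for a
# winbind-integrated host and helpers that read the source order back, so the
# "files before network" rule can be checked. Commands in the last function
# (getent, wbinfo) are real glibc/Samba tools, shown as usage only.

nsswitch_conf() {
cat <<'EOF'
# Local files are consulted first, then the domain through winbind. With
# files first, root and other local accounts still resolve when every
# domain controller is unreachable.
passwd:     files winbind
group:      files winbind
shadow:     files
hosts:      files dns
EOF
}

# Constructed misordering: a domain outage now delays or breaks local logons
# because winbind is asked before the local files.
nsswitch_misordered() {
    printf 'passwd: winbind files\ngroup:  winbind files\n'
}

# Print the lookup sources for database $1 (passwd, group, ...) from an
# nsswitch.conf read on stdin, in the order libc will query them.
nss_sources() {
    awk -v db="$1:" '/^[[:space:]]*#/ { next }
                     $1 == db { $1 = ""; sub(/^[[:space:]]+/, ""); print }'
}

# Succeed when "files" is the first source for database $1.
nss_files_first() {
    [ "$(nss_sources "$1" | awk '{ print $1; exit }')" = "files" ]
}

# Usage on a joined host (not run here). Plain getent with no key only lists
# domain users when smb.conf sets "winbind enum users = yes".
nss_lookup_demo() {
    getent passwd alice          # resolved through files, then winbind
    getent group 'domain users'  # AD group mapped to a UNIX group
    wbinfo -u                    # same enumeration straight from winbindd
}
```

`nsswitch_conf | nss_sources passwd` prints `files winbind`; `nsswitch_misordered | nss_files_first passwd` fails, which is the ordering mistake worth catching before the first directory outage rather than during it.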

  • LDAP: nss_ldap

    Written by PADL Software (as is pam_ldap), this library allows Linux/UNIX systems to look up users and groups stored in an Active Directory server.

    The Active Directory schema must have been extended from the standard schema by including either the RFC 2307 schema (created by PADL) or the schema used by Microsoft's Services for UNIX product.

    The Linux/UNIX user and group information must already exist in the Active Directory as part of the schema.

    This requires some extra administration to add the extra information to the existing Active Directory data.

  • Samba: nss_winbind

    Part of the complete solution provided by Samba (will be described in detail later).

    Does not require any changes to the Active Directory schema.

    Does require a working Samba setup and the Linux/UNIX machine to have been added as a member server into the Active Directory.

  • Microsoft Services for UNIX: nss_nis

    Does not talk directly to the Active Directory Server but to a NIS (Network Information Services) gateway running on a Windows server.

    As with nss_ldap, requires additions to be made to the Active Directory schema to add the Linux/UNIX (POSIX) definitions.

    Useful for older UNIX installations that will only use the NIS protocols (regarded as insecure in modern UNIX systems).

    NIS protocol developed by Sun in the late 1980's.

  • Three Complete Solutions for Active Directory Integration

  • PADL solution

    Modify Active Directory with either the RFC 2307 schema definition or the Microsoft Services for UNIX schema.

    Install pam_ldap (or alternatively pam_krb5) to handle the authentication from the Linux/UNIX systems.

    Install nss_ldap to handle the directory service enumeration from the Linux/UNIX systems.

    Probably the easiest choice for organizations with significant existing Linux/UNIX experience.

    Secure, robust solution but requires work to maintain.
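The three PADL steps above meet on the client in one file, /etc/ldap.conf (read by both pam_ldap and nss_ldap; some distributions split it into /etc/pam_ldap.conf and /etc/libnss-ldap.conf). The following is an added example, not from the talk: a weak version beside a hardened one, a check for the SSL/TLS requirement stated on the pam_ldap slide, and a helper that reads back the schema mapping the nss_ldap slide describes. The server name, base DN and proxy account are constructed placeholders; the option names and the msSFU30* attribute names belong to PADL's ldap.conf and to the Services for UNIX 3.0 schema respectively. With the RFC 2307 schema that Windows Server 2003 R2 and later ship, the attributes are already called uidNumber, gidNumber and loginShell, so only homeDirectory (stored as unixHomeDirectory) still needs mapping.

```shell
# Added example, not from the talk: the client-side file the PADL solution
# turns on, /etc/ldap.conf (read by both pam_ldap and nss_ldap). A weak and a
# hardened version are shown, with helpers that check the TLS setting and
# read back the schema mapping. The server name, base DN and proxy account
# are constructed placeholders.

# Weak: simple bind over plain ldap://, so every user's password crosses
# the network in the clear when pam_ldap validates it.
ldap_conf_weak() {
cat <<'EOF'
host dc1.example.com
base dc=example,dc=com
binddn cn=ldapproxy,cn=Users,dc=example,dc=com
bindpw proxy-password-placeholder
pam_login_attribute sAMAccountName
EOF
}

# Hardened: LDAPS with certificate verification, plus the attribute mapping
# nss_ldap needs for the Services for UNIX 3.0 schema extension.
ldap_conf_hardened() {
cat <<'EOF'
uri ldaps://dc1.example.com/
base dc=example,dc=com
ldap_version 3
# Read-only proxy account for lookups; pam_ldap binds as the user itself
# to validate a password.
binddn cn=ldapproxy,cn=Users,dc=example,dc=com
bindpw proxy-password-placeholder
# TLS is mandatory because the password is sent in a simple bind.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem
# pam_ldap: which attribute holds the login name and which entries are users
pam_login_attribute sAMAccountName
pam_filter objectclass=User
# nss_ldap: where to search and how AD object classes/attributes map onto
# the POSIX names libc expects (SFU 3.0 attribute names)
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_group cn=Users,dc=example,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute uniqueMember msSFU30PosixMember
EOF
}

# Succeed when an ldap.conf read on stdin both encrypts the bind (ssl on,
# ssl start_tls, or an ldaps:// URI) and verifies the server certificate.
ldap_conf_tls_ok() {
    conf=$(grep -v '^[[:space:]]*#' || true)
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(ssl[[:space:]]+(on|start_tls)|uri[[:space:]]+ldaps://)' || return 1
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes'
}

# Print the AD attribute nss_ldap will read for POSIX attribute $1.
ldap_nss_attr_map() {
    awk -v want="$1" '$1 == "nss_map_attribute" && $2 == want { print $3 }'
}

# Usage on a client (real ldapsearch flags, not run here): confirm the DC
# returns the POSIX attributes for a user over TLS before touching PAM.
ldap_check_user() {
    ldapsearch -H ldaps://dc1.example.com/ -b dc=example,dc=com \
        -D cn=ldapproxy,cn=Users,dc=example,dc=com -W \
        "(sAMAccountName=$1)" msSFU30UidNumber msSFU30GidNumber msSFU30LoginShell
}
```

`ldap_conf_weak | ldap_conf_tls_ok` fails and `ldap_conf_hardened | ldap_conf_tls_ok` passes; `ldap_conf_hardened | ldap_nss_attr_map uidNumber` prints `msSFU30UidNumber`, which is exactly the extra schema data the nss_ldap slide says must already exist in the directory before lookups can work.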

  • Services for UNIX solution

    [Diagram: a Windows Active Directory Server (modified schema) running the NIS Server Service; a Linux/UNIX Server with NIS PAM and NIS NSS modules. Communication using the NIS protocol over the network.]

  • Services for UNIX solution

    Uses the older NIS protocol, an older UNIX standard.

    Modern Linux/UNIX systems use either NIS PLUS (encrypted version of NIS) or LDAP or Kerberos for password verification.

    Now that Microsoft has made Services for UNIX available for free, this is now a competitive solution.

    No source code available, unlike other solutions.

    Good choice if an organization is mainly Windows, with a few older Linux/UNIX machines for which security is not a priority.

  • Samba winbind solution

    [Diagram: a Windows Active Directory Server (unmodified schema); a Linux/UNIX Server running the winbind daemon with winbind PAM and winbind NSS modules. MSRPC or LDAP communication over the network.]

  • Samba winbind solution

    Allows a Linux/UNIX machine to completely emulate a Windows member server.

    No changes to Active Directory schema needed; winbind copes with mapping Windows users and groups to Linux/UNIX users and groups.

    Allows Windows clients accessing file and print (Samba) services on the Linux/UNIX server to pass Kerberos 5 tickets to obtain service (as to a Windows file server).

    To synchronize user and group mapping between multiple Linux/UNIX servers using winbind, an external LDAP server must be used (not completely transparent).

    Uses the same protocols as Windows servers for enumerating users and groups and checking passwords.
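The winbind solution described on this slide and on the nss_winbind slide is driven by smb.conf. As an added example, not from the talk, here is a constructed smb.conf for a Linux member server, the real Samba commands used to join the domain and verify the result, and a check that the idmap ranges do not overlap, which is the mapping mistake that silently hands two SIDs the same UID. The domain names and ranges are placeholders. The rid backend shown derives UIDs and GIDs arithmetically from the SID, so every member server computes the same mapping; that is the current way to get the multi-server consistency the slide attributes to an external LDAP store (which Samba still supports as `backend = ldap`).

```shell
# Added example, not from the talk: a constructed smb.conf for a Linux
# member server using winbind, the real Samba commands used to join and
# verify, and a helper that checks the idmap ranges do not overlap. Domain
# names and ranges are placeholders.

smb_conf() {
cat <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # "security = ads": authenticate against the AD domain with Kerberos,
    # exactly as a Windows member server would.
    security = ads
    kerberos method = secrets and keytab
    # Identity mapping without schema changes. "*" covers BUILTIN and other
    # well-known SIDs; the domain uses the rid backend, which derives the
    # UID/GID arithmetically from the SID so every member server agrees
    # without the external LDAP store the talk mentions (backend = ldap).
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
EOF
}

# Constructed misconfiguration: the two ranges overlap, so a SID from the
# domain and a BUILTIN SID can be given the same UID.
smb_conf_overlap() {
    printf '[global]\n'
    printf '    idmap config * : backend = tdb\n'
    printf '    idmap config * : range = 3000-20000\n'
    printf '    idmap config EXAMPLE : backend = rid\n'
    printf '    idmap config EXAMPLE : range = 10000-999999\n'
}

# Print "domain backend low high" for every idmap domain in an smb.conf
# read on stdin, sorted bytewise so the output is stable.
idmap_ranges() {
    awk -F'[[:space:]]*[:=][[:space:]]*' '
        /^[[:space:]]*[#;]/ { next }
        $1 ~ /idmap config/ {
            n = split($1, w, /[[:space:]]+/); dom = w[n]
            if ($2 == "backend") backend[dom] = $3
            if ($2 == "range") { split($3, r, "-"); lo[dom] = r[1]; hi[dom] = r[2] }
        }
        END { for (d in backend) printf "%s %s %s %s\n", d, backend[d], lo[d], hi[d] }' \
    | LC_ALL=C sort
}

# Succeed when no two idmap ranges overlap. Overlapping ranges make the
# SID-to-ID mapping ambiguous; testparm in current Samba releases reports
# them as an error.
idmap_ranges_ok() {
    idmap_ranges | awk '
        { lo[NR] = $3 + 0; hi[NR] = $4 + 0 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) exit 1
        }'
}

# Join and verify (real Samba commands, run on the member server, not here).
join_and_verify() {
    net ads join -U Administrator   # creates the machine account in AD
    net ads testjoin                # prints "Join is OK" on success
    wbinfo -t                       # machine trust secret is valid
    wbinfo -u | head                # domain users via MS-RPC/LDAP
    getent passwd alice             # the same user through NSS (nss_winbind)
}
```

`smb_conf | idmap_ranges` prints one line per idmap domain; `smb_conf_overlap | idmap_ranges_ok` fails. Run the range check against the real file with `idmap_ranges_ok < /etc/samba/smb.conf` before joining, then `join_and_verify` on the host itself.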

  • Integrating Samba

    [Diagram: a Windows Active Directory Server, a Windows Application Server, and a Samba Domain Controller joined by a trust relationship, with member servers attached to each domain.]

  • Conclusions

    Windows Active Directory is a necessary evil if you have large numbers of Windows clients.

    The moral of this is: if you're not piloting a desktop Linux program, you're paying too much for your Microsoft client software.

    Options are PADL Open Source code, Microsoft Services for UNIX, or Samba to pr
