SDC EMEA 2019 Tel Aviv

Similar documents
The workstation account, netlogon schannel and credentials. SambaXP Volker Lendecke Samba Team / SerNet

Samba. OpenLDAP Developer s Day. Volker Lendecke, Günther Deschner Samba Team

Windows Authentication With Multiple Domains and Forests

The Important Details Of Windows Authentication

Windows Authentication With Multiple Domains and Forests

SerNet. Samba Status Update. SNIA SDC 2011 Santa Clara, CA. Volker Lendecke SerNet Samba Team

Cross-realm trusts with FreeIPA v3

Windows Authentication With Multiple Domains and Forests

Windows Authentication With Multiple Domains and Forests

FreeIPA Cross Forest Trusts

The Samba-3: Overview, Authentication, Integration

FreeIPA - Control your identity

Subtitle: Join Sun Solaris Systems to Active Directory with Likewise

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

The Samba-3 Enchilada: Overview, Authentication, Integration

Open Enterprise Server 11 SP3 Domain Services for Windows Security Guide. July 2016

Samba4 and Directory Services. Andrew Bartlett Samba Team

SMB2 and SMB3 in Samba: Durable File Handles and Beyond. sambaxp 2012

Samba in Business. John H Terpstra

Identity Management Scaling Out and Up

IdMap and Nss Info Interface Changes in Samba

SerNet. Async Programming in Samba. Linuxkongress Oktober Volker Lendecke SerNet Samba Team. Network Service in a Service Network

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

SNIA SDC 2018 Santa Clara

Kerberos and NFS4 on Linux. isginf Workshop

User Authentication. Modified By: Dr. Ramzi Saifan

HP OpenVMS CIFS File Security and Management

<Insert Picture Here> Active Directory and Windows Security Integration with Oracle Database

VAS 2.6 ADMINISTRATION GUIDE

The return of the vampires

Beyond the Horizon. What's after Samba 3.0? (Or is the earth really flat?)

Badlock. One Year In Security Hell. Stefan Metzmacher Samba Team / SerNet

CS530 Authentication

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016

User Authentication. Modified By: Dr. Ramzi Saifan

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

Samba 4 Status Report

Novell Kerberos Login Method for NMASTM

Migration of NT4 to Samba-3

The State of Samba (June 2011) Jeremy Allison Samba Team/Google Open Source Programs Office

Lorikeet Integrated Authentication

Managing External Identity Sources

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Red Hat Enterprise Linux 8.0 Beta

Gerald Carter Samba Team/HP

Spotfire Security. Peter McKinnis July 2017

VMware Identity Manager Administration

User Authentication Principles and Methods

MIT Kerberos & Red Hat

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

FreeIPA - Control your identity

Red Hat Enterprise Linux 7

Network Security: Kerberos. Tuomas Aura

Samba in a cross protocol environment

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

Dell EMC Unity Family

How to Integrate an External Authentication Server

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

Authenticating Devices

NFSv4 Multi-Domain Access. Andy Adamson Connectathon 2010

AutoRID module extensions to control ID generation

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

Copyright 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 13

Red Hat Enterprise Linux 7

IO110: Open Enterprise Server 2. Hardware you can hit with a hammer, software you can only curse at...

dcache NFSv4.1 Tigran Mkrtchyan Zeuthen, dcache NFSv4.1 Tigran Mkrtchyan 4/13/12 Page 1


ISILON ONEFS WITH HADOOP KERBEROS AND IDENTITY MANAGEMENT APPROACHES. Technical Solution Guide

Improving DCERPC Security Hardening

Configuring Request Authentication and Authorization

WINS Replication. Stefan Metzmacher SerNet Service Network GmbH Samba Team

Security Provider Integration: Kerberos Server

Clustered Samba Challenges and Directions. SDC 2016 Santa Clara

Clustered NAS For Everyone Clustering Samba With CTDB. NLUUG Spring Conference 2009 File Systems and Storage

Escape from the Identity crisis with FreeIPA

Henry B. Hotz Jet Propulsion Laboratory California Institute of Technology. Kerberos 5 Upgrade

The Windows Server 2008 R2 Schema Extension Must Be Applied To The Ad Schema For The Forest

Using samba base libraries SSSD as an example application

Clustered NAS For Everyone Clustering Samba With CTDB A Tutorial At sambaxp 2009

Simo Sorce Samba Team.

IT222 Microsoft Network Operating Systems II

Pre-Assessment Answers-1

Integrating the RHCI Suite with IdM

CIFS/9000 Server. Windows Integration Enhancements and Roadmap. September, Eric Roseme Systems Networking Solutions Lab Hewlett-Packard

Linux Administration

Configuring Content Authentication and Authorization on Standalone Content Engines

NFS on Steroids: Building Worldwide Distributed File System Gregory Touretsky Intel IT

RED HAT ENTERPRISE LINUX: ACTIVE DIRECTORY - CLIENT INTEGRATION OPTIONS

A new DCERPC infrastructure for Samba

Cloud Access Manager Configuration Guide

DoD Common Access Card Authentication. Feature Description

How to Configure Authentication and Access Control (AAA)

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Kerberos Introduction. Jim Binkley-

A new DCERPC infrastructure for Samba

Kerberized NFS 2010 Kerberos Conference

OpenVMS Security Update 1M01

Andrew Bartlett Hawker College

Transcription:

Integrating Storage Systems into Active Directory SDC EMEA 2019 Tel Aviv Volker Lendecke Samba Team / SerNet 2019-01-30

Volker Lendecke AD integration (2 / 16) Overview Active Directory Authentication Mechanisms Windows- and Unix-IDs API introduction

Volker Lendecke AD integration (3 / 16) Who am I? Co-Founder of SerNet in Göttingen, Germany First Samba patches in 1994 Early Samba Team member Samba infrastructure (tdb, tevent, etc) File server Clustered Samba Winbind AD controller is my colleague Stefan Metzmacher s domain Stefan implemented AD multi-master replication in Samba

Volker Lendecke AD integration (4 / 16) Active Directory Microsoft s central user database Successor to NT4-based Security Account Manager (SAM) It s what edirectory is for the Bindery (Novell anyone?) Kerberos KDC with an LDAP database backend Multi-Master replicated LDAP database Highly specific LDAP schema with custom extensions A lot of internal magic and validity checks Authentication server for Challenge-Response based schemes DNS database for server lookup Often very complex setup of many domains (Realms) Cross-Realm authentication is common, not an exception

Volker Lendecke AD integration (5 / 16) What is Samba? Started in the 1990s as a DEC Pathworks file server Originally based on Solaris Implementation of many Microsoft Protocols Server Message Block (SMB) for file services SMB and DCE-RPC for print services RPC for user database services Kerberos, DNS, LDAP, etc NT4 compatible Domain Controller Active Directory Domain Controller Active Directory Domain Member Make AD users and groups available to Linux/Unix

Volker Lendecke AD integration (6 / 16) Authentication and Authorization Did the user type in her/his password correctly? What is the user allowed to do? What groups is the user member of? What is the user s access token? Access token in Windows Style or Unix Style?

Volker Lendecke AD integration (7 / 16) Authentication mechanisms telnet/ftp: Not spending much time here Salted and hashed passwords on the server s disk ssh: plain text passwords protected by public key crypto Also public key authentication Challenge/Response Server offers a Nonce, client encrypts nonce with user s password Server does the same and compares the result Plain text password on server s disk Kerberos: Complicated version of challenge/response Plain text password on KDC disk

Volker Lendecke AD integration (8 / 16) NTLM vs Kerberos NTLM MS Challenge Response Authentication Protocol flavor (a.k.a. CRAP) Not as CRAP as it used to be, modern versions are resonably secure For every authentication the DC must be asked Kerberos is the standard authentication protocol Based on signed tickets with lifetimes Reduced load on the DC due to ticket caching Can be very picky, often fails Server must be contacted by it s name, IP addresses don t work NTLM as a fallback must always be available

Volker Lendecke AD integration (9 / 16) Roles in Authentication User The one who knows a password, presents a certificate or similar Authenticating workstation or server Machine a user requests access to Domain Controller / Key Distribution Center Central user database, point of trust Gatekeeper for all access control decisions Workstation/Server has to trust the DC Trust based on a shared secret / workstation password DC proves that it knows the workstation password In Kerberos-speak that s a machine principal and keytab

Volker Lendecke AD integration (10 / 16) Samba s winbind Daemon responsible for all DC traffic Domain Controller lookup (DNS SRV records, CLDAP, NetBIOS) Establish encrypted and verified DC connection All nasty Microsoft RPC is done by winbind Machine password changed regularly Maintenance of the trust account Very (too?) simple socket interface on /tmp/.winbindd/pipe Samba s PAM and NSS modules redirect to winbind Tries to do exactly what Windows clients do That s all we can rely on Not fully there yet though

Volker Lendecke AD integration (11 / 16) Authorization Authentication is done via Kerberos or NTLM via winbind Authorization: What is the user allowed to do? Utilize permissions from ACLs ACLs are defined for User- and Group-IDs What is a user s UID and what groups is she/he member of? Domain Controllers are the ones to know group memberships User token describes the user precisely AD only provides the Token upon successful authentication Kerberos tickets and NTLM CRAP reply contain all user info

Volker Lendecke AD integration (12 / 16) User token calculation Access control needs User ID and a list of Group IDs Active Directory has a very complex group model Group Types: Domain, Universal, Domain Local, Local groups Group memberships can be nested Domain Controllers calculate membership at login time Kerberos initial user login NTLM authentication Winbind can t calculate group memberships for users not logged in NFS manage-gids not reliable Future development: Service4U2Self via Kerberos

Volker Lendecke AD integration (13 / 16) ID mapping Windows user IDs are 128 bit Under Windows, multiple domains are seamlessly integrated via trusts Unix user, groups and ACLs defined in terms of 32-bit values Merging organizations is a nightmare Every Windows user and group needs a stable unix equivalent Multiple servers need to agree Winbind has multiple ways to do idmapping Static configuration per domain: idmap rid Table-based: idmap autorid or idmap tdb AD-maintained mappings: idmap ad

Volker Lendecke AD integration (14 / 16) winbind nss info Active Directory can maintain Unix user information Services for Unix (SFU) schema extension Every user can get a uidnumber User objects have two primary groups: Windows and Unix Before 4.6, Samba only looked at the Windows primary group Some customers don t want a gidnumber for Domain Users idmap config DOMAIN : unix primary group = yes idmap config DOMAIN : unix nss info = yes

Volker Lendecke AD integration (15 / 16) libwbclient Let s look at some header file

Volker Lendecke AD integration (16 / 16) Questions? vl@samba.org / vl@sernet.de http://www.sambaxp.org/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback