MIT KDC integration. Andreas Schneider Günther Deschner May 21th, Red Hat

Similar documents
The return of the vampires

Updates from MIT Kerberos

Henry B. Hotz Jet Propulsion Laboratory California Institute of Technology. Kerberos 5 Upgrade

FreeIPA Cross Forest Trusts

Samba4: War Stories. Andrew Bartlett Samba Team / Red Hat

MIT Kerberos & Red Hat

Kerberos Administration Guide

Cross-realm trusts with FreeIPA v3

Data, Avdeling for ingeniørutdanning, Høgskolen i Oslo

Windows Authentication With Multiple Domains and Forests

US FEDERAL: Enabling Kerberos for Smartcard Authentication to Apache.

Centralized Authentication with Kerberos 5, Part I

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

Badlock. One Year In Security Hell. Stefan Metzmacher Samba Team / SerNet

The Important Details Of Windows Authentication

Windows Authentication With Multiple Domains and Forests

HP CIFS Server and Kerberos

Windows Authentication With Multiple Domains and Forests

Windows Authentication With Multiple Domains and Forests

Powerful and Frictionless Storage Administration

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

SDC EMEA 2019 Tel Aviv

Gerald Carter Samba Team/HP

Dell EMC Unity Family

Kerberos and Active Directory symmetric cryptography in practice COSC412

A new DCERPC infrastructure for Samba

Kerberos and NFS4 on Linux. isginf Workshop

A new DCERPC infrastructure for Samba

Procedure to Kerberize HDP 3.1

Improving DCERPC Security

Configuring Kerberos based SSO in Weblogic Application server Environment

Improving DCERPC Security Hardening

Configuring Kerberos

LIP for Windows Server Infrastructure Automation Via Ansible Devops Tool

The Samba-3: Overview, Authentication, Integration

FreeIPA and SSSD. Free software identity management. Red Hat Developers Conference Jakub Hrozek Martin Nagy September 14, 2009

Secure Unified Authentication for NFS

Secure Unified Authentication

The workstation account, netlogon schannel and credentials. SambaXP Volker Lendecke Samba Team / SerNet

Configuring Hadoop Security with Cloudera Manager

CWRAP. Testing your full software stack. Andreas Schneider. February 2nd, Red Hat Inc. Samba Team

TIBCO ActiveMatrix BPM Single Sign-On

Kerberos User Guide. Release 1.13 MIT

Andrew Bartlett Hawker College

Samba and Chrome OS the Start of a beautiful Friendship

AAI-SSO with Active Directory. Kerberos Login Handler

Administration Of Active Directory Schema Version Checking

BlackBerry UEM Configuration Guide

ALAP - AgiLe Authentication Provider

Configuration Guide. BlackBerry UEM. Version 12.9

Course Outline: Linux Professional Institute-LPI 202. Learning Method: Instructor-led Classroom Learning. Duration: 5.00 Day(s)/ 40 hrs.

How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x

SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

Novell Kerberos Login Method for NMASTM

"Charting the Course... RHCE Rapid Track Course. Course Summary

Active Directory Attacks and Detection

Agha Mohammad Haidari General ICT Manager in Ministry of Communication & IT Cell#

Spring Security Kerberos - Reference Documentation

The Samba-3 Enchilada: Overview, Authentication, Integration

Copyright 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 13

Ambari User Views: Tech Preview

Configuring NFSv4 on SUSE Linux Enterprise 10

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

User Security Configuration Guide, Cisco IOS XE Fuji 16.8.x (Cisco ASR 920 Routers)

Introducing Microsoft s commitment to interoperability (Office, Windows, and SQL)

Security in Bomgar Remote Support

Samba in Business. John H Terpstra

NFS: The Next Generation. Steve Dickson Kernel Engineer, Red Hat Wednesday, May 4, 2011

Subversion Plugin HTTPS Kerberos authentication

Configuring Kerberos

Networking with Windows Server 2016 (741)

Change Schema Active Directory Domain Name Windows 2008 R2

Installation and Configuration Guide Simba Technologies Inc.

NFSv4 Multi-Domain Access. Andy Adamson ABFAB WG, IETF 80 March 2011

IBM Security Access Manager v8.x Kerberos Part 1 Desktop Single Sign-on Solutions

Implementing the Witness protocol in Samba

Factotum Sep. 24, 2007

Hardware Tokens in META Centre

HP Operations Orchestration Software

Workspace ONE UEM Directory Service Integration. VMware Workspace ONE UEM 1811

VAS 2.6 ADMINISTRATION GUIDE

Installation and Configuration Guide Simba Technologies Inc.

Request for Comments: 4757 Category: Informational Microsoft Corporation December 2006

IBM i Version 7.2. Security Network authentication service IBM

Apple 9L Mac OS X Security and Mobility Download Full Version :

SMB security in Windows 10: Multichannel with preauthentication. Edgar Olougouna

Development Guide. BlackBerry Dynamics SDK for Windows 10

Samba 4 Status Report

IBM Education Assistance for z/os V2R2

Chapter 4: Managing the Directory 4.1: Overview of Managing the Directory

Single Sign On (SSO) with Polarion 17.3

TIBCO Spotfire Connecting to a Kerberized Data Source

COURSE 10982: SUPPORTING AND TROUBLESHOOTING WINDOWS 10

<Insert Picture Here> Active Directory and Windows Security Integration with Oracle Database

Red Hat Enterprise Linux 6

KERBEROS PARTY TRICKS

Beyond the Horizon. What's after Samba 3.0? (Or is the earth really flat?)

Hortonworks Data Platform

Open World Forum 2013

Course 10982B: Supporting and Troubleshooting Windows 10

Transcription:

Andreas Schneider <asn@samba.org> Günther Deschner <gd@samba.org> May 21th, 2015

Who we are? We both are Samba Team members work for on Samba love rock climbing and love Frankonian beer (an important part of rock climbing)

1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

The SDB Layer 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

The SDB Layer HDB, KDB, SDB New SDB layer simple abstraction of samba kdc routines into a new sdb layer provides conversion routines into HDB and KDB formats (for Heimdal and MIT KDCs) Samba builds either MIT or Heimdal plugin, not both KDB plugin works for a MIT KDC (version greater 1.10)

The SDB Layer New KDC backend layering

Microsoft Interop Lab 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

Microsoft Interop Lab Microsoft Kerberos Testsuite Microsoft Interopability Event September 2014 in Redmond MS testsuite testing Samba/MIT KDC with new kdb samba driver Some issues found: kdb samba driver failed encryption type negotiation ARCFOUR-HMAC-MD5 was the only enctype used Re-ordering enabled AES enctypes Salting issues with salting principals for AES kpasswd support via kadmind

Microsoft Interop Lab Microsoft Protocol Test Suites Publically available: Kerberos Protocol Test Suite Supports different scenarios Report generation See Open Specifications Dev Center for further details https://msdn.microsoft.com/openspecifications

cwrap 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

cwrap The libkrb5 DNS discovery problem libkrb5 could not find its DC We needed support for service discovery via DNS We had some DNS faking in the Samba developer build BUT: Samba DNS faking did not work with system libraries

cwrap resolv wrapper This wraps functions from libresolv.so; res query(3), res search(3) We have two modes: 1 Create your own resolv.conf and redirect everything to your DNS server 2 Fake queries from a simple DNS file This is for querying SRV, SOA or CNAME records... https://cwrap.org/resolv_wrapper.html

cwrap resolv wrapper in Samba Selftest resolv wrapper is preloaded in Selftest Currently only supports DNS faking The internal DNS implementation does not correctly handle SOA records, so we can t send DNS queries to it yet The system libkrb5 can now do SRV record lookups to discover the KDC

Kadmind 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

Kadmind kpasswd support Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols (RFC3244) The kpasswd client from MIT Kerberos did not work In MIT Kerberos the kpasswd protocol is implemented in kadmind We needed to start kadmind Password Set variant still needs ACL handling

Kadmind kadmind The MIT Kerberos administration server Allows administrative tasks via kadmin or kadmin.local tool e.g. modify principals, export keytabs

NETLOGON Generic PAC Validation 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

NETLOGON Generic PAC Validation Netlogon PAC validation Netlogon has a logon mode to validate a PAC Samba implements an IRPC service to allow that Basically the service checks if the signature of the PAC is valid When we start the MIT KDC we also set up the IRPC service

What has gone upstream? 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

What has gone upstream? What has gone upstream? Bugfixes, bugfixes, bugfixes... New cwrap components e.g. resolv wrapper Fixes for enabling/disabling parts of the Samba DC for MIT or Heimdal Switch to krb5 API calls and structs from private HDB calls and structs General migration away from HDB where possible

1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

Under review: SDB database abstraction KDB samba module Automatic MIT KDC detection and/or startup selftest and autobuild integration

Under discussion: Removal of Heimdal codebase or at least moving it to the thirdparty repository last Heimdal import was: Mon Jul 25 18:51:53 2011 +0200

TODOs: Password set protocol with ACL support Full gss wrap iov support for Heimdal? S4U2SELF/S4U2PROXY support Client application (kinit, kpasswd) parameters used in selftest Porting new smbtorture krb5 tests to MIT samba-tool support for provisioning an MIT KDC with samba backend

How to set it up? Fetch git repository from: https://git.samba.org/?p=asn/samba.git;a=shortlog;h= refs/heads/master-mit-kdc Install a MIT Kerberos KDC package Compile Samba with with-system-mitkrb5 Create kdc.conf and krb5.conf, FIXME: example Start samba binary

Has Heimdal gone to Valhalla? 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

Has Heimdal gone to Valhalla? The problem of Heimdal development Core maintainer at Apple Project is unactive, no releases Maintenance repository on github Unclear roadmap (if any) Example: gss wrap iov

The End 1 MIT KDB Design The SDB Layer 2 Ongoing development Microsoft Interop Lab cwrap Kadmind NETLOGON Generic PAC Validation What has gone upstream? 3 Remaining bits 4 Heimdal sacrifices Has Heimdal gone to Valhalla? The End

The End Questions & Answers

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback