Cross-realm trusts with FreeIPA v3

Similar documents
FreeIPA Cross Forest Trusts

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

The Important Details Of Windows Authentication

Windows Authentication With Multiple Domains and Forests

SDC EMEA 2019 Tel Aviv

Windows Authentication With Multiple Domains and Forests

The workstation account, netlogon schannel and credentials. SambaXP Volker Lendecke Samba Team / SerNet

Windows Authentication With Multiple Domains and Forests

Windows Authentication With Multiple Domains and Forests

RED HAT ENTERPRISE LINUX: ACTIVE DIRECTORY - CLIENT INTEGRATION OPTIONS

DCERPC and Endpoint Mapper

FreeIPA and SSSD. Free software identity management. Red Hat Developers Conference Jakub Hrozek Martin Nagy September 14, 2009

Directory Services. MacSysAdmin 2012

MIT Kerberos & Red Hat

The return of the vampires

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

How to Integrate an External Authentication Server

The System Security Services Daemon (SSSD) explained

Identity Management Scaling Out and Up

Practical Steps Implementing Red Hat Identity Management Solution David Sirrine Senior Technical Account Manager, Red Hat Jerel Gilmer SEC June 29,

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

Integrating the RHCI Suite with IdM

Linux authentication using the System Security Services Daemon (SSSD) explained

Badlock. One Year In Security Hell. Stefan Metzmacher Samba Team / SerNet

FreeIPA - Control your identity

Configuring Kerberos

Setting Up Identity Management

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.

DoD Common Access Card Authentication. Feature Description

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

Proposed User Experience for Handling Multiple Identity Providers in Network Identity Manager 2.0

Securing the Elastic Stack

Subtitle: Join Sun Solaris Systems to Active Directory with Likewise

Active Directory Integration

The Samba-3: Overview, Authentication, Integration

How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x

Kerberized NFS 2010 Kerberos Conference

Pass-the-Hash Attacks

MIT KDC integration. Andreas Schneider Günther Deschner May 21th, Red Hat

Streaming Analytics Manager Authorization

KERBEROS PARTY TRICKS

Lightweight DCE Client in NetSEAT PKMS

The Directory Schema Is Not Accessible Because The Logon Attempt Failed

Andrew Bartlett Hawker College

Lorikeet Integrated Authentication

FULLY QUALIFIED DOMAIN NAMES (FQDNS) IN ACTIVE DIRECTORY CANNOT EXCEED 64 CHARACTERS IN TOTAL LENGTH, INCLUDING HYPHENS AND PERIODS (.).

Unit 2: Manage Files Graphically with Nautilus Objective: Manage files graphically and access remote systems with Nautilus

Configuring Ambari Authentication with LDAP/AD

Red Hat Enterprise Linux 7

Advanced Clientless SSL VPN Configuration

Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

Open Enterprise Server 11 SP3 Domain Services for Windows Security Guide. July 2016

Samba in Business. John H Terpstra

Vintela Single Sign-On for Java Reference Manual

Escape from the Identity crisis with FreeIPA

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

ADVANCED WINDOWS AUDITING

User Management: Configuring Auth Servers

TIBCO Spotfire Connecting to a Kerberized Data Source

Configuring Ambari Authentication with LDAP/AD

Red Hat Enterprise Linux 7

SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

Configuring Kerberos

Using the MyProxy Online Credential Repository

Active Directory Attacks and Detection

Implementing Cross-Domain Kerberos Constrained Delegation Authentication An AirWatch How-To Guide

Spotfire Security. Peter McKinnis July 2017

Samba. OpenLDAP Developer s Day. Volker Lendecke, Günther Deschner Samba Team

EnterpriseLink and LDAP

The Samba-3 Enchilada: Overview, Authentication, Integration

The Kerberos Authentication Service

Pass-the-Hash Attacks. Michael Grafnetter

Red Hat Enterprise Linux 8.0 Beta

KEY DISTRIBUTION AND USER AUTHENTICATION

TLS Client Certificate and Smart Card Logon

Florence Blanc-Renaud Senior Software Engineer - Identity Management - Red Hat

User Security Configuration Guide, Cisco IOS XE Fuji 16.8.x (Cisco ASR 920 Routers)

Windows Authentication Concepts

External Authentication with Ultra Protect v7.2 SSL VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

Realms and Identity Policies

Beyond the Horizon. What's after Samba 3.0? (Or is the earth really flat?)

<Insert Picture Here> Active Directory and Windows Security Integration with Oracle Database

Linux with Active Directory

Identity Management: Unicorn or Gorgon?

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

Using PDC's resources in Applied CFD. Elisabet Molin PDC

Real Application Security Administration

Novell Kerberos Login Method for NMASTM

Develop and test Web authentication with containers

PSUMAC102: Penn State Central Auth In- Depth

Exam : JN Title : Juniper Networks Certified Internet Assoc(JNCIA-SSL) Exam. Version : Demo

Security Enterprise Identity Mapping

Jelmer Vernooij. April 21, 2008

Edge Security Pack (ESP) Feature Description

Admin Reporting Kit for Active Directory

Network Security: Kerberos. Tuomas Aura

Transcription:

Cross-realm trusts with FreeIPA v3 Alexander Bokovoy, Andreas Scheider

Alexander Bokovoy about:me Member of Samba Team since 2003 Principal Software Engineer, Red Hat FreeIPA project Andreas Schneider about:me Member of Samba Team since 2010 Software Engineer, Red Hat Samba support and development 2

Cross-realm trusts with Active Directory Active Directory CIFS authentication protocols used by Windows 2000 and above Kerberos protocol LDAP storage and protocol, CLDAP protocol PAC kerberos extension 3

Cross-realm trusts with Active Directory PAC: Privilege Attribute Certificate Extension to Kerberos to convey CIFS information Contains Authorization data (security identifiers and relative identifiers of group membership, etc) User profile information (home directory, logon script, etc) Service for User data Password credentials (for smartcards) 4

Cross-realm trusts with Active Directory PAC: Privilege Attribute Certificate Relatively well described in [MS-PAC] Allows to cache and pass through important account details for kerberized services Usually not inspected and not expected by traditional Kerberos-based services/applications Tickets with PAC may grow large, up to 65KiB 5

FreeIPA v3 FreeIPA v3 introduces few extensions: New Kerberos database back end Support for filling in PAC structure CLDAP responder to complement LDAP queries New Samba SAM back end 6

FreeIPA v3 FreeIPA v3 relies on merged Samba build Samba 3 daemon with external RPC processing End-point mapper LSA SS, LSA SD, LSA RPC SAMR, NETLOGON IPA SAM back end to use LDAP/Kerberos combined information from FreeIPA Samba 4 client libraries and Python bindings for trust management 7

FreeIPA v3 net rpc trust Samba 3 'net' utility Connects to remote DC and issues LSA calls to setup the trust part Modifies Samba databases directly Requires root access Can't be run within FreeIPA WSGI process Complex command line arguments 8

FreeIPA v3 Challenges FreeIPA management process runs under unprivileged user Uses delegated Kerberos credentials to access managed services Thus, trust relationship should be queried and managed via remote CIFS calls Use of samba client libraries Python bindings to Samba 4 9

FreeIPA v3 Trust User Experience 'net rpc trust create' Asks for 6 specialized parameters including those not exposed in Windows UI Windows Admins usually don't give up their credentials easily Creates the trust in one shot Quest to simplify the experience Trust has two halves: Trust information in local realm Trust information in remote realm Can be set independently 10

FreeIPA v3 Trust User Experience Quest to simplify the experience Trust has two halves: Trust information in local realm Trust information in remote realm Can be set independently Require verification to finalize All trust information is possible to autodiscover using LSA and CLDAP requests 11

Trust setup with existing admin credentials ipa trust-add-ad --server=winda.ad.local --realm-admin=ad\administrator My credentials (kerberos ticket) AD server AD admin creds (will be asked for the password) Miss shared trust secret Resulted actions: Generate shared secret Discover AD domain/realm with AD admin creds Setup local trust part Setup remote trust part Verify remote trust working Display info, result of verification, and instructions how to use the trust 12

Local trust setup before remote trust is done ipa trust-add-ad --server=winda.ad.local My credentials (kerberos ticket) AD server Miss AD admin creds Miss shared trust secret Resulted actions: Generate shared trust secret Discover anonymously AD domain/realm Set up local trust part Display instructions and info for windows admin to setup the remote trust part 13

Local trust setup after remote trust is done ipa trust-add-ad --server=winda.ad.local --shared-secret=abcd My credentials (kerberos ticket) AD server Shared trust secret Miss AD admin creds Resulted actions: Discover anonymously AD domain/realm Setup local trust part Verify remote trust working Display info and result of verification 14

Challenges and issues Samba 4 python bindings Largely shaped by use in setting up Samba 4 DC Auto-generated for majority of DCE RPC calls Common processing Very brief error reporting (RuntimeError) Crash immediately if used incorrectly Samba 4 Credentials library Makes wild assumptions of ways to authenticate Tries to discover based on environment, does not work for cases like running within WSGI process with multiple Kerberos credentials caches 15

Challenges and issues Samba 3 Samba 4 Not everything in new RPCs for Active Directory is supported Can't complete Windows-initiated trust request due to lack of DRSU API Samba 4 is there for a reason! Samba relies on Heimdal a lot Work to make sure MIT Kerberos library is usable is being done. A must for distribution integration Will require fairly new MIT Kerberos (1.9) 16

Questions? 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback