FreeIPA Cross Forest Trusts

Similar documents
Cross-realm trusts with FreeIPA v3

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

Windows Authentication With Multiple Domains and Forests

FreeIPA and SSSD. Free software identity management. Red Hat Developers Conference Jakub Hrozek Martin Nagy September 14, 2009

DCERPC and Endpoint Mapper

Windows Authentication With Multiple Domains and Forests

MIT Kerberos & Red Hat

Red Hat Enterprise Linux 8.0 Beta

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

Windows Authentication With Multiple Domains and Forests

SDC EMEA 2019 Tel Aviv

FreeIPA - Control your identity

The System Security Services Daemon (SSSD) explained

RED HAT ENTERPRISE LINUX: ACTIVE DIRECTORY - CLIENT INTEGRATION OPTIONS

Practical Steps Implementing Red Hat Identity Management Solution David Sirrine Senior Technical Account Manager, Red Hat Jerel Gilmer SEC June 29,

SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

Linux authentication using the System Security Services Daemon (SSSD) explained

Samba in Business. John H Terpstra

Windows Authentication With Multiple Domains and Forests

The Samba-3: Overview, Authentication, Integration

FreeIPA - Control your identity

Subtitle: Join Sun Solaris Systems to Active Directory with Likewise

Identity Management: Unicorn or Gorgon?

Integrating the RHCI Suite with IdM

Identity Management Scaling Out and Up

The Important Details Of Windows Authentication

The Samba-3 Enchilada: Overview, Authentication, Integration

Active Directory Attacks and Detection

Escape from the Identity crisis with FreeIPA

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

The return of the vampires

Samba4: War Stories. Andrew Bartlett Samba Team / Red Hat

Administration Of Active Directory Schema Version Checking

MIT KDC integration. Andreas Schneider Günther Deschner May 21th, Red Hat

The workstation account, netlogon schannel and credentials. SambaXP Volker Lendecke Samba Team / SerNet

Identity with Windows Server 2016 (742)

How to Integrate an External Authentication Server

KERBEROS PARTY TRICKS

70-742: Identity in Windows Server Course Overview

SerNet. Samba Status Update. SNIA SDC 2011 Santa Clara, CA. Volker Lendecke SerNet Samba Team

Kerberos-enabled applications. Core services for UNIX shell programs and applications. Kerberos environment. Centrify DirectControl Service Library

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Samba. OpenLDAP Developer s Day. Volker Lendecke, Günther Deschner Samba Team

MOC 6232A: Implementing a Microsoft SQL Server 2008 Database

On-demand Authentication Infrastructure for Test and Development Andrew Leonard Dell EMC/Isilon

Develop and test Web authentication with containers

Samba4 and Directory Services. Andrew Bartlett Samba Team

Kerberos and NFS4 on Linux. isginf Workshop

70-647: Windows Server Enterprise Administration Course 01 Planning for Active Directory

"Charting the Course... Enterprise Linux Security Administration Course Summary

Andrew Bartlett Hawker College

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

Vintela Single Sign-On for Java Reference Manual

IdMap and Nss Info Interface Changes in Samba

Network Security: Kerberos. Tuomas Aura

Course Outline 20742B

Distributing Secrets. Securely? Simo Sorce. Presented by. Red Hat, Inc.

2 SCANNING, PROBING, AND MAPPING VULNERABILITIES

Configure advanced audit policies

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Novell Kerberos Login Method for NMASTM

Kerberos on the Web Thomas Hardjono

Directory Services. MacSysAdmin 2012

Implementing the SSSD using SUSE Linux Enterprise Server 12 and Active Directory

Using samba base libraries SSSD as an example application

NFSv4 Multi-Domain Access. Andy Adamson Connectathon 2010

A new DCERPC infrastructure for Samba

Active Directory Attacks and Detection

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

"Charting the Course... RHCE Rapid Track Course. Course Summary

Red Hat Enterprise Linux 7

A new DCERPC infrastructure for Samba

ISILON ONEFS WITH HADOOP KERBEROS AND IDENTITY MANAGEMENT APPROACHES. Technical Solution Guide

Office 365 and Azure Active Directory Identities In-depth

Red Hat Enterprise Linux 7 Windows Integration Guide

Updates from MIT Kerberos

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Badlock. One Year In Security Hell. Stefan Metzmacher Samba Team / SerNet

Linux Administration

Ldap Bind Function Call Failed Error Code 82

Changing Schema Active Directory Domain Name Server 2008 R2

Samba and Chrome OS the Start of a beautiful Friendship

VAS 2.6 ADMINISTRATION GUIDE

Cisco VCS Authenticating Devices

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

How to Configure Authentication and Access Control (AAA)

Gerald Carter Samba Team/HP

Red Hat Enterprise Linux 7

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0

ForeScout CounterACT. Configuration Guide. Version 4.3

Change Schema Active Directory Domain Name 2003

KEY DISTRIBUTION AND USER AUTHENTICATION

[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol

Red Hat Enterprise Linux 7

JXTA TM Technology for XML Messaging

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0

Understanding Active Directory Level 100

Change Schema Active Directory Password Mac Users Can't

Transcription:

Alexander Bokovoy <ab@samba.org> Andreas Schneider <asn@samba.org> May 10th, 2012

1 FreeIPA What is FreeIPA? Cross Forest Trusts 2 Samba 3 Demo

Talloc Tutorial Pavel Březina wrote Talloc tutorial! http://talloc.samba.org/

What is FreeIPA? 1 FreeIPA What is FreeIPA? Cross Forest Trusts 2 Samba 3 Demo

What is FreeIPA? FreeIPA: http://www.freeipa.org I: Identity LDAP-based store for common objects (users, groups, hosts, services,...) 389-ds as an LDAP server with FreeIPA server-side plugins MIT Kerberos KDC with FreeIPA driver Integrated certificate management with Dogtag Certificate Authority Python-based command line and Web management tools P: Policy Delegation and separation of access Flexible delegation of editing controls Host-based access controls to services: Everything is denied by default, define rules to allow <user or group[, source host]> <host, service> Rules enforced at client side with SSSD project A: Audit Coming...

What is FreeIPA? FreeIPA v2.2 FreeIPA v2.2 is the current stable version: SE Linux user maps deployment, SSH known hosts management with SSSD 1.8.0 Available in Fedora 17 beta 1 Will be available in Enterprise Linux 6.3 Allows to deploy full GNU/Linux-based solution with centrally manageable servers and clients: Multi-master replication Client systems support with SSSD and LDAP/Kerberos-compatible solutions like nss ldap,pam ldap Active Directory two-way synchronization for side-by-side deployments

What is FreeIPA? Active Directory integration Winsync plugin for Active Directory triggers synchronization of users and groups: Configured as a IPA replica of special type Two-way, change in AD brings in change to IPA and backward Only allows sync back users, not groups Incomplete management of password change enforcement A better integration solution is required!

Cross Forest Trusts 1 FreeIPA What is FreeIPA? Cross Forest Trusts 2 Samba 3 Demo

Cross Forest Trusts Kerberos cross-forest trusts FreeIPA deployment is a fully managed Kerberos realm Can be integrated with Windows as RFC4120-compliant Kerberos realm Traditional Kerberos trust management applies: on GNU/Linux side ~/.k5login should be defined to impersonate users with identities on Active Directory side manual mapping is performed with special tools in a similar way Does not scale well for thousands of users and hosts: a foreign realm principal impersonates our realm s user requires additional management of special users to impersonate doubling the management effort mapping has to happen on every single machine. Manually?

Cross Forest Trusts Kerberos cross-forest trusts Active Directory native cross forest trusts Require two Active Directory domains AD domain establishes trust with another AD domain via LSA RPC AD uses LSA RPC to map incoming principals to SIDs technically: KDC + CLDAP + LSA RPC FreeIPA provides KDC and LDAP, Samba 3 provides LSA RPC Stage 1: we are interested in allowing AD users to connect to FreeIPA services e.g. PuTTY from Windows machine connecting to FreeIPA ssh service

Cross Forest Trusts Kerberos cross-forest trusts What was missing? Samba passdb backend to FreeIPA supporting trust storage and retrieval CLDAP plugin to FreeIPA to respond on AD discovery queries FreeIPA KDC backend to generate MS PAC and support case-insensitive searches Configuration tools to setup trusts

Cross Forest Trusts FreeIPA v3 architecture Full overview is available at http://freeipa.org/page/ipav3_architecture

Cross Forest Trusts Kerberos cross-forest trusts FreeIPA passdb backend: Expansion of traditional LDAP passdb backend New schema objects and attributes to support trusted domain information Support for uid/gid ranges for multi-master replicas Kerberos principal creation for foreign domain account FreeIPA KDC backend: Generates MS PAC information out of LDAP info and add to the ticket Allows to accept principals and tickets from a trusted cross forest realm Verifies and sign MS PAC coming from a trusted cross forest realm

Cross Forest Trusts Kerberos cross-forest trusts FreeIPA configuration tools: FreeIPA has command line (CLI) and Web user interfaces ipa trust-ad-add creates new cross-forest trust CLI operates with Kerberos authentication Request is sent to FreeIPA server via XML-RPC over HTTPS with Kerberos auth FreeIPA uses S4U2Proxy Kerberos feature to allow constrained delegation Samba 4 Python bindings are used to establish trust Code runs under non-privileged account (apache) Uses Kerberos ticket obtained via XML-RPC with the help of mod kerb auth Issues Kerberos-authenticated LSA RPC requests to a local smbd Uses AD credentials or shared secret passed via XML-RPC request to talk to AD DC

Cross Forest Trusts Using FreeIPA services with AD credentials Use of FreeIPA client system with AD cross forest credentials: Client system is provisioned with ipa-client-install SSSD is configured during provisioning to talk to FreeIPA LDAP krb5.conf is configured to perform mapping of cross forest trusted realm principal to user name 1:1 without removing the realm, e.g. Administrator@ad.local becomes user Administrator@ad.local

Cross Forest Trusts Using FreeIPA services with AD credentials

Cross Forest Trusts Using FreeIPA services with AD credentials On client SSH log-in following happens: SSH checks if user exists on the system SSSD NSS plugin handles the request and sees the user is not local. It requests additonal FreeIPA extended operation plugin for 389-ds that performs external domain user/group mapping using Winbind UID/GID are returned to SSH, GSSAPI is used to log-in that local user now Now SSSD NSS plugin uses MS PAC from the Kerberos ticket to fill up groups information using FreeIPA LDAP

1 FreeIPA What is FreeIPA? Cross Forest Trusts 2 Samba 3 Demo

What did we do? What a wurst! Spoolss Rewrite Spoolss Daemon Endpoint Mapper Daemon Pimped RPC Server Prefork Library LSA Service Daemon MIT Kerberos support

This is the wurst!

Spoolss Rewrite Use winreg to store spoolss values instead of several tdb s Improve internal/(external) rpc connection handling

Spoolss Daemon Named pipe proxy over unix socket Doesn t scale but works for testing

Named Pipe Proxy A special unix socket smbd just accepts the named pipe connection and forwards it to the unix socket Authentication is done by the service handling the named pipe proxy.

Endpoint Mapper Daemon It is a simple port mapper needed for tcp/ip communication First implementation only supported named pipes If you want to know more look at my SambaXP talk from 2011

Pimped RPC Server Added tcp/ip support Added ncalrpc support over unix sockets ncalrpc special root mode for privileged operations

Preforked Library Research: We want a preforked library with a mutex around accept(2) The mutex didn t work that well, so we do a race on accept(2) now Small daemon with pretty small memory footprint We prefork 5 children by default Values are tunable via config options for each daemon

Preforked Spoolss Daemon Research: We want a preforked library with a mutex around accept()

LSA Service Daemon Preforked daemon Handles TCP/IP, Named Pipe and NCALRPC connections Provides LSA/SAMR/Neglogon Services

EPMD and LSASD is all we need from Samba... plus Samba 4 client libraries and Python bindings

MIT Kerberos support Samba 4 client libraries and Python bindings use Kerberos API They were developed using Heimdal Kerberos implementation as a reference for several past years Using Python bindings within FreeIPA server process pulls them into MIT Kerberos environment The result of mixing two Kerberos implementations in one process in unpredictable An effort was done on allowing to build Samba 4 client code with MIT Kerberos Mostly in git master, remaining bits are in waf-mit-work personal branches (Simo, Alexander, Andreas) Good news: MIT Kerberos-based Samba 4 client code works! Almost... There is unrelated crash in sys setgroups() in git master (wasn t caught by autobuild).

DEMO

Questions & Answers Slides http://www.samba.org/~asn/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback