Authenticate local Linux accounts against Windows Active Directory

Presentation transcript:

Authenticate local Linux accounts against Windows Active Directory Matt Hargrave robert.hargrave@gmfinancial.com GM Financial

Overview
- What is Kerberos
- Kerberos vs LDAP
- PAM
- pam_krb5
- Setup: krb5.conf, sshd, sudo, httpd, Samba
- Moving Forward

What we needed
- A single password for every user, for every service
- Control of users maintained at the server level
- A universal (secure) authentication mechanism

Kerberos
- Developed at MIT and released as open source in 1987
- Named after the three-headed dog that guarded the gates of Hades
- Version 5
- Uses tickets to authenticate
- Everyone uses it

Why Kerberos and not LDAP?
Pros:
- Quick and simple
- Control over users
- Three-headed dog (Cerberus)
Cons:
- User management
- Dependent on Windows Server

Pluggable Authentication Module (PAM)
- High-level interface to low-level authentication schemes
- Supported on a plethora of Unix and Unix-like systems

The magic is in pam_krb5
- Developed by Red Hat (Nalin Dahyabhai)
- Aims to work with minimal configuration

Setup...

    yum install pam_krb5 krb5-workstation

/etc/krb5.conf

    [libdefaults]
        default_realm = EXAMPLE.COM

    [realms]
        EXAMPLE.COM = {
            kdc = SERVER1.EXAMPLE.COM:88
            admin_server = SERVER1.EXAMPLE.COM:749
            kdc = SERVER2.EXAMPLE.COM:88
            admin_server = SERVER2.EXAMPLE.COM:749
            default_domain = EXAMPLE.COM
        }

    [domain_realm]
        .EXAMPLE.COM = EXAMPLE.COM
        .TEST.EXAMPLE.COM = EXAMPLE.COM

    [logging]
        kdc = SYSLOG:INFO
        admin_server = FILE=/var/krb5/log/kadmin.log

SSHD

/etc/sshd_config

    UsePAM yes
    KerberosAuthentication no

Setting KerberosAuthentication to yes works perfectly fine as well; however, sshd then checks the password against the KDC itself and bypasses the PAM options below.

/etc/pam.d/sshd

    #%PAM-1.0
    auth       required     pam_nologin.so
    auth       sufficient   pam_unix.so shadow md5 likeauth nullok
    auth       requisite    pam_succeed_if.so uid >= 200 quiet
    auth       sufficient   pam_krb5.so
    auth       required     pam_deny.so
    account    required     pam_unix.so
    password   required     pam_cracklib.so
    password   required     pam_unix.so shadow md5 nullok use_authtok
    session    required     pam_unix.so
    session    required     pam_limits.so
    session    optional     pam_krb5.so
    session    required     pam_selinux.so close
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke

SUDO

/etc/pam.d/sudo

    #%PAM-1.0
    auth       sufficient   pam_unix.so
    auth       sufficient   pam_krb5.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so revoke
    session    required     pam_limits.so
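To see why the order and control flags of the sshd and sudo auth stacks above matter (local password tried first, Kerberos only for uid >= 200, pam_deny as the backstop), here is an added example, not code from the talk, that models how Linux-PAM walks an auth stack per pam.conf(5). The per-module outcomes (local password, KDC answer, /etc/nologin) are constructed inputs, not real PAM calls.

```python
# Added example: a model of Linux-PAM "auth" stack evaluation (required,
# requisite, sufficient) over the sshd and sudo stacks from the slides.
SSHD_AUTH = """
auth required   pam_nologin.so
auth sufficient pam_unix.so shadow md5 likeauth nullok
auth requisite  pam_succeed_if.so uid >= 200 quiet
auth sufficient pam_krb5.so
auth required   pam_deny.so
"""
SUDO_AUTH = "auth sufficient pam_unix.so\nauth sufficient pam_krb5.so\n"

def parse_auth_stack(text):
    """Return [(control, module, args)] for the 'auth' lines of a pam.d file."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2], fields[3:]))
    return rules

def module_result(module, args, user):
    """Constructed per-module outcome for one login attempt (dict of facts)."""
    if module == "pam_nologin.so":       # root passes; others need no /etc/nologin
        return user["uid"] == 0 or not user["nologin_present"]
    if module == "pam_unix.so":          # password in the local /etc/shadow
        return user["local_password_ok"]
    if module == "pam_succeed_if.so":    # only the slide's 'uid >= N' form is modelled
        return user["uid"] >= int(args[2])
    if module == "pam_krb5.so":          # password accepted by the AD KDC
        return user["kerberos_password_ok"]
    if module == "pam_deny.so":
        return False
    raise ValueError(f"unmodelled module {module}")

def authenticate(rules, user):
    """sufficient short-circuits, requisite aborts, failed required is remembered."""
    required_failed = any_ok = False
    for control, module, args in rules:
        ok = module_result(module, args, user)
        if control == "sufficient" and ok and not required_failed:
            return True                  # later modules are never consulted
        if control == "requisite" and not ok:
            return False                 # immediate failure, pam_deny never reached
        if control == "required" and not ok:
            required_failed = True       # keep walking, but the verdict is set
        any_ok = any_ok or ok
    return any_ok and not required_failed
```

Run with a domain user (uid 1000, no local password), a local service account (uid 150) and root with only a local password: the first authenticates via pam_krb5, the second is cut off by pam_succeed_if before Kerberos is ever tried, and root still logs in through pam_unix even when /etc/nologin exists, which is the fallback the "Things to consider" slide asks for.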

Non-PAM configurations...

HTTPD (auth_kerb_module)

.htaccess

    AuthType Kerberos
    KrbAuthRealm EXAMPLE.COM
    KrbMethodNegotiate off
    KrbVerifyKDC off
    Require valid-user
    AuthGroupFile /path/to/file

Samba

/etc/samba/smb.conf

    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    client NTLMv2 auth = YES

Then join the domain:

    net ads join -Uadministrator

Things to consider...
- root (or an account with sudo access) should keep a local password as a backdoor in case Kerberos is unavailable
- DNS bug?

Moving Forward
- SSSD (System Security Services Daemon)
- Identity Management (FreeIPA)
- SSSD creates a framework for services to access remote directories and authentication mechanisms (such as FreeIPA)

Questions?