Square Pegs in Round Holes: Linux in a Windows World Eric G. Wolfe © 2008 Senior Linux Administrator Marshall University Slides, and code available at

Understanding the technology. Part 1

What is Active Directory? Active Directory A pre-configured Authentication and Authorization solution, offered by Microsoft. Components o DNS o Kerberos o LDAP o MSRPC Pros o Simple to manage and maintain. Cons o Interoperability requires some knowledge of the underlying components.

What is Kerberos? Kerberos A secure authentication protocol. Hashes, NOT passwords are sent to the server. Tickets are granted to the client. Tickets can be used as authentication against services. Versions o MIT (US)‏ o Heimdal (Swiss)‏ Pros o Centralized user management. o Protocol transport is secure by default. o Third party support. Cons o Time syncronization must be precise. o Password management is not standardized.

What is LDAP? Lightweight Directory Access Protocol A directory is like a database optimized for reads. LDAP is used for authorization. Contains centralized information o user and group o application configuration Pros o Usernames have a relationship to centralized attributes. Cons o Directory schema is not standardized. o Performance is hindered with clients and applications increases.

What is MSRPC? Microsoft Remote Procedure Call Modified version of The Open Group's DCE/RPC 1.1 (Distributed Computing Environment Remote Procedure Call)‏ MSRPC is how Microsoft operating systems talk to each other. o "Domain Member" servers resolve usernames, and groups between one another. o Remote Registry services o Administrative Tools - Microsoft Management Console

Part 2 Configuring these technologies, the basics of AD Integration.

Setting up Kerberos. pam_krb5 This is specific to Red Hat Enterprise. Easy way o setup (select Authentication Config) o authconfig-tui Harder way, editing config files. o /etc/krb5.conf o /etc/pam.d/system-auth  Note: Debian/Ubuntu splits up system-auth  /etc/pam.d/common-auth  /etc/pam.d/common-account  /etc/pam.d/common-password  /etc/pam.d/common-session Video Demonstration

Setting up Kerberos. mod_auth_kerb Kerberos authentication in Apache o behaves like IIS Windows Integrated Authentication. o sets $_SERVER['USERNAME'] environment variable for use in custom or third-party web applications. Authentication protocol is secured between the Domain Controller and web server. o still need SSL/TLS for client -> webserver. Edit two files o /etc/httpd/conf.d/auth_kerb.conf o /etc/httpd/conf.d/auth_kerb.keytab

Setting up Samba Join a domain –Edit /etc/samba/smb.conf (next slide) –Configure services o chkconfig smb on o chkconfig winbind on o chkconfig nscd off –Stop or start services o /etc/init.d/smb start o /etc/init.d/winbind start o /etc/init.d/nscd stop –Join domain o net ads join createcomputer="Organizational Unit" -Uadministrator Video Demonstration

PAM Samba configuration Name Service Switch

Part 3 Advanced tricks: Linux & MSRPC

Remote registry & DNS DNS management Problems encountered o You can read AD-integrated zones from LDAP, but the majority of our zones are NOT AD-integrated. o We have thousands of internal reverse zones, it is tedious to maintain them on several servers individually. o There is no DNS standard allowing a slave server to grab all of the zone names off of a primary. Observations o Windows DNS can be read remotely from a registry branch with Samba.

Remote Registry & DNS configuring dnsnarf Create a DNS service account in AD for the script. GPO settings Registry key for non-administrator remote registry reads. o HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg o Set 'read' and 'apply gpo' permissions for your DNS service account.

Remote Registry & DNS dnsnarf is born Samba component used. net rpc registry enumerate o manpage: net(8) Remote registry location to read zones. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones Example test command net -S kdc01.contoso.com \ -U administrator -W CONTOSO.COM \ rpc registry enumerate \ "\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"

Example net rpc output

Sample dnsnarf output (named.conf)‏

Questions? Eric G. Wolfe © 2008 Senior Linux Administrator Marshall University This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. Slides and code available at