Linux/Windows Integration
John Dickerson – ECSS
jedicker@iastate.edu
April 10, 2009

● Domain Authentication
● Samba and Active Directory
● Directory Services
● CIFS on Linux
● Applications
Domain Authentication
● Two methods for authentication:
  – Kerberos
    – Uses the IASTATE.EDU realm via the IASTATE Windows domain.
    – Tickets will not work with the Vincent IASTATE.EDU realm.
    – Used primarily on university-owned systems.
  – NTLMv2
    – An alternative authentication method for systems where Kerberos will not work (e.g. systems not in the domain).
    – Often used by "visitor" systems (e.g. personal laptops) to authenticate to the domain.
9/28/2016
Kerberos Prerequisites
● First things first: set up DNS and NTP (time).
● In /etc/resolv.conf (may be done by DHCP):
    domain iastate.edu
    nameserver 129.186.1.200
    nameserver 129.186.142.200
    nameserver 129.186.140.200
● In /etc/ntp.conf:
    server time.iastate.edu
    restrict time.iastate.edu mask 255.255.255.255 nomodify notrap noquery
Setting up Kerberos
● One method: use the 'authconfig' utility.
● Can be run during kickstart (Red Hat's automated installation system):
    # authconfig --enablekrb5 --krb5realm IASTATE.EDU \
        --krb5kdc windc4.iastate.edu,windc3.iastate.edu,windc2.iastate.edu,windc1.iastate.edu \
        --update
  – The KDC list is a single comma-separated argument; --update applies the change on a running system (in a kickstart file the same options go on the 'authconfig' directive).
PAM stuff
● authconfig updates the default PAM stack.
● In /etc/pam.d/system-auth:
    auth  required    pam_env.so
    auth  sufficient  pam_unix.so nullok try_first_pass
    auth  sufficient  pam_krb5.so use_first_pass
    auth  required    pam_deny.so
● [Note: just the 'auth' group of the PAM stack is shown above, though all PAM management groups (account, auth, password, session) are modified.]
Setting up Kerberos
● Brute force method: edit /etc/krb5.conf:
    [realms]
    IASTATE.EDU = {
        kdc = windc1.iastate.edu
        kdc = windc2.iastate.edu
        kdc = windc3.iastate.edu
        kdc = windc4.iastate.edu
    }
    [domain_realm]
    iastate.edu = IASTATE.EDU
    .iastate.edu = IASTATE.EDU
    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
● The ticket_lifetime and renew_lifetime values are in seconds. Adjust as necessary.
NTLMv2
● A fallback when Kerberos isn't available.
● Particularly for non-domain machines.
● It's important to enable support for this on both clients and servers.
● Modify /etc/samba/smb.conf:
    [global]
    security = ads
    client ntlmv2 auth = yes
    ...
Samba
● The Swiss Army knife of Windows integration:
  – CIFS file sharing
  – CIFS print sharing
  – Look up users and groups from the domain
  – Create member servers in the Windows domain
  – Create Kerberos host principals in the Windows domain
Samba and AD Integration
● First, configure /etc/samba/smb.conf:
    [global]
    workgroup = IASTATE
    wins server = 129.186.142.179, 129.186.142.189
    security = ads
    client ntlmv2 auth = yes
    realm = IASTATE.EDU
    use kerberos keytab = yes
    password server = windc4.iastate.edu, windc3.iastate.edu, windc2.iastate.edu, windc1.iastate.edu
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    idmap config IASTATE:backend = ad
    idmap domains = IASTATE
● 'use kerberos keytab = yes' creates /etc/krb5.keytab when the host joins.
Samba and AD Integration
● Then, join the host to the domain:
    # hostname myhost.engineering.iastate.edu
    # net ads join -U jedicker createcomputer=ENGR/Servers
    password: ************
● In order to join the domain, the user whose credentials are being used (jedicker) must have authority to create a computer account in the specified organizational unit (ENGR). In this case, all servers are stored under the ENGR/Servers sub-OU.
Did the join work?
● Check 'wbinfo':
    # wbinfo -t
    checking the trust secret via RPC calls succeeded
    # wbinfo -g
    (should list all the groups in the domain)
    # wbinfo -n jedicker
    S-1-5-21-1659004503-1450960922-1606980848-77661 User (1)
● Check the /etc/krb5.keytab file:
    # ktutil
    ktutil: read_kt /etc/krb5.keytab
    ktutil: list
    slot KVNO Principal
       1    2 host/myhost.engineering.iastate.edu@IASTATE.EDU
       2    2 host/myhost.engineering.iastate.edu@IASTATE.EDU
       3    2 host/myhost.engineering.iastate.edu@IASTATE.EDU
       4    2 host/MYHOST@IASTATE.EDU
       5    2 host/MYHOST@IASTATE.EDU
       6    2 host/MYHOST@IASTATE.EDU
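The keytab check above is easy to eyeball once, but a host that is later renamed or re-joined ends up with principals that no longer match it, or with keys of different KVNOs, and then Kerberos logins fail. The following is an added example (not from the slides) that automates the check against a ktutil-style listing; the hostname and realm are the ones used on the slides, and the sample listing is constructed, not captured output.

```shell
#!/bin/sh
# Added example, not from the slides: sanity-check a keytab listing as printed by
# `ktutil` (read_kt /etc/krb5.keytab; list). After a join every key should be a
# host/ principal for this machine's FQDN or upper-cased short name in the expected
# realm, and all keys were written by the same join, so they share one KVNO. A stray
# principal or mixed KVNOs usually means the host was renamed or re-joined and the
# keytab is stale, which surfaces later as Kerberos failures.
# check_keytab FQDN REALM  (listing on stdin) -> 0 if clean, else 1 plus diagnostics.
check_keytab() {
    fqdn=$1; realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    rc=0; kvnos=""
    while read -r slot kvno princ; do
        # skip ktutil prompts, the column header and the dashed rule
        case "$slot" in slot|----*|ktutil:|"") continue ;; esac
        case "$princ" in
            "host/$fqdn@$realm"|"host/$short@$realm") ;;
            *) echo "slot $slot: unexpected principal $princ"; rc=1 ;;
        esac
        kvnos="$kvnos $kvno"
    done
    if [ -z "$kvnos" ]; then
        echo "no keys found in listing"; return 1
    fi
    distinct=$(printf '%s\n' $kvnos | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -ne 1 ]; then
        echo "mixed KVNOs:$kvnos (stale keytab?)"; rc=1
    fi
    return $rc
}
# Constructed sample mirroring the listing on the slide (not captured output).
sample='slot KVNO Principal
---- ---- ---------
   1    2 host/myhost.engineering.iastate.edu@IASTATE.EDU
   2    2 host/myhost.engineering.iastate.edu@IASTATE.EDU
   3    2 host/MYHOST@IASTATE.EDU
   4    2 host/MYHOST@IASTATE.EDU'
# On a real host (ktutil reads its commands from stdin):
#   printf 'read_kt /etc/krb5.keytab\nlist\n' | ktutil | check_keytab "$(hostname -f)" IASTATE.EDU
if printf '%s\n' "$sample" | check_keytab myhost.engineering.iastate.edu IASTATE.EDU; then
    echo "keytab principals and KVNOs are consistent"
fi
```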
Winbind
● Configured via /etc/samba/smb.conf.
● Its main function is to map user and group SIDs to Unix uids and gids.
● Each client must be joined to the domain.
Samba and Share ACLs
● To limit access to a share using a domain group (preferably a "Windows Sync" group), in /etc/samba/smb.conf:
    [private]
    comment = Private Data
    path = /export/data/private
    browseable = yes
    writable = yes
    hosts allow = *.engineering.iastate.edu
    valid users = @"IASTATE\engr_private", @"IASTATE\engr_managers"
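On a server with many shares, the one that was added without a 'valid users' line is the one every authenticated domain account can write to. The following is an added example (not from the slides or from Samba) that walks an smb.conf and reports such shares; the demonstration file is constructed and reuses the [private] share from the slide.

```shell
#!/bin/sh
# Added example, not from the slides: audit the share sections of an smb.conf and
# flag writable shares with no 'valid users' restriction (any domain account could
# write there). Backslash-continued lines, as on the slide, are joined first.
# audit_shares FILE -> one line per share; exit status 1 if any share is OPEN.
audit_shares() {
    awk '
        function flush() {
            if (sec == "" || sec == "global" || sec == "homes" || sec == "printers") return
            flag = (writable == "yes" && valid == "-") ? "OPEN" : "ok"
            if (flag == "OPEN") open++
            printf "%-4s %-8s writable=%-3s valid_users=%s hosts_allow=%s path=%s\n",
                   flag, sec, writable, valid, hosts, path
        }
        /\\$/ { sub(/\\$/, ""); pending = pending $0; next }   # join continued lines
        { $0 = pending $0; pending = "" }
        /^[ \t]*[;#]/ { next }                                  # comment lines
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)   # section header
                      writable = "no"; valid = "-"; hosts = "-"; path = "-"; next }          # Samba default is read-only
        /=/ {
            key = tolower($0); sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val)
            if (key == "writable" || key == "writeable") writable = tolower(val)
            else if (key == "read only") writable = (tolower(val) == "no") ? "yes" : "no"
            else if (key == "valid users") valid = val
            else if (key == "hosts allow") hosts = val
            else if (key == "path") path = val
        }
        END { flush(); exit (open > 0) }
    ' "$1"
}
# Constructed smb.conf: the [private] share from the slide plus an open scratch share.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[global]
   security = ads
[private]
   path = /export/data/private
   writable = yes
   hosts allow = *.engineering.iastate.edu
   valid users = @"IASTATE\engr_private", \
                 @"IASTATE\engr_managers"
[scratch]
   path = /export/data/scratch
   writable = yes
EOF
audit_shares "$demo" || echo "at least one share is writable by any domain user"
rm -f "$demo"
```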
Directory Services, Hesiod
● Works fine for mapping users, not so well for groups.
● Configured in /etc/hesiod.conf.
● Works well, fast. No need to authenticate :-)
● Tricky to map AD groups (needs ASW "Windows Sync" groups with the NFS group parameter).
● Can't enumerate group members.
● Not really "integrated" with Windows.
Directory Services, LDAP
● Use LDAP in NSS (nss_ldap).
● First: configure nss_ldap for querying the domain controllers.
● Then: modify NSS (/etc/nsswitch.conf) to use LDAP for users and groups.
● Requires an authenticated bind (anonymous LDAPS binds are not supported on our domain controllers).
● Requires PKI (CA cert bundle for the domain controllers' SSL certs).
● A very helpful blog: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
Set up nss_ldap
● Modify /etc/ldap.conf (not to be confused with /etc/openldap/ldap.conf):
    base dc=IASTATE,dc=EDU
    uri ldaps://windc4.iastate.edu ldaps://windc1.iastate.edu ldaps://windc2.iastate.edu ldaps://windc3.iastate.edu
    binddn cn=MY LDAP USER,ou=Users,ou=ENGR,dc=IASTATE,dc=EDU
    bindpw {thepassword}
    scope sub
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
● The bindpw value is a plaintext password!
Set up NSS
● Modify /etc/nsswitch.conf:
    passwd: files ldap
    group:  files ldap
    hosts:  files dns
● Now check to see if it's working:
    # getent passwd jedicker
    # getent group engr_coll_profsci
● [Note: looking up groups via 'getent' will only work if the group has been created as a "Windows Sync" group in ASW, and that group has the "NFS group" parameter on.]
Winbind for users/groups
● Partly depends on NSS. In /etc/nsswitch.conf:
    passwd: files winbind
    group:  files winbind
    hosts:  files dns
● In /etc/samba/smb.conf:
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    idmap config IASTATE:backend = ad
    idmap domains = IASTATE
● Alternatively, with the rid idmap backend in place of ad:
    idmap config IASTATE:backend = rid
    idmap config IASTATE:base_rid = 1000
    idmap config IASTATE:range = 10000 - 300000
CIFS on Linux Clients
● smbclient (also Nautilus connect-to-server)
  – Supports Kerberos auth.
● mount.cifs
  – sec=krb5 supposedly works in RHEL 5.3 (unverified).
  – Uses cifs.upcall to pass krb5 tickets to the kernel(?). keyutils(?)
● pam_cifs
  – A PAM module that can mount a CIFS share.
● pam_script
  – Can do just about anything (esp. for access control).
Applications
● OpenOffice 3 supports Office 2007 file formats.
● Firefox authentication to IIS using domain auth is broken (e.g. SharePoint).
Applications
● WINE – Anyone doing this?