RHEL Clients to AD Integrating RHEL clients to Active Directory



Similar documents
SSSD Active Directory Improvements

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

Using Active Directory as your Solaris Authentication Source

Univention Corporate Server. Extended domain services documentation

Integrating Red Hat Enterprise Linux 6 with Active Directory. Mark Heslin Principal Software Engineer

FreeIPA - Open Source Identity Management in Linux

Attunity RepliWeb PAM Configuration Guide

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Kerberos Delegation with SAS 9.4

Identity Management based on FreeIPA

Building Open Source Identity Management with FreeIPA. Martin Kosek

Active Directory and Linux Identity Management

System Security Services Daemon

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

Windows Enterprise OU Administrator Tips. Integrating RHEL5 Systems with Active Directory

CAC AND KERBEROS FROM VISION TO REALITY

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

FreeIPA 3.3 Trust features

Advancements in Linux Authentication and Authorisation using SSSD

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

Windows Security and Directory Services for UNIX using Centrify DirectControl

Using Kerberos to Authenticate a Solaris TM 10 OS LDAP Client With Microsoft Active Directory

Configure Samba with ACL and Active Directory integration Robert LeBlanc BioAg Computer Support, Brigham Young University

Hadoop Elephant in Active Directory Forest. Marek Gawiński, Arkadiusz Osiński Allegro Group

Integrating Linux systems with Active Directory

FreeIPA v3: Trust Basic trust setup

Using Single Sign-on with Samba. Appendices. Glossary. Using Single Sign-on with Samba. SonicOS Enhanced

How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris

Installing Squid with Active Directory Authentication

ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software

Connect to UW UWWI Active Directory

Migration of Windows Intranet domain to Linux Domain Moving Linux to a Wider World

Kerberos and Windows SSO Guide Jahia EE v6.1

Linux Virtual Desktop. Installation Guide for Red Hat Enterprise Linux. Version 1.0

Red Hat Identity Management

Linux/Unix Active Directory Authentication Integration Using Samba Winbind

Centrify Identity and Access Management for Cloudera

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

External and Federated Identities on the Web

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

SUSE Manager 1.2.x ADS Authentication

VINTELA AUTHENTICATION SERVICES

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010

AD Integration options for Linux Systems

1 Introduction. Ubuntu Linux Server & Client and Active Directory. Page 1 of 14

Install and Configure an Open Source Identity Server Lab

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Network Startup Resource Center

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

Linux Virtual Desktop

Implementing Linux Authentication and Authorisation Using SSSD

Identity Management: The authentic & authoritative guide for the modern enterprise

Instructions for Adding a MacOS 10.4.x Server to ASURITE for File Sharing. Installation Section

LDAP-UX Client Services B with Microsoft Windows Active Directory Administrator's Guide

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

INUVIKA TECHNICAL GUIDE

SSSD and OpenSSH Integration

Unifying Authorization Models

(june > this is version 3.025a)

Using Kerberos tickets for true Single Sign On

Configuring idrac6 for Directory Services

LinuxCon North America

Active Directory Integration

Vintela Authentication from SCO Release 2.2. System Administration Guide

Configure the Application Server User Account on the Domain Server

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

Managing Identity & Access in On-premise and Cloud Environments. Ellen Newlands Identity Management Product Manager Red Hat, Inc

Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000 White Paper

Integrating OID with Active Directory and WNA

Charles Firth Managing Macs in a Windows World

Creating an LDAP Directory

Guide to SASL, GSSAPI & Kerberos v.6.0

SUSE Linux Enterprise Server in an Active Directory Domain

1 Introduction. Windows Server & Client and Active Directory.

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Dell Proximity Printing Solution. Installation Guide

FreeIPA Cross Forest Trusts

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Security Provider Integration Kerberos Authentication

Linux/Windows Security Interop: Apache with mod_auth_kerb and Windows Server 2003 R2

Enabling Active Directory Authentication with ESX Server 1

Table of Contents. Red Hat Summit Labs. Lab Overview... 3 Background... 3

HRSWEB ActiveDirectory How-To

Security with LDAP. Andrew Findlay. February Skills 1st Ltd

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Samba. Samba. Samba 2.2.x. Limitations of Samba 2.2.x 1. Interoperating with Windows. Implements Microsoft s SMB protocol

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Secure Unified Authentication for NFS

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

Configuring Hadoop Security with Cloudera Manager

SAMBA SERVER (PDC) Samba is comprised of a suite of RPMs that come on the RHEL/Fedora CDs. The files are named:

Integration with Active Directory. Jeremy Allison Samba Team

Avaya CM Login with Windows Active Directory Services

Transcription:

RHEL Clients to AD Integrating RHEL clients to Active Directory Presenter Dave Sullivan Sr. TAM, Red Hat 2013-09-03

Agenda Review Dmitri Pal and Simo Sorce Preso Legacy RHEL hook to AD RHEL Direct--->sssd--->AD RHEL IdM/Trust--->sssd--->(FreeIPA/IdM and AD) Review Mark Heslin's Reference Architecture Direct AD integration options (excludes IdM/IPA integration) Quick walk through on simple direct integration rhel--->sssd--->ad 2

Dmitri Pal & Simo Sorce Preso Dmitri Pal (Software Engineering Manager focused on IdM) Simo Sorce (Principal Software Engineer focused on IdM) Presentation, AD Integration Options For Linux Systems Dmitri Pal & Simo Sorce - Integrating Linux systems into Active Directory Environment 3

Mark Heslin's Reference Architecture Mark Heslin (Principal Software Engineer focused on IdM) Reference Architecture, Integrating Enterprise Linux 6 With Active Directory How do I authenticate RHEL to Active Directory using sssd? 4

Direct RHEL6 integration to AD Walk-through Active Directory Existing Windows 2k8r2 Existing RHEL Client RHEL6.4+ @base [root@testclient-rhel6-006 ~]# rpm -qa wc -l 433 System Security Services Daemon (SSSD) Permits offline authentication Reduces load on identification/authentication servers yum -y install sssd See References [SSSD] for detailed SSSD documentation 5

Prerequisites Active Directory Existing Windows 2k8r2 Existing RHEL Client RHEL6.4+ @base [root@testclient-rhel6-006 ~]# rpm -qa wc -l 433 System Security Services Daemon (SSSD) Permits offline authentication Reduces load on identification/authentication servers yum -y install sssd See References [SSSD] for detailed SSSD documentation 6

Multiple Ways To Integrate GUI or CLI GUI 1. Run the authconfig-tui tool. Select ldap under the "User Information" section and Kerberos under the "Authentication" Section. 2. On the ldap Settings step. Leave the use TLS option unselected put the AD servers fully qualified domain name in and the base DN. 3. On the kerberos Settings page enter the AD servers Realm, also list the AD servers fully qualified domain name for the KDC and Admin Server. CLI [root@testclient-rhel6-006 ~]# rpm -qa grep sssd sssd-client-1.9.2-82.7.el6_4.x86_64 sssd-1.9.2-82.7.el6_4.x86_64 Utilize authconfig tool Need Windows FQDN, AD basedn Automatically configures nss, pam, sssd.conf, and krb5.conf [authconfig --enableldap --enablekrb5 --ldapserver=ldap://win2k8.example.com --ldapbasedn="dc=example,dc=com" --enablerfc2307bis --disablekrb5realmdns --krb5kdc=win2k8.example.com --krb5realm=example.com --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall [root@testclient-rhel6-006 ~]# echo $? 0 7

Review CLI Configuration NSS [root@testclient-rhel6-006 ~]# cat /etc/nsswitch.conf grep sss passwd: shadow: group: files sss files sss files sss services: files sss PAM netgroup: files sss [root@testclient-rhel6-006 ~]# ls -lrt /etc/pam.d/ system-auth-ac, password-auth-ac, smartcard-auth-ac, fingerprint-auth-ac modified lrwxrwxrwx. 1 root root 14 Jun 27 2012 system-auth -> system-auth-ac lrwxrwxrwx. 1 root root 16 Jun 27 2012 password-auth -> password-auth-ac lrwxrwxrwx. 1 root root 19 Jun 27 2012 fingerprint-auth -> fingerprint-auth-ac lrwxrwxrwx. 1 root root 17 Jun 27 2012 smartcard-auth -> smartcard-auth-ac 8

Review CLI Configuration sssd.conf [root@testclient-rhel6-006 sssd]# cat /etc/sssd/sssd.conf... ldap_schema = rfc2307bis ldap_search_base = dc=example,dc=com krb5_realm = EXAMPLE.COM krb5_server = win2k8.example.com id_provider = ldap auth_provider = krb5 chpass_provider = krb5 ldap_uri = ldap://win2k8.example.com krb5_kpasswd = kerberos.example.com cache_credentials = True ldap_tls_cacertdir = /etc/openldap/cacerts [sssd] services = nss, pam config_file_version = 2 9

Review CLI Configuration krb5.conf [root@testclient-rhel6-006 sssd]# cat /etc/krb5.conf... [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true 10

Install oddjob-mkhomedir [root@test-rhel6-ad sssd]# yum -y install oddjob-mkhomedir Ensure that user home directories are created with the proper SELinux file and directory contexts [root@test-rhel6-ad sssd]# chkconfig oddjobd on;service oddjobd start Starting oddjobd: [ OK ] 11

Kerberos Binding To AD [root@testclient-rhel6-006 sssd]# yum -y install krb5-workstation samba-common [root@testclient-rhel6-006 sssd]# kinit Administrator Password for Administrator@EXAMPLE.COM: kinit: Clock skew too great while getting initial credentials [root@testclient-rhel6-006 sssd]# ntpdate win2k8.example.com 3 Sep 01:11:55 ntpdate[25813]: step time server 192.168.1.78 offset -50400.525691 sec [root@testclient-rhel6-006 sssd]# kinit Administrator Password for Administrator@EXAMPLE.COM: [root@testclient-rhel6-006 sssd]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator@EXAMPLE.COM Valid starting Expires Service principal 09/03/13 01:11:58 09/03/13 11:12:01 krbtgt/example.com@example.com renew until 09/10/13 01:11:58 12

Join To AD Via Samba [root@testclient-rhel6-006 sssd]# cat /etc/samba/smb.conf [global] workgroup = EXAMPLE client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log realm = EXAMPLE.COM security = ads #necessary if dns not properly setup password server = win2k8.example.com [root@testclient-rhel6-006 sssd]# hostname test-rhel6-ad [root@testclient-rhel6-006 sssd]# net ads join -k Using short domain name -- EXAMPLE Joined 'TEST-RHEL6-AD' to dns domain 'EXAMPLE.COM' No DNS domain configured for test-rhel6-ad. Unable to perform DNS Update. DNS update failed! 13

Add Group To AD Open Administrative Tools -> Active Directory Users and Computers Browse to EXAMPLE.COM, then to Users Right click on Users and Create a New Group named unixusers Double click on the unixusers group then switch to the UNIX Attributes tab Select the NIS Domain created earlier Set the GID as appropriate 14

Add User To AD Open Administrative Tools -> Active Directory Users and Computers Browse to EXAMPLE.COM, then to Users Right click on Users and Create a New User named aduser Make sure User must change password at next logon and Account is disabled are unchecked Double click on the aduser group then switch to the UNIX Attributes tab Select the NIS Domain created earlier Set the UID as appropriate Set the Login Shell to /bin/bash Set the Home Directory to /home/aduser Set Primary Group Name/GID to unixusers 15

Can we query AD? root@testclient-rhel6-006 sssd]# yum -y install openldap-clients [root@testclient-rhel6-006 sssd]# /usr/bin/ldapsearch -H ldap://win2k8.example.com/ -Y GSSAPI -N -b "dc=example,dc=com" "(&(objectclass=user)(samaccountname=aduser))"... # red hat, Users, EXAMPLE.COM dn: CN=red hat,cn=users,dc=example,dc=com objectclass: top objectclass: person objectclass: organizationalperson objectclass: user cn: red hat sn: hat givenname: red distinguishedname: CN=red hat,cn=users,dc=example,dc=com InstanceType: 4... 16

Test with id command [root@testclient-rhel6-006 sssd]# kinit Administrator Password for Administrator@EXAMPLE.COM: [root@testclient-rhel6-006 sssd]# time id aduser <----first pull takes longer, not cached uid=10000(aduser) gid=10000(unixusers) groups=10000(unixusers) real user sys 0m21.930s 0m0.000s 0m0.001s [root@testclient-rhel6-006 sssd]# time id aduser <----second time much faster, it's in our sss cache uid=10000(aduser) gid=10000(unixusers) groups=10000(unixusers) real user sys 0m0.002s 0m0.001s 0m0.000s 17

Test logging in remotely via ssh [root@test-rhel6-ad ~]# grep aduser /etc/passwd [root@test-rhel6-ad ~]# ifconfig eth0 grep 192 inet addr:192.168.1.155 Bcast:192.168.1.255 Mask:255.255.255.0 [dsulliva@localhost ~]$ ssh aduser@192.168.1.155 aduser@192.168.1.155's password: Last login: Mon Sep 9 05:49:05 2013 from 192.168.1.6 [aduser@test-rhel6-ad ~]$ pwd /home/aduser [aduser@test-rhel6-ad ~]$ echo $SHELL /bin/bash 18

Clear kerberos and sssd cache [root@testclient-rhel6-006 sssd]# kdestroy [root@testclient-rhel6-006 sssd]# service sssd stop; rm -f /var/lib/sss/db/*; service sssd restart Stopping sssd: [ OK ] Stopping sssd: cat: /var/run/sssd.pid: No such file or directory [FAILED] Starting sssd: [ OK ] 19

References SSSD https://access.redhat.com/site/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-introduction.html Red Hat Presentations How do I authenticate RHEL to Active Directory using sssd? Dmitri Pal & Simo Sorce - Integrating Linux systems into Active Directory Environment 20

THOUGHTS? QUESTIONS? CONCERNS?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information