FreeIPA Cross Forest Trusts


Alexander Bokovoy <ab@samba.org>
Andreas Schneider <asn@samba.org>
May 10th, 2012

Agenda
1. FreeIPA
   - What is FreeIPA?
   - Cross Forest Trusts
2. Samba
3. Demo

Talloc Tutorial
Pavel Brezina wrote a Talloc tutorial! http://talloc.samba.org/

1. FreeIPA: What is FreeIPA?

What is FreeIPA?
FreeIPA: http://www.freeipa.org
I: Identity
- LDAP-based store for common objects (users, groups, hosts, services, ...)
- 389-ds as the LDAP server, with FreeIPA server-side plugins
- MIT Kerberos KDC with a FreeIPA driver
- Integrated certificate management with the Dogtag Certificate Authority
- Python-based command line and web management tools
P: Policy
- Delegation and separation of access
- Flexible delegation of editing controls
- Host-based access control to services: everything is denied by default; rules are defined to allow <user or group[, source host]> -> <host, service>
- Rules are enforced on the client side by the SSSD project
A: Audit
- Coming...
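The host-based access control model just described (only allow rules exist; anything no rule allows is denied) is small enough to show as a working evaluator. The following is an added example written for this transcription, not FreeIPA's or SSSD's HBAC code; the rule and request shapes, the "*" wildcard, and the host, group and user names in the sample policy are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Added illustration of FreeIPA's HBAC model (deny by default, allow rules only).
# Not FreeIPA/SSSD code; the rule/request shapes and sample names are assumptions.


@dataclass(frozen=True)
class HbacRule:
    name: str
    users: frozenset = frozenset()         # user names the rule allows
    groups: frozenset = frozenset()        # user groups the rule allows
    hosts: frozenset = frozenset()         # target hosts ("*" means any host)
    services: frozenset = frozenset()      # PAM services ("*" means any service)
    source_hosts: frozenset = frozenset()  # optional source-host constraint; empty means any


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_groups: frozenset
    host: str
    service: str
    source_host: str = ""


def rule_matches(rule: HbacRule, req: AccessRequest) -> bool:
    """A rule matches only if every one of its constraints is satisfied."""
    user_ok = req.user in rule.users or bool(rule.groups & req.user_groups)
    host_ok = "*" in rule.hosts or req.host in rule.hosts
    service_ok = "*" in rule.services or req.service in rule.services
    source_ok = not rule.source_hosts or req.source_host in rule.source_hosts
    return user_ok and host_ok and service_ok and source_ok


def hbac_evaluate(rules, req: AccessRequest):
    """Return the name of the first rule allowing the request, or None.

    There are no deny rules: with no matching rule the answer is "deny",
    which is the default-deny behaviour the slide describes.
    """
    for rule in rules:
        if rule_matches(rule, req):
            return rule.name
    return None


# Constructed sample policy; host, group and user names are made up for this example.
SAMPLE_RULES = (
    HbacRule("admins_everywhere", groups=frozenset({"admins"}),
             hosts=frozenset({"*"}), services=frozenset({"*"})),
    HbacRule("devs_ssh_web", groups=frozenset({"developers"}),
             hosts=frozenset({"web01.example.test"}), services=frozenset({"sshd"})),
    HbacRule("ops_ssh_db_from_bastion", users=frozenset({"carol"}),
             hosts=frozenset({"db01.example.test"}), services=frozenset({"sshd"}),
             source_hosts=frozenset({"bastion.example.test"})),
)


def decide(user, groups, host, service, source_host=""):
    """Evaluate one access request against the sample policy."""
    req = AccessRequest(user, frozenset(groups), host, service, source_host)
    return hbac_evaluate(SAMPLE_RULES, req)


if __name__ == "__main__":
    print(decide("alice", ["admins"], "db01.example.test", "sudo"))        # admins_everywhere
    print(decide("bob", ["developers"], "web01.example.test", "sshd"))      # devs_ssh_web
    print(decide("bob", ["developers"], "db01.example.test", "sshd"))       # None: denied
    print(decide("carol", ["ops"], "db01.example.test", "sshd", "laptop.example.test"))  # None: wrong source host
```

The point worth noticing is the last case: a rule with a source-host constraint grants nothing when the request comes from elsewhere, and since no other rule mentions the user, the request falls through to the default deny rather than to some permissive fallback.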

FreeIPA v2.2
FreeIPA v2.2 is the current stable version:
- SELinux user maps deployment, SSH known hosts management with SSSD 1.8.0
- Available in Fedora 17 beta 1
- Will be available in Enterprise Linux 6.3
Allows deploying a full GNU/Linux-based solution with centrally manageable servers and clients:
- Multi-master replication
- Client systems supported with SSSD and with LDAP/Kerberos-compatible solutions such as nss_ldap and pam_ldap
- Active Directory two-way synchronization for side-by-side deployments

Active Directory integration
The Winsync plugin for Active Directory triggers synchronization of users and groups:
- Configured as an IPA replica of a special type
- Two-way: a change in AD brings the change into IPA, and vice versa
- Only users are synced back, not groups
- Incomplete management of password change enforcement
A better integration solution is required!

1. FreeIPA: Cross Forest Trusts

Kerberos cross-forest trusts
- A FreeIPA deployment is a fully managed Kerberos realm
- It can be integrated with Windows as an RFC 4120-compliant Kerberos realm
- Traditional Kerberos trust management applies:
  - on the GNU/Linux side, ~/.k5login has to be defined so that foreign principals can impersonate local users
  - on the Active Directory side, identity mapping is performed manually with special tools in a similar way
- This does not scale well for thousands of users and hosts:
  - a foreign-realm principal impersonates a user of our realm
  - it requires additional management of the special users to impersonate, doubling the management effort
  - the mapping has to happen on every single machine. Manually?

Kerberos cross-forest trusts
Active Directory native cross-forest trusts:
- Require two Active Directory domains
- An AD domain establishes a trust with another AD domain via LSA RPC
- AD uses LSA RPC to map incoming principals to SIDs
- Technically: KDC + CLDAP + LSA RPC
- FreeIPA provides the KDC and LDAP; Samba 3 provides LSA RPC
Stage 1: we are interested in allowing AD users to connect to FreeIPA services, e.g. PuTTY on a Windows machine connecting to a FreeIPA SSH service

Kerberos cross-forest trusts
What was missing?
- A Samba passdb backend for FreeIPA supporting trust storage and retrieval
- A CLDAP plugin for FreeIPA to respond to AD discovery queries
- A FreeIPA KDC backend to generate the MS PAC
- Configuration tools to set up trusts

FreeIPA v3 architecture
A full overview is available at http://freeipa.org/page/ipav3_architecture

Kerberos cross-forest trusts
FreeIPA passdb backend:
- Expansion of the traditional LDAP passdb backend
- New schema objects and attributes to support trusted domain information
- Support for UID/GID ranges for multi-master replicas
- Kerberos principal creation for foreign domain accounts
FreeIPA KDC backend:
- Generates MS PAC information from LDAP data and adds it to the ticket
- Accepts principals and tickets from a trusted cross-forest realm
- Verifies and signs the MS PAC coming from a trusted cross-forest realm

Kerberos cross-forest trusts
FreeIPA configuration tools:
- FreeIPA has command line (CLI) and web user interfaces
- ipa trust-ad-add creates a new cross-forest trust
- The CLI operates with Kerberos authentication
- The request is sent to the FreeIPA server via XML-RPC over HTTPS with Kerberos auth
- FreeIPA uses the S4U2Proxy Kerberos feature to allow constrained delegation
- Samba 4 Python bindings are used to establish the trust
- The code runs under a non-privileged account (apache)
- It uses the Kerberos ticket obtained via XML-RPC with the help of mod_auth_kerb
- It issues Kerberos-authenticated LSA RPC requests to a local smbd
- It uses AD credentials or a shared secret passed in the XML-RPC request to talk to the AD DC

Using FreeIPA services with AD credentials
Use of a FreeIPA client system with AD cross-forest credentials:
- The client system is provisioned with ipa-client-install
- SSSD is configured during provisioning to talk to FreeIPA LDAP
- krb5.conf is configured to map cross-forest trusted realm principals to user names 1:1 without removing the realm, e.g. Administrator@ad.local becomes the user Administrator@ad.local
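The 1:1 mapping "without removing the realm" is what MIT Kerberos auth_to_local rules in krb5.conf do. The following is an added example for this transcription, a simplified re-implementation of rule evaluation in Python, not MIT krb5, FreeIPA or SSSD code. The realm names IPA.LOCAL and AD.LOCAL and the exact rule text are assumptions made for the illustration; they follow the RULE:[n:string](regexp)s/pattern/replacement/ shape MIT documents, which is also the shape of the rule ipa-client-install writes for a trusted realm.

```python
import re
from typing import Optional, Sequence

# Added example: a simplified model of MIT Kerberos auth_to_local evaluation.
# Not MIT krb5/FreeIPA/SSSD code. Realm names and rule text are assumptions.
LOCAL_REALM = "IPA.LOCAL"
AUTH_TO_LOCAL_RULES = (
    # Keep cross-forest principals as "name@ad.local" instead of stripping the realm,
    # so the AD "Administrator" never lands on a local account named Administrator.
    r"RULE:[1:$1@$0](^.*@AD\.LOCAL$)s/@AD\.LOCAL/@ad.local/",
    # DEFAULT: single-component principals of the local realm map to their name.
    "DEFAULT",
)

# RULE:[n:format](regexp)s/pattern/replacement/[g]...   (regexp may contain groups;
# a ')' inside the substitution part is not supported by this simplified parser)
_RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)((?:s/.*)?)")
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def _expand_format(fmt: str, realm: str, components: Sequence[str]) -> str:
    # $0 is the realm, $1..$n the principal components; expand high indices first.
    out = fmt
    for i in range(len(components), 0, -1):
        out = out.replace(f"${i}", components[i - 1])
    return out.replace("$0", realm)


def _apply_rule(rule: str, realm: str, components: Sequence[str]) -> Optional[str]:
    m = _RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError(f"cannot parse auth_to_local rule: {rule!r}")
    ncomp, fmt, regexp, substs = m.groups()
    if int(ncomp) != len(components):
        return None  # the rule applies only to principals with exactly n components
    candidate = _expand_format(fmt, realm, components)
    if re.fullmatch(regexp, candidate) is None:
        return None  # the whole expanded string must match, as in MIT krb5
    if _SUBST_RE.sub("", substs) != "":
        raise ValueError(f"malformed substitution in rule: {rule!r}")
    for s in _SUBST_RE.finditer(substs):
        pattern, replacement, g = s.groups()
        candidate = re.sub(pattern, replacement, candidate, count=0 if g else 1)
    return candidate


def principal_to_local_user(principal: str,
                            rules: Sequence[str] = AUTH_TO_LOCAL_RULES,
                            local_realm: str = LOCAL_REALM) -> Optional[str]:
    """Map a Kerberos principal to a local user name; None means no mapping (login refused)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal must carry a realm")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm and len(components) == 1:
                return components[0]
            continue
        mapped = _apply_rule(rule, realm, components)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    for p in ("Administrator@AD.LOCAL", "admin@IPA.LOCAL",
              "Administrator@EVIL.LOCAL", "host/web.ipa.local@IPA.LOCAL"):
        print(p, "->", principal_to_local_user(p))
```

Two outcomes matter for the defender: the trusted realm's Administrator maps to "Administrator@ad.local", a name that cannot collide with any local account, and a principal from a realm no rule mentions (EVIL.LOCAL above) gets no mapping at all, so GSSAPI login for it fails closed instead of falling through to a same-named local user.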

Using FreeIPA services with AD credentials (diagram)

Using FreeIPA services with AD credentials
On the client, the following happens at SSH log-in:
- SSH checks whether the user exists on the system
- The SSSD NSS plugin handles the request and sees that the user is not local. It calls an additional FreeIPA extended-operation plugin for 389-ds that performs external domain user/group mapping using Winbind
- UID/GID are returned to SSH; GSSAPI is used to log in that now-local user
- Now the SSSD NSS plugin uses the MS PAC from the Kerberos ticket to fill in group information using FreeIPA LDAP

2. Samba

What did we do? What a wurst!
- Spoolss rewrite
- Spoolss daemon
- Endpoint mapper daemon
- Pimped RPC server
- Prefork library
- LSA service daemon

This is the wurst!

Spoolss Rewrite
- Use winreg to store spoolss values instead of several tdbs
- Improve internal/(external) RPC connection handling

Spoolss Daemon
- Named pipe proxy over a unix socket
- Doesn't scale, but works for testing

Named Pipe Proxy
- A special unix socket: smbd just accepts the named pipe connection and forwards it to the unix socket
- Authentication is done by the service handling the named pipe proxy

Endpoint Mapper Daemon
- A simple port mapper, needed for TCP/IP communication
- The first implementation only supported named pipes
- If you want to know more, look at my SambaXP talk from 2011

Pimped RPC Server
- Added TCP/IP support
- Added ncalrpc support over unix sockets
- ncalrpc special root mode for privileged operations

Preforked Library
Research: we wanted a preforked library with a mutex around accept(2)
- The mutex didn't work that well, so we race on accept(2) now
- Small daemon with a pretty small memory footprint
- We prefork 5 children by default
- Values are tunable via config options for each daemon

Preforked Spoolss Daemon (diagram)
Research: we wanted a preforked library with a mutex around accept()
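The "race on accept(2)" pattern described in the preforked library slides is easy to see in a few lines: a parent binds and listens once, forks the children, and every child blocks in accept() on the same inherited socket; the kernel hands each connection to exactly one of them, so no mutex is needed. The following is an added example written for this transcription, not Samba's prefork library; the unix socket name, the tiny request/reply protocol, and the child count used in the demo are this example's own assumptions.

```python
import os
import signal
import socket
import tempfile

# Added example of the "race on accept(2)" prefork pattern. Not Samba's prefork
# library; socket name, protocol and pool size are this example's assumptions.


def _child_loop(listener: socket.socket) -> None:
    # Every child blocks in accept() on the same inherited listening socket.
    # The kernel delivers each new connection to exactly one waiting child,
    # which is why no mutex around accept() is required.
    while True:
        conn, _ = listener.accept()
        with conn:
            request = conn.recv(1024)
            # Reply with our pid so the caller can see which child served it.
            conn.sendall(b"%d:%s" % (os.getpid(), request))


def start_prefork(path: str, nchildren: int = 5):
    """Bind a unix socket once, then fork nchildren workers that share it."""
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(16)
    pids = []
    for _ in range(nchildren):
        pid = os.fork()
        if pid == 0:
            try:
                _child_loop(listener)
            finally:
                os._exit(0)  # never fall back into the parent's code path
        pids.append(pid)
    return listener, pids


def stop_prefork(listener: socket.socket, pids) -> None:
    """Terminate the pool and reap the children."""
    for pid in pids:
        os.kill(pid, signal.SIGTERM)
    for pid in pids:
        os.waitpid(pid, 0)
    listener.close()


def run_demo(nchildren: int = 5, nrequests: int = 10):
    """Start a pool, send nrequests over the socket, return (child pids, serving pids)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")  # constructed socket name
        listener, pids = start_prefork(path, nchildren)
        served_by = []
        try:
            for i in range(nrequests):
                with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                    client.connect(path)
                    client.sendall(b"req%d" % i)
                    pid, _, echoed = client.recv(1024).partition(b":")
                    if echoed != b"req%d" % i:
                        raise RuntimeError("corrupted reply")
                    served_by.append(int(pid))
        finally:
            stop_prefork(listener, pids)
    return pids, served_by


if __name__ == "__main__":
    pids, served_by = run_demo(nchildren=5, nrequests=10)
    print("children:", pids)
    print("served by:", served_by)
```

Which child wins each race is up to the scheduler, so the order of serving pids varies from run to run; what stays fixed is that every request is answered by exactly one member of the pool, and the pool is bounded by the configured child count rather than growing per connection.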

LSA Service Daemon
- Preforked daemon
- Handles TCP/IP, named pipe and ncalrpc connections
- Provides LSA/SAMR/Netlogon services

EPMD and LSASD are all we need from Samba

DEMO

Questions & Answers
Slides: http://www.samba.org/~asn/