Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation
Agenda
- Overview
- Components
- Considerations
- Configurations
- Futures
- Summary
What is needed?
- Thorough understanding of the components and their interactions
- Awareness of technical and non-technical considerations
- Comparison of configurations and options
- Best practices and guidelines
- Assistance in making a selection
Windows Consumer Perception To the cloud...yay cloud
Windows Systems Reality Help!
Components - Overview
- Red Hat Enterprise Linux
- Windows Server 2008 R2
- Active Directory
- Kerberos
- LDAP
- SSSD
- Samba
- SMB/CIFS
- Winbind
- NSS
- DNS
- NTP
* Let's examine several core components closer *
Active Directory Domain Services (AD DS)
- Suite of directory services
- Customized versions of:
  - Kerberos
  - Domain Name System (DNS)
  - Lightweight Directory Access Protocol (LDAP)
- Object hierarchy: nodes, trees, forests, domains
- Renamed in Windows Server 2008 R2
* Included with Windows Server 2008 R2 (Server Role) *
Samba
- Open source suite of programs
- Provides file and print services
- Includes two daemons:
  - smbd (file and print services)
  - nmbd (NetBIOS name server)
- Samba v3.5 is the current version (RHEL 6)
* Behavior configured by /etc/samba/smb.conf *
SMB/CIFS
- Client-server communications protocols
- Server Message Block (SMB): developed by IBM
- Common Internet File System (CIFS): extended by Microsoft
- Both names are used interchangeably
- SMB: older; legacy servers (Windows 2000)
* Samba supports both protocols *
Winbind (1)
- Daemon included with the Samba suite
- Unified logon to Active Directory accounts
- Minimizes the need for separate accounts
- Primary functions:
  - Authentication of user credentials (Who)
  - ID tracking/name resolution via nsswitch (Where)
  - ID mapping of UID/GID <-> SID (What)
Winbind (2)
Winbind (3)
- ID mapping implemented through backends
- ~8 backends available
- ID mappings classified as:
  - Allocating (r/w, local)
  - Algorithmic (r/o, calculated, consistent)
  - Assigned (r/o, assigned in AD, consistent)
- Each has advantages and disadvantages
* See Reference Architecture for further details *
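To make the difference between the allocating and algorithmic classes concrete, here is an added example (not code from the presentation or from Samba) that implements the arithmetic idmap_rid(8) documents, ID = RID - BASE_RID + LOW_RANGE_ID, beside a first-come allocating table of the kind a local tdb backend keeps; the domain SIDs and the 10000-19999 range are constructed.

```python
import re

# Constructed smb.conf-style range for one domain (values are assumptions):
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range = 10000-19999
LOW_ID, HIGH_ID, BASE_RID = 10000, 19999, 0

def rid_from_sid(sid):
    """Split an account SID into its domain SID and RID (last sub-authority)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def sid_to_unix_id(sid, low_id=LOW_ID, high_id=HIGH_ID, base_rid=BASE_RID):
    """Algorithmic mapping as idmap_rid(8) documents it:
    ID = RID - BASE_RID + LOW_RANGE_ID.  Nothing is stored, so every host
    with the same range computes the same ID; IDs outside the range are
    refused rather than allocated."""
    _, rid = rid_from_sid(sid)
    unix_id = rid - base_rid + low_id
    if not low_id <= unix_id <= high_id:
        return None
    return unix_id

def unix_id_to_rid(unix_id, low_id=LOW_ID, high_id=HIGH_ID, base_rid=BASE_RID):
    """Reverse lookup (ID -> RID) is pure arithmetic as well."""
    if not low_id <= unix_id <= high_id:
        return None
    return unix_id - low_id + base_rid

def allocate_ids(sids_in_order_seen, low_id=LOW_ID):
    """Allocating backend (e.g. tdb): hand out the next free ID to each SID
    the first time this host sees it.  The table is local, so two hosts that
    meet the same accounts in a different order assign different IDs."""
    table, next_id = {}, low_id
    for sid in sids_in_order_seen:
        if sid not in table:
            table[sid] = next_id
            next_id += 1
    return table

if __name__ == "__main__":
    alice = "S-1-5-21-1111-2222-3333-1105"   # constructed SIDs
    bob = "S-1-5-21-1111-2222-3333-1106"
    print("rid backend:", sid_to_unix_id(alice), sid_to_unix_id(bob))
    print("tdb on host A:", allocate_ids([alice, bob]))
    print("tdb on host B:", allocate_ids([bob, alice]))
```

Run it and the rid backend gives the same UID on both hosts, while the allocating table gives alice 10000 on host A and 10001 on host B, which is why the deck marks only the algorithmic and assigned classes as consistent.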
SSSD (System Security Services Daemon)
- Makes RHEL systems members of a centralized IdM solution (Active Directory, IPA, LDAP, Kerberos)
- Access to different identity and authentication providers (e.g. native LDAP, LDAP with Kerberos)
- Extensible (new identity and authentication sources)
- Supports off-line caching (clients)
- Reduces load on identity servers
* Extensible, enhanced alternative to Winbind *
Kerberos
- Current version = V5
- Clients request a ticket from a trusted third party (KDC)
- Key Distribution Center (KDC) = AD server
- Behavior configured by /etc/krb5.conf
- Managed by PAM libraries: pam_winbind (Samba), pam_sss (SSSD), pam_krb5
- Integration best practice:
* Install krb5-workstation for testing/troubleshooting *
Non-technical Considerations
- Organizational Alignment
- Expertise Levels
- Scope/Complexity
- Prototype Project
- Deployment
Technical Considerations: File Sharing
- File sharing required?
  - Yes = Samba-based configuration
  - No = Samba or non-Samba OK
- Where are the file shares located?
  - Client side?
  - Server side?
* Red Hat Enterprise Linux supports both roles *
Technical Considerations: Login Access
- Red Hat Enterprise Linux login access required?
  - Command Line Interface (CLI)
  - Graphical Display Manager (GDM)
- Local vs. Active Directory accounts
  - Local accounts = more administration
  - Active Directory = centralized administration
* Active Directory accounts require AD integration *
Technical Considerations: AD ID Attributes
- RFC2307/bis
  - Extends UNIX ID attributes via LDAP
  - Provides more flexibility and control (home dir, shell)
- Enabling in Windows Server:
  - 2008 R2 => Identity Management for UNIX (IMU) role
  - 2008, 2003 R2 => Identity Management for UNIX (IMU) service
  - 2003 and earlier => Windows Services for UNIX (SFU) service
* Organizational policy may restrict use *
Technical Considerations: Enumeration
- Winbind listing of users and groups in the AD domain
- Default behavior during user login and authentication
- More users = longer login time
- Integration best practice:
* Disable in environments with 20,000+ users *

  /etc/samba/smb.conf
  [global]
  winbind enum users = no
  winbind enum groups = no
Technical Considerations: LDAP Referrals
- LDAP in Active Directory scales out over time
- Objects relocate across multiple domain controllers
- LDAP referral: the responding domain controller can't find the object
- Clients contact multiple controllers to complete the lookup
- Integration best practice:
* Disable for performance (if no partial replication) *

  /etc/sssd/sssd.conf
  ldap_disable_referrals = true
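An added example, not from the presentation, that checks an smb.conf and an sssd.conf for the enumeration and referral settings recommended on the two slides above; both sample files are constructed, and the domain names EXAMPLE and example.com are assumptions.

```python
import configparser

# Constructed sample files (not from the presentation): enumeration is still
# on in smb.conf, and sssd.conf still follows LDAP referrals.
SMB_CONF = """
[global]
workgroup = EXAMPLE
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-19999
template homedir = /home/%U
winbind enum users = yes
"""
SSSD_CONF = """
[sssd]
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
"""

def parse(text):
    # Only '=' may split key from value (idmap keys contain ':'); no '%'
    # interpolation because smb.conf uses %U, %D and friends.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp

def audit_smb(text):
    """Findings for the two enumeration options the deck says to set to no."""
    cp = parse(text)
    findings = []
    for key in ("winbind enum users", "winbind enum groups"):
        value = cp.get("global", key, fallback="").strip().lower()
        if value != "no":
            findings.append(f"smb.conf [global]: set '{key} = no' "
                            f"(currently {value or 'unset'})")
    return findings

def audit_sssd(text):
    """Findings for every [domain/...] that does not disable LDAP referrals."""
    cp = parse(text)
    findings = []
    for section in cp.sections():
        if section.startswith("domain/"):
            value = cp.get(section, "ldap_disable_referrals", fallback="")
            if value.strip().lower() != "true":
                findings.append(f"sssd.conf [{section}]: set 'ldap_disable_referrals = true'")
    return findings
```

Both functions return an empty list once the options are set as the slides recommend, so they can be run from a configuration-management check before a host joins the domain.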
Recommended Configurations - Overview

Configuration 1: Samba/Winbind (idmap_rid)
  Services provided: File sharing; Login access
  Features: Templated shell, home dirs; Least intrusive to AD (no user/group ID attribute changes); Algorithmic ID mappings
  Use case: Template-driven

Configuration 2: Samba/Winbind (idmap_ad)
  Services provided: File sharing; Login access
  Features: Customizable shell, home dirs; Centralized user mgmt; Assigned ID mappings; User/group ID attributes set in AD (requires IMU)
  Use case: Customizable

Configuration 3: SSSD/Kerberos/LDAP
  Services provided: Login access
  Features: Advanced authentication, caching; Reduces client loading on server; User/group ID attributes set in AD (requires IMU)
  Use case: Enhanced

Configuration 4: Kerberos/LDAP
  Services provided: Login access
  Features: No off-line caching of user credentials; User/group ID attributes set in AD (requires IMU)
  Use case: Legacy

* See Reference Architecture for details *
Configuration 1 (winbind idmap_rid) Template-driven
Configuration 1 (Authentication and ID Components )
Configuration 2 (winbind - idmap_ad) Customizable
Configuration 2 (Authentication and ID Components )
Configuration 3 (SSSD/Kerberos/LDAP) Enhanced
Configuration 3 (Authentication and ID Components )
Configuration 4 (Kerberos/LDAP) Legacy
Configuration 4 (Authentication and ID Components )
Futures
- Winbind idmap_autorid
  - New backend for Samba 3.6/RHEL 6.4
  - Automatically allocates domain ranges
- SSSD
  - Active Directory domain trust support (RHEL 6.4)
  - New AD integration capabilities: ID mapping, etc. (RHEL 6.4+)
  - Fully featured, enhanced alternative to Winbind
- Red Hat Enterprise Linux 7
  - Windows interoperability remains a high focus
Summary (1)
- At first glance, deceptively simple
- At second glance, appears overwhelming
- Many variables, components and interactions
- The Reference Architecture simplifies selection, deployment and integration: https://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory
- See the Customer Portal for additional materials: https://access.redhat.com/knowledge/
Summary (2)
- Select the best configuration for your environment and organizational goals
- Hybrid configurations are OK to consider
- Third-party products are viable alternatives
- Prototype and test in advance
- Most issues have simple causes
- Red Hat Enterprise Linux integrates well with Windows Active Directory