W2K Integration in the Kerberos5 based AFS cell le.infn.it. Enrico M. V. Fasanelli I.N.F.N. Sezione di Lecce Catania, 15 4 2002



Similar documents
Deploying BitDefender Client Security and BitDefender Windows Server Solutions

1. Installation Overview

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Installation Overview

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Recommended Practices for Deploying & Using Kerberos in Mixed Environments

Remote access. Contents

Site Report. Plus Book Information

Integrating UNIX and Linux with Active Directory. John H Terpstra

Kerberos authentication made easy on OpenVMS

Windows Clients and GoPrint Print Queues

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Integration with Active Directory. Jeremy Allison Samba Team

Outlook Connector Installation & Configuration groupwaresolution.net Hosted MS Exchange Alternative On Linux

Informatica Corporation Proactive Monitoring for PowerCenter Operations Version 3.0 Release Notes May 2014

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

MAPI Connector Overview

Parallels Plesk Panel

Red Hat Enterprise ipa

Persona Backup and OS Migration for insync Private Cloud 5.5. June 16, 15

MIGRATING TO AVALANCHE 5.0 WITH MS SQL SERVER

Security Provider Integration Kerberos Authentication

Session 17 Windows 7 Professional DNS & Active Directory(Part 2)

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

Moving to Plesk Automation 11.5

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

Remote Support Jumpoint Guide: Unattended Access to Computers in a Network 3. Requirements and Considerations to Install a Jumpoint 4.

Windows Authentication on Microsoft SQL Server

Windows Active Directory. DNS, Kerberos and LDAP T h u r s d a y, J a n u a r y 2 7, 2011 INLS 576 Spring 2011

Mac OS X Directory Services

How To - Implement Single Sign On Authentication with Active Directory

Deployment of Keepit for Windows

Persona Backup & OS Migration

VPN Network Access. Principles and Restrictions

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

How to Use the Yellow Machine Appliance in a Windows 2000/2003 Server Environment

Instructions: Configuring Outlook 2003 with Exchange 2010 on the FIUMail

TopEase Single Sign On Windows AD

WHMCS LUXCLOUD MODULE

Cross-Realm Trust Interoperability, MIT Kerberos and AD

Mod 2: User Management

LinuxCon North America

Eduroam wireless network - Windows 7

SUSE Manager 1.2.x ADS Authentication

Windows 2000 Planning at the University of Michigan

Install and Configure Oracle Outlook Connector

Stealing credentials for impersonation

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

An Open Source Wide-Area Distributed File System. Jeffrey Eric Altman jaltman *at* secure-endpoints *dot* com

The question becomes, How does the competent Windows IT professional open up their print server to their Mac clients?

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

Configuration Manual for Lime Domains

A Transend Corporation White Paper Preparing Microsoft Exchange Server for Migration

SWsoft, Inc. Plesk File Server. Administrator's Guide. Plesk 7.5 Reloaded

Implementing Active Directory Hurdles, Obstacles, and the Finish Line. Jim McDonough Samba Team IBM Linux Technology Center April 6, 2004

Please note that all activities on IADT s Wireless Network are subject to IADT s ICT A/AUP and

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

Content Server Installation Guide

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Other documents in this series are available at: servernotes.wazmac.com

Integrating OID with Active Directory and WNA

OpenAFS for Windows Release Notes

Implementing a Kerberos Single Sign-on Infrastructure

CONFIGURING ACTIVE DIRECTORY IN LIFELINE

IGEL Linux and Microsoft Remote Desktop Connection Broker 2012 R2

TestElite - Troubleshooting

Windows Security and Directory Services for UNIX using Centrify DirectControl

Monitoring Windows Servers and Applications with GroundWork Monitor Enterprise 6.7. Product Application Guide October 8, 2012

Defender EAP Agent Installation and Configuration Guide

EJBCA with GemSAFE Toolbox Part2 Sign. and Encrypt

This Deployment Guide is intended for administrators in charge of planning, implementing and

Authentication in a Heterogeneous Environment

Full disk encryption with Sophos Safeguard Enterprise With Two-Factor authentication of Users Using SecurAccess by SecurEnvoy

How to Configure Outlook Client for Exchange

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010

Enterprise Security: Building On All Your Assets

Open Source Terminal Server Architecture for Enterprise Environment

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

GL550 - Enterprise Linux Security Administration

User Guide. Version 3.2. Copyright Snow Software AB. All rights reserved.

Centralized Oracle Database Authentication and Authorization in a Directory

Migrating your custom settings to version 7.6

Integrated Approach to User Account Management

Samba in the Enterprise : Samba 3.0 and beyond

Operating System Security

Chapter 1 Scenario 1: Acme Corporation

ENTERPRISE LINUX SECURITY ADMINISTRATION

HOBCOM and HOBLink J-Term

Oracle EXAM - 1Z Oracle Weblogic Server 11g: System Administration I. Buy Full Product.

TIBCO Spotfire Platform IT Brief

SOA Software API Gateway Appliance 7.1.x Administration Guide

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

Device Log Export ENGLISH

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES

ManageEngine ADSelfService Plus. Evaluator s Guide

ecopy ShareScan v4.3 Pre-Installation Checklist

User Guide Microsoft Exchange Remote Test Instructions

Table of Contents Introduction and System Requirements 9 Installing VMware Server 35

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

Transcription:

W2K Integration in the Kerberos5 based AFS cell le.infn.it Enrico M. V. Fasanelli Catania, 15 4 2002

Outline A bit of history The integration idea Summary of results from various tests The solution adopted Future work 2

The framework Completely separate UNIX & Windows worlds le.infn.it Transarc AFS cell Mainly UNIX clients AIX, HP UX, DUX, Linux Some WNT4 workstation clients in workgroup CASPUR version of MS GINA for AFS authentication Login with AFS username mapped to Guest Windows account INFN NICE WNT4 environment Limited to administrative and CADM users No password synchronization Common services (Web, mail) belongs to unix world Need of a AFS account Some operations (change of password) can be done only in a UNIX machine 3

The goal Single account database for UNIX & Windows Mail (IMAP4, POP) Single shared file system Web personal home pages Password synchronization Windows users can forget the existence of unix 4

Constraints for the new solution From the UNIX point of view Must save existing AFS infrastructure Must be available on all platform in use Better if free/opensource From Windows side Must works with Windows 2000 Don t care about W9x & WNT4 Don t write ad hoc code 5

Kerberos! Seems to be the only common infrastructure Windows authentication in 6

W2K Kerberos PROS Native authentication for the Windows world Can authenticate a properly configured Unix Kerberos5 client CONS No way to get AFS tokens 7

MIT Kerberos 5 PROS Is known to works with Windows 2000 There is a Microsoft step by step guide to do this [1] Can provide AFS tokens (via external fakeka [2] utility) CONS Windows AFS clients think to be in the year 1601 if the tokens lifetime is greater than 12 hours Old Unix AFS clients (afs3.4 build 5.28) do not authenticate 8

KTH Heimdal PROS Native and well behaved AFS support Authenticate Windows login CONS Authenticated users cannot access the shared resources in the W2K domain Windows AFS clients work in a strange way Get the tokens, but Windows say that AFS service cold not be started!!! 9

Null intersection Windows 2000 AD need Windows Kerberos5 Windows 2000 works ONLY with MIT Kerberos5 based realm The AFS client in a W2K machine works ONLY with HEIMDAL Kerberos5 Unix AFS clients works with both MIT and HEIMDAL The inter cell communication is done in native way in HEIMDAL and instead needs the external fakeka in MIT 10

Union: Windows + MIT + HEIMDAL AD Windows 2000 domain w2k.le.infn.it We need a domain name (realm) different from the one hosting AFS cell in order to make the trust relationship Kerberos5 realm LE.INFN.IT served by an MIT KDC AFS cell is le.infn.it Define a trust relationship between them On Windows side (W2K.LE.INFN.IT KRB5 realm) Ksetup Active Directory Domains and Trusts On LE.INFN.IT KDC Kadmin for adding principals krbtgt/w2k.le.infn.it@le.infn.it and krbtgt/le.infn.it@w2k.le.infn.it 11

From AFS KAserver to MIT KDC I Configured the LE.INFN.IT Kerberos5 realm based to the MIT master KDC We use MIT Kerberos 5 version 1.2.2 on a Linux RH 7.2 Populated the KDC principal database with AFS database entries using afs2k5db, a tool from Ken Hornstein s migration kit [2] Configured the AFS db servers in order to run HEIMDAL in slave mode This is done inside BOS configuration 12

From AFS KAserver to MIT KDC II Configured the master LE.INFN.IT KDC in order to propagate any database change to the slaves ones (HEIMDAL based) Modify database related commands (klog, kpasswd, ecc.) in all unix AFS clients with the corresponding kerberized ones 13

A simple picture 14

Windows configuration Windows 2000/XP professional belongs to w2k.le.infn.it AD domain Ksetup at installation time advertise the LE.INFN.IT kerberos realm Users login in the LE.INFN.IT realm with their AFS username/password The windows authentication is done via the trust relationship of two realms The AFS client get the token at login time Startup script maps AFS home to assigned network drive 15

Windows user administration Mapping between AFS user and the Windows one allow AD resources usage By default users have a pre assigned (unknown to the user) password in the AD domain and then their can login only in the LE.INFN.IT realm Ctrl+Alt+Del sequence permit to change the Kerberos password 16

A more complicated view 17

w2k.le.infn.it domain Windows AD domain is used to Share resources (printers) Deploying anti virus Is not used for login Users login in the LE.INFN.IT Kerberos realm Users don t know their AD domain password Problems with laptop disconnected from the network Workaround: enable domain login 18

Opened issues Laptops Disconnected login OpenAFS client on Windows XP 19

References/Useful links [1] Microsoft step by step guide to kerberos 5 http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp [2] Ken Hornstein migration kit ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/afs krb5 1.3.tar.gz [3] KTH HEIMDAL ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal 0.4b.tar.gz [4] KTH Kerberos 4 ftp://ftp.pdc.kth.se/pub/krb/src/krb4 1.0.9.tar.gz [5] MIT Kerberos 5 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information