The System Security Services Daemon (SSSD), SLES12 and Active Directory

Similar documents
Implementing Linux Authentication and Authorisation Using SSSD

Advancements in Linux Authentication and Authorisation using SSSD

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

Integrating Linux systems with Active Directory

Identity Management based on FreeIPA

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

SSSD Active Directory Improvements

Identity Management: The authentic & authoritative guide for the modern enterprise

System Security Services Daemon

Red Hat Identity Management

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

Building Open Source Identity Management with FreeIPA. Martin Kosek

RHEL Clients to AD Integrating RHEL clients to Active Directory

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Integrating UNIX and Linux with Active Directory. John H Terpstra

Hadoop Elephant in Active Directory Forest. Marek Gawiński, Arkadiusz Osiński Allegro Group

Security with LDAP. Andrew Findlay. February Skills 1st Ltd

Integration with Active Directory. Jeremy Allison Samba Team

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

FreeIPA - Open Source Identity Management in Linux

CAC AND KERBEROS FROM VISION TO REALITY

Univention Corporate Server. Extended domain services documentation

FreeIPA 3.3 Trust features

Managing Identity & Access in On-premise and Cloud Environments. Ellen Newlands Identity Management Product Manager Red Hat, Inc

LDAP-UX Client Services B with Microsoft Windows Active Directory Administrator's Guide

Integrating Lustre with User Security Administration. LAD 15 // Chris Gouge // 2015 Sep

LinuxCon North America

AD Integration options for Linux Systems

Red Hat Enterprise ipa

VINTELA AUTHENTICATION SERVICES

External and Federated Identities on the Web

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

FreeIPA Cross Forest Trusts

Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000 White Paper

Authentication in a Heterogeneous Environment

Windows Security and Directory Services for UNIX using Centrify DirectControl

Active Directory and Linux Identity Management

How to Use Microsoft Active Directory as an LDAP Source with the Oracle ZFS Storage Appliance

ONEFS MULTIPROTOCOL SECURITY UNTANGLED

SUSE Manager 1.2.x ADS Authentication

Unified Authentication, Authorization and User Administration An Open Source Approach. Ted C. Cheng, Howard Chu, Matthew Hardin

Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure

Creating an LDAP Directory

DB2 - LDAP. To start with configuration of transparent LDAP, you need to configure the LDAP server.

Fedora 17 FreeIPA: Identity/ Policy Management

Integrating Red Hat Enterprise Linux 6 with Active Directory. Mark Heslin Principal Software Engineer

Integrated Approach to User Account Management

ENTERPRISE LINUX NETWORKING SERVICES

FreeIPA Client and Server

Mac OS X Directory Services

IPA Identity, Policy, Audit Karl Wirth, Red Hat Kevin Unthank, Red Hat

User Management / Directory Services using LDAP

Avaya CM Login with Windows Active Directory Services

Fedora 18 FreeIPA: Identity/ Policy Management

MS 50292: Administering and Maintaining Windows 7

ENTERPRISE LINUX SECURITY ADMINISTRATION

Centrify Server Suite 2014

RedHat (RHEL) System Administration Course Summary

External Identity and Authentication Providers For Apache HTTP Server

Exam : Administrating Windows Server 2012 R2. Course Overview

Centrify-Enabled Samba

Introducing FedFS On Linux Chuck Lever Oracle Corporation

PowerBroker Identity Services. Administration Guide

Bring Linux into Microsoft s ADS

Kangaroot SUSE TechUpdate Interoperability SUSE Linux Enterprise and Windows

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

IDENTITIES, ACCESS TOKENS, AND THE ISILON ONEFS USER MAPPING SERVICE

Using Kerberos to Authenticate a Solaris TM 10 OS LDAP Client With Microsoft Active Directory

ENTERPRISE LINUX NETWORKING SERVICES

SSSD and OpenSSH Integration

Vintela Authentication from SCO Release 2.2. System Administration Guide

How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris

GL275 - ENTERPRISE LINUX NETWORKING SERVICES

Enabling Active Directory Authentication with ESX Server 1

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

Configuring User Identification via Active Directory

Chapter 3 Authenticating Users

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

Lecture No 01 Novell Products Open Enterprise Server 2 Preview By Haim Malool. Main features Preview

Designing a Windows Server 2008 Applications Infrastructure

Samba. Samba. Samba 2.2.x. Limitations of Samba 2.2.x 1. Interoperating with Windows. Implements Microsoft s SMB protocol

Centralized Identity and Access Management of Cross-Platform Systems and Applications with Active Directory and the Centrify Suite

GL550 - Enterprise Linux Security Administration

How To Use Directcontrol With Netapp Filers And Directcontrol Together

Centralized Management for UNIX, Linux, Mac and Java with Active Directory and DirectControl

Using LDAP Authentication in a PowerCenter Domain

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Websense Support Webinar: Questions and Answers

GL-275: Red Hat Linux Network Services. Course Outline. Course Length: 5 days

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

Introduction to Highly Available NFS Server on scale out storage systems based on GlusterFS

Designing a Windows Server 2008 Applications Infrastructure

What s New in Centrify Server Suite 2014

Likewise Security Benefits

Configuring and Using the TMM with LDAP / Active Directory

User-ID Best Practices

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

CA Performance Center

COURSE OUTLINE MOC 20413: DESIGNING AND IMPLEMENTING A SERVER INFRASTRUCTURE

Global Filesystems in the Real World: Comparing Experiences with AFS and NFS. Phillip Moore

Transcription:

The System Security Services Daemon (SSSD), SLES12 and Active Directory Lawrence Kearney System Administrator Principal The University of Georgia lkearney@uga.edu

SSSD 101 2

First, Seek to Understand Features and Architecture of the SSSD: The needs the SSSD is addressing The advantages of the SSSD Speaking SSSD 3

The Needs Addressed by the SSSD Legacy PAM and NSS Framework Caveats Complex configurations that do not scale easily Linux servers dedicated authentication to one remote back end Relatively poor Active Directory integration No real offline authentication capability 4

The Needs Addressed by the SSSD Modern Linux Infrastructure Needs Specialised directory stores are proliferating Linux platforms limited as viable federation candidates Better Active Directory integration is more mission critical Reduced configuration and operational complexity 5

The Advantages of using the SSSD Authentication service enhancements Greater extensibility Multiple concurrently available identity stores Active Directory integration approaching domain member servers ID collision management features SSL/TLS or SASL/GSSAPI is required Single configuration file Reduced server loads Offline authentication 6

Speaking SSSD Daemon concepts and components SSSD concepts The Monitor Parent process for all SSSD processes Providers Modules with specific auth back end awareness Responders Interact with Linux and implement features SSSD components SSSD Provider ---> SSSD Responder ---> SSSD Monitor libsss_ldap.so ---> sssd_nss ---> sssd /etc/sssd/sssd.conf Monitor, provider and responder configuration 7

Speaking SSSD The SSSD Providers Local Accounts are kept in a local database LDAP Relies on installed extensions of target directory Kerberos Relies on installed extensions of target directory AD Supports many native Active Directory features IPA Supports trusts with Active Directory domains IdM Integrates tightly with Active Directory domains Proxy Permits integration of other provider modules autofs Supports integration using LDAP sudo Supports integration using LDAP 8

Speaking SSSD What are IPA and IdM Back Ends? Free IPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. Version 3 began focus is on Active Directory integration IdM is a way to create identity stores, centralized authentication, domain control for Kerberos and DNS services, and authorization policies on Linux systems, using native Linux tools. Integration focus heavily favours Active Directory. 9

Speaking SSSD The SSSD Responders [nss] User and group name resolution (configurable) [pam] User and group authentication control (configurable) [autofs] Automounter control (configurable) [sudo] Sudo rule control (configurable) [ssh] openssh public key control (configurable) [sssd_be] SSSD back end control (non-configurable) 10

The SSSD Configuration File SSSD Authentication Domain = Identity Provider + Authentication provider [sssd] Global/Monitor configuration directives services = Responders to start and monitor domains = (authentication domains and search order) [nss], [pam], [sudo] Responder configuration directives reconnection_retries = filter_users = [domain/name] SSSD authentication domain configuration directives id_provider = auth_provider = 11

The SSSD Processes SSSD uses a parent/child process monitoring model [sssd] Parent process, Monitor [nss] Child process, Responder [domain/ad.domain] Child process, Provider(s) 12

The SSSD Processes ~# ps -eaf grep sssd root 1476 1 0 /usr/sbin/sssd root 1478 1476 0 /usr/libexec/sssd/sssd_nss root 41279 1476 0 /usr/libexec/sssd/sssd_be --domain ad.dom.com pstree -A -p 1476 sssd (1476) - + - sssd_be (41279) - sssd_nss (1478) 13

The Complete Picture 14

Before You Deploy 15

First, Seek to Understand Decisions, requirements and advice: POSIX attributes LDAP Providers LDAP and Kerberos Providers Active Directory Providers Other back end clients 16

POSIX Attribute Standards Active Directory schema vs. LDAP schemas Active Directory MsSFU30UidNumber mssfu30gidnumber MsSFU30Gecos MsSFU30HomeDirectory MsSFU30LoginShell LDAP RFC uidnumber gidnumber gecos unixhomedirectory loginshell 17

POSIX Attribute Planning Planning and design requirements before deploying POSIX attributes Where they come from is important Changes can impact access 18

POSIX Attribute Planning Two methods can provide Linux POSIX attributes: Dynamically mapping user and group attributes using the SSSD Storing user and group attributes in the directory Only one method can be implemented per SSSD domain Migrating systems using PAM_LDAP is not complex Migrating using existing LDAP back ends is not complex Migrating domains between methods can be complex 19

POSIX Attribute Planning Storing and managing POSIX attributes in the directory: Identity Management for UNIX role can still be used Other identity management tools or systems can be used Provisioning, planning and design tasks Greater control over user primary group assignments Greater control over other user and group Linux attributes Less possibility of UID and GID collisions 20

POSIX Attribute Planning Dynamically mapping user/group attributes using the SSSD: Simple to deploy using the SSSD software stack Fewer Linux specific provisioning tasks Uniquely generated user and group UIDs and GIDs Less possibility of UID and GID collisions Less control for user primary group assignment Less control over other user and group Linux attributes Some Active Directory attributes applied by local system defaults 21

User Home Directory Planning Home directories are POSIX attributes with file system bits Use cases to consider: Do users have home directories on remote servers that will be mounted? Should home directories be created on user login? Should user home directories for be redirected, or reference another path for SSSD authentication domains? 22

The SSSD LDAP Providers Use cases: Maximum compatability with multiple back ends Can utilise SSL and TLS security Does not require Domain membership 23

The SSSD LDAP and Kerberos Providers Use cases: Reasonable compatability with Active Directory, IPA and IdM back ends Can utilise SSL, TLS and SASL\GSSAPI security Requires Domain membership 24

The SSSD Active Directory Providers Use cases: Member server compatability with Active Directory, IPA and IdM back ends Requires SASL\GSSAPI security Requires Domain membership 25

The openldap, Kerberos and Samba Clients Why install and configure these clients: Perform initial Active Directory domain integration tasks the SSSD Kerberos provider cannot Provide out of band tools for troubleshooting Active Directory connectivity and protocols (SSL, TLS and SASLGSSAPI) Provide CLI tools for manual and scripted server deployments for joined servers Provide CLI tools for Kerberos keytab file updates Require minimal configuration to obtain maximum benefits 26

Deployment 27

Deployment Decisions made: Direct or indirect integration with Active Directory Mapped vs. non-mapped ID models Home directory model to use SSSD providers to use 28

Deployment Procedures: Install SSSD software De-configure PAM LDAP and Kerberos configurations (migration) Disable name service caching daemon (migration) Configure SSSD software 29

Deployment Examples (LDAP Providers) [domain/ldap1] id_provider = ldap auth_provider = ldap enumerate = false cache_credentials = true ldap_schema = ad Most of the file is omitted for brevity, remainder of file shown in session 30

Deployment Examples (LDAP-Kerberos Providers) [domain/dvc.darkvixen.com] id_provider = ldap auth_provider = krb5 enumerate = false cache_credentials = true ldap_schema = ad Most of the file is omitted for brevity, remainder of file shown in session 31

Deployment Examples (Active Directory Providers) [domain/dvc.darkvixen.com] id_provider = ad auth_provider = ad enumerate = false cache_credentials = true ad_server = _srv_,darkvixen160win.dvc.darkvixen.com Some of the file is omitted for brevity, remainder of file shown in session 32

Questions Contact, info and additional training Lawrence Kearney: email: lawrence.kearney@earthlink.net Presentations and articles: www.lawrencekearney.com Tutorial videos: Doing stuff with the SSSD SUSECON: Implementing the SSSD using SLES12 and Active Directory - HO85752 SUSE Training: Administering SSSD on SUSE Linux Enterprise Server 12 - SLE342 33

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information