Bring Linux into Microsoft s ADS



Similar documents
Samba and LDAP in 30 Minutes

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

(june > this is version 3.025a)

Active Directory and Linux Identity Management

Integrating UNIX and Linux with Active Directory. John H Terpstra

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

Attunity RepliWeb PAM Configuration Guide

Configure Samba with ACL and Active Directory integration Robert LeBlanc BioAg Computer Support, Brigham Young University

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

SSSD Active Directory Improvements

Migration of Windows Intranet domain to Linux Domain Moving Linux to a Wider World

Integration with Active Directory. Jeremy Allison Samba Team

Identity Management based on FreeIPA

Security with LDAP. Andrew Findlay. February Skills 1st Ltd

Windows Security and Directory Services for UNIX using Centrify DirectControl

Using Single Sign-on with Samba. Appendices. Glossary. Using Single Sign-on with Samba. SonicOS Enhanced

Active Directory Integration

Unifying Authorization Models

SAMBA VI: As a Domain Controller

RHEL Clients to AD Integrating RHEL clients to Active Directory

Installing Squid with Active Directory Authentication

Authentication in a Heterogeneous Environment

System Security Services Daemon

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Windows Enterprise OU Administrator Tips. Integrating RHEL5 Systems with Active Directory

# Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server ; wins support = no

How To Use Directcontrol With Netapp Filers And Directcontrol Together

Samba in the Enterprise : Samba 3.0 and beyond

LDAP connectivity to the REDDOXX-Appliance

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

VINTELA AUTHENTICATION SERVICES

Centrify-Enabled Samba

Linux Windows Inter-operablity

Red Hat Enterprise ipa

Building Open Source Identity Management with FreeIPA. Martin Kosek

Using Active Directory as your Solaris Authentication Source

Installation and Configuration Guide. Version

Samba's AD DC: Samba 4.2 and Beyond. Presented by Andrew Bartlett of Catalyst //

Setting up a DNS MX Record for mail.corp.com p. 327 Installing Fedora on the Front-End Mail Server with the Postfix and SpamAssassin Packages

LinuxCon North America

Integrating Red Hat Enterprise Linux 6 with Active Directory. Mark Heslin Principal Software Engineer

Connect to UW UWWI Active Directory

FreeIPA v3: Trust Basic trust setup

SUSE Manager 1.2.x ADS Authentication

IPBrick - Member of AD domain IPBrick iportalmais

Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000 White Paper

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Mac OS X Directory Services

How To Manage A Network On A Linux Computer (Vnx) On A Windows 7 Computer (Windows) On An Ipod Or Ipod (Windows 7) On Your Ipod Computer (For Windows) On The Network (For Linux)

Implementing Linux Authentication and Authorisation Using SSSD

IPA Identity, Policy, Audit Karl Wirth, Red Hat Kevin Unthank, Red Hat

LDAP-UX Client Services B with Microsoft Windows Active Directory Administrator's Guide

FreeIPA 3.3 Trust features

The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

Advancements in Linux Authentication and Authorisation using SSSD

<Samba status report>

Clustered CIFS For Everybody Clustering Samba With CTDB. LinuxTag 2009

Samba 4 AD + Fileserver

ACE Names and UID/GID/SIDs

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

Windows Active Directory. DNS, Kerberos and LDAP T h u r s d a y, J a n u a r y 2 7, 2011 INLS 576 Spring 2011

Kangaroot SUSE TechUpdate Interoperability SUSE Linux Enterprise and Windows

Integrating Lustre with User Security Administration. LAD 15 // Chris Gouge // 2015 Sep

Using Active Directory to Authenticate Linux Users. Using Standard Protocols and Open Source Products

SerNet. Samba Status Update. Linuxkongress Hamburg October 10, Volker Lendecke SerNet Samba Team. Network Service in a Service Network

SUSE Linux Enterprise Server in an Active Directory Domain

Linux Virtual Desktop. Installation Guide for Red Hat Enterprise Linux. Version 1.0

Linuxdays 2005, Samba Tutorial

Linux/Unix Active Directory Authentication Integration Using Samba Winbind

Configuring User Identification via Active Directory

How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

How To Configure Vnx (Vnx) On A Windows-Only Computer (Windows) With A Windows 2.5 (Windows 2.2) (Windows 3.5) (Vnet) (Win

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

FreeIPA - Open Source Identity Management in Linux

Linux on Soho-Router

Oracle Net Service Name Resolution

CONFIGURING ACTIVE DIRECTORY IN LIFELINE

Integrating Linux systems with Active Directory

Chapter 3 Authenticating Users

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

NT4 PDC Migration to Samba 3

Vintela Authentication from SCO Release 2.2. System Administration Guide

Integrating Ubuntu 8.04 LTS into Microsoft Active Directory using Likewise Open

identity management in Linux and UNIX environments

Guide to SASL, GSSAPI & Kerberos v.6.0

Active Directory Synchronization with Lotus ADSync

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

Linux Virtual Desktop

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

Clustered Data ONTAP 8.2

Vintela Authentication from SCO Release 2.2. Installation Guide

Network Startup Resource Center

IPBrick - Member of an AD domain IPBRICK SA

Cross-Realm Trust Interoperability, MIT Kerberos and AD

Transcription:

Bring Linux into Microsoft s ADS A lecture by Jens Kühnel Jens Kühnel Konsult und Training Bad Vilbel Germany

About the speaker Jens Kühnel computer freak since age 8 Linux user since 1995 freelancer since 1999 certified RedHat, SuSE and Microsoft trainer RHCE, 4/5 RHCA, RHCX, SCLT, MCSE, MCT book author: Samba 3.0 Wanderer zwischen den Welten

Overview Samba Security = server/domain Security = ADS add user script Kerberos (pure) Winbindd Winbindd with LDAP-IDMAP SFU

What is Active Directory Domain-Model of Microsoft since Windows 2000 Technical Parts: LDAP-Server with strange schema and Multi master replication Kerberos with MS-enhancements DDNS (with Kerberos)

Samba and NT-Domains security = server available since 1.x uses any server (with user-security) security = domain available since 1.x uses an NT4 domain Needs an machine account or admin password security = ads Available since 3.x Uses LDAP and Kerberos Needs an machine account or admin password

User-ID Problem Every Samba-User needs a Unix-User-ID User can be created by add user script User-IDs are created in passwd/shadow on every machine

Winbindd Winbindd creates a Unix user accounts on the fly Winbindd connects to Windows NT4 or ADS- Domain Winbindd is a nsswitch- and PAM-Module Winbindd is a service shipped with Samba

Configure Winbindd Use authconfig with RedHat manual Add winbind to /etc/nsswitch.conf and /etc/pam.d/system-auth Join Domain (net join -U Administrator) smb.conf Winbind seperator = + Idmap uid = 10000-20000 Idmap gid = 10000 20000 Template homedir = /home/%d/%u Template shell = /bin/bash Use wbinfo and getent to test

Advanced Winbindd Winbind cache time = 300 How long are the User-List cached on the client Winbind enum user/group = yes Should a list of all users be possible Can be used by large installations Problem with some programs Winbind Nested Group = no Windows allow groups in groups New feature, handle with care Winbind use default domain = no Users without domainname are handled like they are in the default domain.

User-ID Problem 2 When using NFSv3 or similar the Unix-User- IDs should be the same on all Systems (NFSv3,...) Networked Systems should use LDAP NIS Winbindd with IDMAP

Winbindd and IDMAP Winbindd can use a LDAP-Directory to Sync the User-IDs throughout the systems. Winbindd needs the Samba schema. smb.conf Idmap backend = ldap:ldap://ldap-server Idmap backend = idmap_rid:domainname:1000-100000

LDAP and NIS OpenLDAP or Redhat-/Fedora-Directory- Server Samba can use LDAP to store all information in one place NIS and LDAP without TLS, please without password

Kerberos Windows uses Kerberos Linux can use Kerberos Windows needs an account for every non- Windows Kerberos-System and the command keytab Kerberos Trusts between Windows-KDC and Linux-KDCs are possible For more Information see: Interoperatibily Whitepaper from Microsoft http://www.microsoft.com/windows2000/techinfo/ planning/security/kerbsteps.asp

SFU Services for Unix is a free compatibility tool for integration Unix into Windows-Networks Parts are NFS-Server/Client NIS-Server/Client Shells (bourne, korn) Perl Posix-compatible Schema-Enhancement Can be used by nss-ldap

NSS-LDAP and PAM-Kerberos nss_ldap Use nss_map_objectclass to change SfU 3.5 to NSS-OpenLDAP in /etc/ldap.conf Look for Service for Unix 3.5 mapping PAM-Kerberos Create Account like account-name Map Account to a Kerberos Instance Ktpass princ service-instance@realm mapuser account-name -pass password -out UNIXmachine.keytab Add UNIXmachine.keytab to /etc/krb5.keytab

Synopsis Linux and Windows can work together,... but some work is necessary

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information