SSSD Active Directory Improvements



Similar documents
RHEL Clients to AD Integrating RHEL clients to Active Directory

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

FreeIPA 3.3 Trust features

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

FreeIPA v3: Trust Basic trust setup

SUSE Manager 1.2.x ADS Authentication

System Security Services Daemon

AD Integration options for Linux Systems

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Kerberos Delegation with SAS 9.4

Active Directory and Linux Identity Management

I am an SE at a large storage system vendor

Identity Management based on FreeIPA

Univention Corporate Server. Extended domain services documentation

Integrating Linux systems with Active Directory

Migration of Windows Intranet domain to Linux Domain Moving Linux to a Wider World

Using Active Directory as your Solaris Authentication Source

Integrating Red Hat Enterprise Linux 6 with Active Directory. Mark Heslin Principal Software Engineer

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Advancements in Linux Authentication and Authorisation using SSSD

SSSD and OpenSSH Integration

FreeIPA - Open Source Identity Management in Linux

Windows Enterprise OU Administrator Tips. Integrating RHEL5 Systems with Active Directory

Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

Integration with Active Directory. Jeremy Allison Samba Team

Using Single Sign-on with Samba. Appendices. Glossary. Using Single Sign-on with Samba. SonicOS Enhanced

SSSD DNS Improvements in AD Environment

Building Open Source Identity Management with FreeIPA. Martin Kosek

Unifying Authorization Models

The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Attunity RepliWeb PAM Configuration Guide

FreeIPA Cross Forest Trusts

Charles Firth Managing Macs in a Windows World

Configure Samba with ACL and Active Directory integration Robert LeBlanc BioAg Computer Support, Brigham Young University

Installing Squid with Active Directory Authentication

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

IPA Identity, Policy, Audit Karl Wirth, Red Hat Kevin Unthank, Red Hat

Single Sign-On for Kerberized Linux and UNIX Applications

Red Hat Enterprise Linux 7 Windows Integration Guide

FreeIPA Client and Server

Hadoop Elephant in Active Directory Forest. Marek Gawiński, Arkadiusz Osiński Allegro Group

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

Samba. Samba. Samba 2.2.x. Limitations of Samba 2.2.x 1. Interoperating with Windows. Implements Microsoft s SMB protocol

Network Startup Resource Center

Red Hat Identity Management

Windows Security and Directory Services for UNIX using Centrify DirectControl

Connect to UW UWWI Active Directory

Integrating Lustre with User Security Administration. LAD 15 // Chris Gouge // 2015 Sep

INUVIKA TECHNICAL GUIDE

Guide to SASL, GSSAPI & Kerberos v.6.0

Kerberos and Windows SSO Guide Jahia EE v6.1

SUSE Linux Enterprise Server in an Active Directory Domain

Using Samba to play nice with Windows. Bill Moran Potential Technologies

Configure the Application Server User Account on the Domain Server

ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

Table of Contents. Red Hat Summit Labs. Lab Overview... 3 Background... 3

LDAP-UX Client Services B with Microsoft Windows Active Directory Administrator's Guide

(june > this is version 3.025a)

Cross-Realm Trust Interoperability, MIT Kerberos and AD

Bring Linux into Microsoft s ADS

Using Active Directory to Authenticate Linux Users. Using Standard Protocols and Open Source Products

External and Federated Identities on the Web

Active Directory Integration

Implementing Linux Authentication and Authorisation Using SSSD

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

Vintela Authentication from SCO Release 2.2. System Administration Guide

Remote access. Contents

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Using OpenSSH in a Single Sign-On Corporate Environment with z/os, Windows and Linux

Linux/Windows Security Interop: Apache with mod_auth_kerb and Windows Server 2003 R2

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Secure Unified Authentication for NFS

Integrating UNIX and Linux with Active Directory. John H Terpstra

CONFIGURING ACTIVE DIRECTORY IN LIFELINE

Using Kerberos tickets for true Single Sign On

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

FreeIPA Client and Server

Kerberos authentication between multiple domains may fail on LiveCycle Rights Management ES 8.2.1

1 Introduction. Ubuntu Linux Server & Client and Active Directory. Page 1 of 14

Identity Management: The authentic & authoritative guide for the modern enterprise

Linux Virtual Desktop. Installation Guide for Red Hat Enterprise Linux. Version 1.0

Linux Virtual Desktop

CAC AND KERBEROS FROM VISION TO REALITY

Authentication in a Heterogeneous Environment

Centrify Identity and Access Management for Cloudera

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

ACE Names and UID/GID/SIDs

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

BusinessObjects 4.0 Windows AD Single Sign on Configuration

ENTERPRISE LINUX SECURITY ADMINISTRATION

How To Use Directcontrol With Netapp Filers And Directcontrol Together

Using Kerberos to Authenticate a Solaris TM 10 OS LDAP Client With Microsoft Active Directory

Parallels Plesk Panel

Integrating OID with Active Directory and WNA

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010

Transcription:

FreeIPA Training Series SSSD Active Directory Improvements Jakub Hrozek January 2013

Contents of the presentation 1.Overview of Active Directory related improvements 2.Range attributes support 3.Mapping Active Directory SIDs onto UNIX IDs 4.The Active Directory provider 5.Hands-on example joining a SSSD 1.9 client to an Active Directory domain 2 FreeIPA Training Series

Active Directory client improvements in SSSD 1.9 Support of range attributes Enables resolving large groups from AD Mapping of Windows SIDs to UNIX IDs Removes the requirement for AD users to contain POSIX attributes, in particular UIDs and GIDs A new Active Directory provider Simplifies SSSD config file and uses AD specific defaults Takes advantage of several AD specific features to improve performance 3 FreeIPA Training Series

Range attribute parsing By default, AD limits the number of multivalued attributes returned in a single search Typically an issue with the member attribute when large groups are present in AD If the number of values is over the single page limit, the attributes are returned in the form attribute;range=low-high Example: member;range=99-499 The SSSD 1.9 is able to parse and process these attributes Support on by default in the LDAP provider, no configuration needed 4 FreeIPA Training Series

Mapping AD SIDs to UNIX IDs Windows use Security Identifiers to identify users and groups Contains identifier of the domain and relative identifier of the object In SSSD 1.9, the sssd is able to automatically map these SIDs to IDs The SSSD automatically selects the proper range for mapping SIDs to IDS preventing overlaps and conflicts between different domains In LDAP provider, set ldap_id_mapping = true Off by default in LDAP provider, on by default in AD provider 5 FreeIPA Training Series

The Active Directory provider It was possible for client to use identities from an Active Directory server prior to SSSD 1.9 The SSSD would treat Active Directory as a generic LDAP server for identities and Kerberos server for authentication So why bother with a brand new AD provider? POSIX attributes were required on the AD side Non trivial configuration of the SSSD Did not use AD-specific features the client could benefit from, such as tokengroups 6 FreeIPA Training Series

Benefits over using the LDAP provider Simplified configuration The AD provider already contains the correct defaults for attribute names as used on the AD side Secure by default The AD provider defaults to using GSSAPI for encrypting identity lookups Faster logins Using the tokengroups attribute speeds up the initgroups operation Support for ID mapping The Windows Security Identifiers (SIDs) are automatically converted into UNIX IDs 7 FreeIPA Training Series

AD provider configuration example sssd.conf with LDAP provider SSSD with AD provider [domain/ad.example.com] [domain/ad.example.com] id_provider = ldap id_provider = ad auth_provider = krb5 ldap_schema = rfc2307bis #uncomment if autodiscovery is not #required ldap_sasl_mech = GSSAPI #ad_server = ad.example.com ldap_user_object_class = user ldap_group_object_class = group ldap_user_home_directory = unixhomedirectory ldap_user_principal = userprincipalname ldap_force_upper_case = true..and more that wouldn't fit on the slide.. 8 FreeIPA Training Series

Performance enhancements in AD provider Many users were not happy with slow logins Usually the slowest part of login is initgroups The initgroups operation is performed on each login Collects the groups a user is a member of Benchmark: id -G $username The LDAP provider would look up all the groups the user is a member of with LDAP searches Could be several searches per single login, at least one search per nesting level The AD provider uses tokengroups to improve performance 9 FreeIPA Training Series

tokengroups With AD provider it is possible to grab the list of groups the user is a member of along with the user entry The AD specific tokengroups attribute contains a list of all the Security Identifiers (SIDs) the user is a member of The client must be able to map the SIDs to UNIX IDs Only works when ID mapping is enabled 10 FreeIPA Training Series

Comparison with Winbind and the LDAP provider Feature SSSD with LDAP/KRB5 providers SSSD with AD provider Requires SFU/IMU Yes No No Winbind Supports ID mapping None One method Multiple methods AD specific call to retrieve initgroups Handles mounting CIFS shares No Yes Yes No No (planned for 1.10) Yes DNS site support No No (planned for 1.10) Yes DNS dynamic updates No No (planned for 1.10) Yes 11 FreeIPA Training Series

Q&A: Migration from the LDAP provider A client already uses SSSD with AD using the LDAP provider. Can I simply switch to using the AD provider? Not simply. The UIDs and GIDs of users and groups would change when the client switches from using the POSIX attributes to using ID mapping Can I disable ID mapping and just use the faster initgroups feature? No, the tokengroups support only works in conjuction with ID mapping 12 FreeIPA Training Series

Q&A: Migration from Winbind A client already uses Winbind for his setup. Can I simply switch to using SSSD with ID mapping? Not easily. You would have to carefully set the default domain SID (ldap_idmap_default_domain_sid) and the range start (ldap_idmap_range_min). But in general, such migration is not recommended. 13 FreeIPA Training Series

Joining a Linux client to Active Directory Example enroll a client linux.example.com into an AD server at ad.example.com that is administering the domain EXAMPLE.COM Pre-requisities Functional host name resolution Including SRV records if auto discovery is needed Our examples will even use the AD server as DNS server Synchronized time for Kerberos Packages installed yum install sssd krb5-workstation samba-common authconfig 14 FreeIPA Training Series

The general steps to join a Linux client to AD Enroll the client into Active Directory Configure krb5.conf Configure smb.conf Obtain the keytab using the net utility Configure the system to use SSSD for looking up identity information and performing authentication Configure the SSSD 15 FreeIPA Training Series

Enrolling a client configure Kerberos Start by configuring /etc/krb5.conf Define the [realms] and [domain_realm] sections if autodiscovery doesn't work [logging] default = FILE:/var/log/krb5libs.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d rdns = false forwardable = yes 16 FreeIPA Training Series

Enrolling a client configure Samba Edit /etc/samba/smb.conf [global] workgroup = EXAMPLE client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log password server = AD.EXAMPLE.COM realm = EXAMPLE.COM security = ads 17 FreeIPA Training Series

Enrolling a client joining the domain Obtain the Kerberos ticket of a user to enroll as kinit Administrator Can be any user with sufficient rights to join a machine to domain Join the machine net ads join -k Should print Joined 'linux' to dns domain 'example.com' on success A new file /etc/krb5.keytab should be created 18 FreeIPA Training Series

Enrolling a client check the keytab Check if the keytab contains the expected principal klist -k Should print several entries that contain both the full and the short host name of the client and the domain Try to kinit using the keytab kinit -k 19 FreeIPA Training Series

Configure the system to use the SSSD Currently authconfig can't configure the SSSD with the AD provider on its own We'll use authconfig to set up the system to use the SSSD authconfig --enablesssdauth --enablesssd --update nsswitch.conf to look up identity information with the SSSD PAM stack to perform authentication using the SSSD..and then configure the SSSD manually 20 FreeIPA Training Series

Configure the SSSD Configure /etc/sssd.conf Use ad_server to specify the AD server if autodiscovery is not working Example sssd.conf using autodiscovery: [sssd] services = nss, pam config_file_version = 2 domains = EXAMPLE.COM [domain/example.com] id_provider = ad 21 FreeIPA Training Series

Enrolling a client test the setup Start the SSSD service service sssd start Test if identity information can be obtained getent passwd aduser Test if authentication works Some services (notably sshd) must be restarted to re-read the new PAM config ssh aduser@linux.example.com 22 FreeIPA Training Series

Troubleshooting the SSSD Generic checklist Check if time is synchronized Check if the keytab /etc/krb5.keytab contains What if identity information can't be obtained Raise the debug_level in the [nss] and [domain] sections of sssd, restart the SSSD and attach the log files in /var/log/sssd What if logins do not work All of the above and debug logs from the [pam] section /var/log/secure 23 FreeIPA Training Series

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information