Unifying Authorization Models

Similar documents
Using Single Sign-on with Samba. Appendices. Glossary. Using Single Sign-on with Samba. SonicOS Enhanced

SSSD Active Directory Improvements

Attunity RepliWeb PAM Configuration Guide

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

Integrating UNIX and Linux with Active Directory. John H Terpstra

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Allion Ingrasys Europe. NAStorage. Security policy under a UNIX/LINUX environment. Version 2.01

Cross-Realm Trust Interoperability, MIT Kerberos and AD

Agenda. NT4 PDC Migration to Samba-3. Site Objectives. Samba-3 is NOT MS Windows NT. John H Terpstra, Samba-Team jht@samba.org

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

RHEL Clients to AD Integrating RHEL clients to Active Directory

Active Directory and Linux Identity Management

Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite

SAMBA VI: As a Domain Controller

Integration with Active Directory. Jeremy Allison Samba Team

Integrating Ubuntu 8.04 LTS into Microsoft Active Directory using Likewise Open

NT4 PDC Migration to Samba 3

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

IDENTITIES, ACCESS TOKENS, AND THE ISILON ONEFS USER MAPPING SERVICE

VNC Upgrade Guide. Version 5.0. June 2012

NAStorage. Administrator Guide. Security Policy Of NAStorage Under UNIX/LINUX Environment

Samba. Samba. Samba 2.2.x. Limitations of Samba 2.2.x 1. Interoperating with Windows. Implements Microsoft s SMB protocol

Managing Access Control in PresSTORE

Configure Samba with ACL and Active Directory integration Robert LeBlanc BioAg Computer Support, Brigham Young University

Migration of Windows Intranet domain to Linux Domain Moving Linux to a Wider World

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Vintela Authentication from SCO Release 2.2. Installation Guide

PowerBroker Identity Services. Administration Guide

Centrify-Enabled Samba

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

Authentication in a Heterogeneous Environment

Exploiting the Web with Tivoli Storage Manager

Using Samba to play nice with Windows. Bill Moran Potential Technologies

Security with LDAP. Andrew Findlay. February Skills 1st Ltd

Vintela Authentication from SCO Release 2.2. System Administration Guide

SAMBA SERVER (PDC) Samba is comprised of a suite of RPMs that come on the RHEL/Fedora CDs. The files are named:

Installation and Configuration Guide. Version

Distributed File System

Likewise Security Benefits

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

FreeIPA v3: Trust Basic trust setup

ONEFS MULTIPROTOCOL SECURITY UNTANGLED

How to Tunnel Remote Desktop using SSH (Cygwin) for Windows XP (SP2)

NAS 109 Using NAS with Linux

Bring Linux into Microsoft s ADS

CYAN SECURE WEB HOWTO. NTLM Authentication

FreeIPA Cross Forest Trusts

Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure

Windows Security and Directory Services for UNIX using Centrify DirectControl

Likewise Open Installation and Administration Guide

IBM WebSphere Application Server Version 7.0

VINTELA AUTHENTICATION SERVICES

AD Integration options for Linux Systems

Domain Services for Windows Administration Guide

Remote Unix Lab Environment (RULE)

Centrify Server Suite Management Tools

Configuring the Active Directory Plug-in

Integrating Linux systems with Active Directory

Linuxdays 2005, Samba Tutorial

How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris

Univention Corporate Server. Extended domain services documentation

Understanding and Using NetInfo. Includes information on setting up Mac OS X Server and NetInfo to increase the power of your Mac OS X network

Active Directory Integration

Privileged Account Management Mar3n Cannard, Security Solu3ons Architect

FreeIPA 3.3 Trust features

IPA Identity, Policy, Audit Karl Wirth, Red Hat Kevin Unthank, Red Hat

Deploying Ubuntu Server Edition. Training Course Overview. (Ubuntu LTS)

ESM s management across multi-platforms eliminates the need for various account managers.

(june > this is version 3.025a)

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Enterprise Apple Xserve Wiki and Blog using Active Directory. Table Of Contents. Prerequisites 1. Introduction 1

Desktop : Ubuntu Desktop, Ubuntu Desktop Server : RedHat EL 5, RedHat EL 6, Ubuntu Server, Ubuntu Server, CentOS 5, CentOS 6

Instructions for Adding a MacOS 10.4.x Client to ASURITE

Trust but Verify: Best Practices for Monitoring Privileged Users

What s New in Centrify Server Suite 2014

Network Startup Resource Center

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

Installing QuickBooks Enterprise Solutions Database Manager On Different Linux Servers

CA Unified Infrastructure Management Server

SUSE Manager 1.2.x ADS Authentication

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

How To Configure Vnx (Vnx) On A Windows-Only Computer (Windows) With A Windows 2.5 (Windows 2.2) (Windows 3.5) (Vnet) (Win

Avatier Identity Management Suite

Chapter 1: How to Register a UNIX Host in a One-Way Trust Domain Environment 3

Setting up a DNS MX Record for mail.corp.com p. 327 Installing Fedora on the Front-End Mail Server with the Postfix and SpamAssassin Packages

What s New in Propalms VPN 3.5?

PxPlus Version Control System Using TortoiseSVN. Jane Raymond

Parallels. for your Linux or Windows Server. Small Business Panel. Getting Started Guide. Parallels Small Business Panel // Linux & Windows Server

# Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server ; wins support = no

Configuring and Using the TMM with LDAP / Active Directory

CONFIGURING ACTIVE DIRECTORY IN LIFELINE

What s New in Centrify Server Suite 2013 Update 2

Transcription:

Unifying Authorization Models Merging /etc/group and 'Domain Users' Gerald Carter Centeris jerry@samba.org http://www.samba.org/ Slide 1 Copyright G. Carter, 2006 Outline http://samba.org/~jerry/slides/lwny07_2up.pdf Short overview of Samba's Winbind service Joining Unix/Linux desktops to Active Directory Problem statement Managing group membership Access to files Nesting groups Case Study: Software development at Centeris using Subversion Slide 2 Copyright G. Carter, 2006 1

Network Environment Mix of desktops and servers Unix/Linux Windows Mac OS X Active Directory is the central source of authentication Slide 3 Copyright G. Carter, 2006 Winbind Included in Samba releases Composed of three parts Daemon (winbindd) that communicates with Samba/Windows domain controllers NSS library (libnss_winbind.so) that exports domain users and groups as Unix users and group PAM library (pam_winbind.so) for authenticating domain users Reference: Using Samba (3 rd ed.), O'Reilly, and http://www.samba.org/samba/docs/ Slide 4 Copyright G. Carter, 2006 2

Joining an AD domain Modify /etc/krb5.conf Define the allowable key encryption types Modify /etc/samba/smb.conf Specify domain parameters such as AD realm Modify /etc/nsswitch.conf Install /lib/libnss_winbind.so.2 Add the winbind service for 'passwd' and 'group' Run 'net ads join' Slide 5 Copyright G. Carter, 2006 Logging on as a Domain User Add pam_winbind.so to the appropriate files in /etc/pam.d/* Demo... Slide 6 Copyright G. Carter, 2006 3

Problem: Group membership Windows users require access to Unix services Windows users may be logging onto Unix desktops e.g. Software engineering groups Windows users belong to Windows groups Unix users belong to Unix groups Window users may belong to Unix groups Windows groups cannot belong to a Unix group Slide 7 Copyright G. Carter, 2006 Ubuntu and /etc/sudoers Ubuntu uses /etc/sudoers to manage administrative control over a system without requiring a user to login as root Example: ## Members of the admin group may gain root ## privileges %admin ALL=(ALL) ALL Slide 8 Copyright G. Carter, 2006 4

Ubuntu and /etc/group Simply add users to the admin group membership defined in /etc/group Example: Local Unix user named jerry Windows domain user named smitty ## /etc/group... admin:x:113:jerry,books\smitty Managing individual user accounts in /etc/group duplicates work done by Active Directory Slide 9 Copyright G. Carter, 2006 Problem: File Access Traditional Unix permissions only allow owner group other The single group owner could be a Unix or a Windows group We need a group that is able to contain both users and groups Windows local groups (NT4) Slide 10 Copyright G. Carter, 2006 5

Nesting Groups The Windows NT 4.0 local group model allows a server to define a group that may contain Local and Domain users Domain Groups Example: Adding the Domain Admins group to the local Administrators group Slide 11 Copyright G. Carter, 2006 Winbind Nested Groups Feature was first added in Samba 3.0.3 Much improved in Samba 3.0.23 winbind nested groups = yes Winbind acts as another database of local groups and group membership Group membership is stored as a list of SIDs Winbind expands the list of SIDs and returns these as a list of Unix gids to the calling process Slide 12 Copyright G. Carter, 2006 6

Managing Nested Groups Winbind's local groups may be managed via Windows Local User & Groups MMC plugin net sam command Creating a group net sam createlocalgroup Developers Allocates a Unix gid for the group Adding a domain group net sam addmem Developers BOOKS\Engineering Listing membership net sam listmem Developers Slide 13 Copyright G. Carter, 2006 Samba's Account Database Samba maintains a local SAM (account database) of users and groups Layered on top of system users and groups Must assign a Window SID to users and groups in order to include them in a Winbind nested group Add a user: smbpasswd -a biddle && smbpasswd -d biddle Add a group: net groupmap add unixgroup=foo ntgroup=bar Slide 14 Copyright G. Carter, 2006 7

Making Use of Nested Groups The gid of any local group membership appears in the Unix token of the user Example: $ net groupmap list verbose ntgroup=subversion Subversion SID : S-1-5-21-413303968-2244891970-896255792-1001 Unix gid : 101 Unix group: svn Group type: Domain Group Comment : Domain Unix group $ net sam listmem Developers ORWELL\Developers has 2 members ORWELL\Subversion BOOKS\Engineering Slide 15 Copyright G. Carter, 2006 Making Use of Nested Groups Example: [rain]$ ssh -l BOOKS\smitty orwell Password: [orwell]$ id uid=100000(books\smitty) gid=100000(books\domain^users) groups=10000(orwell\developers), 100000(BOOKS\domain^users), 100001(BOOKS\engineering) Slide 16 Copyright G. Carter, 2006 8

Case Study: Centeris Engineering Windows Active Directory Manages all user accounts and groups Linux Desktops & Servers Various Linux distributions: Ubuntu, Novell, & RedHat Other Unix: Solaris, AIX. etc... Joined to AD using Likewise Identity 3.0 http://www.centeris.com/products/ Source code is maintained in Subversion repository Slide 17 Copyright G. Carter, 2006 Case Study: Centeris Engineering All developer accounts in AD belong to the Engineering domain group To facilitate access to the svn repository: Create local winbind group named Developers Add a group mapping entry for the Unix svn group Add the domain Engineering group and local Subversion group to the local Developers group $ net sam listmem Developers ORWELL\Developers has 2 members ORWELL\Subversion BOOKS\Engineering Slide 18 Copyright G. Carter, 2006 9

Case Study: Centeris Engineering Group write access is given to the local Developers group $ ls -ld /data/svn/centeris drwxrws--- 7 svn ORWELL\developers /data/svn/centeris Advantages: New users and groups may be given access to the svn tree by simply adding the account to the local Developers group The Developers group only has to be managed on the server hosting the svn repository Slide 19 Copyright G. Carter, 2006 Questions? Unifying Authorization Models Merging /etc/group and 'Domain Users' Gerald Carter Centeris jerry@samba.org http://www.samba.org/ Slide 20 Copyright G. Carter, 2006 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information