Single Sign-on
Agenda
• Motivations for Windows/Linux SSO
• Choosing an Architecture
• Implementation Strategies
• Walkthrough

Goals of SSO
• Enhance user experience
• Improve security and compliance
• Reduce IdM costs
• But true SSO is really, really hard to achieve; Reduced Sign-On (RSO) is much more realistic.

Choosing an Architecture
• Enterprise SSO
• Kerberos
• Identity Federation
  • WS-Federation
  • SAML 2.0
• Metadirectory/Virtual Directory

Enterprise SSO
• Caches credentials on the local machine or on a shared server
• Doesn’t require much change to infrastructure or applications
• Requires creation of adapters for each application
• Doesn’t reduce IdM costs that much

Kerberos
• Secure authentication protocol designed to provide single sign-on
• Standardized via RFCs and mature implementations
• Single credential store to manage
• Difficult to implement across security domains
• Not designed to carry additional identity information

Federated Identity Systems
• SAML v2
• WS-Federation
• Focused on Web SSO
• Leaves existing identity technologies in place
• Relatively new
• Requires establishment and management of trust relationships

Metadirectory/Virtual Directory
• Doesn’t by itself produce an SSO experience
• Requires no change to the existing application infrastructure
• Potentially reduces IdM overhead
• Potentially complex infrastructure
Windows Authentication Mechanisms
• NTLM v2
  • Not terribly secure
  • Generally understood only by Windows resources
• Kerberos v5
  • Quite secure
  • Provided by Active Directory

Linux Authentication Mechanisms
• /etc/passwd, /etc/shadow
• NIS, NIS+
• LDAP
• Kerberos

Kerberos Implementations for Linux
• MIT Kerberos v5
  • De-facto standard
  • Included with nearly every Linux distribution
  • http://web.mit.edu/kerberos/
• Heimdal
  • European implementation, written to avoid export restrictions on strong encryption
  • http://www.pdc.kth.se/heimdal/

Linux PAM
• Standard API for authentication-related functions
• Pluggable modules provide different authentication mechanisms
• Configured on an application-by-application basis in /etc/pam.d

PAM Services
• Account
  • Does the account exist?
• Authentication
  • Is the user who they say they are?
• Password
  • Password policy and password change
• Session
  • Session setup and configuration

PAM Configuration
• /etc/pam.d/<application name>
• system-auth (common configuration shared by the per-application files)

Linux NSS
• Name-to-uid mapping
• Group memberships
• Home directory
• Shell
Samba Project
• Free/Open source project that helps integrate Windows and Linux
• http://www.samba.org
• SMB/CIFS server and clients
• NT4 PDC/BDC
• Windows/Linux printing
• NTLMv2 and Kerberos authentication

Samba winbind
• Daemon that manages domain-related communication with a DC
• Includes PAM and NSS modules for integration
• Added to system startup, e.g. /etc/rc.d/init.d

A Note on ID Mapping
• Samba provides several mechanisms:
  • Store uid/gid and SID in a local .tdb database
  • Store uid/gid in an LDAP store
  • Calculate uid/gid from the SID
  • Store uid/gid in Active Directory

Our SSO Strategy
[Diagram: a Linux client and a Windows client, each performing the Kerberos AS/TGT exchange]
Implementing PAM winbind
• Extend Active Directory to support Linux
• Prep the Linux environment
• Build, install and configure winbindd
• Configure PAM/NSS to use Active Directory

Extending the Schema
• RFC 2307 specifies the representation of NIS data in LDAP
• WS2K3 R2 has it built into the user object
• RFC 2307 auxiliary class schema extension for WS2K3
• SFU schema extension for Windows 2000
  • But names and OIDs are not RFC 2307 compliant

Prep Linux Environment
• # system-config-network
• Make sure the host name is set properly, with the same domain name as AD
• Make sure the DNS resolver points at the AD DNS namespace
Building 3.0.23c winbindd
• Download and install the Samba 3.0.23c source RPM
  • # rpm -i samba-3.0.23c-4.src.rpm
• Edit /usr/src/redhat/SPECS/samba3.spec
  • Add idmap_ad to the --with-shared-modules option
• Build Samba
  • # rpmbuild -bb SPECS/samba3.spec
  • The binary RPM will be in /usr/src/redhat/RPMS/i386

Remove and Reinstall Samba
• Upgrade Samba
  • # rpm -e samba-common
  • # rpm -e samba-client
  • # rpm -e samba-swat
  • # rpm -e system-config-samba
  • # rpm -i samba-3.0.23c-4.i386.rpm
Configuring PAM to Use Winbind
• Make sure SELinux is disabled
  • # system-config-securitylevel
• Enable PAM winbind support
  • # system-config-authentication
  • Enable Winbind for User Information
  • Enable Winbind for Authentication
• Add pam_mkhomedir skel=/etc/skel umask=0077 to /etc/pam.d/system-auth

Configuring Winbind
• Configure winbind dialog
  • # system-config-authentication
  • Domain name (short) in ALL CAPS
  • Security model: ADS
  • Realm is the DNS name of the Active Directory domain
  • DCs are the fully qualified DNS host names of the DCs
  • Shell…
• Edit /etc/samba/smb.conf
  • Add idmap backend = ad to the [global] section
• Add the home directory
  • # mkdir /home/<DOMAINNAME>
• Restart the winbind daemon
  • # service winbind restart
Making it Work
• Join the machine to the domain
  • # net ads join -U <administrator>
• Check connectivity
  • # wbinfo -t
• List domain users
  • # wbinfo -u
• List domain groups
  • # wbinfo -g
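A small audit script, added here as an example (it is not from the original deck), that checks an smb.conf against the settings the walkthrough calls for and compares the host's DNS domain with the realm before the domain join; the function names, the sample config and the host name linuxbox.example.com are assumptions.

```shell
# Added example (not from the original deck): check an smb.conf [global]
# section and the host's FQDN against the walkthrough's requirements
# (security = ads, realm in caps matching the host's DNS domain, short
# domain name in ALL CAPS, idmap backend = ad). Returns 1 on any failure.
# smb_get FILE KEY: value of KEY in [global]; keys are case-insensitive,
# whitespace around '=' ignored, comment lines (# or ;) skipped.
smb_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global]/); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

upper() { printf %s "$1" | tr 'a-z' 'A-Z'; }

check_ads_config() {
    conf=$1 fqdn=$2 rc=0
    security=$(smb_get "$conf" security)
    realm=$(smb_get "$conf" realm)
    workgroup=$(smb_get "$conf" workgroup)
    idmap=$(smb_get "$conf" "idmap backend")
    hostdomain=${fqdn#*.}    # DNS domain of this host ("Prep Linux Environment")
    [ "$(upper "$security")" = ADS ] \
        || { echo "security must be ads (got '${security:-unset}')"; rc=1; }
    [ -n "$realm" ] && [ "$realm" = "$(upper "$realm")" ] \
        || { echo "realm must be set in upper case (got '${realm:-unset}')"; rc=1; }
    [ "$(upper "$realm")" = "$(upper "$hostdomain")" ] \
        || { echo "host DNS domain '$hostdomain' does not match realm '$realm'"; rc=1; }
    [ -n "$workgroup" ] && [ "$workgroup" = "$(upper "$workgroup")" ] \
        || { echo "workgroup (short domain name) must be set in ALL CAPS"; rc=1; }
    [ "$idmap" = ad ] || { echo "idmap backend must be ad (got '${idmap:-unset}')"; rc=1; }
    return $rc
}

# Constructed sample matching the walkthrough (not a real site's config).
sample_smb_conf() {
    printf '%s\n' '[global]' '   workgroup = EXAMPLE' '   realm = EXAMPLE.COM' \
        '   security = ads' '   ; idmap backend = rid' '   idmap backend = ad'
}
```

On a real host, run check_ads_config /etc/samba/smb.conf "$(hostname -f)" after editing smb.conf and before net ads join.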
Linuxifying Users and Groups
• Every user must have a unique value for the uidNumber attribute
• Every user must have a value for gidNumber
• Every group should have a unique value for the gidNumber attribute
• The Domain Users group must have gidNumber defined
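An audit of those four rules over an LDIF export of the directory, added here as an example (not from the original deck); it reads the attribute names AD uses (sAMAccountName, uidNumber, gidNumber), and the function names and the sample export are assumptions.

```shell
# Added example (not from the original deck): audit the RFC 2307 attributes the
# "Linuxifying Users and Groups" slide requires, reading LDIF such as ldapsearch
# prints for AD objects. Exit status 1 on any violation: user without uidNumber
# or gidNumber, duplicate uidNumber, duplicate group gidNumber, Domain Users without gidNumber.
audit_posix_ldif() {
    awk '
        function val(   v) { v = $0; sub(/^[^:]*:[[:space:]]*/, "", v); return v }
        function fail(msg) { print msg; bad = 1 }
        function flush() {
            if (name == "") return
            if (isgroup) {
                if (gid == "") { if (name == "Domain Users") fail("no gidNumber: " name) }
                else if (gid in gseen) fail("duplicate gidNumber " gid ": " name ", " gseen[gid])
                else gseen[gid] = name
            } else {
                if (uid == "") fail("no uidNumber: " name)
                else if (uid in useen) fail("duplicate uidNumber " uid ": " name ", " useen[uid])
                else useen[uid] = name
                if (gid == "") fail("no gidNumber: " name)
            }
            name = uid = gid = ""; isgroup = 0
        }
        /^$/ { flush(); next }                 # blank line ends an LDIF record
        $0 == "objectClass: group" { isgroup = 1 }
        /^sAMAccountName:/ { name = val() }
        /^uidNumber:/ { uid = val() }
        /^gidNumber:/ { gid = val() }
        END { flush(); exit bad }
    ' "$@"
}
# Constructed sample export (not real data) with deliberate problems.
sample_ldif() {
    cat <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
EOF
}
```

Pipe a real export in with sample_ldif replaced by ldapsearch output, or pass the file name as the argument.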
Figuring Out What Went Wrong
• Syslog (/var/log/messages)
• /var/log/samba/winbind.log
• Set the debug level (1-10) in /etc/rc.d/init.d/winbind
  • # service winbind restart
• Enable auth logging on the domain controller
What Do You Get?
• Ability to manage all users in AD
• Solve the unique identifier problem while getting rid of NIS
• Consolidated authentication audit logs
• Ability to give your Linux users access to Windows resources like shares and printers
• Source code!

What’s Missing?
• Ease of installation and configuration
• Authoritative support
• Group Policy management of Linux
• Web SSO
  • mod_auth_pam
  • mod_auth_kerb
  • …or ADFS and mod_auth_adfs from PING
• Scalability?
Centrify DirectControl
• Supports 60+ platforms including Mac
• Instant AD integration using Kerberos/LDAP and WS-Federation (ADFS)
• Support for Apache and J2EE as well
• GPO management of non-Windows platforms
• Group Linux machines into Zones to organize authentication and management
• No schema changes needed

Vintela Authentication Services
• Supports 75+ platforms
  • … but not Mac
• Instant AD integration using Kerberos/LDAP and WS-Federation (ADFS)
• Support for Apache and J2EE as well
• GPO management of Linux/Unix platforms
• LDAP proxy for secure LDAP connections
• Linux/Unix “personalities”
• Uses standard RFC 2307 schema attributes
Summary
• SSO Strategies
• SSO Architectures
• Linux Authentication
• Configuring Linux to Use Active Directory

Questions?

Directory Experts Conference
• Microsoft Identity and Access Technologies
• April 21-24
• Las Vegas

Thank You!
Gil Kirkpatrick
CTO, NetPro
gilk@netpro.com
www.netpro.com