Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Square Pegs in Round Holes

advertisement 
Square Pegs in Round Holes:
Linux in a Windows World
Eric G. Wolfe <wolfe21@marshall.edu> © 2008
Senior Linux Administrator
Marshall University
Slides, and code available at http://webpages.marshall.edu/~wolfe21
Part 1
Understanding the technology.
What is Active Directory?
Active Directory
• A pre-configured Authentication
and Authorization solution, offered
by Microsoft.
• Components
o DNS
o Kerberos
o LDAP
o MSRPC
• Pros
o Simple to manage and
maintain.
• Cons
o Interoperability requires some
knowledge of the underlying
components.
What is Kerberos?
Kerberos
• A secure authentication protocol.
• Hashes, NOT passwords are
sent to the server.
• Tickets are granted to the
client.
• Tickets can be used as
authentication against services.
• Versions
o MIT (US)
o Heimdal (Swiss)
• Pros
o Centralized user management.
o Protocol transport is secure by
default.
o Third party support.
• Cons
o Time syncronization must be
precise.
o Password management is not
standardized.
What is LDAP?
Lightweight Directory Access Protocol
• A directory is like a database
optimized for reads.
• LDAP is used for authorization.
• Contains centralized information
o user and group
o application configuration
• Pros
o Usernames have a relationship
to centralized attributes.
• Cons
o Directory schema is not
standardized.
o Performance is hindered with
clients and applications
increases.
What is MSRPC?
Microsoft Remote Procedure Call
• Modified version of The Open Group's DCE/RPC 1.1 (Distributed Computing
Environment Remote Procedure Call)
• MSRPC is how Microsoft operating systems talk to each other.
o "Domain Member" servers resolve usernames, and groups between one
another.
o Remote Registry services
o Administrative Tools - Microsoft Management Console
Part 2
Configuring these technologies, the basics of
AD Integration.
Setting up Kerberos.
pam_krb5
This is specific to Red Hat Enterprise.
• Easy way
o setup (select Authentication Config)
o authconfig-tui
• Harder way, editing config files.
o /etc/krb5.conf
o /etc/pam.d/system-auth
 Note: Debian/Ubuntu splits up system-auth
 /etc/pam.d/common-auth
 /etc/pam.d/common-account
 /etc/pam.d/common-password
 /etc/pam.d/common-session
Video Demonstration
Setting up Kerberos.
mod_auth_kerb
• Kerberos authentication in Apache
o behaves like IIS Windows Integrated Authentication.
o sets $_SERVER['USERNAME'] environment variable for use in custom or
third-party web applications.
• Authentication protocol is secured between the Domain Controller and web
server.
o still need SSL/TLS for client -> webserver.
• Edit two files
o /etc/httpd/conf.d/auth_kerb.conf
o /etc/httpd/conf.d/auth_kerb.keytab
Setting up Samba
Join a domain
– Edit /etc/samba/smb.conf (next slide)
– Configure services
o chkconfig smb on
o chkconfig winbind on
o chkconfig nscd off
– Stop or start services
o /etc/init.d/smb start
o /etc/init.d/winbind start
o /etc/init.d/nscd stop
– Join domain
o net ads join createcomputer="Organizational Unit" -Uadministrator
Video Demonstration
PAM Samba configuration
Name Service Switch
Part 3
Advanced tricks: Linux & MSRPC
Remote registry & DNS
DNS management
• Problems encountered
o You can read AD-integrated zones from LDAP, but the majority of our
zones are NOT AD-integrated.
o We have thousands of internal reverse zones, it is tedious to maintain
them on several servers individually.
o There is no DNS standard allowing a slave server to grab all of the zone
names off of a primary.
• Observations
o Windows DNS can be read remotely from a registry branch with Samba.
Remote Registry & DNS
configuring dnsnarf
• Create a DNS service account in AD for the script.
GPO settings
• Registry key for non-administrator remote registry reads.
o HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
o Set 'read' and 'apply gpo' permissions for your DNS service account.
Remote Registry & DNS
dnsnarf is born
Samba component used.
• net rpc registry enumerate
o manpage: net(8)
Remote registry location to read zones.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS
Server\Zones
Example test command
net -S kdc01.contoso.com \
-U administrator -W CONTOSO.COM \
rpc registry enumerate \
"\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"
Example net rpc output
Sample dnsnarf output (named.conf)
Questions?
Eric G. Wolfe <wolfe21@marshall.edu> © 2008
Senior Linux Administrator
Marshall University
This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United
States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or
send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Slides and code available at http://webpages.marshall.edu/~wolfe21/
Related documents
Questions for Unit-7
Questions for Unit-7
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
Assignment-2_old Paper
Assignment-2_old Paper
Membership Of The Students` Union
Membership Of The Students` Union
Super G on Raven PTarmigan January15th, 2009 RACE JURY
Super G on Raven PTarmigan January15th, 2009 RACE JURY
Donor Registry Form
Donor Registry Form
Clinical Registries In Hand Surgery
Clinical Registries In Hand Surgery
Lab 11 - Personal Web Pages
Lab 11 - Personal Web Pages
Download
advertisement