Square Pegs in Round Holes: Linux in a Windows World
Eric G. Wolfe <wolfe21@marshall.edu>, Senior Linux Administrator, Marshall University, © 2008
Slides and code available at http://webpages.marshall.edu/~wolfe21

Part 1: Understanding the technology

What is Active Directory?
Active Directory
• A pre-configured authentication and authorization solution offered by Microsoft.
• Components
  o DNS
  o Kerberos
  o LDAP
  o MSRPC
• Pros
  o Simple to manage and maintain.
• Cons
  o Interoperability requires some knowledge of the underlying components.

What is Kerberos?
Kerberos
• A secure authentication protocol.
• The password itself is never sent to the server; the client proves it holds the key derived from the password (for example by encrypting a timestamp with that key during pre-authentication).
• Tickets are granted to the client.
• Tickets can be used as authentication against services.
• Implementations
  o MIT Kerberos (US)
  o Heimdal (Sweden)
• Pros
  o Centralized user management.
  o Protocol exchanges are protected by default; no cleartext credentials cross the wire.
  o Third-party support.
• Cons
  o Time synchronization must be precise: tickets are rejected once client and KDC clocks differ by more than the allowed skew (5 minutes by default).
  o Password management is not standardized across implementations.

What is LDAP?
Lightweight Directory Access Protocol
• A directory is like a database optimized for reads.
• In AD integration, LDAP supplies the identity and group information used for authorization.
• Contains centralized information
  o user and group
  o application configuration
• Pros
  o Usernames have a relationship to centralized attributes.
• Cons
  o The directory schema is not standardized across vendors.
  o Performance degrades as the number of clients and applications increases.

What is MSRPC?
Microsoft Remote Procedure Call
• A modified version of The Open Group's DCE/RPC 1.1 (Distributed Computing Environment Remote Procedure Call).
• MSRPC is how Microsoft operating systems talk to each other.
  o "Domain member" servers resolve usernames and groups between one another.
  o Remote Registry service
  o Administrative tools (Microsoft Management Console)

Part 2: Configuring these technologies, the basics of AD integration

Setting up Kerberos: pam_krb5
This is specific to Red Hat Enterprise Linux.
• Easy way
  o setup (select Authentication Config)
  o authconfig-tui
• Harder way, editing config files:
  o /etc/krb5.conf
  o /etc/pam.d/system-auth
Note: Debian/Ubuntu splits system-auth into
  /etc/pam.d/common-auth
  /etc/pam.d/common-account
  /etc/pam.d/common-password
  /etc/pam.d/common-session

Video Demonstration

Setting up Kerberos: mod_auth_kerb
• Kerberos authentication in Apache
  o behaves like IIS Windows Integrated Authentication.
  o sets REMOTE_USER (in PHP, $_SERVER['REMOTE_USER']) for use in custom or third-party web applications.
• The Kerberos exchange between the Domain Controller and the web server is protected.
  o You still need SSL/TLS for client -> webserver: Kerberos protects the login, not the HTTP session or its content.
• Two files
  o /etc/httpd/conf.d/auth_kerb.conf (module configuration)
  o /etc/httpd/conf.d/auth_kerb.keytab (the web server's service principal key; it is a credential, so keep it readable only by the Apache user)

Setting up Samba
Join a domain
– Edit /etc/samba/smb.conf (next slide)
– Configure services
  o chkconfig smb on
  o chkconfig winbind on
  o chkconfig nscd off
– Stop or start services
  o /etc/init.d/smb start
  o /etc/init.d/winbind start
  o /etc/init.d/nscd stop (nscd's cache conflicts with winbind's own caching)
– Join domain
  o net ads join createcomputer="Organizational Unit" -Uadministrator

Video Demonstration

PAM Samba configuration

Name Service Switch

Part 3: Advanced tricks, Linux & MSRPC

Remote Registry & DNS: DNS management
• Problems encountered
  o You can read AD-integrated zones from LDAP, but the majority of our zones are NOT AD-integrated.
  o We have thousands of internal reverse zones; it is tedious to maintain them on several servers individually.
  o There is no DNS standard allowing a slave server to grab all of the zone names off a primary.
• Observation
  o The zone list of a Windows DNS server can be read remotely from a registry branch with Samba.

Remote Registry & DNS: configuring dnsnarf
• Create a DNS service account in AD for the script.
• GPO settings
  o Registry key controlling non-administrator remote registry reads:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  o Set 'read' and 'apply gpo' permissions for your DNS service account; read access to this branch is all the script needs, so do not make the account an administrator.

Remote Registry & DNS: dnsnarf is born
Samba component used
• net rpc registry enumerate
  o manpage: net(8)
Remote registry location to read zones:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones

Example test command
  net -S kdc01.contoso.com \
      -U administrator -W CONTOSO.COM \
      rpc registry enumerate \
      "\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"

Example net rpc output

Sample dnsnarf output (named.conf)

Questions?
Eric G. Wolfe <wolfe21@marshall.edu>, Senior Linux Administrator, Marshall University, © 2008
This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Slides and code available at http://webpages.marshall.edu/~wolfe21/
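Worked example for the Part 2 procedure (Kerberos config, smb.conf, service setup, domain join). This is an added script, not the presentation's own code: it generates the two files the slides edit by hand, refuses to join when the clock skew exceeds Kerberos' 5-minute default (the con listed under Kerberos), then runs the slides' join and service commands. CONTOSO.COM and kdc01.contoso.com come from the talk's test command; the NetBIOS name CONTOSO, the idmap ranges, and the use of GNU date to parse `net time -S` output are assumptions, and the smb.conf idmap lines use current (Samba 3.6+) syntax rather than the 2008 form.

```shell
#!/bin/bash
# Added example (not the presentation's own code): generate the Kerberos and
# Samba client configuration the slides edit by hand, check clock skew, and
# join the domain. REALM/WORKGROUP/DC are placeholders; CONTOSO.COM and
# kdc01.contoso.com are the names used in the talk's own test command.
# The smb.conf idmap lines use current (Samba 3.6+) syntax, not the 2008 form.
set -eu

REALM="${REALM:-CONTOSO.COM}"       # Kerberos realm = AD DNS domain, upper case
WORKGROUP="${WORKGROUP:-CONTOSO}"   # NetBIOS domain name (assumed)
DC="${DC:-kdc01.contoso.com}"       # domain controller / KDC
MAX_SKEW=300                         # Kerberos default clockskew: 5 minutes

# Kerberos rejects tickets once client and KDC clocks differ by more than
# the clockskew limit. Returns 0 when |local - kdc| <= MAX_SKEW seconds.
skew_ok() {
    local now="$1" kdc="$2" diff
    diff=$(( now - kdc ))
    [ "$diff" -ge 0 ] || diff=$(( -diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# Minimal /etc/krb5.conf. AD publishes _kerberos._tcp SRV records, so KDC
# lookup via DNS works; the explicit kdc line is a fallback.
gen_krb5_conf() {
    local realm="$1" kdc="$2" domain
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# smb.conf [global] for an AD member using winbind. The idmap ranges must not
# overlap local uids in /etc/passwd, or domain users could map onto local accounts.
gen_smb_conf() {
    local workgroup="$1" realm="$2"
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config $workgroup : backend = rid
    idmap config $workgroup : range = 100000-999999
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

# Privileged part: needs root, network access to the DC and domain admin
# credentials. OU is given in Samba's createcomputer form, e.g. "Servers/Linux".
do_join() {
    local ou="$1" admin="${2:-administrator}" kdc_now
    gen_krb5_conf "$REALM" "$DC" > /etc/krb5.conf
    gen_smb_conf "$WORKGROUP" "$REALM" > /etc/samba/smb.conf
    # 'net time -S' prints the DC's clock; GNU date parses it (assumed, RHEL).
    kdc_now=$(date -d "$(net time -S "$DC")" +%s)
    if ! skew_ok "$(date +%s)" "$kdc_now"; then
        echo "clock skew exceeds ${MAX_SKEW}s; fix NTP before joining" >&2
        return 1
    fi
    net ads join createcomputer="$ou" -U "$admin"
    chkconfig smb on; chkconfig winbind on; chkconfig nscd off
    /etc/init.d/nscd stop || true
    /etc/init.d/smb start; /etc/init.d/winbind start
    # Verify: machine account secret works, then a domain user resolves via NSS.
    net ads testjoin && wbinfo -t && getent passwd "$admin"
}

# Only touch the system when run explicitly:  ./adjoin.sh join "Servers/Linux"
if [ "${1:-}" = "join" ]; then
    do_join "${2:-Computers}"
fi
```

The skew check runs before `net ads join` because a failed join for clock reasons leaves a half-created computer account behind; the final `getent passwd` is the quickest proof that PAM and NSS will see domain users once `pam_winbind` and the `winbind` NSS entries from the next two slides are in place.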
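Worked example for Part 3 (the dnsnarf idea: enumerate the Zones registry key with Samba and turn the result into named.conf slave stanzas). This is an added script, not the dnsnarf code from the talk. The enumerate output format it parses ("Keyname   = <subkey>" lines) is assumed from Samba 3's `net rpc registry enumerate`; the registry path and the `net` invocation are the ones on the slides; the sample output, the master address 192.0.2.10 and the zone directory are constructed placeholders. The point it adds: subkey names arrive from a remote host, so they are whitelisted before being written into a file that BIND will parse.

```shell
#!/bin/bash
# Added example, not the dnsnarf script from the talk: turn the subkeys of the
# Windows DNS "Zones" registry key, as listed by 'net rpc registry enumerate',
# into slave-zone stanzas for named.conf. The enumerate output format below
# ("Keyname   = <subkey>" lines) is assumed from Samba 3; the registry key
# path and test command are the ones on the slides. MASTER and ZONEDIR are
# placeholders.
set -eu

MASTER="${MASTER:-192.0.2.10}"   # IP of the Windows DNS server (assumed)
ZONEDIR="${ZONEDIR:-slaves}"     # relative to BIND's "directory" option

# Constructed sample of enumerate output: the server's ..Cache (root hints)
# pseudo-zone, a forward zone, one of the reverse zones the talk cares about,
# and a hostile key name to exercise the validation below.
SAMPLE_OUTPUT='Keyname   = ..Cache
Modtime   = Mon Jan 07 10:00:00 2008

Keyname   = contoso.com
Modtime   = Mon Jan 07 10:00:00 2008

Keyname   = 10.in-addr.arpa
Modtime   = Mon Jan 07 10:00:00 2008

Keyname   = _msdcs.contoso.com
Modtime   = Mon Jan 07 10:00:00 2008

Keyname   = evil"; }; include "/etc/named.secret
Modtime   = Mon Jan 07 10:00:00 2008
'

# Read enumerate output on stdin, print one zone name per line. Key names come
# from a remote registry, so whitelist the characters a zone name may contain
# before they are interpolated into named.conf or used as a file name.
parse_zones() {
    sed -n 's/^Keyname[[:space:]]*=[[:space:]]*//p' |
    while IFS= read -r name; do
        case "$name" in
            ..*)               continue ;;   # ..Cache / ..RootHints pseudo-zones
            *[!A-Za-z0-9._-]*) echo "dnsnarf: skipping unsafe key '$name'" >&2; continue ;;
            *..*|.*|-*)        echo "dnsnarf: skipping malformed zone '$name'" >&2; continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Emit one slave stanza per zone. The zone file name is the zone itself; the
# whitelist above guarantees it holds no '/', '..' or quote characters.
gen_named_conf() {
    local master="$1" zonedir="$2" zone
    parse_zones | while IFS= read -r zone; do
        printf 'zone "%s" {\n' "$zone"
        printf '    type slave;\n'
        printf '    masters { %s; };\n' "$master"
        printf '    file "%s/%s.db";\n' "$zonedir" "$zone"
        printf '};\n\n'
    done
}

# Live use chains the slides' test command into the same pipeline, then lets
# named-checkconf reject anything the whitelist missed before BIND reloads:
#   net -S kdc01.contoso.com -U administrator -W CONTOSO.COM rpc registry enumerate \
#       'HKLM\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones' \
#     | gen_named_conf "$MASTER" "$ZONEDIR" > /etc/named.dnsnarf.conf && named-checkconf
# Offline demo on the constructed sample:
printf '%s' "$SAMPLE_OUTPUT" | gen_named_conf "$MASTER" "$ZONEDIR"
```

On the sample above the script emits stanzas for contoso.com, 10.in-addr.arpa and _msdcs.contoso.com, drops ..Cache, and logs the hostile key name to stderr instead of writing `include "/etc/named.secret"` into named.conf. Any further pseudo-zones your Windows version stores under the same key can be excluded the same way, and a `named-checkconf` run before reloading is the last line of defence.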