Directory Services and Interoperability A short chronicle of FAIL! - - PowerPoint PPT Presentation



SLIDE 1

Directory Services and Interoperability

A short chronicle of FAIL! :-)

Simo Sorce

Samba Team / Red Hat, Inc.

SLIDE 2

Directory Services

Centralize:

  • management of users
  • management of machines
  • control of security settings
  • configuration management

SLIDE 3

Windows – Active Directory

  • Good LDAP/Kerberos integration
  • Excellent support for Windows machines
  • Support for Linux/Unix machines
  • Good configuration management for Windows machines (Group Policies)

SLIDE 4

Linux / Unix

  • Good LDAP and Kerberos implementations, but integration is left to end users *
  • Good support for Linux/Unix machines
  • No real support for Windows clients
  • No integrated configuration management, but there are excellent solutions like Puppet

* FreeIPA is Red Hat's attempt to fix this

SLIDE 5

Problems

  • Ownership of the directory/data
  • Semantic mismatches between OSs
  • Custom extensions/data
  • Configuration management for different OSs

SLIDE 6

What is FreeIPA ?

Why FreeIPA? IPA stands for Identity, Policy, Audit.

FreeIPA is an integrated security information management solution combining 389 DS, MIT Kerberos, NTP and ISC BIND. It is managed through a web interface and command-line tools.

SLIDE 7

What is FreeIPA ?

Currently supports synchronization of users and credentials with AD domains through the DS winsync/passsync plugins. Samba integration is the next target.

SLIDE 8

Integration Strategies

  • Users replicated between AD and another LDAP directory
  • Samba4 on top of your LDAP server
  • Trust relationship between AD and an integrated LDAP/Kerberos/Samba solution

SLIDE 9

Replicating identities

Synchronization issues:

  • out of sync trees
  • conflicts
  • single point of failure

Groups?

  • I want my own!
  • Nested Groups ?
  • Foreign Groups ?

Authentication?

  • password synchronization
  • no Single-Sign-On
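
The synchronization problems listed above (out-of-sync trees, conflicts) are only manageable if the sync job can tell a one-sided update from a genuine conflict. The following is an added example, not code from FreeIPA or the 389 DS winsync plugin: a three-way comparison of the snapshot recorded at the last successful sync against the current state of AD and of the LDAP tree. The directories, attribute names and entries are constructed for the demo; the identity key (the login name) and the `uidNumber` collision check are assumptions about how the two sides are correlated.

```python
"""Three-way comparison of user entries replicated between AD and an LDAP tree.

Added example, not the 389 DS winsync plugin. BASE is the snapshot taken at
the last successful sync; AD and LDAP are the current state of each side.
Every entry, attribute and value below is constructed for the demo.
"""

# Constructed directories, keyed by a common identifier (the login name).
BASE = {
    "alice": {"cn": "Alice", "mail": "alice@example.com", "uidNumber": "1001"},
    "bob":   {"cn": "Bob",   "mail": "bob@example.com",   "uidNumber": "1002"},
    "erin":  {"cn": "Erin",  "mail": "erin@example.com",  "uidNumber": "1004"},
}
AD = {
    "alice": {"cn": "Alice", "mail": "alice.s@example.com", "uidNumber": "1001"},  # AD changed mail
    "bob":   {"cn": "Bob",   "mail": "robert@example.com",  "uidNumber": "1002"},  # AD changed mail
    "carol": {"cn": "Carol", "mail": "carol@example.com",   "uidNumber": "1003"},  # created in AD only
    "erin":  {"cn": "Erin",  "mail": "erin@example.com",    "uidNumber": "1004"},
}
LDAP = {
    "alice": {"cn": "Alice", "mail": "alice@example.com", "uidNumber": "1001"},    # untouched
    "bob":   {"cn": "Bob",   "mail": "bob.b@example.com", "uidNumber": "1002"},    # LDAP also changed mail
    "dave":  {"cn": "Dave",  "mail": "dave@example.com",  "uidNumber": "1003"},    # created in LDAP only, reuses 1003
    # erin was deleted on the LDAP side
}


def classify_drift(base, ad, ldap):
    """Classify every difference between the two sides against the last-sync snapshot."""
    findings = {
        "new_in_ad": [], "new_in_ldap": [],          # created on one side, not yet replicated
        "deleted_in_ad": [], "deleted_in_ldap": [],  # in the snapshot, gone on one side
        "resolvable": [],   # (key, attr, direction): changed on one side only since the snapshot
        "conflicts": [],    # (key, attr, ad_value, ldap_value): changed on both sides
        "uidnumber_collisions": [],  # (uidNumber, [keys]): one POSIX id, two different accounts
    }
    for key in sorted(set(ad) | set(ldap)):
        a, l = ad.get(key), ldap.get(key)
        if l is None:
            findings["deleted_in_ldap" if key in base else "new_in_ad"].append(key)
            continue
        if a is None:
            findings["deleted_in_ad" if key in base else "new_in_ldap"].append(key)
            continue
        b = base.get(key, {})
        for attr in sorted(set(a) | set(l)):
            va, vl, vb = a.get(attr), l.get(attr), b.get(attr)
            if va == vl:
                continue
            if vl == vb:            # only AD moved since the snapshot: safe to push AD -> LDAP
                findings["resolvable"].append((key, attr, "ad->ldap"))
            elif va == vb:          # only LDAP moved: safe to push LDAP -> AD
                findings["resolvable"].append((key, attr, "ldap->ad"))
            else:                   # both moved: a sync job must not silently pick a winner
                findings["conflicts"].append((key, attr, va, vl))
    # Independently created accounts can collide on the POSIX id even when the names differ.
    owners = {}
    for side in (ad, ldap):
        for key, entry in side.items():
            if "uidNumber" in entry:
                owners.setdefault(entry["uidNumber"], set()).add(key)
    for uid, keys in sorted(owners.items()):
        if len(keys) > 1:
            findings["uidnumber_collisions"].append((uid, sorted(keys)))
    return findings


if __name__ == "__main__":
    for kind, items in classify_drift(BASE, AD, LDAP).items():
        print(f"{kind}: {items}")
```

Without the snapshot, a two-way diff cannot distinguish "AD changed it" from "LDAP changed it", which is exactly how a naive sync job overwrites the wrong side; the `uidNumber` check catches the case where both sides mint accounts independently and two different people end up owning the same POSIX id on the Unix hosts.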
SLIDE 10

Samba-AD on pre-existing Directory

SLIDE 11

Trust relationship diagram

[Diagram: user@REALM.A, the KDC for REALM.A, the KDC for REALM.B and the service CIFS/SRV@REALM.B, with the ticket flow drawn as five numbered steps: the user obtains a TGT from its own KDC, exchanges it for a cross-realm TGT for REALM.B, presents that to the REALM.B KDC for a service ticket, and presents the service ticket to CIFS/SRV@REALM.B.]
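
The ticket path the diagram shows, as an added example that is not part of the original slides nor MIT krb5 or Samba code. Tickets are simplified: the body stays in clear and an HMAC under the holder's key stands in for encryption, which is enough to show which KDC can mint which ticket and how the `transited` field accumulates the realms a request crossed. The realm names, the principal names, the third realm REALM.C (which only has a key shared with REALM.A) and the service-side `allowed_transited` policy knob are assumptions for this demo; in real Kerberos the equivalent check is the transited-realm policy that either the KDC (setting TRANSITED-POLICY-CHECKED) or the application server enforces.

```python
"""Cross-realm Kerberos path from user@REALM.A to cifs/srv.realm.b@REALM.B.

Added example, not MIT krb5 or Samba code. A cross-realm key krbtgt/B@A is
held by both KDC A (to issue) and KDC B (to verify); that shared key is the
trust. Realm and principal names are assumptions for the demo.
"""
import hashlib
import hmac
import json
import os


def seal(key, body):
    """Toy ticket: clear body plus HMAC. Real tickets are encrypted under the server key."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, raw, hashlib.sha256).hexdigest()}


def unseal(key, ticket):
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    if not hmac.compare_digest(ticket["mac"], hmac.new(key, raw, hashlib.sha256).hexdigest()):
        raise ValueError("ticket was not sealed with this key")
    return ticket["body"]


class KDC:
    def __init__(self, realm):
        self.realm, self.keys = realm, {}

    def add_key(self, principal, key=None):
        self.keys[principal] = key or os.urandom(32)
        return self.keys[principal]

    def as_exchange(self, client):
        """AS-REQ/AS-REP: the home KDC hands out a TGT (client pre-auth omitted)."""
        if client.rsplit("@", 1)[1] != self.realm:
            raise ValueError("AS-REQ must go to the client's home realm")
        tgt_name = f"krbtgt/{self.realm}@{self.realm}"
        return seal(self.keys[tgt_name], {"client": client, "server": tgt_name, "transited": []})

    def tgs_exchange(self, tgt, server):
        """TGS-REQ/TGS-REP: accept our own TGT or a cross-realm TGT sealed with a shared key."""
        tgt_server = tgt["body"]["server"]
        if not tgt_server.startswith(f"krbtgt/{self.realm}@") or tgt_server not in self.keys:
            raise ValueError("TGT is not for this realm")
        body = unseal(self.keys[tgt_server], tgt)
        issuing_realm = tgt_server.rsplit("@", 1)[1]
        client_realm = body["client"].rsplit("@", 1)[1]
        transited = list(body["transited"])
        # Record every realm between the client's realm and ours (RFC 4120 transited field).
        if issuing_realm not in (client_realm, self.realm):
            transited.append(issuing_realm)
        if server not in self.keys:          # no key, no trust: cannot mint a ticket for it
            raise ValueError(f"{server} unknown in {self.realm}")
        return seal(self.keys[server], {"client": body["client"], "server": server, "transited": transited})


class Service:
    def __init__(self, principal, key, allowed_transited=()):
        self.principal, self.key = principal, key
        self.allowed_transited = frozenset(allowed_transited)  # assumed policy knob

    def ap_exchange(self, ticket):
        """AP-REQ: verify the service ticket and apply the transited-realm policy."""
        body = unseal(self.key, ticket)
        if body["server"] != self.principal:
            raise ValueError("ticket is for another service")
        via = set(body["transited"]) - self.allowed_transited
        if via:
            raise ValueError(f"path through {sorted(via)} not permitted by transited policy")
        return body


def build_realms():
    a, b, c = KDC("REALM.A"), KDC("REALM.B"), KDC("REALM.C")
    for k in (a, b, c):
        k.add_key(f"krbtgt/{k.realm}@{k.realm}")
    b.add_key("krbtgt/REALM.B@REALM.A", a.add_key("krbtgt/REALM.B@REALM.A"))  # A -> B trust
    a.add_key("krbtgt/REALM.A@REALM.C", c.add_key("krbtgt/REALM.A@REALM.C"))  # C -> A trust only
    cifs = Service("cifs/srv.realm.b@REALM.B", b.add_key("cifs/srv.realm.b@REALM.B"))
    return {k.realm: k for k in (a, b, c)}, cifs


def access_cifs(client, path, kdcs, service):
    """Walk the diagram: AS at the home KDC, one cross-realm TGS per hop, TGS at B, AP-REQ."""
    tgt = kdcs[path[0]].as_exchange(client)
    for here, nxt in zip(path, path[1:]):
        tgt = kdcs[here].tgs_exchange(tgt, f"krbtgt/{nxt}@{here}")
    service_ticket = kdcs[path[-1]].tgs_exchange(tgt, service.principal)
    return service.ap_exchange(service_ticket)


if __name__ == "__main__":
    kdcs, cifs = build_realms()
    print(access_cifs("user@REALM.A", ["REALM.A", "REALM.B"], kdcs, cifs))
```

The direct A to B path succeeds with an empty `transited` list; a user from REALM.C reaching the same share through REALM.A arrives with `transited == ["REALM.A"]` and is refused unless the service explicitly allows that intermediate realm, which is the difference between the "simple" trust and a transitive forest-style trust discussed on the following slides.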

SLIDE 12

What kind of trust?

  • Simple AD-MIT Kerberos trust
  • Full external/forest-level trust

SLIDE 13

Required protocols for full AD trust

  • DNS
  • KRB5 (+ MS-PAC)
  • NETLOGON
  • LSARPC
  • CLDAP (?)

SLIDE 14

What would it look like?

[Architecture diagram: LDAP, KDC, Samba and DNS components. Labelled flows: DNS updates, PAC generation/validation, and users/machines/trust credentials; AD connects over NETLOGON / LSA; the LDAP store holds the data.]
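
"KRB5 (+ MS-PAC)" on the protocol list and "PAC generation/validation" in the diagram are the piece a Kerberos-only deployment lacks: the KDC must emit a PAC in the service ticket and the Windows side must be able to verify it. The following is an added example, not Samba or FreeIPA code: it frames buffers into the PACTYPE layout from MS-PAC (header of buffer count and version, then PAC_INFO_BUFFER entries of type, size and 64-bit offset, buffers 8-byte aligned) and computes the server and KDC checksums with KERB_CHECKSUM_HMAC_MD5 (the RFC 4757 keyed checksum, key usage 17): the server checksum covers the whole PAC with both signature fields zeroed, the KDC checksum covers the server signature. The logon-info payload is a constructed placeholder (a real KERB_VALIDATION_INFO is NDR-marshalled), the keys are constructed, and only the HMAC-MD5 checksum type is handled.

```python
"""Build and validate the server/KDC checksums of a minimal MS-PAC.

Added example, not Samba/FreeIPA code. Layout follows MS-PAC (PACTYPE,
PAC_INFO_BUFFER, PAC_SIGNATURE_DATA); the checksum is KERB_CHECKSUM_HMAC_MD5
with key usage 17. Keys and the logon-info blob are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_KDC_CHECKSUM = 7
PAC_CLIENT_INFO = 10
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138 as unsigned; 16-byte signature
KERB_NON_KERB_CKSUM_SALT = 17         # key usage number for PAC signatures
SIG_LEN = 16


def hmac_md5_checksum(key: bytes, data: bytes, usage: int = KERB_NON_KERB_CKSUM_SALT) -> bytes:
    """RFC 4757 keyed checksum: HMAC(Ksign, MD5(usage || data)), Ksign = HMAC(K, "signaturekey\\0")."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def _align8(n: int) -> int:
    return (n + 7) & ~7


def encode_pac(buffers) -> bytes:
    """buffers: list of (ulType, bytes). Returns a PACTYPE blob with 8-byte aligned buffers."""
    header_len = 8 + 16 * len(buffers)
    offset = _align8(header_len)
    entries, body = [], bytearray()
    for btype, data in buffers:
        entries.append(struct.pack("<IIQ", btype, len(data), offset))   # PAC_INFO_BUFFER
        body += data + b"\x00" * (_align8(len(data)) - len(data))
        offset += _align8(len(data))
    header = struct.pack("<II", len(buffers), 0) + b"".join(entries)   # cBuffers, Version
    return bytes(header + b"\x00" * (_align8(header_len) - header_len) + body)


def decode_pac(blob: bytes):
    """Return [(ulType, offset, data)], refusing buffers that point outside the blob."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    bufs = []
    for i in range(count):
        btype, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if off + size > len(blob):
            raise ValueError("PAC buffer extends past end of blob")
        bufs.append((btype, off, blob[off:off + size]))
    return bufs


def client_info(name: str, filetime: int = 0) -> bytes:
    """PAC_CLIENT_INFO: ClientId (FILETIME), NameLength, Name as UTF-16LE."""
    utf16 = name.encode("utf-16-le")
    return struct.pack("<QH", filetime, len(utf16)) + utf16


def _sig_offsets(bufs):
    """Absolute offset of the Signature field inside the server and KDC checksum buffers."""
    offs = {}
    for btype, off, data in bufs:
        if btype in (PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM):
            if len(data) < 4 + SIG_LEN or struct.unpack_from("<I", data, 0)[0] != KERB_CHECKSUM_HMAC_MD5:
                raise ValueError("unsupported or truncated PAC_SIGNATURE_DATA")
            offs[btype] = off + 4
    if set(offs) != {PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM}:
        raise ValueError("PAC lacks a server or KDC checksum buffer")
    return offs


def build_signed_pac(logon_info: bytes, client_name: str, service_key: bytes, krbtgt_key: bytes) -> bytes:
    zero_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * SIG_LEN
    blob = bytearray(encode_pac([(PAC_LOGON_INFO, logon_info), (PAC_CLIENT_INFO, client_info(client_name)),
                                 (PAC_SERVER_CHECKSUM, zero_sig), (PAC_KDC_CHECKSUM, zero_sig)]))
    offs = _sig_offsets(decode_pac(bytes(blob)))
    server_sig = hmac_md5_checksum(service_key, bytes(blob))        # over PAC with zeroed signatures
    kdc_sig = hmac_md5_checksum(krbtgt_key, server_sig)             # over the server signature only
    blob[offs[PAC_SERVER_CHECKSUM]:offs[PAC_SERVER_CHECKSUM] + SIG_LEN] = server_sig
    blob[offs[PAC_KDC_CHECKSUM]:offs[PAC_KDC_CHECKSUM] + SIG_LEN] = kdc_sig
    return bytes(blob)


def verify_pac(blob: bytes, service_key: bytes, krbtgt_key: Optional[bytes] = None) -> bool:
    """A service checks the server checksum; only a KDC (or a DC) can also check the KDC checksum."""
    offs = _sig_offsets(decode_pac(blob))
    server_sig = blob[offs[PAC_SERVER_CHECKSUM]:offs[PAC_SERVER_CHECKSUM] + SIG_LEN]
    kdc_sig = blob[offs[PAC_KDC_CHECKSUM]:offs[PAC_KDC_CHECKSUM] + SIG_LEN]
    zeroed = bytearray(blob)
    for off in offs.values():
        zeroed[off:off + SIG_LEN] = b"\x00" * SIG_LEN
    ok = hmac.compare_digest(hmac_md5_checksum(service_key, bytes(zeroed)), server_sig)
    if krbtgt_key is not None:
        ok = ok and hmac.compare_digest(hmac_md5_checksum(krbtgt_key, server_sig), kdc_sig)
    return ok


if __name__ == "__main__":
    svc_key, tgt_key = bytes(range(16)), bytes(range(16, 32))          # constructed keys
    pac = build_signed_pac(b"\x01\x02", "user", svc_key, tgt_key)      # constructed logon-info blob
    print(len(pac), verify_pac(pac, svc_key, tgt_key))
```

The split between the two checksums is what makes the trust workable: a file server in the AD forest only needs its own key to validate the server checksum, while the KDC checksum lets a domain controller confirm that the PAC really came from a KDC holding the krbtgt key, so a Samba/FreeIPA KDC that wants its Unix users accepted by Windows resources must produce both.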

SLIDE 15

Problems ?

  • Foreign domain users/groups
  • Custom groups to manage foreign users
  • PAC for Unix/Linux users that want to access Windows resources

SLIDE 16

Questions?

* Picture by user sfllaw on Flickr, Creative Commons ShareAlike license