SLIDE 1

Integrating non-DCE/DFS Desktops into an existing DCE/DFS Environment

Markus Zahn
Computer Centre, Augsburg University
Markus.Zahn@RZ.Uni-Augsburg.DE
May 2000

slide-2
SLIDE 2

Integrating non-DCE/DFS Desktops into an existing DCE/DFS Environment

Overview

  • Introduction
  • Environment and Goals
  • Solution for Linux Clients
  • Upcoming Solution for Windows Clients
  • Conclusions
  • References

Markus Zahn — Augsburg University, Computer Centre 1

SLIDE 3

Introduction, assumptions and environment

Introduction

  • Large computing environments consist of many different platforms.
    – Unix (Solaris, HP/UX, AIX, . . . including Linux)
    – Windows 3.x/95/98/NT
    – Mac
    – . . .
  • Each platform has its own native authentication mechanism.
  • Each platform has its own native file sharing facilities.

⇒ There is definitely a great demand for both a single sign-on solution and a common file system.

SLIDE 4

Introduction, assumptions and environment

Basic Approach

  • Idea: Make use of a distributed system based on Unix and handle desktop access via gateway solutions (e.g. Samba, netatalk, . . . ).
  • NIS/NFS is not really desirable (security, scalability).
  • Make use of DCE/DFS:
    – Implementations for most Unix systems.
    – Windows and Mac implementation.

SLIDE 5

Introduction, assumptions and environment

Advantages

  • Leverage existing capital investment and expertise to provide file services from Unix to the different desktop systems.
  • Increase service by providing one single password for login, mail service etc.
  • Provide for Unix-based account management.

SLIDE 6

Introduction, assumptions and environment

Caveats

  • No DCE/DFS for Linux (at least no DFS):
    – How to authenticate against DCE?
    – Using the DFS/NFS gateway is far too much trouble (regarding authentication/authorization).
  • No DFS support for Mac and Windows ≠ NT ⇒ Samba, netatalk.
  • Login integration not too smart on Windows:
    – Accounts have to be known by DCE and Windows.
    – Make use of a customized GINA or find a different approach.

SLIDE 7

Introduction, assumptions and environment

Augsburg University’s Environment

  • Overall
    – 11 000 enrolled students.
    – 1 000 employees.
  • DCE cell (growing since 1994)
    – DCE/DFS is backbone of account management and file sharing.
    – 9 000 registered student accounts.
    – 600 registered employee accounts.
    – 400 affiliates with accounts.
  • Windows NT domain (students only, since 1996)
    – Student accounts derived from DCE registry.
    – Continued for traditional reasons mainly.

SLIDE 8

Our Solution

In general

  • Modify client systems as little as possible.
  • Make use of SSL to secure connections.

Linux integration

  • “Pluggable Authentication Module” (PAM) to allow integrated login.
  • Implicit DFS/NFS Gateway authentication/mapping.
  • Extend “Name Service Switch” (NSS) for DCE registry lookups.

SLIDE 9

Our Solution, continued

Windows integration (in progress)

  • Synchronize Windows NT and DCE registry.
  • Use integrated login (login against NT and DCE registry) and native DFS support on DCE/DFS-integrated systems.
  • Use SMB gateways elsewhere (e.g. Samba with Paul Henson’s extensions).
  • No modifications on the clients (except installation of DCE/DFS).

SLIDE 10

Inside PAM/NSS for Linux

Extending Linux

Major Components

  • “Pluggable Authentication Module” (pam_dce.so) to authenticate users.
  • “Name Service Switch” extension (libnss_dce.so.2) to make DCE registry lookups.
  • PAM-Dæmon on DFS/NFS Gateway server to process PAM requests and establish DFS/NFS mapping.
  • NSS-Dæmon on any DCE client to process NSS requests.

SLIDE 11

Inside PAM/NSS for Linux

Conceptual Overview

[Diagram: conceptual overview. Components shown: DCE Registry and DFS; DFS/NFS Gateway running pamdced and the NFS Server; DCE Client running nssdced; Linux Client with pam_dce.so, libnss_dce.so.2 and the NFS Client. The PAM/NSS connections from the Linux client are carried over SSL.]

SLIDE 12

Inside PAM/NSS for Linux

Linux Configuration

  • Compile/install modules (/lib/security/pam_dce.so and /lib/libnss_dce.so.2).
  • Set up PAM/DCE configuration (/etc/security/pam_dce.conf).
  • Install SSL certificate (/etc/security/pam_dce.pem).
  • Modify PAM configuration (e.g. /etc/pam.d/login):

auth required /lib/security/pam_dce.so

  • NSS/DCE configuration (/etc/nss_dce.conf).
  • Modify NSS configuration (/etc/nsswitch.conf):

passwd: files dce
group:  files dce

SLIDE 13

Inside PAM/NSS for Linux

Dæmon Setup

  • Compile/install dæmons on DCE client (/usr/local/pam_nss/pamdced and /usr/local/pam_nss/nssdced).
  • Create/install SSL certificate.
  • Add pamdced to /etc/inetd.conf.
  • Add nssdced to /etc/rc.local.

SLIDE 14

Inside PAM/NSS for Linux

Current Status

What is implemented . . .
  √ Authentication via PAM.
  √ Establish DFS/NFS mapping via PAM.
  √ SSL to secure PAM connections (i.e. password transfers).
  √ Support for the most important lookup methods (getpwnam(), getpwuid(), getgrnam() and getgrgid()).

SLIDE 15

Inside PAM/NSS for Linux

Current Status, continued

What is not implemented (yet) . . .
  – No session support, no kdestroy equivalent (⇒ security issue).
  – No password management yet.
  – Not all lookup methods implemented, for performance reasons (setpwent(), endpwent(), getpwent(), setgrent(), endgrent() and getgrent()).
  – No support for multiple nssdced dæmons (within client configuration) yet.
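
As an added illustration of the lookup side described on slides 12, 14 and 15 (example code written for this page, not the project's libnss_dce.so.2): a glibc-style NSS backend for the dce source named in nsswitch.conf, implementing getpwnam() and getpwuid() as the status slide lists them and leaving enumeration unimplemented. The user table and every name, id and path in it are constructed stand-ins for what the nssdced dæmon would return; the entry-point names follow glibc's _nss_<source>_<function> convention. Two things are worth seeing in code: the buffer contract (ERANGE and NSS_STATUS_TRYAGAIN when the caller's buffer is too small), which is the part of an NSS module that decides whether a long gecos or home directory becomes a memory-safety bug, and the fact that an unimplemented method returns NSS_STATUS_UNAVAIL so glibc falls through to the next source listed in nsswitch.conf.

```c
/* Added example, not code from the pam_nss_dce project: a glibc-style NSS
 * backend for the "dce" source in /etc/nsswitch.conf ("passwd: files dce").
 * The table below is a constructed stand-in for the reply of the nssdced
 * daemon; a real module would query the daemon instead. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Mirrors enum nss_status from glibc's <nss.h> so the file also builds
 * where that header is absent. */
enum nss_status { NSS_STATUS_TRYAGAIN = -2, NSS_STATUS_UNAVAIL = -1,
                  NSS_STATUS_NOTFOUND = 0, NSS_STATUS_SUCCESS = 1 };

/* Constructed sample entries; names, ids and paths are made up. */
struct registry_entry {
    const char *name; uid_t uid; gid_t gid;
    const char *gecos; const char *dir; const char *shell;
};
static const struct registry_entry sample_registry[] = {
    { "alice", 10001, 100, "Alice Example", "/dfs/home/alice", "/bin/bash" },
    { "bob",   10002, 100, "Bob Example",   "/dfs/home/bob",   "/bin/sh" },
};
#define REGISTRY_SIZE (sizeof sample_registry / sizeof sample_registry[0])

/* Copy one entry into the caller's struct passwd, placing every string in
 * the caller's buffer. The contract that keeps an NSS module safe: never
 * write past buflen; if the strings do not fit, set *errnop = ERANGE and
 * return NSS_STATUS_TRYAGAIN so glibc retries with a larger buffer. The
 * password field is "*": PAM authenticates, so no hash leaves the registry. */
static enum nss_status fill_passwd(const struct registry_entry *e,
        struct passwd *pw, char *buffer, size_t buflen, int *errnop)
{
    const char *src[5] = { e->name, "*", e->gecos, e->dir, e->shell };
    char **dst[5] = { &pw->pw_name, &pw->pw_passwd, &pw->pw_gecos,
                      &pw->pw_dir, &pw->pw_shell };
    size_t needed = 0, i;

    for (i = 0; i < 5; i++)
        needed += strlen(src[i]) + 1;
    if (needed > buflen) {
        *errnop = ERANGE;
        return NSS_STATUS_TRYAGAIN;
    }
    for (i = 0; i < 5; i++) {
        size_t len = strlen(src[i]) + 1;
        memcpy(buffer, src[i], len);
        *dst[i] = buffer;
        buffer += len;
    }
    pw->pw_uid = e->uid;
    pw->pw_gid = e->gid;
    return NSS_STATUS_SUCCESS;
}

/* The passwd lookups the status slide lists as implemented. glibc resolves
 * _nss_<source>_<function>, so "dce" in nsswitch.conf selects these. */
enum nss_status _nss_dce_getpwnam_r(const char *name, struct passwd *pw,
        char *buffer, size_t buflen, int *errnop)
{
    size_t i;
    for (i = 0; i < REGISTRY_SIZE; i++)
        if (strcmp(sample_registry[i].name, name) == 0)
            return fill_passwd(&sample_registry[i], pw, buffer, buflen, errnop);
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}

enum nss_status _nss_dce_getpwuid_r(uid_t uid, struct passwd *pw,
        char *buffer, size_t buflen, int *errnop)
{
    size_t i;
    for (i = 0; i < REGISTRY_SIZE; i++)
        if (sample_registry[i].uid == uid)
            return fill_passwd(&sample_registry[i], pw, buffer, buflen, errnop);
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}

/* Enumeration is left out, as on the status slide. NSS_STATUS_UNAVAIL tells
 * glibc this source cannot answer, so it continues with the next source in
 * nsswitch.conf instead of failing the whole getpwent() call. */
enum nss_status _nss_dce_setpwent(int stayopen) { (void)stayopen; return NSS_STATUS_UNAVAIL; }

/* Stand-alone run: a too-small buffer first, then the retry with a larger
 * one, the way a getpwnam_r() caller is expected to loop on ERANGE. */
int main(void)
{
    struct passwd pw;
    char small[16], big[256];
    int err = 0;

    if (_nss_dce_getpwnam_r("alice", &pw, small, sizeof small, &err) == NSS_STATUS_TRYAGAIN)
        printf("16-byte buffer: %s\n", strerror(err));
    if (_nss_dce_getpwnam_r("alice", &pw, big, sizeof big, &err) == NSS_STATUS_SUCCESS)
        printf("%s uid=%lu gid=%lu home=%s\n", pw.pw_name,
               (unsigned long)pw.pw_uid, (unsigned long)pw.pw_gid, pw.pw_dir);
    return 0;
}
```

The group lookups (getgrnam(), getgrgid()) follow the same pattern with struct group; the one addition is the gr_mem pointer array, which must also be placed inside the caller's buffer and counted against buflen.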

SLIDE 16

Integrating Windows clients

We are planning to . . .

  • make use of existing Windows NT servers (mainly for traditional reasons).
  • synchronize DCE registry and Windows NT registry.
    – Add new accounts to both registries.
    – Propagate password changes from DCE to NT and vice versa.
    – Use password strength facilities of DCE (password strength server) and NT (password strength DLL).
  • use patched Samba to export DFS home directories.

SLIDE 17

Integrating Windows clients

Conceptual Overview

[Diagram: conceptual overview of the Windows integration. Components shown: DCE Server with registry and PWD Strength server; Windows NT PDC with PWD Strength DLL; SMB Gateways (each a DCE/DFS Client); Windows 3.x/95/98 clients; Windows NT clients with DCE/DFS Client and Integrated Login. Edges are labelled authentication, password propagation (between DCE registry and NT PDC), DFS access, and SSL.]

SLIDE 18

Conclusions

  • PAM/NSS-DCE integration for Linux in production use for > 2 months now.
  • DFS access over DFS/NFS Gateway is restricted to NFS capabilities (e.g. no ACL support).
  • Installation is plug & play.
  • No major problems up to now.
  • Additional features on wish list.

SLIDE 19

References

  • PAM/NSS-DCE Homepage:

http://www.rz.uni-augsburg.de/~zahn/pam_nss_dce/

  • Linux-PAM:

ftp://ftp.kernel.org/pub/linux/libs/pam/index.html

  • The GNU C Library — System Databases and Name Service Switch:

http://www.gnu.org/manual/glibc-2.0.6/html_chapter/libc_25.html

  • Paul Henson’s Samba patches and authentication extensions:

http://www.csupomona.edu/~henson/www/projects/dce_patches/samba/
http://www.csupomona.edu/~henson/www/projects/sec_auth/

  • Synchronizing NT and Unix passwords with DCE:

http://www.icaen.uiowa.edu/ntpw/
