Integrating non-DCE/DFS Desktops into an existing DCE/DFS - PowerPoint PPT Presentation



  1. Integrating non-DCE/DFS Desktops into an existing DCE/DFS Environment
     Markus Zahn, Computer Centre, Augsburg University
     Markus.Zahn@RZ.Uni-Augsburg.DE
     May 2000

  2. Integrating non-DCE/DFS Desktops into an existing DCE/DFS Environment
     Overview
     • Introduction
     • Environment and Goals
     • Solution for Linux Clients
     • Upcoming Solution for Windows Clients
     • Conclusions
     • References
     Markus Zahn — Augsburg University, Computer Centre 1

  3. Introduction, assumptions and environment
     Introduction
     • Large computing environments consist of many different platforms.
       – Unix (Solaris, HP/UX, AIX, . . . including Linux)
       – Windows 3.x/95/98/NT
       – Mac
       – . . .
     • Each platform has its own native authentication mechanism.
     • Each platform has its own native file sharing facilities.
     ⇒ There is definitely a great demand for both a single sign-on solution and a common file system.

  4. Introduction, assumptions and environment
     Basic Approach
     • Idea: Make use of a distributed system based on Unix and handle desktop access via gateway solutions (e.g. Samba, netatalk, . . . ).
     • NIS/NFS is not really desirable (security, scalability).
     • Make use of DCE/DFS:
       – Implementations for most Unix systems.
       – Windows and Mac implementations.

  5. Introduction, assumptions and environment
     Advantages
     • Leverage existing capital investment and expertise to provide file services from Unix to the different desktop systems.
     • Increase service by providing one single password for login, mail service etc.
     • Provide for Unix-based account management.

  6. Introduction, assumptions and environment
     Caveats
     • No DCE/DFS for Linux (at least no DFS):
       – How to authenticate against DCE?
       – Using the DFS/NFS gateway is far too much trouble (regarding authentication/authorization).
     • No DFS support for Mac and Windows ≠ NT ⇒ Samba, netatalk.
     • Login integration not too smart on Windows:
       – Accounts have to be known by DCE and Windows.
       – Make use of a customized GINA or find a different approach.

  7. Introduction, assumptions and environment
     Augsburg University’s Environment
     • Overall
       – 11 000 enrolled students.
       – 1 000 employees.
     • DCE cell (growing since 1994)
       – DCE/DFS is the backbone of account management and file sharing.
       – 9 000 registered student accounts.
       – 600 registered employee accounts.
       – 400 affiliates with accounts.
     • Windows NT domain (students only, since 1996)
       – Student accounts derived from the DCE registry.
       – Continued mainly for traditional reasons.

  8. Our Solution
     In general
     • Modify client systems as little as possible.
     • Make use of SSL to secure connections.
     Linux integration
     • “Pluggable Authentication Module” (PAM) to allow integrated login.
     • Implicit DFS/NFS Gateway authentication/mapping.
     • Extend “Name Service Switch” (NSS) for DCE registry lookups.

  9. Our Solution, continued
     Windows integration (in progress)
     • Synchronize Windows NT and DCE registry.
     • Use integrated login (login against NT and DCE registry) and native DFS support on DCE/DFS-integrated systems.
     • Use SMB gateways elsewhere (e.g. Samba with Paul Henson’s extensions).
     • No modifications on the clients (except installation of DCE/DFS).

  10. Inside PAM/NSS for Linux
      Extending Linux: Major Components
      • “Pluggable Authentication Module” (pam_dce.so) to authenticate users.
      • “Name Service Switch” extension (libnss_dce.so.2) to make DCE registry lookups.
      • PAM dæmon (pamdced) on the DFS/NFS Gateway server to process PAM requests and establish the DFS/NFS mapping.
      • NSS dæmon (nssdced) on any DCE client to process NSS requests.

  11. Inside PAM/NSS for Linux
      Conceptual Overview
      [Figure: Linux client (libnss_dce.so.2, pam_dce.so, NFS client) — SSL connections to nssdced and pamdced on the DCE client — DCE registry — DFS/NFS Gateway (NFS server, DFS).]

  12. Inside PAM/NSS for Linux
      Linux Configuration
      • Compile/install modules (/lib/security/pam_dce.so and /lib/libnss_dce.so.2).
      • Set up the PAM/DCE configuration (/etc/security/pam_dce.conf).
      • Install the SSL certificate (/etc/security/pam_dce.pem).
      • Modify the PAM configuration (e.g. /etc/pam.d/login):
            auth required /lib/security/pam_dce.so
      • NSS/DCE configuration (/etc/nss_dce.conf).
      • Modify the NSS configuration (/etc/nsswitch.conf):
            passwd: files dce
            group:  files dce
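The client-side wiring on this slide can be audited mechanically. The following is an added example, not code from the original deck or from the pam_nss_dce project: it checks that /etc/pam.d/login carries the pam_dce.so line and that nsswitch.conf lists `files` before `dce` for passwd and group (so a registry entry can never shadow a local system account). File contents are constructed inline so it runs offline; on a real host read them from /etc instead.

```python
"""Audit the PAM/NSS-DCE client configuration prescribed on the slide."""
import re

# 'auth required /lib/security/pam_dce.so' (the path prefix is optional on
# PAM implementations that search /lib/security by default).
PAM_DCE_LINE = re.compile(r"^\s*auth\s+required\s+(/lib/security/)?pam_dce\.so\b")


def pam_dce_enabled(pam_login_text):
    """True if a non-commented 'auth required pam_dce.so' line is present."""
    return any(PAM_DCE_LINE.match(line) for line in pam_login_text.splitlines()
               if not line.lstrip().startswith("#"))


def nss_sources(nsswitch_text, database):
    """Return the ordered source list for one nsswitch database, e.g. 'passwd'."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return sources.split()
    return []


def nss_files_then_dce(nsswitch_text, database):
    """The slide's 'files dce': NSS stops at the first source that answers,
    so local accounts must be consulted before the DCE registry."""
    sources = nss_sources(nsswitch_text, database)
    return ("files" in sources and "dce" in sources
            and sources.index("files") < sources.index("dce"))


def audit(pam_login_text, nsswitch_text):
    """Run all checks for one client and return check name -> pass/fail."""
    return {
        "pam_dce_in_login": pam_dce_enabled(pam_login_text),
        "passwd_files_then_dce": nss_files_then_dce(nsswitch_text, "passwd"),
        "group_files_then_dce": nss_files_then_dce(nsswitch_text, "group"),
    }


# Constructed sample files: one client set up as on the slide, one where the
# pam_dce line is commented out and the passwd order was swapped.
GOOD_LOGIN = "auth required /lib/security/pam_dce.so\n"
GOOD_NSS = "passwd: files dce\ngroup:  files dce\nhosts:  files dns\n"
BAD_LOGIN = "# auth required /lib/security/pam_dce.so\n"
BAD_NSS = "passwd: dce files   # registry would shadow local accounts\ngroup:  files\n"

if __name__ == "__main__":
    for label, findings in (("good", audit(GOOD_LOGIN, GOOD_NSS)),
                            ("bad", audit(BAD_LOGIN, BAD_NSS))):
        print(label, findings)
```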

  13. Inside PAM/NSS for Linux
      Dæmon Setup
      • Compile/install the dæmons on the DCE client (/usr/local/pam_nss/pamdced and /usr/local/pam_nss/nssdced).
      • Create/install the SSL certificate.
      • Add pamdced to /etc/inetd.conf.
      • Add nssdced to /etc/rc.local.

  14. Inside PAM/NSS for Linux
      Current Status
      What is implemented . . .
      √ Authentication via PAM.
      √ Establishing the DFS/NFS mapping via PAM.
      √ SSL to secure PAM connections (i.e. password transfers).
      √ Support for the most important lookup methods (getpwnam(), getpwuid(), getgrnam() and getgrgid()).

  15. Inside PAM/NSS for Linux
      Current Status, continued
      What is not implemented (yet) . . .
      – No session support, no kdestroy equivalent (⇒ security issue).
      – No password management yet.
      – Not all lookup methods implemented, for performance reasons (setpwent(), endpwent(), getpwent(), setgrent(), endgrent() and getgrent()).
      – No support for multiple nssdced dæmons (within the client configuration) yet.

  16. Integrating Windows clients
      We are planning to . . .
      • make use of existing Windows NT servers (mainly for traditional reasons).
      • synchronize the DCE registry and the Windows NT registry.
        – Add new accounts to both registries.
        – Propagate password changes from DCE to NT and vice versa.
        – Use the password strength facilities of DCE (password strength server) and NT (password strength DLL).
      • use patched Samba to export DFS home directories.

  17. Integrating Windows clients
      Conceptual Overview
      [Figure: Windows 3.x/95/98 and Windows NT clients with integrated login; authentication against the Windows NT PDC (PWD strength DLL) and the DCE client/DCE registry (PWD strength server); DFS access via SMB gateways on DCE/DFS clients; SSL password propagation between the NT PDC and the DCE registry.]

  18. Conclusions
      • PAM/NSS-DCE integration for Linux has been in production use for > 2 months now.
      • DFS access over the DFS/NFS Gateway is restricted to NFS capabilities (e.g. no ACL support).
      • Installation is plug & play.
      • No major problems up to now.
      • Additional features on the wish list.

  19. References
      • PAM/NSS-DCE Homepage: http://www.rz.uni-augsburg.de/~zahn/pam_nss_dce/
      • Linux-PAM: ftp://ftp.kernel.org/pub/linux/libs/pam/index.html
      • The GNU C Library — System Databases and Name Service Switch: http://www.gnu.org/manual/glibc-2.0.6/html_chapter/libc_25.html
      • Paul Henson’s Samba patches and authentication extensions:
        http://www.csupomona.edu/~henson/www/projects/dce_patches/samba/
        http://www.csupomona.edu/~henson/www/projects/sec_auth/
      • Synchronizing NT and Unix passwords with DCE: http://www.icaen.uiowa.edu/ntpw/
