Pushing users into the pit of success: War stories from the Samba 4.0 upgrade - PowerPoint PPT Presentation



SLIDE 1

Pushing users into the pit of success

War stories from the Samba 4.0 upgrade

Presented by Andrew Bartlett of Catalyst // 2015-01

Please ask questions during the talk

SLIDE 2

About me

  • Andrew Bartlett
  • Samba Team member since 2001
  • Working on the AD DC since 2006
  • These views are my own, but I do wish to thank:
    • My employer: Catalyst
    • My fellow Samba Team members

SLIDE 3

Samba's AD DC

  • A truly great success for the Samba project
  • Windows desktops are still a reality
    • At least outside this room
    • And they need AD for management and authentication
  • Samba's AD DC provides many complex services
    • Yet in a simple, seamless way
  • Samba's first 'product' style feature

SLIDE 4

Samba AD DC Features

  • LDAP
  • Kerberos
  • Windows Domain Controller
  • Centralised Identity Management Server
    • Authentication
    • Authorisation
  • SMB / SMB2 / CIFS
  • Windows machines join AD natively

SLIDE 5

I think Samba's AD DC is a success

  • Pushing users into the pit of success means:
    • Even if the software is complex
    • Even if the protocols are complex
    • Even if the needs of every site are different
    • That the initial install is a success

SLIDE 6

What is success: just working

  • The initial install should just work
    • Answer some questions, and then add your first user
  • Have all the details in the meantime taken care of
    • Generating any required configuration files
    • Scripting all the steps, leave no steps manual

SLIDE 7

What is success: security

  • The initial install should be 'secure'
  • Password policy should be on by default
    • Passwords should expire
    • Passwords should be complex
  • The administrator shouldn't choose the machine keys (passwords)
    • These should be random gibberish
  • Replication should be secure, encrypted

SLIDE 8

What is success: complexity

  • Not shying away from complex protocols like Kerberos
  • Hiding the details by making things 'just work'
  • Making complex software simple to operate
    • Particularly when starting
  • Not expecting the administrator to be an expert
    • Even if they are

SLIDE 9

This should not be revolutionary

  • But too often, we assume the administrator:
    • Is an Identity and Security expert, and will add the security later
  • How many security bugs can you find below?

    add: olcSyncRepl
    olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
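The directive on this slide, run through a small lint written for this write-up as an added example (it is not code from the talk, from Samba or from OpenLDAP). It splits the syncrepl options and reports what a reviewer would flag in the slide's directive: an ldap:// provider with no starttls=critical, so the bind and every replicated entry cross the wire in the clear; a simple bind with a static password kept in cn=config; a placeholder password; and binding as the directory administrator rather than a dedicated replication identity. The hardened counterpart is constructed here (the certificate paths are assumptions): ldaps:// with tls_reqcert=demand so the provider's certificate is verified, and SASL EXTERNAL client-certificate authentication so no password is stored at all. The lint returns no findings for it.

```python
"""Lint an OpenLDAP syncrepl directive (the olcSyncRepl value) for the
transport and credential weaknesses a reviewer would flag.
Added example; not code from the talk, Samba or OpenLDAP."""
import shlex
from typing import Dict, List

# The directive from the slide, as one string (constructed copy).
WEAK = ('rid=0 provider=ldap://ldap01.example.com bindmethod=simple '
        'binddn="cn=admin,dc=example,dc=com" credentials=secret '
        'searchbase="dc=example,dc=com" logbase="cn=accesslog" '
        'logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" '
        'schemachecking=on type=refreshAndPersist retry="60 +" '
        'syncdata=accesslog')

# Constructed hardened counterpart (certificate paths are assumptions):
# TLS to the provider with its certificate verified, and SASL EXTERNAL
# (client certificate) instead of a static password, so no secret is
# stored in cn=config at all.
HARDENED = ('rid=0 provider=ldaps://ldap01.example.com '
            'tls_cacert=/etc/ldap/ca.pem tls_reqcert=demand '
            'tls_cert=/etc/ldap/replica.pem tls_key=/etc/ldap/replica.key '
            'bindmethod=sasl saslmech=EXTERNAL '
            'searchbase="dc=example,dc=com" logbase="cn=accesslog" '
            'logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" '
            'schemachecking=on type=refreshAndPersist retry="60 +" '
            'syncdata=accesslog')

# Values that are documentation placeholders rather than real secrets.
PLACEHOLDER_PASSWORDS = {'secret', 'password', 'changeme', 'admin'}


def parse_syncrepl(directive: str) -> Dict[str, str]:
    """Split the directive into key=value options, honouring quoted values
    such as retry="60 +" and logfilter="(...)"."""
    options: Dict[str, str] = {}
    for token in shlex.split(directive):
        key, sep, value = token.partition('=')
        if not sep:
            raise ValueError(f'malformed syncrepl option: {token!r}')
        options[key.lower()] = value
    return options


def lint_syncrepl(directive: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    o = parse_syncrepl(directive)
    findings: List[str] = []
    provider = o.get('provider', '')
    starttls = o.get('starttls', 'no').lower()
    # ldaps:// encrypts from the first byte; starttls=critical refuses to
    # continue if the upgrade fails, while starttls=yes silently falls back.
    encrypted = provider.startswith('ldaps://') or starttls == 'critical'
    if not encrypted:
        if starttls == 'yes':
            findings.append('starttls=yes allows silent fallback to cleartext; '
                            'use starttls=critical')
        else:
            findings.append(f'cleartext transport ({provider or "no provider"}): '
                            'the bind and every replicated entry, password '
                            'hashes included, cross the network unencrypted')
    elif o.get('tls_reqcert', '').lower() != 'demand':
        findings.append('tls_reqcert is not demand: the provider certificate '
                        'is not verified, so the TLS session can be intercepted')
    # syncrepl defaults to bindmethod=simple when none is given.
    if o.get('bindmethod', 'simple').lower() == 'simple':
        if 'credentials' in o:
            findings.append('simple bind with a static password stored in the '
                            'directive; prefer SASL EXTERNAL over TLS')
        if o.get('credentials', '').lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f'credentials={o["credentials"]!r} is a placeholder '
                            'password copied from a guide')
    binddn = o.get('binddn', '').lower()
    if binddn.startswith('cn=admin,') or binddn.startswith('cn=manager,'):
        findings.append(f'consumer binds as {o["binddn"]!r}: use a dedicated '
                        'replication identity with read-only access instead')
    return findings


if __name__ == '__main__':
    for name, directive in (('slide directive', WEAK), ('hardened', HARDENED)):
        print(f'{name}: {len(lint_syncrepl(directive))} finding(s)')
        for finding in lint_syncrepl(directive):
            print('  -', finding)
```

Run stand-alone it prints four findings for the slide's directive and none for the hardened one. The checks are deliberately ordered the way the risk stacks: without an encrypted transport the password question is moot, because the bind itself is on the wire.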

SLIDE 11

Are these not just motherhood statements?

  • Because the alternatives are superficially easier
    • Yet dangerously simpler
    • With many guides leaving security as an afterthought
  • Because asking the administrator to manually configure what we can script is a waste of everyone's time.

SLIDE 12

Impressive because of where we have come from

  • I'll rag on the OpenLDAP / Samba pattern quite a bit
  • A bit like arguing that PostgreSQL is wrong for not including the 'right' database schema
  • OpenLDAP is not an Identity Management solution
    • But no commonly accepted IDM solution exists
    • And OpenLDAP / Samba looks like an IDM solution
  • Many of the things I complain about can be done
    • But only by configuration of non-default modules

SLIDE 13

This may sound like a sales pitch

  • I think Samba's AD DC has solved some of these problems very well
  • This is at the expense of other things
    • Specifically performance
    • Also some flexibility
  • I also have high praise for FreeIPA
    • Many of the same great patterns are there also
    • Very different products, but close communities

SLIDE 14

What have we done

  • We changed Samba's DC mode:
    • From a choose your own wiki adventure
    • Into a consistent reproducible pattern
  • We changed the constraints:
    • From allowing almost anything
    • To sensible and strictly defined constraints

SLIDE 15

What else we did

  • We changed security:
    • From being optional and after the fact
    • To being on by default
  • We changed replication from being
    • Hard to configure and easy to leave insecure
    • To being simple to configure
    • Sadly also really, really complex
  • OpenLDAP replication is much simpler under the hood

SLIDE 16

Samba 3.x and OpenLDAP

  • A very common pattern
    • Samba stores users and groups in LDAP records
    • Essentially a NT4 Domain to LDAP translator

(diagram: LDAP)

SLIDE 17

Samba 3.x / OpenLDAP Advantages

  • LDAP backend provides replication 'for free'
  • Solves key needs in heterogeneous networks
    • Windows workstations talk to Samba
    • Linux workstations and services talk to LDAP
  • But only a loose pattern
    • Not a tool or script
    • No document of best practises
    • May not even provide a single password!

SLIDE 18

Integration: Somebody Else's Problem?

  • OpenLDAP is 'just' a data store
  • Samba uses an externally managed LDAP store
  • Lots of tools and modules you can use
    • But none installed or running by default
  • Is the random wiki really in charge?
  • Can we do better?

SLIDE 19

How bad is it really?

  • Can't smart administrators
    • Collect the software
    • Follow internet guides
    • Customise for their own organisation?
  • Succeed to:
    • Create a secure, reliable and fully featured IDM
    • Without great stress and inconvenience?
  • Sadly NO

SLIDE 20

The missing Constraints

  • Samba's AD DC enforces constraints
  • In Samba / OpenLDAP constraints were typically 'somebody else's problem'

(diagram: Constraints)

SLIDE 21

More than just constraints missing

  • The typical wiki OpenLDAP Samba also misses:
    • Securing the LDAP directory
      • Default ACL is "to * by self write"
      • This allows you to update your own UID or SID!
    • Some guides often forget to secure the passwords!
    • Two-way password sync
      • Ensuring LDAP password changes change the Samba password too!
    • Password policy
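To make the two ACL points on this slide concrete (self-writable UID/SID, and password attributes left readable), here is a small evaluator written for this write-up as an added example; it is not code from the talk, Samba or OpenLDAP, and it models only the part of slapd's ACL engine that matters here: the first "access to" clause matching the attribute wins, within it the first matching "by" clause decides, and no match means no access. The weak list is the slide's default written out as a full directive with the usual "by * read" tail; the hardened list is a constructed ordering with sensitive attributes first (the administrator DN is an assumption). Run over a user's own entry it shows that the default lets a user rewrite uidNumber and sambaSID and lets an anonymous bind read the Samba password hashes, and that the reordered ACL leaves only userPassword self-writable.

```python
"""Evaluate simplified OpenLDAP access directives to show which attributes
a user can modify on their own entry.  Added example; not code from the
talk, Samba or OpenLDAP, and a simplification of slapd's ACL engine
(first matching 'to' clause wins, then the first matching 'by' clause;
no match means no access)."""
import re
from typing import List, Optional, Tuple

# Access levels in slapd's order; each level implies the ones before it.
LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']
ADMIN_DN = 'cn=admin,dc=example,dc=com'  # assumed administrator DN

# The wiki-style default from the slide, written out as a full directive.
WEAK_ACL = ['access to * by self write by * read']

# Constructed hardened ordering: sensitive attributes first, catch-all last.
HARDENED_ACL = [
    'access to attrs=sambaNTPassword,sambaLMPassword '
    f'by dn.exact="{ADMIN_DN}" write by * none',
    'access to attrs=userPassword by self write by anonymous auth by * none',
    'access to attrs=uid,uidNumber,gidNumber,sambaSID,sambaPrimaryGroupSID '
    f'by dn.exact="{ADMIN_DN}" write by * read',
    'access to attrs=loginShell,description by self write by * read',
    'access to * by * read',
]

# Attributes whose modification changes identity or credentials.
SENSITIVE = ['uidNumber', 'gidNumber', 'sambaSID', 'sambaNTPassword', 'userPassword']


def _parse(directive: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (<what>, [(<who>, <level>), ...]) for one access directive."""
    m = re.match(r'access\s+to\s+(\S+)\s+(.*)$', directive.strip())
    if not m:
        raise ValueError(f'unsupported directive: {directive!r}')
    by_clauses = re.findall(r'by\s+(\S+)\s+(\w+)', m.group(2))
    for _, level in by_clauses:
        if level not in LEVELS:
            raise ValueError(f'unknown access level {level!r}')
    return m.group(1), by_clauses


def _what_matches(what: str, attr: str) -> bool:
    if what == '*':
        return True
    if what.startswith('attrs='):
        return attr.lower() in {a.lower() for a in what[6:].split(',')}
    raise ValueError(f'unsupported <what>: {what!r}')


def _who_matches(who: str, requester: Optional[str], target: str) -> bool:
    """requester is the bound DN, or None for an anonymous bind."""
    if who == '*':
        return True
    if who == 'anonymous':
        return requester is None
    if who == 'users':
        return requester is not None
    if who == 'self':
        return requester is not None and requester.lower() == target.lower()
    if who.startswith('dn.exact='):
        return requester is not None and requester.lower() == who[9:].strip('"').lower()
    raise ValueError(f'unsupported <who>: {who!r}')


def evaluate(acl: List[str], requester: Optional[str], target: str, attr: str) -> str:
    """Access level `requester` gets on `attr` of entry `target`."""
    for directive in acl:
        what, by_clauses = _parse(directive)
        if not _what_matches(what, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, requester, target):
                return level
        return 'none'   # 'to' matched but no 'by' did: implicit "by * none"
    return 'none'       # no directive matched


def allows(acl: List[str], requester: Optional[str], target: str, attr: str, needed: str) -> bool:
    return LEVELS.index(evaluate(acl, requester, target, attr)) >= LEVELS.index(needed)


def self_writable(acl: List[str], dn: str, attrs: List[str]) -> List[str]:
    """Attributes of their own entry that a user bound as `dn` may modify."""
    return sorted(a for a in attrs if allows(acl, dn, dn, a, 'write'))


if __name__ == '__main__':
    alice = 'uid=alice,ou=people,dc=example,dc=com'   # constructed user DN
    print('weak ACL, self-writable:', self_writable(WEAK_ACL, alice, SENSITIVE))
    print('hardened ACL, self-writable:', self_writable(HARDENED_ACL, alice, SENSITIVE))
    print('anonymous read of sambaNTPassword (weak):',
          allows(WEAK_ACL, None, alice, 'sambaNTPassword', 'read'))
```

The ordering is the whole point: slapd stops at the first "to" clause that matches, so the catch-all "to *" has to come last or it shadows every specific rule placed after it. A real deployment would add dn.subtree scoping and a group-based administrator clause, which this simplified matcher does not implement.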

SLIDE 22

Upgrading Samba 3 -> Samba 4

  • Installing Samba 4.x is really easy
    • Install Samba
    • samba-tool domain provision
    • Start Samba
  • Upgrading Samba turns out to be much more difficult
    • It should have been 'samba-tool domain classicupgrade'
    • But our earlier flexibility came back to bite us

SLIDE 23

Given Infinite flexibility

  • Our administrators used it all
  • We had:
    • Duplicate SIDs
    • Mixed domains or incorrect SIDs
    • Duplicate user names
    • Users with the same name as groups
    • Invalid account flags
    • Entries created by multiple, independent tools

SLIDE 24

Innovative Domains

  • Other challenges included:
    • Administrator without the well-known SID
    • Invalid NetBIOS domains like myuni.edu
      • Not technically invalid, but highly discouraged
  • Our admins used OpenLDAP well
    • Custom schema
    • Additional attributes

SLIDE 25

Classicupgrade becomes fsck

  • With no previous 'check database for insanity' tool
  • Administrators kept hitting strange errors
  • We first have to tell them to clean up the source
  • In the AD DC, we now have dbcheck

SLIDE 26

Not too bad in the end

  • Some large domains took significant time to migrate
    • Some needed manual cleanup steps
    • Others needed 8 hours of CPU!
  • We kept to our values:
    • Most of the fixes we automated
    • The upgrade process was script-able
    • The results were reproducible

SLIDE 27

Success for our users

  • We strongly encouraged testing
    • On an independent network
  • Many, many sites have migrated
    • Some quite large
  • Very glad to be able to use modern Windows out of the box
    • Eg Windows 7 and Windows 8

SLIDE 28

Things we could have done better

  • Non-Samba data wasn't migrated
    • Initially no handling of POSIX attributes
    • Now we migrate some
  • Other attributes have been left for the admin
    • Not even for compatible attributes
    • No schema migration
    • Had hoped users would have extended the script

SLIDE 29

We forgot that our most passionate users are POSIX-centric

  • No distributed uid allocation (only RID allocation)
  • No automatic provisioning of POSIX user attributes
  • Winbindd on the DC
    • doesn't use LDAP uidNumber values by default
    • Doesn't use the LDAP unixHomeDirectory

SLIDE 30

Sysvol replication

  • Still no SYSVOL replication in Samba AD DC
  • Also no official workaround
  • Development of the DFSR protocol
    • Difficult (needs new DCE RPC features)
    • Ongoing slowly

SLIDE 31

Simplicity: a development cost

  • DNS kept on being the hardest part of the install
    • We forgot our rules, and asked the admin to manually configure
    • We gave the example config file, but it still caused trouble
  • We wrote our own internal DNS server!
    • Simple
    • No caching
    • Reliably running without extra work

SLIDE 32

Lessons

  • The key was the attitude change
  • From kit of parts to product
  • But admins still pushed off the cliff at the edge of support

SLIDE 33

Beyond Samba, Beyond Windows?

  • See also FreeIPA
    • Based on 389 (ex Fedora DS, ex Netscape/Sun DS)
  • OpenLDAP could still do the same
    • Great parts available for a non-AD solution
    • Needs to be scripted
    • Needs to be automated
    • Samba even has some of the code!

SLIDE 34

Samba Status update

  • Samba 4.2 due soon
    • Finally End of life for Samba 3.6
  • Improved security
    • DCERPC trailer signing, protecting key header info
    • Upgraded NETLOGON crypto
    • Winbind requires secure connections
  • Remove simple MITM attacks

SLIDE 35

File server

  • SMB3 support a key feature
    • Leases (like oplocks)
  • Snapper support
    • Previous file versions made easy
  • Larger IO sizes in SMB2 reads and writes
  • CTDB integrated into the tree
  • vfs_fruit
    • Apple clients moving to SMB2

SLIDE 36

In the AD DC

  • Bad Password Lockout
    • Writing this found a security hole in Windows!
  • Now uses the common winbindd
    • Deprecate the attempted rewrite
    • Now just re-uses the file server code with plugins
  • Finished the smb.conf merge
    • No longer conflicting 'loadparm' tools

SLIDE 37

TODO on the AD DC

  • Inter-forest trusts
    • Recent work on trusts to FreeIPA quite successful
  • Subdomain support
  • Performance
    • Our performance isn't great at massive scale
    • Experimental effort to (again) use OpenLDAP
    • But auto-configured this time
  • POSIX Integration

SLIDE 38

Catalyst's Open Source Technologies

  • Interested in working for Catalyst on Samba? Catch me in the hallway track

SLIDE 39

Questions