trusted domain support
play

Trusted Domain Support as Active Directory Domain Controller Stefan - PowerPoint PPT Presentation

Apr 29, 2023 •112 likes •388 views

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher <metze@samba.org> Samba Team / SerNet 2018-06-07 https://samba.org/~metze/presentations/2018/SambaXP/ Talks at SambaXP/SDC 2017 Last year I gave talks

  1. Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher <metze@samba.org> Samba Team / SerNet 2018-06-07 https://samba.org/~metze/presentations/2018/SambaXP/

  2. Talks at SambaXP/SDC 2017 ◮ Last year I gave talks about concepts and details of trusted domains ◮ ”The Important Details Of Windows Authentication” at SambaXP. ◮ https://samba.org/˜metze/presentations/2017/SambaXP/ ◮ ”Windows Authentication With Multiple Domains and Forests” at Storage Developer Conference. ◮ https://samba.org/˜metze/presentations/2017/SDC/ Trusted Domain Support as AD DC Stefan Metzmacher (2/27)

  3. Topics ◮ The long road to trust support (4.3.0, 4.7.0, 4.8.0, master) ◮ samba-tool domain trust commands ◮ wbinfo -m –verbose changes ◮ Automatic creation of foreignSecurityPrincipal objects ◮ Implementing SID expanding/filtering ◮ Forest/Domain-wide Authentication ◮ Selective Authentication (Cross Organization Trusts) ◮ Future Improvements/Open Bugs ◮ Questions? Trusted Domain Support as AD DC Stefan Metzmacher (3/27)

  4. The long road to trust support (Part1, before 4.3.0) ◮ It started with a Red Hat project to support Forest Trusts to FreeIPA: ◮ Red Hat sponsored my work (via SerNet) ◮ The initial target was only Kerberos ◮ NTLMSSP was not required and got deferred ◮ Preparation work: ◮ The Windows GUI should be able to create/manage trusts ◮ It was required to fix/implement several LSA and Netlogon RPC calls ◮ The most challenging was the forest information conflict detection ◮ Our own tools: ◮ ’samba-tool domain trust *’ commands were added ◮ They use very similar network requests as the Windows GUI ◮ They manage trusts for the local domain by default ◮ But they can also run against remote servers Trusted Domain Support as AD DC Stefan Metzmacher (4/27)

  5. Management: samba-tool domain trust dc1 :~$ samba -tool domain trust help Usage: samba -tool domain trust <subcommand > Domain and forest trust management. Options: -h, --help show this help message and exit Available subcommands : create - Create a domain or forest trust. delete - Delete a domain trust. list - List domain trusts. namespaces - Manage forest trust namespaces . show - Show trusted domain details. validate - Validate a domain trust. For more help on a specific subcommand , please type: samba -tool domain trust <subcommand > (-h|--help) Trusted Domain Support as AD DC Stefan Metzmacher (5/27)

  6. The long road to trust support (Part2, before 4.3.0) ◮ We added code to manage and use a trust routing table: ◮ Utility (dsdb trust *) functions made it easier for high level code ◮ They load the forest information of the local forest ◮ They load the forest information of all trusted domain/forests ◮ Some put everything together to form a routing table ◮ Implementing INCOMING and OUTGOING trust support for Kerberos: ◮ The KDC was changed to use the routing table ◮ AS-Requests may refer clients to the correct KDC with WRONG REALM referrals ◮ TGS-Requests may result in cross realm referral tickets ◮ Regression selftests: ◮ We established trust relationships between several environments ◮ It was relatively easy by using the new ’samba-tool domain trust’ commands ◮ The rest was done with some blackbox tests using kinit or smbclient Trusted Domain Support as AD DC Stefan Metzmacher (6/27)

  7. The long road to trust support (Part3, 4.3.0) ◮ 4.3.0 was released (in September 2015) with the improvements, but had limitations: ◮ It’s not possible to add users groups of a trusted domain into domain groups ◮ NTLMSSP and LSA LookupNames Sids were not implemented for outgoing trusts ◮ There were also security limitations: ◮ No SID filtering rules are applied at all! ◮ Both sides of the trust need to fully trust each other! ◮ This means DCs of domain A can grant domain admin rights in domain B! ◮ There was a lot of useful work happening: ◮ But it was still only be usable for some rare usecases ◮ The project was stopped at that point Trusted Domain Support as AD DC Stefan Metzmacher (7/27)

  8. The long road to trust support (Part4, after 4.5.0) ◮ After 4.5.0 was released in September 2016 ◮ SerNet got more and more customers asking for trust support ◮ This was often the only reason they had to keep using Windows servers ◮ Other customers had a lot of problems with trusts on member servers ◮ We knew that support for trusted domains on a member server faces very similar problems than on a domain controller ◮ By selling the SAMBA+ subscriptions ◮ We had the opportunity to think about sponsoring our own projects ◮ So we decided to bring trust support for DCs to a level which is really useful for customers ◮ As a side effect we were also able to solve urgent problems on domain members Trusted Domain Support as AD DC Stefan Metzmacher (8/27)

  9. The long road to trust support (Part4, 4.7.0 and more) ◮ The new ”map untrusted to domain = auto” option ◮ Was introduced to improve member server setups ◮ It lets the domain controllers of the primary domain do its job ◮ The member server doesn’t have to know about trusted domains ◮ There is just an outgoing transitive trust to the primary domain ◮ The ”map untrusted to domain” and ”auth methods” options ◮ Got deprecated in 4.7.0 and removed in 4.8.0 ◮ The (new) default behaviour (as of 4.7.0) was kept for 4.8.0 ◮ The ”winbind scan trusted domains” option ◮ With ”map untrusted to domain” being removed there is no need to have a list of trusted domain available in winbindd ◮ We no longer try to list all trusted domain recursively ◮ The option was added in 4.8.0, but the default is still ”yes” ◮ But the old (default) is only required for domain specific idmap backend configurations ◮ As domain controller the behaviour is hardcoded to ”no” Trusted Domain Support as AD DC Stefan Metzmacher (9/27)

  10. The long road to trust support (Part5, 4.7.0 and more) ◮ The most challenging task was a rewrite of gensec processing ◮ Async authentication is required for to trusted domains ◮ The complexity of spnego.c relied on recursing into the sync ’gensec update()’ implementation ◮ It took a while to create a patchset for upstream inclusion: ◮ In total 31 files changed, 3774 insertions(+), 1954 deletions(-) ◮ It took about 150 (relatively small) commits to make auth/gensec fully async ◮ 82 patches just for spnego.c ◮ The aim was to allow a reviewer to understand and verify each single commit ◮ Some changes went into 4.7.0, while the rest made it into 4.8.0 Trusted Domain Support as AD DC Stefan Metzmacher (10/27)

  11. The long road to trust support (Part6, 4.8.0) ◮ Trusted domain support requires winbindd in 4.8.0 ◮ On domain members the primary domain is also a trusted domain ◮ The AD DC already required and used winbindd internally ◮ winbindd loads the full domain topology as AD DC ◮ We also load all domains of forest trusts ◮ Internally we remember a ”routing domain” for transitive trusts ◮ Only uses NETLOGON and LSA with Netlogon Secure Channel ◮ Only anonymous DCERPC transports (tcp or unauthenticated smb) ◮ No NTLMSSP, no Kerberos! ◮ No SAMR, no LDAP! ◮ LookupNames and LookupSids are routed via winbindd as AD DC ◮ There are various scopes for LookupNames/Sids ◮ Predefined, Builtin, Account Domain, Trusts ◮ We use abstracted view tables for this ◮ At the end winbindd is the last resort routing ◮ Samba member servers can make use of the trust now Trusted Domain Support as AD DC Stefan Metzmacher (11/27)

  12. The long road to trust support (Part7, 4.8.0) ◮ 4.8.0 was released (in March 2018) with the improvements, but had limitations: ◮ It’s still not possible to add users groups of a trusted domain into domain groups ◮ There are still security limitations: ◮ No SID filtering rules are applied at all! ◮ Both sides of the trust need to fully trust each other! ◮ This means DCs of domain A can grant domain admin rights in domain B! Trusted Domain Support as AD DC Stefan Metzmacher (12/27)

  13. Admin visible changes in 4.8.0 (Part1) ◮ Previously ”wbinfo -m –verbose” produced confusing results ◮ It mixed the views recursively of all reachable domains ◮ The trust types and directions don’t match the view of the local system ◮ This changed to be more useful in 4.8.0 ◮ The trust properties printed have been changed to correctly reflect the view of the system where wbinfo is executed (only!) ◮ This is only correct with ”winbind scan trusted domains” effectively ”no” ◮ On a domain member trusted domains are learned on the fly if used Trusted Domain Support as AD DC Stefan Metzmacher (13/27)

  14. Admin visible changes in 4.8.0 (Part2) ◮ Example, on a AD DC (SDOM1): dc1 :~$ wbinfo -m --verbose Domain Name DNS Domain Trust Type Transitive In Out BUILTIN Local SDOM1 sdom1.site RWDC WDOM3 wdom3.site Forest Yes No Yes WDOM2 wdom2.site Forest Yes Yes Yes SUBDOM31 subdom31.wdom3.site Routed (via WDOM3) SUBDOM21 subdom21.wdom2.site Routed (via WDOM2) ◮ Indirect (transitive) trusts are shown as ”Routed” including the routing domain Trusted Domain Support as AD DC Stefan Metzmacher (14/27)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why do we keep seeing these headlines? 1. The Meta Goal Can we devise changes to operational practices, or operational tools or routing technologies

572 views • 15 slides
Support for Trusted Extension in ACL2 J Strother Moore (joint work with Matt Kaufmann)

Support for Trusted Extension in ACL2 J Strother Moore (joint work with Matt Kaufmann)

Support for Trusted Extension in ACL2 J Strother Moore (joint work with Matt Kaufmann) Department of Computer Sciences University of Texas at Austin August, 2010 1 A C omputational L ogic for A pplicative C ommon L isp = ACL2 a

639 views • 35 slides
DMA Support for the Sancus Architecture Lightweight and Open-Source Trusted Computing for the IoT

DMA Support for the Sancus Architecture Lightweight and Open-Source Trusted Computing for the IoT

DMA Support for the Sancus Architecture Lightweight and Open-Source Trusted Computing for the IoT Sergio Seminara seminara@kth.se KTH - Kungliga Tekniska Hgskola Examiner: prof. Mads Dam Supervisor: prof. Roberto Guanciale Seminara (KTH)

545 views • 50 slides
TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution Environments Gui Andrade Krste Asanovi Dayeol Lee David Kohlbrenner Dawn Song University of California, Berkeley TRUSTED MEMORY? Securing data/code

703 views • 48 slides
Trusted Caregivers, On Demand An app that provides a marketplace of trusted, convenient, and

Trusted Caregivers, On Demand An app that provides a marketplace of trusted, convenient, and

Trusted Caregivers, On Demand An app that provides a marketplace of trusted, convenient, and affordable caregivers to families on demand. Why create RestUp? Americans provide $470 Billion in unpaid care in 2015. Emergency Staffing

324 views • 8 slides
Your Trusted China Partner Market Overview Your Trusted Partner in China Source: McKinsey &amp;

Your Trusted China Partner Market Overview Your Trusted Partner in China Source: McKinsey &amp;

Chinas Dietary Supplement Industry Market Insights Natural Products Expo West March 11, 2017 Your Trusted China Partner Market Overview Your Trusted Partner in China Source: McKinsey &amp; Company Your Trusted Partner in China Consumer

409 views • 29 slides
for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted Platform Module Trusted

for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted Platform Module Trusted

Towards Verified C specification for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted Platform Module Trusted Computing, an initiative by major IT vendors Functions: integrity measurement, reporting &amp; protected storage

374 views • 16 slides
Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus trustworthy RFC 4949 (Internet Security Glossary) Trust : A feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system

788 views • 33 slides
Trusted Mobile Platforms: Part 1: An introduction to trusted computing Chris Mitchell Royal

Trusted Mobile Platforms: Part 1: An introduction to trusted computing Chris Mitchell Royal

Trusted Mobile Platforms: Part 1: An introduction to trusted computing Chris Mitchell Royal Holloway, University of London c.mitchell@rhul.ac.uk http://www.isg.rhul.ac.uk/~cjm Contents What is trusted computing? The TCG TCG

1.43k views • 114 slides
Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and

Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and

Computer S ecurity: Principles and Practice Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and Multilevel Security First Edition by William S tallings and Lawrie Brown Lecture slides by Lawrie

636 views • 40 slides
Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny De Cock K.U.Leuven ESAT/COSIC

369 views • 17 slides
A BAD DREAM: SUBVERTING TRUSTED PLATFORM MODULE WHILE YOU ARE SLEEPING Seunghun Han, Wook Shin,

A BAD DREAM: SUBVERTING TRUSTED PLATFORM MODULE WHILE YOU ARE SLEEPING Seunghun Han, Wook Shin,

A BAD DREAM: SUBVERTING TRUSTED PLATFORM MODULE WHILE YOU ARE SLEEPING Seunghun Han, Wook Shin, Jun-Hyeok Park, and HyoungChun Kim, National Security Research Institute BACKGROUND Trusted Computing Group (TCG) Trusted Platform Module

375 views • 19 slides
AIMS 2017 Things in a Fog (TGIF): A Framework to Support Multi- domain Research in the Internet

AIMS 2017 Things in a Fog (TGIF): A Framework to Support Multi- domain Research in the Internet

AIMS 2017 Things in a Fog (TGIF): A Framework to Support Multi- domain Research in the Internet of Things Dr Jim Martin School of Computing Clemson University (jmarty@clemson.edu) Talk Overview Setting the stage SC-CVT: South

288 views • 10 slides
Numerical Abstract Domain using Support Function. Yassamine Seladji and Olivier Bouissou. CEA,

Numerical Abstract Domain using Support Function. Yassamine Seladji and Olivier Bouissou. CEA,

Numerical Abstract Domain using Support Function. Yassamine Seladji and Olivier Bouissou. CEA, LIST, LMeASI. yassamine.seladji@cea.fr olivier.bouissou@cea.fr 19 juin 2012 Context An industriel problem The crash of Ariane 5 : caused by

859 views • 74 slides
Access Control Casey Schaufler August 2010 Casey Schaufler Trusted Solaris, Trusted Irix,

Access Control Casey Schaufler August 2010 Casey Schaufler Trusted Solaris, Trusted Irix,

File Content Based Access Control Casey Schaufler August 2010 Casey Schaufler Trusted Solaris, Trusted Irix, Linux LSM Various Government Efforts Trusix, CMM, CHATS Standards P1003.1e/2c, TSIG Smack Linux Security Module

497 views • 30 slides
Kantara F2F Berlin Closing Session Summary slides from: Business Cases for Trusted Federations

Kantara F2F Berlin Closing Session Summary slides from: Business Cases for Trusted Federations

Kantara F2F Berlin Closing Session Summary slides from: Business Cases for Trusted Federations Trust Framework Meta Model Telecommunications Identity Open Source Support Initiative Privacy Framework eGovernment Board of Trustees BCTF

322 views • 17 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Probabilistic Fundamentals in

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Probabilistic Fundamentals in

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Probabilistic Fundamentals in Robotics Non-parametric Filters Course Outline Basic mathematical framework Probabilistic models of mobile robots Mobile robot localization

485 views • 33 slides
AM (Zimbabwe) v SSHD and Article 3 ECHR in medical grounds cases Instant response webinar

AM (Zimbabwe) v SSHD and Article 3 ECHR in medical grounds cases Instant response webinar

AM (Zimbabwe) v SSHD and Article 3 ECHR in medical grounds cases Instant response webinar Krishnendu Mukherjee Alasdair Mackenzie k.mukherjee@doughtystreet.co.uk a.mackenzie@doughtystreet.co.uk Phil Haywood @DoughtyStreet/@DoughtyStPublic

109 views • 6 slides
J E R E M Y M O S S P R O F E S S O R O F P O L I T I C A L P H I L O S O P H Y U N I V E R S

J E R E M Y M O S S P R O F E S S O R O F P O L I T I C A L P H I L O S O P H Y U N I V E R S

Constraining Supply J E R E M Y M O S S P R O F E S S O R O F P O L I T I C A L P H I L O S O P H Y U N I V E R S I T Y O F N E W S O U T H W A L E S S Y D N E Y A U S T R A L I A Claim Current and likely future methods for

587 views • 10 slides
Proof Mining: Proof Interpretations and Their Use in Mathematics Ulrich Kohlenbach Department of

Proof Mining: Proof Interpretations and Their Use in Mathematics Ulrich Kohlenbach Department of

Proof Mining: Proof Interpretations and Their Use in Mathematics Ulrich Kohlenbach Department of Mathematics Technische Universit at Darmstadt PhDs in Logic VIII, Darmstadt, May 9-11, 2016 Proof Mining: Proof Interpretations and Their

2.05k views • 166 slides
Domain-Driven Design SWEN-610 Foundations of Software Engineering Department of Software

Domain-Driven Design SWEN-610 Foundations of Software Engineering Department of Software

Domain-Driven Design SWEN-610 Foundations of Software Engineering Department of Software Engineering Rochester Institute of Technology Domain driven design centers the architecture on the problem domain. Quote from the DDD Community:

215 views • 10 slides
Oshkosh Corporation Fourth Quarter Fiscal 2013 October 31, 2013 Charles L. Szews Chief

Oshkosh Corporation Fourth Quarter Fiscal 2013 October 31, 2013 Charles L. Szews Chief

Oshkosh Corporation Fourth Quarter Fiscal 2013 October 31, 2013 Charles L. Szews Chief Executive Officer Wilson R. Jones President and Chief Operating Officer David M. Sagehorn Executive Vice President and Chief Financial Officer Patrick

324 views • 20 slides
First Quarter 2014 Earnings Presentation May 6, 2014 Agenda Strategic Review Edward Tilly

First Quarter 2014 Earnings Presentation May 6, 2014 Agenda Strategic Review Edward Tilly

First Quarter 2014 Earnings Presentation May 6, 2014 Agenda Strategic Review Edward Tilly Chief Executive Officer Financial Review Alan Dean Executive Vice President, CFO and Treasurer Questions and Answers Edward Tilly Alan Dean

739 views • 47 slides
Experiments Over the Next 10 Years Alessandro Bravar (Universit de Genve) Why

Experiments Over the Next 10 Years Alessandro Bravar (Universit de Genve) Why

Prospects for Reducing Beam Flux Uncertainties with Hadron Production Experiments Over the Next 10 Years Alessandro Bravar (Universit de Genve) Why Hadro-Production Measurements Understand the neutrino source solar neutrinos n flux

734 views • 36 slides

More recommend