Kangaroot SUSE TechUpdate: Interoperability SUSE Linux Enterprise and Windows
Gábor Nyers, Systems Engineer @SUSE
Agenda
14:00 Kangaroot Update
SUSE Update
Data Center Interoperability – the playfield
Scenarios
SLES Participating in a Active Directory domain
Integration of Apache on SLES with Active Directory
15:30 Pause
SLES and Samba as domain controller
Remote Desktop
On the bleeding edge: Btrfs + Snapper + Samba = FSRVP
17:00 Refreshments
18:00 End
SUSE Update
SUSE Update
Last 3 months
• Changes in the Subscription Model
• SUSECon 2012
‣ Visit the SUSE channel on YouTube
• SUSE Manager Proof of Concept Program
SUSE Update
Next 3 months
• SUSECon 2013
• SUSE Cloud
‣ Topic of the next TechExchange
• New SUSE Customer Center
• New SUSE Partners in The Netherlands
SUSE Update
Improving services to help SUSE customers
Events, Workshops, Seminars
• TechExchange and TechTalks
• Workshops for Special Interests, e.g.:
‣ High Availability, RPM Packaging
‣ SUSE Customer Center update
Trainings, Certification
• Advanced Technical Trainings
• CLA, CLP, CLE
• RHCE → CLP or CLE
SUSE Update
Improving services to help SUSE customers
Assessments
• In co-operation with partners
• Fix price / fix duration
• Topics:
‣ Health check
‣ Patch Management
‣ Disaster Recovery
‣ Security and Hardening
‣ Migration physical to virtual
Interoperability Scenarios
Data Center Interoperability: The Playfield
[Diagram: the four platforms UNIX, Mainframe, Linux and Windows]
Observable trends (in general):
‣ Legacy Unix holds or declines
‣ Mainframe:
♦ z/OS holds
♦ Linux on System z emerging
‣ Linux and Windows grow
Linux – Windows Interoperability: The playfield
[Diagram: the four platforms UNIX, Mainframe, Linux and Windows, with Linux and Windows highlighted]
Interoperability topics:
‣ Services
‣ Virtualization
‣ Systems Management
‣ Documents
‣ Scripting Languages
‣ Porting and running software
SUSE Linux Enterprise – Windows Interoperability
Example Services 1/2: Windows using services of SUSE Linux Enterprise (*)
‣ File and printer shares (Samba)
‣ Domain services (Samba)
‣ Directory services (Samba 4, openLDAP)
‣ Web services (Apache, Tomcat, ...)
‣ Network Proxy (Squid)
‣ E-mail (Postfix, Dovecot)
‣ Databases (MySQL, PostgreSQL)
‣ SSL certificates (OpenSSL, YaST CA)
‣ Remote Desktop (NX)
‣ DNS, DHCP
‣ VoIP (Asterisk)
etc...
(*) in parentheses: the involved components on SLES
SUSE Linux Enterprise – Windows Interoperability
Example Services 2/2: SUSE Linux Enterprise using services of Windows (*)
‣ File and printer shares (Samba)
‣ Domain services (Samba)
‣ Directory services (Winbind)
‣ Web services
‣ Network proxy
‣ E-mail (Postfix, Dovecot)
‣ Databases (FreeTDS, JDBC)
‣ SSL certificates
‣ Remote Desktop (rdesktop)
‣ DNS, DHCP
etc...
(*) in parentheses: the involved components on SLES
Scenarios
1. SLES Participating in an Active Directory domain
2. Integration of Apache with Active Directory
3. SLES and Samba as domain controller
4. Windows Remote Desktop on Linux
5. Prototype Samba implementation of “Recovery Point”
Scenarios
Practical value vs. Maturity
[Chart: the five scenarios plotted by practical value against maturity, from Emerging to Enterprise]
1. SLES Participating in an Active Directory domain
2. Integration of Apache on SLES with Active Directory
3. SLES and Samba as domain controller
4. Windows Remote Desktop on Linux
5. Prototype Samba implementation of “Recovery Point”
Overview of SMB versions (*)
Samba 3.6 supports SMB 1.0, 2.0 and partly 2.1
(*) see also this blog article
Scenario 1: SLES as member server in Active Directory domain
Features
‣ SLES as member server in an Active Directory domain
‣ Used services
♦ Directory and Authentication through Winbind
♦ Mount Windows file share
‣ Provided services
♦ File and print sharing for Windows workstations
‣ PAM integration
Technology components
‣ SLES 11 SP2
♦ Samba (v3.6)
‣ Windows 2008 R2
‣ Windows XP and 7
Troubleshooting
‣ wbinfo, smbclient, strace, lsof, netstat, tcpdump, Wireshark
‣ Logs: /var/log/samba/*
Scenario 1: SLES as member server in Active Directory domain
[Diagram: SLES 11 SP2, hostname interop01, role: member server in AD ad.demo.lan, offering a file share, a mounted share and an SSH service with PAM integration; Windows 7 (win764.ad.demo.lan) and Windows XP (winxp01.ad.demo.lan) workstations with mapped shares; Windows 2008 R2, hostname win200864, role: AD Domain Controller for ad.demo.lan, providing Active Directory and a shared folder. Demo 1 to Demo 4 mark the demonstrated interactions.]
Scenario 1: SLES as member server in Active Directory domain
• Steps on SLES
‣ Join the domain using YaST Windows Domain Membership
‣ Manually configure pam_winbind to restrict allowed users
• Steps on Active Directory
‣ Add group “SLES Shell Users”
‣ Add user “Administrator” to “SLES Shell Users”
• Steps on Windows Workstations
‣ Map share \\interop01\homes
/etc/security/pam_winbind.conf:
    [global]
    cached_login = yes
    krb5_auth = yes
    krb5_ccache_type = FILE
    debug = yes
    require_membership_of = "SLES Shell Users"
See also: Interop Demo appliance
Scenario 2: Integration of Apache on SLES with Active Directory
Features
‣ SLES as member server in an Active Directory domain
‣ Browsers running on Windows workstations can transparently log in to Web applications
‣ Active Directory as provider for:
♦ Authentication through Kerberos
♦ Authorization through LDAP
‣ Provided services
♦ Web services by Apache/Tomcat
Technology components
‣ SLES 11 SP2
♦ Samba (v3.6), mod_auth_kerb
‣ Windows 2008 R2
‣ Windows XP and 7
Troubleshooting
‣ klist, strace, lsof, netstat, tcpdump, Wireshark
‣ Firefox add-on “Live Headers”
‣ Logs: /var/log/apache2/*, /var/log/messages
Scenario 2: Integration of Apache with Active Directory
[Diagram: SLES 11 SP2, hostname interop04, role: member server in AD ad.demo.lan, running Apache with mod_auth_kerb and serving / and the protected location /secure; Windows 7 workstation (win764.ad.demo.lan) with Firefox and Internet Explorer; Windows 2008 R2, hostname interop01, role: AD Domain Controller for ad.demo.lan, providing Kerberos and Active Directory (LDAP). Steps 1 to 4 are numbered in the diagram.]
Scenario 2: Integration of Apache with Active Directory
Configuration steps
• Steps on SLES
‣ Join domain
‣ Create keytab
‣ Configure Apache
• Steps on workstations
‣ Configure Integrated Authentication for browsers
• Steps on Active Directory
‣ Add user “sles-apache”
‣ Add group “SLES Web Users”
‣ Add user “Administrator” to “SLES Web Users”
See also: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol (MSDN)
See also: Interop Demo appliance
Configure Apache for Kerberos authentication
    LoadModule auth_kerb_module /usr/lib64/apache2/mod_auth_kerb.so
    LoadModule ldap_module /usr/lib64/apache2/mod_ldap.so
    LoadModule authnz_ldap_module /usr/lib64/apache2/mod_authnz_ldap.so

    <Location /secure>
        AuthName "---Restricted Access, please use your Active Directory credentials---"
        AuthType Kerberos
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        Krb5Keytab /etc/apache2/conf.d/sles-apache.krb5.keytab
        KrbAuthRealms AD.DEMO.LAN
        KrbServiceName HTTP/[email protected]
        KrbLocalUserMapping On
        AuthLDAPBindDN cn=sles-apache,cn=Users,dc=ad,dc=demo,dc=lan
        AuthLDAPBindPassword SecretPassword
        AuthLDAPURL "ldap://win200864.ad.demo.lan:389/dc=ad,dc=demo,dc=lan?sAMAccountName"
        AuthLDAPGroupAttribute member
        Require ldap-group cn=SLES Web Users,cn=Users,dc=ad,dc=demo,dc=lan
    </Location>
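A review helper for the Scenario 2 fragment above, added here as an example (it is not part of the original slides, nor code from SUSE or mod_auth_kerb): it parses the directives inside <Location /secure> and flags the settings a practitioner checks before exposing such a site, namely the Basic-auth fallback of KrbMethodK5Passwd without forced TLS, a clear-text ldap:// bind, a service principal whose realm Apache does not accept, and a missing group requirement. The sample block is constructed from the slide; the host part of KrbServiceName is a placeholder because it is scrubbed on the page, and its realm AD.DEMO.LAN is assumed from KrbAuthRealms.

```python
import re

# Constructed sample: the Scenario 2 <Location /secure> fragment from the slides.
# The host part of KrbServiceName is a placeholder (scrubbed on the page).
SAMPLE_CONFIG = """
<Location /secure>
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    Krb5Keytab /etc/apache2/conf.d/sles-apache.krb5.keytab
    KrbAuthRealms AD.DEMO.LAN
    KrbServiceName HTTP/HOSTNAME-PLACEHOLDER@AD.DEMO.LAN
    AuthLDAPBindDN cn=sles-apache,cn=Users,dc=ad,dc=demo,dc=lan
    AuthLDAPBindPassword SecretPassword
    AuthLDAPURL "ldap://win200864.ad.demo.lan:389/dc=ad,dc=demo,dc=lan?sAMAccountName"
    Require ldap-group cn=SLES Web Users,cn=Users,dc=ad,dc=demo,dc=lan
</Location>
"""

def parse_directives(text):
    """Map lower-cased directive name -> value for the first <Location> block."""
    match = re.search(r"<Location[^>]*>(.*?)</Location>", text, re.S)
    body = match.group(1) if match else text
    directives = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        directives[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return directives

def review(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    # A ticket for a realm Apache does not accept fails every Negotiate login.
    realm = d.get("krbservicename", "").rpartition("@")[2]
    if realm and realm not in d.get("krbauthrealms", "").split():
        findings.append("KrbServiceName realm is not listed in KrbAuthRealms")
    # K5Passwd is a Basic-auth fallback (the AD password crosses the wire): only acceptable under forced TLS.
    if d.get("krbmethodk5passwd", "off").lower() == "on" and "sslrequiressl" not in d:
        findings.append("KrbMethodK5Passwd on without SSLRequireSSL: password fallback in clear")
    # The bind DN's password and all group lookups travel in clear over ldap://.
    if d.get("authldapurl", "").startswith("ldap://"):
        findings.append("AuthLDAPURL uses ldap:// instead of ldaps://: bind password in clear")
    # Without a group requirement every authenticated domain user is authorized.
    if not d.get("require", "").startswith("ldap-group"):
        findings.append("no 'Require ldap-group': every AD user is authorized")
    return findings
```

Run against the slide's fragment it reports the two transport findings; adding SSLRequireSSL and switching the URL to ldaps:// clears them.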
Configure Firefox for Integrated Authentication
• By default, Firefox is not enabled for “Negotiate” authentication
Configure IE for Integrated Authentication
• By default, IE is not enabled for “Negotiate” authentication
Scenario 3: SLES and Samba as Domain Controller
Features
‣ SLES as domain controller (NT style)
‣ Windows workstations can consume domain, file- and printer shares
‣ Optional: Samba configuration in replicated LDAP directory
Technology components
‣ SLES 11 SP2
♦ Samba (v3.6)
♦ (OpenLDAP)
‣ Windows XP and 7
Troubleshooting
‣ smbclient, strace, lsof, netstat, tcpdump, Wireshark
‣ Logs: /var/log/samba/*
Scenario 3: Overview
[Diagram: SLES 11 SP2 running the Samba domain service, a file share and a printer share, with the Samba configuration and the domain users and groups stored in an OpenLDAP directory; Windows XP and Windows 7 clients with mapped shares and a network printer. Demo 1 and Demo 2 mark the demonstrated interactions.]
Scenario 3: Configuration Steps
• Steps on SLES
‣ Configure LDAP server using YaST
‣ Configure Samba domain using YaST
• Steps on Windows clients
‣ Join Samba domain
See also: Interop Demo appliance
Scenario 4: Remote Desktop
Use case
‣ Using the built-in Remote Desktop capability, log in on a Windows system
Technology components
• SLES 11 SP2
‣ rdesktop
‣ tsclient
• Windows 2008 R2
• Windows XP and 7
• Troubleshooting
‣ netstat, tcpdump, Wireshark
Scenario 4: Overview
[Diagram: SLED 11 SP2 with a Remote Desktop client connecting to the Remote Desktop service of Windows 7 and Windows XP systems and to the virtual desktops of a VDI farm.]
Scenario 4: Configuration Steps
• On SLE client
‣ Install the packages “rdesktop” and “tsclient”
‣ Configure remote desktop systems
• On Active Directory domain controller:
‣ Create AD Group: “Domain Remote Desktop Users”
‣ Add
• On Windows systems
‣ Add the AD group “Domain Remote Desktop Users” to local group “Remote Desktop Users”
See also: Interop Demo appliance
Scenario 5: Prototype Samba implementation of “Recovery Point”
Features
‣ Through integration of Btrfs, Snapper and Samba, SLES 11 SP2 provides a file share
‣ Automatic snapshots created by Snapper provide “Recovery Points” for files
‣ Through Windows Explorer, clients may access older versions of a file
Technology components
‣ SLES 11 SP2
♦ Btrfs and Snapper (prototype)
♦ Samba 4 (prototype)
‣ Windows XP and 7
See also: David Disseldorp's “Bleeding Edge Samba and Snapper” appliance
Scenario 5: Demo
[Diagram: SLES 11 SP2 running the Samba 4 service exports a file share, which a Windows XP client accesses as a network share. Timeline: file “test.txt” is created, automatic snapshots are taken by Snapper, file “test.txt” is changed, now. Previous versions of “test.txt” are shown in Explorer.]
Unpublished Work of SUSE. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.