Kangaroot SUSE TechUpdateInteroperability SUSE Linux Enterprise and Windows

Gábor NyersSystems Engineer @SUSE

gnyers@suse.com

2

Agenda

14:00 Kangaroot Update

SUSE Update

Data Center Interoperability – the playfield

Scenario's

SLES Participating in a Active Directory domain

Integration of Apache on SLES with Active Directory

15:30 Pause

SLES and Samba as domain controller

Remote Desktop

On the bleeding edge: Btrfs + Snapper + Samba = FSRVP

17:00 Refreshments

18:00 End

SUSE Update

4

SUSE Update

Last 3 months

• Changes in the Subscription Model

• SUSECon 2012‣ Visit the SUSE channel on

YouTube

• SUSE Manager Proof of Concept Programma

5

SUSE Update

Next 3 months

• SUSECon 2013

• SUSE Cloud‣ Topic of the next TechExchange

• New SUSE Customer Center

• New SUSE Partners in The Netherlands

6

SUSE Update

Improving services to help SUSE customers

Events, Workshops, Seminars

• TechExchange and TechTalk's

• Workshops for Special Interests, e.g.:‣ High Availability, RPM Packaging,

‣ SUSE Customer Center update

Trainings, Certification

• Advanced Technical Trainings

• CLA, CLP, CLE

• RHCE → CLP or CLE

7

SUSE Update

Improving services to help SUSE customers

Assessments

• In co-operation with partners

• Fix price / fix duration

• Topics:‣ Health check

‣ Patch Management

‣ Disaster Recovery

‣ Security and Hardening

‣ Migration physical to virtual

Interoperability Scenario's

9

Data Center InteroperabilityThe Playfield

UNIX

Mainframe

Linux Windows

Platforms Observable trends (in general):

‣ Legacy Unix holds or declines

‣ Mainframe:

♦ z/OS holds

♦ Linux on System z emerging

‣ Linux and Windows grow

10

> <

Linux – Windows Interoperability The playfield

UNIX

Mainframe

Linux Windows

Platforms Interoperability Topics

Services

Virtualization

Systems Management

Documents

Scripting Languages

Porting and running software

11

SUSE Linux Enterprise – Windows Interoperability

Example Services 1/2

‣ File and printer shares (Samba)

‣ Domain services (Samba)

‣ Directory services (Samba 4, openLDAP)

‣ Web services (Apache, Tomcat, ...)

‣ Network Proxy (Squid)

‣ E-mail (Postfix, Dovecot)

‣ Databases (MySQL, PostgreSQL)

‣ SSL certificates (OpenSSL, YaST CA)

‣ Remote Desktop (NX)

‣ DNS, DHCP

‣ VoIP (Asterisk)

etc...

Windows using services of SUSE Linux Enterprise (*)

(*) in braces the involved components on SLES

12

SUSE Linux Enterprise – Windows Interoperability

Example Services 2/2

‣ File and printer shares (Samba)

‣ Domain services (Samba)

‣ Directory services (Winbind)

‣ Web services

‣ Network proxy

‣ E-mail (Postfix, Dovecot)

‣ Databases (FreeTDS, JDBC)

‣ SSL certificates

‣ Remote Desktop (rdesktop)

‣ DNS, DHCP

etc...

SUSE Linux Enterprise using services of Windows

(*) in braces the involved components on SLES

13

Scenario's

1. SLES Participating in an Active Directory domain

2. Integration of Apache with Active Directory

3. SLES and Samba as domain controller

4. Windows Remote Desktop on Linux

5. Prototype Samba implementation of “Recovery Point”

14

Scenario's

Practical value vs. Maturity

Enterprise

Emerging

Practical value

MaturitySLES Participating in an Active Directory domain

Integration of Apache on SLES with Active Directory

SLES and Samba as domain controller

Windows Remote Desktop on Linux

Prototype Samba implementation of “Recovery Point”

1

2

3

4

55

4

3

2 1

15

Overview of SMB versions (*)

Samba 3.6 supports SMB 1.0, 2.0 and partly 2.1

(*) see also this blog article

16

Scenario 1:SLES as member server in Active Directory domain

Features‣ SLES as member server in

an Active Directory domain

‣ Used services♦ Directory and Authentication

through Winbind

♦ Mount Windows file share

‣ Provided services♦ File and print sharing for

Windows workstations

‣ PAM integration

Technology components‣ SLES 11 SP2

♦ Samba (v3.6)

‣ Windows 2008 R2

‣ Windows XP and 7

Troubleshooting:‣ wbinfo, smbclient,

strace, lsof, netstat, tcpdump, Wireshark

‣ Logs: /var/log/samba/*

17

Scenario 1: SLES as member server in Active Directory domain

Fileshare

Mountshare

SSHservice

SLES 11 SP2

Role: Member server in AD: ad.demo.lan

Hostname: interop01

Windows 7(win764.ad.demo.lan)

PAM

Windows XP(winxp01.ad.demo.lan)

Mappedshare

Shared folder

ActiveDirectory

Mappedshare

Mappedshare

Windows 2008 R2

Role: AD Domain ControllerAD: ad.demo.lan

Hostname: win200864

Demo 1

Demo 2

Demo 3

Demo 4

18

Scenario 1: SLES as member server in Active Directory domain

• Steps on SLES‣ Join the domain using

YaST Windows Domain Membership

‣ Manually configure pam_winbind to restrict allowed users

• Steps on Active Directory‣ Add group “SLES Shell Users”

‣ Add user “Administrator” to “SLES Shell Users”

• Steps on Windows Workstations‣ Map share

\\interop01\homes

/etc/security/pam_winbind.conf

[global]cached_login = yeskrb5_auth = yeskrb5_ccache_type = FILEdebug = yesrequire_membership_of = "SLES Shell Users"

See also: Interop Demo appliance

19

Scenario 2: Integration of Apache on SLES with Active Directory

Features‣ SLES as member server in

an Active Directory domain

‣ Browsers running on Windows workstations can transparently log in to Web applications

‣ Active Directory as provider for:♦ Authentication through Kerberos

♦ Authorization through LDAP

‣ Provided services♦ Web services by Apache/Tomcat

Technology components‣ SLES 11 SP2

♦ Samba (v3.6), mod_kerb_auth

‣ Windows 2008 R2

‣ Windows XP and 7

Troubleshooting‣ klist, strace, lsof, netstat,

tcpdump, Wireshark

‣ Firefox add-in Live Headers

‣ Logs: /var/log/apache2/*, /var/log/messages

20

Scenario 2: Integration of Apache with Active Directory

/secure

/

mod_kerb_auth

SLES 11 SP2

Role: Member server AD: ad.demo.lan

Hostname: interop04

Windows 7(win764.ad.demo.lan)

Apache

Kerberos

ActiveDirectory(LDAP)

Firefox

Windows 2008 R2

Role: AD Domain ControllerAD: ad.demo.lan

Hostname: interop01

Internet Explorer

1

2

3

4

21

Scenario 2: Integration of Apache with Active Directory

Configuration steps

• Steps on SLES‣ Join domain

‣ Create keytab

‣ Configure Apache

• Steps on workstations‣ Configure Integrated

Authentication for browsers

• Steps on Active Directory‣ Add user “sles-apache”

‣ Add group “SLES Web Users”

‣ Add user “Administrator” to “SLES Web Users”

See also: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol (MSDN)

See also: Interop Demo appliance

22

Configure Apache for Kerberos authentication

LoadModule auth_kerb_module /usr/lib64/apache2/mod_auth_kerb.soLoadModule ldap_module /usr/lib64/apache2/mod_ldap.soLoadModule authnz_ldap_module /usr/lib64/apache2/mod_authnz_ldap.so

<Location /secure> AuthName "---Restricted Access, please use your Active Directory credentials---" AuthType Kerberos KrbMethodNegotiate on KrbMethodK5Passwd on Krb5Keytab /etc/apache2/conf.d/sles-apache.krb5.keytab KrbAuthRealms AD.DEMO.LAN KrbServiceName HTTP/interop02.ad.demo.lan@AD.DEMO.LAN KrbLocalUserMapping On

AuthLDAPBindDN cn=sles-apache,cn=Users,dc=ad,dc=demo,dc=lan AuthLDAPBindPassword SecretPassword AuthLDAPURL "ldap://win200864.ad.demo.lan:389/dc=ad,dc=demo,dc=lan?sAMAccountName" AuthLDAPGroupAttribute member Require ldap-group cn=SLES Web Users,cn=Users,dc=ad,dc=demo,dc=lan</Location>

23

Configure Firefox for Integrated Authentication

• Firefox is by default not enabled for the “Negotiate” authentication

24

Configure IE for Integrated Authentication

• IE is by default not enabled for the “Negotiate” authentication

25

Scenario 3: SLES and Samba as Domain Controller

Features‣ SLES as domain controller

(NT style)

‣ Windows workstations can consume domain, file- and printer shares

‣ Optional: Samba configuration in replicated LDAP directory

Technology components‣ SLES 11 SP2

♦ Samba (v3.6)

♦ (OpenLDAP)

‣ Windows XP and 7

Troubleshooting‣ smbclient, strace, lsof,

netstat, tcpdump, Wireshark

‣ Logs: /var/log/samba/*

26

Scenario 3: Overview

Fileshare

SambaDomainservice

OpenLDAPDirectory

SLES 11 SP2

Windows XP Windows 7

Sambaconfig

Printershare

Mappedshare

Mappedshare

Networkprinter

DomainUsers and

Groups

Networkprinter

Demo 1 Demo 2

27

Scenario 3: Configuration Steps

• Steps on SLES‣ Configure LDAP server

using YaST

‣ Configure Samba domain using YaST

• Steps on Windows clients‣ Join Samba domain

See also: Interop Demo appliance

28

Scenario 4: Remote Desktop

Use case‣ Using the build in Remote

Desktop capability, log in on a Windows system

Technology components

• SLES 11 SP2‣ rdesktop

‣ tsclient

• Windows 2008 R2

• Windows XP and 7

• Troubleshooting‣ netstat, tcpdump, Wireshark

29

Scenario 4: Overview

RemoteDesktopservice

SLED 11 SP2

Windows 7Windows XP

VDI farm

RemoteDesktopservice

RemoteDesktop

client

Virtual Desktops

30

Scenario 4 Configuration Steps

• On SLE client‣ Install the packages:

“rdesktop” and “tsclient”

‣ Configure remote desktop systems

• On Active Directory domain controller:‣ Create AD Group: “Domain

Remote Desktop Users”

‣ Add

• On Windows systems‣ Add the AD group

“Domain Remote Desktop Users” to local group “Remote Desktop Users”

See also: Interop Demo appliance

31

Scenario 5: Prototype Samba implementation of “Recovery Point”

Features‣ Through integration of Btrfs,

Snapper and Samba, SLES 11 SP2 is providing a file share

‣ Automatic snapshots create by Snapper provide “Recovery Points” for files

‣ Through Windows Explorer clients may access older versions of a file

Technology components‣ SLES 11 SP2

♦ Btrfs and Snapper(prototype)

♦ Samba 4(prototype)

‣ Windows XP and 7

See also: David Disseldorp's “Bleeding Edge Samba and Snapper” appliance

32

Scenario 5: Demo

Fileshare

SLES 11 SP2

Windows XP

Samba4service

File “test.txt” is changed

Automatic snapshots by Snapper

File “test.txt” is created

Networkshare

Now

Previous versions of “test.txt” in Explorer

Thank you.

33

For more information please visit our website:www.suse.com

Unpublished Work of SUSE. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.