Square Pegs in Round Holes: Linux in a Windows World
Eric G. Wolfe <[email protected]> © 2008
Senior Linux Administrator, Marshall University
Slides, and code available at http://webpages.marshall.edu/~wolfe21
What is Active Directory?
Active Directory
• A pre-configured Authentication and Authorization solution, offered by Microsoft.
• Components
  o DNS
  o Kerberos
  o LDAP
  o MSRPC
• Pros
  o Simple to manage and maintain.
• Cons
  o Interoperability requires some knowledge of the underlying components.
What is Kerberos?
Kerberos
• A secure authentication protocol.
• Hashes, NOT passwords, are sent to the server.
• Tickets are granted to the client.
• Tickets can be used as authentication against services.
• Versions
  o MIT (US)
  o Heimdal (Swiss)
• Pros
  o Centralized user management.
  o Protocol transport is secure by default.
  o Third party support.
• Cons
  o Time synchronization must be precise.
  o Password management is not standardized.
What is LDAP?
Lightweight Directory Access Protocol
• A directory is like a database optimized for reads.
• LDAP is used for authorization.
• Contains centralized information
  o user and group
  o application configuration
• Pros
  o Usernames have a relationship to centralized attributes.
• Cons
  o Directory schema is not standardized.
  o Performance is hindered as the number of clients and applications increases.
What is MSRPC?
Microsoft Remote Procedure Call
• Modified version of The Open Group's DCE/RPC 1.1 (Distributed Computing Environment Remote Procedure Call)
• MSRPC is how Microsoft operating systems talk to each other.
  o "Domain Member" servers resolve usernames and groups between one another.
  o Remote Registry services
  o Administrative Tools - Microsoft Management Console
Setting up Kerberos: pam_krb5
This is specific to Red Hat Enterprise.
• Easy way
  o setup (select Authentication Config)
  o authconfig-tui
• Harder way, editing config files.
  o /etc/krb5.conf
  o /etc/pam.d/system-auth
Note: Debian/Ubuntu splits up system-auth into
  /etc/pam.d/common-auth
  /etc/pam.d/common-account
  /etc/pam.d/common-password
  /etc/pam.d/common-session
Video Demonstration
Setting up Kerberos: mod_auth_kerb
• Kerberos authentication in Apache
  o behaves like IIS Windows Integrated Authentication.
  o sets the $_SERVER['USERNAME'] environment variable for use in custom or third-party web applications.
• Authentication protocol is secured between the Domain Controller and web server.
  o still need SSL/TLS for client -> webserver.
• Edit two files
  o /etc/httpd/conf.d/auth_kerb.conf
  o /etc/httpd/conf.d/auth_kerb.keytab
Setting up Samba: Join a domain
– Edit /etc/samba/smb.conf (next slide)
– Configure services
  o chkconfig smb on
  o chkconfig winbind on
  o chkconfig nscd off
– Stop or start services
  o /etc/init.d/smb start
  o /etc/init.d/winbind start
  o /etc/init.d/nscd stop
– Join domain
  o net ads join createcomputer="Organizational Unit" -Uadministrator
Video Demonstration
Remote registry & DNS
DNS management
• Problems encountered
  o You can read AD-integrated zones from LDAP, but the majority of our zones are NOT AD-integrated.
  o We have thousands of internal reverse zones; it is tedious to maintain them on several servers individually.
  o There is no DNS standard allowing a slave server to grab all of the zone names off of a primary.
• Observations
  o Windows DNS can be read remotely from a registry branch with Samba.
Remote Registry & DNS: configuring dnsnarf
• Create a DNS service account in AD for the script.
• GPO settings
  o Registry key for non-administrator remote registry reads:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  o Set 'read' and 'apply gpo' permissions for your DNS service account.
Remote Registry & DNS: dnsnarf is born
Samba component used
• net rpc registry enumerate
  o manpage: net(8)
Remote registry location to read zones
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones
Example test command
  net -S kdc01.contoso.com \
      -U administrator -W CONTOSO.COM \
      rpc registry enumerate \
      "\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"
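The dnsnarf idea as a runnable sketch, added here and not the author's dnsnarf script: it parses the "Keyname = ..." lines that the net rpc registry enumerate command above prints for the Zones key and turns each zone into a BIND slave-zone stanza, so a Linux secondary can follow the Windows primary without every zone being typed by hand. The enumerate output below is constructed (the real run pipes the net command into zone_names), the master address 192.0.2.10 and the named.conf layout are assumptions, and zone names are validated before they are written out because they come from a remote machine and must not be able to alter the config syntax.

```shell
#!/bin/sh
# Constructed stand-in for `net rpc registry enumerate` output on the
# DNS Server\Zones key: one "Keyname = <zone>" line per subkey (assumed
# format). The last entry is deliberately malformed to show the filter.
SAMPLE_ENUM='Keyname   = contoso.com
Modtime   = Fri, 01 Feb 2008 10:00:00 GMT
Keyname   = 10.in-addr.arpa
Modtime   = Fri, 01 Feb 2008 10:00:00 GMT
Keyname   = 168.192.in-addr.arpa
Modtime   = Fri, 01 Feb 2008 10:00:00 GMT
Keyname   = bad zone{name}
Modtime   = Fri, 01 Feb 2008 10:00:00 GMT'

# zone_names: read enumerate output on stdin, print one zone name per line.
# Only names built from DNS label characters pass; anything else came from
# the remote registry untrusted and must never reach named.conf.
zone_names() {
    awk -F' = ' '/^Keyname/ {
        sub(/[ \t]+$/, "", $2)
        if ($2 ~ /^[A-Za-z0-9._-]+$/) print $2
    }'
}

# bind_slave_conf MASTER_IP: read zone names on stdin and emit a BIND
# slave-zone stanza per zone, transferring from the Windows DNS server.
bind_slave_conf() {
    master="$1"
    while IFS= read -r zone; do
        [ -n "$zone" ] || continue
        printf 'zone "%s" {\n\ttype slave;\n\tfile "slaves/%s.db";\n\tmasters { %s; };\n};\n' \
            "$zone" "$zone" "$master"
    done
}

# Demo run; in production replace SAMPLE_ENUM with the net command's output
# and redirect the result into a file that named.conf includes.
printf '%s\n' "$SAMPLE_ENUM" | zone_names | bind_slave_conf 192.0.2.10
```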
Questions?
Eric G. Wolfe <[email protected]> © 2008
Senior Linux Administrator, Marshall University
This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Slides and code available at http://webpages.marshall.edu/~wolfe21/