Unix/Windows Inter-Operability

Page 1: Unix/Windows Inter-Operability

Unix/Windows Inter-Operability

Page 2: Unix/Windows Inter-Operability

What do we want?

• Single Username/Password
• Access Users' files (N drive)
  – Personal Machine
  – Multi-User Machines
• Information about users
  – Name Service
• Simple Client Setup
• Multiple Namespaces?

Page 3: Unix/Windows Inter-Operability

UNIX files

• /etc/passwd
  – User account information
  – Name:DES#:uid:gid:Display Name:homedir:shell
• /etc/group
  – Group information and membership
  – Name:[hash]:gid:user1,user2...
• /etc/hosts ...
• Files are readable by all users

Page 4: Unix/Windows Inter-Operability

DES Encryption

• Encrypt a 64-bit block of zeros 25 times using a 12-bit salt and an 8-character password of 7-bit characters (56 bits).
• Designed to take 1 second on 1979 hardware. Brute force ~ 23,000,000,000 years.
• Only 94 characters on the keyboard: ~54.2 bits
• Moore’s law – 500,000 per sec: ~4500 years.
  – Dictionary attack takes only minutes

Page 5: Unix/Windows Inter-Operability

Shadow File

• Remove DES # from the public passwd file
• Shadow file only accessible by local root
• Add account management for password change frequency, expiry, etc.

Page 6: Unix/Windows Inter-Operability

Yellow Pages (aka NIS)

• Service on the network based on maps containing key-value pairs
• Add + at the end of files in /etc
• All machines in the same namespace see the same information.
• Central management of user accounts etc.
• Information now visible to all users on any machine on the network.

Page 7: Unix/Windows Inter-Operability

LDAP

• Lightweight Directory Access Protocol
• General mechanism
• Schema used to define objects
• Objects have named attributes
• Objects can be extended
• Can require authentication to connect
• Can secure individual objects

Page 8: Unix/Windows Inter-Operability

LDAP vs NIS

ypmatch -d rucsc 11420 passwd.byuid
sssadw:x:11420:11203:Anthony Worrall:/home/sufs1/ru10/ss/sssadw:/bin/csh

ldapsearch -h host -b "ou=people,dc=sse,dc=rdg,dc=ac,dc=uk" uidNumber=11420
uid=sssadw,ou=People,dc=sse,dc=rdg,dc=ac,dc=uk
cn=Anthony Worrall
mail=[email protected]
uid=sssadw
givenName=Anthony
sn=Worrall
objectClass=person
objectClass=organizationalPerson
objectClass=inetOrgPerson
objectClass=dspswuser
objectClass=account
objectClass=posixAccount
objectClass=shadowAccount
objectClass=top
loginShell=/bin/csh
uidNumber=11420
gidNumber=11203
homeDirectory=/home/sir/sssadw
gecos=Anthony Worrall

Page 9: Unix/Windows Inter-Operability

nsswitch.conf

• Controls where each name service gets its information

passwd:   files ldap
group:    compat
hosts:    nis dns [NOTFOUND=return] files
netgroup: nis

• Compat allows +/-[@netgroup] syntax in files
• getent instead of ypmatch and ldapsearch
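As an added example (not from the slides), a small Python simulation of the glibc lookup-order rules that nsswitch.conf expresses: each source reports a status, and a `[STATUS=action]` token after a source overrides the default, under which only SUCCESS stops the walk. Run over the slide's own `hosts:` line it shows why `[NOTFOUND=return]` after `dns` means a name DNS says does not exist is never looked up in /etc/hosts, while a dead DNS server (UNAVAIL) falls through to it. The host tables are constructed sample data.

```python
import re
# Only SUCCESS stops the walk by default; nsswitch.conf can override per status.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue", "UNAVAIL": "continue", "TRYAGAIN": "continue"}
NSSWITCH = """\
passwd:   files ldap
group:    compat
hosts:    nis dns [NOTFOUND=return] files
netgroup: nis
"""  # the nsswitch.conf lines shown on the slide

def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        database, _, spec = line.partition(":")
        entries = []
        for token in re.findall(r"\[[^\]]*\]|\S+", spec):
            if token.startswith("["):  # [STATUS=action ...] modifies the source before it
                for item in token[1:-1].split():
                    status, _, action = item.partition("=")
                    entries[-1][1][status.upper()] = action.lower()
            else:
                entries.append((token, {}))
        config[database.strip()] = entries
    return config

def lookup(config, database, key, sources):
    """Walk the sources in order; each returns (status, value). Gives (value or None, sources consulted)."""
    consulted = []
    for source, actions in config[database]:
        status, value = sources[source](key)
        consulted.append(source)
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return (value if status == "SUCCESS" else None), consulted
    return None, consulted

# Constructed sample data: 'oldbox' is decommissioned and survives only in /etc/hosts
NIS_HOSTS = {"rucsc": "10.0.0.5"}
FILES_HOSTS = {"oldbox": "10.0.0.9", "localhost": "127.0.0.1"}

def resolve_host(name, dns_up=True):
    """Resolve through the slide's 'hosts:' line; DNS knows none of the sample names."""
    def from_table(table):
        return lambda k: ("SUCCESS", table[k]) if k in table else ("NOTFOUND", None)
    sources = {"nis": from_table(NIS_HOSTS), "files": from_table(FILES_HOSTS),
               "dns": (lambda k: ("NOTFOUND", None)) if dns_up else (lambda k: ("UNAVAIL", None))}
    return lookup(parse_nsswitch(NSSWITCH), "hosts", name, sources)
```

The `consulted` list is the useful diagnostic: it shows which source answered, so a surprising result (a local override ignored, or an entry from the wrong directory) can be traced to the order in the file.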

Page 10: Unix/Windows Inter-Operability

Kerberos

• An Authentication Service (KDC)
• Obtain a ticket (Passport) at login
• Use ticket to access other services.
• Can also be used to authenticate clients, services, and encrypt traffic
• Based on principals “username@realm”
• Realms can have a trust relationship
• Pre-authentication needed for security

Page 11: Unix/Windows Inter-Operability

Kerberos client tools

• kinit
  – Get ticket for a principal using information from user input or file
• klist
  – List principals for current user or stored in a file
• kdestroy
• ktutil
  – Manage principals in keytab files

Page 12: Unix/Windows Inter-Operability

Pluggable Authentication Modules

• Stack of modules in 4 contexts
  – Auth: User authentication
  – Account: password/account expiry etc.
  – Session: session management e.g. logging
  – Password: how to change password etc.
• Each service such as login, ftp etc. can have its own stacks

Page 13: Unix/Windows Inter-Operability

Configuring Linux in SSE

• LDAP Settings
  – LDAP Server: sse.ad.rdg.ac.uk
  – Search Base: ou=unix,dc=sse,dc=ad,dc=rdg,dc=ac,dc=uk
  – Group member attribute: member
• Kerberos Settings
  – Default Domain: rdg.ac.uk
  – Default Realm: RDG-HOME.AD.RDG.AC.UK
  – KDC: rdg-home.ad.rdg.ac.uk

Page 14: Unix/Windows Inter-Operability

Name Service Cache Daemon

• NSCD saves the results of name service requests, including DNS lookups
• Some services are provided by multiple machines, so a cached host lookup would pin clients to one of them
  – rdg-home.ad.rdg.ac.uk
  – timehost.rdg.ac.uk
• Modify /etc/nscd.conf
  – enable-cache hosts no

Page 15: Unix/Windows Inter-Operability

Authentication vs Authorization

              AUTHENTICATION             AUTHORIZATION
KERBEROS      TICKET                     Windows Privilege Attribute Certificate (PAC) in the TGT contains the user and group SIDs
LDAP          Implementation Dependent   Schema objects and attributes

Page 16: Unix/Windows Inter-Operability

                  Name Server
Authentication    UNIX NS                          AD LDAP
AD Kerb.          1.                               2. Modify AD, pam.conf and nsswitch.conf
AD LDAP           3. Modify pam.conf               4.
UNIX Kerb         5. Kerberos Cross Realm Trust

Page 17: Unix/Windows Inter-Operability

Options of Integration

1. AD Kerberos Authentication, UNIX name service
2. AD Kerberos Authentication, AD name service
3. AD LDAP Authentication, UNIX name service
4. AD LDAP Authentication, AD name service
5. UNIX Kerberos with cross realm trust for authentication and UNIX name service

Page 18: Unix/Windows Inter-Operability

Option Requirements

Option   AD Kerberos   AD LDAP   UNIX Kerberos   UNIX NS
1        Yes           Yes       No              No
2        Yes           No        No              Yes
3        No            Yes       No              Yes
4        No            Yes       No              No
5        Yes           No        Yes             Yes

Page 19: Unix/Windows Inter-Operability

1. AD Kerberos Auth, UNIX NS

• Pros
  – Same username/password
  – Existing name service
  – Single Sign On available
• Cons
  – Need to maintain UNIX NS

Page 20: Unix/Windows Inter-Operability

2a. AD Kerberos, AD NS

• Pros
  – Single username/password
  – Single Name Store
  – 2003R2 supports RFC 2307 (homeDirectory?)
• Cons
  – Need to extend “user” class
  – Map Classes and Attributes on clients

Page 21: Unix/Windows Inter-Operability

2b. AD Kerberos, AD NS separate OU

• Pros
  – Only need AD DCs
  – Looks like UNIX OpenLDAP to clients (RFC 2307)
  – Allows Multiple Name Spaces
• Cons
  – Need to promote PosixAccount Class
  – Synchronise information between OUs

Page 22: Unix/Windows Inter-Operability

3. AD LDAP Auth, UNIX NS

• Pros
  – Same username/password
  – Existing name service
• Cons
  – Need to maintain UNIX NS
  – No Single Sign On

Page 23: Unix/Windows Inter-Operability

4. AD LDAP Auth, AD NS

• Pros
  – Only need AD DCs
• Cons
  – Need to extend users class or promote PosixAccount class
  – No Single Sign On
  – Need Proxy User to access NS

Page 24: Unix/Windows Inter-Operability

5. Cross Realm Trust

• Pros
  – Native Tools
  – User Principals in AD; Unix Services and Hosts Principals in Unix Kerberos
• Cons
  – Extra complication

Page 25: Unix/Windows Inter-Operability

Authentication

Kerberos
• Pros
  – Single Sign On to services
  – Apache Module
  – Authenticate services
• Cons
  – Host and Service Principals
• Modify
  – krb.conf
  – pam.conf
  – krb5.keytab

AD LDAP
• Pros
  – Simple
  – Used by web backends (PHP, Perl), Apache Module
• Cons
  – Need to secure connection
• Modify
  – pam.conf

Page 26: Unix/Windows Inter-Operability

AD as NS

Extend user class
• Pros
  – Single object to maintain
• Cons
  – Map objects and attributes on client (e.g. uid => sAMAccountName)

Promote PosixAccount
• Pros
  – Looks like UNIX OpenLDAP to clients
  – Allows Multiple Name Spaces
• Cons
  – Synchronise information between OUs
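As an added example (not from the slides), Python code that performs the client-side mapping this slide describes, turning a directory entry into a passwd line under two attribute maps: the RFC 2307 posixAccount attributes of the slide 8 ldapsearch output, and an assumed "extended user class" map where the account name comes from sAMAccountName and the gecos field from displayName. The AD entry and its map are constructed; the RFC 2307 entry reuses the slide 8 values. Entries that would produce a corrupt or dangerous passwd line (missing attribute, non-numeric id, a colon inside a field, an unexpected uid 0) are rejected rather than guessed at.

```python
# Client-side attribute mapping: directory entry -> passwd(5) line (added example)

# RFC 2307 posixAccount attributes, as in the slide-8 ldapsearch output
RFC2307_MAP = {"name": "uid", "uid": "uidNumber", "gid": "gidNumber",
               "gecos": "gecos", "home": "homeDirectory", "shell": "loginShell"}
# Assumed map for an AD "extended user class": account name from sAMAccountName,
# display name from displayName, POSIX ids from the RFC 2307 attributes 2003R2 added
AD_USER_MAP = dict(RFC2307_MAP, name="sAMAccountName", gecos="displayName")

def passwd_line(entry, attr_map, password_field="x"):
    """Build 'name:x:uid:gid:gecos:home:shell' from a dict of LDAP attribute values.
    Rejects anything that would yield a corrupt or misleading line instead of guessing."""
    values = {}
    for field, attr in attr_map.items():
        raw = entry.get(attr)
        if raw is None:
            raise KeyError(f"entry lacks {attr} (needed for passwd field {field!r})")
        if ":" in raw or "\n" in raw:   # a colon would shift every later field
            raise ValueError(f"{attr} contains a field separator: {raw!r}")
        values[field] = raw
    for field in ("uid", "gid"):
        if not values[field].isdigit():
            raise ValueError(f"{field} must be numeric, got {values[field]!r}")
    if values["uid"] == "0" and values["name"] != "root":
        raise ValueError(f"directory entry {values['name']!r} maps to uid 0")
    return ":".join([values["name"], password_field, values["uid"], values["gid"],
                     values["gecos"], values["home"], values["shell"]])

def safe_passwd_line(entry, attr_map):
    """Return (line, None) on success or (None, reason) so rejected entries can be logged."""
    try:
        return passwd_line(entry, attr_map), None
    except (KeyError, ValueError) as exc:
        return None, str(exc)

# Values taken from the slide-8 entry (single-valued attributes only)
SLIDE8_ENTRY = {"uid": "sssadw", "cn": "Anthony Worrall", "givenName": "Anthony", "sn": "Worrall",
                "uidNumber": "11420", "gidNumber": "11203", "homeDirectory": "/home/sir/sssadw",
                "loginShell": "/bin/csh", "gecos": "Anthony Worrall"}
# Constructed AD-style entry for the same person
AD_ENTRY = {"sAMAccountName": "sssadw", "displayName": "Anthony Worrall", "uidNumber": "11420",
            "gidNumber": "11203", "homeDirectory": "/home/sir/sssadw", "loginShell": "/bin/csh"}
```

Both maps produce the same passwd line for this user, which is the point of the mapping: the client sees identical data whichever schema the directory uses, and the checks keep a half-populated AD object from silently becoming an unusable or privileged local account.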

Page 27: Unix/Windows Inter-Operability

Unix Name Service

LDAP
• Pros
  – Out of the box
  – Can be restricted
• Cons
  – Complicated
  – Proxy user on clients if restricted

NIS
• Pros
  – Simple
  – Configuration by DHCP
• Cons
  – World readable

Page 28: Unix/Windows Inter-Operability

Network File System

• Mount directory from server on client (c.f. map network share)
• Host based security
• Client does authorization by user/group

Page 29: Unix/Windows Inter-Operability

NFS V4

• Server side authorization
• NTFS-like Access Control Lists
• Kerberos Support
  – Authentication
  – Integrity
  – Encryption
• Client principal needed to allow root to mount filesystem

Page 30: Unix/Windows Inter-Operability

smbmount

• Mount folder from Windows server using the CIFS protocol
• Single username and group mapping
• Need root access (sudo) to do mount
• Requires username and password on command line, in a file or from user input.

Page 31: Unix/Windows Inter-Operability

LUFS/FUSE

• Allows normal user to mount a “filesystem”
• Present sftp connection as filesystem
• Other backends available
• Similar problems to smbmount
• Performance issues?