handling posix attributes for trusted active directory
play

Handling POSIX attributes for trusted Active Directory users and - PowerPoint PPT Presentation

Dec 31, 2022 •8 likes •298 views

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

  1. Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0

  2. A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 1

  3. FreeIPA

  4. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 3

  5. FreeIPA: http://www.freeipa.org ฀ I: Identity ฀ LDAP-based store for common objects (users, groups, hosts, services, ...) ฀ 389-ds as an LDAP server with FreeIPA server-side plugins ฀ MIT Kerberos KDC with FreeIPA driver ฀ Integrated certificate management with Dogtag Certificate Authority ฀ Python-based command line and Web management tools ฀ P: Policy ฀ Delegation and separation of access ฀ Flexible delegation of editing controls ฀ Host-based access controls to services: ฀ Everything is denied by default, define rules to allow ฀ < user or group[, source host] > → < host, service > ฀ Rules enforced at client side with SSSD project ฀ A: Audit Coming ... 4

  6. FreeIPA: http://www.freeipa.org 5

  7. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 6

  8. FreeIPA supports Active Directory native cross-forest trusts ฀ FreeIPA acts as ‘Active Directory forest root domain’ that can only establish trust but can’t join Windows machines ฀ technically: KDC + CLDAP + LSA RPCs ฀ FreeIPA provides KDC and LDAP, Samba provides LSA RPC ฀ no Global Catalog yet ฀ Works well for Active Directory users accessing FreeIPA resources 7

  9. FreeIPA v3 architecture Full overview is available at http://freeipa.org/page/IPAv3_Architecture 8

  10. Identity management with cross-forest trust ฀ Identities of Active Directory users and groups resolved with the help of SSSD ฀ SSSD on IPA master talks to AD DCs and Global Catalog ฀ Kerberos credentials of host / ipa . master @ IPA . REALM are used to authenticate against AD DCs ฀ Two-way trust is needed to allow issuing cross-realm TGTs ฀ Other IPA clients’ SSSDs talk to IPA master to resolve AD users and groups 9

  11. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 10

  12. Original FreeIPA assumptions ฀ Linux users are in FreeIPA, single LDAP entry defines POSIX attributes ฀ SUDO rules are in FreeIPA as LDAP objects ฀ HBAC rules are in FreeIPA as LDAP objects ฀ Public SSH keys for users and hosts are in FreeIPA as well ฀ Two-factor authentication tokens are in FreeIPA as LDAP objects ฀ ... or referenced to external RADIUS servers defined as LDAP objects in FreeIPA 11

  13. Consequences ฀ Linux machines have uniform view of the information above ฀ No per-machine shell or home directory for a user ฀ No per-machine public SSH keys for users ฀ No Active Directory users or groups in LDAP 12

  14. FreeIPA is a progress ... ... in ID management on Linux but there are anomalies too: ฀ Migration from other solutions often imposes requirements: ฀ File servers might need to keep old user and group IDs for some time locally ฀ Users might want to use different shells or home directories per machine ฀ Public SSH keys access into a common account (think Gitlab or Github-like deployments) might differ per server ฀ Old application might rely on specific values of GECOS field for users 13

  15. FreeIPA is a progress ... ... in ID management on Linux but there are anomalies too: ฀ When Active Directory forest is trusted by FreeIPA: ฀ AD users and groups have templated POSIX attributes, no way to individualize them ฀ AD users cannot have associated public SSH keys ฀ When existing environment with AD synchronization is being migrated to AD Trusts ฀ AD users synchronized to IPA use UID/GID from IPA range ฀ AD users used via AD Trusts will use UID/GID generated from their SID or specific POSIX UID/GID 14

  16. We don’t like to see another Progress spin, don’t we? 15

  17. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 16

  18. Identity Views ฀ FreeIPA 4.1 introduced a way to redefine POSIX attributes for a group of machines ฀ ID View ฀ A container of ’corrected’ POSIX attributes for users or groups ฀ Can be applied to a host or a group of hosts, or to all hosts ฀ Each entry in the view is an override of the original attributes ฀ Defaults ฀ For FreeIPA users and groups the default values are in their primary entry ฀ For Active Directory users and groups there is a ’Default Trust View’ ฀ Overrides from the default trust view apply to all FreeIPA clients 17

  19. ID View overrides ฀ Each override applies to a single user or group User Group ฀ Description ฀ Description ฀ User login ฀ Group name ฀ User ID (uid) ฀ Group ID (gid) ฀ User GECOS field ฀ User group ID (gid) ฀ User home directory ฀ User shell ฀ User public SSH key 18

  20. How ID override looks like in LDAP? 19

  21. Application of ID views ฀ ID Views are applied on the IPA master and IPA client sides by SSSD ฀ Host-specific views applied on the IPA client directly ฀ Default trusted view applied by the IPA master ฀ It is not possible to use host-specific view on IPA master ฀ Key logic is performed by SSSD 1.12.2 or later ฀ Available in Fedora 21+, RHEL 6.7 beta, RHEL 7.1, CentOS 7.1 ฀ Legacy clients supported through the compat tree 20

  22. Application of ID views: IPA master ฀ Default Trust View overrides are always applied to Active Directory users and groups ฀ IPA clients always use IPA masters to resolve AD users and groups ฀ POSIX attributes from Default Trust View will be returned to all SSSD clients (Fedora, RHEL 6.x, RHEL 7.0, RHEL 7.1) ฀ Public SSH keys from Default Trust View will be returned to new SSSD clients (Fedora 21+, RHEL 7.1, RHEL 6.7) 21

  23. Application of ID views: IPA client ฀ IPA client’s SSSD applies host-specific ID view ฀ All attributes from the assigned ID View are applied ฀ ID overrides are applied per attribute per user ฀ Host-specific view is always applied last ฀ If no ID override exist for the attribute of the user in all views, original value is used 22

  24. Application of ID views: Legacy clients ฀ Legacy clients are those without SSSD supporting AD trusts ฀ RHEL 5.x, RHEL 6.x, AIX, Solaris, FreeBSD, other Linux machines without SSSD 1.12+ ฀ Legacy clients use compat tree for all requests ฀ Base DN: cn=compat,$SUFFIX ฀ RFC2307 schema, no public SSH keys ฀ Default Trust View is applied by IPA server automatically, no need to change anything on the legacy client ฀ To use host-specific view on top of that, change base DN on the client to cn=viewname,cn=views,cn=compat,$SUFFIX 23

  25. Caveats ฀ OTP tokens cannot be attached to Active Directory users in FreeIPA 4.1 yet ฀ RADIUS server authentication cannot be used for Active Directory users in FreeIPA 4.1 yet ฀ With SSSD before 1.12.2 ID overrides only be actual for groups at the user’s login time, not before ฀ Removing host-specific ID view from the host requires clean up of the SSSD cache and restart of SSSD on that host 24

  26. Resources ฀ Upstream design page ฀ http://www.freeipa.org/page/V4/Migrating_ existing_environments_to_Trust ฀ Red Hat Enterprise Linux Windows Integration Guide ฀ https://access.redhat.com/documentation/en-US/ Red_Hat_Enterprise_Linux/7/html/Windows_ Integration_Guide/ 25

  27. Demo

  28. Demo videos will be published on Youtube after Red Hat Summit in June 2015 27

  29. Questions & Answers ฀ Slides http://www.samba.org/~ab/sambaxp/2015/ 28

Recommend

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls, Active Directory is based on standard

557 views • 27 slides
Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and looks up entries that match attribute-based specifications (e.g., Microsoft's Active Directory Service, X.500 and LDAP) Case Study - X.500

515 views • 12 slides
Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory Collection of related objects Files, Printers, Fax servers etc. Directory Service Information needed to use and manage the objects. Source

438 views • 27 slides
Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher &lt;metze@samba.org&gt; Samba Team / SerNet 2018-06-07 https://samba.org/~metze/presentations/2018/SambaXP/ Talks at SambaXP/SDC 2017 Last year I gave talks

388 views • 27 slides
Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active Directory Disasters) Guido Grillenmeier Senior Consultant Technology Solutions Group Hewlett-Packard Agenda What is a Disaster? Authoritative

363 views • 19 slides
Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min

Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min

Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min Introduction Active Directory context NT inheritance SAM (Security Account Manager, Samba V3) Active Directory (2000 2003)

429 views • 27 slides
Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in Azure Active Directory (https://azure.microsoft.com/en- us/services/active-directory/) using the Azure Resource Manager API's. Documentation regarding

925 views • 46 slides
Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of attributes Miroslav Milinovic, University Computing Centre, University of Zagreb Jasmina Hodzic, Center for Information Technology Services,

1.65k views • 20 slides
Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights Directory of accurate, trusted provider data available to vetted healthcare entities (Not consumer-facing) Authoritative data sources that feed the

529 views • 11 slides
POSIX IPC: Overview primitive POSIX function description message queues create or access

POSIX IPC: Overview primitive POSIX function description message queues create or access

CPSC-313: Introduction to Computer Systems POSIX IPC POSIX Inter-Process Communication (IPC) Message Queues Shared Memory Semaphores Reading: R&amp;R, Ch 15 POSIX IPC: Overview primitive POSIX function description message

392 views • 6 slides
Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

25. DECUS Symposium 16.04.2002 Windows.NET Beta 3 Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features Active Active Directory New Features Wolfgang Werner Wolfgang Werner Compaq Compaq Decus Bonn

588 views • 31 slides
Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com www.ADSecurity.org TrimarcSecurity.com ABOUT Founder Trimarc, a security company. Microsoft Certified Master (MCM) Directory Services

1.35k views • 100 slides
Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory

Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory

Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory Terms Domain: A directory of users, groups, roles, etc... User: An individual accounts Group: A collection of other users and groups Role: Something that

492 views • 22 slides
XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling Overview by Yuri Demchenko On behalf of OSG/EGEE AuthZ Interoperability WG and Phosphorus project SNE Group, University of Amsterdam TF-EMC2 Meeting 3

633 views • 50 slides
www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

POSIX I/O High Performance Computing Extensions Brent Welch (Speaker) Panasas www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read, write, stat) have semantics that can make it hard to achieve high

674 views • 24 slides
Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers

Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers

21/05/2013 Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers (ADUC) Active Directory Users and Computers (ADUC) After installing AD DS, the next task is to create your Organizational Units,

535 views • 41 slides
Posix-Free File Systems in the Cloud Jeff Chase Duke University Beyond Posix

Posix-Free File Systems in the Cloud Jeff Chase Duke University Beyond Posix

Posix-Free File Systems in the Cloud Jeff Chase Duke University Beyond Posix Filesystem Posix file system semantics? open(2) Hierarchical directories with aliasing Human-readable symbolic names Atomic ops on

599 views • 12 slides
How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15

How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15

How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15 -&gt; 16:00 #RomHack2019 28th of September 2019 in Rome Whoami Vincent LE TOUX https://www.pingcastle.com / @mysmartlogon Management (Architect,

584 views • 35 slides
Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory features in Samba What has been done in the last year? Samba 4.9 Password and membership change auditing LMDB back-end (semi-experimental)

1.06k views • 49 slides
thread creation / POSIX / process management 1 Changelog 21 January 2020 (between 12:30pm and

thread creation / POSIX / process management 1 Changelog 21 January 2020 (between 12:30pm and

thread creation / POSIX / process management 1 Changelog 21 January 2020 (between 12:30pm and 3:30pm lecture): added alternate version of typical pattern slide 1 last time handling non-system-call exceptions context switching in xv6

1.41k views • 124 slides
Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick Mike Dorman cjellick@godaddy.com mdorman@godaddy.com Go Daddy OpenStack Cloud Platform Group Agenda OpenStack at Go Daddy Keystone

875 views • 28 slides
Zoho Corporation Bootstrapped and profitable 2018 6,500 Employees 65% Fortune 500

Zoho Corporation Bootstrapped and profitable 2018 6,500 Employees 65% Fortune 500

Zoho Corporation Bootstrapped and profitable 2018 6,500 Employees 65% Fortune 500 35 million users 2001 2005 1996 190+ countries IT service Active Directory management management Help desk Active Directory

516 views • 26 slides
Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus Works mostly in Infrastructure security. Passionate about offensive security. CRTE and CRTP certified. Member of DEF CON Trivandrum

457 views • 18 slides
ScoutFS: POSIX Archiving at Extreme Scale Zach Brown, Versity MSST 2019 POSIX Archiving with

ScoutFS: POSIX Archiving at Extreme Scale Zach Brown, Versity MSST 2019 POSIX Archiving with

ScoutFS: POSIX Archiving at Extreme Scale Zach Brown, Versity MSST 2019 POSIX Archiving with ScoutFS POSIX: NFS / SAMBA / RSYNC / CUSTOM ScoutFS SAN Fabric ScoutAM Archive Manager Archival Storage Archival Filesystem Differences Built

443 views • 8 slides

More recommend