samba and chrome os
play

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen - PowerPoint PPT Presentation

Sep 10, 2022 •318 likes •774 views

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP, Gttingen June 06, 2018 Topics Chrome OS and Chromebooks Active Directory Integration How it works, management, Android apps, certificates,

  1. Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP, Göttingen June 06, 2018

  2. Topics Chrome OS and Chromebooks Active Directory Integration How it works, management, Android apps, certificates, file shares Under the Hood D-Bus interface, Samba usage, Kerberos integration, Sandboxing Summary and Future Plans

  3. Chrome OS Chrome OS is a Linux-based OS built around Chrome Designed based on the 3S: Simplicity , Security and Speed

  4. Chromebooks - History First Chromebooks shipped in 2011 Today more than 50 models, different form factors Popular in US schools with ~60% market share* * Source: https://www.zdnet.com/article/windows-pcs-gain-share-in-k-12-in-the-u-s-but-chromebooks-still-dominate/

  5. Chromebooks - Evolution First Chromebooks “Laptops running Chrome” Today’s Chromebooks Run Android apps (ARC++) Run Linux apps (Crostini) Run Windows apps (CrossOver)

  6. Chrome OS and Chromebooks Google Pixelbook

  7. Chrome OS and Chromebooks Requires a Google account Can be unmanaged (private) or managed (enterprise, schools) Management via cloud-based console

  8. Cloud-Based Management Management Console Chromebook

  9. Chromebooks in Enterprises I’ I’m an Active Directory admin and I I want to try out Chromebooks in my company Requires a Google account Not tied to enterprise identity ● Could use sync tool to create Google accounts for employees and sign in with SAML ● Admins might not want to/be able to share employee data with Google ● Separate management (Active Directory GPO + Google Cloud) Companies might not want all/any Google services Large up-front investment!

  10. Active Directory Integration Go Goal: Make it easy to use Ch Chromebooks in Active Directory environments No Google account necessary Management via Active Directory Group Policy Launched Aug 2017 as part of Chrome Enterprise Under the hood: Samba in sandboxed system daemon

  11. AD Integration - How it works Step 1: Register domain with Google One-pager Mainly for license counting, config All steps on Help Center

  12. AD Integration - How it works Step 2: On fresh Chromebook Press CTRL+ALT+E to enroll Enter Google domain credentials Enter Active Directory credentials + computer name Computer shows up in Active Directory All steps on Help Center

  13. AD Integration - How it works Step 3: Log in with Active Directory credentials All steps on Help Center

  14. AD Integration - Features Identity tied to Active Directory Handles password change Management via Group Policy Kerberos SSO Android apps Support for certificates, file shares, printing

  15. AD Integration - Management Managed by Group Policy Download and install Chrome OS ADMX templates Edit policies in Active Directory Group Policy Object (GPO) editor applies to device account (Chrome OS device policy) applies to user accounts (Chrome OS user policy)

  16. AD Integration - Management GPO Editor Chromebook

  17. AD Integration - Management JSON for complex policies, e.g. Default printer selection rules

  18. AD Integration - Android Apps Android apps are per user Requires SAML setup to prove user identity to Google Google creates a shadow account with scope limited to Android apps Service Provider Identity Provider (Google server) (ADFS/Active Directory) Client (Chromebook)

  19. AD Integration - Android Apps SAML sign-in page appears on first login (unless Kerberos SSO is set up)

  20. AD Integration - Android Apps Admin can Pick apps that users can install ● → PlayStore admin console Force install or preload apps ● → ArcPolicy policy Pin apps to launcher ● → PinnedLauncherApps policy

  21. AD Integration - Certificates Server and Authority Certificates → OpenNetworkConfiguration policy (spec) { "Type": "UnencryptedConfiguration", "Certificates": [ { "GUID": "my_cert", "TrustBits": [ "Web" ], "Type": "Authority", "X509": "<base-64 encoded X.509 file>" } ] }

  22. AD Integration - Certificates Client Certificates → Chrome OS Certificates Enrollment Chrome Extension Configured in GPO editor (needs ADMX templates*) Requests certs from ADCS Keys are hardware-backed * Currently not publicly available, but we’re working on it. Just ask for now!

  23. AD Integration - File Shares Currently (being deprecated) → Network File Share for Chrome OS Chrome extension SMB file shares only Uses Samba as well!

  24. AD Integration - File Shares Configuration in Chrome OS Files App with SMB Share

  25. AD Integration - File Shares File shares extension is being deprecated Slow ● Requires reauthentication every time ● Under development: Native integration Chrome OS system daemon ● Fast ● Kerberos SSO ● Expected on beta channel in Q3 ●

  26. AD Integration - Under The Hood Chrome OS system daemon with D-Bus interface Calls Samba binaries net, smbclient and kinit, klist, kpasswd Manages Kerberos ticket Sandboxed with Minijail

  27. AD Integration - D-Bus Interface JoinADDomain Joins machine to Active Directory domain AuthenticateUser Gets Kerberos ticket GetUserStatus Returns Kerberos ticket status, password status and user info GetUserKerberosFiles Returns Kerberos ticket and Kerberos configuration (krb5.conf)

  28. AD Integration - D-Bus Interface RefreshUserPolicy Retrieves user policy from Active Directory and stores it securely RefreshDevicePolicy Retrieves device policy from Active Directory and stores it securely SetDefaultLogLevel Turns on debug logs, used by “crosh” command authpolicy_debug

  29. AD Integration - Samba Usage net ads join Joins machine to Active Directory domain net ads info Looks up key distribution center (KDC) IP and server time net ads lookup Looks up domain controller (DC) name net ads workgroup Looks up workgroup

  30. AD Integration - Samba Usage net ads search Looks up user information (first name, last name, sAMAccountName, …) net ads gpo list Gets list of GPOs that apply to user/device account smbclient Downloads GPOs from sysvol

  31. AD Integration - MIT-KRB5 Usage kinit Gets Kerberos ticket klist Checks validity and lifetime of Kerberos ticket kpasswd Rotates machine password (every 30 days by default)

  32. AD Integration - Native Kerberos integration Daemon gets Kerberos ticket during sign-in Handles ticket renewal Provides ticket to Chrome Kerberos SSO ● Automatically signs in to pages requiring Integrated Windows Authentication through GSSAPI Controlled by policies for HTTP authentication ●

  33. AD Integration - Sandboxing As every large project, Samba has security flaws Minimize impact of security issues by reducing attack surface In case process is hijacked, hackers have less options Limit what the process can do using Minijail

  34. Pillars of Sandboxing I: Don’t run as root Root can do anything! Run as non-root user and group minijail0 -u user -g group /path/to/mydaemon

  35. Pillars of Sandboxing II: Only keep capabilities you need Linux has over 30 capability flags to do root-y stuff CAP_SETUID, CAP_SETGID to set user/group ● CAP_CHOWN to change ownership of a file ● Minijail lets you keep a subset of capabilities, e .g. minijail0 -u user -g group -c c0 /path/to/mydaemon CAP_SETUID | CAP_SETGID = Bits 6, 7 = 0xc0

  36. Pillars of Sandboxing III: Filtering system calls Linux has over 300 system calls read , write for file manipulation ● connect , sendto for networking ● Can specify a whitelist (seccomp filter) for syscalls minijail0 -S whitelist_file /path/to/mydaemon mydaemon crashes if another syscall is executed whitelist_file read: 1 write: 1

  37. Pillars of Sandboxing III: Filtering system calls complex_whitelist_file Can only pass TCGETS and TCSETS as second ioctl: arg1 == TCGETS || arg1 == TCSETS argument to ioctl mmap: arg2 in 0xfffffffb || arg2 in 0xfffffffd Memory can’t be both writeable (PROT_WRITE, bit 1) mprotect: arg2 in 0xfffffffb || arg2 in 0xfffffffd and executable (PROT_EXEC, bit 2).

  38. Pillars of Sandboxing III: Filtering system calls Generating a policy file 1) strace -f <cmd> 2>strace.log 2) generate_seccomp_policy.py strace.log > whitelist_file Seccomp filtering caveats - Syscalls are platform dependent! Need separate policy files. - Did your strace hit all code paths? Might miss some syscalls.

  39. Pillars of Sandboxing IV: Namespacing Process ID namespace Hides other processes Mount namespace Hides parts of the file system Makes parts read-only Other namespaces: IPC, cgroup, network, user, UTS

  40. Pillars of Sandboxing IV: Namespacing Example: Process ID namespace # minijail0 -p /bin/ps -A PID TTY TIME CMD 1 ? 00:00:00 minijail-init 2 ? 00:00:00 ps

  41. Pillars of Sandboxing IV: Namespacing Example: Mount namespace # minijail0 -v -P /tmp/my_root_folder \ -b /bin,/bin /bin/ls / bin -v Enter mount namespace -P Enters a pivot root (“unmounts everything”) -b /bin,/bin Bind-mounts /bin only

Recommend

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

Snagit for Google Chrome: Instructions IMPORTANT. You will need to be in Chrome and Not on Chrome for this app to work. (go to Chrome first, then go to whatever site you plan to screencast.) 1. Open Chrome, Type in Snagit for Chrome.

184 views • 3 slides
Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org jeremy.allison@hp.com Where we are now : Samba 2.2 The current Samba is a credible replacement for a Windows server providing file and

529 views • 19 slides
Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat / Samba Team) About Samba and RedHat Currently 7 Samba Team members inside RedHat Creators and users of Samba technology for authentication

836 views • 45 slides
Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp

Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp

Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp ddiss@samba.org Agenda Clustered Samba Witness Protocol Demo Outlook Clustered Samba Samba File and print server SMB / CIFS, SMB2

428 views • 40 slides
Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org

Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org

Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org Agenda Reasons to move to Python3 What is supported in what release Some history of the porting effort Challenges Lessons learned

815 views • 19 slides
Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL,

296 views • 10 slides
The Important Details Of Windows Authentication Stefan Metzmacher &lt;metze@samba.org&gt; Samba

The Important Details Of Windows Authentication Stefan Metzmacher &lt;metze@samba.org&gt; Samba

The Important Details Of Windows Authentication Stefan Metzmacher &lt;metze@samba.org&gt; Samba Team / SerNet 2017-05-04 https://samba.org/~metze/presentations/2017/SambaXP/ Topics Windows Domains, Forests and Trusts Netlogon Secure

497 views • 34 slides
SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP -

SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP -

SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP - 2016-05-11 Introduction SMB - mini history SMB: created around 1983 by Barry Feigenbaum, IBM SMB in Lan Manager: around 1990 SMB in Windows for

1.29k views • 58 slides
Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May

Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May

Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May 21, 2015 We use a lot of VMs and containers for testing and building Samba. The setup and maintenance of these machines requires a lot of work. How

351 views • 20 slides
Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me Andrew Bartlett Samba T eam member since 2001 Working on the AD DC since 2006 These views are my own, but I do with to thank:

856 views • 36 slides
Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017

Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017

Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017 Introductions Introductor a t i o n a r y e s q u e n e s s e si s m Me: Samba Team Elder SMB Wizard with: The opinions expressed are my

874 views • 21 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team / SerNet 2012-09-17 Hi there! Oh ... ... please interrupt with questions! Michael Adam SMB2+ in Samba (3 / 20) SMB2 in Samba Only SMB 2.0

1.35k views • 75 slides
Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP

Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP

Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP 2017 Andrew Bartlet Samba developer since 2001 Working on the AD DC since soon afuer the start of the 4.0 branch, since 2004! Driven to

664 views • 44 slides
A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / /

A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / /

A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / / June 2018 Samba is a member project of the Sofuware Freedom Conseraancy Andrew Bartlet and Catalysts Samba Team Samba Deaeloper since 2001

436 views • 30 slides
Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The

Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The

Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The Samba4 torture suite is an extensive, general purpose CIFS test suite. It is not Samba specific. All CIFS vendors should take advantage of it to

377 views • 21 slides
MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner

MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner

MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner &lt;gd@samba.org&gt; Red Hat May 21th, 2015 Andreas Schneider &lt;asn@samba.org&gt; G

1.17k views • 29 slides
New printing protocols in Samba Gnther Deschner &lt;gd@samba.org&gt; Agenda MS16-087

New printing protocols in Samba Gnther Deschner &lt;gd@samba.org&gt; Agenda MS16-087

New printing protocols in Samba Gnther Deschner &lt;gd@samba.org&gt; Agenda MS16-087 RPRN and PAR PAR support detection Print Driver Packages Driver Signing Core Printer Drivers Current state of PAR in

579 views • 45 slides
THE SELFTEST SUITE Testing Samba May 21th, 2015 Andreas Schneider Red Hat Inc. Samba Team Who

THE SELFTEST SUITE Testing Samba May 21th, 2015 Andreas Schneider Red Hat Inc. Samba Team Who

THE SELFTEST SUITE Testing Samba May 21th, 2015 Andreas Schneider Red Hat Inc. Samba Team Who am I? The Selftest Suite Running tests Writing tests ABOUT ME I'm a Free and Open Source Software developer working on: Samba - The domain

383 views • 25 slides
Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP

Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP

Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP 2017 2017-05-03 Intro M.Sc. in Computational Biology Ph.D. in Microbiology Samba Team member 2/45 Overview Programming

776 views • 45 slides
Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory features in Samba What has been done in the last year? Samba 4.9 Password and membership change auditing LMDB back-end (semi-experimental)

1.06k views • 49 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b October 2012 2012 Luminant Corporate Safety David Friedman, CIH, MSPH, ARM Background Information Situation occurred at a lignite plant in Central

495 views • 25 slides
Present And Future File Serving With Samba LinuxCon Europe 2014 Michael Adam Samba Team / SerNet

Present And Future File Serving With Samba LinuxCon Europe 2014 Michael Adam Samba Team / SerNet

Present And Future File Serving With Samba LinuxCon Europe 2014 Michael Adam Samba Team / SerNet October 14, 2014 Samba... Michael Adam SambaFS (2/40) Short History 1.9.17: 1996/08 2.0: 1999/01: domain-member, +SWAT 2.2: 2001/04:

553 views • 40 slides

More recommend