Single Sign On
Setting up automatic authentication to Linux/Unix hosts from a Windows client.
Christopher J. Cox

Linux Is As Linux Does
Throughout this presentation, I will use the word Linux to mean a full Linux distribution with all of the GNU and non-GNU software that often comes with a Linux distribution, or at least is easily added as free software. The term GNU/Linux is simply no longer sufficient to cover everything, since there are free sources of software under BSD, MIT and other licenses. While some licenses are easily encompassed by GNU, others are not.

Domain Expectations
Questions?
Single Sign On
Single Sign On - The ability to authenticate one time for access to many resources.
All promise WAYS of achieving Single Sign On, but actual implementations are rare or limited to very homogeneous network environments.

Simple Single Sign On
SSH is an easy way to create Single Sign On.
user@myhost:~> ssh-keygen -t rsa -b 1024
user@myhost:~> ssh foreignhost "cat >>.ssh/authorized_keys2" <~/.ssh/id_rsa.pub
Password: <password>
user@myhost:~> ssh foreignhost
user@foreignhost:~>

SSH for Windows
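The one-liner above does the job, but it has two sharp edges that bite on a fresh account: `cat >>.ssh/authorized_keys2` fails if `~/.ssh` does not exist yet, and sshd (with StrictModes on, the default) silently ignores the key file when it or `~/.ssh` is group- or world-writable. The script below is an added example, not code from the presentation; it installs a key line idempotently with the permissions sshd expects. The target home directory is a parameter so it can be exercised against a scratch directory, and `install_authorized_key` / `count_key` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the presentation): install one public key line into an
# account's authorized_keys, creating ~/.ssh with the permissions sshd's StrictModes
# requires, and never appending a key that is already present.

install_authorized_key() {
    home_dir="$1"    # home directory of the target account
    pubkey="$2"      # one public key line, e.g. the contents of ~/.ssh/id_rsa.pub
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A key line is "<type> <base64> [comment]"; refuse anything that does not look like one.
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing to install malformed key line" >&2; return 1 ;;
    esac

    # The slide's `cat >>.ssh/authorized_keys2` fails when ~/.ssh is missing, and sshd
    # ignores the file when it or the directory is group/world writable.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file" || return 1

    # Compare type and key material only, so a different comment is not a new key.
    keypart=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if awk -v k="$keypart" '($1 " " $2) == k {found=1} END {exit !found}' "$auth_file"; then
        return 0    # already installed, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Number of authorized_keys lines carrying the given key (type + material), for checks.
count_key() {
    keypart=$(printf '%s\n' "$2" | awk '{print $1 " " $2}')
    awk -v k="$keypart" '($1 " " $2) == k {n++} END {print n + 0}' "$1/.ssh/authorized_keys"
}
```

Run it on the remote side as `install_authorized_key "$HOME" "$(cat)" < id_rsa.pub` piped over ssh, or locally against a scratch directory to see the permissions it sets. Running it twice with the same key leaves a single line in the file.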
PuTTY Simple Single Sign On
We're Done (???)
Simple as that... BUT...
Can we do better?

Linux/Unix Domains
Samba to the Rescue?
Samba - Brings SMB protocols (file/print sharing) to Linux/Unix AND the promise of full Windows Domain support.

Quandary
Windows is NOT about integration.
It is easy to get Windows to not own DNS and DHCP, but very difficult for it to not own the username database. Therefore, in a mixed network, Windows gets to own at least the username database portion.

Winbind
Samba has a feature called Winbind that allows users from a Windows Domain to become available transparently on a Linux/Unix host.
Winbind works well but leaves the Linux/Unix server in a subservient role. It is primarily designed for situations where Linux/Unix boxes are to be value-added servers in a Windows network.

Sometimes You Need Two
A balance is to use both Windows Domain based user accounts AND NIS/LDAP accounts with some kind of synchronization.

Solution Overview
The balanced approach:

What Happened to Unix?
Linux simply does a much, much better job in supporting the protocols and subsystems used than commercial Unix. It is a much better integration platform and therefore better suited than Unix to handle enterprise level infrastructure pieces. You could use Unix, but it would take much, much longer to make it functional.

Overview Diagram

Not Covered Here
Time does not permit adequate treatment of the setting up of DNS/DHCP (with dynamic DNS) and basic NIS/NFS concepts.

NFS Home Directories and NIS
For normal Linux/Unix logins, create a centralized NFS exported home directory on

Initial Global Samba Config
The [global]
workgroup = THEENDLESSHOME
server string = FBC Proxy and Home Directory Server
security = DOMAIN
map to guest = Bad User
realm = theendlesshome.com
winbind trusted domains only = yes
winbind use default domain = yes
password server = *
username map = /etc/samba/smbusers
log level = 5

Initial Samba Homes Config
This will allow the [homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
inherit acls = Yes

Joining the Windows Domain
Ideally, any Linux/Unix box that needs to know about the Windows Domain needs to be joined to it. Our Windows 2003 Server is called
$ net ads join -S w2k3 -U Administrator
Using short domain name -- THEENDLESSHOME
Joined 'FBCPROXY' to realm 'THEENDLESSHOME.COM'
Test the join by trying to retrieve the users from
$ net user -U Administrator
Administrator's password:
Administrator
Guest
... etc ...

Using your Windows Password Instead
The Samba config so far would allow us to get to our shared home directory from Windows, but we can allow direct logins using our Windows password from
Install
Then you must start up the
# /etc/init.d/pamsmbd start

Configuring PAM to Allow Windows Auth
On SUSE, we will place our
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_smb_auth.so debug cachetime=20 use_first_pass
You should now be able to login as

NIS Insecurity
As mentioned earlier, NIS is insecure in that the DES encrypted password strings are easily retrieved for brute force password cracking attempts. While we could prevent the use of NIS passwords on a host and just use
So instead, we'll simply change the DES string to something that would be hard or impossible to enter. For simplicity, we'll use the DES string of

Creating NIS Users Automatically
Assuming that we use our Samba home directory as our Windows home directory, when a user logs into the Windows Domain on a Windows XP host (for example), their home directory will get mapped to a drive letter. Samba has a global setting that can be used to perform an action when an unknown user attempts to access a resource. On
add user script = /usr/local/sbin/nis_add_user %u %I
Now we simply need to create our NIS Add User Script
#!/bin/sh
# nis_add_user: invoked by Samba's "add user script" as nis_add_user %u %I
username="$1"
ip="$2"
pid=$$
logger -p auth.warning -t nis_add_user "IP [$ip] requested add user [$username]"
rm -f /tmp/nis_add_user.$pid
# create the account, force an unusable DES field, point the home at the NFS export,
# then rebuild the NIS maps; the chain stops at the first step that fails
useradd -m "$username" &&
echo "${username}:OkBadPassword" >/tmp/nis_add_user.$pid &&
chpasswd -c des -e /tmp/nis_add_user.$pid &&
usermod -d "/home/nfshome/${username}" "${username}" &&
(cd /var/yp;make)
rc=$?
[ $rc -eq 0 ] && logger -p auth.warning -t nis_add_user "IP [$ip] added user [$username]"
rm -f /tmp/nis_add_user.$pid
# exit with the status of the chain above, not of the last rm
exit $rc
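The add user script runs as root with `%u` taken verbatim from whatever the Windows client presented, and it writes a predictably named file under /tmp. The script below is an added example, not the script from the presentation: it keeps the same flow (useradd, an un-enterable "OkBadPassword" DES field as described under NIS Insecurity, the NFS home, a NIS map rebuild) but validates the username before it reaches useradd or the chpasswd input, uses mktemp for the temporary file, and exits with the status of the useradd chain. `DRY_RUN`, `log_auth`, `valid_username` and `chpasswd_line` are names and knobs assumed for this example; the paths follow the presentation.

```shell
#!/bin/sh
# Added example, not the presentation's script: a hardened nis_add_user.
# Samba hands %u to the script exactly as the client supplied it, so the name is
# checked first; the temp file comes from mktemp rather than /tmp/nis_add_user.$$;
# DRY_RUN (assumed for this example) skips the privileged commands so the flow can
# be exercised without root.

log_auth() {
    # syslog when logger is available, stderr otherwise
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t nis_add_user "$1"
    else
        echo "nis_add_user: $1" >&2
    fi
    return 0
}

# Accept only names that cannot inject into passwd/chpasswd lines or be parsed as
# options: lowercase letters, digits, '_' and '-', no leading '-', at most 32 chars.
valid_username() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 32 ] || return 1
    case "$name" in
        -*) return 1 ;;
        *[![:lower:][:digit:]_-]*) return 1 ;;
    esac
    return 0
}

# The chpasswd -e line: "OkBadPassword" is not a valid crypt(3) output, so no typed
# password can match the NIS entry and logins fall through to pam_smb_auth.
chpasswd_line() {
    printf '%s:OkBadPassword\n' "$1"
}

nis_add_user() {
    username="$1"
    ip="$2"
    if ! valid_username "$username"; then
        log_auth "IP [$ip] rejected add user [$username]"
        return 1
    fi
    log_auth "IP [$ip] requested add user [$username]"
    tmp=$(mktemp /tmp/nis_add_user.XXXXXX) || return 1
    rc=0
    if [ -z "$DRY_RUN" ]; then
        useradd -m "$username" &&
        chpasswd_line "$username" >"$tmp" &&
        chpasswd -c des -e <"$tmp" &&
        usermod -d "/home/nfshome/$username" "$username" &&
        (cd /var/yp && make) || rc=$?
    fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && log_auth "IP [$ip] added user [$username]"
    return "$rc"
}

# Samba invokes the script as: nis_add_user %u %I
if [ -n "${1:-}" ]; then
    nis_add_user "$1" "$2"
fi
```

Rejected names are logged with the requesting IP at the same auth.warning priority as successful adds, so an unexpected stream of rejections from one client is visible in the same log the original script already writes to.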
Test Add New User
Test NIS Login
PuTTY Simple Single Sign On
PuTTY Pageant Startup Using Key
Done?
Some issues/limitations:

Demo and Questions