One User, One Password: Integrating Unix Accounts and Active Directory

David J. Blezard & Jerry Marceau

Academic Computing Systems

University of New Hampshire

Overview

  • General Authentication Issues

  • UNH Background

  • One User

  • One Password

  • Conclusions & Lessons Learned

  • Future Directions

Authentication

  • Are you really who you say you are?

  • Must happen in order to have authorization to access resources

  • Historically, most systems have been separate, especially between platforms

One User - One Password

  • Pluses

    • Easy for users

    • Less account maintenance for administrators

  • Minuses

    • If passwords are exposed, multiple systems are compromised

  • Not the same as single sign-on

UNH Clusters

  • 13,000+ Students plus Faculty and Staff

  • 4 Main Locations and 4 Satellite Locations

  • 450 Total Computers

  • Student Consultants Staff in Main Locations Only

  • Some Clusters Open 24 Hours

  • No existing Kerberos or LDAP

Past Authentication Systems

  • Checking IDs - labor intensive

  • In-House SS#/DOB system - security problem

  • Windows 95/98 & Samba Domain

    • Samba on central Unix systems provides Samba Password Server

    • Samba on a local Linux box creates an NT-style domain

    • Computers log in to the Linux domain, which passes authentication to the central Unix machines

Samba & Win2000

  • Windows NT/2000/XP require machine accounts as well as user accounts

  • Not an option at UNH due to central control of Unix account base

  • Samba cannot completely emulate a Windows 2000 Active Directory

W2K + Unix = SFU 2.0

  • Services for Unix 2.0 - package of tools from Microsoft to let Windows and Unix “interoperate”

  • Provides Unix command line tools plus wizards for various integration functions on Windows

  • Extends AD schema to allow for Unix properties

  • Includes some source code and tools for Unix

  • Current release is SFU 3.0

One User - Easy

  • Usernames directly accessible in /etc/passwd

  • SFU NIS Migration Wizard

    • Creates AD users from existing Unix users

    • Designed for migration, meaning a permanent move of all accounts into AD

    • No means for dynamic updates or removal of users

  • Created VBScripts to parse /etc/passwd and create user accounts

One User - Not So Fast!

  • Requires scripts on the Unix systems to monitor newly created accounts and deleted accounts

    • Compare cached password file to current file

    • Create lists of added and deleted users

    • Lists are stored on a Samba share

  • More complicated because a decision was made to separate faculty and staff accounts (AD) from student accounts (WILDCAT)
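The monitoring step above (cache the password file, compare it to the current one, emit added and deleted lists) is simple to state but has one edge case worth handling explicitly: a username that disappears and is later re-issued to a different person gets a new UID but the same name, and a naive set difference reports "no change". The following is an added example written for this page, not the UNH scripts from the talk (the page does not reproduce them); the passwd lines are constructed sample data and the MIN_UID cutoff for human accounts is an assumption.

```python
"""Diff a cached copy of /etc/passwd against the current one to find accounts
that were added, deleted, or had their username re-issued to a new UID.

Added example, not the UNH monitoring scripts described in the talk (the page
does not reproduce them). The passwd lines below are constructed sample data;
MIN_UID is an assumption about where human accounts start.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_UID = 1000  # assumption: UIDs below this are system/daemon accounts, not people


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> dict[str, PasswdEntry]:
    """Parse passwd(5) text into {username: entry}.

    A malformed or duplicate line raises rather than being skipped: a
    provisioning script that guesses at a broken line could create or
    delete the wrong directory account.
    """
    entries: dict[str, PasswdEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate username {name!r}")
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def human_accounts(entries: dict[str, PasswdEntry]) -> dict[str, PasswdEntry]:
    """Keep only accounts that should be mirrored into the directory."""
    return {n: e for n, e in entries.items() if e.uid >= MIN_UID}


def diff_accounts(cached: str, current: str) -> dict[str, list[str]]:
    """Return sorted lists of added, deleted and re-issued usernames."""
    old = human_accounts(parse_passwd(cached))
    new = human_accounts(parse_passwd(current))
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    # Same username but a different UID means the name was deleted and
    # re-issued between two runs. Treating that as "no change" would hand the
    # previous owner's AD account, and everything it can reach, to the new one.
    reissued = sorted(n for n in set(old) & set(new) if old[n].uid != new[n].uid)
    return {"added": added, "deleted": deleted, "reissued": reissued}


# Constructed sample snapshots (not real UNH data).
CACHED_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:100:Alice Example:/home/alice:/bin/tcsh
bob:x:1002:100:Bob Example:/home/bob:/bin/tcsh
carol:x:1003:100:Carol Example:/home/carol:/bin/tcsh
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1001:100:Alice Example:/home/alice:/bin/tcsh
bob:x:1077:100:Bob Newcomer:/home/bob:/bin/tcsh
dave:x:1004:100:Dave Example:/home/dave:/bin/tcsh
"""


if __name__ == "__main__":
    for kind, names in diff_accounts(CACHED_PASSWD, CURRENT_PASSWD).items():
        print(f"{kind}: {' '.join(names) or '-'}")
```

Run against the constructed snapshots, the script reports dave as added, carol as deleted and bob as re-issued, while the new system account backup is ignored because it falls below MIN_UID. The "reissued" list is the one to act on before anything is written to the directory, which is also why the later advice to plan for account deletions matters.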

One Password - Hard

  • Unix passwords are stored as one-way hashes – they cannot be recovered from /etc/passwd

  • Unix password stored in Active Directory is separate from Windows password

  • SFU Two-way Password Synchronization

    • Allows password changes on Windows system to propagate to Unix and vice versa

    • Uses a shared encryption key to secure and validate password change communications

SFU Password Sync

  • The good news

    • It works!

  • The bad news

    • Designed for either Windows-to-Unix only or two-way synchronization

    • UNH Unix systems have strict password rules

    • Password changes from Windows would not meet these requirements

Password Sync Solution

  • Source for the Unix-side Password Sync components is included in SFU

  • If the daemon is not run on the Unix machines, password changes sent from the AD domain controllers cannot come in

  • Errors will accumulate in Windows Event Logs

  • Undocumented Registry hack will disable Windows-to-Unix synchronization

Slide 14

[Diagram: Create a WILDCAT Account. Only the labels survived extraction: "CIS Unix", "script sees new user", "user w/ random pwd", "User logs in first time".]

Existing Users?

  • Batch imported all existing students to WILDCAT

  • Initial Windows passwords are random

  • A password change would be required to create the Windows password – not very popular!

  • Winsync - Unix utility to fake a password change

    • Based on SFU source

    • Validate user by requesting password

    • Use the encryption key to send the proper password change command to the domain controller

Some Advice

  • LDAP would have been better in the long run

  • Don’t split up student and faculty accounts

  • Occasional password sync problems - just directly change the user’s AD password

  • Plan for account deletions

Now What?

  • Networked Storage from Unix systems

    • With identical Unix and Windows passwords, the Unix home directory can be mounted as “My Documents” via Samba

  • Student VPN

    • Set up to provide access to full network services via wireless

    • Requires WILDCAT account

  • Mac OS X ??

  • ResNet ????

Acknowledgements

  • Tony DiTulio - the other third of our department (the one who is actually a Windows guy!)

  • Paul Sand - Unix guru & sys admin extraordinaire