One User, One Password: Integrating Unix Accounts and Active Directory




One User, One Password: Integrating Unix Accounts and Active Directory

David J. Blezard & Jerry Marceau

Academic Computing Systems

University of New Hampshire

http://at.unh.edu



Overview

  • General Authentication Issues

  • UNH Background

  • One User

  • One Password

  • Conclusions & Lessons Learned

  • Future Directions



Authentication

  • Are you really who you say you are?

  • Must happen before authorization: a system cannot decide what a user may access until it knows who the user is

  • Historically, most systems have been separate, especially between platforms



One User - One Password

  • Plusses

    • Easy for users

    • Less account maintenance for administrators

  • Minuses

    • If passwords are exposed, multiple systems are compromised

  • Not the same as single sign-on: the user still authenticates separately to each system, but with one credential



UNH Clusters

  • 13,000+ Students plus Faculty and Staff

  • 4 Main Locations and 4 Satellite Locations

  • 450 Total Computers

  • Student Consultants Staff in Main Locations Only

  • Some Clusters Open 24 Hours

  • No existing Kerberos or LDAP



Past Authentication Systems

  • Checking ID’s - labor intensive

  • In-house system keyed on Social Security number and date of birth - a security problem, since neither value is secret

  • Windows 95/98 & Samba Domain

    • Samba on central Unix systems provides Samba Password Server

    • Samba on a local Linux box creates an NT-style domain

    • Computers login to Linux domain which passes authentication to central Unix machines



Samba & Win2000

  • Windows NT/2000/XP require machine accounts as well as user accounts

  • Not an option at UNH due to central control of Unix account base

  • Samba cannot completely emulate a Windows 2000 Active Directory



W2K + Unix = SFU 2.0

  • Services for Unix 2.0 - package of tools from Microsoft to let Windows and Unix “interoperate”

  • Provides Unix command line tools plus wizards for various integration functions on Windows

  • Extends AD schema to allow for Unix properties

  • Includes some source code and tools for Unix

  • Current release is SFU 3.0



One User - Easy

  • Usernames directly accessible in /etc/passwd

  • SFU NIS Migration Wizard

    • Creates AD users from existing Unix users

    • Designed for a one-time migration: every account permanently moves to residing in AD

    • No means for dynamic updates or removal of users

  • Created VBScripts to parse /etc/passwd and create user accounts



One User - Not So Fast!

  • Requires scripts on the Unix systems to monitor newly created accounts and deleted accounts

    • Compare cached password file to current file

    • Create lists of added and deleted users

    • Lists are stored on a Samba share

  • More complicated because a decision was made to separate faculty and staff accounts (AD) from student accounts (WILDCAT)
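The Unix-side watcher described above, as an added example that is not the UNH script: it compares a cached copy of the passwd file with the current one, writes added.txt and deleted.txt to a directory meant to be exported as the Samba share the Windows-side scripts read, and refreshes the cache afterwards. The script name, the paths in the usage line and the MIN_UID cutoff for system accounts are assumptions; the page does not give them.

```shell
#!/bin/sh
# Added example, not the UNH script: watch a Unix passwd file for added and
# deleted accounts by diffing it against a cached copy, and write the two
# lists (added.txt, deleted.txt) to a directory exported as the Samba share
# that the Windows-side account-creation scripts read.

# Accounts below MIN_UID are treated as system accounts and ignored.
# The threshold is an assumption; the page does not say how UNH filtered them.
MIN_UID=${MIN_UID:-1000}

# passwd_users FILE: print the usernames of non-system accounts, sorted,
# one per line. Lines with fewer than 3 fields or a non-numeric UID are skipped.
passwd_users() {
    awk -F: -v min="$MIN_UID" \
        'NF >= 3 && $3 ~ /^[0-9]+$/ && $3+0 >= min+0 { print $1 }' "$1" \
        | LC_ALL=C sort -u
}

# diff_passwd CACHED CURRENT OUTDIR
# Writes OUTDIR/added.txt (users in CURRENT but not in CACHED) and
# OUTDIR/deleted.txt (users in CACHED but not in CURRENT), then refreshes
# CACHED so the next run reports only changes since this one.
diff_passwd() {
    cached=$1; current=$2; outdir=$3
    [ -r "$current" ] || { echo "diff_passwd: cannot read $current" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # First run: seed the cache so existing accounts are not all reported as added.
    [ -r "$cached" ] || cp "$current" "$cached" || return 1

    old=$(mktemp) && new=$(mktemp) || return 1
    passwd_users "$cached"  > "$old"
    passwd_users "$current" > "$new"
    # comm needs sorted input; passwd_users sorts with a fixed locale, and so does comm here.
    LC_ALL=C comm -13 "$old" "$new" > "$outdir/added.txt"    # only in current: new accounts
    LC_ALL=C comm -23 "$old" "$new" > "$outdir/deleted.txt"  # only in cached: removed accounts
    rm -f "$old" "$new"

    # Update the cache only after both lists were written, so a failed run is retried.
    cp "$current" "$cached"
}

# Usage (e.g. from cron; paths are assumptions):
#   sh passwd_watch.sh /var/cache/passwd.prev /etc/passwd /srv/samba/adsync
if [ "$#" -eq 3 ]; then
    diff_passwd "$1" "$2" "$3"
fi
```

The lists carry only usernames, never password hashes, so nothing secret crosses the share. The share is still an input to account creation on the Windows side: it must be writable only by the account the watcher runs as, because anyone who can append a name to added.txt gets a domain account created for it.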



One Password - Hard

  • Unix passwords are stored as one-way hashes – the plaintext cannot be recovered from /etc/passwd (or /etc/shadow), so it cannot simply be copied into AD

  • Unix password stored in Active Directory is separate from Windows password

  • SFU Two-way Password Synchronization

    • Allows password changes on Windows system to propagate to Unix and vice versa

    • Uses a shared encryption key to secure and validate password change communications



SFU Password Sync

  • The good news

    • It works!

  • The bad news

    • Designed for either Windows-to-Unix only or two-way synchronization; there is no Unix-to-Windows-only mode

    • UNH Unix systems have strict password rules

    • Password changes from Windows would not meet these requirements



Password Sync Solution

  • Source for the Unix-side Password Sync components is included in SFU

  • Do not run the Password Sync daemon on the Unix machines; password changes pushed from the AD domain controllers then have nothing to receive them

  • Errors will accumulate in Windows Event Logs

  • Undocumented Registry hack will disable Windows to Unix synchronization


[Diagram: Create a WILDCAT Account - account and password flow, reconstructed from the slide labels]

  • CIS Unix account created: jruser / 456789

  • Unix script sees new user, name written to added.txt

  • VBScript makes WILDCAT user w/ random pwd: jruser / ??????

  • User logs in first time, required password change

  • WILDCAT password change: jruser / Pwd!99

  • SFU Password Sync: jruser / Pwd!99 on both WILDCAT and Unix



Existing Users?

  • Batch imported all existing students to WILDCAT

  • Initial Windows passwords are random

  • Forcing every existing user to change their password just to get a Windows password – not very popular!

  • Winsync - Unix utility to fake a password change

    • Based on SFU source

    • Validate the user by prompting for their current Unix password

    • Use the encryption key to send the proper password change command to the domain controller



Winsync on the Web



Some Advice

  • LDAP would have been better in the long run

  • Don’t split up student and faculty accounts

  • Occasional password sync problems - just directly change the user’s AD password

  • Plan for account deletions



Now What?

  • Networked Storage from Unix systems

    • With identical Unix and Windows passwords, we can mount Unix home disk to “My Documents” via Samba

  • Student VPN

    • Setup to provide access to full network services via wireless

    • Requires WILDCAT account

  • Mac OS X ??

  • ResNet ????



Acknowledgements

  • Tony DiTulio - the other third of our department (the one who is actually a Windows guy!)

  • Paul Sand - Unix guru & sys admin extraordinaire

