Unix/Windows Inter-Operability


What do we want?

  • Single Username Password

  • Access Users files (N drive)

    • Personal Machine

    • Multi-User Machines

  • Information about users

    • Name Service

  • Simple Client Setup

  • Multiple Namespaces?


UNIX files

  • /etc/passwd

    • User account information

    • Name:DES#:uid:gid:DisplayName:homedir:shell

  • /etc/group

    • Group information and membership

    • Name:[hash]:gid:user1,user2...

  • /etc/hosts ....

  • Files are readable by all users


DES Encryption

  • Encrypt a 64-bit block of zeros 25 times using a 12-bit salt and an 8-character password of 7-bit characters (56-bit key).

  • Designed to take 1 second on 1979 hardware. Brute force: ~23,000,000,000 years.

    • Only 94 printable characters on the keyboard: ~54.2 bits of effective key.

  • Moore’s law

    • At 500,000 per sec: ~4500 years.

    • Dictionary attack takes only minutes


Shadow File

  • Remove the DES hash from the world-readable passwd file

  • Shadow file accessible only by local root

  • Add account management for password change frequency, expiry, etc
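The split the slide describes, as an added example that is not part of the original presentation: a legacy passwd file that still carries the DES hash in field two is rewritten into a world-readable passwd file (hash replaced by `x`) and a root-only shadow file that gains the aging fields (last change, minimum and maximum age, warning period). The account names, hashes and aging values are constructed sample data.

```python
# Added example (not from the slides): split a legacy passwd file that still
# carries DES hashes into the world-readable passwd file and a root-only
# shadow file, adding the aging fields the slide mentions.
# The accounts, hashes and day counts below are constructed sample data.

SAMPLE_PASSWD = """\
root:abJnggxhB/yWI:0:0:Superuser:/root:/bin/sh
alice:fR8FqvEcb7WjE:1001:100:Alice Example:/home/alice:/bin/csh
"""

# shadow(5) aging fields; "last changed" is days since 1970-01-01
LASTCHG = 13000                      # constructed value
MIN_DAYS, MAX_DAYS, WARN_DAYS = 0, 90, 7


def split_passwd(passwd_text, lastchg=LASTCHG, min_days=MIN_DAYS,
                 max_days=MAX_DAYS, warn_days=WARN_DAYS):
    """Return (passwd_lines, shadow_lines).

    passwd keeps its seven fields with the hash replaced by 'x', so the
    file can stay readable by all users; shadow carries
    name:hash:lastchg:min:max:warn:inactive:expire:reserved and is meant
    to be written mode 0600, owner root.
    """
    passwd_out, shadow_out = [], []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, pw_hash = fields[0], fields[1]
        passwd_out.append(":".join([name, "x"] + fields[2:]))
        shadow_out.append(":".join([name, pw_hash, str(lastchg), str(min_days),
                                    str(max_days), str(warn_days), "", "", ""]))
    return passwd_out, shadow_out


def hashes_exposed(passwd_lines):
    """True if any entry in the public file still carries a hash, i.e. a
    second field that is not 'x', '*' or empty."""
    return any(line.split(":")[1] not in ("x", "*", "")
               for line in passwd_lines if line)


if __name__ == "__main__":
    pw, sh = split_passwd(SAMPLE_PASSWD)
    print("\n".join(pw))
    print("--- shadow (mode 0600) ---")
    print("\n".join(sh))
```

`hashes_exposed` is the check to run over the public file after the split: it should be false for the new passwd file and true for the legacy one.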


Yellow Pages (aka NIS)

  • Service on the network based on maps containing key-value pairs

  • Add a + line at the end of the files in /etc to pull in the NIS maps

  • All machines in the same namespace see the same information.

  • Central management of user accounts etc.

  • Information now visible to all users on any machine on the network.


LDAP

  • Lightweight Directory Access Protocol

  • General mechanism

  • Schema used to define objects

  • Objects have named attributes

  • Objects can be extended

  • Can require authentication to connect

  • Can secure individual objects


LDAP vs NIS

  • ypmatch -d rucsc 11420 passwd.byuid

    sssadw:x:11420:11203:Anthony Worrall:/home/sufs1/ru10/ss/sssadw:/bin/csh

  • ldapsearch -h host -b "ou=people,dc=sse,dc=rdg,dc=ac,dc=uk" uidNumber=11420

    uid=sssadw,ou=People,dc=sse,dc=rdg,dc=ac,dc=uk

    cn=Anthony Worrall

    [email protected]

    uid=sssadw

    givenName=Anthony

    sn=Worrall

    objectClass=person

    objectClass=organizationalPerson

    objectClass=inetOrgPerson

    objectClass=dspswuser

    objectClass=account

    objectClass=posixAccount

    objectClass=shadowAccount

    objectClass=top

    loginShell=/bin/csh

    uidNumber=11420

    gidNumber=11203

    homeDirectory=/home/sir/sssadw

    gecos=Anthony Worrall
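The two outputs above carry the same account in two shapes. As an added example (not code from the presentation), the following parses the `attribute=value` lines that `ldapsearch` printed on the slide and renders the single passwd-style line that `ypmatch` returns, using the RFC 2307 posixAccount-to-passwd field mapping. The entry text is the slide's, trimmed to the attributes that matter and without the redacted mail attribute; the fallback from `gecos` to `cn` is RFC 2307 behaviour, not something the slide states.

```python
# Added example (not from the slides): parse the ldapsearch output shown on
# the slide and render the passwd line ypmatch would print for the same user.
# Entry text copied from the slide (trimmed); mapping per RFC 2307.

LDAP_OUTPUT = """\
uid=sssadw,ou=People,dc=sse,dc=rdg,dc=ac,dc=uk
cn=Anthony Worrall
uid=sssadw
givenName=Anthony
sn=Worrall
objectClass=person
objectClass=inetOrgPerson
objectClass=posixAccount
objectClass=shadowAccount
loginShell=/bin/csh
uidNumber=11420
gidNumber=11203
homeDirectory=/home/sir/sssadw
gecos=Anthony Worrall
"""


def parse_entry(text):
    """Turn one entry into a dict; every attribute maps to a list of values.
    The first line is the DN. Accepts both the 'attr=value' form the slide
    shows and the standard LDIF 'attr: value' form."""
    lines = [l for l in text.splitlines() if l.strip()]
    entry = {"dn": [lines[0].strip()]}
    for line in lines[1:]:
        if ": " in line:
            attr, _, value = line.partition(": ")
        else:
            attr, _, value = line.partition("=")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


# passwd field order; None marks the password field, which is never taken
# from the directory here: it is 'x', the hash lives in userPassword/shadow
PASSWD_FIELDS = ["uid", None, "uidNumber", "gidNumber", "gecos",
                 "homeDirectory", "loginShell"]


def to_passwd_line(entry):
    """Render a posixAccount entry as name:x:uid:gid:gecos:home:shell."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("entry is not a posixAccount")
    fields = []
    for attr in PASSWD_FIELDS:
        if attr is None:
            fields.append("x")
        elif attr == "gecos" and attr not in entry:
            fields.append(entry.get("cn", [""])[0])   # RFC 2307: cn if no gecos
        else:
            fields.append(entry[attr][0])
    return ":".join(fields)


if __name__ == "__main__":
    print(to_passwd_line(parse_entry(LDAP_OUTPUT)))
```

Note that the rendered home directory is the LDAP one (`/home/sir/sssadw`), not the NIS one on the slide (`/home/sufs1/ru10/ss/sssadw`): two name services for the same user can drift apart, which is one of the arguments for a single name store made later in the deck.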


nsswitch.conf

  • Controls where each nameservice gets its information

    passwd: files ldap

    group: compat

    hosts: nis dns [NOTFOUND=return] files

    netgroup: nis

  • Compat allows +/-[@netgroup] syntax in files

  • Use getent instead of ypmatch and ldapsearch
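How the source order and the `[STATUS=action]` syntax on the slide decide which source answers a lookup, as an added example that is not part of the presentation: a small simulator with constructed in-memory tables standing in for `files`, `nis`, `dns` and `ldap`, fed the four `nsswitch.conf` lines from the slide. With `hosts: nis dns [NOTFOUND=return] files`, a name that neither NIS nor DNS knows never reaches `/etc/hosts`; `compat` is treated as an unavailable source here, since the simulator does not implement the +/- syntax.

```python
# Added example (not from the slides): simulate nsswitch.conf resolution.
# Tables below are constructed stand-ins for the real sources; the
# configuration lines are the ones on the slide.
import re

NSSWITCH = """\
passwd: files ldap
group: compat
hosts: nis dns [NOTFOUND=return] files
netgroup: nis
"""

# constructed data: source -> database -> {key: value}
SOURCES = {
    "files": {"passwd": {"root": "root:x:0:0:root:/root:/bin/sh"},
              "hosts": {"printer": "10.0.0.9"}},
    "ldap":  {"passwd": {"sssadw": "sssadw:x:11420:11203:Anthony Worrall:/home/sir/sssadw:/bin/csh"}},
    "nis":   {"hosts": {"timehost": "10.0.0.2"}},
    "dns":   {"hosts": {"www.example.test": "192.0.2.1"}},
}

# either a [ ... ] action group or a bare source name
TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")

# what nss does when no [STATUS=action] overrides it
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_nsswitch(text):
    """database -> list of (source, {STATUS: action}); the action dict
    belongs to the source immediately before the bracket group."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        spec = []
        for bracket, word in TOKEN.findall(rest):
            if word:
                spec.append((word, {}))
            elif spec:
                for pair in bracket.split():
                    status, _, action = pair.partition("=")
                    spec[-1][1][status.upper()] = action.lower()
        conf[db.strip()] = spec
    return conf


def lookup(conf, db, key, sources=SOURCES):
    """Return (value or None, list of sources consulted in order)."""
    consulted = []
    for source, actions in conf.get(db, []):
        consulted.append(source)
        table = sources.get(source, {}).get(db)
        if table is None:
            status = "UNAVAIL"          # source has no such database
        elif key in table:
            status = "SUCCESS"
        else:
            status = "NOTFOUND"
        if status == "SUCCESS":
            return table[key], consulted
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return None, consulted      # e.g. [NOTFOUND=return]: stop here
    return None, consulted


if __name__ == "__main__":
    conf = parse_nsswitch(NSSWITCH)
    for name in ("timehost", "www.example.test", "printer"):
        print(name, lookup(conf, "hosts", name))
```

The third lookup in the `__main__` block is the interesting one: `printer` is only in `/etc/hosts`, but the `[NOTFOUND=return]` after `dns` means `files` is never consulted, which is exactly what that action is used for on a network where local host files are not meant to override the directory.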


Kerberos

  • An Authentication Service (KDC)

  • Obtain a ticket (passport) at login

  • Use ticket to access other services.

  • Can also be used to authenticate clients, services, and encrypt traffic

  • Based on principals [email protected]

  • Realms can have a trust relationship

  • Pre-authentication needed for security


Kerberos client tools

  • kinit

    • Get a ticket for a principal using information from user input or a file

  • klist

    • List principals for the current user or stored in a file

  • kdestroy

  • ktutil

    • Manage principals in keytab files


Pluggable Authentication Modules

  • Stack of modules in 4 contexts

    • Auth: user authentication

    • Account: password/account expiry, etc.

    • Session: session management, e.g. logging

    • Password: how to change the password, etc.

  • Each service, such as login, ftp, etc., can have its own stacks
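A stack in one of the four contexts is not a simple all-or-nothing list; each module carries a control flag that decides what its result means. As an added example (not code from the presentation), the following parses a `pam.conf` in the single-file form (`service type control module args`) and evaluates a stack with the Linux-PAM control flags `required`, `requisite`, `sufficient` and `optional`. The configuration lines are constructed to match the Kerberos-with-Unix-fallback setup the deck discusses (`pam_krb5` then `pam_unix`); module results are supplied as a dict rather than by talking to a KDC or `/etc/shadow`, and the end-of-stack rule is a stated simplification of Linux-PAM's bookkeeping.

```python
# Added example (not from the slides): parse a single-file pam.conf and
# evaluate one stack with Linux-PAM control flags. The config is constructed
# for illustration; module outcomes are supplied instead of computed.

PAM_CONF = """\
# service  type      control     module        args
login      auth      sufficient  pam_krb5.so
login      auth      required    pam_unix.so   use_first_pass
login      account   required    pam_unix.so
login      session   optional    pam_krb5.so
login      password  required    pam_unix.so
ftp        auth      required    pam_unix.so
other      account   required    pam_unix.so
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


def parse_pam_conf(text):
    """(service, type) -> list of (control, module, args)."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, control, module, *args = line.split()
        if control not in CONTROLS:
            raise ValueError(f"unsupported control flag {control!r}")
        stacks.setdefault((service, mtype), []).append((control, module, args))
    return stacks


def run_stack(stack, outcomes):
    """Evaluate one stack; outcomes maps module name -> True/False.
    Returns (passed, modules consulted in order)."""
    consulted, failed = [], False
    for control, module, _args in stack:
        consulted.append(module)
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False, consulted        # stop immediately
        if control == "required" and not ok:
            failed = True                  # remember, but keep going
        if control == "sufficient" and ok and not failed:
            return True, consulted         # enough: skip the rest
        # optional results do not count; a failed sufficient is ignored
    # End of stack: pass if nothing required/requisite failed and at least one
    # required/requisite module vouched. This is a simplification of
    # Linux-PAM's handling of stacks made only of sufficient/optional modules.
    vouched = any(c in ("required", "requisite") for c, _, _ in stack)
    return (not failed and vouched), consulted


def stack_for(stacks, service, mtype):
    """A service without its own stack falls back to the 'other' entry."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])


def may_log_in(stacks, service, outcomes):
    """Login needs both the auth and the account context to pass."""
    return all(run_stack(stack_for(stacks, service, t), outcomes)[0]
               for t in ("auth", "account"))


if __name__ == "__main__":
    stacks = parse_pam_conf(PAM_CONF)
    print(run_stack(stacks[("login", "auth")], {"pam_krb5.so": True}))
    print(may_log_in(stacks, "login", {"pam_krb5.so": True, "pam_unix.so": False}))
```

The second print shows why the account context exists separately from auth: a user who authenticates via Kerberos (the `sufficient` module succeeds, so `pam_unix` is never even asked for a password) can still be refused if the account stack reports the account as expired.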


Configuring Linux in SSE

  • LDAP Settings

    LDAP Server : sse.ad.rdg.ac.uk

    Search Base : ou=unix,dc=sse,dc=ad,dc=rdg,dc=ac,dc=uk

    Group member attribute : member

  • Kerberos Settings

    Default Domain : rdg.ac.uk

    Default Realm : RDG-HOME.AD.RDG.AC.UK

    KDC : rdg-home.ad.rdg.ac.uk
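How the settings on this slide land in the client's configuration files, as an added example that is not taken from the presentation: the Kerberos values go into `/etc/krb5.conf` (MIT/Heimdal format) and the LDAP server and search base into the nss_ldap `/etc/ldap.conf`. Every value is from the slide; the file layout, the `start_tls` line and the comments are additions. The group-member attribute mapping is left out because the exact nss_ldap directive for it depends on the client library version.

```text
# /etc/krb5.conf : values from the "Kerberos Settings" on the slide
[libdefaults]
    default_realm = RDG-HOME.AD.RDG.AC.UK

[realms]
    RDG-HOME.AD.RDG.AC.UK = {
        kdc = rdg-home.ad.rdg.ac.uk
    }

[domain_realm]
    # Default Domain rdg.ac.uk -> realm, for the host and its subdomains
    rdg.ac.uk = RDG-HOME.AD.RDG.AC.UK
    .rdg.ac.uk = RDG-HOME.AD.RDG.AC.UK

# /etc/ldap.conf (nss_ldap) : values from the "LDAP Settings" on the slide
uri ldap://sse.ad.rdg.ac.uk/
base ou=unix,dc=sse,dc=ad,dc=rdg,dc=ac,dc=uk
ldap_version 3
# added: upgrade the connection to TLS before any bind, so that the
# directory traffic (and a proxy user's password, if one is used) is not
# sent in clear
ssl start_tls
```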


Name Service Cache Daemon

  • nscd saves the results of name service requests, including DNS lookups

  • Some services run on multiple machines (the same name resolves to more than one host):

    • rdg-home.ad.rdg.ac.uk

    • timehost.rdg.ac.uk

  • Modify /etc/nscd.conf

    • enable-cache hosts no


Authentication vs Authorization


Options of Integration

  • AD Kerberos Authentication, UNIX name service

  • AD Kerberos Authentication, AD name service

  • AD LDAP Authentication, UNIX name service

  • AD LDAP Authentication, AD name service

  • UNIX Kerberos with cross realm trust for authentication and UNIX name service


Option Requirements


1. AD Kerberos Auth, UNIX NS

  • Pros

    • Same username/password

    • Existing name service

    • Single Sign On available

  • Cons

    • Need to maintain UNIX NS


2a. AD Kerberos, AD NS

  • Pros

    • Single username/password

    • Single Name Store

    • 2003R2 supports RFC 2307 (homeDirectory?)

  • Cons

    • Need to extend “user” class

    • Map Classes and Attributes on clients


2b. AD Kerberos, AD NS separate OU

  • Pros

    • Only need AD DCs

    • Looks like UNIX OpenLDAP to clients (RFC 2307)

    • Allows Multiple Name Spaces

  • Cons

    • Need to promote PosixAccount Class

    • Synchronise information between OU


3. AD LDAP Auth, UNIX NS

  • Pros

    • Same username/password

    • Existing name service

  • Cons

    • Need to maintain UNIX NS

    • No Single Sign On


4. AD LDAP Auth, AD NS

  • Pros

    • Only need AD DCs

  • Cons

    • Need to extend users class or promote PosixAccount class

    • No Single Sign On

    • Need Proxy User to access NS


5. Cross Realm Trust

  • Pros

    • Native Tools

    • User principals in AD; Unix service and host principals in Unix Kerberos

  • Cons

    • Extra complication


Authentication

  • Kerberos

    • Pros

      • Single Sign On to services

      • Apache Module

      • Authenticate services

    • Cons

      • Host and service principals

    • Modify

      • krb5.conf

      • pam.conf

      • krb5.keytab

  • AD LDAP

    • Pros

      • Simple

      • Used by web backends (PHP, Perl), Apache Module

    • Cons

      • Need to secure connection

    • Modify

      • pam.conf

AD as NS

  • Extend user class

    • Pros

      • Single object to maintain

    • Cons

      • Map objects and attributes on client (e.g. uid => sAMAccountName)

  • Promote PosixAccount

    • Pros

      • Looks like UNIX OpenLDAP to clients

      • Allows Multiple Name Spaces

    • Cons

      • Synchronise information between OU


Unix Name Service

  • LDAP

    • Pros

      • Out of the box

      • Can be restricted

    • Cons

      • Complicated

      • Proxy user on clients if restricted

  • NIS

    • Pros

      • Simple

      • Configuration by DHCP

    • Cons

      • World readable


Network File System

  • Mount a directory from a server on the client (cf. mapping a network share)

  • Host based security

  • Client does authorization by user/group


NFS V4

  • Server side authorization

  • NTFS like Access Control Lists

  • Kerberos Support

    • Authentication

    • Integrity

    • Encryption

  • Client principal needed to allow root to mount the filesystem
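The contrast between the two slides above in configuration form, as an added example that is not from the presentation: an `/etc/exports` line that trusts the client host (classic NFS) next to one that requires Kerberos, and the corresponding client mount. The three `sec=` values line up with the three bullets (authentication, integrity, encryption); host names, the export path and the realm are placeholders.

```text
# /etc/exports on the server (Linux nfs-utils syntax; names are placeholders)
#   sec=krb5   Kerberos authentication of each user's RPCs
#   sec=krb5i  ... plus integrity checking of the traffic
#   sec=krb5p  ... plus encryption of the traffic
/home   client.example.test(rw,sync)              # host-based: trust the client, client decides authorization
/home   *.example.test(rw,sync,sec=krb5p)         # NFSv4 + Kerberos: server checks the user's ticket

# On the client. The mount runs as root and is done before any user has a
# ticket, which is why the client host needs its own principal with a key in
# /etc/krb5.keytab (nfs/client.example.test@EXAMPLE.REALM, placeholder realm)
# for rpc.gssd to use.
mount -t nfs4 -o sec=krb5p server.example.test:/home /home
```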


smbmount

  • Mount a folder from a Windows server using the CIFS protocol

  • Single username and group mapping

  • Needs root access (sudo) to do the mount

  • Requires the username and password on the command line, in a file, or from user input.


LUFS/FUSE

  • Allows a normal user to mount a “filesystem”

  • Present an sftp connection as a filesystem

  • Other backends available

  • Similar problems to smbmount

  • Performance issues?


  • Login