Don McCall HP WTEC


Presentation Transcript


  1. A Simple ‘Single Sign on’ Method for HP-UX and Active Directory Domains, using Kerberos Client and Winbind
     Don McCall, HP WTEC

  2. Introduction
     • Single signon: the ‘holy grail’
     • Some methods exist already:
       • Kerberos + LDAP + MS-SFU: complicated and requires MS ADS changes
       • pam_winbind: a good solution, but not currently available on HP-UX; also currently uses challenge/response, not Kerberos, for authentication

  3. Problem Statement
     • HP-UX system currently using /etc/passwd for local UNIX user authentication
     • Need to grant login/ftp access to users in an existing MS ADS domain
     • Do not want to ‘shadow’ MS users with HP-UX users
     • Need to keep it simple: no LDAP or ADS experience in the HP-UX administration staff

  4. Initial conditions
     • HP-UX system name: walnut.wtec.diagnostic.hp.com
     • HP-UX authentication method: simple /etc/passwd authentication
     • swlist shows that the following products are installed:
       • B8725AA HP CIFS Server...
       • PAM Kerberos PAM-Kerberos …
     • Active Directory KDC: mccalldc.wtec.diagnostic.hp.com
     • Kerberos realm: WTEC.DIAGNOSTIC.HP.COM
     • Active Directory user name: moby
     • Active Directory user password: fishlips
     • Active Directory user ‘moby’ is a member in: ‘Domain Users’, ‘engineering’
     • moby has no access to the HP-UX system ‘walnut’, as he is NOT defined in the /etc/passwd file

  5. Target conditions
     • MS user moby should be able to telnet to HP-UX system ‘walnut’
     • Needs access to application ‘LabStats’
     • Only moby gets access to ‘LabStats’

  6. Our solution
     • Kerberos for authentication against the MS KDC
     • Winbind authorization using MS ADS as the user and group backing store

  7. Kerberos setup
     /etc/krb5.conf:

        [libdefaults]
            default_realm = WTEC.DIAGNOSTIC.HP.COM
            default_tkt_enctypes = DES-CBC-MD5
            default_tgs_enctypes = DES-CBC-MD5
            ccache_type = 2
        [realms]
            WTEC.DIAGNOSTIC.HP.COM = {
                kdc = mccalldc.wtec.diagnostic.hp.com:88
            }
        [domain_realm]
            .wtec.diagnostic.hp.com = WTEC.DIAGNOSTIC.HP.COM
        [logging]
            kdc = FILE:/var/log/krb5kdc.log
            admin_server = FILE:/var/log/kadmin.log
            default = FILE:/var/log/krb5lib.log

  8. Verifying the Kerberos setup

        # kinit moby
        Password for moby@WTEC.DIAGNOSTIC.HP.COM:
        # klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: moby@WTEC.DIAGNOSTIC.HP.COM

        Valid starting     Expires            Service principal
        05/25/06 07:00:40  05/25/06 16:58:19  krbtgt/WTEC.DIAGNOSTIC.HP.COM@WTEC.DIAGNOSTIC.HP.COM
                renew until 05/25/06 17:00:40

  9. PAM setup

        # PAM configuration[1]
        # Authentication management
        login   auth     sufficient  /usr/lib/security/libpam_unix.1
        login   auth     sufficient  /usr/lib/security/libpam_krb5.1
        ftp     auth     sufficient  /usr/lib/security/libpam_krb5.1
        ftp     auth     required    /usr/lib/security/libpam_unix.1
        OTHER   auth     required    /usr/lib/security/libpam_unix.1
        # Account management
        login   account  sufficient  /usr/lib/security/libpam_unix.1
        login   account  sufficient  /usr/lib/security/libpam_krb5.1
        ftp     account  sufficient  /usr/lib/security/libpam_krb5.1
        ftp     account  required    /usr/lib/security/libpam_unix.1
        OTHER   account  required    /usr/lib/security/libpam_unix.1
        # Session management
        login   session  sufficient  /usr/lib/security/libpam_unix.1
        login   session  sufficient  /usr/lib/security/libpam_krb5.1
        OTHER   session  required    /usr/lib/security/libpam_unix.1
        # Password management
        login   password sufficient  /usr/lib/security/libpam_unix.1
        login   password sufficient  /usr/lib/security/libpam_krb5.1
        passwd  password required    /usr/lib/security/libpam_unix.1
        OTHER   password required    /usr/lib/security/libpam_unix.1

     [1] In HP-UX 11.23, change any instance of ‘libpam_krb5.1’ to ‘libpam_krb5.so.1’
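The control-flag semantics behind the stack on slide 9 decide which module ends up authenticating a given user, and which modules get consulted (and can therefore stall) along the way. The model below is an added example, not code from the presentation: module outcomes are constructed stand-ins for real module calls, and ‘rlogin’ is a hypothetical service name used only to show what the OTHER line does.

```python
# Added example (not from the presentation): a small model of how the HP-UX
# pam.conf control flags on slide 9 decide which module authenticates a user.
# Module outcomes are constructed stand-ins for real module calls; 'rlogin' is
# a hypothetical service name used to show the OTHER rule.
PAM_CONF = """\
# Authentication management (auth lines from slide 9)
login auth sufficient /usr/lib/security/libpam_unix.1
login auth sufficient /usr/lib/security/libpam_krb5.1
ftp   auth sufficient /usr/lib/security/libpam_krb5.1
ftp   auth required   /usr/lib/security/libpam_unix.1
OTHER auth required   /usr/lib/security/libpam_unix.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(flag, module_basename), ...]} in file order."""
    stack = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, flag, path = line.split()[:4]
        stack.setdefault((service, mtype), []).append((flag, path.rsplit("/", 1)[-1]))
    return stack

def run_stack(stack, service, mtype, outcomes):
    """Walk the stack for (service, type); services without their own lines
    fall back to OTHER. outcomes maps module basename -> True/False.
    Returns (authenticated, list of modules actually consulted)."""
    chain = stack.get((service, mtype)) or stack.get(("OTHER", mtype), [])
    consulted, failed_required, passed_required = [], False, False
    for flag, module in chain:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if flag == "sufficient" and ok and not failed_required:
            return True, consulted        # success short-circuits the rest
        if flag == "required":
            failed_required |= not ok     # failure is final, but the walk goes on
            passed_required |= ok
    return passed_required and not failed_required, consulted

STACK = parse_pam_conf(PAM_CONF)
# Constructed outcomes: moby exists only in ADS, root only in /etc/passwd.
MOBY = {"libpam_unix.1": False, "libpam_krb5.1": True}
ROOT = {"libpam_unix.1": True, "libpam_krb5.1": False}

if __name__ == "__main__":
    print("moby login :", run_stack(STACK, "login", "auth", MOBY))
    print("moby rlogin:", run_stack(STACK, "rlogin", "auth", MOBY))
    print("root ftp   :", run_stack(STACK, "ftp", "auth", ROOT))
```

For ftp the local user is pushed through libpam_krb5.1 before libpam_unix.1 ever runs, which is where the ‘delays for local user logins when Kerberos is unavailable’ of slide 16 come from; a service with no lines of its own falls to OTHER and never sees Kerberos at all.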

  10. So, can we log in yet?

        # telnet walnut.wtec.diagnostic.hp.com
        Trying...
        Connected to walnut.wtec.diagnostic.hp.com.
        Escape character is '^]'.
        Local flow control on
        Telnet TERMINAL-SPEED option ON

        HP-UX walnut B.11.11 A 9000/785 (ta)

        login: moby
        Password:
        Connection closed by foreign host.

     WHY? Because HP-UX needs to know how to map ‘moby’ to a uid. We still need winbind for the authorization piece of the puzzle.

  11. Winbindd setup

        [global]
            encrypt passwords = yes
            realm = WTEC.DIAGNOSTIC.HP.COM
            # hpux host name
            netbios name = walnut
            workgroup = WTEC
            security = ADS
            # range of UIDs to map to
            idmap uid = 1500-1620
            # range of GIDs to map to
            idmap gid = 1621-1700
            winbind separator = +
            # for large AD Domains, set both to No[1]
            winbind enum users = Yes
            winbind enum groups = Yes
            winbind use default domain = Yes
            # info not provided by windows
            template shell = /usr/bin/sh
            template homedir = /home/%U

     [1] On large Active Directory Domains (1000s of users and groups) you can set ‘winbind enum groups’ and ‘winbind enum users’ to no. This will decrease network traffic and system load, but be aware that if you do so, programs that call getpwent() or getgrent() to enumerate all users or groups will not return any data; programs such as ‘finger’ rely on having the full user list to function.

  12. After joining the domain, configure winbind into nsswitch.conf
     /etc/nsswitch.conf:

        #
        #
        passwd:     files winbind
        group:      files winbind
        hosts:      dns files
        networks:   files
        protocols:  files
        rpc:        files
        publickey:  files
        netgroup:   files
        automount:  files
        aliases:    files
        services:   files

  13. Verify winbind, and create home dir
     • Verify your winbind configuration:

        # startwinbind
        winbindd started successfully; process ids: 12519.
        # wbinfo -u|grep moby
        moby 1545

     • Create a home directory for moby:

        # mkdir /home/moby
        # chown moby /home/moby
        # ll -d /home/moby
        drwxrwxrwx   2 moby       sys             96 May 25 10:26 /home/moby

  14. Verify login

        # telnet walnut.wtec.diagnostic.hp.com
        Trying...
        Connected to walnut.wtec.diagnostic.hp.com.
        Escape character is '^]'.
        Local flow control on
        Telnet TERMINAL-SPEED option ON

        HP-UX walnut B.11.11 A 9000/785 (ta)

        login: moby
        Password:
        Password:
        Please wait...checking for disk quotas
        $ pwd
        /home/moby
        $ touch test.txt
        $ ll test.txt
        -rw-rw-rw-   1 moby       domain user      0 May 25 10:30 test.txt
        $ newgrp engineering
        $ touch test.group.txt
        $ ll test.group.txt
        -rw-rw-rw-   1 moby       engineering      0 May 25 10:40 test.group.txt

  15. Limitations
     • Cannot access the system from trusted domains
     • PAM Kerberos doesn’t understand the domain\username format
     • Winbind doesn’t understand the Kerberos UPN (user@realm) format
     • samAccount name must be consistent with the UPN
     • If you need consistent sid-uid/gid mapping on multiple HP-UX servers, you will need to use an LDAP backend to store the winbind mappings, or the idmap rid method to deterministically generate the sid-uid/gid mapping
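The last limitation follows from how the ‘idmap uid = 1500-1620’ range on slide 11 is consumed: each host hands out the next free uid to whichever SID it sees first, so two servers disagree unless the mapping is shared (LDAP) or computed (idmap rid). The following added example, which is not code from the presentation, models both behaviours; the domain and user SIDs are constructed sample values, and the rid method is modelled as uid = range low + RID with a base RID of 0.

```python
# Added example (not from the presentation): why per-host winbind uid
# allocation behind 'idmap uid = 1500-1620' (slide 11) gives different uids on
# different HP-UX servers, and how the deterministic 'idmap rid' method
# (slide 15; uid = range low + RID, base RID 0) avoids that. All SIDs below
# are constructed sample values, not real domain SIDs.
UID_RANGE = (1500, 1620)      # 'idmap uid = 1500-1620' from the smb.conf on slide 11

def rid_of(sid):
    """Relative identifier: the last dash-separated component of a SID string."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"] or len(parts) < 4:
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])

def allocating_idmap(sids_in_first_seen_order, uid_range=UID_RANGE):
    """First-come allocation: each new SID gets the next free uid, so the
    result depends on the order in which THIS host first sees each user."""
    low, high = uid_range
    mapping, next_uid = {}, low
    for sid in sids_in_first_seen_order:
        if sid in mapping:
            continue                      # already mapped on this host
        if next_uid > high:
            raise RuntimeError("idmap uid range %d-%d exhausted" % uid_range)
        mapping[sid] = next_uid
        next_uid += 1
    return mapping

def rid_idmap(sid, uid_range=UID_RANGE):
    """Deterministic mapping: the same SID yields the same uid on every host.
    Returns None when the RID does not fit the configured range."""
    low, high = uid_range
    uid = low + rid_of(sid)
    return uid if low <= uid <= high else None

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
MOBY, ALICE = DOMAIN + "-1104", DOMAIN + "-1105"        # constructed user RIDs

if __name__ == "__main__":
    # Two servers that first saw the users in a different order disagree...
    print("host A:", allocating_idmap([MOBY, ALICE]))
    print("host B:", allocating_idmap([ALICE, MOBY]))
    # ...rid mapping agrees everywhere, but needs a range wide enough for the RIDs:
    print("rid   :", rid_idmap(MOBY), rid_idmap(MOBY, (1500, 9999)))
```

Note that with the slide's 121-uid range the rid method returns None for a RID of 1104: switching to idmap rid also means widening ‘idmap uid’ so that low + RID fits for every account that must log in.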

  16. Known issues
     • HP-UX ll listing is limited to 11 display characters for the user/group fields
     • The HP-UX passwd command may fail when winbind is included in the /etc/nsswitch.conf file
     • Same-name users in /etc/passwd and ADS can play havoc with your system accessibility!
     • Delays for ‘local’ user logins are introduced when either winbind or Kerberos is unavailable

  17. In Conclusion
     • A good model for very SIMPLE configurations
     • Allows ADS users from a single domain to access ‘one-off’ HP-UX systems
     • Trusted domain and/or multi-domain access is beyond the scope of this model
     • ADS domains that permit userAccount names to be different from the principal part of the Kerberos UPN are not suited to this model
