One User, One Password: Integrating Unix Accounts and Active Directory

David J. Blezard & Jerry Marceau

Academic Computing Systems

University of New Hampshire

http://at.unh.edu

Overview
  • General Authentication Issues
  • UNH Background
  • One User
  • One Password
  • Conclusions & Lessons Learned
  • Future Directions
Authentication
  • Are you really who you say you are?
  • Must be settled before authorization (what that identity may access) can be decided
  • Historically, most systems have kept their own accounts, especially across platforms
One User - One Password
  • Pluses
    • Easy for users: one username and one password to remember
    • Less account maintenance for administrators
  • Minuses
    • If the password is exposed, every system that shares it is compromised at once
  • Not the same as single sign-on: the same password is still entered separately at each system
UNH Clusters
  • 13,000+ Students plus Faculty and Staff
  • 4 Main Locations and 4 Satellite Locations
  • 450 Total Computers
  • Student Consultants Staff in Main Locations Only
  • Some Clusters Open 24 Hours
  • No existing Kerberos or LDAP
Past Authentication Systems
  • Checking IDs - labor intensive
  • In-house SSN/date-of-birth system - a security problem, since neither value is a secret
  • Windows 95/98 & Samba Domain
    • Samba on central Unix systems provides the Samba password server
    • Samba on a local Linux box creates an NT-style domain
    • Computers log in to the Linux domain, which passes authentication through to the central Unix machines
Samba & Win2000
  • Windows NT/2000/XP require machine accounts as well as user accounts
  • Not an option at UNH: the machine accounts would have to live in the centrally controlled Unix account base
  • Samba cannot completely emulate a Windows 2000 Active Directory
W2K + Unix = SFU 2.0
  • Services for Unix 2.0 - package of tools from Microsoft to let Windows and Unix “interoperate”
  • Provides Unix command line tools plus wizards for various integration functions on Windows
  • Extends AD schema to allow for Unix properties
  • Includes some source code and tools for Unix
  • Current release is SFU 3.0
One User - Easy
  • Usernames directly accessible in /etc/passwd
  • SFU NIS Migration Wizard
    • Creates AD users from existing Unix users
    • Designed for a one-time migration: all accounts move permanently into AD
    • No means for dynamic updates or removal of users as the Unix account base changes
  • Created VBScripts to parse /etc/passwd and create the user accounts in AD instead
One User - Not So Fast!
  • Requires scripts on the Unix systems to detect newly created and deleted accounts
    • Compare a cached copy of the password file to the current file
    • Create lists of added and deleted users
    • Lists are stored on a Samba share for the Windows side to pick up
  • More complicated because a decision was made to keep faculty and staff accounts (AD) separate from student accounts (WILDCAT)
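The monitoring pass described above, as an added example (not UNH's script, whose language the slides do not give): it diffs a cached copy of /etc/passwd against the current one, ignores system accounts below an assumed UID floor so that daemon users never become domain accounts, writes added.txt and deleted.txt for the Windows-side VBScript, and refreshes the cache only after the lists are out. The passwd contents, the deleted.txt and cache file names, and the UID threshold are constructed for the example.

```python
"""Detect Unix account additions and deletions by diffing a cached copy of
/etc/passwd against the current file.  Added illustration, not UNH's script."""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample: the snapshot cached at the previous run.
CACHED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jruser:x:1001:100:J. R. User:/home/jruser:/bin/bash
oldgrad:x:1002:100:Graduated Student:/home/oldgrad:/bin/bash
"""

# Constructed sample: the current file, with one student added, one removed,
# and a new service account that must NOT get a domain account.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
newsvc:x:999:999:Service account:/var/lib/newsvc:/usr/sbin/nologin
jruser:x:1001:100:J. R. User:/home/jruser:/bin/bash
fresh1:x:1003:100:Incoming Student:/home/fresh1:/bin/bash
"""

MIN_PERSON_UID = 1000  # assumption: real people live at or above this UID


def parse_passwd(text: str) -> Dict[str, int]:
    """Map username -> UID.  Skips blank lines, comments and NIS +/- entries;
    a malformed line is an error rather than a silently dropped user."""
    users: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            raise ValueError(f"malformed passwd line {lineno}: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def diff_accounts(cached: Dict[str, int], current: Dict[str, int],
                  min_uid: int = MIN_PERSON_UID) -> Tuple[List[str], List[str]]:
    """Return (added, deleted) usernames, ignoring accounts below min_uid."""
    def people(accounts: Dict[str, int]) -> set:
        return {name for name, uid in accounts.items() if uid >= min_uid}
    added = sorted(people(current) - people(cached))
    deleted = sorted(people(cached) - people(current))
    return added, deleted


def write_lists(share: Path, added: List[str], deleted: List[str]) -> None:
    """Publish added.txt / deleted.txt for the Windows-side VBScript."""
    (share / "added.txt").write_text("".join(u + "\n" for u in added))
    (share / "deleted.txt").write_text("".join(u + "\n" for u in deleted))


def run_once(passwd_path: Path, cache_path: Path, share: Path) -> Tuple[List[str], List[str]]:
    """One monitoring pass.  With no cache yet, every person shows up as
    added (the batch-import case).  The cache is replaced atomically and only
    after the lists are written, so a crash in between repeats work instead
    of losing an account change."""
    current_text = passwd_path.read_text()
    cached = parse_passwd(cache_path.read_text()) if cache_path.exists() else {}
    added, deleted = diff_accounts(cached, parse_passwd(current_text))
    write_lists(share, added, deleted)
    tmp = cache_path.with_suffix(".tmp")
    tmp.write_text(current_text)
    tmp.replace(cache_path)
    return added, deleted


def demo() -> Tuple[List[str], List[str]]:
    """Run one pass against temporary copies of the constructed files."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "passwd.cache").write_text(CACHED_PASSWD)
        (base / "passwd").write_text(CURRENT_PASSWD)
        result = run_once(base / "passwd", base / "passwd.cache", base)
        assert (base / "passwd.cache").read_text() == CURRENT_PASSWD
        return result


if __name__ == "__main__":
    print(demo())
```

Because these lists drive account creation in the domain, the Samba share they land on should be writable only by the account the Unix script runs as: anyone who can append a name to added.txt gets a domain account created for it.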
One Password - Hard
  • Unix passwords are one-way hashed - the plaintext cannot be recovered from /etc/passwd
  • The Unix password attribute SFU stores in Active Directory is separate from the Windows password; setting one does not set the other
  • SFU Two-way Password Synchronization
    • Allows password changes on Windows systems to propagate to Unix and vice versa
    • Uses a shared encryption key to secure and validate the password change communications between the domain controllers and the Unix daemon
SFU Password Sync
  • The good news
    • It works!
  • The bad news
    • Designed for either Windows-to-Unix-only or two-way synchronization; there is no Unix-to-Windows-only mode
    • UNH Unix systems have strict password rules
    • Password changes originating on Windows are not checked against these rules, so they cannot be allowed to flow into Unix
Password Sync Solution
  • Source for the Unix-side Password Sync components is included in SFU
  • If the daemon is not run on the Unix machines, password changes sent from the AD domain controllers have nowhere to land and are never applied
  • Errors will accumulate in the Windows Event Logs on the domain controllers as those attempts fail
  • An undocumented Registry hack disables Windows-to-Unix synchronization and stops the failed attempts
Create a WILDCAT Account (flow diagram; text recovered from the slide)
  • CIS Unix account created: jruser / 456789
  • Unix script sees new user and adds it to added.txt
  • VBScript makes WILDCAT user w/ random pwd: jruser / ??????
  • User logs in first time; required password change on WILDCAT: jruser / Pwd!99
  • SFU Password Sync carries the change to Unix: jruser / Pwd!99

Existing Users?
  • Batch imported all existing students to WILDCAT
  • Initial Windows passwords are random, so nobody knows them
  • A forced password change would have populated the Windows password - not very popular!
  • Winsync - Unix utility to fake a password change
    • Based on the SFU source
    • Validates the user by prompting for, and checking, their current Unix password
    • Uses the shared encryption key to send the proper password change command to the domain controller, setting the Windows password to the existing Unix one
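Both ends of the password-change exchange described under One Password - Hard / Password Sync Solution and in the Winsync bullets above, as an added illustration. This is not SFU's wire format and not UNH's Winsync code; the message layout, the PBKDF2 stand-in for the Unix password hash, the policy rules, and the shared key and account data are all constructed for the example. It shows the three checks the slides call for: the sender (Winsync role) verifies the user's current Unix password before sending anything, the receiver validates the message with the shared key and rejects stale or replayed copies, and a Unix-side receiver can enforce the strict Unix password rules on a Windows-originated change rather than having to disable that direction entirely. Confidentiality of the new password is left to an encrypted transport, which is assumed and not shown.

```python
"""Authenticated password-change notifications between Unix and a domain
controller.  Added illustration: message format, hashing scheme and all data
are this example's own, not the SFU protocol or UNH's Winsync."""
import hashlib
import hmac
import json
import os
import re
import time
from typing import Dict, List, Optional, Set, Tuple

SHARED_KEY = b"constructed-example-key-use-random-bytes-in-practice"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256: a stand-in for the crypt(3) hash in /etc/shadow."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed local account database (the Unix side's view of jruser).
SHADOW: Dict[str, str] = {"jruser": hash_password("Pwd!99")}
# Verified against when the user is unknown, so that real and nonexistent
# users take the same time to reject.
_DUMMY_HASH = hash_password("!")


def unix_policy_errors(user: str, password: str) -> List[str]:
    """The strict Unix rules the Windows side never checks (an assumed set)."""
    errors = []
    if len(password) < 8:
        errors.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        errors.append("fewer than 3 character classes")
    if user.lower() in password.lower():
        errors.append("contains the username")
    return errors


def build_change(user: str, current_pw: str, new_pw: str,
                 key: bytes = SHARED_KEY, now: Optional[int] = None) -> bytes:
    """Sender (Winsync role): prove knowledge of the current Unix password,
    then emit a change message authenticated with the shared key."""
    stored = SHADOW.get(user)
    ok = verify_password(current_pw, stored if stored is not None else _DUMMY_HASH)
    if stored is None or not ok:
        raise PermissionError("current password rejected")
    body = {"user": user, "new_password": new_pw,
            "nonce": os.urandom(12).hex(),                       # defeats replay
            "ts": int(now if now is not None else time.time())}  # bounds the replay window
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + mac


def accept_change(message: bytes, key: bytes = SHARED_KEY,
                  seen_nonces: Optional[Set[str]] = None,
                  enforce_unix_rules: bool = True,
                  now: Optional[int] = None, max_skew: int = 300) -> Tuple[bool, str]:
    """Receiver: check the MAC before parsing anything, then freshness,
    then replay, then (on a Unix receiver) the local password policy."""
    payload, _, mac = message.rpartition(b"\n")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return False, "bad MAC"
    body = json.loads(payload)
    current = now if now is not None else time.time()
    if abs(current - body["ts"]) > max_skew:
        return False, "stale"
    if seen_nonces is not None:
        if body["nonce"] in seen_nonces:
            return False, "replay"
        seen_nonces.add(body["nonce"])
    if enforce_unix_rules:
        errors = unix_policy_errors(body["user"], body["new_password"])
        if errors:
            return False, "policy: " + "; ".join(errors)
    return True, body["user"]
```

The order of checks matters: the MAC is verified before the JSON is parsed, so an unauthenticated peer cannot reach the parser or the policy code at all, and the nonce is recorded only after the MAC and timestamp pass, so garbage cannot fill the replay cache.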
Some Advice
  • LDAP would have been better in the long run
  • Don’t split up student and faculty accounts
  • Occasional password sync problems - just directly change the user’s AD password
  • Plan for account deletions
Now What?
  • Networked Storage from Unix systems
    • With identical Unix and Windows passwords, we can mount Unix home disk to “My Documents” via Samba
  • Student VPN
    • Setup to provide access to full network services via wireless
    • Requires WILDCAT account
  • Mac OS X ??
  • ResNet ????
Acknowledgements
  • Tony DiTulio - the other third of our department (the one who is actually a Windows guy!)
  • Paul Sand - Unix guru & sys admin extraordinaire