1 Square Pegs in Round Holes: Linux in a Windows World
Eric G. Wolfe © 2008, Senior Linux Administrator, Marshall University
Slides and code available at http://webpages.marshall.edu/~wolfe21

2 Part 1: Understanding the technology.

3 What is Active Directory?
Active Directory is a pre-configured authentication and authorization solution offered by Microsoft.
Components
 o DNS
 o Kerberos
 o LDAP
 o MSRPC
Pros
 o Simple to manage and maintain.
Cons
 o Interoperability requires some knowledge of the underlying components.

4 What is Kerberos?
Kerberos is a secure authentication protocol.
 o The password itself is never sent to the server: the client proves it holds the key derived from the password, and the KDC issues tickets only to a client that can decrypt with that key.
 o Tickets are granted to the client.
 o Tickets are then presented to services as proof of identity.
Implementations
 o MIT Kerberos (US)
 o Heimdal (Sweden)
Pros
 o Centralized user management.
 o Protocol exchanges are encrypted by default.
 o Wide third-party support.
Cons
 o Time synchronization must be precise: the KDC rejects requests outside the allowed clock skew (5 minutes by default).
 o Password management (changing passwords) is not standardized across implementations.

5 What is LDAP?
Lightweight Directory Access Protocol
 o A directory is like a database optimized for reads.
 o In AD integration, LDAP supplies the identity and group data that authorization decisions are based on.
Contains centralized information
 o user and group
 o application configuration
Pros
 o Usernames have a relationship to centralized attributes.
Cons
 o Directory schema is not standardized.
 o Performance degrades as the number of clients and applications increases.

6 What is MSRPC?
Microsoft Remote Procedure Call, a modified version of The Open Group's DCE/RPC 1.1 (Distributed Computing Environment Remote Procedure Call).
MSRPC is how Microsoft operating systems talk to each other.
 o "Domain Member" servers resolve usernames and groups between one another.
 o Remote Registry service
 o Administrative tools - Microsoft Management Console

7 Part 2: Configuring these technologies, the basics of AD integration.

8 Setting up Kerberos: pam_krb5
This is specific to Red Hat Enterprise Linux.
Easy way
 o setup (select Authentication Configuration)
 o authconfig-tui
Harder way, editing the config files by hand
 o /etc/krb5.conf
 o /etc/pam.d/system-auth
   Note: Debian/Ubuntu splits system-auth into
   /etc/pam.d/common-auth
   /etc/pam.d/common-account
   /etc/pam.d/common-password
   /etc/pam.d/common-session
Video Demonstration
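The "harder way" above, as an added example (this is not code from the slides or from Marshall University): a script that generates the krb5.conf and the pam_krb5 lines for system-auth. The realm EXAMPLE.COM and the KDC names dc1/dc2.example.com are placeholders, and CONF_ROOT defaults to a scratch directory so nothing under /etc is touched until you point it there.

```shell
#!/bin/sh
# Added example: generate /etc/krb5.conf and the pam_krb5 fragment for
# /etc/pam.d/system-auth for an AD realm. Realm and KDC names are placeholders.

CONF_ROOT="${CONF_ROOT:-$(mktemp -d)}"

# Print a minimal krb5.conf for REALM pointing at the given KDC hosts.
# dns_lookup_kdc=true lets the client find DCs through the _kerberos._tcp
# SRV records AD publishes; the explicit kdc lines are the fallback.
gen_krb5_conf() {  # usage: gen_krb5_conf REALM KDC [KDC...]
    realm=$1; shift
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    printf '[libdefaults]\n'
    printf '    default_realm = %s\n' "$realm"
    printf '    dns_lookup_kdc = true\n'
    printf '    dns_lookup_realm = false\n'
    printf '    ticket_lifetime = 24h\n'
    printf '    forwardable = true\n'
    printf '    # largest clock difference accepted, in seconds (AD uses 5 min)\n'
    printf '    clockskew = 300\n\n'
    printf '[realms]\n    %s = {\n' "$realm"
    for kdc in "$@"; do
        printf '        kdc = %s\n' "$kdc"
        printf '        admin_server = %s\n' "$kdc"
    done
    printf '    }\n\n'
    printf '[domain_realm]\n'
    printf '    .%s = %s\n' "$lower" "$realm"
    printf '    %s = %s\n' "$lower" "$realm"
}

# Print the pam_krb5 lines for /etc/pam.d/system-auth, one per PAM stack
# (auth/account/password/session). These match what authconfig generates;
# on Debian/Ubuntu each line goes into the corresponding common-* file.
pam_krb5_lines() {
    printf 'auth        sufficient    pam_krb5.so use_first_pass\n'
    printf 'account     [default=bad success=ok user_unknown=ignore] pam_krb5.so\n'
    printf 'password    sufficient    pam_krb5.so use_authtok\n'
    printf 'session     optional      pam_krb5.so\n'
}

# Write both fragments under CONF_ROOT and print the krb5.conf path.
write_krb5_files() {  # usage: write_krb5_files REALM KDC [KDC...]
    mkdir -p "$CONF_ROOT/etc/pam.d"
    gen_krb5_conf "$@" > "$CONF_ROOT/etc/krb5.conf"
    pam_krb5_lines > "$CONF_ROOT/etc/pam.d/system-auth.krb5-fragment"
    chmod 644 "$CONF_ROOT/etc/krb5.conf"
    printf '%s\n' "$CONF_ROOT/etc/krb5.conf"
}

# Stand-alone run with the placeholder names. On a real host, verify with:
#   kinit someuser@EXAMPLE.COM && klist
write_krb5_files EXAMPLE.COM dc1.example.com dc2.example.com
```

Before relying on pam_krb5 for logins, run kinit for a test user and check the clock against the domain controller; a skew beyond clockskew produces a "Clock skew too great" failure that looks like a bad password to the user.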


11 Setting up Kerberos: mod_auth_kerb
Kerberos authentication in Apache
 o behaves like IIS Windows Integrated Authentication (SPNEGO/Negotiate).
 o exposes the authenticated principal to custom or third-party web applications as REMOTE_USER ($_SERVER['REMOTE_USER'] in PHP).
The Kerberos exchange itself is protected: the service ticket the browser presents is encrypted with the web server's key, so nothing between Domain Controller, client and web server reveals the password.
 o The HTTP session is not protected, and the optional Basic-auth fallback (KrbMethodK5Passwd) sends the user's password to the web server in clear, so you still need SSL/TLS for client -> web server.
Two files
 o /etc/httpd/conf.d/auth_kerb.conf (edit)
 o /etc/httpd/conf.d/auth_kerb.keytab (create; holds the HTTP/<fqdn> service key and must be readable only by the web server user)
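The auth_kerb.conf fragment and a keytab sanity check, as an added example (not code from the slides): the realm CONTOSO.COM, the /secure location and the hostnames are placeholders; the keytab path is the one named on the slide.

```shell
#!/bin/sh
# Added example: emit /etc/httpd/conf.d/auth_kerb.conf for mod_auth_kerb and
# check the keytab next to it. Realm, location and hostnames are placeholders.

# Print a <Location> block that requires a Kerberos ticket for LOCATION.
gen_auth_kerb_conf() {  # usage: gen_auth_kerb_conf REALM KEYTAB [LOCATION]
    realm=$1; keytab=$2; loc=${3:-/secure}
    cat <<EOF
<Location $loc>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms $realm
    # the keytab must hold HTTP/<web server fqdn>@$realm
    KrbServiceName HTTP
    Krb5Keytab $keytab
    # SPNEGO/Negotiate: what the browser uses for integrated authentication
    KrbMethodNegotiate On
    # Basic-auth fallback hands the user's password to the web server in
    # clear text; keep it Off unless this vhost is reachable over TLS only
    KrbMethodK5Passwd Off
    KrbSaveCredentials Off
    Require valid-user
</Location>
EOF
}

# A keytab is a long-lived credential: it should be owned by the account
# Apache runs as (apache on RHEL) with mode 0600. Returns 0 when no group or
# other permission bits are set.
keytab_perms_ok() {  # usage: keytab_perms_ok KEYTAB
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Check that the keytab contains the HTTP/ service principal for FQDN.
# Uses MIT krb5's klist; Heimdal lists keytabs with "ktutil list" instead.
keytab_has_http_principal() {  # usage: keytab_has_http_principal KEYTAB FQDN
    klist -k "$1" 2>/dev/null | grep -q "HTTP/$2@"
}

# Stand-alone run prints the config for the placeholder realm.
# On a joined Samba member (slide 13) the keytab can be populated with
#   net ads keytab add HTTP -U administrator
# or created on the DC with ktpass and copied over; then:
#   chown apache /etc/httpd/conf.d/auth_kerb.keytab && chmod 600 ...
gen_auth_kerb_conf CONTOSO.COM /etc/httpd/conf.d/auth_kerb.keytab /secure
```

Run keytab_perms_ok and keytab_has_http_principal as part of the deployment check: a world-readable keytab lets any local user impersonate the web server to the domain, and a missing HTTP/ principal makes Negotiate fail silently and fall through to whatever fallback is enabled.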


13 Setting up Samba
Join a domain
 – Edit /etc/samba/smb.conf (next slide)
 – Configure services
   o chkconfig smb on
   o chkconfig winbind on
   o chkconfig nscd off (winbind does its own caching; nscd's cache gets in the way)
 – Stop or start services
   o /etc/init.d/smb start
   o /etc/init.d/winbind start
   o /etc/init.d/nscd stop
 – Join the domain
   o net ads join createcomputer="Organizational Unit" -Uadministrator
   (net prompts for the password; do not pass it as -Uadministrator%password, which every local user can read via ps)
Video Demonstration


15 PAM Samba configuration / Name Service Switch (the configuration is shown on the slide image, not in the transcript)
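Slides 13 to 15 as one scripted procedure, added here as an example (not the slides' own code): it emits the smb.conf [global] section and the nsswitch.conf lines, then runs the service and join commands from slide 13. CONTOSO.COM/CONTOSO and the OU "Servers/Linux" are placeholders, and DRY_RUN defaults to 1 so the script only prints the commands until you set DRY_RUN=0 on a real host. One deliberate change from the slide's order: winbind is started after the join, so it finds the machine account on its first start.

```shell
#!/bin/sh
# Added example: smb.conf and nsswitch.conf fragments plus the join sequence
# for a Samba/winbind domain member. Realm, workgroup and OU are placeholders.
# DRY_RUN=1 (default) prints the privileged commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Print the [global] section for an ADS domain member using winbind.
# "idmap uid/gid" is the Samba 3 syntax of the period; Samba 4 spells it
# "idmap config * : backend = tdb" and "idmap config * : range = 10000-20000".
gen_smb_conf() {  # usage: gen_smb_conf REALM WORKGROUP
    cat <<EOF
[global]
    workgroup = $2
    realm = $1
    security = ads
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    template shell = /bin/bash
    template homedir = /home/%D/%U
EOF
}

# Print the nsswitch.conf lines that make winbind users and groups visible
# to the OS. shadow stays "files": password checks go through pam_krb5/pam_winbind.
gen_nsswitch_lines() {
    printf 'passwd:     files winbind\n'
    printf 'shadow:     files\n'
    printf 'group:      files winbind\n'
}

# Enable services, join, start, then verify the machine account works.
# net prompts for the admin password; never pass it as -U user%pass.
join_domain() {  # usage: join_domain "OU path" ADMINUSER
    run chkconfig smb on
    run chkconfig winbind on
    run chkconfig nscd off              # nscd's cache conflicts with winbind's
    run /etc/init.d/nscd stop
    run net ads join createcomputer="$1" -U"$2"
    run /etc/init.d/smb start
    run /etc/init.d/winbind start
    run wbinfo -t                       # trust-secret check for the machine account
    run getent passwd "$2"              # NSS lookup resolved through winbind
}

# Stand-alone run: print both fragments and (dry-run) the join commands.
gen_smb_conf CONTOSO.COM CONTOSO
gen_nsswitch_lines
join_domain "Servers/Linux" administrator
```

wbinfo -t failing after a join that reported success usually means the machine account password was not stored (secrets.tdb unwritable) or the clock skew caveat from slide 4 has bitten; fix that before touching PAM, or every domain login will fail with an unhelpful error.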

16 Part 3: Advanced tricks, Linux & MSRPC

17 Remote registry & DNS: DNS management
Problems encountered
 o You can read AD-integrated zones from LDAP, but the majority of our zones are NOT AD-integrated.
 o We have thousands of internal reverse zones; it is tedious to maintain them on several servers individually.
 o There is no DNS standard that lets a slave server retrieve the list of zone names from a primary (AXFR transfers one zone at a time, and only zones the slave already knows about).
Observations
 o The Windows DNS zone list can be read remotely from a registry branch with Samba.

18 Remote Registry & DNS: configuring dnsnarf
 o Create a DNS service account in AD for the script.
 o GPO settings: remote registry reads by non-administrators are controlled by the ACL on this key
   HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
 o Set 'read' (on that key) and 'apply group policy' permissions for your DNS service account.
 o Grant read only; the service account needs no local or domain administrator rights for this.

19 Remote Registry & DNS: dnsnarf is born
Samba component used
 o net rpc registry enumerate (manpage: net(8))
Remote registry location to read zones
 o HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones
Example test command (the test uses administrator; the script itself should run as the read-only service account from the previous slide)
   net -S kdc01.contoso.com \
     -U administrator -W CONTOSO.COM \
     rpc registry enumerate \
     "\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"


21 Example net rpc output (shown as a screenshot on the slide)

22 Sample dnsnarf output (named.conf) (shown as a screenshot on the slide)
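The step from slide 19 to slide 22, as an added example; this is not the original dnsnarf script (the slides show its output only as a screenshot) but a shell reimplementation of the same idea: parse the output of net rpc registry enumerate and emit a named.conf slave stanza per zone. The sample enumerate output below is constructed, and the "Keyname = ..." layout is assumed from Samba's net tool; the master address 192.0.2.10, the list of auto-created Windows zones to skip, and the name-validation rule are this example's own choices. The validation matters: the zone names come from a remote host, so they are treated as untrusted input rather than spliced straight into named.conf.

```shell
#!/bin/sh
# Added example, dnsnarf-style converter: reads `net rpc registry enumerate`
# output for the Windows DNS Zones key and prints named.conf slave stanzas.

# Master the slave zones pull from (placeholder address).
MASTER_IP="${MASTER_IP:-192.0.2.10}"

# Constructed sample of enumerate output; real output has one
# "Keyname   = <subkey>" / "Modtime   = <date>" pair per subkey (format assumed).
# The 'bad"zone;' entry stands in for hostile or corrupt registry data.
SAMPLE_ENUM='Keyname   = .
Modtime   = Mon, 07 Jan 2008 10:00:00 GMT

Keyname   = bad"zone;
Modtime   = Mon, 07 Jan 2008 10:00:00 GMT

Keyname   = contoso.com
Modtime   = Mon, 07 Jan 2008 10:00:00 GMT

Keyname   = 1.168.192.in-addr.arpa
Modtime   = Mon, 07 Jan 2008 10:00:00 GMT
'

# Extract the subkey (zone) names from enumerate output on stdin, one per line.
zone_names() {
    sed -n 's/^Keyname[[:space:]]*=[[:space:]]*//p'
}

# Accept only syntactically plausible DNS names. A quote or semicolon in a
# name would otherwise rewrite the generated named.conf.
valid_zone() {  # usage: valid_zone NAME
    case "$1" in
        ''|.|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Zones Windows DNS creates on its own ("." holds the root hints, the
# RFC 1912 reverse zones are loopback/broadcast); assumed skip list.
skip_zone() {  # usage: skip_zone NAME
    case "$1" in
        .|0.in-addr.arpa|127.in-addr.arpa|255.in-addr.arpa|TrustAnchors) return 0 ;;
    esac
    return 1
}

# Print one named.conf slave stanza.
slave_stanza() {  # usage: slave_stanza NAME
    printf 'zone "%s" {\n    type slave;\n    file "slaves/%s";\n    masters { %s; };\n};\n\n' \
        "$1" "$1" "$MASTER_IP"
}

# Convert enumerate output (stdin) into named.conf (stdout); rejects go to stderr.
named_conf_from_enum() {
    zone_names | while IFS= read -r z; do
        if skip_zone "$z"; then continue; fi
        if ! valid_zone "$z"; then
            printf 'skipping invalid zone name: %s\n' "$z" >&2
            continue
        fi
        slave_stanza "$z"
    done
}

# The real fetch, using the registry path from slide 19; run as the
# read-only service account, not as administrator.
fetch_zones() {  # usage: fetch_zones DC USER WORKGROUP
    net -S "$1" -U "$2" -W "$3" rpc registry enumerate \
        "\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"
}

# Stand-alone run converts the constructed sample. For real use:
#   fetch_zones kdc01.contoso.com dnsnarf CONTOSO.COM | named_conf_from_enum > /etc/named.slaves.conf
printf '%s' "$SAMPLE_ENUM" | named_conf_from_enum
```

Generate into a separate file that named.conf includes, and run named-checkconf on the result before reloading: the reject messages on stderr are the signal that something on the Windows side changed in a way the script did not expect.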

23 Questions? Eric G. Wolfe © 2008 Senior Linux Administrator Marshall University This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. Slides and code available at http://webpages.marshall.edu/~wolfe21/

