• No results found

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation"

Copied!
37
0
0

Loading.... (view fulltext now)

Download now ( 37 Page )

Full text

(1)

Integrating

Red Hat Enterprise Linux 6

with Microsoft Active

Directory

(2)

Agenda

Overview

Components

Considerations

Configurations

Futures

(3)

What is needed?

● Thorough understanding components, interactions

● Awareness of technical, non-technical considerations ● Comparison of configurations, options

● Best practices, guidelines

(4)

Windows – Consumer Perception

(5)

Windows – Systems Reality

(6)

Overview

Components

Considerations

Configurations

Futures

(7)

Components - Overview

* Let's examine several core components closer *

Red Hat

Enterprise Linux Active Windows Server 2008 R2 Directory Winbind Kerberos LDAP SSSD NTP DNS NSS Samba SMB/CIFS

(8)

Active Directory Domain Services (AD DS)

● Suite of directory services ● Customized versions:

● Kerberos

● Domain Name System (DNS)

● Lightweight Directory Access Protocol (LDAP)

● Object hierarchy – nodes, trees, forests, domains ● Renamed in Windows Server 2008 R2

(9)

Samba

● Open source suite of programs ● Provides file and print services ● Includes two daemons:

● smbd (file and print services) ● nmbd (NetBIOS name server)

● Samba v3.5 is current version (RHEL 6)

(10)

SMB/CIFS

● Client-server communications protocols

● Server Message Block (SMB) - IBM developed

● Common Internet File System (CIFS) – MS extended ● Both protocols used interchangeably

● SMB older, legacy servers (Windows 2000)

(11)

Winbind (1)

● Daemon included with Samba suite

● Unified logon to Active Directory accounts ● Minimizes need for separate accounts

● Primary functions:

● Authentication of user credentials (“Who”)

● ID Tracking/Name Resolution via nsswitch (“Where”) ● ID Mapping of UID/GID <-> SID (“What”)

(12)
(13)

Winbind (3)

● ID Mapping implemented through “backends” ● ~8 backends available

● ID Mappings classified as:

Allocating (r/w, local)

Algorithmic (r/o, calculated, consistent)

Assigned (r/o, assigned in AD, consistent)

● Each has advantages, disadvantages

(14)

SSSD (System Security Services Daemon)

● RHEL systems members of centralized IdM solution

(Active Directory, IPA, LDAP, Kerberos)

● Access to different identity, authentication providers

(e.g. - LDAP native, LDAP w/Kerberos)

● Extensible (new identity, authentication sources) ● Supports off-line caching (clients)

● Reduces load on identity servers

(15)

Kerberos

● Current version = V5

● Clients request ticket from trusted third party (KDC)

● Key distribution center (KDC) = AD server

● Behavior configured by /etc/krb5.conf ● Managed by PAM libraries:

● pam_winbind (Samba), pam_sss (SSSD), pam_krb5

Integration best practice:

(16)

Overview

Components

Considerations

Configurations

Futures

(17)

Non-technical Considerations

● Organizational Alignment ● Expertise Levels

● Scope/Complexity ● Prototype

(18)

Technical Considerations – File Sharing

● File sharing required?

● Yes = Samba based configuration ● No = Samba or non-Samba ok

● Where are file shares located?

● Client side? ● Server side?

(19)

Technical Considerations –

Login Access

● Red Hat Enterprise Linux login access required?

● Command Line Interface (CLI)

● Graphical Display Manager (GDM)

● Local vs. Active Directory accounts

● Local accounts = more administration

● Active Directory = centralized administration

(20)

Technical Considerations –

AD ID Attributes

● RFC2307/bis

● Extends UNIX ID attributes via LDAP

● Provides more flexibility, control (home dir, shell)

● Enabling in Windows Server

● 2008 R2 => Identity Management for UNIX (IMU) role

● 2008, 2003 R2 => Identity Management for UNIX (IMU) service ● 2003 and earlier => Windows Services for UNIX (SFU) service

(21)

Technical Considerations –

Enumeration

● Winbind listing of users, groups in AD domain

● Default behavior during user login, authentication ● More users = longer login time

Integration best practice:

* Disable in environments 20,000+ users *

/etc/samba/smb.conf

[global]

winbind enum users = no winbind enum groups = no

(22)

Technical Considerations – LDAP Referrals

● LDAP in Active Directory scales out over time

● Objects relocate across multiple domain controllers

● LDAP referral

● Responding domain controller can't find object

● Clients contact multiple controllers to complete lookup

Integration best practice:

* Disable for performance (if no partial replication) *

/etc/sssd/sssd.conf

(23)

Overview

Components

Considerations

Configurations

Futures

(24)

Recommended Configurations - Overview

Configuration Services

Provided Features Use Case

1. Samba/Winbind (idmap_rid)

● File sharing ● Login access

● Templated shell, home dirs ● Least intrusive to AD

(No user/group ID attribute changes) ● Algorithmic ID mappings

“Template-driven”

2. Samba/Winbind (idmap_ad)

● File sharing ● Login access

● Customizable shell, home dirs ● Centralized user mgmt

● Assigned ID mappings

● User/group ID attributes set in AD (requires IMU)

“Customizable”

3. SSSD/Kerberos/ LDAP

● Login access ● Advanced authentication, caching ● Reduces client loading on server ● User/group ID attributes set in AD

(requires IMU)

“Enhanced”

4. Kerberos/LDAP ● Login access ● No off-line caching user credentials ● User/group ID attributes set in AD

(requires IMU)

“Legacy”

(25)

Configuration 1

(winbind – idmap_rid)

(26)
(27)

Configuration 2

(winbind - idmap_ad)

(28)
(29)

Configuration 3

(SSSD/Kerberos/LDAP)

(30)
(31)

Configuration 4

(Kerberos/LDAP)

(32)
(33)

Overview

Components

Considerations

Configurations

Futures

(34)

Futures

● Winbind idmap_autorid

● New backend for Samba 3.6/RHEL 6.4

● Automatically allocates domain ranges

● SSSD

● Active Directory domain trust support (RHEL 6.4)

● New AD integration capabilites - ID Mapping, etc. (RHEL 6.4+)

● Fully featured, enhanced alternative to Winbind

● Red Hat Enterprise Linux 7

(35)

Overview

Components

Considerations

Configurations

Futures

(36)

Summary (1)

● First glance deceptively simple

● Second glance appears overwhelming

● Many variables, components, interactions ● Reference Architecture simplifies selection,

deployment and integration:

https://www.redhat.com/resourcelibrary/reference-architectures/ integrating-red-hat-enterprise-linux-6-with-active-directory

● See Customer Portal for additional materials:

(37)

Summary (2)

● Select best configuration for your environment, organizational goals

● Hybrid configurations ok to consider ● Third-party products viable alternatives ● Prototype, test in advance

● Most issues have simple causes

“Red Hat Enterprise Linux integrates well with Windows Active Directory”

References

Download now ( PDF - 37 Page - 2.87 MB )

Related documents

Hybrid and plant density effects on nitrogen response in corn

Interestingly, when the N rate x plant density interaction was analyzed across different stress levels, the low density (44,460 plants/ha) responded to the same level of N (133

WHITE PAPER NEXXUS SALES. Administering MBO-based Incentive Compensation Plans

As the prevalence of MBO-based incentive programs grows, a Sales Performance Management system can deliver a completely automated administration method that allows you to

pi!* free robux codes - robux free 72 claim

There are several promo codes that you can input into the FREE ROBUX platform itself or specific games to unlock these free items.. If you want to take your gameplay to the next

Identity Management: The authentic & authoritative guide for the modern enterprise

37 Direct Integration Active Directory Active Directory Linux system Linux system DNS DNS LDAP LDAP KDC KDC SSSD SSSD Policies Policies Name Resolution Name Resolution

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

UNIX/Linux – LDAP, LDAP + Kerberos, NIS Windows – Active Directory (LDAP + Kerberos) LDAP is the most common identity store.. Centralized user databases.. Basic LDAP

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

Direct Integration – Red Hat Enterprise Linux 6 Identity Store Components Platform Third Party Client Central Identity Server Active Directory. Red Hat

Stonesoft Augmented VPN WITH MULTI-LINK TECHNOLOGY

Add new multiple links without compromising usability or your budget Always available connectivity with maximized throughput Ensure that your critical business traffic

CZ Health Insurance and Occupational Insurance Providing care means looking ahead

This is what CZ stands for, and this is why CZ also offers healthcare services in addition to group health insurance that will assist you with ensuring the health of your