Kangaroot SUSE
TechUpdate
Interoperability SUSE Linux Enterprise and Windows
Gábor Nyers
Systems Engineer @SUSE
Agenda
14:00 Kangaroot Update; SUSE Update
Data Center Interoperability: the playfield; Scenarios
SLES participating in an Active Directory domain
Integration of Apache on SLES with Active Directory
15:30 Pause
SLES and Samba as domain controller; Remote Desktop
On the bleeding edge: Btrfs + Snapper + Samba = FSRVP
17:00 Refreshments
18:00 End
SUSE Update
SUSE Update
Last 3 months
• Changes in the Subscription Model
• SUSECon 2012
‣ Visit the SUSE channel on YouTube
• SUSE Manager Proof of Concept programme
SUSE Update
Next 3 months
• SUSECon 2013
• SUSE Cloud
‣ Topic of the next TechExchange
• New SUSE Customer Center
• New SUSE Partners in The Netherlands
SUSE Update
Improving services to help SUSE customers
Events, Workshops, Seminars
• TechExchange and TechTalks
• Workshops for special interests, e.g.:
‣ High Availability, RPM Packaging
‣ SUSE Customer Center update
Trainings, Certification
• Advanced Technical Trainings
• CLA, CLP, CLE
• RHCE → CLP or CLE
SUSE Update
Improving services to help SUSE customers
Assessments
• In co-operation with partners
• Fixed price / fixed duration
• Topics:
‣ Health check
‣ Patch Management
‣ Disaster Recovery
‣ Security and Hardening
‣ Migration physical to virtual
Interoperability Scenarios
Data Center Interoperability
The Playfield
Platforms: UNIX, Mainframe, Linux, Windows
Observable trends (in general):
‣ Legacy Unix holds or declines
‣ Mainframe:
♦ z/OS holds
♦ Linux on System z emerging
‣ Linux and Windows grow
Linux – Windows Interoperability
The playfield
Platforms: UNIX, Mainframe, Linux, Windows
Interoperability topics:
‣ Services
‣ Virtualization
‣ Systems Management
‣ Documents
‣ Scripting Languages
‣ Porting and running software
SUSE Linux Enterprise – Windows Interoperability
Example Services 1/2: Windows using services of SUSE Linux Enterprise (*)
‣ File and printer shares (Samba)
‣ Domain services (Samba)
‣ Directory services (Samba 4, OpenLDAP)
‣ Web services (Apache, Tomcat, ...)
‣ Network proxy (Squid)
‣ E-mail (Postfix, Dovecot)
‣ Databases (MySQL, PostgreSQL)
‣ SSL certificates (OpenSSL, YaST CA)
‣ Remote Desktop (NX)
‣ DNS, DHCP
‣ VoIP (Asterisk) etc.
(*) in parentheses: the involved components on SLES
SUSE Linux Enterprise – Windows Interoperability
Example Services 2/2: SUSE Linux Enterprise using services of Windows (*)
‣ File and printer shares (Samba)
‣ Domain services (Samba)
‣ Directory services (Winbind)
‣ Web services
‣ Network proxy
‣ E-mail (Postfix, Dovecot)
‣ Databases (FreeTDS, JDBC)
‣ SSL certificates
‣ Remote Desktop (rdesktop)
‣ DNS, DHCP etc.
(*) in parentheses: the involved components on SLES
Scenarios
1. SLES Participating in an Active Directory domain
2. Integration of Apache with Active Directory
3. SLES and Samba as domain controller
4. Windows Remote Desktop on Linux
5. Prototype Samba implementation of “Recovery Point”
Scenarios
Practical value vs. Maturity
(Chart: the five scenarios plotted on two axes, Practical value and Maturity, each running from Emerging to Enterprise.)
1. SLES participating in an Active Directory domain
2. Integration of Apache on SLES with Active Directory
3. SLES and Samba as domain controller
4. Windows Remote Desktop on Linux
5. Prototype Samba implementation of “Recovery Point”
Overview of SMB versions (*)
Samba 3.6 supports SMB 1.0, 2.0 and partly 2.1
(*) see also this blog article
Scenario 1:
SLES as member server in Active Directory domain
Features
‣ SLES as member server in an Active Directory domain
‣ Used services
♦ Directory and authentication through Winbind
♦ Mount Windows file share
‣ Provided services
♦ File and print sharing for Windows workstations
‣ PAM integration
Technology components
‣ SLES 11 SP2
♦ Samba (v3.6)
‣ Windows 2008 R2
‣ Windows XP and 7
Troubleshooting
‣ wbinfo, smbclient, strace, lsof, netstat, tcpdump, Wireshark
‣ Logs: /var/log/samba/*
Scenario 1:
SLES as member server in Active Directory domain
(Diagram) SLES 11 SP2, hostname interop01, role: member server in the AD domain ad.demo.lan; it offers a file share and an SSH service whose logins go through PAM. Windows 2008 R2, hostname win200864, role: AD Domain Controller for ad.demo.lan. Windows 7 (win764.ad.demo.lan) and Windows XP (winxp01.ad.demo.lan) workstations map the shared folder from interop01. Demos 1 to 4 walk through these connections.
Scenario 1:
SLES as member server in Active Directory domain
• Steps on SLES
‣ Join the domain using YaST Windows Domain Membership
‣ Manually configure pam_winbind to restrict allowed users
• Steps on Active Directory
‣ Add group “SLES Shell Users”
‣ Add user “Administrator” to “SLES Shell Users”
• Steps on Windows workstations
‣ Map share \\interop01\homes
/etc/security/pam_winbind.conf
[global]
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
debug = yes
require_membership_of = "SLES Shell Users"
Notes: require_membership_of also accepts a group SID (S-1-5-21-...), which is the safer form: a SID cannot be confused with a same-named group in another trusted domain and survives a group rename. cached_login = yes lets users who have logged in before keep logging in while the domain controller is unreachable; debug = yes is for the demo and belongs off in production.
See also: Interop Demo appliance
Scenario 2:
Integration of Apache on SLES with Active Directory
Features
‣ SLES as member server in an Active Directory domain
‣ Browsers running on Windows workstations can transparently log in to web applications
‣ Active Directory as provider for:
♦ Authentication through Kerberos
♦ Authorization through LDAP
‣ Provided services
♦ Web services by Apache/Tomcat
Technology components
‣ SLES 11 SP2
♦ Samba (v3.6), mod_auth_kerb
‣ Windows 2008 R2
‣ Windows XP and 7
Troubleshooting
‣ klist, strace, lsof, netstat, tcpdump, Wireshark
‣ Firefox add-on Live HTTP Headers
‣ Logs: /var/log/apache2/*, /var/log/messages
Scenario 2: Integration of Apache with Active Directory
(Diagram) SLES 11 SP2, hostname interop04, role: member server in the AD domain ad.demo.lan, running Apache with mod_auth_kerb protecting /secure. Windows 2008 R2, role: AD Domain Controller for ad.demo.lan, reached over Kerberos and LDAP. Windows 7 workstation (win764.ad.demo.lan) with Firefox and Internet Explorer. The diagram numbers four steps: the browser's request to Apache, the Kerberos exchange and the LDAP lookup against Active Directory.
Scenario 2: Integration of Apache with Active Directory
Configuration steps
• Steps on SLES
‣ Join domain
‣ Create keytab
‣ Configure Apache
• Steps on workstations
‣ Configure Integrated Authentication for browsers
• Steps on Active Directory
‣ Add user “sles-apache”
‣ Add group “SLES Web Users”
‣ Add user “Administrator” to “SLES Web Users”
See also: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol (MSDN)
See also: Interop Demo appliance
Configure Apache for Kerberos authentication
LoadModule auth_kerb_module /usr/lib64/apache2/mod_auth_kerb.so
LoadModule ldap_module /usr/lib64/apache2/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib64/apache2/mod_authnz_ldap.so
<Location /secure>
AuthName "---Restricted Access, please use your Active Directory credentials---"
AuthType Kerberos
KrbMethodNegotiate on
KrbMethodK5Passwd on
Krb5Keytab /etc/apache2/conf.d/sles-apache.krb5.keytab
KrbAuthRealms AD.DEMO.LAN
KrbServiceName HTTP/[email protected]
KrbLocalUserMapping On
AuthLDAPBindDN cn=sles-apache,cn=Users,dc=ad,dc=demo,dc=lan
AuthLDAPBindPassword SecretPassword
AuthLDAPURL "ldap://win200864.ad.demo.lan:389/dc=ad,dc=demo,dc=lan?sAMAccountName"
AuthLDAPGroupAttribute member
Require ldap-group cn=SLES Web Users,cn=Users,dc=ad,dc=demo,dc=lan
</Location>
Notes on this configuration:
‣ KrbMethodK5Passwd on lets a browser without a ticket fall back to Basic authentication, so the user's AD password reaches Apache in cleartext; leave it off, or serve /secure over HTTPS only.
‣ The bind password for sles-apache is stored in plain text and the group lookup goes over unencrypted ldap:// on port 389; give that account read-only rights, keep the configuration file readable by root only, and prefer ldaps:// to the domain controller.
‣ The keytab must be readable by the Apache user (wwwrun on SLES) and by nobody else; anyone who can read it can impersonate the HTTP service.
‣ KrbLocalUserMapping On strips the realm from the authenticated principal; with more than one trusted realm, two different principals can end up with the same local name.
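An added example for the “Create keytab” step (Python; not code from the page, SUSE or Samba): a parser for the keytab file format that Krb5Keytab points at, with the checks worth running before restarting Apache: the HTTP service principal is present, all its keys share one kvno, and no DES or RC4-only key remains. The principal HTTP/interop04.ad.demo.lan@AD.DEMO.LAN is an assumption derived from the hostname in the diagram and the KrbAuthRealms value; the keytab bytes are constructed in the block with dummy keys. On a real server, `klist -ke /etc/apache2/conf.d/sles-apache.krb5.keytab` shows the same listing; the parser is here so the checks run offline.

```python
"""Parse and sanity-check a Kerberos keytab such as the one Apache reads.

Added example, not code from the page, SUSE or Samba.  Implements the keytab
file format used by MIT Kerberos and Heimdal (version 0x0502): a 2-byte header,
then entries each prefixed by a big-endian int32 length (negative = deleted).
The service principal and the key bytes below are assumptions for the demo.
"""
import struct

# Encryption type numbers (RFC 3961/3962/4757) that matter for AD interop.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4: still issued by 2008 R2, not what you want

def _counted(buf, pos):
    # uint16 length-prefixed byte string
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(blob):
    """Return one dict per live entry: principal, kvno, enctype, enctype_name, key."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab, header %r" % blob[:2])
    entries, pos = [], 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # deleted slot: skip abs(size) bytes
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)     # realm precedes the name components
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4
        key = entry[p:p + klen]
        p += klen
        kvno = vno8
        if p + 4 <= len(entry):           # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", entry, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype)})
    return entries

def check_service_keytab(blob, principal):
    """Findings worth fixing before pointing Krb5Keytab at this file."""
    matching = [e for e in parse_keytab(blob) if e["principal"] == principal]
    findings = []
    if not matching:
        findings.append("missing principal " + principal)
    kvnos = sorted({e["kvno"] for e in matching})
    if len(kvnos) > 1:                    # AD bumps the kvno on every password reset
        findings.append("mixed kvno %s for %s" % (kvnos, principal))
    for e in matching:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s" % (e["enctype_name"], principal))
    if matching and not any(e["enctype"] in (17, 18) for e in matching):
        findings.append("no AES key for " + principal)
    return findings

def build_keytab(entries):
    """Serialise entries (same dict shape parse_keytab returns); used for the sample."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        parts = name.split("/")
        body = bytearray(struct.pack(">H", len(parts)))
        for s in [realm] + parts:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 1362132000, e["kvno"] & 0xFF)   # KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Assumed service principal: HTTP/<fqdn of interop04>@<realm from KrbAuthRealms>.
SERVICE = "HTTP/interop04.ad.demo.lan@AD.DEMO.LAN"
# Constructed sample: one RC4 key and two AES keys, all at kvno 3, dummy key bytes.
SAMPLE_KEYTAB = build_keytab([
    {"principal": SERVICE, "kvno": 3, "enctype": 23, "key": b"\x11" * 16},
    {"principal": SERVICE, "kvno": 3, "enctype": 17, "key": b"\x22" * 16},
    {"principal": SERVICE, "kvno": 3, "enctype": 18, "key": b"\x33" * 32},
])
# The same keytab with a 4-byte deleted slot in front, as an in-place removal leaves behind.
SAMPLE_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -4) + b"\0" * 4 + SAMPLE_KEYTAB[2:]
```

Running `check_service_keytab(SAMPLE_KEYTAB, SERVICE)` reports the RC4 key as weak and nothing else; a keytab written before and after an AD password reset for sles-apache would show up as mixed kvno, which is the usual cause of “Wrong principal in request” or “Key version number for principal in key table is incorrect” in the Apache error log.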
Configure Firefox for Integrated Authentication
• Firefox is by default not enabled for “Negotiate” authentication: in about:config, add the server (or the domain, e.g. .ad.demo.lan) to network.negotiate-auth.trusted-uris, otherwise it never sends the Kerberos token and falls back to the password prompt.
Configure IE for Integrated Authentication
• IE is by default not enabled for “Negotiate” authentication against this server: it only sends a Kerberos token to sites in its Local intranet zone (with “Enable Integrated Windows Authentication” on), so add the Apache server to that zone.
Scenario 3: SLES and Samba as Domain Controller
Features
‣ SLES as domain controller (NT4-style domain with Samba 3)
‣ Windows workstations can consume domain, file and printer shares
‣ Optional: Samba configuration in a replicated LDAP directory
Technology components
‣ SLES 11 SP2
♦ Samba (v3.6)
♦ (OpenLDAP)
‣ Windows XP and 7
Troubleshooting
‣ smbclient, strace, lsof, netstat, tcpdump, Wireshark
‣ Logs: /var/log/samba/*
Scenario 3: Overview
(Diagram) SLES 11 SP2 running Samba as domain service, file share and printer share, with the Samba configuration and the domain users and groups stored in an OpenLDAP directory. Windows XP and Windows 7 clients with mapped shares and the network printer. Demo 1 and Demo 2.
Scenario 3: Configuration Steps
• Steps on SLES
‣ Configure LDAP server using YaST
‣ Configure Samba domain using YaST
• Steps on Windows clients
‣ Join Samba domain
See also: Interop Demo appliance
Scenario 4: Remote Desktop
Use case
‣ Using the built-in Remote Desktop capability, log in on a Windows system
Technology components
• SLES 11 SP2
‣ rdesktop
‣ tsclient
• Windows 2008 R2
• Windows XP and 7
• Troubleshooting
‣ netstat, tcpdump, Wireshark
Scenario 4: Overview
(Diagram) Remote Desktop client on SLED 11 SP2 connecting to the Remote Desktop service on Windows 7 and Windows XP, and to the virtual desktops of a VDI farm.
Scenario 4: Configuration Steps
• On SLE client
‣ Install the packages “rdesktop” and “tsclient”
‣ Configure remote desktop systems
• On Active Directory domain controller
‣ Create AD group “Domain Remote Desktop Users”
‣ Add
• On Windows systems
‣ Add the AD group “Domain Remote Desktop Users” to the local group “Remote Desktop Users”
See also: Interop Demo appliance
Scenario 5: Prototype Samba implementation of “Recovery Point”
Features
‣ Through integration of Btrfs, Snapper and Samba, SLES 11 SP2 provides a file share
‣ Automatic snapshots created by Snapper provide “Recovery Points” for files
‣ Through Windows Explorer, clients can access older versions of a file
Technology components
‣ SLES 11 SP2
♦ Btrfs and Snapper (prototype)
♦ Samba 4 (prototype)
‣ Windows XP and 7
See also: David Disseldorp's “Bleeding Edge Samba and Snapper” appliance
Scenario 5: Demo
(Diagram) Windows XP client with the network share of the Samba4 service on SLES 11 SP2. Sequence: the file “test.txt” is created on the share; Snapper takes automatic snapshots; “test.txt” is changed; Explorer now lists the previous versions of “test.txt”.
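An added example for the mechanism behind this demo (Python; not Samba's vfs_snapper or shadow_copy2 code): how a file server maps Snapper snapshots to the @GMT-YYYY.MM.DD-HH.MM.SS tokens that the Windows Previous Versions dialog enumerates, and resolves a client's request for <token>/<path> to the copy inside the right snapshot. The Snapper layout is assumed: <share>/.snapshots/<num>/info.xml with a UTC <date>, and the snapshot contents under <share>/.snapshots/<num>/snapshot/. The share tree is constructed in a temporary directory. It goes beyond the slide in one respect: it rejects paths that would escape the share or snapshot root, since a client can name arbitrary token/path strings.

```python
"""Map Snapper snapshots to Windows "Previous Versions" tokens and back.

Added example, not Samba's vfs_snapper code.  Assumed Snapper layout:
<share>/.snapshots/<num>/info.xml with a UTC <date>, snapshot contents in
<share>/.snapshots/<num>/snapshot/.  Tokens follow the SMB snapshot format
@GMT-YYYY.MM.DD-HH.MM.SS that Explorer uses when it asks for an older copy.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime

GMT_TOKEN = re.compile(r"^@GMT-\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2}$")

def snapshot_tokens(share):
    """Return {token: snapshot_root} for every readable Snapper snapshot of a share."""
    tokens = {}
    snapdir = os.path.join(share, ".snapshots")
    if not os.path.isdir(snapdir):
        return tokens
    for num in os.listdir(snapdir):
        info = os.path.join(snapdir, num, "info.xml")
        root = os.path.join(snapdir, num, "snapshot")
        if not (os.path.isfile(info) and os.path.isdir(root)):
            continue
        date = ET.parse(info).getroot().findtext("date")      # assumed: UTC, no tz suffix
        ts = datetime.strptime(date, "%Y-%m-%d %H:%M:%S")
        tokens[ts.strftime("@GMT-%Y.%m.%d-%H.%M.%S")] = root
    return tokens

def resolve(share, client_path):
    """Translate a client path, optionally prefixed by a @GMT token, to a real path.

    Refuses anything that would climb out of the share or the chosen snapshot:
    the token is client-controlled, and so is everything after it.
    """
    parts = [p for p in client_path.replace("\\", "/").split("/") if p not in ("", ".")]
    base = share
    if parts and GMT_TOKEN.match(parts[0]):
        base = snapshot_tokens(share).get(parts[0])
        if base is None:
            raise FileNotFoundError("no snapshot for " + parts[0])
        parts = parts[1:]
    if ".." in parts:
        raise PermissionError("path escapes the share: " + client_path)
    return os.path.join(base, *parts)

def previous_versions(share, rel_path):
    """(token, content) for each snapshot holding a copy of rel_path, newest first.

    Identical copies in consecutive snapshots are listed once; the live file
    itself is never listed as a "previous" version.
    """
    with open(resolve(share, rel_path), "rb") as f:
        seen = {f.read()}
    out = []
    for token in sorted(snapshot_tokens(share), reverse=True):
        p = resolve(share, token + "/" + rel_path)
        if os.path.isfile(p):
            with open(p, "rb") as f:
                data = f.read()
            if data not in seen:
                seen.add(data)
                out.append((token, data))
    return out

def build_demo_share():
    """Constructed tree mirroring the demo: test.txt created, snapshotted, then changed."""
    share = tempfile.mkdtemp(prefix="interop-share-")
    def snap(num, date, content):
        d = os.path.join(share, ".snapshots", str(num))
        os.makedirs(os.path.join(d, "snapshot"))
        with open(os.path.join(d, "info.xml"), "w") as f:
            f.write("<snapshot><type>single</type><num>%d</num><date>%s</date></snapshot>"
                    % (num, date))
        if content is not None:
            with open(os.path.join(d, "snapshot", "test.txt"), "wb") as f:
                f.write(content)
    snap(1, "2013-03-01 10:00:00", None)                 # before test.txt existed
    snap(2, "2013-03-01 11:00:00", b"first version\n")   # test.txt created
    snap(3, "2013-03-01 12:00:00", b"first version\n")   # hourly snapshot, unchanged
    with open(os.path.join(share, "test.txt"), "wb") as f:
        f.write(b"second version\n")                     # the change the demo makes
    return share
```

`previous_versions(build_demo_share(), "test.txt")` yields the single older copy at @GMT-2013.03.01-12.00.00, which is what Explorer's Previous Versions list shows after the change in the demo. A real server must additionally refuse symlinks that point outside the snapshot root, since `..` is not the only way out of a subvolume.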
Thank you.
For more information please
visit our website:
www.suse.com
Unpublished Work of SUSE. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE.
Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole
discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.