TechX World Live Questions Answered

Penton Media (owners of Windows IT Pro) broadcast a recorded version of the Windows/Linux SSO session I did for the TechX World road show yesterday. We had quite a few attendees... several hundred based on the counts I saw. I have to say it was a little odd listening to myself speak over the web (is my voice really that monotone? Jeez)

I answered a bunch of questions live at the end of the pre-recorded session, but ran out of time to answer them all, so I thought I would go ahead and answer the questions here. Thanks again for listening, and feel free to contact me if you have further questions. I will post more about this whole integration exercise in the coming weeks.

So on with the questions...

What if you want to use Linux for SSO for Windows clients?
As far as I know that's not possible at this point. Windows clients will only authenticate to a Windows DC. The Samba 4.0 project has as one of its goals the ability to authenticate Windows clients, and they have some of the bits working and available. I haven't tried them myself yet.

This covers authentication. Does it also cover authorization? Does having access to uid\gid data give the ability to control who has access to what?
Yes, by virtue of the fact you can set the uidNumber and gidNumber attributes in AD, you can define the uid and gid assigned to users when they authenticate, and you can use those same values to determine resource access.

Do you have any experience in enabling SSO in Apache running on Linux/Unix against Active Directory (via Kerberos)?
No, but this is one of the things I've been playing around with recently. There are three strategies that bear looking at:

  1. Use the mod_auth_kerb and mod_auth_ldap Apache modules to authenticate to AD. I'm not real optimistic that will provide an SSO experience.
  2. Use the mod_auth_pam Apache module and set up PAM the way I described in the session. That's going to my first strategy.
  3. Use the WS-Federation module for Apache from Ping Identity, and use an Active Directory Federation Service (ADFS) server to provide the authentication tokens. This should also provide an SSO experience (login once on the Linux box, and get auth on Apache with no further interaction). Kim Cameron blogged about this a while ago.

Is there a way to specify a home directory to be used when logging in via linux?
Yes there is. I mentioned this in the session, but I sort of skimmed through it. First off, you need to include the pam_mkhomedir module in the system-auth file. The entry should be something like: skel=/etc/skel umask=0077

This tells PAM to create (if its not present) a home directory after successful authentication, copy the contents of /etc/skel into it, and assign it the umask 0077 (owner rwx). You also need to create a subdirectory in /home that has the same name(s) as the AD domains users will be authenticating to (and in the same case, thank you very much!) So for instance, in my demo setup where the domain was called SSO, I had to create /home/SSO. You also have to make sure the perms are set on it so that PAM can create the home directories for you.

How do you enable auth logging on the domain controller?
You can do this with a Group Policy setting on your domain controllers OU. Run the GPO editor on your Default Domain Controllers Policy, and open the Computer Configuration/Windows Settings/Security Settings/Local Policy/Audit Policy section. Set the Audit account logon events entry for Success, or Success and Failure if you want audit failed logon attempts as well (recommended).

Any issues with this solution using HP-UX?
Well, it should work. HP-UX has PAM, and you can build Samba for HP-UX. But as it is with almost everything in the Unix/Linux world, if you're using a different distro, or a different rev of a distro, your mileage will vary.

How do you ensure the UID & GID value ranges cover all possible ones used?
I'm not entirely sure I understand this question. When you create the user objects in AD, you define the uid and gid values in whatever way makes sense. They do have to fall within the ranges defined by the idmap gid and idmap uid settings in samba.conf. You have to manually ensure that the uid and gid values are unique in AD however. Or you can use a utility like PHP LDAP Admin which has a facility for ensuring uid/gid uniqueness when creating users and groups.

If you have a mix server enviroment with some at w2k3 sp1 and r2. do you still need to exend ad?
It depends on if you extended the schema when you install R2. Basically, you need to make sure that the RFC 2307 attributes are defined in the schema.

If you use SAM, aren't the passwords being sent in plain text (insecure)?
I think you mean if you use the NTLM protocol, which is the legacy authentication protocol for Windows. No, NTLM sent the password hash across the wire, not the cleartext password.

Can we use local accounts to get past Control Alt Del and use SAMBA + ACLs to authenticate against shares on Linux servers?
Hmmm... I'm not sure I understand this question either. Do you mean can you login in locally on a Windows client (not using domain credentials) and then access shares on a Samba server? I haven't tried it, but I assume so. You would still have to provide credentials to Samba to access the share. That seems like an odd scenario... what are you trying to accomplish?

Add/remove user from AD with unique SID/GID, how will Linux know to make correct changes with UID/GID relationships? And vice-versa.
In the setup I outlined in the session, Linux uses AD as the uid/gid store, so there is no synchronization necessary. Instead of getting the uid/gid values from etc/password or etc/shadow, Linux gets uid/gid from AD. That's part of the beauty of the setup... you eliminate an entire identity store.

How about using NDS on SUSE SLES 10 to authenticate Windows clients to access file shares on Linux servers?
I think I mis-answered this on the webcast. You can only use AD domain controllers to authenticate Windows clients as of today. When Samba 4 ships, it should be possible to authenticate a Windows client using Linux.

Can we do the same thing on MAC? if yes, do you have any info on it?
Well, maybe you can, but I can't . Actually, Centrify's CTO Paul Moore will be talking about exactly this scenario at the Directory Experts Conference in Las Vegas April 22-25. The Centrify product currently supports authenticating Macs using AD.

Is the AD integration similar with SUSE Enterprise Linux?
Yes, it should be, but as with everything Linux, your mileage will vary depending on distribution and rev. But I watched a webcast from Novell last September I think where they demo'd integration between SUSE and AD. I think they were using Winbind, but I'm not sure. Given the new support agreement between Microsoft and Novell, I'm sure Novell will support you using that configuration.

Is it possible to login from the linux workstation using the form
Good question, and I don't know the answer. You do have the ability to default the domain name, but I don't know about using the UPN. I'll look into that and post an answer.

Does winbind integration damage the ability to use standard, local Linux accounts?
Nope, which is pretty nice. You just have to make sure the uid/gid ranges don't overlap. For instance, in the demo configuration I had, root was a local account, and luser was a domain account in AD.


Comments are closed