Microsoft Active Directory and Linux

For the Western Michigan University Computer Club

Presented by Adam Loutzenhiser

Microsoft Active Directory and Linux

Microsoft Active Directory is not a single service itself. Rather, it's composed of three separate services working in tandem to produce a centralized environment for authentication, authorization, and access.

• Kerberos KDC
• LDAP Directory
• SMB and CIFS Resources

In addition, we will also cover the basics Linux's standard authentication library, PAM.

Kerberos

Kerberos is an authentication service developed by MIT. It is defined in RFC1510.

• Controls acecss to network resources
• Uses encrypted keys to verify identity
• Basic Components

• Ticket Granting Ticket (TGT)
• User Key
• Service Ticket
• Key Distribution Center (KDC)

Key Distribution Center

The KDC is composed of two services:

• Authentication Server (AS)
• Ticket Granting Server (TGS)

The Authentication Server distributes session keys and Tickets to authenticate a user to network services. When a user gets a session key from the AS, the AS encrypts the session key with the user's key.

Tickets are messages encrypted with the requested service's key.

The Ticket Granting Server is used to cache the key generated from a user's password.

Authentication Process

1. User requests a session key and a Ticket for a network service from the Authentication Server
2. The AS encrypts the session key with the user's key and encrypts the ticket with the service's key.
3. User decrypts the session key and generates an Authenticator using the current time and the session key.
4. User gives the Ticket and Authenticator to the requested service.
5. The service decrypts the Ticket with its key and the Authenticator with the session key to verify the identity of the user.

Ticket Granting Server

The Ticket Granting Server is a special network service used for caching the user's key.

Before using any other network service, the user authenticates to the TGS. The ticket used in this process is called the Ticket Granting Ticket (TGT). All further requests for Tickets are brokered through the TGS.

Without a TGS, the user would need to enter his password every time he wanted to access a network service. Because of the possibility of a third party recording the user's key, it is not safe to cache the user's key on the local system.

Relevant Commands and Files

• kinit

Requests a TGT and caches it

• klist

Lists cached tickets

• kdestroy

Removes tickets from the cache

• /etc/krb5.conf

Specifies the default KDC and authentication realm

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is used by various network systems to store data such as user privileges in a central repository.

LDAP is an internet standard defined in RFC2251.

Data Storage

LDAP is optimized for read operations and contains descriptive, attribute-based information.

An Object Class defines the attributes required for an entity, which may belong to one or more Object Classes. The Schema defines the Object Classes available to the LDAP tree.

The LDAP standard provides for four Object Classes:

• Groups
• Locations
• Organizations
• People

Attributes

Attributes can be either Required Attributes or Allowed Attributes.

Attributes have a syntax definition to define the type of data an attribute may store:

• bin — binary information
• ces — case exact string
• cis — case ignore string
• tel — telephone number
• dn — distinguished name

Entities

Entities must be uniquely identified by one Distinguished Name (DN). The DN consists of the name of the entity and a path of names tracing the entry back to the top of the directory hierarchy.

Sample entity:

dn: cn=Luiz Malere, o=TUDelft, c=NL

cn: Luiz Malere

sn: Malere

mail: malere@yahoo.com

objectclass: person

Relevant Commands and Files

• ldapsearch

Searches for an entity in the LDAP tree by specifying a filter

• ldapdelete

Deletes entities in the LDAP tree

• ldapmodify, ldapadd

Modifies or adds entries to the LDAP tree

• /etc/ldap.conf,

/etc/openldap/ldap.conf

Stores configuration for LDAP client utilities.

SMB and CIFS

SMB and CIFS are used primarily by Microsoft operating systems to share resources between computers.

SMB, sometimes knows as the LAN Manager protocol, stands for Server Message Block and is a protocol that dates back to DOS operating systems in the form of IBM's PC Network Program.

CIFS stands for Common Internet File System. It is the latest incarnation of SMB and represnts a collaborative effort among Microsoft and other vendors such as SCO.

Security Model

Historically, SMB's security was limited to applying a password to a network share, called share level security. Network shares could have two different passwords, one for read-only, and one for full access. Any user who supplied the correct password was granted access to the share in its entirety.

In Lan Manager 1.0, user level security allowed finer-grained access control. Users supply a username and password to authenitcate; in return they are granted a UID to use for all future requests.

LAN Browsing

Each computer must have a unique name, called the Netbios Name, as opposed to the computer's DNS name.

SMB and CIFS support a discovery process using Netbios broadcast packets to announce the presence of servers. One server is elected to become the Master Browser. The Master Browser maintains a list of all server in a given network.

Because broadcast packets do not route, Microsoft introduced Windows Internet Name Service (WINS) servers to collect lists of servers among subnets and share information over a WAN.

SMB and CIFS for Linux

SMB and CIFS have traditionally been the domain of Microsoft and their partners.

Through the efforts of the Samba project, Linux now has the ability to integrate with a SMB or CIFS based network to act as a file or print server.

Relevant Commands and Files

• smbclient

Browser for SMB and CIFS file shares

• smbmount

Mounts a SMB or CIFS share to the Linux filesystem

• nmblookup

Queries the network for a Netbios Name

• smbd, nmbd, winbindd

Responds to SMB and CIFS requests

• /etc/smb.conf

Configures file and print shares

Pluggable Authentication Modules

We've seen so far how to query an LDAP tree for a list of users and how to get a TGT from a Kerberos KDC. This is not the way Windows does it. When you log in to Windows, Windows automatically gets a TGT for your session.

A project called Linux PAM, or Pluggable Authentication Modules, gives us the solution. Any login method that supports PAM is agnostic of how we obtain user authorization. This means that programs such as login, sudo, useradd, kdm, and gdm that were using PAM simply to check the Unix password files can use Kerberos/LDAP to authorize users by changing one service.

Management Groups

PAM offers services four different management groups:

• account — Performs non-authentication account management, such as time of day or location requirements

• auth — Performs user authentication usually by requiring the application to prompt for a password

• password — Updates the user's authentication token, usually their password

• session — Performs actions before and after the user is given service

The Module Stack

As PAM executes modules in each Management Group stack, there are different actions that PAM may take depending on a Control Flag:

• required — If a "required" module fails, the whole stack fails. However, PAM continues executing modules.

• requisite — PAM aborts execution of the stack and returns a failure.

• sufficient — PAM aborts execution of the stack and returns a success unless a "required" module has already failed.

• optional — PAM ignores the return value

Common Modules

PAM comes with several modules that are very common:

• pam_unix.so — Provides auth, account, password, and session based on standard Unix configuration, e.g. /etc/passwd

• pam_deny.so — Provides auth, account, password, and session; always returns failure

• pam_warn.so — Provides auth and password in order to log attempts at either group

• pam_access.so — Provides account for logdaemon style access control, e.g. /etc/security/access.conf

Relevant Commands and Files

• /etc/pam.d/

This directory stores configuration files on a per-service basis. Examples: /etc/pam.d/login and /etc/pam.d/other

• /etc/pam.d/other

This the the default service; usually this should consist of only pam_deny.so and pam_warn.so

• login

Normally run from agetty. Prompts the user for a username and password and executes their shell upon successful login

Additional Resources

Kerberos:

• http://www.isi.edu/gost/brian/security/kerberos.html
• http://www.faqs.org/rfcs/rfc1510.html
• http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
• http://www.ms.washington.edu/Docs/Kerberos/krb5-workstation-1.2.7/user-guide.html
• http://web.mit.edu/kerberos/www/papers.html

LDAP:

• http://www.tldp.org/HOWTO/LDAP-HOWTO/
• http://www.faqs.org/rfcs/rfc2251.html

SMB and CIFS:

• http://samba.anu.edu.au/cifs/docs/what-is-smb.html

PAM:

• http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/