Square Pegs in Round Holes: Linux in a Windows World

Eric G. Wolfe <[email protected]> © 2008
Senior Linux Administrator
Marshall University

Slides and code available at http://webpages.marshall.edu/~wolfe21

Part 1: Understanding the technology.

What is Active Directory?

Active Directory
• A pre-configured Authentication and Authorization solution, offered by Microsoft.
• Components
  o DNS
  o Kerberos
  o LDAP
  o MSRPC
• Pros
  o Simple to manage and maintain.
• Cons
  o Interoperability requires some knowledge of the underlying components.

What is Kerberos?

Kerberos
• A secure authentication protocol.
• Hashes, NOT passwords, are sent to the server.
• Tickets are granted to the client.
• Tickets can be used as authentication against services.
• Versions
  o MIT (US)
  o Heimdal (Swiss)
• Pros
  o Centralized user management.
  o Protocol transport is secure by default.
  o Third-party support.
• Cons
  o Time synchronization must be precise.
  o Password management is not standardized.

What is LDAP?

Lightweight Directory Access Protocol
• A directory is like a database optimized for reads.
• LDAP is used for authorization.
• Contains centralized information
  o user and group
  o application configuration
• Pros
  o Usernames have a relationship to centralized attributes.
• Cons
  o Directory schema is not standardized.
  o Performance degrades as the number of clients and applications increases.

What is MSRPC?

Microsoft Remote Procedure Call
• Modified version of The Open Group's DCE/RPC 1.1 (Distributed Computing Environment Remote Procedure Call)
• MSRPC is how Microsoft operating systems talk to each other.
  o "Domain Member" servers resolve usernames and groups between one another.
  o Remote Registry services
  o Administrative Tools - Microsoft Management Console

Part 2: Configuring these technologies, the basics of AD Integration.

Setting up Kerberos: pam_krb5

This is specific to Red Hat Enterprise.
• Easy way
  o setup (select Authentication Config)
  o authconfig-tui
• Harder way, editing config files.
  o /etc/krb5.conf
  o /etc/pam.d/system-auth

Note: Debian/Ubuntu splits system-auth up into:
  /etc/pam.d/common-auth
  /etc/pam.d/common-account
  /etc/pam.d/common-password
  /etc/pam.d/common-session

 Video Demonstration 

Setting up Kerberos: mod_auth_kerb

• Kerberos authentication in Apache
  o behaves like IIS Windows Integrated Authentication.
  o sets the $_SERVER['USERNAME'] environment variable for use in custom or third-party web applications.
• Authentication protocol is secured between the Domain Controller and web server.
  o still need SSL/TLS for client -> webserver.
• Edit two files
  o /etc/httpd/conf.d/auth_kerb.conf
  o /etc/httpd/conf.d/auth_kerb.keytab

Setting up Samba: Join a domain

– Edit /etc/samba/smb.conf (next slide)
– Configure services
  o chkconfig smb on
  o chkconfig winbind on
  o chkconfig nscd off
– Stop or start services
  o /etc/init.d/smb start
  o /etc/init.d/winbind start
  o /etc/init.d/nscd stop
– Join domain
  o net ads join createcomputer="Organizational Unit" -Uadministrator
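The join procedure above, wrapped in a script with the two checks an administrator wants around it: the Kerberos clock-skew precondition from the Kerberos slide (a client more than the 300-second default clockskew away from the KDC cannot get tickets, so the join fails in confusing ways), and a post-join verification with net ads testjoin and wbinfo. This is an added example, not code from the slides; the domain controller name and OU are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the slides: the RHEL domain-join steps as a
# script, gated on clock skew and followed by verification.
# KDC and OU are placeholders (assumptions). DRY_RUN=1 only prints commands.

KDC="${KDC:-dc01.example.local}"       # placeholder domain controller / KDC
OU="${OU:-Linux Servers}"              # placeholder OU for the computer account
MAX_SKEW=300                           # Kerberos default clockskew, in seconds

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Extract the whole-second offset from "ntpdate -q" output on stdin.
# ntpdate's last line ends in "offset <seconds> sec"; prints e.g. "-2".
parse_ntpdate_offset() {
    sed -n 's/.*offset \(-\{0,1\}[0-9]*\)\.[0-9]* sec.*/\1/p' | tail -n 1
}

# Kerberos rejects tickets when the client and KDC clocks differ by more
# than clockskew (300 s by default). Returns 0 if the offset is tolerable.
skew_ok() {
    offset=${1#-}                      # strip the sign, compare magnitude
    [ "$offset" -le "$MAX_SKEW" ]
}

# Query the KDC's time without adjusting the local clock.
measure_skew() {
    ntpdate -q "$KDC" 2>/dev/null | parse_ntpdate_offset
}

# The slide's procedure, in the slide's order.
join_domain() {
    skew=$(measure_skew)
    if [ -z "$skew" ] && [ "${DRY_RUN:-0}" != "1" ]; then
        echo "could not query time from $KDC; fix NTP before joining" >&2
        return 1
    fi
    if ! skew_ok "${skew:-0}"; then
        echo "clock skew ${skew}s exceeds ${MAX_SKEW}s; Kerberos will fail" >&2
        return 1
    fi
    run chkconfig smb on
    run chkconfig winbind on
    run chkconfig nscd off
    run /etc/init.d/smb start
    run /etc/init.d/winbind start
    run /etc/init.d/nscd stop
    run net ads join createcomputer="$OU" -U administrator
    # Verify the machine account, then that winbind can list domain users.
    run net ads testjoin
    run wbinfo -u
}
```

Run it as DRY_RUN=1 sh join.sh first to review the command list, then without DRY_RUN on the host being joined; the ntpdate query is read-only, so it is safe to run on a machine already under ntpd.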

 Video Demonstration

PAM Samba configuration

Name Service Switch

Part 3: Advanced tricks: Linux & MSRPC

Remote registry & DNS

DNS management
• Problems encountered
  o You can read AD-integrated zones from LDAP, but the majority of our zones are NOT AD-integrated.
  o We have thousands of internal reverse zones; it is tedious to maintain them on several servers individually.
  o There is no DNS standard allowing a slave server to grab all of the zone names off of a primary.
• Observations
  o Windows DNS can be read remotely from a registry branch with Samba.

Remote Registry & DNS: configuring dnsnarf

• Create a DNS service account in AD for the script.
• GPO settings
  o Registry key for non-administrator remote registry reads: HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  o Set 'read' and 'apply gpo' permissions for your DNS service account.

Remote Registry & DNS: dnsnarf is born

Samba component used.
• net rpc registry enumerate
  o manpage: net(8)

Remote registry location to read zones.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones

Example test command:
  net -S kdc01.contoso.com \
      -U administrator -W CONTOSO.COM \
      rpc registry enumerate \
      "\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"

Example net rpc output

Sample dnsnarf output (named.conf)
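The two slides above (the net rpc output and the named.conf dnsnarf produces from it) are titles without their content here, so the following is an added example that is not the dnsnarf script itself: it takes the subkey names that net rpc registry enumerate lists under the Zones branch and emits one slave-zone stanza per zone for named.conf. It assumes Samba prints one "Keyname = <subkey>" line per zone (an assumption about the output format), uses a placeholder master address, and the sample enumerate output is constructed, not captured from a domain controller. Names beginning with ".." are treated as Windows-internal pseudo-zones and skipped, also an assumption.

```shell
#!/bin/sh
# Added example, not the dnsnarf script from the slides: converts the subkey
# names "net rpc registry enumerate" prints for
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones into
# slave-zone stanzas for named.conf.
# Assumptions: one "Keyname = <subkey>" line per zone, a placeholder master
# address, and SAMPLE_ENUM constructed rather than captured from a real DC.

MASTER="${MASTER:-192.0.2.10}"     # placeholder: address of the Windows DNS master

# Constructed stand-in for the output of:
#   net -S kdc01.contoso.com -U administrator -W CONTOSO.COM \
#     rpc registry enumerate "\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DNS Server\\Zones"
SAMPLE_ENUM='Keyname = ..TrustAnchors
Keyname = contoso.com
Keyname = 0.168.192.in-addr.arpa
Keyname = _msdcs.contoso.com
Valuename = Zones
Type      = REG_DWORD
Value     = 0'

# Read enumerate output on stdin; write a named.conf slave stanza per zone.
# Only "Keyname" lines are zones; value lines are ignored. Names beginning
# with ".." are treated as Windows-internal pseudo-zones (assumption).
# Every name ends up inside a named.conf string, so anything outside the
# hostname character set is rejected rather than emitted: a registry entry
# must not be able to inject quotes or semicolons into the BIND config.
zones_to_named_conf() {
    awk -v master="$MASTER" '
        /^Keyname[ \t]*=/ {
            zone = $0
            sub(/^Keyname[ \t]*=[ \t]*/, "", zone)
            sub(/[ \t\r]+$/, "", zone)
            if (zone == "" || zone ~ /^\.\./) next
            if (zone !~ /^[A-Za-z0-9._-]+$/) {
                print "skipping zone with unexpected characters: " zone > "/dev/stderr"
                next
            }
            printf "zone \"%s\" {\n\ttype slave;\n\tmasters { %s; };\n\tfile \"slaves/%s\";\n};\n",
                   zone, master, zone
        }'
}

# Count the stanzas produced: a quick sanity check against the DC's zone list.
count_zones() {
    zones_to_named_conf | grep -c '^zone '
}

printf '%s\n' "$SAMPLE_ENUM" | zones_to_named_conf
```

In production, pipe the real net rpc registry enumerate command into zones_to_named_conf, and run it with the DNS service account from the previous slide (the one granted only read on the winreg key) rather than with administrator, so the credential the script carries can read zone names and nothing else.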

Questions?

Eric G. Wolfe <[email protected]> © 2008
Senior Linux Administrator
Marshall University

This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

 Slides and code available at http://webpages.marshall.edu/~wolfe21/