Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation
Agenda
● Overview
● Components
● Considerations
● Configurations
● Futures
● Summary

What is needed?
● Thorough understanding of the components and their interactions
● Awareness of technical and non-technical considerations
● Comparison of configurations and options
● Best practices and guidelines
● Assistance in making a selection
Windows – Consumer Perception
“To the cloud...yay cloud”
Windows – Systems Reality
Help!
Components - Overview
● Red Hat Enterprise Linux
● Windows Server 2008 R2
● Active Directory
● Kerberos
● LDAP
● SSSD
● Samba
● SMB/CIFS
● Winbind
● NSS
● DNS
● NTP
* Let's examine several core components closer *
Active Directory Domain Services (AD DS)
● Suite of directory services
● Customized versions of:
  ● Kerberos
  ● Domain Name System (DNS)
  ● Lightweight Directory Access Protocol (LDAP)
● Object hierarchy – nodes, trees, forests, domains
● "Active Directory" was renamed AD DS with Windows Server 2008
* Included with Windows Server 2008 R2 as a server role *
Samba
● Open source suite of programs
● Provides file and print services
● Includes two daemons:
  ● smbd (file and print services)
  ● nmbd (NetBIOS name server)
● Samba v3.5 is the current version (RHEL 6)
* Behavior configured by /etc/samba/smb.conf *
SMB/CIFS
● Client-server communication protocols
● Server Message Block (SMB) – developed by IBM
● Common Internet File System (CIFS) – Microsoft's extended dialect of SMB
● The two names are used interchangeably
● SMB is the older name; CIFS is the dialect spoken by legacy servers (Windows 2000)
* Samba supports both protocols *
Winbind (1)
● Daemon included with the Samba suite
● Unified logon to Active Directory accounts
● Minimizes the need for separate local accounts
● Primary functions:
  ● Authentication of user credentials ("Who")
  ● ID tracking/name resolution via nsswitch ("Where")
  ● ID mapping of UID/GID ↔ SID ("What")
Winbind (2)
Winbind (3)
● ID mapping implemented through "backends"
● ~8 backends available
● ID mappings classified as:
  ● Allocating (r/w, local) – e.g. tdb: the ID is handed out on first lookup and stored in a local database, so it differs between hosts unless the store is shared
  ● Algorithmic (r/o, calculated, consistent) – e.g. rid: the ID is computed from the SID's RID and a configured range
  ● Assigned (r/o, assigned in AD, consistent) – e.g. ad: the ID is read from uidNumber/gidNumber on the AD object
● Each has advantages, disadvantages
* See Reference Architecture for further details *
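The arithmetic behind the "algorithmic" class, reimplemented in Python as an added example (this is not code from the deck, from Samba or from the Reference Architecture). It mirrors what winbind's idmap_rid backend does with an `idmap config DOMAIN : range = low-high` stanza: `unix_id = rid - base_rid + low_id`, rejected when the result falls outside the range. It goes slightly beyond the slide by also showing the reverse mapping and a check that two hosts only agree when they use the same range. The NetBIOS name EXAMPLE, the domain SID S-1-5-21-100-200-300 and the ranges are constructed values.

```python
"""Algorithmic SID <-> UNIX ID mapping, as winbind's idmap_rid backend does it.

Added example for this deck: not code from the presentation, from Samba
or from the Reference Architecture. It reimplements the idmap_rid rule

    unix_id = rid - base_rid + low_id      (valid only if low_id <= unix_id <= high_id)

so the "algorithmic, read-only, consistent" property of the rid backend can be
exercised directly. Domain name, domain SID and ranges are constructed values.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RidDomain:
    """Mirrors one 'idmap config DOMAIN : ...' stanza for backend = rid."""
    name: str          # NetBIOS domain name (constructed)
    sid: str           # domain SID without the trailing RID (constructed)
    low_id: int        # idmap config DOMAIN : range = low_id-high_id
    high_id: int
    base_rid: int = 0  # idmap config DOMAIN : base_rid (default 0)


# Constructed sample domain; a real domain SID has the same S-1-5-21-x-y-z shape.
EXAMPLE = RidDomain("EXAMPLE", "S-1-5-21-100-200-300", 10000, 19999)


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-100-200-300-1105' -> ('S-1-5-21-100-200-300', 1105)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_unix_id(sid: str, dom: RidDomain) -> Optional[int]:
    """UID/GID idmap_rid derives for `sid`, or None when the SID belongs to a
    different domain or the result falls outside the configured range. In
    winbind the None case is NT_STATUS_NONE_MAPPED: the account simply does
    not resolve, which is the usual symptom of a range that is too small."""
    domain_sid, rid = split_sid(sid)
    if domain_sid != dom.sid:
        return None
    unix_id = rid - dom.base_rid + dom.low_id
    if not dom.low_id <= unix_id <= dom.high_id:
        return None
    return unix_id


def unix_id_to_sid(unix_id: int, dom: RidDomain) -> Optional[str]:
    """Reverse direction. Pure arithmetic, so no allocation database (tdb)
    is needed and every host with the same range computes the same answer."""
    if not dom.low_id <= unix_id <= dom.high_id:
        return None
    return f"{dom.sid}-{unix_id - dom.low_id + dom.base_rid}"


def mapping_consistent(sid: str, hosts: List[RidDomain]) -> bool:
    """The consistency guarantee holds only if every host uses the same range:
    True when all hosts map `sid` to the same, non-None UNIX ID."""
    ids = {sid_to_unix_id(sid, dom) for dom in hosts}
    return len(ids) == 1 and None not in ids


if __name__ == "__main__":
    user = f"{EXAMPLE.sid}-1105"            # a regular user (user RIDs start at 1000)
    domain_users = f"{EXAMPLE.sid}-513"     # well-known RID of "Domain Users"
    print(user, "->", sid_to_unix_id(user, EXAMPLE))                  # 11105
    print(domain_users, "->", sid_to_unix_id(domain_users, EXAMPLE))  # 10513
    print(11105, "->", unix_id_to_sid(11105, EXAMPLE))
    # A second host configured with a different range breaks consistency.
    other_host = RidDomain("EXAMPLE", EXAMPLE.sid, 20000, 29999)
    print("consistent across hosts:", mapping_consistent(user, [EXAMPLE, other_host]))  # False
```

The practical consequence is the one the deck's "consistent" label implies: with the rid backend the range in smb.conf must be identical on every RHEL host, must not overlap local /etc/passwd IDs, and must be wide enough for the largest RID the domain will ever issue, because an out-of-range RID does not map at all.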
SSSD (System Security Services Daemon)
● Makes RHEL systems members of a centralized IdM solution (Active Directory, IPA, LDAP, Kerberos)
● Access to different identity and authentication providers (e.g. native LDAP, LDAP with Kerberos)
● Extensible (new identity and authentication sources)
● Supports off-line caching (clients)
● Reduces load on identity servers
* Extensible, enhanced alternative to Winbind *
Kerberos
● Current version = V5
● Clients request tickets from a trusted third party, the key distribution center (KDC)
  ● In an AD domain every domain controller runs a KDC
● Behavior configured by /etc/krb5.conf
● Used from PAM through:
  ● pam_winbind (Samba), pam_sss (SSSD), pam_krb5
Integration best practice:
* Install krb5-workstation (kinit, klist, kvno) for testing/troubleshooting *
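A minimal /etc/krb5.conf for a RHEL 6 host in an AD realm, added here as an illustration (it is not the deck's own material or the Reference Architecture's text). EXAMPLE.COM, example.com and dc1.example.com are assumed names. The commented commands at the end are the krb5-workstation checks the slide recommends; the clock-skew note is why NTP appears in the component list: the KDC rejects requests when client and DC clocks differ by more than the permitted skew (5 minutes by default).

```ini
# /etc/krb5.conf (added example; realm and host names are assumptions)
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
# AD publishes _kerberos._tcp.<domain> SRV records, so KDCs can be found via DNS
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
# Any domain controller is a KDC; listing one explicitly is a fallback
# for hosts whose resolver cannot see the AD SRV records.
 EXAMPLE.COM = {
  kdc = dc1.example.com
  admin_server = dc1.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

# Checks with krb5-workstation once the file is in place:
#   kinit aduser@EXAMPLE.COM   obtains a TGT from the AD KDC; "Clock skew too
#                              great" means the host is not NTP-synced with the DCs
#   klist                      shows the ticket cache, principal and expiry
#   kvno host/client.example.com@EXAMPLE.COM
#                              fetches a service ticket; proves the host
#                              principal exists after the domain join
```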
Non-technical Considerations
● Organizational alignment
● Expertise levels
● Scope/complexity
● Prototype
● Project deployment
Technical Considerations – File Sharing
● File sharing required?
  ● Yes = Samba-based configuration
  ● No = Samba or non-Samba configuration both work
● Where are the file shares located?
  ● Client side?
  ● Server side?
* Red Hat Enterprise Linux supports both roles *
Technical Considerations – Login Access
● Red Hat Enterprise Linux login access required?
  ● Command Line Interface (CLI)
  ● Graphical Display Manager (GDM)
● Local vs. Active Directory accounts
  ● Local accounts = more administration
  ● Active Directory accounts = centralized administration
* Active Directory accounts require AD integration *
Technical Considerations – AD ID Attributes
● RFC2307/bis
  ● Extends AD user and group objects with UNIX ID attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory) readable via LDAP
  ● Provides more flexibility and control (home dir, shell)
● Enabling in Windows Server
  ● 2008 R2 => Identity Management for UNIX (IMU) role service
  ● 2008, 2003 R2 => Identity Management for UNIX (IMU) service
  ● 2003 and earlier => Windows Services for UNIX (SFU) add-on
* Organizational policy may restrict use *
Technical Considerations – Enumeration
● Winbind listing of all users and groups in the AD domain
● Default behavior during user login and authentication
● More users = longer login time
Integration best practice:
* Disable in environments with 20,000+ users *
  /etc/samba/smb.conf
  [global]
  winbind enum users = no
  winbind enum groups = no
* With enumeration off, getent passwd/group no longer lists domain accounts, but lookups of an individual name or ID still work *
Technical Considerations – LDAP Referrals
● LDAP in Active Directory scales out over time
  ● Objects relocate across multiple domain controllers
● LDAP referral
  ● The responding domain controller can't find the object
  ● Clients contact multiple controllers to complete the lookup
Integration best practice:
* Disable referral chasing for performance (if no partial replication) *
  /etc/sssd/sssd.conf (in the [domain/...] section; option name per sssd-ldap(5))
  ldap_referrals = false
Recommended Configurations - Overview

Configuration 1. Samba/Winbind (idmap_rid) – "Template-driven"
● Services provided: file sharing, login access
● Templated shell, home dirs
● Least intrusive to AD (no user/group ID attribute changes)
● Algorithmic ID mappings

Configuration 2. Samba/Winbind (idmap_ad) – "Customizable"
● Services provided: file sharing, login access
● Customizable shell, home dirs
● Centralized user management
● Assigned ID mappings
● User/group ID attributes set in AD (requires IMU)

Configuration 3. SSSD/Kerberos/LDAP – "Enhanced"
● Services provided: login access
● Advanced authentication, caching
● Reduces client loading on the server
● User/group ID attributes set in AD (requires IMU)

Configuration 4. Kerberos/LDAP – "Legacy"
● Services provided: login access
● No off-line caching of user credentials
● User/group ID attributes set in AD (requires IMU)

* See Reference Architecture for details *
Configuration 1 (winbind – idmap_rid) – "Template-driven"
Configuration 1 (Authentication and ID Components)
Configuration 2 (winbind – idmap_ad) – "Customizable"
Configuration 2 (Authentication and ID Components)
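Concrete /etc/samba/smb.conf settings for Configurations 1 and 2, added as an illustration; this is not the deck's own material or the Reference Architecture's text. The NetBIOS name EXAMPLE, the realm EXAMPLE.COM and the ID ranges are assumed values. The syntax is the Samba 3.5 form shipped with RHEL 6 up to 6.3 (`idmap backend`/`idmap uid`/`idmap gid` for the default range); Samba 3.6 in RHEL 6.4 deprecates those three in favour of `idmap config * : backend` and `idmap config * : range`. The two configurations differ only in the `idmap config EXAMPLE` stanza, which is why the deck treats them as siblings.

```ini
# /etc/samba/smb.conf (added example; domain, realm and ranges are assumptions)
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads

   # Default (allocating, local tdb) backend for SIDs that belong to no
   # configured domain, e.g. BUILTIN groups. Allocations live in this
   # host's winbindd_idmap.tdb, so these IDs differ from host to host.
   idmap backend = tdb
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999

   # Configuration 1: algorithmic mapping (idmap_rid). uid = 10000 + RID;
   # nothing is changed in AD. The range MUST be identical on every host
   # for IDs to agree, must not overlap local /etc/passwd IDs or the
   # default range above, and a RID beyond it simply fails to resolve.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-19999

   # Configuration 2: assigned mapping (idmap_ad). Replace the two lines
   # above with these. uidNumber/gidNumber are read from the IMU (RFC2307)
   # attributes on the AD objects, and "winbind nss info" makes the
   # per-user shell and home directory come from AD as well.
   ;idmap config EXAMPLE : backend = ad
   ;idmap config EXAMPLE : schema_mode = rfc2307
   ;idmap config EXAMPLE : range = 10000-19999
   ;winbind nss info = rfc2307

   # Template-driven shell and home dir (Configuration 1).
   template shell = /bin/bash
   template homedir = /home/%D/%U

   winbind use default domain = yes
   winbind offline logon = yes
   winbind enum users = no
   winbind enum groups = no
```

After `net ads join -U <admin account>` (placeholder) and a winbind restart, `wbinfo -t` verifies the machine trust account, `getent passwd <user>` (placeholder) shows the resolved POSIX entry, and `wbinfo -S <sid>` (placeholder) prints the UID computed for a SID, which is the quickest way to confirm the rid range is what you intended before rolling the file out to other hosts.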
Configuration 3 (SSSD/Kerberos/LDAP) – "Enhanced"
Configuration 3 (Authentication and ID Components)
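An /etc/sssd/sssd.conf for Configuration 3, added as an illustration rather than taken from the deck or the Reference Architecture. Realm, host names and the search base are assumed values, and the file assumes /etc/krb5.keytab already holds the host principal from the domain join so that the LDAP bind can use GSSAPI instead of a password stored in the file. It uses the RHEL 6.0-6.3 providers (`id_provider = ldap`, `auth_provider = krb5`); the deck's Futures section notes that RHEL 6.4 adds a native AD provider.

```ini
# /etc/sssd/sssd.conf (added example; names and base DN are assumptions)
# The file must be owned by root with mode 0600 or sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# Identities from AD over LDAP, authentication against the AD KDC.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
# Bind with the host keytab from the domain join; no bind DN/password here.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
# AD may return the UPN realm in lower case, which breaks Kerberos auth.
ldap_force_upper_case_realm = true
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# Map AD object classes and attribute names onto POSIX accounts;
# uidNumber/gidNumber/loginShell come from the IMU (RFC2307) attributes.
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group

# The two performance settings from the Considerations section.
ldap_referrals = false
enumerate = false
# Off-line logon with cached credentials, which Configuration 4 lacks.
cache_credentials = true
```

With `sss` added to the passwd and group lines of /etc/nsswitch.conf and pam_sss in the PAM stack (authconfig does both), `getent passwd <user>` (placeholder) must return the uidNumber from AD; if it returns nothing, the IMU attributes are usually missing on the object rather than the SSSD configuration being wrong.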
Configuration 4 (Kerberos/LDAP) – "Legacy"
Configuration 4 (Authentication and ID Components)
Futures
● Winbind idmap_autorid
  ● New backend for Samba 3.6/RHEL 6.4
  ● Automatically allocates an ID range per domain; within each range the ID is still derived from the RID
● SSSD
  ● Active Directory domain trust support (RHEL 6.4)
  ● New AD integration capabilities – ID mapping, etc. (RHEL 6.4+)
  ● Fully featured, enhanced alternative to Winbind
● Red Hat Enterprise Linux 7
  ● Windows interoperability remains a high focus
Summary (1)
● At first glance deceptively simple
● At second glance appears overwhelming
● Many variables, components, interactions
● Reference Architecture simplifies selection, deployment and integration:
  https://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory
● See the Customer Portal for additional materials: https://access.redhat.com/knowledge/
Summary (2)
● Select the best configuration for your environment and organizational goals
● Hybrid configurations are OK to consider
● Third-party products are viable alternatives
● Prototype and test in advance
● Most issues have simple causes
"Red Hat Enterprise Linux integrates well with Windows Active Directory"