Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Agenda

● Overview
● Components
● Considerations
● Configurations
● Futures
● Summary

What is needed?

● Thorough understanding of the components and their interactions
● Awareness of technical and non-technical considerations
● Comparison of configurations and options
● Best practices and guidelines
● Assistance in making a selection

Windows – Consumer Perception

“To the cloud...yay cloud”

Windows – Systems Reality

Help!


Components - Overview

● Red Hat Enterprise Linux
● Windows Server 2008 R2
● Active Directory
● Kerberos
● LDAP
● SSSD
● Samba
● SMB/CIFS
● Winbind
● NSS
● DNS
● NTP

* Let's examine several core components closer *

Active Directory Domain Services (AD DS)

● Suite of directory services
● Customized versions of:
  ○ Kerberos
  ○ Domain Name System (DNS)
  ○ Lightweight Directory Access Protocol (LDAP)
● Object hierarchy – nodes, trees, forests, domains

* Renamed in Windows Server 2008 R2 *
* Included with Windows Server 2008 R2 (Server Role) *

Samba

● Open source suite of programs
● Provides file and print services
● Includes two daemons:
  ○ smbd (file and print services)
  ○ nmbd (NetBIOS name server)

* Samba v3.5 is current version (RHEL 6) *
* Behavior configured by /etc/samba/smb.conf *

SMB/CIFS

● Client-server communications protocols
● Server Message Block (SMB) – IBM developed
● Common Internet File System (CIFS) – MS extended
● Both protocol names used interchangeably
● SMB is the older name; used by legacy servers (Windows 2000)

* Samba supports both protocols *

Winbind (1)

● Daemon included with Samba suite
● Unified logon to Active Directory accounts
● Minimizes need for separate accounts
● Primary functions:
  ○ Authentication of user credentials (“Who”)
  ○ ID tracking/name resolution via nsswitch (“Where”)
  ○ ID mapping between UID/GID and SID (“What”)

Winbind (2)

Winbind (3)

● ID mapping implemented through “backends”
● ~8 backends available
● ID mappings classified as:
  ○ Allocating (r/w, local)
  ○ Algorithmic (r/o, calculated, consistent)
  ○ Assigned (r/o, assigned in AD, consistent)
● Each has advantages, disadvantages

* See Reference Architecture for further details *
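The three mapping classes on the slide differ in where the UID comes from and whether two hosts agree on it. The following is an added example, not code from the slides, from Samba or from Red Hat: the algorithmic class implements the published idmap_rid rule (uid = RID - base_rid + range_low); the allocating class is a toy in-memory stand-in for a local tdb-style allocator; the assigned class is a constructed lookup table standing in for uidNumber values read from AD (RFC2307). DOMAIN_SID, the RIDs and the ranges are constructed sample values.

```python
"""Added example, not from the slides, Samba or Red Hat: the three ID-mapping
classes side by side. AlgorithmicMapper follows the idmap_rid rule
(uid = RID - base_rid + range_low); AllocatingMapper is a toy stand-in for a
local tdb-style allocator; AssignedMapper is a constructed table standing in
for uidNumber values read from AD. DOMAIN_SID, RIDs and ranges are constructed."""
from __future__ import annotations

from typing import Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample


def split_sid(sid: str) -> tuple[str, int]:
    """Split an account SID 'S-1-5-21-<domain>-<RID>' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError(f"not a domain account SID: {sid!r}")
    return domain, int(rid)


class AlgorithmicMapper:
    """Algorithmic (r/o, calculated, consistent): the idmap_rid rule.
    Stateless, so every host configured with the same range derives the same UID."""

    def __init__(self, domain_sid: str, low: int, high: int, base_rid: int = 0):
        self.domain_sid, self.low, self.high, self.base_rid = domain_sid, low, high, base_rid

    def sid_to_id(self, sid: str) -> Optional[int]:
        domain, rid = split_sid(sid)
        if domain != self.domain_sid:
            return None  # SID from another domain: not covered by this range
        uid = rid - self.base_rid + self.low
        return uid if self.low <= uid <= self.high else None  # outside range: unmapped

    def id_to_sid(self, uid: int) -> Optional[str]:
        if not self.low <= uid <= self.high:
            return None
        return f"{self.domain_sid}-{uid - self.low + self.base_rid}"


class AllocatingMapper:
    """Allocating (r/w, local): hands out the next free ID on first sight of a SID.
    Consistent only on the host that owns the table."""

    def __init__(self, low: int, high: int):
        self.next_id, self.high, self.table = low, high, {}

    def sid_to_id(self, sid: str) -> Optional[int]:
        split_sid(sid)  # reject malformed SIDs before allocating anything
        if sid not in self.table:
            if self.next_id > self.high:
                return None  # range exhausted
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


class AssignedMapper:
    """Assigned (r/o, assigned in AD, consistent): the UID is whatever the
    administrator stored in the directory; nothing is computed locally."""

    def __init__(self, directory: dict[str, int]):
        self.directory = directory

    def sid_to_id(self, sid: str) -> Optional[int]:
        return self.directory.get(sid)


def compare_consistency() -> dict:
    """Two hosts meet the same two users in opposite order. Algorithmic
    mapping agrees across hosts; allocating mapping does not."""
    alice, bob = f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-1106"
    rid_a = AlgorithmicMapper(DOMAIN_SID, 10000, 19999)
    rid_b = AlgorithmicMapper(DOMAIN_SID, 10000, 19999)
    alloc_a, alloc_b = AllocatingMapper(10000, 19999), AllocatingMapper(10000, 19999)
    alg_a = {"alice": rid_a.sid_to_id(alice), "bob": rid_a.sid_to_id(bob)}
    alg_b = {"bob": rid_b.sid_to_id(bob), "alice": rid_b.sid_to_id(alice)}
    alloc_host_a = {"alice": alloc_a.sid_to_id(alice), "bob": alloc_a.sid_to_id(bob)}
    alloc_host_b = {"bob": alloc_b.sid_to_id(bob), "alice": alloc_b.sid_to_id(alice)}
    return {
        "algorithmic_alice": alg_a["alice"],
        "algorithmic_agrees": alg_a == alg_b,
        "allocating_host_a": alloc_host_a,
        "allocating_host_b": alloc_host_b,
        "allocating_agrees": alloc_host_a == alloc_host_b,
    }


if __name__ == "__main__":
    for key, value in compare_consistency().items():
        print(f"{key}: {value}")
```

Running compare_consistency() shows why the slide calls algorithmic and assigned mappings "consistent" and allocating mappings "local": the RID arithmetic gives alice 11105 on both hosts, while the allocator gives her 10000 on one host and 10001 on the other, which matters as soon as a file's ownership is compared across machines.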

SSSD (System Security Services Daemon)

● Makes RHEL systems members of a centralized IdM solution (Active Directory, IPA, LDAP, Kerberos)
● Access to different identity and authentication providers (e.g. LDAP native, LDAP w/Kerberos)
● Extensible (new identity, authentication sources)
● Supports off-line caching (clients)
● Reduces load on identity servers

* Extensible, enhanced alternative to Winbind *

Kerberos

● Current version = V5
● Clients request ticket from trusted third party (KDC)
  ○ Key distribution center (KDC) = AD server
● Behavior configured by /etc/krb5.conf
● Managed by PAM libraries:
  ○ pam_winbind (Samba), pam_sss (SSSD), pam_krb5

Integration best practice:
* Install krb5-workstation for testing/troubleshooting *


Non-technical Considerations

● Organizational Alignment
● Expertise Levels
● Scope/Complexity
● Prototype
● Project Deployment

Technical Considerations – File Sharing

● File sharing required?
  ○ Yes = Samba based configuration
  ○ No = Samba or non-Samba ok
● Where are file shares located?
  ○ Client side?
  ○ Server side?

* Red Hat Enterprise Linux supports both roles *

Technical Considerations – Login Access

● Red Hat Enterprise Linux login access required?
  ○ Command Line Interface (CLI)
  ○ Graphical Display Manager (GDM)
● Local vs. Active Directory accounts
  ○ Local accounts = more administration
  ○ Active Directory = centralized administration

* Active Directory accounts require AD integration *

Technical Considerations – AD ID Attributes

● RFC2307/bis
  ○ Extends UNIX ID attributes via LDAP
  ○ Provides more flexibility, control (home dir, shell)
● Enabling in Windows Server
  ○ 2008 R2 => Identity Management for UNIX (IMU) role
  ○ 2008, 2003 R2 => Identity Management for UNIX (IMU) service
  ○ 2003 and earlier => Windows Services for UNIX (SFU) service

* Organizational policy may restrict use *

Technical Considerations – Enumeration

● Winbind listing of users, groups in AD domain
● Default behavior during user login, authentication
● More users = longer login time

Integration best practice:
* Disable in environments with 20,000+ users *

/etc/samba/smb.conf

    [global]
    winbind enum users = no
    winbind enum groups = no

Technical Considerations – LDAP Referrals

● LDAP in Active Directory scales out over time
  ○ Objects relocate across multiple domain controllers
● LDAP referral
  ○ Responding domain controller can't find object
  ○ Clients contact multiple controllers to complete lookup

Integration best practice:
* Disable for performance (if no partial replication) *

/etc/sssd/sssd.conf

    ldap_disable_referrals = true
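Both of the tuning settings above (winbind enumeration in smb.conf, LDAP referrals in sssd.conf) are easy to forget when a configuration is copied between hosts, so a practitioner will want a check that reads the files and flags the gap. The following is an added example, not Red Hat's, Samba's or SSSD's code: a small auditor for the two settings. The smb.conf and sssd.conf texts are constructed samples; the section and key names are the real ones quoted on the slides, and the audit treats an absent key as a finding so that the choice is recorded in the file rather than inherited from the daemon's default.

```python
"""Added example (not Red Hat's, Samba's or SSSD's code): audit smb.conf and
sssd.conf for winbind enumeration and LDAP referral settings. The
configuration texts are constructed samples using the key names from the slides."""
import configparser

# Constructed sample smb.conf: user enumeration left on, group enumeration unset.
SMB_CONF_WEAK = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ads
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = yes
"""

# Constructed sample sssd.conf: LDAP-backed domain still following referrals.
SSSD_CONF_WEAK = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
krb5_realm = EXAMPLE.COM
"""

# The same files with the slides' best-practice settings applied.
SMB_CONF_FIXED = SMB_CONF_WEAK.replace(
    "winbind enum users = yes", "winbind enum users = no\nwinbind enum groups = no")
SSSD_CONF_FIXED = SSSD_CONF_WEAK + "ldap_disable_referrals = true\n"


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse an smb.conf/sssd.conf style file: no '%' interpolation (Samba
    templates use %U, %D), '=' as the only delimiter so keys such as
    'idmap config * : range' stay whole, duplicate keys tolerated."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def is_no(value: str) -> bool:
    return value.strip().lower() in ("no", "false", "0", "off")


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1", "on")


def audit_smb_conf(text: str) -> list:
    """Report enumeration keys that are missing or not explicitly 'no'."""
    parser = load_conf(text)
    if not parser.has_section("global"):
        return ["smb.conf: no [global] section"]
    glob = parser["global"]
    findings = []
    for key in ("winbind enum users", "winbind enum groups"):
        value = glob.get(key)
        if value is None:
            findings.append(f"smb.conf [global]: '{key}' not set; add '{key} = no'")
        elif not is_no(value):
            findings.append(f"smb.conf [global]: '{key} = {value.strip()}' enables enumeration; set it to no")
    return findings


def audit_sssd_conf(text: str) -> list:
    """Report LDAP-backed domains that still follow referrals."""
    parser = load_conf(text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = parser[section]
        if domain.get("id_provider", "").strip().lower() != "ldap":
            continue  # the check is scoped to the ldap identity provider
        value = domain.get("ldap_disable_referrals")
        if value is None or not is_yes(value):
            findings.append(f"sssd.conf [{section}]: add 'ldap_disable_referrals = true'")
    return findings


if __name__ == "__main__":
    for name, result in (("weak smb.conf", audit_smb_conf(SMB_CONF_WEAK)),
                         ("fixed smb.conf", audit_smb_conf(SMB_CONF_FIXED)),
                         ("weak sssd.conf", audit_sssd_conf(SSSD_CONF_WEAK)),
                         ("fixed sssd.conf", audit_sssd_conf(SSSD_CONF_FIXED))):
        print(f"{name}: {result or 'OK'}")
```

To audit a real host, replace the constructed strings with the contents of /etc/samba/smb.conf and /etc/sssd/sssd.conf. The parser is deliberately lenient (no interpolation, single delimiter, duplicates allowed) because both files use conventions that the stock INI reader would otherwise reject.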


Recommended Configurations - Overview

Configuration 1: Samba/Winbind (idmap_rid)
  Services Provided: File sharing, Login access
  Features:
    ○ Templated shell, home dirs
    ○ Least intrusive to AD (no user/group ID attribute changes)
    ○ Algorithmic ID mappings
  Use Case: “Template-driven”

Configuration 2: Samba/Winbind (idmap_ad)
  Services Provided: File sharing, Login access
  Features:
    ○ Customizable shell, home dirs
    ○ Centralized user mgmt
    ○ Assigned ID mappings
    ○ User/group ID attributes set in AD (requires IMU)
  Use Case: “Customizable”

Configuration 3: SSSD/Kerberos/LDAP
  Services Provided: Login access
  Features:
    ○ Advanced authentication, caching
    ○ Reduces client loading on server
    ○ User/group ID attributes set in AD (requires IMU)
  Use Case: “Enhanced”

Configuration 4: Kerberos/LDAP
  Services Provided: Login access
  Features:
    ○ No off-line caching of user credentials
    ○ User/group ID attributes set in AD (requires IMU)
  Use Case: “Legacy”

* See Reference Architecture for details *

Configuration 1 (winbind – idmap_rid)

“Template-driven”

Configuration 1 (Authentication and ID Components )

Configuration 2 (winbind - idmap_ad)

“Customizable”

Configuration 2 (Authentication and ID Components )

Configuration 3 (SSSD/Kerberos/LDAP)

“Enhanced”

Configuration 3 (Authentication and ID Components )

Configuration 4 (Kerberos/LDAP)

“Legacy”

Configuration 4 (Authentication and ID Components )


Futures

● Winbind idmap_autorid
  ○ New backend for Samba 3.6/RHEL 6.4
  ○ Automatically allocates domain ranges
● SSSD
  ○ Active Directory domain trust support (RHEL 6.4)
  ○ New AD integration capabilities – ID mapping, etc. (RHEL 6.4+)
  ○ Fully featured, enhanced alternative to Winbind
● Red Hat Enterprise Linux 7
  ○ Windows interoperability remains high focus


Summary (1)

● First glance: deceptively simple
● Second glance: appears overwhelming
● Many variables, components, interactions
● Reference Architecture simplifies selection, deployment and integration:
  https://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory
● See Customer Portal for additional materials: https://access.redhat.com/knowledge/

Summary (2)

● Select best configuration for your environment, organizational goals
● Hybrid configurations ok to consider
● Third-party products viable alternatives
● Prototype, test in advance
● Most issues have simple causes

“Red Hat Enterprise Linux integrates well with Windows Active Directory”