
1/24/2017

Configuring Linux and Macs to Use Active Directory for Users, Groups, Kerberos Authentication and even Group Policy

© 2017 Monterey Technology Group Inc.

Integration of AD and Linux: Preview of Key Points

• PAM
• NSS
• CentOS
• SSSD
• Beyond CentOS

Integration of Linux and AD

• Linux is designed to be extensible
  • Pluggable Authentication Module (PAM)
  • Name Service Switch (NSS)

Diagram: login, sshd, sudo et al. call into PAM and NSS. By default both are backed by passwd/shadow; PAM can instead plug in Kerberos and NSS can plug in LDAP, both pointed at the domain controllers.


Integration of Linux and AD

• Theoretically just
  • Plugging in Kerberos and configuring it with an AD domain controller
  • Configuring LDAP for NSS and pointing it at AD as well

Diagram (same as above): login, sshd, sudo et al. to PAM and NSS; PAM to Kerberos, NSS to LDAP, both to the domain controllers instead of the default passwd/shadow.

Integration of Linux and AD

• So much more to it though
  • What about when the DC is down?
    • Multiple DC awareness
  • What about using the nearest DC?
    • Site topology awareness
  • What about multiple domains?
    • Trusts
    • Global catalog
  • What about mapping
    • Local users
    • UIDs
    • Local groups
    • GIDs
    • Multiple Linux systems


Integration of Linux and AD

• Trying to integrate using a standards-based, interoperable protocol approach
  • Extremely frustrating
  • Limited ROI
  • Incomplete integration
• Really need AD-aware technology
  • Some *nix have varying levels of AD-awareness built-in
  • We’ll look at a couple
  • You can assume functionality goes down from here

CentOS SSSD

• System Security Services Daemon (SSSD)
  • “set of daemons to manage access to remote directories and authentication mechanisms”

Diagram: login, sshd, sudo et al. call into PAM and NSS; both are backed by SSSD, whose AD module speaks Kerberos and LDAP to AD.


CentOS SSSD

• Steps using realmd
  • This is just one version of CentOS and build/flavor
• Install packages
  • realmd
  • sssd
  • adcli
  • oddjob
  • oddjob-mkhomedir
  • samba-common-tools
  • net-tools (yum provides ifconfig)

• Make sure DNS is pointing at AD
• Name your host according to the computer account in AD
  • vi /etc/sysconfig/network
  • vi /etc/hosts
  • hostname linuxtm.lab.local
  • /etc/init.d/network restart

CentOS SSSD

• Join the domain
• Are we really joined to the domain?
• Try logging in as a domain account
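A preflight check for the DNS and hostname steps above, as an added example that is not part of the original slides or of realmd: it verifies that the host’s FQDN lies in the AD domain and respects the 15-character computer account name limit, and that resolv.conf points at a domain controller. The sample resolv.conf text and the DC address 10.0.0.10 are constructed; lab.local and linuxtm.lab.local come from the slide.

```python
import re

NETBIOS_MAX = 15  # AD computer account names (sAMAccountName) are limited to 15 characters

# Constructed sample resolv.conf: a resolver that is an AD DC, plus the realm as search suffix
SAMPLE_RESOLV = "# constructed example\nnameserver 10.0.0.10\nsearch lab.local\n"
SAMPLE_DCS = {"10.0.0.10"}  # assumed DC address for the lab.local domain from the slides

def parse_resolv_conf(text):
    """Return (nameservers, search domains) from resolv.conf-style text."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *vals = line.split()
        if key == "nameserver" and vals:
            nameservers.append(vals[0])
        elif key in ("search", "domain"):
            search.extend(vals)
    return nameservers, search

def preflight(fqdn, ad_domain, resolv_text, dc_addresses):
    """List the problems that would make the join fail or leave a mismatched computer account."""
    problems = []
    short, _, suffix = fqdn.partition(".")
    if not suffix:
        problems.append(f"hostname {fqdn!r} is not fully qualified")
    elif suffix.lower() != ad_domain.lower():
        problems.append(f"hostname suffix {suffix!r} does not match the domain {ad_domain!r}")
    if len(short) > NETBIOS_MAX:
        problems.append(f"short name {short!r} exceeds the {NETBIOS_MAX}-character computer account name limit")
    if not re.fullmatch(r"[A-Za-z0-9-]+", short):
        problems.append(f"short name {short!r} has characters not allowed in a computer account name")
    nameservers, search = parse_resolv_conf(resolv_text)
    # realmd discovers DCs through DNS SRV records, so the resolver must be AD-integrated DNS
    if not any(ns in dc_addresses for ns in nameservers):
        problems.append("no nameserver in resolv.conf is an AD domain controller")
    if ad_domain.lower() not in (s.lower() for s in search):
        problems.append(f"search list does not contain {ad_domain!r}")
    return problems

if __name__ == "__main__":
    print(preflight("linuxtm.lab.local", "lab.local", SAMPLE_RESOLV, SAMPLE_DCS))
```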


CentOS SSSD

• Default, optimistic mapping of AD’s SID-RID to Linux UID

Diagram: the UID/GID number space is divided into 100k ranges. A hash of the domain SID selects one 100k range for the domain, and the user’s RID is the offset into that range.

• Nifty! If you only have one domain and a green field …
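The slice-and-offset scheme from the diagram, as an added illustration that is not SSSD’s own code: a hash of the domain SID picks a 100k range and the RID is the offset, and it also covers the two cases the diagram hides, a slice collision between two domains and a RID that does not fit the slice. RANGE_MIN, RANGE_MAX and the use of sha256 as the hash are assumptions; the sample SIDs are constructed.

```python
import hashlib

# Slice size from the slide; RANGE_MIN/RANGE_MAX are assumed for this illustration
# (SSSD's own ldap_idmap_* defaults differ). Low UIDs stay free for local accounts.
RANGE_SIZE = 100_000
RANGE_MIN = 200_000
RANGE_MAX = 2_000_200_000
SLICES = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE

def split_sid(sid):
    """Split 'S-1-5-21-<domain>-<RID>' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not an AD object SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def domain_slice(domain_sid, taken):
    """Derive a slice index from a hash of the domain SID (sha256 stands in for SSSD's
    hash: assumption). If another domain already owns that slice, probe forward to the
    next free one, so two domains never share a range."""
    idx = int.from_bytes(hashlib.sha256(domain_sid.encode()).digest()[:4], "big") % SLICES
    while idx in taken.values():
        idx = (idx + 1) % SLICES
    return idx

class IdMapper:
    """Algorithmic SID -> UID/GID mapping. Nothing is stored in AD: hosts with the same
    range settings (and the same domain discovery order) derive the same IDs; a host
    configured differently derives different ones, which is the multi-system pitfall."""

    def __init__(self):
        self.slices = {}  # domain SID -> slice index

    def sid_to_id(self, sid):
        domain_sid, rid = split_sid(sid)
        if domain_sid not in self.slices:
            self.slices[domain_sid] = domain_slice(domain_sid, self.slices)
        if rid >= RANGE_SIZE:
            # a RID beyond the slice has no representable UID, so that user cannot log in
            raise ValueError(f"RID {rid} does not fit in a {RANGE_SIZE}-wide slice")
        return RANGE_MIN + self.slices[domain_sid] * RANGE_SIZE + rid

if __name__ == "__main__":
    m = IdMapper()  # constructed sample SIDs from two domains
    for s in ("S-1-5-21-1004336348-1177238915-682003330-1105",
              "S-1-5-21-3623811015-3361044348-30300820-1105"):
        print(s, "->", m.sid_to_id(s))
```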


*nix Built-in AD Awareness

• CentOS 7.5
  • Green field
  • Small environments
  • 1 domain, etc
  • Homogeneous environments
  • 1 distro of *nix
• Other versions and flavors
  • Mileage will vary
• Other distros
  • Mileage will really vary

Integration of *nix and AD

Migration and mapping of legacy accounts is not trivial

• Do you have
  • Pre-existing environment?
  • Multiple distros of Linux, Apple or Unix?
  • Version changes within the same distro (changes each version)
  • And flavors within: Core, GUI, …
  • Multiple domains?
  • Legacy users and groups on *nix systems with different UIDs and GIDs?


Beyond just authentication

• Kerberos/SSO issues
  • Nix to Nix
  • Accessing Java based sites
  • Windows to Nix
• SSH key replacement
  • Keytab files
• Samba and DFS
• Group Policy
• Nix based management of AD
• Reporting and compliance
• Technical issues
  • Authorization
  • Off-line joins
• Support / finger-pointing

Real world

• Different integration technologies
• Different levels of integration
• Different levels of functionality
• Lots of fun with support

Diagram: Redhat, Debian, Ubuntu, AIX, Apple and Solaris, each integrating with Active Directory in its own way.


Check out BeyondTrust

PowerBroker Identity Services: ‘Active Directory Bridging’

Diagram: Redhat, Debian, Ubuntu, AIX, Apple and Solaris bridged to Active Directory through PowerBroker Identity Services.


Helicopter View – BeyondTrust Solutions

Password Safe:
• Password Management
• Session Management
• SSH Key Management
• Application Management

Privilege Management:
• PowerBroker for Windows & Mac
• PowerBroker for Sudo
• PowerBroker for Unix & Linux

Vulnerability Management:
• Vulnerability Management
• Patch Mgmt for Adobe, Java, etc
• Analytic Reporting

PowerBroker Identity Services:
• Single Sign On (AD Bridge)
• Policy Mgmt for Unix/Linux/Mac via AD

PowerBroker Auditor:
• Audit for Active Directory
• Audit for File Server
• Audit for MS Exchange

PowerBroker Identity Services

• Centralized authentication – Users log on to Unix, Linux, or Mac systems using their Active Directory username and password
• Centralized authorization – Active Directory group membership controls *nix server and workstation access
• One Password and One Password Policy – Improved production time
• Group Policy – extend Microsoft Group Policy to *nix platforms
• Single Point Of Control – De-provision users in one location
• Consistent Experience – Same experience on ALL supported platforms


Architecture Overview
• No changes to AD schema (uses RFC2307)
• Fully integrated with ADUC & GPMC
• Manage with supplied snap-ins or 3rd party tools
• Command Line Toolset (for AD management)
• Easily configure alternate Unix identities with cells
• Deploy and join using web based console

Example user and group objects:

User: Nick Wey
  samAccountName: nwey
  uid: nwey
  uidNumber: 224396392
  gidNumber: 1000
  gecos:
  unixHomeDirectory: %H/BTDEMO/nwey
  loginShell: /bin/bash

Group: unixadm
  samAccountName: unixadm
  uid: unixadm
  gidNumber: 1000

Supported Platforms
• Wide range of supported platforms, providing a consistent installation, configuration and management experience across the enterprise.
• Administration tools for both Windows and *Nix platforms.


Simple Deployment

• Discover
• Profile
• Install
• Domain Join
• Upgrade

PowerBroker Identity Services

• Authentication with Active Directory
• Multiple Trusts Support
• Cached Credentials
• Single Sign-on
• Two-Factor Authentication with Smart Card
• Command-Line Administration tools
• Migration Expertise
• UID-GID Mapping
• No Schema Changes
• Reporting
• Commercial Support
• Directory and NIS Migration
• Group Policy


Product Demonstration

Quick Poll


Q&A
Thank you for attending!
