Authenticating UNIX/Linux to Windows 2008R2. Part 6: Single Sign On and final thoughts

Putting it all together: Single Sign On

Once the clients have keytab files, they can trust the KDC. This means that GSSAPI authentication works, and we can ssh, telnet, or log in from box to box without being prompted for a password again.

eg:

-sh-3.2$ hostname
rhel5host1.example.com
-sh-3.2$ kinit
Password for unix1@EXAMPLE.COM:
-sh-3.2$ ssh rhel6host1.example.com
Last login: Fri Aug 12 17:19:11 2011 from rhel5host1.example.com
-sh-4.1$ exit
logout
Connection to rhel6host1.example.com closed.
-sh-3.2$ ssh sol10host1.example.com
Last login: Fri Aug 12 17:11:40 2011 from rhel6host1.exam
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
$ exit
Connection to sol10host1.example.com closed.

and this also works from PuTTY (putty.exe) on Windows:

Still to do

I can't get Secondary Groups in Red Hat 6 or Solaris 10 to work. This may be due to the format that users are displayed in LDAP:

Red Hat 5.6

-sh-3.2$ id -a unix2
uid=10001(unix2) gid=10000(unixgrp1) groups=10000(unixgrp1),10001(unixgrp2)

Red Hat 6

-sh-4.1$ id -a unix2
uid=10001(unix2) gid=10000(unixgrp1) groups=10000(unixgrp1)

Solaris

$ id -a unix2
uid=10001(unix2) gid=10000(unixgrp1) groups=10000(unixgrp1)

Windows LDAP Entry:

Windows stores secondary group information in two locations: in the group record and in the user record. The group record carries the attribute memberUid (a plain user name), and the user record carries the attribute msSFU30PosixMemberOf, which holds the group's full distinguished name.

Group Record:

ldapsearch -h adserver -D "cn=ldapsearch,cn=Users,dc=example,dc=com" \
  -w ld@p53arch -b "dc=example,dc=com" "cn=unixgrp2"
version: 1
dn: CN=unixgrp2,OU=UNIX,DC=example,DC=com
objectClass: top
objectClass: group
cn: unixgrp2
distinguishedName: CN=unixgrp2,OU=UNIX,DC=example,DC=com
instanceType: 4
whenCreated: 20110811002931.0Z
whenChanged: 20110811002943.0Z
uSNCreated: 21285
uSNChanged: 21292
name: unixgrp2
objectGUID:: w+OU4CAOHUy5UiN/lnCa6w==
objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaWwQAAA==
sAMAccountName: unixgrp2
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
msSFU30Name: unixgrp2
msSFU30NisDomain: example
msSFU30PosixMember: CN=unix2,OU=UNIX,DC=example,DC=com
gidNumber: 10001
memberUid: unix2
Unfollowed continuation reference(s):
ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
ldap://example.com/CN=Configuration,DC=example,DC=com

User Record:

bash-3.00# ldapsearch -h adserver -D "cn=ldapsearch,cn=Users,dc=example,dc=com" \
  -w ld@p53arch -b "dc=example,dc=com" "cn=unix2"
version: 1
dn: CN=unix2,OU=UNIX,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: unix2
givenName: unix2
distinguishedName: CN=unix2,OU=UNIX,DC=example,DC=com
instanceType: 4
whenCreated: 20110810133119.0Z
whenChanged: 20110810135707.0Z
displayName: unix2
uSNCreated: 21206
uSNChanged: 21225
name: unix2
objectGUID:: ofwjB4QV+0G9kLq65UVl5w==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129574589275235806
pwdLastSet: 129574566798691363
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaWQQAAA==
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: unix2
sAMAccountType: 805306368
userPrincipalName: unix2@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129574582277635517
uid: unix2
msSFU30Name: unix2
msSFU30NisDomain: example
msSFU30PosixMemberOf: CN=unixgrp2,OU=UNIX,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/unix2
loginShell: /bin/sh
Unfollowed continuation reference(s):
ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
ldap://example.com/CN=Configuration,DC=example,DC=com
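Because the membership is recorded in three different places (memberUid and msSFU30PosixMember on the group, msSFU30PosixMemberOf on the user), a quick way to narrow down a client that drops secondary groups is to parse the ldapsearch output and list, per attribute, which groups actually name the user. The script below is an added example, not part of this post: it carries a small LDIF parser for ldapsearch output (handles "::" base64 values, folded continuation lines, and the "version: 1" and "Unfollowed continuation reference(s)" noise) and cross-checks the records above. The embedded records are abridged copies of the two entries shown on this page, with attributes that have nothing to do with group membership left out. The "member" attribute is included in the check because it is the attribute AD-style schemas normally use for group membership; the group record on this page does not carry it, so a client configured to read membership from "member" rather than memberUid would find nothing for this group.

```python
import base64
import re
from collections import defaultdict

# Abridged copies of the two records shown above (sample input; attributes
# unrelated to group membership were dropped, the ldapsearch noise was kept).
GROUP_LDIF = """\
version: 1
dn: CN=unixgrp2,OU=UNIX,DC=example,DC=com
objectClass: top
objectClass: group
cn: unixgrp2
objectGUID:: w+OU4CAOHUy5UiN/lnCa6w==
sAMAccountName: unixgrp2
msSFU30Name: unixgrp2
msSFU30NisDomain: example
msSFU30PosixMember: CN=unix2,OU=UNIX,DC=example,DC=com
gidNumber: 10001
memberUid: unix2
Unfollowed continuation reference(s):
ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
"""

USER_LDIF = """\
version: 1
dn: CN=unix2,OU=UNIX,DC=example,DC=com
objectClass: top
objectClass: user
cn: unix2
sAMAccountName: unix2
uid: unix2
msSFU30Name: unix2
msSFU30PosixMemberOf: CN=unixgrp2,OU=UNIX,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/unix2
loginShell: /bin/sh
"""

# attribute name, ":" or "::" (base64), optional space, value
ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch/LDIF text into a list of entries.

    Each entry is a dict: lower-cased attribute name -> list of values.
    A "dn:" line starts an entry; a blank line or any line that is not
    "attr: value" (e.g. "Unfollowed continuation reference(s):") ends it, so
    the "version: 1" header and trailing referral URLs are not treated as
    attributes. Lines starting with a space are LDIF folded continuations.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        m = ATTR_RE.match(raw)
        if not m:
            current, last_attr = None, None
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":  # binary attributes such as objectGUID / objectSid
            value = base64.b64decode(value).decode("latin-1")
        if name == "dn":
            current = defaultdict(list)
            entries.append(current)
        if current is not None:
            current[name].append(value)
        last_attr = name
    return entries


def membership_report(uid, groups, users):
    """Return, per membership attribute, the set of group cn values that
    record `uid` as a member. DNs are compared case-insensitively."""
    user = next((u for u in users if uid in u.get("uid", [])), None)
    if user is None:
        raise KeyError("no user entry with uid=%s" % uid)
    user_dn = user["dn"][0].lower()
    dn_to_cn = {g["dn"][0].lower(): g["cn"][0] for g in groups}

    def groups_naming_dn(attr):
        return {g["cn"][0] for g in groups
                if user_dn in [d.lower() for d in g.get(attr, [])]}

    return {
        "memberUid": {g["cn"][0] for g in groups if uid in g.get("memberuid", [])},
        "msSFU30PosixMember": groups_naming_dn("mssfu30posixmember"),
        "member": groups_naming_dn("member"),
        "msSFU30PosixMemberOf": {dn_to_cn.get(d.lower(), d)
                                 for d in user.get("mssfu30posixmemberof", [])},
    }


def inconsistencies(report):
    """Map each group to the membership attributes that do NOT list the user,
    for groups that appear under at least one attribute."""
    every_group = set().union(*report.values())
    return {cn: sorted(attr for attr, cns in report.items() if cn not in cns)
            for cn in every_group
            if any(cn not in cns for cns in report.values())}


if __name__ == "__main__":
    report = membership_report("unix2", parse_ldif(GROUP_LDIF), parse_ldif(USER_LDIF))
    for attr, cns in report.items():
        print("%-22s %s" % (attr, ", ".join(sorted(cns)) or "(none)"))
    print("missing in:", inconsistencies(report))
```

To run it against a live directory, replace the two embedded strings with the output of the ldapsearch commands above (a "(objectClass=group)" filter for the groups, and the user filter for the user), then compare the attribute that does list the user with the group-membership attribute your NSS client (nss_ldap or sssd) is configured to read.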
