Samba as an Active Directory Domain Controller

Gregory Havens II, Texas A&M University – venom@tamu.edu
Anthony Liguori, Rutgers University – [email protected]
C. Donour Sizemore, University of Chicago – [email protected]
CIFS Conference, 2002

Active Directory
What is Active Directory?
• Central repository of network resources
  – users and groups
  – computers, printers, etc.
  – configuration data
• Administrative abstraction for managing users and resources
  – ADSI
  – Windows MMC
Why Do People Use Active Directory?
• Provides much tighter integration of services than previously existed
• Bundled with all Windows 2000 servers
• Provides a central point of resource management
• Good administration tools
Components
• LDAP server
• Kerberos Key Distribution Center (KDC)
• Domain controller
• Integrated services
  – File / printer (CIFS)
  – Web (IIS)
  – Mail (Exchange)
  – Naming (DNS)
AD Domain Controller
What are domains?
1. Canonical – DNS
2. Resource – LDAP
3. Security – NT domains
• Active Directory combines these
Domain Controller (DC) Function
• Manage various network resources
  – Printers
  – Filesystems
  – Applications
• Provides
  – Authentication
  – Authorization
  – Administrative abstraction
Native vs. Mixed Mode
• Windows 2000 Server supports both native and mixed mode operation
• Mixed mode
  – Master-slave replication
  – Support for NT BDCs
• Native mode
  – Peer-to-peer replication
  – Better server scalability (except the Global Catalog, which exists on one server)
NT Domain (diagram: an NT PDC and an NT BDC serving several Windows clients and a Samba client)
• Master-slave domain hierarchy
Active Directory Domain (diagram: root domain ibm.com with child domains linux.ibm.com and igs.ibm.com, a grandchild domain ltc.linux.ibm.com, and both Samba and Windows clients)
DC Components
• Filesystem / RPC server
  – Samba
• Directory server
  – iPlanet, IBM Directory Server, eDirectory
  – OpenLDAP
• Kerberos
  – MIT Kerberos
  – Heimdal
Possible Solution (diagram: a Windows client talks to the Active Directory side over DNS, LDAP, SMB, DCERPC and Kerberos; on the open-source side these are served by BIND for DNS, OpenLDAP for LDAP, Samba for SMB and DCERPC, and MIT Kerberos for Kerberos)
Common Domain Processes
• Join a domain
• User logon
• Resource request
• Add user
• Add a resource (printer, shared folder, etc.)
• Add domain controller
• System boot
Domain Join Process
• Locate domain controller – DNS SRV record queries
• Locate logon server – CLDAP
• Authenticate – Kerberos
• Send connection request – SMB/RPC
• Negotiate addition to domain
  – Security descriptor generation
  – objectSid generation
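As an added illustration of the first join step (this code is not from the talk or from Samba), the Python below turns a domain name into the standard `_msdcs` SRV names an AD client queries, orders the answers per RFC 2782 (priority first, weighted random within a priority), and returns None when no SRV data exists, which is the point at which a client drops back to NetBIOS name service and the join stalls. The zone contents and the example.test domain are constructed sample data.

```python
import random
from typing import Callable, Dict, List, NamedTuple, Optional

class SrvRecord(NamedTuple):
    priority: int; weight: int; port: int; target: str

def dc_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names an AD client tries, most specific first (standard _msdcs layout)."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    return names + [f"_ldap._tcp.dc._msdcs.{domain}"]

def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)   # 0..total inclusive, as the RFC specifies
            running = 0
            for r in bucket:               # first record whose running sum reaches pick
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered

# Constructed zone data for a made-up domain; in the talk's design BIND would serve this.
CONSTRUCTED_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.dc._msdcs.example.test": [
        SrvRecord(0, 100, 389, "dc1.example.test"),
        SrvRecord(0, 100, 389, "dc2.example.test"),
        SrvRecord(10, 0, 389, "dc-backup.example.test"),  # tried only after priority 0
    ],
}

def locate_dc(domain: str, lookup: Callable[[str], List[SrvRecord]],
              site: Optional[str] = None, seed: int = 0) -> Optional[List[str]]:
    """DC endpoints in the order to try, or None when no SRV data exists
    (the client then falls back to NetBIOS name service: the long join delay)."""
    rng = random.Random(seed)
    for name in dc_srv_names(domain, site):
        answers = lookup(name)
        if answers:
            return [f"{r.target}:{r.port}" for r in order_srv(answers, rng)]
    return None
```

Any resolver that maps an SRV name to a list of records can be passed as `lookup`; the constructed dictionary stands in for one here.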
CLDAP
• Connectionless LDAP server
  – UDP 389
  – LDAP v3
• Ability is being integrated into the Samba 3.0 development tree
• Failure drops back to NetBIOS name service
  – Long domain join delay
CLDAP Server Support
• Not a true LDAP request; it seems to be more of a new RPC transport, so it can't be served by any current LDAP implementation
• Preliminary work to integrate it into Samba's nmbd
Samba
What Samba Can Do Now
• Samba 2.2 releases
  – Supports most of the RPC calls necessary for a Windows XP join (netlogon, etc.)
  – NT Primary Domain Controller
• Forthcoming in future Samba releases
  – Active Directory client
  – Active Directory Domain Controller
AD LDAP Server
Dynamically Generated Fields
• Breaks with the spirit of LDAP
  – ntSecurityDescriptor
  – objectSid
• Requires a special-purpose backend to serve dynamic data
  – Proxy backend
  – "AD" backend
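An added example (not from the talk or from Samba) of what the dynamically generated objectSid involves: the codec between the SID string form and the binary layout stored in the objectSid attribute (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities), plus the RID-append step a DC performs when it mints an objectSid for a newly joined machine. The domain SID used in the test is a constructed sample.

```python
import struct
from typing import Tuple

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-<authority>-<sub>...' into the binary objectSid layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID string: {sid!r}")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subs) > 15 or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("SID component out of range")
    return (struct.pack("<BB", 1, len(subs))            # revision, sub-authority count
            + authority.to_bytes(6, "big")             # 48-bit big-endian authority
            + b"".join(struct.pack("<I", s) for s in subs))  # little-endian sub-authorities

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid value back to its string form, rejecting truncated data."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join(f"-{s}" for s in subs)

def split_rid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain SID, RID); the RID is the last sub-authority."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

def new_object_sid(domain_sid: str, next_rid: int) -> bytes:
    """objectSid generation at join time: domain SID plus the next free RID, in binary."""
    return sid_to_bytes(f"{domain_sid}-{next_rid}")
```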
Active Directory Schema
• Published in the directory
• Root DSE attributes
  – ldapServiceName
• Includes non-standard objects
• Breaks certain standard objects
  – person object class
Kerberos
• Heimdal
  – Stores keytab data and principal database in OpenLDAP
• MIT Kerberos
  – Supports PAC extensions
  – Doesn't support using an LDAP server for storing configuration