Authenticating UNIX/Linux to Windows 2008R2. Part 6 : Single Sign On and final thoughts

Putting it all together: Single Sign On

Once each host has a keytab holding its host/ principal, it can verify the service tickets the KDC issues, so GSSAPI authentication works: after one kinit we can ssh, telnet or log in from box to box without being asked for a password again.

e.g.:

-sh-3.2$ hostname
rhel5host1.example.com
-sh-3.2$ kinit
Password for unix1@EXAMPLE.COM:
-sh-3.2$ ssh rhel6host1.example.com
Last login: Fri Aug 12 17:19:11 2011 from rhel5host1.example.com
-sh-4.1$ exit
logout
Connection to rhel6host1.example.com closed.
-sh-3.2$ ssh sol10host1.example.com
Last login: Fri Aug 12 17:11:40 2011 from rhel6host1.exam
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
$ exit
Connection to sol10host1.example.com closed.

and this works from Windows with PuTTY too, which passes the logon session's Kerberos credentials over GSSAPI.
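The hop above depends on two things being in the client's credential cache: the TGT from kinit and a service ticket for host/&lt;fqdn&gt;@REALM of the target, which ssh requests with the TGT and sshd verifies against its keytab. The following check is an added example and not code from the original post; KLIST_AFTER_HOP is a constructed MIT-format klist listing for the unix1 to rhel6host1 hop, using the host names and realm from the post.

```python
"""What a GSSAPI single sign-on hop needs: a TGT in the credential cache and
a service ticket for host/<fqdn>@REALM of the target, which ssh fetches with
the TGT and sshd verifies with its keytab.
Added example, not code from the original post.  KLIST_AFTER_HOP is a
constructed MIT-format `klist` listing for the unix1 -> rhel6host1 hop shown
above; the host names and realm follow the post."""

KLIST_AFTER_HOP = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: unix1@EXAMPLE.COM

Valid starting     Expires            Service principal
08/12/11 17:30:02  08/13/11 03:30:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/19/11 17:30:02
08/12/11 17:30:10  08/13/11 03:30:02  host/rhel6host1.example.com@EXAMPLE.COM
\trenew until 08/19/11 17:30:02
"""


def service_principal(host, realm):
    """The SPN ssh asks the KDC for: host/ plus the resolved, fully qualified
    name in lower case, in the upper-case realm.  The same string must exist
    in the target's keytab (klist -k) or GSSAPI is skipped and ssh moves on
    to the next method, typically a password prompt."""
    host = host.lower().rstrip(".")
    if "." not in host:
        raise ValueError("GSSAPI uses the canonical FQDN, not a short name")
    return "host/%s@%s" % (host, realm.upper())


def parse_klist(text):
    """(default principal, [service principals]) from MIT klist output."""
    default, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        fields = line.split()
        # ticket lines are: start-date start-time expiry-date expiry-time SPN
        if len(fields) == 5 and "@" in fields[-1] and "/" in fields[-1]:
            tickets.append(fields[-1])
    return default, tickets


def hop_status(klist_text, target_host, realm="EXAMPLE.COM"):
    """Whether this cache can reach target_host without a password (tgt), and
    whether a GSSAPI hop to it already happened (its host/ ticket is cached).
    Before the first connect service_ticket is normally False: ssh fetches it
    on demand.  After a hop that still prompted for a password, False means
    GSSAPI was not used and the SPN or keytab is what to check."""
    default, tickets = parse_klist(klist_text)
    spn = service_principal(target_host, realm)
    return {
        "principal": default,
        "tgt": "krbtgt/%s@%s" % (realm, realm) in tickets,
        "spn": spn,
        "service_ticket": spn in tickets,
    }
```

Two settings to check if the hop still prompts for a password: GSSAPIAuthentication defaults to no in both ssh_config and sshd_config and must be yes on both ends, and the name given to ssh must resolve to the FQDN in the SPN, since a short name or alias produces a principal the server's keytab does not hold (ssh -v shows whether gssapi-with-mic was tried).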

Still to do

I can't get Secondary Groups in Red Hat 6 or Solaris 10 to work. This may be due to the format in which users are displayed in LDAP:

Red Hat 5.6

-sh-3.2$ id -a unix2
uid=10001(unix2) gid=10000(unixgrp1) groups=10000(unixgrp1),10001(unixgrp2)

Red Hat 6

-sh-4.1$ id -a unix2
uid=10001(unix2) gid=10000(unixgrp1) groups=10000(unixgrp1)

Solaris

$ id -a unix2
uid=10001(unix2) gid=10000(unixgrp1) groups=10000(unixgrp1)

Windows LDAP Entry:

Windows stores secondary group information in two places: on the group and on the user. The group record carries the RFC 2307 attribute memberUid (the plain login name) and the SFU attribute msSFU30PosixMember (the member's full distinguished name); the user record carries the matching back-link msSFU30PosixMemberOf, also as a full distinguished name. Which of these a client reads depends on the schema its NSS module is configured for: nss_ldap, sssd's default rfc2307 schema and the Solaris native LDAP client resolve supplementary groups from memberUid.

Group Record:

ldapsearch -h adserver -D "cn=ldapsearch,cn=Users,dc=example,dc=com" \
-w ld@p53arch -b "dc=example,dc=com" "cn=unixgrp2"
version: 1
dn: CN=unixgrp2,OU=UNIX,DC=example,DC=com
objectClass: top
objectClass: group
cn: unixgrp2
distinguishedName: CN=unixgrp2,OU=UNIX,DC=example,DC=com
instanceType: 4
whenCreated: 20110811002931.0Z
whenChanged: 20110811002943.0Z
uSNCreated: 21285
uSNChanged: 21292
name: unixgrp2
objectGUID:: w+OU4CAOHUy5UiN/lnCa6w==
objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaWwQAAA==
sAMAccountName: unixgrp2
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
msSFU30Name: unixgrp2
msSFU30NisDomain: example
msSFU30PosixMember: CN=unix2,OU=UNIX,DC=example,DC=com
gidNumber: 10001
memberUid: unix2
Unfollowed continuation reference(s):
ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
ldap://example.com/CN=Configuration,DC=example,DC=com

User Record:

bash-3.00# ldapsearch -h adserver -D "cn=ldapsearch,cn=Users,dc=example,dc=com" \
-w ld@p53arch -b "dc=example,dc=com" "cn=unix2"
version: 1
dn: CN=unix2,OU=UNIX,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: unix2
givenName: unix2
distinguishedName: CN=unix2,OU=UNIX,DC=example,DC=com
instanceType: 4
whenCreated: 20110810133119.0Z
whenChanged: 20110810135707.0Z
displayName: unix2
uSNCreated: 21206
uSNChanged: 21225
name: unix2
objectGUID:: ofwjB4QV+0G9kLq65UVl5w==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129574589275235806
pwdLastSet: 129574566798691363
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaWQQAAA==
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: unix2
sAMAccountType: 805306368
userPrincipalName: unix2@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129574582277635517
uid: unix2
msSFU30Name: unix2
msSFU30NisDomain: example
msSFU30PosixMemberOf: CN=unixgrp2,OU=UNIX,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/unix2
loginShell: /bin/sh
Unfollowed continuation reference(s):
    ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
    ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
Unfollowed continuation reference(s):
    ldap://example.com/CN=Configuration,DC=example,DC=com
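To see which of the three membership attributes actually reference a user, and to decode the base64 (::) binary attributes such as objectSid into the familiar S-1-5-21-... form, the following script reads an ldapsearch/LDIF export like the two records above. It is an added example, not code from the original post: the unixgrp2 and unix2 entries are the page's own records trimmed to the relevant attributes, while unixgrp3 and the second msSFU30PosixMemberOf value are constructed to show a group whose DN-valued membership was never mirrored into memberUid, which an RFC 2307 client would therefore not see.

```python
"""Cross-check the places Active Directory (SFU/IdMU schema) records POSIX
secondary-group membership, using an ldapsearch/LDIF export.
Added example, not code from the original post.  unixgrp2 and unix2 below are
the page's records trimmed to the relevant attributes; unixgrp3 and the second
msSFU30PosixMemberOf value are constructed: a group whose DN-valued membership
was never mirrored into memberUid."""
import base64
import struct

LDIF = """\
dn: CN=unixgrp2,OU=UNIX,DC=example,DC=com
objectClass: group
cn: unixgrp2
objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaWwQAAA==
msSFU30PosixMember: CN=unix2,OU=UNIX,DC=example,DC=com
gidNumber: 10001
memberUid: unix2

dn: CN=unixgrp3,OU=UNIX,DC=example,DC=com
objectClass: group
cn: unixgrp3
msSFU30PosixMember: CN=unix2,OU=UNIX,DC=example,DC=com

dn: CN=unix2,OU=UNIX,DC=example,DC=com
objectClass: user
cn: unix2
objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaWQQAAA==
uid: unix2
msSFU30PosixMemberOf: CN=unixgrp2,OU=UNIX,DC=example,DC=com
msSFU30PosixMemberOf: CN=unixgrp3,OU=UNIX,DC=example,DC=com
Unfollowed continuation reference(s):
ldap://example.com/CN=Configuration,DC=example,DC=com
"""


def parse_ldif(text):
    """One {attribute: [values]} dict per entry.  Folded lines (leading space)
    are joined, 'attr:: value' is base64 and decoded to bytes, comments and
    ldapsearch's referral chatter are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep or " " in attr or attr.startswith("#") or attr == "ldap":
            continue
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        entry.setdefault(attr, []).append(value)
    return entries


def sid_to_string(blob):
    """Decode a binary objectSid: revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities;
    the last sub-authority is the RID."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def secondary_groups(entries, uid):
    """Groups claiming `uid` by each route: memberUid (RFC 2307, what nss_ldap,
    sssd's default rfc2307 schema and the Solaris native client read), the
    group's msSFU30PosixMember DNs, and the user's msSFU30PosixMemberOf DNs.
    DNs are compared case-insensitively, as AD does."""
    user = next(e for e in entries if uid in e.get("uid", []))
    user_dn = user["dn"][0].lower()
    groups = [e for e in entries if "group" in e.get("objectClass", [])]
    by_dn = {g["dn"][0].lower(): g for g in groups}
    return {
        "memberUid": sorted(g["cn"][0] for g in groups if uid in g.get("memberUid", [])),
        "msSFU30PosixMember": sorted(
            g["cn"][0] for g in groups
            if user_dn in [m.lower() for m in g.get("msSFU30PosixMember", [])]),
        "msSFU30PosixMemberOf": sorted(
            by_dn[dn.lower()]["cn"][0]
            for dn in user.get("msSFU30PosixMemberOf", []) if dn.lower() in by_dn),
    }


def missing_memberuid(entries):
    """Groups whose DN-valued msSFU30PosixMember is not mirrored in memberUid;
    an RFC 2307 client will not see those memberships at all."""
    uid_by_dn = {e["dn"][0].lower(): e["uid"][0] for e in entries if "uid" in e}
    gaps = {}
    for g in entries:
        dn_uids = {uid_by_dn[dn.lower()] for dn in g.get("msSFU30PosixMember", [])
                   if dn.lower() in uid_by_dn}
        missing = sorted(dn_uids - set(g.get("memberUid", [])))
        if missing:
            gaps[g["cn"][0]] = missing
    return gaps
```

Run it against a real export by saving the ldapsearch output to a file and passing its contents to parse_ldif. When taking that export, prefer -W (prompt) or -y passwordfile over -w on the command line as in the searches above, since a bind password given with -w is visible in the process listing and lands in the shell history; and note that the two objectSid values decode to the same domain SID with RIDs 1115 and 1113, which is what distinguishes them from the POSIX gidNumber/uidNumber the UNIX side uses.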
