WinBIND and SSSD
Can they by friends?
Sumit Bose - Red Hat
sbose@redhat.com
Winbind
Get User and Group data from AD
Offer PAM and NSS interfaces
NTLM authentication
SSSD
ID-Mapping
Secure Channel
Trust maintainance
GPO based access control
2FA/SC authentication
sudo-rules in AD
DBus-Interface
Supports Forest-Trust
Supports multiple joins
ID-Mapping
Windows
UNIX/Linux
SIDs
POSIX IDs
Common Namespace
for User and Groups
Separate Namespaces
for Users and Groups
128bit ID
32bit ID
S-1-5-21-11-22-33-1001
1001
ID-Mapping
POSIX IDs stored in AD
Winbind and SSSD will have the same source
SSSD allows overriding POSIX data
ID-Mapping
First come first serve
S-1-5-21-11-22-33-1234
S-1-5-21-12-22-32-4321
S-1-5-21-31-32-33-1122
1000
1001
1002
S-1-5-21-11-22-33-1234
S-1-5-21-12-22-32-4321
S-1-5-21-31-32-33-1122
1000
1001
1002
or
ID-Mapping
Algorithmic RID-based mapping
S-1-5-21-111-222-333-1234
Domain-specific part
Object specific part RID
sets POSIX ID range
e.g. [200000, 399999]
used as offset
1234
POSIX ID: 201234
ID-Mapping
How does SSSD find the POSIX ID range?
S-1-5-21-111-222-333-1234
S-1-5-21-111-222-333
1234
murmurhash3(S-1-5-21-111-222-333) % N
1
2
3
4
5
6
7
8
N-1
N
.
.
.
.
.
.
POSIX ID range
How could they run together
Let SSSD handle PAM and NSS
Use id-mapping from SSSD
Use Samba's idmap-nss ?
Better have a specific idmap module
SSSD idmap module
/* Filled out by IDMAP backends */
struct idmap_methods {
/* Called when backend is first loaded */
NTSTATUS (*init)(struct idmap_domain *dom);
/* Map an array of uids/gids to SIDs. The caller specifies
the uid/gid and type. Gets back the SID. */
NTSTATUS (*unixids_to_sids)(struct idmap_domain *dom, struct id_map **ids);
/* Map an arry of SIDs to uids/gids. The caller sets the SID
and type and gets back a uid or gid. */
NTSTATUS (*sids_to_unixids)(struct idmap_domain *dom, struct id_map **ids);
/* Allocate a Unix-ID. */
NTSTATUS (*allocate_id)(struct idmap_domain *dom, struct unixid *id);
};
Unfortunately idmap.h is not public
From idmap.h:
SSSD idmap module
/etc/samba/smb.conf:
...
idmap config * : backend = sss
idmap config * : range = 1-2147483647
...Plugin maps SIDs<->IDs in a single request
Plugin will directly talk to SSSD via a Socket
Next: in-memory cache for SID based requests
Why should Winbind and
SSSD run together?
To get the most out of central management
and
authentication
GPO-based Access Control
Maps Logon-Rights to PAM services
PAM Services:
- login
- su
- xdm, kdm, gdm, ...
GPO-based Access Control
Allow/Deny log on locally
login, su, su-l, gdm-fingerprint, gdm-password, gdm-smartcard,
kdm, lightdm, lxdm, sddm, xdm
Allow/Deny log on through Remote Desktop Services
sshd, cockpit
Deny /Access (to) this computer from the network
ftp
Allow/Deny log on as a batch job
crond
Allow/Deny log on as a service
- not set -
Always permit
sudo, sudo-i, systemd-user
Always deny
- not set - (default for all other services)
SUDO-Rules in AD
Details at http://jhrozek.livejournal.com/3860.html
Add sudo-schema and rules to AD
AD
CN=less,OU=sudoers,...
...
sudoCommand: /usr/bin/less
...
SSSD AD
name=less,cn=sudorules,..
...
sudoCommand: /usr/bin/less
...
SSSD SUDO
Prepares rules for sudo
SUDO
/etc/nsswitch.conf:
sudoers: files sssSSSD will download and cache the rules
SUDO-Rules in AD
Benefits of SSSD over plain sudoers.ldap
caching
different update rules
no additional configuration
no additional LDAP bind/authentication
InfoPIPE - DBus Interface
Where to get the user's telephone number?
GECOS?
What about application specific attributes?
Let SSSD read and cache the attributes
Use DBus to make them available locally
InfoPIPE - DBus Interface
# dbus-send --system --print-reply \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.FindByName string:"user@ad.domain"
object path "/org/freedesktop/sssd/infopipe/Users/ad_2edomain/1367201104"
# dbus-send --system --print-reply \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users/ad_2edevel/1367201104 \
org.freedesktop.DBus.Properties.GetAll \
string:"org.freedesktop.sssd.infopipe.Users.User"
array [
dict entry(
string "name"
variant string "tu1@ad.devel"
)
......
dict entry(
string "extraAttributes"
variant array [
dict entry(
string "mail"
array [
string "tu1@ad.devel"
]
)
dict entry(
string "telephoneNumber"
array [
string "123-456-789"
]
)Kerberos - Localauth
Kerberos and the OS use different namespaces
Kerberos principal vs logon name
Simple default heuristic: strip realm part
user@AD.DOMAIN -> user
user@CHILD.AD.DOMAIN -> user
Fully qualified names AD\user are not handled
Kerberos - Localauth
MIT Kerberos allows localauth plugins to map names
SSSD knows
samAccountName
userPrincipalName attribute in AD
default principal samAccountName@AD.DOMAIN
SSSD's localauth plugin compares
logon name
Kerberos principal
Kerberos - Localauth
$ kdestroy -A
$ kinit tu1@AD.DEVEL
Password for tu1@AD.DEVEL:
$ ssh -K -l 'AD\tu1' linux.ad.devel
Last login: Fri May 6 17:50:37 2016 from 192.168.122.117
-sh-4.3$ klist
Ticket cache: KEYRING:persistent:1367201104:1367201104
Default principal: tu1@AD.DEVEL
Valid starting Expires Service principal
06.05.2016 17:50:55 07.05.2016 03:50:52 krbtgt/AD.DEVEL@AD.DEVEL
renew until 07.05.2016 17:50:49
-sh-4.3$
Smartcard Authentication
How to map User to Smartcard?
SSSD reads and caches userCertificate from AD
Certificate is validated at login time
PKINIT support is currently added
Smartcard Authentication
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 488 (0x1e8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Red Hat, OU=prod, CN=Certificate Authority
Validity
Not Before: Mar 23 11:26:32 2016 GMT
Not After : Mar 23 11:26:32 2018 GMT
Subject: DC=com, DC=redhat, OU=users/UID=sbose/emailAddress=sbose@redhat.com, CN=Sumit Bose Sumit Bose
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:83:df:7c:6b:22:e6:1c:93:10:b0:7e:d3:64:35:
...
9c:1d
Exponent: 2972463911 (0xb12c3327)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:7B:DA:09:F5:49:5D:D9:D7:5C:C9:36:F8:55:D2:1B:97:9E:11:2F:7E
Authority Information Access:
OCSP - URI:http://ocsp.redhat.com/ca/ocsp/
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
X509v3 Subject Alternative Name:
email:sbose@redhat.com
Signature Algorithm: sha256WithRSAEncryption
50:2d:61:1f:bf:bb:76:ca:05:e3:cb:f4:cf:a2:8b:11:b4:8f:
...
f7:7e:e6:f4Smartcard Authentication
What about remote hosts?
Smartcards carry public-private key pairs
Private key is protected with the PIN
Public key is part of the X509 certificate
"Public key with meta-data"
Smartcard Authentication
SSH's PubkeyAuthentication
# ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so
ssh-rsa AAAAB3NzaC1yc2EAAAAFALEsMycAAAEBAIPffGsi5hyTELB+02Q1063F8f...# ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so sctest@remote
Enter PIN for 'OpenSC Card (Sumit Bose)':
Last login: Mon May 9 11:22:18 2016 from localhost
[sctest@remote ~]$Certificate data is ignored
No validation at all
Public key stored in authorized_keys file
Smartcard Authentication
AD
CN=user,CU=Users,...
...
userCertificate:: MIIGhDCC...
...
SSSD AD
name=user,cn=users,..
...
userCertificate:: MIIGhDCC...
...
SSSD SSH
Validates Certificate
OpenSSHD
Calls
sss-ssh-authorizedkeys
Smartcard Authentication
SSH's authentication agent forwarding
pam_ssh_agent_auth PAM module
/etc/pam.d/sudo:
auth sufficient pam_ssh_agent_auth.so \
authorized_keys_command=/usr/bin/sss_ssh_authorizedkeysThe Future?
Already available:
SSSD container for RHEL Atomic¹
https://hub.docker.com/r/fedora/sssd/
both are able to join an AD domain
¹https://access.redhat.com/documentation/en/red-hat-enterprise-linux-atomic-host/7/getting-started-with-containers/chapter-13-using-sssd-container-image
