One User, One Password: Integrating Unix Accounts and Active Directory
David J. Blezard & Jerry Marceau
Academic Computing Systems, University of New Hampshire
http://at.unh.edu

Overview
• General Authentication Issues
• UNH Background
• One User
• One Password
• Conclusions & Lessons Learned
• Future Directions
Authentication
• Are you really who you say you are?
• Must happen in order to have authorization to access resources
• Historically, most systems have been separate, especially between platforms

One User - One Password
• Plusses
  • Easy for users
  • Less account maintenance for administrators
• Minuses
  • If passwords are exposed, multiple systems are compromised
  • Not the same as single sign-on

UNH Clusters
• 13,000+ Students plus Faculty and Staff
• 4 Main Locations and 4 Satellite Locations
• 450 Total Computers
• Student Consultants Staff in Main Locations Only
• Some Clusters Open 24 Hours
• No existing Kerberos or LDAP
Past Authentication Systems
• Checking IDs - labor intensive
• In-House SS#/DOB system - security problem
• Windows 95/98 & Samba Domain
  • Samba on central Unix systems provides the Samba Password Server
  • Samba on a local Linux box creates an NT-style domain
  • Computers log in to the Linux domain, which passes authentication to the central Unix machines
Samba & Win2000
• Windows NT/2000/XP require machine accounts as well as user accounts
• Not an option at UNH due to central control of the Unix account base
• Samba cannot completely emulate a Windows 2000 Active Directory

W2K + Unix = SFU 2.0
• Services for Unix 2.0 - package of tools from Microsoft to let Windows and Unix “interoperate”
• Provides Unix command line tools plus wizards for various integration functions on Windows
• Extends the AD schema to allow for Unix properties
• Includes some source code and tools for Unix
• Current release is SFU 3.0

One User - Easy
• Usernames directly accessible in /etc/passwd
• SFU NIS Migration Wizard
  • Creates AD users from existing Unix users
  • Designed to migrate, meaning a permanent change of all accounts to residing in AD
  • No means for dynamic updates or removal of users
• Created VBScripts to parse /etc/passwd and create user accounts

One User - Not So Fast!
• Requires scripts on the Unix systems to monitor newly created and deleted accounts
  • Compare cached password file to current file
  • Create lists of added and deleted users
  • Lists are stored on a Samba share
• More complicated because a decision was made to separate faculty and staff accounts (AD) from student accounts (WILDCAT)

One Password - Hard
• Unix passwords are one-way encrypted – cannot recover them from /etc/passwd
• Unix password stored in Active Directory is separate from the Windows password
• SFU Two-way Password Synchronization
  • Allows password changes on a Windows system to propagate to Unix and vice versa
  • Uses a shared encryption key to secure and validate password change communications
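The "compare cached password file to current file" step above, written out as an added example (not a script from the UNH deployment). It assumes POSIX sh with awk, sort and comm, that accounts below an assumed MIN_UID of 1000 are system accounts to skip, and that the output directory is the Samba share the VBScript reads from.

```shell
#!/bin/sh
# Added example: report Unix accounts added or removed since the last run by
# diffing a cached copy of /etc/passwd against the live file, writing
# added.txt and deleted.txt for the Windows-side VBScript to consume.
# Assumptions: POSIX sh; "real" users have UID >= MIN_UID (site-specific);
# the output directory is the Samba share (placeholder, not the UNH path).

LC_ALL=C; export LC_ALL          # stable sort order for comm
MIN_UID=${MIN_UID:-1000}         # assumed cut-off for system accounts

# Print one username per line for accounts at or above MIN_UID, sorted.
user_list() {
    # passwd fields: name:passwd:uid:gid:gecos:home:shell
    awk -F: -v min="$MIN_UID" '$3 >= min { print $1 }' "$1" | sort
}

# diff_accounts CACHED CURRENT OUTDIR
# Writes OUTDIR/added.txt   (users in CURRENT but not in CACHED)
#    and OUTDIR/deleted.txt (users in CACHED but not in CURRENT),
# then refreshes the cache so the next run reports only new changes.
diff_accounts() {
    cached=$1; current=$2; outdir=$3
    # First run: no cache yet, so every real user counts as added.
    [ -f "$cached" ] || : > "$cached"
    tmp_old=$(mktemp); tmp_new=$(mktemp)
    user_list "$cached"  > "$tmp_old"
    user_list "$current" > "$tmp_new"
    comm -13 "$tmp_old" "$tmp_new" > "$outdir/added.txt"    # only in current
    comm -23 "$tmp_old" "$tmp_new" > "$outdir/deleted.txt"  # only in cache
    rm -f "$tmp_old" "$tmp_new"
    cp "$current" "$cached"
}

# Typical cron invocation (placeholder paths):
#   diff_accounts /var/cache/passwd.last /etc/passwd /export/samba/adsync
```

Run it from cron on the central Unix hosts; the Windows side only ever sees usernames, never password hashes, since only the name field is extracted.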
SFU Password Sync
• The good news
  • It works!
• The bad news
  • Designed for either Windows-to-Unix-only or two-way synchronization
  • UNH Unix systems have strict password rules
  • Password changes from Windows would not meet these requirements

Password Sync Solution
• Source for the Password Sync components for the Unix side is included in SFU
• If the daemon is not run on the Unix machines, password changes sent from the AD domain controllers cannot come in
  • Errors will accumulate in the Windows Event Logs
• An undocumented Registry hack will disable Windows-to-Unix synchronization
Create a WILDCAT Account (diagram)
• CIS Unix account created: jruser / 456789
• Unix script sees new user → added.txt
• VBScript makes WILDCAT user w/ random pwd: jruser / ??????
• User logs in first time → Required password change: jruser / Pwd!99
• SFU Password Sync → WILDCAT password change: jruser / Pwd!99
Existing Users?
• Batch imported all existing students to WILDCAT
• Initial Windows passwords are random
• A password change would create the Windows password – not very popular!
• Winsync - Unix utility to fake a password change
  • Based on SFU source
  • Validates the user by requesting their password
  • Uses the encryption key to send the proper password change command to the domain controller

Some Advice
• LDAP would have been better in the long run
• Don’t split up student and faculty accounts
• Occasional password sync problems - just directly change the user’s AD password
• Plan for account deletions

Now What?
• Networked Storage from Unix systems
  • With identical Unix and Windows passwords, we can mount the Unix home disk to “My Documents” via Samba
• Student VPN
  • Set up to provide access to full network services via wireless
  • Requires a WILDCAT account
• Mac OS X ??
• ResNet ????

Acknowledgements
• Tony DiTulio - the other third of our department (the one who is actually a Windows guy!)
• Paul Sand - Unix guru & sys admin extraordinaire