UW Windows Infrastructure
Brian Arkills, Software Engineer, LDAP geek, AD bum, and Associate Troublemaking Officer

Goal
Goal: To provide centrally-provisioned Windows accounts to all of the UW campus
Guiding Principle: The UW Windows Infrastructure is an enabling technology
Core Components
• Active Directory (netid.washington.edu)
• LDAP directory AND KDC realm
• “Fuzzy Kiwi”, a kiwi client that provisions *all* UW NetIDs with an active Kerberos subscription
• Slurpee, a GDS connector that synchronizes the enterprise group-oriented directory information
• WINS, a NetBIOS name resolution service
Key Features
• AuthN: Windows user accounts with UW NetID password that are automatically provisioned
• AuthZ: Automatically-provisioned institutional groups that can be used for authorization
  • 60K course groups
  • 7 affiliation groups (e.g. student, staff, faculty)
  • ~150 other groups, including C&C org groups
How to Adopt
• Get a trust.
• Use UWWI users and groups in your ACLs.
• Tell users.
See http://www.netid.washington.edu/documentation/howToUse.aspx
Key Limitations
• No delegated user management, i.e.
  • No home directory
  • No profile
  • No Exchange mailbox could be set, etc.
• Course groups are private; memberOf on *all* users is private
• NTLMv2 only for domain trusts; Kerberos & NTLMv2 only for forest trusts
• Account lockouts: 5 bad attempts in 1 minute -> 1 minute lockout
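The lockout limitation above is worth understanding precisely before you ACL a service with UWWI principals: a script or service that retries a stale password can lock a real person out for a minute at a time. The following is an added example (not UW's code) that replays constructed logon events against the stated policy of 5 bad attempts within 1 minute producing a 1 minute lockout, so an operator can see which attempts triggered a lock and which were refused while locked. The counter-reset behaviour (reset when the previous failure is older than the window, and on a successful logon) and all timestamps and account names are assumptions made for the example.

```python
"""Replay of the UWWI lockout policy stated on the slide over constructed
logon events. Added example; not UW's code."""
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 5                    # bad attempts (from the slide)
WINDOW = timedelta(minutes=1)    # observation window (from the slide)
LOCKOUT = timedelta(minutes=1)   # lockout duration (from the slide)


def replay(events, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
    """events: iterable of (timestamp, account, success). Returns
    (lockouts, rejected): lockouts is a list of (account, time locked),
    rejected is a list of (account, time) for attempts refused while locked."""
    bad_count = {}      # account -> failures counted inside the current window
    last_bad = {}       # account -> time of the most recent failure
    locked_until = {}   # account -> time the lock expires
    lockouts, rejected = [], []
    for ts, acct, ok in sorted(events):
        if ts < locked_until.get(acct, ts):
            rejected.append((acct, ts))   # attempt made while locked
            continue
        if ok:
            bad_count[acct] = 0           # assumption: success resets the counter
            continue
        # Assumption: the counter resets if the previous failure is older
        # than the observation window (the usual "reset counter after" semantics).
        if acct in last_bad and ts - last_bad[acct] >= window:
            bad_count[acct] = 0
        bad_count[acct] = bad_count.get(acct, 0) + 1
        last_bad[acct] = ts
        if bad_count[acct] >= threshold:
            locked_until[acct] = ts + lockout
            lockouts.append((acct, ts))
            bad_count[acct] = 0
    return lockouts, rejected


def lockouts_per_account(lockouts):
    """Defender-side summary: how many times each account was locked."""
    return Counter(acct for acct, _ in lockouts)


# Constructed sample: alice trips the policy, bob spreads failures out and never locks.
T = datetime(2008, 1, 1, 9, 0, 0)
EVENTS = [(T + timedelta(seconds=s), "alice", False) for s in (0, 10, 20, 30, 40)] + [
    (T + timedelta(seconds=50), "alice", False),    # refused: still locked until 09:01:40
    (T + timedelta(seconds=105), "alice", True),    # lock has expired, success accepted
    (T + timedelta(seconds=0), "bob", False),
    (T + timedelta(seconds=30), "bob", False),
    (T + timedelta(seconds=59), "bob", False),
    (T + timedelta(seconds=150), "bob", False),     # >1 minute after last failure: counter reset
    (T + timedelta(seconds=160), "bob", False),
]

if __name__ == "__main__":
    locks, refused = replay(EVENTS)
    print("lockouts:", locks)
    print("refused while locked:", refused)
    print("per account:", lockouts_per_account(locks))
```

Feeding real failed-logon events (with the same three fields) into `replay` gives the same timeline the domain controller would have enforced, which is usually enough to explain a "why am I locked out" ticket and to spot a misconfigured service account repeatedly hitting the threshold.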
Expected Uses (for now)
• Provide Windows service to entire UW audience
  • File service
  • IIS
  • SharePoint
  • Others …
• Interactive login to existing domain workstations
NOTE: Members of the UW community don’t need a computer in a domain that trusts UWWI to access a Windows service that is ACL’d with UWWI principals.
WinAuth Project
• Arose out of C&C desire to move LABS out of UW Forest. This spawned outcry, a discussion group, and ultimately a C&C initiative to enable Windows-based services.
• “Phase 1” did the authentication and authorization pieces. Deemed doable without additional funding.
• “Delegated OUs” will make UWWI a nice place to live, phase out the UW forest, and provide other core Windows services as deemed necessary. Not currently funded.
Phase 1 Project Details
• Maintaining existing LABS functionality was paramount; EPLT was on the project team to facilitate quick adoption.
• Maintaining Mac authentication
• Providing a replacement for “LABS\domain users”, i.e. all users who used to be in LABS.
• Kiwi code needed some enhancements
• Slurpee needed to be written from scratch
Phase 1 Technical Details
• “Fuzzy Kiwi”
  • Core is in C and helper app in C# (.net)
  • Handles account renames now w/o delete (preserving the SID)
  • Populates some person info from EDS/GDS
  • Uses a different delimiter to improve password handling
  • A new subscription maintains a group for EPLT authorization and populates the UA (soon to be C&C) uid onto the uidNumber attribute
• Slurpee
  • VB.net
  • Automatically creates groups and updates them as appropriate (adds and removals) on a daily basis (GDS is only updated 1x daily currently)
  • Gets affiliation information from the eduPersonAffiliation attribute on user objects in GDS. Uses this non-group-oriented info to create affiliation groups.
  • Parses group member string, replaces with AD DN of member
  • Handles nested groups
  • Knows how to add objectclasses and attributes as needed
  • Knows how to set AD ACLs
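The "renames without delete, preserving the SID" bullet for Fuzzy Kiwi is the security-relevant one: every ACL that names a UWWI account stores its SID, so a provisioner that deletes and re-creates on rename orphans those ACEs. The following added example (not UW's Kiwi code) shows the reconciliation rule that makes this work, matching AD objects to the person registry by an immutable key rather than by account name, and populating uidNumber from the feed as the slide describes. The registry feed, the AD snapshot, the fake SIDs, and the choice of `employeeID` as the attribute holding the immutable `person_id` are all constructed assumptions.

```python
"""Rename-safe account reconciliation, modelled on the Fuzzy Kiwi bullets.
Added example; not UW's code. All data below is constructed."""

LINK_ATTR = "employeeID"   # assumed AD attribute holding the immutable person_id

# Constructed source feed: immutable person_id -> current NetID and UA uid.
SOURCE = {
    "p100": {"netid": "alicia", "uid": 5001},   # was "alice" in AD: a rename
    "p101": {"netid": "bob", "uid": 5002},      # uidNumber not yet populated in AD
    "p102": {"netid": "carol", "uid": 5003},    # new person, no AD object yet
}
# Constructed AD snapshot keyed by objectSid (fake S-1-5-21 values).
AD = {
    "S-1-5-21-1-1-1-1001": {"sAMAccountName": "alice", LINK_ATTR: "p100", "uidNumber": 5001},
    "S-1-5-21-1-1-1-1002": {"sAMAccountName": "bob", LINK_ATTR: "p101", "uidNumber": None},
    "S-1-5-21-1-1-1-1003": {"sAMAccountName": "dave", LINK_ATTR: "p103", "uidNumber": 5004},
}


def reconcile(source, ad):
    """Return the actions that bring AD in line with the feed. Objects are
    matched by person_id, never by name, so a renamed person becomes a
    'rename' of the existing object (same SID, ACLs stay valid) rather than
    a 'delete' followed by a 'create' (new SID, orphaned ACEs)."""
    by_person = {attrs[LINK_ATTR]: sid for sid, attrs in ad.items()}
    actions = []
    for pid, want in source.items():
        sid = by_person.get(pid)
        if sid is None:
            actions.append(("create", pid, want["netid"], want["uid"]))
            continue
        have = ad[sid]
        if have["sAMAccountName"] != want["netid"]:
            actions.append(("rename", sid, have["sAMAccountName"], want["netid"]))
        if have["uidNumber"] != want["uid"]:
            actions.append(("set-uidNumber", sid, want["uid"]))
    for pid, sid in by_person.items():
        if pid not in source:
            # Assumption: people who leave the feed are disabled, not deleted,
            # so the SID can be revived if the person reappears.
            actions.append(("disable", sid, ad[sid]["sAMAccountName"]))
    return actions


def naive_reconcile_by_name(source, ad):
    """The anti-pattern for contrast: matching by account name turns every
    rename into one 'missing' account plus one 'unknown' account."""
    names = {attrs["sAMAccountName"]: sid for sid, attrs in ad.items()}
    wanted = {p["netid"] for p in source.values()}
    present = set(names)
    actions = [("create", n) for n in sorted(wanted - present)]
    actions += [("delete", names[n]) for n in sorted(present - wanted)]
    return actions


if __name__ == "__main__":
    for action in reconcile(SOURCE, AD):
        print("rename-safe:", action)
    for action in naive_reconcile_by_name(SOURCE, AD):
        print("by-name    :", action)
```

Running it shows the rename-safe plan emitting a single `rename` for alice to alicia, while the by-name plan deletes alice's SID and creates a fresh alicia, which is exactly the outcome that breaks existing ACLs.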
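The Slurpee bullets describe a group-sync connector in four parts: parse the GDS member string, replace each member with its AD DN, expand nested groups, and compute the daily adds and removals. The following added example (not UW's Slurpee, which is VB.net) puts those parts together in Python, including the affiliation groups derived from eduPersonAffiliation; it also guards against cyclic nesting, which the slide does not mention but any nested-group expander has to handle. The member-string format (`uwnetid=<netid>;group=<name>`), the container DNs, and the GDS and AD snapshots are constructed assumptions.

```python
"""Slurpee-style group synchronisation, modelled on the slide's bullets.
Added example; not UW's code. Data and formats below are constructed."""
from __future__ import annotations

USER_BASE = "OU=Users,DC=netid,DC=washington,DC=edu"    # assumed container
GROUP_BASE = "OU=Groups,DC=netid,DC=washington,DC=edu"  # assumed container

# Constructed GDS snapshot: group name -> member string (assumed format).
GDS_GROUPS = {
    "course_cse401": "uwnetid=alice;uwnetid=bob;group=ta_cse401",
    "ta_cse401": "uwnetid=carol;group=course_cse401",   # nesting cycle on purpose
    "c_and_c_staff": "uwnetid=dave",
}
# Constructed GDS person records: netid -> eduPersonAffiliation values.
GDS_PEOPLE = {
    "alice": ["student"], "bob": ["student", "staff"],
    "carol": ["staff"], "dave": ["staff"], "erin": ["faculty"],
}
# Constructed current AD state: group DN -> set of member DNs.
AD_STATE = {
    f"CN=course_cse401,{GROUP_BASE}": {f"CN=alice,{USER_BASE}", f"CN=zed,{USER_BASE}"},
}


def user_dn(netid: str) -> str:
    return f"CN={netid},{USER_BASE}"


def group_dn(name: str) -> str:
    return f"CN={name},{GROUP_BASE}"


def parse_member_string(s: str) -> list[tuple[str, str]]:
    """Split 'type=value;type=value' into (type, value) pairs; blank tokens are
    skipped, anything else malformed raises rather than silently dropping members."""
    out = []
    for tok in s.split(";"):
        tok = tok.strip()
        if not tok:
            continue
        kind, _, value = tok.partition("=")
        if kind not in ("uwnetid", "group") or not value:
            raise ValueError(f"unparseable member token: {tok!r}")
        out.append((kind, value))
    return out


def flatten_members(name: str, groups: dict, _seen: set | None = None) -> set[str]:
    """Resolve a group's members to user DNs, expanding nested groups.
    The visited set stops infinite recursion on cyclic nesting."""
    if _seen is None:
        _seen = set()
    if name in _seen:
        return set()
    _seen.add(name)
    members: set[str] = set()
    for kind, value in parse_member_string(groups.get(name, "")):
        if kind == "uwnetid":
            members.add(user_dn(value))
        else:
            members |= flatten_members(value, groups, _seen)
    return members


def affiliation_groups(people: dict) -> dict[str, set[str]]:
    """Build 'affiliation_<value>' groups from per-person eduPersonAffiliation."""
    out: dict[str, set[str]] = {}
    for netid, affs in people.items():
        for aff in affs:
            out.setdefault(f"affiliation_{aff}", set()).add(user_dn(netid))
    return out


def plan_changes(desired: dict, current: dict) -> dict[str, tuple[set[str], set[str]]]:
    """Per group DN: (adds, removals) needed to make AD match the desired membership."""
    plan = {}
    for dn, want in desired.items():
        have = current.get(dn, set())
        adds, removes = want - have, have - want
        if adds or removes:
            plan[dn] = (adds, removes)
    return plan


def build_plan(gds_groups=GDS_GROUPS, people=GDS_PEOPLE, ad_state=AD_STATE):
    """One daily sync cycle: GDS groups plus derived affiliation groups, diffed against AD."""
    desired = {group_dn(n): flatten_members(n, gds_groups) for n in gds_groups}
    desired.update({group_dn(n): m for n, m in affiliation_groups(people).items()})
    return plan_changes(desired, ad_state)


if __name__ == "__main__":
    for dn, (adds, removes) in build_plan().items():
        print(dn, "add:", sorted(adds), "remove:", sorted(removes))
```

Because every removal as well as every add is computed from the authoritative feed, a member who leaves a course in GDS is dropped from the AD group on the next cycle, which is what makes these groups safe to use directly in authorization ACLs.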
“Delegated OUs” Details
A charter is written, and a Strategic Direction Team (SDT) proposal has been approved. It defines resources (2 engineer FTE, 1 CliSvc FTE), outlines deliverables (core and additional), and approximates a timeline.
Core deliverables include:
• Solve user management delegation issue
• 2-way password sync?
• Core infrastructure to enable Exchange
• Provide domain migration strategy into UWWI
• Phase out UW forest
Future Extended Deliverables
After the ‘Delegated OU’ project, additional services may be pursued in follow-on projects depending on client interest. These include:
• Help Nebula to move in as first “occupant” as a proof of concept
• Set up billing for anything that needs it
• DDNS (à la Nebula)
• Ezreg services (wireless registration)
• DFS/file services
• VPN
• CA/PKI
• Unix interoperability
• Mac authentication
• ADFS
• <Your favorite thing here>
State of UW Forest
• Domain count: 21. C&C owns 5 of these, and will remove 3 within 6 months. From past conversations, 9 other domains have indicated an intention to have moved out by now.
• 12 domain compromises in past 4 years
• Windows 2000 SP4 DCs: 18; Windows 2003 DCs: 28
• Windows 2000 Domain Level: 16; Windows 2003 Domain Level: 5
• Total number of users: 12141 (273730 w/ C&C domains leaving soon)
• Total number of computers: 6898
• Domain size by users:
  • <50: 3
  • 51-200: 6
  • 201-500: 5
  • 501-999: 4
  • >1000: 3
• Domain size by computers:
  • <50: 6
  • 51-200: 5
  • 201-500: 7
  • 501-999: 0
  • >1000: 3
Expected Migration Path
• Similar to C&C ‘How to Migrate Out of the Forest’ whitepaper: http://www.washington.edu/computing/support/windows/UWdomains/migrateOut.html
• Use ADMTv3 user/group migration
• Use ADMT computer migration wizard to re-ACL and move computers without needing to touch each:
  • Registry
  • Profiles
  • File system
  • Local groups
  • Services
  • not scheduled tasks
  • not application-level credentials
Nebula Numbers
• 0 domain compromises over 10 year history
• 0 Nebula managed server compromises (yes, C&C has a managed servers service)
• Users: 2323; Groups: 1388; Computers: 2816
• Gold (Nebula managed) workstations: 2452
• Bronze (not managed by Nebula) workstations: 131
• Kiosks: 61
• Servers: 172 (31 unmanaged, 141 managed)
• 1 SG member + .25 engineer per 250 workstations
• 1 new software package/week
• Cost:
  • $52/month for Gold workstation
  • $58/month for Gold laptop
  • $26/month for Bronze
  • Doesn’t include hardware; add ~$30/month for hardware
• 4.53 terabytes of network storage, 2.95 in use
Future Nebula Projects
• Exchange (this is a C&C service that some Nebula users may consume)
• SCCM (SMSv4 and SoftGrid)
• Vista
• Office 2007
• Dynamic local admin passwords (stage 1 done)
• Laptop improvements
• Managed Macs (research only)
• CA for Nebula
• Administrator account improvements
• Kiosk revisit (dependent on Vista)
• New models to reflect impending UW Information Security Standard
See http://staff.washington.edu/barkills/Nebula-HiEd.ppt for a recent overview of what Nebula provides in the managed workstation space.
The End
Brian Arkills
barkills@cac.washington.edu
http://www.netid.washington.edu
Author of LDAP Directories Explained