
One User, One Password: Integrating Unix Accounts and Active Directory




Presentation Transcript


  1. One User, One Password: Integrating Unix Accounts and Active Directory
     David J. Blezard & Jerry Marceau, Academic Computing Systems, University of New Hampshire, http://at.unh.edu

  2. Overview
     • General Authentication Issues
     • UNH Background
     • One User
     • One Password
     • Conclusions & Lessons Learned
     • Future Directions

  3. Authentication
     • Are you really who you say you are?
     • Must happen in order to have authorization to access resources
     • Historically, most systems have been separate, especially between platforms

  4. One User - One Password
     • Plusses
       • Easy for users
       • Less account maintenance for administrators
     • Minuses
       • If passwords are exposed, multiple systems are compromised
       • Not the same as single sign-on

  5. UNH Clusters
     • 13,000+ Students plus Faculty and Staff
     • 4 Main Locations and 4 Satellite Locations
     • 450 Total Computers
     • Student Consultants Staff in Main Locations Only
     • Some Clusters Open 24 Hours
     • No existing Kerberos or LDAP

  6. Past Authentication Systems
     • Checking IDs - labor intensive
     • In-House SS#/DOB system - security problem
     • Windows 95/98 & Samba Domain
       • Samba on central Unix systems provides the Samba Password Server
       • Samba on a local Linux box creates an NT-style domain
       • Computers log in to the Linux domain, which passes authentication to the central Unix machines

  7. Samba & Win2000
     • Windows NT/2000/XP require machine accounts as well as user accounts
     • Not an option at UNH due to central control of the Unix account base
     • Samba cannot completely emulate a Windows 2000 Active Directory

  8. W2K + Unix = SFU 2.0
     • Services for Unix 2.0 - package of tools from Microsoft to let Windows and Unix “interoperate”
     • Provides Unix command line tools plus wizards for various integration functions on Windows
     • Extends the AD schema to allow for Unix properties
     • Includes some source code and tools for Unix
     • Current release is SFU 3.0

  9. One User - Easy
     • Usernames directly accessible in /etc/passwd
     • SFU NIS Migration Wizard
       • Creates AD users from existing Unix users
       • Designed to migrate, meaning a permanent change of all accounts to residing in AD
       • No means for dynamic updates or removal of users
     • Created VBScripts to parse /etc/passwd and create user accounts

  10. One User - Not So Fast!
     • Requires scripts on the Unix systems to monitor newly created and deleted accounts
       • Compare the cached password file to the current file
       • Create lists of added and deleted users
       • Lists are stored on a Samba share
     • More complicated because a decision was made to separate faculty and staff accounts (AD) from student accounts (WILDCAT)
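The Unix-side monitoring step from slides 9 and 10 (keep a cached copy of /etc/passwd, compare it with the current file, and hand lists of added and deleted users to the Windows-side VBScript) can be written as a small POSIX shell script. The following is an added example, not the UNH script: the output file names added.txt and deleted.txt, the UID cutoff of 1000 for "real" users, and the sample passwd entries are all constructed assumptions.

```sh
#!/bin/sh
# Added example, not the UNH script: detect added and deleted Unix accounts by
# comparing a cached copy of /etc/passwd with the current one, then write
# added.txt / deleted.txt for the Windows-side account-creation script.
# Assumptions (not from the presentation): the output file names, the UID
# cutoff (accounts below MIN_UID are system accounts and are ignored), and
# the sample passwd entries in make_sample.

MIN_UID=${MIN_UID:-1000}

# Print the login names of ordinary users (UID >= MIN_UID) from a
# passwd-format file, sorted so that comm(1) can compare two lists.
user_list() {
    awk -F: -v min="$MIN_UID" '$3 >= min { print $1 }' "$1" | sort
}

# diff_accounts CACHED CURRENT OUTDIR
# Writes OUTDIR/added.txt (users in CURRENT but not CACHED) and
# OUTDIR/deleted.txt (users in CACHED but not CURRENT), then refreshes
# the cache so the next run only reports new changes.
diff_accounts() {
    cached=$1
    current=$2
    outdir=$3
    old_list=$(mktemp)
    new_list=$(mktemp)
    user_list "$cached" > "$old_list"
    user_list "$current" > "$new_list"
    # comm -13 keeps lines only in the second file, -23 only in the first
    comm -13 "$old_list" "$new_list" > "$outdir/added.txt"
    comm -23 "$old_list" "$new_list" > "$outdir/deleted.txt"
    rm -f "$old_list" "$new_list"
    # Refresh the cache only after both lists were written, so a failed run
    # is retried next time rather than silently losing an account change.
    cp "$current" "$cached"
}

# Constructed sample: a cached passwd (yesterday) and a current passwd (today).
# bstudent was removed, jruser was added, and newsvc is a system account
# (UID 999) that must not produce a Windows account.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd.cached" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
astudent:x:1001:100:A Student:/home/astudent:/bin/sh
bstudent:x:1002:100:B Student:/home/bstudent:/bin/sh
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
newsvc:x:999:999:Service account:/var/lib/newsvc:/usr/sbin/nologin
astudent:x:1001:100:A Student:/home/astudent:/bin/sh
jruser:x:1003:100:J R User:/home/jruser:/bin/sh
EOF
    echo "$dir"
}

# Demonstration run on the constructed sample
sample=$(make_sample)
diff_accounts "$sample/passwd.cached" "$sample/passwd" "$sample"
echo "added:";   cat "$sample/added.txt"     # jruser
echo "deleted:"; cat "$sample/deleted.txt"   # bstudent
```

In the talk the lists were written to a Samba share and picked up by the VBScript on the Windows side; this example writes them to a local directory instead. Whatever the transport, those two files are what triggers account creation and removal in the domain, so the share should be writable only by the account the Unix script runs as, and the Windows-side script should be the only reader.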

  11. One Password - Hard
     • Unix passwords are one-way encrypted (hashed) – they cannot be recovered from /etc/passwd
     • The Unix password stored in Active Directory is separate from the Windows password
     • SFU Two-way Password Synchronization
       • Allows password changes on a Windows system to propagate to Unix and vice versa
       • Uses a shared encryption key to secure and validate password change communications

  12. SFU Password Sync
     • The good news
       • It works!
     • The bad news
       • Designed for either Windows-to-Unix only or two-way synchronization
       • UNH Unix systems have strict password rules
       • Password changes from Windows would not meet these requirements

  13. Password Sync Solution
     • Source for the Unix-side Password Sync components is included in SFU
     • If the daemon is not run on the Unix machines, password changes sent from the AD domain controllers cannot come in
       • Errors will accumulate in the Windows Event Logs
     • An undocumented Registry hack will disable Windows-to-Unix synchronization

  14. Create a WILDCAT Account (flow diagram)
     CIS Unix account created (jruser / 456789) → Unix script sees new user → added.txt → VBScript makes WILDCAT user w/ random pwd (jruser / ??????) → User logs in first time → Required password change → WILDCAT password change (jruser / Pwd!99) → SFU Password Sync → Unix and WILDCAT accounts both jruser / Pwd!99

  15. Existing Users?
     • Batch imported all existing students to WILDCAT
     • Initial Windows passwords are random
     • A password change would create the Windows password – not very popular!
     • Winsync - Unix utility to fake a password change
       • Based on SFU source
       • Validates the user by requesting their password
       • Uses the encryption key to send the proper password change command to the domain controller

  16. Winsync on the Web

  17. Some Advice
     • LDAP would have been better in the long run
     • Don’t split up student and faculty accounts
     • Occasional password sync problems - just directly change the user’s AD password
     • Plan for account deletions

  18. Now What?
     • Networked Storage from Unix systems
       • With identical Unix and Windows passwords, we can mount the Unix home disk to “My Documents” via Samba
     • Student VPN
       • Set up to provide access to full network services via wireless
       • Requires a WILDCAT account
     • Mac OS X ??
     • ResNet ????

  19. Acknowledgements
     • Tony DiTulio - the other third of our department (the one who is actually a Windows guy!)
     • Paul Sand - Unix guru & sys admin extraordinaire
