Keith C. Perry on 6 Sep 2016 08:53:39 -0700



Re: [PLUG] Questions regarding LDAP and AD


I wanted to circle back around to this since I think I've made some inroads into understanding the current state of affairs...

It appears there is no "clean" (i.e. a FOSS solution relatively easy to install, build and manage) Linux distro agnostic way to replace Active Directory in situations where you need to manage identities and resources for Linux clients and AD clients.  There are two major issues at play in this regard:

1) Samba 4's AD DC functionality is based on included LDAP and Kerberos functionalities which are not modular.  They MUST be used if Samba 4 is to function as a replacement for Active Directory.  Therefore, the LDAP and Kerberos services from FreeIPA can not be directly used with Samba 4.

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

"Please note that you do not need to install or configure a separate Kerberos KDC for Samba to work. Samba includes an AD compatible KDC, currently based on an included copy of the Heimdal project. Likewise Samba ships its own LDAP implementation for AD backends. OpenLDAP or other LDAP servers are not supported at the moment."

2) FreeIPA's focus is on Linux and other standards-based environments (including other Unix systems... https://www.freeipa.org/page/ConfiguringUnixClients) and thus it is NOT a replacement for Active Directory.  FreeIPA does a good job of providing an integrated solution for identity management which can provide service authorizations via Kerberos ticketing and other principals.  It does not provide the actual user service (e.g. CIFS for Windows file sharing) but it does take care of things like NTP, DNS, PAM modules and other critical services needed to authenticate in an AD-like manner.

https://www.freeipa.org/page/Windows_authentication_against_FreeIPA

What about domain trusts?

Recent versions of FreeIPA (>= v4.x.x) allow for domain trusts. By using domain trusts, it would be possible to have FreeIPA and Active Directory realms trust each other so users in either domain have access to resources seamlessly across both domains.  This does not address the issue in #1 above but is something that both projects are aware of and want to solve.  As I understand it, the biggest problem is getting MIT Kerberos to work as an embedded KDC for Samba 4.  There are various discussions on that as well as other items that need to be addressed.

https://www.freeipa.org/page/IPAv3_Architecture
https://wiki.samba.org/index.php/Samba4/Proposal_for_IPA_to_AD_forest_trust

Where that leaves us is:

1) If you are just managing identities for Linux servers or need a standards-based directory for authorizations, FreeIPA is worth a look.  Even though it is thought of as a Red Hat product, all my testing was done on Ubuntu 16.04 LTS with the FreeIPA packages that are available (4.3.1 as of this email).  It worked as expected; the only thing I had to do was manually edit the PAM configuration (literally adding 1 line) so that home directories are created for accounts that do not exist.  I did not test it but adding client servers should simply be a matter of running "ipa-client-install --mkhomedir" on a realm member server with minor tweaks, if any, for your platform (such as on Ubuntu, PAM).

2) If you need to manage identities for Linux and Windows users and you don't want an Active Directory server in the mix then your only bet for now is Samba 4 AD DC.  You have to keep in mind that you will still need other critical services like NTP, DNS, DHCP, etc.  You will probably also want some sort of GUI interface for user management (SWAT2, Webmin, GAdmin, etc... see https://www.samba.org/samba/GUI/... most of these seem to be for Samba 3).  Not an impossible job but the breadth of what you have to do manually is why projects like Zentyal are very attractive.

Once Samba 4 can use other LDAP and Kerberos services, using FreeIPA with Samba or doing a domain trust between FreeIPA and a Samba AD DC will become options.  Hopefully that is not too far away.  You may have noticed from https://www.freeipa.org/page/Windows_authentication_against_FreeIPA that supposedly Samba 4.3 is able to do cross-realm trusts.  This feature is stated as incomplete and I did not have any success configuring the 4.3.9 Samba server that comes with Ubuntu 16.04 LTS to use FreeIPA 4.3.1.  This probably is because Samba 4 needs to be built differently (see https://www.freeipa.org/page/IPAv3_AD_trust#Samba).  This is also confusing because such a build also implies having Samba without AD DC capabilities (i.e. you're building a Samba 3 server with a Samba 4 client, see https://lists.samba.org/archive/samba-technical/2012-May/083913.html) so I don't see how you can or would use trusts (unless it's to an MS AD?).  If I am misunderstanding that, I'd enjoy hearing some feedback on how this is done.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com
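The one-line PAM edit mentioned above is not spelled out in the post; as an added example (not from the original thread), this POSIX sh snippet idempotently ensures a pam_mkhomedir entry is present in an Ubuntu-style session stack and reports the umask it applies, so freshly created home directories for FreeIPA users are not world-readable. It assumes the Ubuntu 16.04 layout (/etc/pam.d/common-session) and the documented skel= and umask= options of pam_mkhomedir.

```shell
#!/bin/sh
# Added example, not the poster's own edit. Assumptions: Ubuntu 16.04 keeps
# the session stack in /etc/pam.d/common-session, and pam_mkhomedir.so
# accepts skel= and umask= (both documented options of the module).

# umask=0077 keeps new home directories private to their owner; the module's
# default (0022) would leave them world-readable.
PAM_LINE='session optional pam_mkhomedir.so skel=/etc/skel umask=0077'

# ensure_mkhomedir FILE
# Appends PAM_LINE to FILE unless an active (uncommented) pam_mkhomedir
# session entry is already present. Prints "added" or "present".
ensure_mkhomedir() {
    file="$1"
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$PAM_LINE" >> "$file"
    echo added
}

# mkhomedir_umask FILE
# Prints the umask= value of the active pam_mkhomedir entry, or "none" if
# the entry is missing or carries no explicit umask (i.e. the 0022 default).
mkhomedir_umask() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1" \
        | sed -n 's/.*umask=\([0-7]*\).*/\1/p' | head -n 1 | grep . || echo none
}

# On a real host, as root:
#   ensure_mkhomedir /etc/pam.d/common-session
#   mkhomedir_umask  /etc/pam.d/common-session   # expect 0077
```

Run it against a copy of the file first; a second run reports "present" and makes no further change.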


From: "Keith C. Perry" <kperry@daotechnologies.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Thursday, August 25, 2016 1:22:17 PM
Subject: Re: [PLUG] Questions regarding LDAP and AD

I'm in the middle of designing a solution for this for a client that is using Zentyal but hasn't been happy with how features seem to have been disappearing in recent releases.  We're concerned about their strategy and getting caught off guard because of issues with MS being involved.

That said, I was looking at ApacheDS but that was a bit messy and didn't feel like it was ready for prime time.

With Fedora Server, FreeIPA supposedly can be managed from Cockpit but even the UI on Fedora 24 Server is not showing the proper components.  Still, we're leaning that way because FreeIPA + Samba 4 would be a complete solution.

The problem there is that no one has confidence in Fedora Server staying stable enough for production so I'm rebuilding in Ubuntu since FreeIPA is available in 16.04 LTS.  Samba 4 of course is but Cockpit is less so.  It's also less critical but it would be nice.  I might just compile it if it's not too big a deal.

Not the most fun I've ever had but there needs to be a real alternative to Zentyal.

To that end, if anyone knows someone close to the Zentyal folks, I'd love to hear from them in regards to their future strategy and how much control or involvement Microsoft really has.

---
KP-


On Aug 25, 2016 12:38 PM, Tone Montone <tonemontone@gmail.com> wrote:
Hello,
I have an implementation question regarding LDAP and AD. 

I am looking for advice on a path forward for managing user accounts across about 500 Unix systems, which are comprised of a mixture of RHEL 5 and 6, and Solaris 10 and 11; there is also some OEL, which is basically RHEL 5, and some Suse sprinkled in.  Currently, we are using local accounts, and I would like to move to a more streamlined/centralized method.

I need a solution that has a support package tied to it, as it's for a government installation and that is a mandatory requirement.  

I was thinking about using Red Hat Directory Server, which is basically 389-DS.  Having the AD server do a one-way sync to the DS, then have all the Unix systems point to the DS.  However, I read that in some instances you can have systems point directly to AD servers and get their authentication directly from the AD, so you don't need an LDAP intermediate server, but I am not sure it will work for all systems/OSes.  e.g. I read that you could use RHEL's IdM (Identity Manager) on RHEL 6, but I don't think this will work on RHEL 5.

I also thought about using LDAP for sudoers file management, as well as storing ssh public keys.

I installed 389-DS to do some testing, and I am also looking at FreeIPA because it provides Kerberos, as well as Samba.

Any advice or experience anyone would like to share would be greatly appreciated.

Thanks,

Mike


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug