Improving Client Side in the Age of Samba AD and Freeipa
Enterprise desktop: improving client side in the age of Samba AD and FreeIPA
Alexander Bokovoy, Principal Software Engineer, Red Hat // Samba Team
SambaXP'16 (slide deck, PDF, 106 pages)

Enterprise desktop?

Centralized identity management system

There are now several free software identity management systems with a focus on managing operating systems' environments:
  • Samba AD
  • FreeIPA
  • [many other LDAP+Kerberos based projects]

Enterprise desktop

  • a client enrolled to a centralized identity management system
  • a tool to solve business tasks
  • a subject to centrally defined access controls

Enterprise desktop

A typical enterprise desktop includes agents for
  • identity services: POSIX attributes for users and groups via NSSWITCH
  • authentication services: logon details, mostly via the PAM interface
  • authorization services: mostly via the PAM interface or application-specific ones

Practical case: Fedora and FreeIPA

The FreeIPA client defaults to using SSSD as the agent:
  • nss_sss is referenced in /etc/nsswitch.conf on Fedora by default
  • pam_sss use is configured at enrollment time for the system-auth PAM service, which is included in all PAM configurations
  • SSSD performs host-based access control for PAM services using rules stored centrally in FreeIPA
  • OpenSSH is configured to look up public keys for users and hosts via SSSD
  • SUDO is configured to look up SUDO rules in FreeIPA via SSSD
  • automount can be configured to use SSSD to deliver the mount maps
  • SSSD provides locator and localauth plugins to MIT Kerberos to discover domain controllers and map Kerberos principals to POSIX user names for trust operations
  • SSSD supports offline logon, logon with smart cards, and logon with a Kerberos proxy

Practical case: Samba AD domain member

A pure winbindd-based setup or a hybrid SSSD+winbindd configuration:
  • Pure winbindd: nss_winbind and pam_winbind for identity and authentication
  • Pure winbindd: limited authorization capabilities (account lock)
  • Hybrid approach:
    • nss_sss and pam_sss for identity and authentication
    • winbindd is used by Samba, configured to trust the SSSD-provided ID range
    • SSSD supports offline logon, logon with smart cards, and logon with a Kerberos proxy
    • SSSD does authorization using GPO and/or account lock
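Added example, not from the slides: a small Python audit that checks a client's nsswitch.conf, system-auth, sssd.conf and sshd_config for the SSSD integration points the Fedora/FreeIPA slide lists (identity via nss_sss, pam_sss on every PAM stack, HBAC, sudo, automount, SSH keys, offline logon). The sample file contents are constructed; the sssd.conf keys (services, access_provider, cache_credentials) and the /usr/bin/sss_ssh_authorizedkeys helper are standard SSSD/FreeIPA client settings assumed here, not values taken from the deck.

```python
import configparser

# Constructed sample files modelled on a FreeIPA-enrolled Fedora client (not copied from a real host).
NSSWITCH = """\
passwd:     sss files systemd
group:      sss files systemd
sudoers:    files sss
automount:  sss files
"""
SYSTEM_AUTH = """\
auth        sufficient    pam_sss.so forward_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so
"""
SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh, sudo, autofs
[domain/example.test]
id_provider = ipa
access_provider = ipa
cache_credentials = True
"""
SSHD_CONFIG = "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"

def _nss_sources(text):
    """Map each nsswitch.conf database to its ordered source list."""
    lines = (l.split("#", 1)[0] for l in text.splitlines())  # drop comments
    return {db.strip(): srcs.split() for db, sep, srcs in (l.partition(":") for l in lines) if sep}

def audit_client(nsswitch, system_auth, sssd_conf, sshd_config):
    """Return {check: bool} for each SSSD integration point the deck lists."""
    nss = _nss_sources(nsswitch)
    # PAM management groups (auth/account/password/session) whose stack routes through pam_sss
    pam = {l.split()[0] for l in system_auth.splitlines() if "pam_sss.so" in l}
    cp = configparser.ConfigParser()
    cp.read_string(sssd_conf)
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    return {
        "nss_sss_identity": all("sss" in nss.get(db, []) for db in ("passwd", "group")),
        "pam_sss_all_stacks": {"auth", "account", "password", "session"} <= pam,
        "hbac_via_ipa": bool(domains) and all(cp.get(d, "access_provider", fallback="") == "ipa" for d in domains),
        "sudo_via_sssd": "sss" in nss.get("sudoers", []) and "sudo" in services,
        "automount_via_sssd": "sss" in nss.get("automount", []) and "autofs" in services,
        "ssh_keys_via_sssd": "ssh" in services and "sss_ssh_authorizedkeys" in sshd_config,
        "offline_logon": bool(domains) and all(cp.getboolean(d, "cache_credentials", fallback=False) for d in domains),
    }
```

Any check that comes back False points at a client that is enrolled but will silently fall back to local files or skip central HBAC/sudo rules for that service.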