Red Hat Enterprise Linux 7 Windows Integration Guide
Integrating Linux Systems with Active Directory Environments
Ella Deon Ballard

Legal Notice

Copyright 2014 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux is the registered trademark of Linus Torvalds in the United States and other countries. Java is a registered trademark of Oracle and/or its affiliates. XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. The OpenStack Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners.

Abstract

Identity and policy management for both users and machines is a core function for almost any enterprise environment. Identity Management provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing Identity Management domains, including both servers and clients. This guide is intended for IT and systems administrators.

Table of Contents

Preface
  1. Information for Managing Identity and Authentication Policies in Linux
  2. Audience and Purpose
  3. Giving Feedback
  4. Document Change History
Chapter 1. Ways to Integrate Active Directory and Linux Environments
  1.1. Defining Windows Integration
  1.2. Small Environments: Using Windows as an Identity Source
  1.3. Small Environments: Enrolling Individual Clients
  1.4. Big Environments: Synchronizing Users
  1.5. Big Environments: Trusted Realms
Part I. Adding a Single Linux System to an Active Directory Domain
Chapter 2. Using Active Directory as an Identity Provider for SSSD
  2.1. About SSSD
  2.2. Environments for SSSD
  2.3. How SSSD Integrates with an Active Directory Environment
  2.4. Configuring an Active Directory Domain with ID Map
  2.5. Configuring an Active Directory Domain with POSIX Attributes
  2.6. Configuring Active Directory as an LDAP Domain
  2.7. Additional Configuration Examples
Chapter 3. Using realmd to Connect to an Active Directory Domain
  3.1. About realmd
  3.2. realmd Commands
  3.3. Discovering and Joining Active Directory Domains
  3.4. Managing User Logins from Active Directory
  3.5. Adding Default User Configuration
  3.6. Additional Configuration for the Active Directory Domain Entry
Chapter 4. Using Samba, Kerberos, and Winbind
  4.1. About Samba and Active Directory Authentication
  4.2. Summary of Configuration Files, Options, and Packages
  4.3. Configuring a Domain Member Using authconfig
Part II. Integrating a Linux Domain with an Active Directory Domain
Chapter 5. Creating Cross-Realm Trusts with Active Directory and Identity Management
  5.1. The Meaning of Trust
  5.2. Environment and Machine Requirements to Set up Trusts
  5.3. Creating Trusts
  5.4. Creating IdM Groups for Active Directory Users
  5.5. Maintaining Trusts
  5.6. Verifying That IdM Machines Have Resolvable Names
  5.7. Setting PAC Types for Services
  5.8. Using SSH from Active Directory Machines for IdM Resources
  5.9. Using Trust with Kerberized Web Applications
Chapter 6. Setting up Kerberos Cross-Realm Authentication
  6.1. A Trust Relationship
  6.2. Setting up a Realm Trust
Chapter 7. Synchronizing Active Directory and Identity Management Users
  7.1. Supported Windows Platforms
  7.2. About Active Directory and Identity Management
  7.3. About Synchronized Attributes
  7.4. Setting up Active Directory for Synchronization
  7.5. Managing Synchronization Agreements
  7.6. Managing Password Synchronization
Index

Preface

Many IT environments are heterogeneous. In a mixed environment, there has to be some way to join systems to the larger domain, either directly as domain clients or by creating transparency between two peer domains. This is especially important in environments where one domain (usually Active Directory) manages users, while another domain (such as a Linux domain through Identity Management) manages backend systems or a development or production environment.

This guide covers different default applications within Red Hat Enterprise Linux which can help a Linux system or an entire Linux domain integrate with an Active Directory environment.

1. Information for Managing Identity and Authentication Policies in Linux

Managing user and system identities, authentication settings, and application policies is one of the central responsibilities of system administration. Even if users are defined within an Active Directory environment, it is still critical that those users have the appropriate access controls and policies in place as they access Linux-based services and resources. Those policies are defined within the Linux environment.

There are two related guides for Red Hat Enterprise Linux 7 which deal with different scenarios related to identity, authentication, and policy management:

- For managing identity and authentication services at the system level, see the System-Level Authentication Guide.
- For configuring and managing a Linux domain and centralizing system policies, which uses Red Hat Enterprise Linux Identity Management, see the Linux Domain Administration Guide.

2. Audience and Purpose

There are a number of different paths to integrate Linux systems within a Windows environment. With the different security and identity applications available within Red Hat Enterprise Linux, outlined both in this guide and in the System-Level Authentication Guide and the Linux Domain Administration Guide, the configuration options are almost limitless and depend on the needs of an individual system or environment.

This guide covers major applications and major integration options, which will be useful in many different environments. This is not a definitive or comprehensive source, and the true integration solution may be a more complex mix of different scenarios. Use the options here as guidelines to plan how to integrate your different environments.

This guide is written for systems administrators and IT staff with a working knowledge of Linux systems and applications, but the core audience is Windows administrators who are planning integration.

3. Giving Feedback

If there is any error in this book or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for IdM through Bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:

1. Select the Red Hat group and the Red Hat Enterprise Linux 7 product.
2. Set the component to doc-Enterprise_Identity_Management_Guide.
3. For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo. For enhancements, put in what information needs to be added and why.
4. Give a clear title for the bug. For example, "Incorrect script options" is better than "Bad example."

We appreciate receiving any feedback: requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly.

For the upstream documentation, the equivalent report is filed as follows:

1. Select the Community group and the IPA product.
2. Set the component to Documentation.
3. Set the version number to 3.2.
4. For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo. For enhancements, put in what information needs to be added and why.
5. Give a clear title for the bug. For example, "Incorrect script options" is better than "Bad example."

You are welcome to contact the Fedora docs team.

4. Document Change History

Revision 7.0-5.405   Thu Jul 7 2014    Rüdiger Landmann    Add html-single and epub formats.
Revision 7.0-5       June 27, 2014     Ella Deon Ballard   Improving Samba+Kerberos+Winbind chapters.
Revision 7.0-4       June 13, 2014     Ella Deon Ballard   Adding Kerberos realm chapter.
Revision 7.0-3       June 11, 2014     Ella Deon Ballard   Initial release.

Chapter 1. Ways to Integrate Active Directory and Linux Environments

IT environments have a structure. The systems in them are arranged with a purpose. Integrating two separate infrastructures requires an assessment of the purpose of each of those environments and an understanding of how and where they interact.

1.1. Defining Windows Integration

Windows integration can mean very different things, depending on the desired interaction between the Linux environment and the Windows environment. It could mean that individual Linux systems are enrolled into a Windows domain, or it could mean that a Linux domain is configured to be a peer of the Windows domain, or it could simply mean that information is copied between environments.

There are several major potential points of contact between a Windows domain and Linux systems, and each of these points revolves around identifying different domain objects (users, groups, systems, services) and the services which are used in that identification.

User Identities and Authentication

- Where are users located, Windows only or both Linux and Windows?
- How are users authenticated on a Linux system, locally or through Windows?
- How is group membership configured for groups? How is that group membership determined?
- Will users authenticate using a simple username/password, Kerberos tickets, certificates, or a combination of methods?
- How are user attributes managed? Specifically, for Linux-required POSIX attributes, are those attributes set in the Windows domain, configured locally on the Linux system, or (for UID/GID numbers and Windows SIDs) dynamically mapped?
- What users will be accessing what resources? Will Windows-defined users access Linux resources? Will Linux-defined users

In most environments, the Active Directory domain is the central hub for user information, which means that there needs to be some way for Linux systems to access that user information for authentication requests. The real question then, with user identities, is how to obtain that information and how much of that information is available to external systems. There also needs to be a balance between information required for Linux systems (POSIX attributes) and Linux users (e.g., some application administrators) and how that information is managed.

Host and Service Principals

- What resources will be accessed?
- What authentication protocols are required?
- How will Kerberos tickets be obtained? How will SSL certificates be requested or verified?
- Will users need access to a single domain or to both Linux and Windows domains?

DNS Domains, Queries, and Name Resolution

- Is there a single DNS domain? Are there subdomains?
- How will system hostnames be resolved?
- How will service discovery be configured?

Security Policies

- Where are access control instructions set?
- What administrators are configured for each domain?

Change Management

- How frequently are systems added to the domain?
- If the underlying configuration for something related to Windows integration is changed (e.g., the DNS service is changed), how are those changes propagated?
- Is configuration maintained through domain-related tools or a provisioning system?
- Does the integration path require additional applications or configuration on the Windows server?

As important as what elements in the domains are integrated is how that integration is maintained. If a particular means of integration is heavily manual, yet the environment has a large number of systems which are frequently updated, then that one means may not work for that environment from a maintenance standpoint.

1.2. Small Environments: Using Windows as an Identity Source

Probably the lightest touch for Windows integration is to have the Linux system use Windows as an identity store, but to otherwise maintain all service, security, and other configuration within the local system.

There are two services available to configure the local system:

- System Security Services Daemon (SSSD), using Active Directory as an identity provider
- realmd, to configure SSSD (or, more rarely, Winbind) with Active Directory as an identity provider

Both SSSD and realmd use Windows for pass-through authentication. The user identities reside on the Windows side, and there can be some limited configuration for groups or authorization, but most configuration, including security policies like SELinux, remains within the ownership of the local system.

There is also a lot of latitude in how user attributes are defined and used. For example, user IDs can be created locally on the Linux system, mapped to Windows SIDs, or taken directly from the Windows configuration. This is also true for login shells, group membership, home directories, and other user settings.

Both SSSD and realmd are local services, with local configuration files. Provisioning systems (such as Foreman or Puppet) can be used to maintain these files to try to lower the administrative overhead of making changes. Ultimately, though, each system has to be updated individually to change or add integration settings. This means that using SSSD or realmd alone is best in IT environments with a small number of Linux systems.

1.3. Small Environments: Enrolling Individual Clients

An alternative to using Active Directory as an external identity store is to simply enroll a system within a Windows domain.

There are several different paths to enroll a Linux system in a Windows domain:

- Winbind and Samba, to enroll a system directly in a Windows domain
- Local PAM and Kerberos configuration, to enroll a system directly in a Windows domain

As with using SSSD and realmd, using either Winbind or PAM/Kerberos configuration requires local changes to the system. These can be managed through a provisioning system, but there is no central authority defining the configuration. Additionally, it requires external servers (either a Samba server or a Kerberos KDC) within the Linux environment to integrate with the Windows environment. The Linux environment is more constrained, as well, with less use for or flexibility in managing user attributes.

1.4. Big Environments: Synchronizing Users

Red Hat Enterprise Linux has a Linux domain tool included by default, Identity Management. This creates a Linux domain and centralizes the maintenance of Linux system policies (SELinux, password policy, sudo, automount, host-based access controls, and others). Identity Management also creates and maintains a central identity store, which is used by all Linux clients enrolled in the domain.

If there are a large number of configured Linux users in Identity Management (meaning, Windows is not the only user directory), then it is possible to simply copy users between Windows and Linux directories.

Synchronization has some benefits:

- The Linux-based users exist within the Windows domain and can be configured to access Windows resources.
- The sync configuration is relatively simple.
- Windows users can be Identity Management users and administrators.

However
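Section 1.2 above describes the choice that matters most when Windows is only an identity source: whether a client's UID/GID numbers are derived from Windows SIDs or read from POSIX attributes kept in Active Directory. The following SSSD configuration is an added example written for this page; it is not taken from the guide or from the SSSD project. It assumes a hypothetical Active Directory domain named ad.example.com (a placeholder) and shows the SID-mapping setting beside the POSIX-attribute alternative.

```ini
; /etc/sssd/sssd.conf -- constructed example, not from the guide.
; The file must be owned by root with mode 0600; SSSD refuses to start otherwise.
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
; ad.example.com is a placeholder domain name.
id_provider = ad
auth_provider = ad
; Also honour "account disabled" and expiry flags set on the Windows side.
access_provider = ad

; Choice 1 (the default): derive UID/GID numbers algorithmically from the
; Windows SID. Nothing has to be maintained in Active Directory, and every
; SSSD client configured with the same range settings computes the same numbers.
ldap_id_mapping = True

; Choice 2: take uidNumber, gidNumber, loginShell and unixHomeDirectory from
; the Active Directory user objects instead. Requires those POSIX attributes
; to be populated and maintained in Active Directory.
; ldap_id_mapping = False

; Local defaults for attributes the Windows side may not carry.
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

; Permit logins from cached credentials when no domain controller is reachable.
cache_credentials = True
```

Switching ldap_id_mapping after clients are in use changes every mapped user's UID, so file ownership on the client breaks; decide once, before enrolling systems. With ID mapping, keep the ID-range settings identical on all clients or the same Windows user gets different UIDs on different hosts.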