Yeah, hello, welcome. Oh, thank you, I haven't done anything yet. But it's really a pity that we only have such a small room.

So who am I? I live in Göttingen in Germany. I co-founded SerNet in 1996. First Samba patches from 1994, porting Samba at that time to a NeXT workstation, and I am a very early Samba team member. Jeremy says third, fourth, whatever, I don't know, possibly. I mostly work on Samba infrastructure: TDB, tevent, the file server. I'm one of the authors of the clustered file server that is being utilized in large storage environments, and I have my hands in winbind, which I'm going to talk about here. The Active Directory domain controller, that's the colleague Stefan Metzmacher. He initially implemented the multi-master replication protocol just by looking at what's going on on the wire, before we had documentation. In fact it was his bachelor thesis, I believe, to implement the DRSUAPI protocol, and so he's our expert on Active Directory. Yeah, whatever.

So what is it? This talk is to be a bit of a high-level overview of what Active Directory and Samba authentication is, and in particular I try to give you a picture of who to assume can talk to whom, who can answer what questions and so on, what tasks are involved to get a Samba user authenticated, and why the different aspects are important and so on.

Quick overview: what is Active Directory really? It's Microsoft's central user database since like Windows 2000. Before that Microsoft had, for Windows NT4, a flat user database, just a list of users. You had a GUI limit of like 40,000 users in a single database, and even at that it was very clumsy to use, but yeah, it worked. They moved that to an LDAP database and they also put in Kerberos as the standard authentication protocol. This LDAP database is multi-master replicated, and as always you have problems with multi-master replication. For all the conflicts that can arise they have strategies to mitigate
that, based on whatever kind of conflict, what attribute this is on. For example, I believe on passwords it's last writer wins. If you remove a directory somewhere, a sub-OU somewhere, and move something into that OU on another domain controller: for each of these cases Active Directory has strategies to work around that, and it's well understood these days. The LDAP is highly specific, and this was my comment in the last talk: they have very custom extensions that are partly to accommodate huge directories that are not really covered well by some aspects of the LDAP standard. They have a lot of internal magic in their implementation to make sure the internal schema requirements and all non-schema requirements are actually met and always valid. Also Active Directory, as it used to be, is a challenge-response based authentication server, and even in the world of Kerberos this is still very important, for reasons I will point out. Of course it's also a DNS, and they went to standards for doing domain controller lookup. And yeah, one aspect that is in practice relevant is that when you go to customers you will very often find very complex multi-domain setups that have all sorts of trusts in between. I guess our friends can tell stories about this. People do all sorts of multi-domain setups and Active Directory is made to cope with that, better or worse. If you go to a university it's very common to only have one single realm, but if you go to Active Directory, I mean dozens of domains or hundreds of domains is not really uncommon.

So what is Samba? Samba started in the 90s as a compatible file server to DEC Pathworks. It used to be based on Solaris at that time; that has long gone. It's an implementation of many Microsoft protocols. It started as Server Message Block, which is a pure file server protocol with some printing extensions. Based on that, Microsoft has added many other protocols, in particular
they have taken the Distributed Computing Environment's RPC implementation and extended that in big ways. Samba is a file and print server using DCE RPC, it's an RPC server for user database services, and this is essentially what is the NT4-compatible domain controller. Then, as I said, we have Kerberos servers, we have a DNS server, we have an LDAP server and so on. DNS of course is again not invented here, but yeah, BIND is also kind of a moving target when you want to hook into it, and there are so many DNS servers, and in the end for the requirements that we have DNS is not really a complicated protocol to implement. We have been an NT4-compatible domain controller, what we call nowadays the classic domain controller, still works, for ages with Samba. With Samba 4 we became an Active Directory domain controller, and what we have been for a very long time is an Active Directory domain member, because what you see is normally companies, customers, have the Active Directory and they want to just have Samba or Linux workstations join that Active Directory and be normal participants in that authentication realm.

What is authentication, what is authorization? We have to distinguish between those two. Authentication is mainly to identify users: did the user type in the password correctly, is the user really the one who he or she claims to be. The second question is authorization: what is the user allowed to do? And how does Active Directory specify what a user is allowed to do? It's mainly by listing groups a user is member of, and this is what we call the access token. We have to distinguish those two questions and I will talk about both aspects in the next few slides.

Let's talk about general authentication mechanisms. Telnet, FTP, well, everybody knows it, not spending much time here. The main advantage which distinguishes it from all the other ones is you don't need plain text passwords on disk of the server. In particular challenge-response and Kerberos, they require the plain text password or
the equivalent of those on the authentication server's disks, so the authentication server can always impersonate. A Unix machine with /etc/shadow can't impersonate the user against other machines, and this is where SSH fits in: they authenticate the server by public key and then pass on the password in plain text, and it doesn't matter, it's not bad anymore. So we have essentially plain text on net but encrypted on disk; then we have plain text on net, encrypted or sealed by public key; and then we have all sorts of challenge-response schemes, and Active Directory uses these two. Kerberos, I mean, I always have to think very hard to make sure that Kerberos is actually safe, but my take from it is really it's a complicated version of challenge-response.

Okay, NTLM versus Kerberos. Who has heard the NTLM acronym? So it's the NT LAN Manager challenge-response authentication protocol. Challenge Response Authentication Protocol really abbreviates to CRAP. On the other hand, recent versions are not really as bad as they used to be. I mean the initial versions coming from OS/2 for example, they were really, really crap even at that time, but they are actually quite good these days. If you go to the latest NTLMv2 with all the added nonces and all the exchanges, they are usable. Of course you will always find enterprises where they are banned, but 99% of the customers I meet still have that enabled, and they are not regularly attacked by flaws in that. There's a downside to this NTLM thing, and we will talk about the different roles in a minute: for every single authentication event anybody trying to authenticate needs to ask a domain controller, and that's pretty high load on the domain controller depending on the kind of authentication you have. Just guess HTTP for example, very short requests, and you have to cache something somewhere. Then we have Kerberos. It's the standard
authentication protocol. The main distinguishing factor is we have lifetime of tickets, meaning somebody can authenticate and get some signed binary blob token that verifies to somebody else: hey, Volker Lendecke has authenticated correctly. That's the main thing of Kerberos, and this means greatly reduced load on the domain controller due to this caching. The main downside is it's extremely picky, so I don't even want to start. I mean the time synchronization is basically solved, but that's number one. The other one that I frequently meet is you have to contact the server under its name. You can't just contact an IP address, it doesn't work, because you don't find the service principal in the KDC database. And if your DNS is broken, if you have CNAMEs, if you have a local /etc/hosts, Kerberos just doesn't work. And so this is one of the takeaways that you should really take out of this talk here: NTLM as a crap fallback must always be available, otherwise you will have very, very unhappy users eventually, and they have broken Kerberos and they think that everything works, but in fact the reason is, experience from the field, Alexander's comment was: many companies don't know that they are still using NTLM, and they have broken Kerberos for some reason. I mean it can all be fixed, but very often it's broken, yeah, and every single breakage needs to be analyzed.

So, roles in authentication. We have a user: hey, I want to access this box, I know a password, I have a certificate, I have something. Then I have my workstation or a server. This server usually doesn't have a local user database; that's the whole point of having an authentication service somewhere. And then we have a domain controller, in Kerberos speak a KDC, a key distribution center. We have the domain controller, and those guys are the point of trust. They have all the users, they are the gatekeepers for access control decisions. And the point I want to make here, which is very, very important, is these guys
here need to trust these guys, because the KDC can tell the workstations or servers that Volker Lendecke is root or Administrator or whatever. So there must be some level of trust between those two, and this trust must be cryptographically assured. So how is it done? Each workstation, each server, has a shared secret with the DC, and so when a workstation wants to authenticate Volker Lendecke, the DC must prove it knows the secret. So not only does Volker Lendecke authenticate himself against the workstation, but also the domain controller authenticates itself against the workstation, so that the workstation can eventually be sure: yes, Volker Lendecke was authenticated by the right domain controller. In Kerberos speak it's principal, service principal and keytab, where they have to agree. Same in Active Directory.

Enter Samba winbind. It's a daemon that we wrote a while ago, I think it was Tim Potter who initially wrote it, and it's a daemon that essentially takes care of all this stuff that I was talking about. It connects to domain controllers, and it can be surprisingly complex to find the right domain controller. For example you have Active Directory sites and you need to be site aware. So if I'm sitting in Europe I'm not talking to a domain controller in Kazakhstan, because I mean I have satellite links in Africa, whatever, and I don't want all my authentication to go to Africa and back. And this is what Microsoft has the concept of sites for. They can tell me: hey, I have 25 domain controllers, three of those are local to you. That's all done with SRV records in DNS. Then what it does, it connects to one of these domain controllers and establishes an authenticated and encrypted channel to that domain controller. Much of this is really, really nasty and you don't want to implement that yourself, and this is all being taken care of by winbind. What it does also is it changes its machine password regularly, which can be surprisingly
difficult given that you have multiple domain controllers. You change your password against one, that domain controller dies, or you change it against a domain controller, the domain controller has accepted that change, but then your local write to your disk fails. And yeah, there are some aspects to take care of, and this is all what winbind takes care of. What winbind provides is an extremely simple interface. Quoting Simo, it's just crap and too simple, but it just has some fixed size requests and it works. Okay, usernames can't be longer than 256 bytes, that's one limitation here, but who cares. It's really extremely simple, and we provide a library that wraps all the ugliness for anybody who wants to use it, but it just works. And yeah, it's one of the hidden secrets that nobody has to take care of, nobody has to bother. Samba provides PAM and NSS modules, so it can authenticate users, it can give you the illusion of Active Directory showing up in /etc/passwd and /etc/group. And one very important aspect is it tries to simulate, where it can, what Windows does, and do nothing else but what Windows does, because that's all we can rely on. Anything we do that Windows doesn't do in normal operations can break. We're not there yet, but we're getting there.

Okay, authentication done by NTLM: winbind can do NTLM, winbind can also verify Kerberos tickets and so on, and this is done. What about authorization, what is the user allowed to do? Eventually that's permissions from access control lists in the file system. In normal Unix operations, how do we evaluate ACLs? That's all based on user IDs and group IDs, small 32 bit numbers. How do we get there? First we need to answer the question: what's a user's uid and what groups is he or she member of? Who knows it? It's domain controllers. The question here is when do they tell us, and Active Directory domain controllers, and this is one of the big
misunderstandings, only ever tell us, and they calculate the group memberships, only when a successful authentication has been done. So if a user presents his password correctly, either via Kerberos or via NTLM, that is the only moment when we can reasonably figure out what groups the user is in. Anything else is prone to break.

Okay, winbind and trusted domains. Winbind performs several tasks. We do the authentication, as I said, we do the password checks. Winbind has authenticated the user and, as I said in the last slide, right, we have gotten the token, the list of groups. The problem is: in what format did we get these groups? Windows has a completely different notion of a user ID. Essentially it's a 128 bit user ID, it's called security identifier. Maybe some of you have seen this one: S-1-5-32-454, S-1-5-21- and then many numbers. But at the bottom of it it's 128 bit UIDs. Unix can't deal with that. I would love to make Unix deal with 128 bit UIDs, but it would save us this topic here, and I'm not going to talk about this topic because it would be like a two-hour talk in itself. There are so many ways that winbind is able to map these 128 bit UIDs it gets from the Active Directory into the 32 bit UID space that is given to it by Linux. So we can ask Active Directory for database lookups, we can do it on our own, we can have script-based solutions and so on. If you're implementing Samba in an Active Directory this is a hot topic that definitely needs clarifying with customers, and this is different for every single customer.

Okay, winbind also provides NSS information. Important question: I said winbind connects to a domain controller, establishes a trusted and encrypted channel. Who can we establish this encrypted channel to? And I said in one of the first slides it's extremely common to have very, very many domains, cross-realm trusts, and winbind can only ever talk to its own realm slash domain. So if user A from domain A,
user A from domain whatever one, comes to winbind and winbind is member of domain B. I would need a whiteboard now. So winbind is member of domain A, a user from domain B comes to winbind: hey, please authenticate me. Winbind depends on the domain controllers to talk to each other to take over the inter-domain trust stuff. Winbind can only talk to its own domain, because that's the only domain we have a workstation password for, we have a shared secret for, we can establish trust. So right now this is the part where we're not there yet. I said winbind wants to do only what Microsoft Windows clients do. Right now by default we have code to list all trusted domains and to also contact other domain controllers, although we really can't, or we can't really, depending on your point of view. This worked fine in NT4 times when the trust scenarios were a lot simpler. Active Directory trusts, you'd need another whatever 10 slides talk on what kind of trusts you can have, and these are a lot more complex, and yeah, the failure scenarios are much, much more diverse. And so winbind in 4.8 will have code to just drop this. The problem is you have this code in winbind, it does all this stuff, and because the situations out there are so different, you don't know what exactly is going to break when you just disable this. And so what we do is we optionally say: okay, we don't do all this, let's talk to the trusted domains and so on, we just disable this optionally, and ask people: hey, please disable this and report failures, because we can't really reasonably test all the scenarios that we have to live in, because I mean we can't set up 500 domains in whatever trust scenarios.

Okay, from this slide essentially this bullet point here, I told you much of this. Two points here: Active Directory groups are hell complex, in particular something that Unix doesn't really know. I mean for LDAP, for pure LDAP, we have data models for this, but in plain Unix /etc/
passwd, /etc/group, there is no group nesting. Active Directory has all sorts of group nesting, and Samba as a pure client has no way to follow all this group nesting itself. I mean in theory the database offers it, the data is there. Two points: first, it's how complex code; second, we might not have the access permissions by Active Directory to see all this information. And that's why it's so important that we have to rely on domain controllers to calculate group memberships with all its nesting at successful login time. We have no way to calculate it on our own. Essentially it comes down to: if you log into a Unix box that is part of Active Directory using winbind, you are root on that box; the piece that doesn't work is id username as root. This doesn't work. If you ssh into that box, a successful login as that user, typing in id without username, hey, I want to find my groups, that works. What does not work is id username typed in as root, because I have not done a successful authentication against the domain controller. One of the big misunderstandings that I face really in customer scenarios, not daily but monthly at least. Yes, go here: tokenGroups is not reliable once you enter trusts. You are not able to contact the trusted domain controller and so on. I mean it's a mess, you don't even know that you're deprived of all the access to that. Yeah, I mean there's one way we're working on this. There is a service that Microsoft offers, Service for User to Self, Andreas already mentioned that, that is supposed to do something similar. That will solve it.

Okay, then another slide that is a bit out of topic here: winbind nss info. So winbind as a client can provide the name service switch info. Essentially it can fake /etc/passwd, /etc/group. How does it do that? Windows doesn't know about the concept of a login shell, Windows doesn't know about the concept of a home directory with the same semantics that Unix expects, and we have some changes here. Active
Directory can hold all this information in LDAP attributes, we can read that. One particular change is, I think, when did that go in, in 4.6 or 4.7 that went in: if you look at the Active Directory Users and Groups tool, there are two primary groups, first in the Windows group tab and then in the SFU schema extension tab. Before the change, I think it was 4.6, before this change we always went in and used the Windows primary group and expected to have some external ID mapping for this Windows primary group, which in most of the cases is just Domain Users. And a lot of customers, for whatever reason, refuse to map Windows Domain Users to a Unix group, because they have applied this separate primary group for a user in the Active Directory SFU tab. And this is something that we recently, I have it there, 4.6, Samba only looked at the Windows group, and we changed this now so that you can be more flexible and say: okay, if you have these SFU extensions, you don't want to map the Windows primary group, yeah, just go here and say unix primary group = yes, and then you can have a per-user primary group out of the SFU tab.

Okay, that's it. Questions? Lights on. Oh, thanks.

Yeah, so if I recall correctly, a customer, I said I have a Samba environment as clients, 18 clients, yeah, and it could easily do getpwent and possibly getgrent on those machines. Yeah, so what if you say that winbind only gets the information on successful login, how did that work?

Um, that's different. So the question was how does getpwent, getgrent work. That does work, although you don't want it, and we disable it by default. getpwent will enumerate all users, and in large Active Directories this can be slow, you don't want this, we disable this by default. Listing users can be done via LDAP, or it can't; Active Directory can prohibit this, so it's not reliable. In many environments it works, but it's not reliable. The other thing that doesn't work
is getting the list of groups a user is member of. That piece is utterly unreliable. Just listing users, listing groups is one thing, but getting the reliable, up-to-date information about which groups a user is member of, and this is the only one a file server is interested in, that piece doesn't work.

What is the scenario where this is dynamic? I mean, it's quite, you know, I have my admin Saturday and I do all the changes required for my office, business, company, whatever, and then that's not for the next two months. So where's the...

Imagine Siemens: people come and go every single hour, people change groups every single hour. Yeah, okay, so that's highly dynamic, and you have to ask that information at login time. And as I said, please don't ever type in wbinfo -u to list users. This can take down your Active Directory, because it's just too slow.

More questions? Thank you. Okay, thank you.
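Editor's added example, not part of the talk and not Samba code: the speaker mentions that winbind has many ways to squeeze Windows security identifiers into the 32-bit Unix uid space and that this must be settled per customer. The sketch below shows the arithmetic of one of those ways, the idmap_rid backend, which derives the uid from the SID's relative identifier (RID) as low_id + (rid - base_rid) and refuses anything outside the configured range. It parses the `idmap config` lines of a constructed smb.conf fragment (the domain names CORP and TRUSTED, their ranges, and the domain SIDs are assumptions chosen for the example; in a real install winbind learns the domain SIDs from the domain controller) and also shows the `winbind enum users = no` setting the speaker recommends. SIDs from a domain without its own idmap config, such as the BUILTIN S-1-5-32 well-known SIDs, return None here; real winbind would hand them to the `*` default backend.

```python
"""Sketch of winbind's idmap_rid SID -> uid arithmetic (added example, not Samba code)."""
import re

# Constructed smb.conf fragment for the example (assumed names and ranges).
SMB_CONF = """
[global]
    security = ads
    workgroup = CORP
    realm = CORP.EXAMPLE.COM
    # do not enumerate the whole directory; the talk warns this is too slow
    winbind enum users = no
    winbind enum groups = no
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000-999999
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 1000000-1999999
"""

# Constructed domain name -> domain SID table (winbind gets this from the DC).
DOMAIN_SIDS = {
    "CORP": "S-1-5-21-1111111111-2222222222-3333333333",
    "TRUSTED": "S-1-5-21-4444444444-5555555555-6666666666",
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(conf):
    """Collect 'idmap config DOMAIN : key = value' lines into {DOMAIN: {key: value}}.
    The range is converted to an (low, high) integer tuple."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        cfg.setdefault(dom, {})[key] = val
    for opts in cfg.values():
        lo, hi = opts["range"].split("-")
        opts["range"] = (int(lo), int(hi))
    return cfg


def is_valid_sid(sid):
    """Accept 'S-1-<authority>-<subauthority>...' with at least one subauthority."""
    parts = sid.split("-")
    return len(parts) >= 4 and parts[0] == "S" and all(p.isdigit() for p in parts[1:])


def split_sid(sid):
    """Return (domain_sid, rid): everything but the last subauthority, and the last one."""
    if not is_valid_sid(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_id(sid, cfg, domain_sids):
    """idmap_rid mapping: uid = low_id + (rid - base_rid), or None if winbind would refuse.
    None is returned for domains without their own rid config (they would fall to
    the '*' default backend, not modelled here) and for ids outside the range."""
    domain_sid, rid = split_sid(sid)
    dom = {v: k for k, v in domain_sids.items()}.get(domain_sid)
    if dom is None or dom not in cfg or cfg[dom].get("backend") != "rid":
        return None
    lo, hi = cfg[dom]["range"]
    base_rid = int(cfg[dom].get("base_rid", 0))
    uid = lo + (rid - base_rid)
    return uid if lo <= uid <= hi else None


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1105",
                "S-1-5-21-4444444444-5555555555-6666666666-500",
                "S-1-5-21-1111111111-2222222222-3333333333-995000",
                "S-1-5-32-544"):
        print(sid, "->", sid_to_id(sid, cfg, DOMAIN_SIDS))
```

Because the mapping is pure arithmetic on a per-domain range, every domain member configured with the same ranges produces the same uids without any shared database, which is why rid is popular for file server clusters; the price is that each trusted domain needs its own non-overlapping range, and a SID whose RID falls outside it simply gets no Unix identity.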