荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: Jobs (温少), 信区: WinNT
标 题: Interoperability with Microsoft Windows 2000 Active Directory and
Kerberos Services
发信站: BBS 荔园晨风站 (Sun Nov 28 09:50:36 1999), 站内信件
Interoperability with Microsoft Windows 2000 Active Directory and Kerberos
Services
John Brezak
Microsoft Corporation
November 1999
Summary: This article describes interoperability with Microsoft? Windows? 2000
Active Directory and Kerberos from non-Windows platforms using freely available
toolkits. (5 printed pages)
Introduction
The Microsoft Windows 2000 Active Directory is the repository for user, service,
and computer accounts in a Windows 2000 domain. Each account is also a
Kerberos security principal. Together these services can be used to provide a
Kerberos-based account service. This article describes interoperability with
these services from non-Windows platforms using freely available toolkits.
The article assumes the reader抯 familiarity with the Kerberos security
protocol developed at the Massachusetts Institute of Technology. For an
overview of Kerberos in Windows 2000, see 揥indows 2000 Kerberos Authentication?
at http://www.microsoft.com/windows/server/Technical/security/kerberos.asp. For
a collection of interoperability scenarios, see 揥indows 2000 Kerberos
Interoperability? at
http://www.microsoft.com/windows/server/Technical/security/kerbint.asp.
The sample code that comes with this article is for Unix platforms. These
samples have been testing on NetBSD 1.4, Linux 2.1, and Solaris 2.7. The
samples should also run on other Unix variants with minimal changes; they will
not work on Windows, however.
Supported Protocols
The Active Directory is an implementation of the Lightweight Directory Access
Protocol (LDAP) version 3 standard as specified in RFC-2251. LDAP version 3
supports authenticated connections using simple authentication through NTLM,
SSL, and SASL/GSSAPI (RFC-2222) mechanisms.
The Kerberos authentication service is an implementation of the Kerberos
version 5 as specified in RFC-1510. The authentication service implements the
Key Distribution Center (KDC) service and forms the core security mechanism for
Windows 2000.
Related to the Kerberos authentication service is a service to securely change
account passwords. The Kerberos change and set password protocols are described
in Internet-Drafts (included in the krb5passwd directory of the samples).
Unix LDAP and Kerberos Libraries
Before these samples can be compiled, you抣l need the LDAP and Kerberos client
SDKs for the target Unix platform. The samples have been tested with the
Netscape LDAP library and the MIT Kerberos 5 libraries, which are freely
available on the Internet at these locations:
MIT Kerberos 5 documentation and installation instructions can be obtained from
http://web.mit.edu/kerberos/www/index.html.
The Netscape Directory SDK for C (LDAP client) can be obtained from
http://developer.netscape.com/directory/downloads.html.
Before you compile the samples, you抣l need to install the Kerberos and LDAP
distributions. To configure your Unix system抯 Kerberos to work with a Windows
2000 domain, refer to the MIT Kerberos Walkthrough at
http://www.microsoft.com/windows/server/Deploy/security/MitKerb/default.asp.
Unix Samples
The attached samples demonstrate how to locate domain controllers, change user
passwords, list accounts, and create new user and computer accounts. Each of
these samples includes an executable that is built for the desired Unix
platform and a Unix-style man page that documents the command usage.
Before viewing the man pages, you抣l need to format them using the Unix nroff
command with the man macros (nroff -man).
Each sample is structured to use common library functions. These include
libraries that encapsulate the set password and change password protocol
functions, encapsulate the person and computer directory object classes, and
locate the LDAP and KDC services.
Locator
The locator sample queries the DNS for service location resource records (SRV
RR). Windows 2000 registers these DNS records in order to locate the computers
that are hosting the LDAP and Kerberos services in a domain. The locator sample
program allows the user to query the DNS for the computers that are providing
the LDAP/tcp service by default. It can also be used to query for other
services using the appropriate switches. For more information, see the man page
in the samples at locator/locator.M.
Kpasswd
The kpasswd sample comes from the MIT Kerberos 1.1 distribution. This version
has been modified for use with MIT Kerberos 1.0.6 distributions. It implements
the Kerberos change password protocol as specified in the Internet-Draft (see
krb5passwd/kerb-chg-password-02.txt). This sample will allow users to change
their passwords in Active Directory from a Unix system.
Ksetpw
The ksetpw sample demonstrates how to use the Kerberos set password protocol as
specified in the Internet-Draft (see krb5passwd/kerb-set-password-00.txt). It
is used to set an account抯 password. Only those users who are authorized to
set a password on a particular account are able to use this command to set
account passwords.
Pwdump
The pwdump sample queries the Active Directory for an account that matches the
specified query string on the command line. By default, this command uses
anonymous access to the directory. However, the directory may not allow the
anonymous user to search the tree. In this case, a DN for an account that is
authorized to search the name space should be specified using the ?-A? switch.
When the ?-A? switch is used, the user is prompted for a password for that
account. Because this LDAP authentication mechanism uses simple authentication,
the password is sent in the clear on the network.
Any accounts that match the query string are printed on stdout in the form of a
Unix passwd entry. If the Active Directory is using a Posix extended schema
(such as the one provided by the Microsoft Windows NT Services for Unix), items
such as the Posix UID (user identification), GID (group identification), user
home directory, and logon shell are retrieved from the account. If the Posix
attributes are not available for a particular directory entry, defaults are
provided by the pwdump command. See the man page in pwdump/pwdump.M for more
information on using this command.
Adduser
The adduser sample creates a user account for the specified user in the Active
Directory and prompts for the initial password. If the specified user name is
an account on the local Unix system, the UID, GID, and other user information
is added to the account (if the directory has been extended with the Posix
schema). If the account doesn抰 exist in the Active Directory, it is created in
the users container. The ?-O? switch to specify an OU can be used to change
this. See the man page in adduser/adduser.M for more information on using this
command.
Netjoin
The netjoin sample creates a computer account for the specified computer. If no
computer name is specified, the current host is used. If the account doesn抰
exist, one is created in the Active Directory under the computers container.
The computer operating system version and identification string are taken from
the computer抯 uname(1) information. The computer account抯 password is set to
a random password. Then a Kerberos keytab is created for the computer account
that matches the key set in Active Directory (based on the password). If the
account already exists, the computer account抯 password is changed and the
keytab is updated.
If a computer is specified on the command line, the keytab will be created in
/tmp with the computer name and the extension .keytab. If netjoin is operating
on the current host, then the default keytab will be used. See the man page in
netjoin/netjoin.M for more information on using this command.
Directory Sync Sample
The utils directory contains a simple mechanism to synchronize the accounts in
a Kerberos realm with a Windows 2000 domain. This sample demonstrates account
synchronization only, no attempt is made to synchronize passwords. This
technique is described in 揥indows 2000 Kerberos Interoperability? at
http://www.microsoft.com/windows/server/Technical/security/kerbint.asp.
Building and Installing the Samples
To build and install the samples on Unix:
Unpack the distribution. The samples are compressed using gzip and tar.
# mkdir /usr/src/AD
# cd /usr/src/AD
# gunzip -c /tmp/AD.tar.gz | tar -xvf -
Run the configure script specifying the paths for the LDAP and Kerberos
distributions.
# ./configure --with-krb5-source=/root/kerberos/krb5-1.0.6/src \
--with-ldap-source=/usr/src/mozilla/directory/c-sdk/ldap \
--with-krb5-includes=/usr/local/include \
--with-krb5-libraries=/usr/local/lib \
--with-ldap-includes=/usr/src/mozilla/dist/public/ldap \
--with-ldap-libraries=/usr/src/mozilla/dist/Linux2.0.36_x86_DBG.OBJ/lib
Build the samples.
# make
Install the samples. (This will default to installing most of the samples in
/usr/local/sbin or /usr/local/bin.)
# make install
Reporting Bugs
Send bug reports to: uxkrbbug@Microsoft.com.
Please include the following information in the report:
The operating system version on which you are attempting to install these
samples.
The version of Kerberos that you are using.
The version of LDAP client library that you are using.
A complete description of the problem (including the command line you used and
a stack trace if it caused a core dump).
A suggested fix (context diff suggested).
Code License and Access to Samples
This MICROSOFT SOURCE CODE LICENSE is a contract that allows you to use the
accompanying software. For short, we抣l refer to the Microsoft Source Code
License as the 揕icense? and the accompanying software as the 揝oftware.?
This License governs use of the accompanying Software. Microsoft hopes you
find this Software useful.
You are licensed to do anything you want with the Software.
In return, we simply require that you agree:
Not to remove any copyright notices from the Software.
That the Software comes 揳s is?, with no warranties. None whatsoever. This
means no implied warranty of merchantability or fitness for a particular
purpose or any warranty of non-infringement. Also, you must pass this
disclaimer on whenever you distribute the Software.
That we will not be liable for any of those types of damages known as indirect,
special, consequential, or incidental related to the Software or this License.
Also, you must pass this limitation of liability on whenever you distribute the
Software.
That if you sue anyone over patents that you think may apply to the Software,
your license to the Software ends automatically (this applies even when the
rest of the License ends).
That the patent rights Microsoft is licensing only apply to the Software, not
to any derivatives you make.
That your rights under the License end automatically if you breach this in any
way.
Click here to copy .tgz version of the sample files.
Click here to copy the WinZip version of the sample files
To use these samples, please click on the hot text to download the sample you
choose. Then run it on a Windows system to extract the gzipped .tar files or
the .zip file.
? 1999 Microsoft Corporation. All rights reserved. Terms of use.
--
☆ 来源:.BBS 荔园晨风站 bbs.szu.edu.cn.[FROM: bbs@192.168.11.73]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店