October 1st, 2012

New Security Feature in Fedora 18 Part 2: Mutual Trusts with Active Directory domains

FreeIPA has a couple of new features showing up in Fedora 18. Support for SELinux confined user labelling will be covered in a future post. In this post I will be talking about better integration with Windows environments.

I am saddened to realize that there are still people out there using Microsoft Windows!  

My house has been Windows free for a number of years now.  It is a lot darker, but much more secure! :^)

I also have heard that those Windows environments are using Active Directory. 

Well, Fedora 18 will make these environments a little more secure.

FreeIPA and Active Directory can be set up with mutual trust.

In Fedora 18 it is possible to create a trust relationship between a FreeIPA domain and an Active Directory domain. This means users defined in Active Directory can access resources defined in FreeIPA. In a future release, users defined in FreeIPA will be able to access resources defined in Active Directory. You can manage all of your user accounts in a single place. If you are using Active Directory to manage your users, you can now use the same user accounts on your Linux boxes.

In Fedora 17, FreeIPA used winsync to allow users from an Active Directory domain to access resources in the IPA domain. To achieve this, winsync had to replicate the user and password data from an Active Directory server to the FreeIPA server and attempt to keep the two copies in sync, which opened the door to race conditions.

In Fedora 18, SSSD (the System Security Services Daemon) has been enhanced to work with AD. SSSD understands some of the native AD controls and features that it did not understand in previous Fedora releases.

You can set this up without using FreeIPA at all!

In addition, SSSD can work in an environment where it is connected to a FreeIPA server that is in a trust relationship with AD. In this case SSSD recognizes not only users defined in FreeIPA but also users coming from the trusted AD domains. SSSD can read user and group directory data directly from the Active Directory server.
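As an added illustration (not from the original post, and not FreeIPA's own documentation), here is what the direct-to-AD SSSD setup described above looks like in `/etc/sssd/sssd.conf`, assuming a constructed domain name `ad.example.com` and a host that has already been joined to that domain:

```ini
# /etc/sssd/sssd.conf - direct AD integration with the SSSD 'ad' provider
# (added example; ad.example.com is a constructed name, not a real domain)
# SSSD refuses to start unless this file is owned by root with mode 0600,
# because it may hold credentials and controls who can log in.
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
# 'ad' access control honours disabled and expired accounts in AD;
# 'permit' would let every AD account log in to this host.
access_provider = ad
# Derive UIDs/GIDs from the AD object SIDs, so the AD admins need not
# add POSIX attributes (uidNumber/gidNumber) to every user and group.
ldap_id_mapping = True
# Keep users qualified by domain so an AD 'bob' and a local 'bob' never collide.
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
# Cache password hashes only if the host really must authenticate offline.
cache_credentials = False
```

In the FreeIPA-with-trust case the IPA client keeps `id_provider = ipa`, and users from the trusted AD domains are resolved through the IPA server without a second domain section on the client.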

Additionally, if you do use FreeIPA you can set up a Kerberos cross-realm trust. This allows single sign-on between the Active Directory and the IPA domains.

  • A user from the Active Directory domain can access kerberized resources in the FreeIPA domain without being asked for a password.
  • If you choose to set up users in the FreeIPA domain, they will be able to access resources in the Active Directory domain. No need to set POSIX attributes in the Active Directory domain.
  • Single sign-on for all kerberized services is possible.

We may never get to full single sign-on, where I am only ever asked for one password, but this is a step in the right direction.