Interoperability with Microsoft Windows 2000 Active Directory and Kerberos Services
Summary: This article describes interoperability with Microsoft® Windows® 2000 Active Directory and Kerberos from non-Windows platforms using freely available toolkits. (5 printed pages)
The Microsoft Windows 2000 Active Directory is the repository for user, service, and computer accounts in a Windows 2000 domain. Each account is also a Kerberos security principal. Together these services can be used to provide a Kerberos-based account service. This article describes interoperability with these services from non-Windows platforms using freely available toolkits.
The article assumes the reader’s familiarity with the Kerberos security protocol developed at the Massachusetts Institute of Technology. For an overview of Kerberos in Windows 2000, see “Windows 2000 Kerberos Authentication” at www.microsoft.com/windows2000/library/howitworks/security/kerberos.asp.
The sample code that comes with this article is for Unix platforms. These samples have been tested on NetBSD 1.4, Linux 2.1, and Solaris 2.7. The samples should also run on other Unix variants with minimal changes; they will not work on Windows, however.
The LDAP SASL library (gsssasl) was provided by Luke Howard of PADL Software (www.padl.com/).
The Active Directory is an implementation of the Lightweight Directory Access Protocol (LDAP) version 3 standard as specified in RFC-2251. LDAP version 3 supports authenticated connections using simple authentication through NTLM, SSL, and SASL/GSSAPI (RFC-2222) mechanisms.
The Kerberos authentication service is an implementation of Kerberos version 5 as specified in RFC-1510. The authentication service implements the Key Distribution Center (KDC) service and forms the core security mechanism for Windows 2000.
Related to the Kerberos authentication service is a service to securely change account passwords. The Kerberos change and set password protocols are described in Internet-Drafts (included in the krb5passwd directory of the samples).
Unix LDAP and Kerberos Libraries
Before these samples can be compiled, you’ll need the LDAP and Kerberos client SDKs for the target Unix platform. The samples have been tested with the Netscape LDAP library and the MIT Kerberos 5 libraries, which are freely available on the Internet at these locations:
- MIT Kerberos 5 documentation and installation instructions can be obtained from http://web.mit.edu/kerberos/www/index.html.
- The Netscape Directory SDK for C (LDAP client) can be obtained from http://www.mozilla.org/directory/csdk.html.
Before you compile the samples, you’ll need to install the Kerberos and LDAP distributions. These samples have been tested with the MIT Kerberos versions 1.0.6 and 1.1.1.
The attached samples demonstrate how to locate domain controllers, change user passwords, list accounts, and create new user and computer accounts. Each of these samples includes an executable that is built for the desired Unix platform and a Unix-style man page that documents the command usage.
Before viewing the man pages, you’ll need to format them using the Unix nroff command with the man macros (nroff -man).
Each sample is structured to use common library functions. These include libraries that encapsulate the set password and change password protocol functions, encapsulate the person and computer directory object classes, and locate the LDAP and Kerberos services.
The locator sample queries the DNS for service location resource records (SRV RR). Windows 2000 registers these DNS records in order to locate the computers that are hosting the LDAP and Kerberos services in a domain. The locator sample program allows the user to query the DNS for the computers that are providing the LDAP/tcp service by default. It can also be used to query for other services using the appropriate switches. For more information, see the man page in the samples at locator/locator.M.
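The selection step behind the locator, as an added example that is not part of the article’s samples: given the SRV answers for a service in a domain, order the hosts the way RFC 2782 prescribes (ascending priority, weighted random choice within a priority). The service labels, the constructed answer set and the tuple layout are assumptions; note that the DNS answer itself is unauthenticated, so the host it names is only trusted once Kerberos authentication to it succeeds.

```python
import random

# SRV owner-name prefixes Windows 2000 registers (assumed RFC 2782 form).
SERVICES = {
    "ldap": "_ldap._tcp",
    "kerberos": "_kerberos._tcp",
    "kpasswd": "_kpasswd._tcp",
}

def srv_name(service, domain):
    """Owner name the locator would query, e.g. _ldap._tcp.example.com."""
    return "%s.%s" % (SERVICES[service], domain.rstrip(".").lower())

def order_srv(records, rng=random.random):
    """Order (priority, weight, port, target) records per RFC 2782.

    Lower priority first; within one priority a weighted random pick.
    Zero-weight targets are picked only after all weighted ones in the
    same priority (a simplification of the RFC's 'very small probability').
    """
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[0]                      # all remaining weights are 0
            if total > 0:
                mark = rng() * total            # point in [0, total)
                acc = 0
                for r in pool:
                    acc += r[1]
                    if acc > mark:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered

def locate(records, rng=random.random):
    """host:port strings in the order a client should try them."""
    if any(r[3] == "." for r in records):     # RFC 2782: "." means no service
        return []
    return ["%s:%d" % (r[3].rstrip("."), r[2]) for r in order_srv(records, rng)]

# Constructed answer set for _ldap._tcp.example.com (not real hosts).
SAMPLE_ANSWER = [
    (0, 100, 389, "dc1.example.com."),
    (0, 0, 389, "dc2.example.com."),
    (10, 100, 389, "dc3.example.com."),
]
```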
The kpasswd sample comes from the MIT Kerberos 1.1 distribution. This version has been modified for use with MIT Kerberos 1.0.6 distributions. It implements the Kerberos change password protocol as specified in the Internet-Draft (see krb5passwd/kerb-chg-password-02.txt). This sample will allow users to change their passwords in Active Directory from a Unix system.
The ksetpw sample demonstrates how to use the Kerberos set password protocol as specified in the Internet-Draft (see krb5passwd/kerb-set-password-00.txt). It is used to set an account’s password. Only those users who are authorized to set a password on a particular account are able to use this command to set account passwords.
The pwdump sample queries the Active Directory for an account that matches the query string specified on the command line. By default, this command uses the SASL/GSSAPI authentication mechanism to authenticate to the directory. If the “-A” switch is used, a simple bind is used instead, and the user is prompted for the account’s password. Because this LDAP authentication mechanism uses simple authentication, the password is sent in the clear on the network.
Any accounts that match the query string are printed on stdout in the form of a Unix passwd entry. If the Active Directory is using a Posix extended schema (such as the one provided by the Microsoft Windows NT Services for Unix), items such as the Posix UID (user identification), GID (group identification), user home directory, and logon shell are retrieved from the account. If the Posix attributes are not available for a particular directory entry, defaults are provided by the pwdump command. See the man page in pwdump/pwdump.M for more information on using this command.
The adduser sample creates a user account for the specified user in the Active Directory and prompts for the initial password. If the specified user name is an account on the local Unix system, the UID, GID, and other user information are added to the account (if the directory has been extended with the Posix schema; see Windows Services for Unix version 2.0 for more information). If the account doesn’t exist in the Active Directory, it is created in the users container. The “-O” switch can be used to specify a different OU. See the man page in adduser/adduser.M for more information on using this command.
The netjoin sample creates a computer account for the specified computer. If no computer name is specified, the current host is used. If the account doesn’t exist, one is created in the Active Directory under the computers container. The computer operating system version and identification string are taken from the computer’s uname(1) information. The computer account’s password is set to a random password. Then a Kerberos keytab is created for the computer account that matches the key set in Active Directory (based on the password). If the account already exists, the computer account’s password is changed and the keytab is updated.
If a computer is specified on the command line, the keytab will be created in /tmp with the computer name and the extension .keytab. If netjoin is operating on the current host, then the default keytab will be used. See the man page in netjoin/netjoin.M for more information on using this command.
Directory Sync Sample
The utils directory contains a simple mechanism to synchronize the accounts in a Kerberos realm with a Windows 2000 domain. This sample demonstrates account synchronization only; no attempt is made to synchronize passwords.
Building and Installing the Samples
To build and install the samples on Unix:
Unpack the distribution. The samples are compressed using gzip and tar.
    # mkdir /usr/src/AD
    # cd /usr/src/AD
    # gunzip -c /tmp/AD.tar.gz | tar -xvf -
Run the configure script specifying the paths for the LDAP and Kerberos distributions.
    # ./configure --with-krb5-source=/root/kerberos/krb5-1.1.1/src \
        --with-ldap-source=/usr/src/mozilla/directory/c-sdk/ldap \
        --with-krb5-includes=/usr/local/include \
        --with-krb5-libraries=/usr/local/lib \
        --with-ldap-includes=/usr/src/mozilla/dist/public/ldap \
        --with-ldap-libraries=/usr/src/mozilla/dist/Linux2.0.36_x86_DBG.OBJ/lib
Build the samples.
Install the samples. (This will default to installing most of the samples in /usr/local/sbin or /usr/local/bin.)
    # make install
Send bug reports to: uxkrbbug@Microsoft.com.
Please include the following information in the report:
- The operating system version on which you are attempting to install these samples.
- The version of Kerberos that you are using.
- The version of LDAP client library that you are using.
- A complete description of the problem (including the command line you used and a stack trace if it caused a core dump).
- A suggested fix (context diff suggested).
Code License and Access to Samples
This MICROSOFT SOURCE CODE LICENSE is a contract that allows you to use the accompanying software. For short, we’ll refer to the Microsoft Source Code License as the “License” and the accompanying software as the “Software.”
This License governs use of the accompanying Software. Microsoft hopes you find this Software useful.
You are licensed to do anything you want with the Software.
In return, we simply require that you agree:
- not to remove any copyright notices from the Software.
- that the Software comes “as is”, with no warranties. None whatsoever. This means no implied warranty of merchantability or fitness for a particular purpose or any warranty of non-infringement. Also, you must pass this disclaimer on whenever you distribute the Software.
- that we will not be liable for any of those types of damages known as indirect, special, consequential, or incidental related to the Software or this License. Also, you must pass this limitation of liability on whenever you distribute the Software.
- that if you sue anyone over patents that you think may apply to the Software, your license to the Software ends automatically (this applies even when the rest of the License ends).
- that the patent rights Microsoft is licensing only apply to the Software, not to any derivatives you make.
- that your rights under the License end automatically if you breach this in any way.