kinit problems

Hello,

Some answers which may or may not clarify…

  1. Just because you say you “don’t have SAMBA shares” doesn’t mean you don’t need SAMBA. Anticipating this statement, I tried to describe how and when SAMBA is used on the client. Although it’s extremely unusual for Windows Networks to not configure any Network Shares, if that is your situation, so be it.

  2. You may say you don’t want SSO, but all modern networking finds SSO desirable. SSO means that when you logon to a machine you are automatically authorized to access assets on the network ranging from network shares to access to the Internet to mail, and more. Without SSO, you must configure your logon credentials for every connection to a network resource, and if you change your password you will have to re-configure everything all over again.

  3. What I found objectionable was integrating local security with network security. They should be kept separate despite the attractiveness sometimes of being able to be God on another machine without being logged in as a Domain Admin (e.g. running a script on a remote machine). This is partly why early Windows has been obsoleted. The acceptable alternative to being a member of the Domain Admin group is to remote into a machine with sufficient permissions and execute the script or program locally (on the remote machine). Consequences of breaking this rule start at potential network compromise (compromise the right machine with God-like permissions on the Network and the exploit will now run on every machine immediately).

  4. As I described, it depends on how you created your Domain User. You are relatively safe by using a Domain User Account created and maintained entirely using ADUG. If you “synchronize” a Domain User Account with a Local System Account, then you’ve broken the partition between Local and Network Security. If the Domain User Account has been made to be more than it is by default then that’s dangerous unless you really know what you’re doing. Advanced Windows Admins may immediately identify the most obvious exception to this rule, but I won’t discuss that in detail here, which would muddy the waters. When talking about Linux machines, just know that even that exception can’t be applied here because whereas Windows Security is fundamentally based on User Security, Linux Security is fundamentally based on Machine security, so the consequences of that practice are very different.

As I described, the only way to fix your problem properly is to return to the state “before Gentoo Wiki.” Leaving anything behind is a YMMV. Maybe it’ll make a diff, maybe not. My advice is to not risk creating a “Frankenstein” which is a gumbo of this and that. Computing is hard enough getting things to work the right way without making your situation completely unique.

You can make your own decisions on using shared accounts, but I know that any hint of that violates HIPAA and SarBox in a big way. I do remember one Linux/Windows integration software package that does allow the use of sudo, but only because it keeps its own “higher level” logs on how sudo is used. Normal logs <do not> sufficiently track who actually was doing what task if impersonation using sudo is used.

One last piece of advice, and I apply this to myself all the time…

Step One is to never stray from instructions when I’m learning a new technology. Oftentimes, I cannot see the purpose for why something is done until I’ve completed setting it up, debugging and getting it to work smoothly. And even then, sometimes I <really> have to use the technology for a while exploring it before I can feel I really understand the reason why the technology works that way.

Step Two is questioning. Only after the technology is set up and running as it is originally designed can I start to question why it runs the way it does. If not set up correctly in the first place, then any questioning is fruitless, based on nothing real.

Step Three is what I hope for, to one day be able to “break the rules.” This cannot happen until enough experience has been accrued on a properly working system. If the system is running properly, <usually> there should not be any reason to break the rules, but there can always be that unique situation somewhere which, because it’s atypical, demands original thought. But breaking the rules should never become habit; rules may be made to be broken, but if they are good rules they should almost never be broken.

HTH,
TSU