TICKET TO RIDE
IT’S AN AD, AD WORLD
Stuart Burns rolls up his sleeves and takes you through the process of setting up a Linux-based Active Directory infrastructure and how to use it.
The name Kerberos (Cerberus) is based on Greek mythology and refers to the three-headed guard dog of Hades, gatekeeper to the underworld. In our technical world it’s a system that manages secure access to resources. In the current scenario it provides that security using the data held in the Samba back-end. To fulfil this role, Kerberos issues tickets, akin to access tokens, to users and services so they can perform the desired action, and the exchange is end-to-end encrypted. Kerberos sits at the very core of the AD design. Without it, there would be nothing resembling the modern implementation of AD.
In this walkthrough we stood up the AD infrastructure and have a domain administrator. Adding additional users is straightforward using the Active Directory tools. To be able to interact with the Windows domain, placing the user in the “Domain Users” group is sufficient.
Kerberos uses what’s referred to as a ticket granting ticket (TGT). Essentially, this means that when a user or server requires access to a resource, Kerberos grants a time-limited ticket for that resource to achieve that end. Once that ticket has expired, it’s renewed transparently. However, if in the meantime the resource’s permissions have changed – for example, the user is no longer permitted to access that resource – the newly acquired ticket will deny that request.
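The time-limited nature of those tickets is easy to see on a client by running `klist`, which lists the TGT (the `krbtgt/` entry) and any service tickets with their expiry and renew-until times. The following added example is not code from the original article; it parses a constructed `klist` listing (assumed to use the default MIT `MM/DD/YYYY HH:MM:SS` date layout) and classifies each ticket as valid, expired but still renewable, or fully expired, which is the kind of check a monitoring job or a troubleshooting session would run when a user reports access suddenly failing.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample of MIT Kerberos `klist` output (not captured from a real
# host). The date layout assumed here is klist's default MM/DD/YYYY HH:MM:SS.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.LAN

Valid starting       Expires              Service principal
03/10/2024 09:00:00  03/10/2024 19:00:00  krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
        renew until 03/17/2024 09:00:00
03/10/2024 09:05:12  03/10/2024 19:00:00  cifs/fileserver.example.lan@EXAMPLE.LAN
03/09/2024 08:00:00  03/09/2024 18:00:00  ldap/dc1.example.lan@EXAMPLE.LAN
"""

DATE_FMT = "%m/%d/%Y %H:%M:%S"
_DATE = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_DATE})\s+({_DATE})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({_DATE})\s*$")


@dataclass
class Ticket:
    service: str
    valid_from: datetime
    expires: datetime
    renew_until: Optional[datetime] = None

    def is_tgt(self) -> bool:
        # The ticket granting ticket is always issued for krbtgt/<REALM>
        return self.service.startswith("krbtgt/")


def parse_klist(text: str) -> Tuple[Optional[str], List[Ticket]]:
    """Extract the default principal and every ticket from klist output."""
    principal = None
    tickets: List[Ticket] = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(
                service=m.group(3),
                valid_from=datetime.strptime(m.group(1), DATE_FMT),
                expires=datetime.strptime(m.group(2), DATE_FMT),
            ))
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # "renew until" belongs to the ticket printed on the previous line
            tickets[-1].renew_until = datetime.strptime(m.group(1), DATE_FMT)
    return principal, tickets


def ticket_state(ticket: Ticket, now: datetime) -> str:
    """Classify a ticket relative to `now` (expiry and renewal window)."""
    if now < ticket.valid_from:
        return "not-yet-valid"
    if now < ticket.expires:
        return "valid"
    if ticket.renew_until is not None and now < ticket.renew_until:
        # Expired, but the KDC will still renew it without a new logon
        return "expired-renewable"
    return "expired"


def audit(text: str, now: datetime) -> Dict[str, object]:
    """Summarise the cache: who it belongs to, TGT state, state per service."""
    principal, tickets = parse_klist(text)
    tgts = [t for t in tickets if t.is_tgt()]
    return {
        "principal": principal,
        "tgt": ticket_state(tgts[0], now) if tgts else "missing",
        "services": {t.service: ticket_state(t, now) for t in tickets},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_KLIST, datetime(2024, 3, 10, 20, 0, 0))
    print(f"principal: {report['principal']}  TGT: {report['tgt']}")
    for service, state in report["services"].items():
        print(f"  {state:18} {service}")
```

A TGT reported as `expired` (past its renew-until time) means the user must authenticate again, whereas `expired-renewable` is the state in which the transparent renewal described above still works; a `missing` TGT usually means `kinit` was never run or the cache was destroyed.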
Domain administrators go in the “Domain Admins” group. However, when users are placed into more than one group, it creates what’s referred to as a Resultant Set of Policies or RSOP. This can sometimes cause a bit of head scratching for users, because if the user in question is in two groups with different rights, the rights they receive will effectively be the combined rights of both of those groups. This is why it’s important to plan out the allocation of resources from the outset to minimise such clashes.
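To show how the combined rights come about, and why planning group membership up front matters, here is an added example that is not part of the original article. It works on a constructed snapshot of group memberships and the rights each group carries (the group and right names are invented for illustration), resolves every group a user belongs to, including groups nested inside other groups as AD allows, and reports which groups are the source of each effective right so overlaps are visible before a user is puzzled by them.

```python
from typing import Dict, Set

# Constructed directory snapshot (not exported from a real domain). A member
# may be a user or another group; rights are illustrative labels only.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Domain Users": {"alice", "bob", "carol"},
    "Domain Admins": {"alice"},
    "Finance": {"bob", "Finance Managers"},      # nested group
    "Finance Managers": {"carol"},
}
GROUP_RIGHTS: Dict[str, Set[str]] = {
    "Domain Users": {"logon:workstation", "read:public-share"},
    "Domain Admins": {"logon:domain-controller", "admin:domain", "read:public-share"},
    "Finance": {"read:finance-share"},
    "Finance Managers": {"read:finance-share", "write:finance-share"},
}


def groups_of(principal: str, members: Dict[str, Set[str]] = GROUP_MEMBERS) -> Set[str]:
    """Every group `principal` is in, following nested membership (cycle-safe)."""
    found: Set[str] = set()
    pending = [principal]
    while pending:
        current = pending.pop()
        for group, group_members in members.items():
            if current in group_members and group not in found:
                found.add(group)
                pending.append(group)   # the group may itself be a member elsewhere
    return found


def effective_rights(principal: str,
                     members: Dict[str, Set[str]] = GROUP_MEMBERS,
                     rights: Dict[str, Set[str]] = GROUP_RIGHTS) -> Set[str]:
    """The resultant rights: the union of the rights of every resolved group."""
    result: Set[str] = set()
    for group in groups_of(principal, members):
        result |= rights.get(group, set())
    return result


def rights_by_source(principal: str,
                     members: Dict[str, Set[str]] = GROUP_MEMBERS,
                     rights: Dict[str, Set[str]] = GROUP_RIGHTS) -> Dict[str, Set[str]]:
    """Map each effective right to the groups granting it; >1 group = overlap."""
    sources: Dict[str, Set[str]] = {}
    for group in groups_of(principal, members):
        for right in rights.get(group, set()):
            sources.setdefault(right, set()).add(group)
    return sources


def overlapping_rights(principal: str) -> Dict[str, Set[str]]:
    """Only the rights granted by more than one group, for review before rollout."""
    return {r: g for r, g in rights_by_source(principal).items() if len(g) > 1}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(f"{user}: groups={sorted(groups_of(user))}")
        print(f"  effective rights: {sorted(effective_rights(user))}")
        print(f"  granted by more than one group: {overlapping_rights(user)}")
```

Running it shows the point the text makes: alice receives everything Domain Users and Domain Admins grant, and carol inherits the Finance rights through Finance Managers without being a direct member, so the only reliable way to know what a user can do is to resolve the whole set of memberships rather than look at one group at a time.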