Transcription
WHITE PAPERCENTRIFY CORP.Centrify's Solution for NIS MigrationAPRIL 2008Leveraging Centrify’s DirectControl and Zone Technology to Simplify NIS MigrationABSTRACTSun Microsystem’s Network Information Service (NIS, originally known as SunYellow Pages) has been the primary choice for managing Unix identityinformation in a networked environment for many years. Unfortunately, NIShas several shortcomings in the areas of security, manageability, and networkdependency, and its successor, NIS , was never widely accepted as astandard. Increasingly, NIS has proven unable to pass stringent securityguidelines for user account management and access control, both from a simpleIT best practices perspective and from a regulatory compliance perspective.This fact, combined with Sun's end-of-life announcement for NIS and NIS , hasprompted corporate security and compliance managers and IT administrators tolook for a solution to replace NIS with a solution that is secure, manageable,and cost-effective.This white paper examines the challenges of migrating NIS deployments to acentral repository, and explains in detail how a combination of Microsoft ActiveDirectory and Centrify DirectControl can deliver a cost-effective solution thatstrengthens security while improving IT efficiency.
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATIONInformation in this document, including URL and other Internet Web site references, is subject to changewithout notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mailaddresses, logos, people, places and events depicted herein are fictitious, and no association with any realcompany, organization, product, domain name, e-mail address, logo, person, place or event is intended orshould be inferred. Complying with all applicable copyright laws is the responsibility of the user. Withoutlimiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into aretrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording,or otherwise), or for any purpose, without the express written permission of Centrify Corporation.Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rightscovering subject matter in this document. Except as expressly provided in any written license agreement fromCentrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,or other intellectual property. 2008 Centrify Corporation. All rights reserved.Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries.Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks ortrademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respectiveowners.[WP019-2008-04-15] 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE II
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATIONContents1Introduction . 12About Network Information Service . 12.1 Limitations of NIS . 32.2 Alternatives to NIS . 33How the Centrify NIS Solution Works in a NIS Environment. 43.1 Using the Centrify DirectControl Network Information Service . 53.2 Understanding the Servicing of NIS Client Requests. 63.3 Importing and Creating Additional NIS Maps . 73.3.1 Importing Network Information from Existing NIS Maps. 73.3.2 Creating New Network NIS Maps in Active Directory . 83.3.3 Creating Generic Custom Maps . 83.3.4 Maintaining Map Records in Active Directory. 83.3.5 Managing Automounts without Using NIS . 93.4 Discontinuing Use of Legacy NIS Servers . 93.5 Migrating NIS Clients . 94Migration Approaches . 94.1 Example of Using NIS Clients with DirectControl Agents . 104.2 Example of Migrating Users Gradually . 104.3 Example of Complete Removal of NIS from the Enterprise . 125How to Contact Centrify . 14 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE III
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATION1IntroductionMost CIOs and IT managers will say that security is the number one issue they have todeal with in keeping their company’s IT systems running smoothly. Security is a broadterm that applies to computing systems, people, applications, data, physical access andpolicies – virtually every aspect of modern computing. In prioritizing their efforts, manyIT managers are first concentrating on getting control over systems and people. As arecent Goldman Sachs security survey of IT managers at Fortune 1000 organizationsfound, Identity and Access Management is a top priority for spending. "As Identity andAccess Management (IAM) solutions help limit the number of individuals who haveaccess to sensitive materials as well as recording who accessed what, it is not surprisingto see IAM solutions scoring highly in our survey for the third time running, with 78% ofrespondents expecting to increase spending in the area over the next 12 months."The survey reflects the fact that achieving a consistent, repeatable regimen for managinguser accounts and controlling access to systems remains an unsolved challenge for manyIT managers. Most organizations have deployed a variety of operating system platforms,each with its own methods of storing user account information and of using thatinformation for authentication, authorization, accounting, and access control purposes.One of the most common and pressing security issues that IT managers have been forcedto address in recent years is the Network Information Services (NIS) infrastructure thatthey have relied upon to manage their Unix and Linux environments. Unfortunately, NIShas proven unable to pass stringent guidelines for user account management and accesscontrol, both from a simple IT best practices perspective and from a regulatorycompliance perspective.As IT managers build a strategy for replacing NIS, their first requirement is frequently tomigrate the user account information held in NIS into a single, centralized repository.The benefits of a centralized repository are easily understood because they address notonly security concerns but also the corresponding need to control expenses bysimplifying IT infrastructure and streamlining IT operations. For a good overview of thebenefits of adopting a single repository, see the Centrify white paper Centrify's SolutionFor Migrating Unix Directories To Active Directory.This white paper examines the challenges of migrating NIS deployments to a centralrepository, and explains in detail how a combination of Microsoft Active Directory andCentrify DirectControl can deliver a cost-effective solution that strengthens securitywhile improving IT efficiency.2About Network Information ServiceThis section provides some background on NIS for those who are unfamiliar with NIS orwho want to learn more about how NIS works. This section is not comprehensive, butexplains key concepts and definitions used in this white paper. 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 1
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATIONNetwork Information Service (NIS), originally called “Yellow Pages” (YP), providescentralized storage and distribution of information that needs to be known throughout thenetwork. The information accessed is stored in files called maps. NIS has a master-slavearchitecture: data can be updated only in a central, master server, where all maps aremaintained. Slaves can handle client requests for map access, but the slaves can make nochanges to the maps. Changes are made only at the master server, and then distributedthrough the master NIS server to the slaves.NIS is implemented through several daemons that handle NIS requests: ypserv on theserver side, and ypbind on the client side. Updated maps can be transferred to NIS slaveseither manually (using yppush) or automatically through ypxfrd (NIS slaves checktimestamps on the master and update their maps as needed).In a typical NIS environment, the NIS server is used to centrally manage a set of databasemaps that correspond to the system configuration files that are commonly found on Unixsystems—such as the /etc/passwd, /etc/group, secret authentication hashes in /etc/shadow,/etc/hosts, and /etc/services files—for a set of computers that make up a NIS domain.Each NIS map corresponds to a specific configuration file, such as the /etc/passwd or/etc/hosts file, and consists of a set of keys and values, and a version number for the data.When computers on the network require information stored in NIS maps, they send a NISclient request to query for the information. Each client computer that needs access to theinformation in the NIS database maps runs the ypbind process to identify and connect tothe NIS server best suited to respond to its request. When the NIS server receives arequest, it replies with the appropriate information from its set of NIS maps.Defining netgroups allows an enterprise to restrict access to hosts, NFS access andadministrators by checking permissions when processing requests for remote mounts,remote logins, and remote shells in a NIS domain. The main database for netgroups isstored on the NIS master server in the /etc/netgroup file. For remote mounts, theinformation in netgroup is used to classify machines; for remote logins and remote shells,it is used to classify users. NIS clients can use netgroups to include the map entries forthe members of a netgroup in the password file, /etc/passwd.The automount map, called auto.master, is typically used to share home directories on aNFS file share. The automount daemon reads the auto.master map to find out whichdirectory to mount either at login or when a file is touched in the directory. A script canbe used instead to mount a directory instead of “what should be mapped.”Communication between NIS servers and clients is based on the Remote Procedure Call(RPC) protocol, which uses the External Data Representation (XDR) standard andTransmission Control Protocol (TCP) and User Datagram Protocol (UDP). 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 2
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATION2.1Limitations of NISAlthough NIS can be very efficient in responding to queries for network information, it isnot a secure mechanism for providing authentication and authorization services. Forexample:2.2 If NIS clients use the broadcast service to locate NIS servers on the network,intruders can easily introduce their own NIS server with their own privilegedaccounts. Once a client binds to the rogue NIS server, the intruder can gain access tothat client and perform unauthorized operations. The NIS server’s only security policy is the securenets setting. The securenets settingidentifies which NIS clients to accept queries from. If an intruder impersonates aclient that the securenets setting allows the NIS server to accept, he can download allof the NIS data. Even if an intruder fails the securenets test, he could potentiallyinspect all of the NIS requests and decode the data to gain access. Netgroups are not effective when they are used for transparent access across thenetwork utilizing rlogin and rsh. Syntax errors in /etc/netgroup files (,,) will allow allusers and machines trusted access. If NIS is used for authentication, password hashes are sent around the network inclear text and can be easily captured and cracked, making client systems vulnerable. NIS performs no authentication at the RPC level; any machine on any network couldeasily create a fake RPC reply simply by pretending to be the NIS serverAlternatives to NISSun's end-of-life announcement for NIS and NIS support, and the recommendation touse LDAP, have given system administrators a need to deploy new network services orleverage existing directory deployments. As a recent Linux.com article observed: “Sun ispushing LDAP as the replacement, but no two LDAP clients are implemented the sameway. Sun doesn’t talk to an LDAP server like a Linux machine does, or an AIX or HPUX machine does for that matter. Every one of these platforms has one issue or another.For Linux, nobody appears to have written the client-side code to properly handlenetgroups for all the things you might use netgroups for. For Sun, there's no start tlsimplementation. NetApp just barely knows what LDAP is.”Some within the Unix community believe that migrating to an LDAP server such asOpenLDAP, IBM SecureWay, Novell's eDirectory, or Sun's SunONE directory server isthe way to go. Many organizations favor using Microsoft’s Active Directory and GroupPolicy system, which has been an integral part of Windows since the release of Windows2000 Server. Active Directory is typically already deployed for managing Windowssystems and users, and organizations have already invested considerable time andresources to set up a secure and robust domain controller infrastructure, and to create ITworkflow and provisioning systems to manage user accounts. Thus, many organizations 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 3
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATIONare turning to Active Directory as the logical and cost-effective directory from which tomanage more of their enterprise.3How the Centrify NIS Solution Works in a NIS EnvironmentReplacing NIS with a combination of Active Directory and Centrify DirectControl is anexcellent choice because many of the key features that IT managers are looking for areincluded with Active Directory and the Centrify DirectControl Agent. Centrify makes iteasy to migrate a legacy NIS-based infrastructure to a modern LDAP- and Kerberosbased directory infrastructure that works across a heterogeneous environment comprisedof Windows, Unix, Linux and Mac systems. In addition, the security risks are greatlyreduced when the legacy NIS environment is replaced with Active Directory as thecentral repository of identity information and the Centrify DirectControl Agent (adclient)serves as the “client” requesting information.Active Directory and Centrify DirectControl provide more secure authentication,authorization, and directory services than NIS by using the existing features in ActiveDirectory and using Centrify DirectControl Zone technology for authorization and theDirectControl Agent for authentication. Once a machine is joined to an Active Directorydomain and placed in a DirectControl Zone, the Unix machine Name Service Switchconfiguration file, nsswitch.conf (AIX has a similar feature), is modified so that accountlookup requests are passed to Active Directory through the Centrify DirectControl Agent,effectively bypassing the NIS client and server environment for passwordauthentications.It may not be possible to completely replace NIS, or in large organizations there may bemany NIS domains that require a phased approach. The following should be consideredin any NIS migration of any size: Legacy NIS Servers. It may be necessary to keep a legacy NIS server that isconfigured with network information, such as netgroup or automount maps, to makeavailable in response to client requests initially during a migration. Applications. Some applications may require access to a NIS server because theysend requests directly to the NIS port and expect a NIS process to be listening there. Network Attached Storage Devices and Legacy Systems. Devices such asNetwork Attached Storage devices or computers with older operating systems forwhich there is no DirectControl Agent may also need access to information normallystored in NIS maps. Those devices or computers cannot join an Active Directorydomain, but are capable of submitting NIS client requests. In these cases, a NISserver may be the only option for providing authentication and look-up services. 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 4
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATION3.1Using the Centrify DirectControl Network Information ServiceComputers, devices, or applications that require access to a NIS server, on either anongoing or temporary basis, can use the Centrify DirectControl Network InformationService to replace existing NIS servers.To support computers and applications that are capable of submitting NIS client requeststo a NIS server, DirectControl provides its own Network Information Service server. TheDirectControl Network Information Service (adnisd) is an optional addition to theCentrify DirectControl Agent and can be installed on one or more DirectControlmanaged computers as needed. It is very useful in environments where a phasedmigration is planned from existing NIS servers and clients or when the environmentincludes legacy systems that cannot migrate or upgrade to support the DirectControlAgent. The figure below shows how the DirectControl Network Information Serviceworks when the NIS client is a remote machine.DirectControl ZoneDirectControl-Managed NIS ClientsNIS CacheMicrosoft Active DirectoryDirectControl-Managed Server w/DirectControl Network Information ServiceThe DirectControl NIS Architecture. The DirectControl-managed NIS client requestsinformation from the DirectControl Network Information Service running within its Zone.The DirectControl Network Information Service retrieves the information from its localcache and returns it to the client. Periodically, the DirectControl Network InformationService sends a request to Active Directory for updated NIS maps for the DirectControlZone to which it belongs.Once installed and running, the DirectControl Network Information Service functionslike a standard NIS server, but it responds to NIS client requests using the informationstored in Active Directory, including any information imported from passwd and groupNIS maps or from /etc/passwd and /etc/group files. When the NIS client is also aDirectControl-managed system, a secure directory service is provided throughauthenticated and encrypted connections between Active Directory and the DirectControlNetwork Information Service, and from the DirectControl Network Information Serviceto the NIS clients. When the NIS client is not managed by DirectControl (for example, onlegacy systems not supported by DirectControl or during a phased migrations), it has 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 5
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATIONsome of the same security limitations as a standard NIS environment, with anauthenticated and encrypted connection only between Active Directory and theDirectControl Network Information Service.All user and group information is either found in cache or retrieved over encrypted LDAPconnections, and user authentication is handled by Kerberos. The end result is that Unixauthentication leverages Active Directory. This allows NIS password hashes to bereplaced with protected Kerberos authentication in a phased approach.The DirectControl Network Information Service cannot be used with any legacy NISservers in the same NIS domain. It can be used only in conjunction with Active Directoryand the DirectControl-managed systems. The legacy server expects other servers to beeither a master or a slave. The DirectControl Network Information Service does notsupport master-slave legacy NIS servers.3.2Understanding the Servicing of NIS Client RequestsTogether, the DirectControl Agent and DirectControl Network Information Servicesperform the role of a legacy NIS server and gateway for data stored in Active Directory.The NIS clients on the network communicate with the DirectControl NetworkInformation Service using Remote Procedure Calls (RPC) sent to the NIS port on theDirectControl-managed computer. The DirectControl Agent is responsible for allcommunication with Active Directory and maintains its own separate cache of data fromwhich the DirectControl Network Information Service can derive the user and groupinformation for the DirectControl Zone.When the DirectControl Network Information Service receives a request from the NISclient, it checks its local cache of map data and then responds to the client that made therequest.The local cache of map data is generated from the map data the DirectControl NetworkInformation Service receives from Active Directory. Within the local cache, there are twotypes of maps: Explicitly-defined maps are NIS maps imported into Active Directory from anexisting NIS domain or from text files, or created manually using the DirectControlAdministrator Console. Derived maps are maps that are automatically generated from information stored inActive Directory. Derived maps access the same data using different keys. Forexample, the user and group maps in the local cache are not retrieved directly fromActive Directory, but are generated based on the users and groups that have beenenabled for the local computer’s Zone. The maps derived from the Zone informationare passwd.byname, passwd.byuid, group.byname, and group.bygid. Theseautomatically generated maps are placed in the local cache, and can then be used tolook up or authenticate users by user name or by UID value, and groups by group 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 6
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATIONname or by GID value. By default, the password hash in the passwd map is notpopulated because DirectControl does not need it for authentication.Periodically, the DirectControl Network Information Service connects to ActiveDirectory to locate updates to explicitly defined NIS maps. It then synchronizes its localcache of NIS map data to mirror any changes detected in Active Directory. After pollingActive Directory for updates to explicitly defined maps, the DirectControl NetworkInformation Service retrieves all users and groups in the current Zone from adclient, andgenerates the derived maps for user and group information.The DirectControl Network Information Service also generates derived maps forexplicitly defined maps when possible. If the DirectControl Network Information Servicefinds a NIS map defined in Active Directory with a name it recognizes as a common mapname, such as netgroup or service, it automatically derives related maps; for example, thenetgroup.byhost and netgroup.byuser for the netgroup map or services.byname andservices.byservicename for the services map.The DirectControl Network Information Service stores all of the explicitly defined andderived maps in its own local cache of map data (in most cases, /var/centrifydc/nis/*).Because the DirectControl Network Information Service always responds to NIS clientrequests using the data in its local cache, it can respond even when Active Directory isnot available.3.3Importing and Creating Additional NIS MapsUsing the Centrify DirectControl administrator console, NIS maps can be imported fromlegacy NIS servers or new network maps can be created. Network information can beimported from standard NIS maps, such as automount, automaster, and netgroupdatabases.In addition to the user and group information, the DirectControl Network InformationService can be used to service NIS client requests for network information or to makeinformation from custom maps available.Custom maps can be created as key/value pairs stored in a DirectControl Zone in ActiveDirectory. The passwd.* and group.* maps are derived automatically from theinformation stored in Active Directory for the Zone. Therefore, these derived mapsinclude account information for any passwd and group NIS maps or configuration filesthat have been imported and migrated to Active Directory using the Import from Unixwizard in the DirectControl Administrator Console.3.3.1Importing Network Information from Existing NIS MapsThe DirectControl Administrator Console’s import wizard can be used to import networkinformation from standard NIS maps such as automount, netgroup, and automaster intothe DirectControl Zone that will serve the NIS map data. There are also options to 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 7
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATIONconnect directly to the NIS server and domain directly or to import the information froma text file.3.3.2Creating New Network NIS Maps in Active DirectoryIf the maps cannot be imported from existing NIS maps, then new maps can be createdby adding the appropriate information directly to Active Directory using theDirectControl Administrator Console. Once the information is added to Active Directory,the DirectControl Network Information Service will read the maps from Active Directoryand store them in its local cache and make the information available to NIS clients. Thiscan also be used to create netgroup, automaster, and automount network maps.3.3.3Creating Generic Custom MapsGeneric maps can be created and published for any type of custom information that needsto be made available to NIS clients. Generic custom maps consist of a simple key/valueformat and optional comments. Generic maps can also be used to manually createstandard NIS maps that consist of key/value pairs.3.3.4Maintaining Map Records in Active DirectoryOnce NIS maps are stored in Active Directory, they must be maintained to ensure thechanges in the records in Active Directory are reflected in the local map cache that theCentrify DirectControl Network Information Service uses to respond to NIS clientqueries. The DirectControl Administrator Console can be used to manually add, edit, ordelete individual map records for any map. The specific fields available in each record,and which fields are required and which are optional, depend on the type of map this isbeing edited. For example, the fields in an auto.master map entry are different from thefields in a netgroup map entry. 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 8
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATION3.3.5Managing Automounts without Using NISAutomount information stored in Active Directory can be accessed through theDirectControl Network Information Service or directly through an LDAP request thatbypasses the DirectControl Network Information Service.Centrify has an alternative to using the DirectControl Network Information Service, withan optional adauto.pl script to get automount data (the script is located in the/usr/share/centrifydc/etc directory). The adauto.pl script gets mount point informationdirectly from Active Directory using LDAP. With the adauto.pl script, the automount ofthe home directories will be performed by using the information from NIS maps withoutrequesting them from the DirectControl Network Information Service.The adauto.pl script uses the information stored in the auto.home NIS map for theDirectControl Zone the local computer is a member of. After the script is added to theautomount configuration, the automounter program invokes the script and passes it theuser name of the user logging on. The adauto.pl script then uses the ldapsearch commandto retrieve the mount point information from Active Directory and returns the path to theremote home directory for the user logging on. The automounter will then attempt toconnect to that home directory.3.4Discontinuing Use of Legacy NIS ServersOnce the NIS maps are stored in Active Directory, incremental updates of the NIS datastored in Active Directory can be done by using the DirectControl AdministratorConsole. Updates made are then propagated to all of the DirectControl NetworkInformation Service servers automatically.For each NIS domain, the DirectControl Network Information Service deployed acrossthe enterprise replaces the legacy NIS servers without changing NIS client configurationsto complete the migration to Active Directory for secure, centralized directory service.3.5Migrating NIS ClientsIf the DirectControl Agent can be installed on the NIS client machine, a secureauthentication will take place directly through Active Directory, and NIS maps will berequested and loaded using the DirectControl Network Information Service.4Migration ApproachesThere are multiple ways of approaching an existing NIS environment using the CentrifyNIS migration features of DirectControl and the DirectControl Network InformationService.Customers have implemented NIS in many ways within their own organization to usesome or all of the features of NIS. 2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.PAGE 9
CENTRIFY WHITE PAPERCENTRIFY'S SOLUTION FOR NIS MIGRATION4.1Example of Using NIS Clients with DirectControl AgentsAn organization has an existing NIS environment, and wants to do authentication withActive Directory and keep standard NIS maps and custom maps used by an in-houseapplication on NIS. A simple approach is to install the Agents on the NIS clients forauthentication to Active Directory and use the DirectControl Network InformationService to serve the maps. The following steps can be performed:1.Create a Direc
Sun Microsystem's Network Information Service (NIS, originally known as Sun Yellow Pages) has been the primary choice for managing Unix identity . Directory and Centrify DirectControl can deliver a cost-effective solution that . Identity and Access Management is a top priority for spending. "As Identity and Access Management (IAM .
