Research for managing Windows clients #7
Labels
No labels
Security
TeX
auto-update
check
delete-eslint-rc-js
check
update-builddeps-package-json
check
update-eslint-rc-js
check
update-gitignore
check
update-merge-request-template
check
update-prettier-ignore
check
update-pyproject-toml
check
update-renovate-json
check
update-tox-ini
part
backend
part
ci
part
docs
part
frontend
part
i18n
part
non-technical
part
packaging
prio
1
prio
2
prio
3
release-mr-5.x
size
large
size
medium
size
small
source
customer
source
customer::fsmw
source
customer::fss
source
customer::teckids
source
downstream
type
bug
type
feature
type
refactoring
workflow
blocked
workflow
confirmed
workflow
current-todo
workflow
discussing
workflow
new-app
workflow
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
aleksis/AlekSIS-App-Kompjuter#7
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Scope of this issue
This issue is supposed to be a collection of research into the question of how to use AlekSIS as a management tool for Windows client machines. It will not get a concrete implementation; such an implementation will later be drafted in separate issues.
Background
The ultimate goal of AlekSIS-App-Kompjuter is to achieve feature parity (to some important extent) with Debian Edu 10, which used GOSa and Samba to provide an NT-style domain for Windows clients. Debian Edu also uses OpenLDAP and Kerberos to provide user authentication and, to some extent, client management to its own Debian Edu workstation clients.
With AlekSIS-App-Kompjuter, fai-webapi and system-auth-webapi, we are trying to simplify and decentralise client management for Debian Edu (and generally all kinds of clients) by leveraging the benefits of Web APIs (only HTTP necessary, which is stateless, relatively easy to load-balance and to move off-site). We already have:
At this point, we can fully deploy and manage client systems and authenticate users without ever talking to anything more complex than AlekSIS' REST API.
Debian Edu, on the other hand, has basically dropped Windows client support together with Samba 3. Samba 4, which is a drop-in replacement for Microsoft Active Directory, now enforces its own internal LDAP server and cannot work with an external directory anymore.
Goals for Windows support
While overhauling the management of Debian clients leveraging AlekSIS and web APIs, we want to re-introduce support for Windows clients. To do this, there is one obvious solution: We could provide a way to deploy a Samba 4 server, and let AlekSIS replicate user and host information into it. This is what other solutions, like Linuxmuster, seem to do. We will look into this as one option.
However, we would lose some benefits of using only web APIs doing so, so we need to look into other options. We also need to figure out how to do software deployment and configuration.
More concisely, the goals are (ordered by priority):
Research topics
The following topics should be researched as options for implementing the above goals, or as background knowledge. The topics have no defined order, they can be researched in any order that seems to make sense.
What APIs does Samba offer?
If it should turn out that we need to orchestrate Samba 4, we sholud know how to do it. What APIs (REST? RPC? Command-line tools?) does it offer to manage users, hosts, credentials,…?
Can we simply talk OpenLDAP, and everything works? One point to watch out for is changing passwords, which in turn has to cover two scenarios:
OpenLDAP implements the Password Modify Extended Operation (in contrast to simply changing the attribute holding the password), and allows hooking into it. So, in OpenLDAP, we can catch a password change, and in turn run code to update NTLM hashes or Kerberos principals.
Does Samba also offer the Password Modify Extended Operation? If yes, is it enough to really update a user's cerdentials, so they work everywhere after that? In short: Can we just talk LDAP, and be done with that scenario?
How does Microsoft Azure AD handle authentication and password changes?
Microsoft has started their own efforts in moving user and client management out of the basements of their customers and into their Azure cloud, called Azure AD. Azure AD offers web-based APIs for user management, and it seems they also offer OAuth for users to authenticate against it.
The main question here is: Does Windows use these APIs? Traditionally, Windows AD uses Microsoft's versions of LDAP and Kerberos/GSSAPI. Did this change, and for the cloud-based Azure AD, Windows now uses web APIs? Or does it still talk LDAP and Kerberos to the Azure Cloud?
How does Microsoft Azure AD handle system configuration, GPOs,…?
This question is the same as the previous one, but for everything related to system configuration, which is GPO in traditional AD.
What APIs does Windows offer to modify the login process?
Another approach would be to modify the Windows logon process. Do we even have to use the AD mechanisms? Or can we write some kind of plugin that handles authentication for us, and we can then simply port system-auth-webapi to Windows?
Prior to Vista and Server 2003, Windows had a pluggable system called GINA that officially supported overriding the logon process by replacing GINA's DLL file. Does such a mechanism still exist in Windows 10 or 11?
If so, is there documentaiton or prior art (existing projects) that leverage this?
Can we orchestrate some Windows package manager for software deployment?
There are two well-known package managers for Windows, opsi and WAPT. @sunweaver seems to prefer WAPT, and as it seems they have already a repository of pre-packaged software.
Can we orchestrate these platforms, so that the packages to be installed per host could be configured in AlekSIS?
How does Linuxmuster orchestrate Windows?
Linuxmuster can manage Windows and Linux clients. We should collect information on how it does that, and how the "Schulkonsole" interacts with all the ooling around it (especially Samba and Opsi).
How does Microsoft's device management fit in?
Microsoft also uses its APIs for (mobile) device management, under Microsoft Intune. How does this fit in? What happens when we login to a device using an Azure AD device?
How do other third-party MDMs integrate with Azure?
Expected results
Results for the research should collect, per topic:
changed the description
changed the description
assigned to @sggua
changed the description
The answer seems to be that Microsoft has undergone exactly the same transformation as we have scheamed for Debian Edu: https://www.varonis.com/blog/azure-active-directory
Trying out Azure AD
Logging into Azure, we automatically get a default Azure AD directory, and we can also create new tenants as new directories.
We can manage users, which get principal names below a third-level domain under
onmicrosoft.com.Observation: the subdomain is not DNS-resolvable
After installation, we can choose to make the device organization-managed. That let's us sign in with the Azure AD account, and automatically registers the device.
The accounts locally get prefixed with the domain
AzureAD\.Assorted findings
changed the description
SAMBA 4
after all preparings it work as well as usual Windows Active Directory does.
The schema was used in a testing is a QEMU libv with installed:
# samba-tool dns query 192.168.122.11 aleksis22.tmp @ ALL -U AdministratorWhat was checked and worked well enough:
Links are used in this research:
WAPT
Most important is that WAPT API v3 well described at:
You can play with WAPT by curl scripts but I didn't found how to do with API such things:
So, if you want see step by step, you're welcome!
It's a "very long read" so take a cola and go!
The same linux system was used (with Samba4) for this research.
ERROR occured:
The problem was in used port 80 by apache2, so I disabled it. Apache was not necessary.
8.You need one certificate and matching private key to be able to sign actions and configurations.
To activate the licence, use the licence.lic file provided by our sales department.
So, no licenses for now.
The path to your private key MUST NOT be in the installation path of WAPT (C:\Program Files (x86)\wapt).
GPO worked!
After installing WAPT you can manipulate using:
Lets try to see get-post packages with Wireshark...
This part with wireshark is not really was needed so just main points.
Several times a minute I've got checks of licenses.. and nothing more..
"GET /licences.json HTTP/1.1" 200 0 "-" "wapt/2.2.2".. and several pages of html.. it was not the result that I looked for..
Wireshark, TLS decoding, SSL MIM parsing.. and nothing interested...
only the license checks....
i.e.
Following are requests with parts of responds.
_html trash in a responce... _
Or using the Firefox
**further requests needs credentials. **
and then you could get proper JSONs as replies.
API v3 well described at
https://www.wapt.fr/en/doc/wapt-api.html?highlight=api#api-v3
so we could try it in much correct way
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/reported_managed_hosts_count'
{"success": true, "result": 2}
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/get_ad_ou'
{"success": true, "msg": "AD OU DN List", "result": ["CN=Computers,DC=aleksis22,DC=tmp"], "request_time": 0.0011298656463623047}
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping'
{"success": true, "msg": "WAPT Server running", "result": {"version": "2.2.2", "full_version": "2.2.2.12388-10e35aa7", "api_root": "/api/", "api_version": "v3", "uuid": "db2233e8-23a6-11ed-8ce2-525400683c8f", "date": "2022-08-28T00:33:12.558762", "application_root": "", "edition": "enterprise", "platform": "Linux", "architecture": ["64bit", "ELF"]}, "request_time": 0.013669729232788086}
get the readable JSON response.
howto: https://stackoverflow.com/questions/27238411/display-curl-output-in-readable-json-format-in-unix-shell-script
: add "| json_pp -json_opt pretty,canonical" to the end of commandAnswer = 2
install PyScripter x86 and x64 on w10-wapt
install Python3 x86 and x64 on w10-wapt
test-7-zip-22.01-x64 is in a list
And that's probably all..
You cannot manage software by curl or manage windows console.
Links used in a research:
pGina 3.1.8.0
(OpenSource tool to add an ability to Windows systems to use third party logon plugins)
All testings in this research made with v.3.1.8.0
You can write own plugins for this and for forked versions:
GINA for Windows 10
https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina
http://pgina.org/
https://github.com/pgina/pgina/wiki
https://github.com/pgina/pgina/wiki/How-pGina-Works
pGina is a replacement for the default Windows Credential Provider (CP), or GINA (for XP and earlier). Through plugins, pGina allows you to configure many aspects of the login process from authentication and authorization through to logging and terminal events.
Note that the Credential Provider framework is supported in Windows 7/Vista and higher. Prior versions of Windows used a framework called GINA. For much of this guide, we'll simply refer to it as a Credential Provider or CP.
Let's try pGina on a new cloned win10-pgina
Install pGina
https://github.com/pgina/pgina/wiki/Install#installing-pgina
LDAP Server on Ubuntu Server 17.04 and Windows 10 Client (pGina)
https://www.youtube.com/watch?v=6ls6kRvGkrU
So this schema can work but you should be sure that a client can see a server in a network environment.
There are several available plugins to use with pGina for logon:
Let's try:
\ - user se----@----.de
\ - LDAP host: debian11.aleksis22.tmp
\ - Search Filter: uid=%u
\ - Email, LDAP, Local machine
Simulation1 (IMAP):
Simulation2 (IMAP):
result: SUCCESS
Simulation3 (IMAP):
https://superuser.com/questions/1042701/openldap-and-pgina-vs-active-directory-using-samba4-domain-controller
OpenLDAP and pGina vs Active Directory (Using Samba4 Domain Controller)
pGina fork
http://mutonufoai.github.io/pgina/index.html
http://mutonufoai.github.io/pgina/documentation.html
this fork has extra plugins:
Going ahead..
Re-configured original (not forked) pGina:
Simulation works only with Email authentication.
Char '@' replaced with '.' in username.
Going to check it in real login case.
First test was unsuccessful..
Disabled plugins: LDAP, Modificate username.
Enabled only Email plugin.
Test successuful!


Access granted! (Email only...)
OpenID / OAuth 2.0 and Windows login.
OIDC
for Azure AD:
--etc.
ADSelfService Plus:
Ivanti:
Certified OpenID services and libraries:
Several non-proprietary OpenID-certified services:
AuthMachine 4.0.7 https://authmachine.com/
Gluu Server 4.0.0 http://www.gluu.org/
Gravitee.io Access Management 2.1.x https://gravitee.io/
Identity Server 5.4.0 https://wso2.com/identity-and-access-management
Verify My Identity 0.1.1 http://verifymyidentity.com/
Ansible
https://en.wikipedia.org/wiki/Ansible_(software)
Probably it could help us with automated scripts?..
https://www.ansible.com/overview/how-ansible-works?hsLang=en-us
Ansible is a radically simple IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.
Short video: https://www.youtube.com/watch?v=VRoQLVHdNHE
https://www.tutorialspoint.com/ansible/index.htm
Quick guide: https://www.tutorialspoint.com/ansible/ansible_quick_guide.htm
Installation Process
Mainly, there are two types of machines when we talk about deployment −
Control Machine Requirements
Ansible can be run from any machine with Python 2 (versions 2.6 or 2.7) or Python 3 (versions 3.5 and higher) installed.
Note − Windows does not support control machine.
By default, Ansible uses ssh to manage remote machine.
Docs: https://docs.ansible.com/index.html