Novell Open Enterprise Server 11 SP3 Administration Guide

Brand: Novell

Model: Open Enterprise Server 11 SP3

Type: Administration Guide

www.novell.com/documentation

Domain Services for Windows

Security Guide

Open Enterprise Server 11 SP2

January 2014

Legal Notices

Novell,Inc.makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically

disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.

reservestherighttorevisethispublicationandtomakechangestoitscontent,at

anytime,withoutobligationtonotifyany

personorentityofsuchrevisionsorchanges.

Further,Novell,Inc.makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany

expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.reservestheright

makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof

suchchanges.

AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade

lawsofothercountries.Youagreeto

complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor

classificationtoexport,re‐export,orimportdeliverables.Youagreenottoexportorre‐exporttoentitiesonthecurrentU.S.

exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.

exportlaws.Youagreetonotuse

deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.Pleaserefertowww.novell.com/info/

exports/formoreinformationonexportingNovellsoftware.Novellassumesnoresponsibilityforyourfailuretoobtainany

necessaryexportapprovals.

Nopartofthispublicationmaybereproduced,photocopied,storedon

aretrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.

Novell, Inc.

1800 South Novell Place

Provo, UT 84606

U.S.A.

www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see (http:/

/www.novell.com/documentation/oes11).

Novell Trademarks

ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/

tmlist.html).

Third-Party Materials

Allthird‐partytrademarksarethepropertyoftheirrespectiveowners.

Contents 3

Contents

About This Guide 5

1 Overview 7

2 Domain Services for Windows Security Model 9

2.1 DSfW Unit of Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

2.2 Partitions and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

2.2.1 eDirectory Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

2.2.2 DSfW Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

2.3 Understanding DSfW in Relation to Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

2.3.1 Additional Features of Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2.4 DSfW Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2.5 Authenticating to Other Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

2.6 SYSVOL Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

3 Using Access Control Lists in Domain Services for Windows 13

3.1 ACL Changes in a Tree When DSfW Is Installed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

3.1.1 Installing a New Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

3.1.2 Installing a Forest Root Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

3.1.3 Installing a Non-Name-Mapped Forest Root Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

3.1.4 Installing a Name-Mapped Forest Root Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

4 Trust Relationship of Domains in the Forest 19

5 Authentication Methods 21

5.1 Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

5.1.1 LAN Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

5.1.2 NT LAN Manager (NTLM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

5.1.3 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

5.2 Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

6 Components of Domain Services for Windows 23

7 Using Group Policies to Secure Your Network 27

8 System Security Considerations 29

8.1 Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

8.1.1 DSfW Install Opens Ports 53 and 953 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

8.2 Starting and Stopping Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

8.3 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

8.4 Other Security Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

4 OES 11 SP2: Novell Domain Services for Windows Security Guide

9 General Security Considerations 31

9.1 Disabling a Server from Being a Global Catalog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

9.2 Retrieving Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

9.3 Getting a UID Range for a Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

9.4 Preventing Workstation Administrators from Accessing the SYSVOL Folder . . . . . . . . . . . . . . . . . .32

10 Encryption 33

11 Logging 35

A Windows and Active Directory Terminology 37

About This Guide 5

About This Guide

ThisguidedescribessecurityissuesandrecommendationsforNovellDomainServicesforWindows

forNovellOpenEnterpriseServer11.

 Chapter 1,“Overview,”onpage 7

 Chapter 2,“DomainServicesforWindowsSecurityModel,”onpage 9

 Chapter 3,“UsingAccessControlListsinDomainServicesforWindows,”onpage 13

 Chapter 4,“TrustRelationshipofDomainsin

theForest,”onpage 19

 Chapter 5,“AuthenticationMethods,”onpage 21

 Chapter 6,“ComponentsofDomainServicesforWindows,”onpage 23

 Chapter 7,“UsingGroupPoliciestoSecureYourNetwork,”onpage 27

 Chapter 8,“SystemSecurityConsiderations,”onpage 29

 Chapter 9,“GeneralSecurityConsiderations,”onpage 31

 Chapter 10,“Encryption,”onpage 33

 Chapter 11,“Logging,”onpage 35

 Appendix A,“Windowsand

ActiveDirectoryTerminology,”onpage 37

Audience

Theguideisintendedforsecurityadministratorsoranyonewhoisresponsibleforthesecurityofthe

system.

Feedback

Wewanttohearyourcommentsandsuggestionsaboutthismanualand theotherdocumentation

includedwiththisproduct.PleaseusetheUserCommentsfeatureatthebottomofeachpageofthe

onlinedocumentation.

Documentation Updates

Forthemostrecentversionofthisguide,seetheOES11SP2documentat ion Website(http://

www.novell.com/documentation/oes11).

Additional Documentation

Forinformationoninstalling,configuring,andusingNovellDomainServicesforWindowsseeOES

11SP2:DomainServicesforWindowsAdministrationGuide.

ForeDirectoryinstallationinstructions,seetheNetIQeDirectory8.8InstallationGuide(http://

www.netiq.com/documentation/edir88/index.html).

FordocumentationontheeDirectorymanagementutility,seetheiManager2.7.7AdministrationGuide.

6 OES 11 SP2: Novell Domain Services for Windows Security Guide

Forinformationonsecurityvulnerabilities,seeSecurityConsiderations(http://www.netiq.com/

documentation/edir88/edir88/data/bbybkf0.html)inthe.NetIQeDirectory8.8AdministrationGuide

(https://www.netiq.com/documentation/edir88/edir88/data/front.html)

Overview 7

Overview

DomainServicesforWindows(DSfW)isasuiteoftechnologiesinOpenEnterpriseServer(OES)11

thatallowsMicrosoftWindowsuserstoaccessOESservicesthroughnativeWindowsandActive

Directoryprotocols.ByallowingOESserverstobehaveasiftheywereActiveDirectoryservers,this

technologyenablescompanieswithActive

DirectoryandNetIQeDirectorydeploymentstoachieve

bettercoexistencebetweenthetwoplatforms.UserscanworkinapureWindowsdesktop

environmentandstilltakeadvantageofsomeOESback‐endservicesandtechnology,withoutthe

needforaNovellClientonthedesktop.

AdministratorscanuseeitherNovelliManager

orMicrosoftManagementConsole(MMC)to

administerusersandgroups.Networkadministratorsmanagefilesystemsusingthenativetoolsof

eachserver,andtheycanalsocentrallyadministerSambasharesonOES/DSfWserversbyusing

iManager.

AdministratorscanuseMMCtocreateone‐wayinter‐domaintrustsbetweenDSFW

domainsand

ActiveDirectorydomains.

WhenDSfWisdeployedinanenvironmentthatalsosupportsNetWareCoreProtocol(NCP),DSfW

supportscross‐protocollocking.WhethercustomersdecidetouseonlyWindowsclients,NCP

clients,oracombinationofboth,accessrightsforfilesareenforcedbytheNovellStorageServices

(NSS)filesystem.

ADSfWservercanbedeployedwithoutNSS.Inthesecases,theadministratorrunsSambaovera

POSIX‐compliantfilesystem,butthislosesthestrongsecurityprovidedbytheNovellrightsand

accessmodels.

8 OES 11 SP2: Novell Domain Services for Windows Security Guide

Domain Services for Windows Security Model 9

Domain Services for Windows Security

Model

DomainServicesforWindows(DSfW)emulatestheActiveDirectorysecuritymodelontopof

eDirectory,somostofthesecurityconsiderationsforbothActiveDirectoryandeDirectoryapplyto

DSfW.However,therearesomekeydifferences:

 Section 2.1,“DSfWUnitofAdministration,”onpage 9

 Section 2.2,“PartitionsandDomains,”onpage 9

 Section 2.3,“Understanding

DSfWinRelationtoActiveDirectory,”onpage 10

 Section 2.4,“DSfWAuthentication,” onpage 11

 Section 2.5,“AuthenticatingtoOtherServices,”onpage 12

 Section 2.6,“SYSVOLReplication,”onpage 12

2.1 DSfW Unit of Administration

Anorganizationalunit(OU)isthefundamentalunitofadministrationinaDSfWenvironment/

directorystructure.AdministrativepowersarecommonlyallottedattheOUlevel.Granular

delegationcanbeperformedonindividualobjectsorattributes.AnOUcancontainotherobjects,

includingotherOUs,whicharealsoreferredtoascontainer

objects.AnOUcanbenestedto10levels

toorganizethedirectoryandallowthecreationofsubdomains.

Forefficientdirectoryaccess,youcanlimitnestingtothreeorfourlevels.TheOUsshouldbe

arrangedtofacilitategrouppolicyappl icationandadministrativedelegation.TheOrganizational

Unitobjectusuallyrepresents

adepartment,whichholdsasetofobjectsthatcommonlyneedaccess

toeachother.

Atypicalexampleisasetofusers,alongwiththeprinters,volumes,andapplicationsthatthoseusers

need.Atthehighestlevelof OrganizationalUnitobjects,eachOrganizationalUnitcanrepresenteach

site(separatedby

WANlinks)inthenetwork.

AnOUformsanadministrativeboundary,andatreeformsthetruesecurityboundary.

FormoreinformationontheeDirectorystructure,referto“UnderstandingeDirectory“(http://

www.netiq.com/documentation/edir88/edir88/da ta/fbadjaeh.html)intheNetIQeDirectory8.8

AdministrationGuide(https://www.netiq.com/documentation/edir88/edir88/data/front.html)

2.2 Partitions and Domains

 Section 2.2.1,“eDirectoryPartitions,”onpage 10

 Section 2.2.2,“DSfWDomains,”onpage 10

10 OES 11 SP2: Novell Domain Services for Windows Security Guide

2.2.1 eDirectory Partitions

ApartitionineDirectoryisalogicalgroupofobjectsinaneDirectorytree.Partitioningallowsyouto

managethetreebytakingpartofthedirectoryfromoneserverandputtingitonanotherserver.If

youhavesloworunreliableWANlinksorifyourdirectoryhassomany

objectsthattheserveris

overwhelmedandaccessisslow,youshouldconsiderpartitioningthedirectory.

Eachdirectorypartitionconsistsofasetofcontainerobjects,alltheobjectscontainedinthem,and

dataaboutthoseobjects.eDirectorypartitionsdon’tincludeanyinformationaboutthefilesystemor

itsdirectories

andfiles.Partitionsarenamedbytheirtopmostcontainer.

Foracompletediscussionofpartitions,seeManagingPartitionsandReplicas(http://www.netiq.com/

documentation/edir88/edir88/data/a2iiiik.html).

2.2.2 DSfW Domains

AdomaininDSfWisasecurityboundarythatissimilartoapartitionineDirectory.Thedomainalso

formstheadministrativeandsecurityboundaryforalogicalgroupofnetworkresourcessuchas

usersorcomputers.Typically,adomainresidesinalocalizedgeographiclocation;however,this

mightnotalways

bethecase.Domainsarecommonlyusedtodivideglobalareasofanorganization

anditsfunctionalunits.

2.3 Understanding DSfW in Relation to Active Directory

eDirectory:eDirectoryorganizesobjectsinatreestructure,beginningwiththetopTreeobject,which

bearsthetreeʹsname.WhetheryoureDirectoryserversarerunningLinux,UNIX,orWindowsall

resourcescanbekeptinthesametree.Youdon’tneedtoaccessaspecificserverordomaintocreate



objects,grantrights,changepasswords,ormanageapplications.Thehierarchicalstructure ofthetree

givesyougreatmanagementflexibilityandpower.Formoreinformationontrees,referto

“UnderstandingeDirectory“(https://www.netiq.com/documentation/edir88/edir88/?page=/

documentation/edir88/edir88/data/fbadjaeh.html)inthe.NetIQeDirectory8.8AdministrationGuide

(https://www.netiq.com/documentation/edir88/edir88/data/front.html)

IneDirectory,themasterreplicaisawritablereplica

typeusedtoinitiatechangestoanobjector

partitionThemasterreplicaisresponsibleformaintainingallreplicaandschemaepochs.Ifa

replicationorschemaproblemneedstobecorrected,theoperationisperformedfromthemaster

replica.Ifthedirectoryhasbeenpartitionedintoanumberofreplicas,

amasterreplicaisrequiredon

eachserver.

ActiveDirectory:ActiveDirectoryisahierarchicalmultilevelframeworkofobjects.Itprovides

informationontheobjects,organizesthem,controlsaccesstothemandsetssecurity.Thelogical

divisionsofanActiveDirectorynetworkconsistofforests,trees,anddomains.

 Domain:In

ActiveDirectory,adomainisasecurityboundarythatissimilartoapartitionin

eDirectory.EachActiveDirectorydomainthatisconfiguredtoactasaGlobalCatalogstoresa

fullcopyofallActiveDirectoryobjectsinthehostdomainandapartialcopyofallobjectsfor

all

otherdomainsintheforest.

 Forest:AforestisacollectionofActiveDirectorydomainsand iscomparabletoatreein

eDirectory

 TrustRelationships:Youcan setuptrustrelationshipstoshareresourcesbetweendomains.

Federationcanbeaccomplishedthroughestablishingcross‐domainandcross‐foresttrusts.

Domain Services for Windows Security Model 11

 DomainNames:ActiveDirectoryusesdomainclass(DC)namingattherootofanaming

context,asopposedtotheX.500namingusedineDirectory.Forexample,ineDirectorya

partitionisspecifiedasou=sales.o=company,butinActiveDirectorythepartitionisspecifiedas

dc=sales,dc=company,dc=com.

 SecurityModel:TheActiveDirectory

securitymodelisbasedonsharedsecrets.Thedomain

controllercontainsallusers’keys.TheauthenticationmechanismisbasedonKerberos,NTLM,

Smartcard,Digestetc.

TheActiveDirectorysecuritymodelisbasedonsharedsecrets.Thedomaincontrollercontainsall

users’keys.

FormoreinformationonActiveDirectoryforests,referto

theActiveDirectoryTutorial(http://

searchwinit.techtarget.com/generic/0,295582,sid1_gci1050336,00.html)

2.3.1 Additional Features of Active Directory

 WithinanActiveDirectorytopology,distinctrolesaredefined,buttheserolesarenotfixed.Any

rolecanbemovedtoanotherserveratanytime.Formoreinformationabouttheseroles,see

“FlexibleSingleMasterOperation(FSMO)Roles”inthe OES11SP2:DomainServicesfor

WindowsAdministration

Guide.

 InActiveDirectory,FlexibleSingleMasterOperation(FSMO)rolesensuredirectoryintegrityby

policingspecificoperationsthatbelongonlyonasingle‐serverdirectoryservice.Forexample,

FSMOrolesenableActiveDirectorytoavoidthesimultaneouscreationofnewdomainswith

identicalnamesorthecreationofconcurrentschema

extensionsusingthesameattributewitha

differentunderlying syntax.

 InActiveDirectory,thePrimaryDomainControllerEmulatorFSMOrolehastwoprimary

functions.ItprovidesbackwardcompatibilityforWindowsNT4domainsandforservers,andit

actsasanacceleratorforcertainaccountmanagementfunctions.Forexample,password

changes

andaccountlockoutsarepassedtothePDCEmulatorFSMOroleand thenquickly 

replicatedthroughoutadomaininfrastructure.

 InaMicrosoftenvironment,timesynchronizationisimportantprimarilyformainta ining

Kerberosauthenticati on.Timesynchronizationisnotvitaltothefunctioningoftheprimary

domaincontroller.

2.4 DSfW Authentication

DSfWisbothanauthenticationserviceandanapplicationservicetowhichyoucanauthenticateby

usingpreviouslyacquiredcredentials.

Forexample,inaWindowslogonsession,theuseracquiresaKerberosticketgrantingticket(TGT),

andusesthattickettoacquireserviceticketstologintothelocalworkstation

andtheDSfWLDAP

serverforgrouppolicylookup.WhileperformingnetworkauthenticationtoeDirectorythrough

Kerberos,theusercouldjustaswellbeauthenticatingtoanotherservicejoinedtothedomain,for

example,afileserver.

DSfWabstractsnetworkauthenticationbyusingtheGSS‐API.ItusesNTLMandKerberos,

aswellas

athirdpseudo‐mechanism(SPNEGO)thatcansecurelynegotiatebetweenarbitraryconcrete

mechanisms.

Initial(logon)authenticationisprovidedbytheKDC(forKerberos)andtheNetLogonservice(for

NTLM).Additionally,NetLogonalsoprovidespass‐throughauthenticationforchallengeresponse

protocolssuchasNTLMandDigest

(forWindowsservices).

12 OES 11 SP2: Novell Domain Services for Windows Security Guide

2.5 Authenticating to Other Services

AproductauthenticatestoeDirectorybyusingSASLEXTERNALoverIPC.Itprovesthatitruns

withthesamePOSIXidentityandthisismappedtothedomaincontrolleraccountDN.Thedomain

controlleraccountisallowedtoimpersonatearbitraryusers,sothatitcanoperatewithleast

privilegeswhen

performingoperationsonbehalfofRPCclients.

2.6 SYSVOL Replication

SYSVOLreplicationisdoneoverSSHtunnelsusingtheKerberoscredentialsofaproxyuserthatis

setupandmanagedinternally.Thecredentialsareaccessibleonlytothelocalrootuser.

Using Access Control Lists in Domain Services for Windows 13

Using Access Control Lists in Domain

Services for Windows

IneDirectoryandinDomainServicesforWindows(DSfW),anaccesscontrollist(ACL)isalistof

permissionsassignedtoanobject.Thelistspecifiestheaccessdetailsoftheobject,andtheoperations

thatausercanperformontheobject.AtypicalACLentryspecifiesasubjectand

anoperation.

FormoreinformationonACLsineDirectory,refertoeDirectoryRights(http://www.netiq.com/

documentation/edir88/edir88/data/fbachifb.html)intheeDirectory8.8.AdministrationGuide.

3.1 ACL Changes in a Tree When DSfW Is Installed

ACLʹsarespannedacrossdifferentLDIFfiles.ThefollowingsectionsdescribeindetailtheACL

changesrequiredforDSFW.

 Section 3.1.1,“InstallingaNewDomain,”onpage 13

 Section 3.1.2,“InstallingaForestRootDomain,”onpage 15

 Section 3.1.3,“InstallingaNon‐Name‐MappedForestRootDomain,”onpage 16

 Section 3.1.4,“InstallingaName‐MappedForest

RootDomain,”onpage 17

3.1.1 Installing a New Domain

Newdomain:filename=nds‐domain.ldif.

Object DN Trustee DN Attribute Name Privileges

CN=Policies,CN=System,

<DC=domain>

CN=Group Policy Creator

Owners,CN=Users,<DC=

domain>

All Attributes Rights 15

CN=Group Policy Creator

Owners,CN=Users,<DC=

domain>

Entry Rights 15

DC=domain CN=Administrator,CN=Us

ers,<DC=domain>

dBCSPwd 4

CN=Administrator,CN=Us

ers,<DC=domain>

unicodePwd 4

CN=Administrator,CN=Us

ers,<DC=domain>

supplementalCredentials 4

CN=Administrator,CN=Us

ers,<DC=domain>

currentValue 4

14 OES 11 SP2: Novell Domain Services for Windows Security Guide

CN=Administrator,CN=Us

ers,<DC=domain>

priorValue 4

CN=Administrator,CN=Us

ers,<DC=domain>

initialAuth Incoming 4

CN=Administrator,CN=Us

ers,<DC=domain>

initialAuth Outgoing 4

CN=Administrator,CN=Us

ers,<DC=domain>

trustAuthIncoming 4

CN=Administrator,CN=Us

ers,<DC=domain>

trustAuthOutgoing 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

dBCSPwd 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

unicodePwd 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

supplementalCredentials 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

currentValue 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

priorValue 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

initialAuth Incoming 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

initialAuth Outgoing 4

CN=Domain

Admins,CN=Users,<DC=d

omain>

trustAuthIncoming 6

CN=Domain

Admins,CN=Users,<DC=d

omain>

trustAuthOutgoing 6

CN=Administrators,CN=B

uiltin,<DC=domain>

All Attributes Rights 32

CN=Administrators,CN=B

uiltin,<DC=domain>

Entry Rights 16

CN=Domain

Admins,CN=Users,<DC=d

omain>

All Attributes Rights 15

Object DN Trustee DN Attribute Name Privileges

Using Access Control Lists in Domain Services for Windows 15

3.1.2 Installing a Forest Root Domain

Forestrootdomain:filename=nds‐admin‐acls.ldif

CN=Domain

Admins,CN=Users,<DC=d

omain>

Entry Rights 15

CN=Group Policy Creator

Owners,CN=Users,<DC=

domain>

gPLink 7

CN=Group Policy Creator

Owners,CN=Users,<DC=

domain>

gPOptions 7

CN=Cert

Publishers,CN=Users,<D

C=domain>

userCertificate 7

OU=Domain

Controllers,<DC=domain>

All Attributes Rights 32

CN=Domain

Controllers,CN=Users,<D

C=domain>

All Attributes Rights 32

OU=Domain

Controllers,<DC=domain>

Entry Rights 16

CN=Domain

Controllers,CN=Users,<D

C=domain>

Entry Rights 16

CN=Domain

Computers,CN=Users,<D

C=domain>

PasswordExpirationInterv

CN=Domain

Computers,CN=Users,<D

C=domain>

PasswordMinimumLength 3

CN=Domain

Computers,CN=Users,<D

C=domain>

nspmConfigurationOption

CN=Domain

Computers,CN=Users,<D

C=domain>

nspmMinPasswordLifetim

CN=Domain

Computers,CN=Users,<D

C=domain>

pwdInHistory 3

CN=Configuration,<DC=d

omain>

CN=Administrator,CN=Us

ers,<DC=domain>

All Attributes Rights 32

CN=Administrator,CN=Us

ers,<DC=domain>

Entry Rights 16

Object DN Trustee DN Attribute Name Privileges

16 OES 11 SP2: Novell Domain Services for Windows Security Guide

nds-domain-acls.ldif

3.1.3 Installing a Non-Name-Mapped Forest Root Domain

Non‐namemappedforestrootdomain:filename=nds‐domain‐lum‐acls.ldif.

Object DN Trustee DN Attribute Name Privileges

<DC=domain> CN=Enterprise

Admins,CN=Users,<DC=d

omain>

All Attributes Rights 32

CN=Enterprise

Admins,CN=Users,<DC=d

omain>

Entry Rights 16

CN=Configuration,<DC=d

omain>

CN=Enterprise

Admins,CN=Users,<DC=d

omain>

All Attributes Rights 32

CN=Enterprise

Admins,CN=Users,<DC=d

omain>

Entry Rights 16

CN=Schema,CN=Configu

ration,<DC=domain>

CN=Schema

Admins,CN=Users,<DC=d

omain>

All Attributes Rights 32

CN=Schema

Admins,CN=Users,<DC=d

omain>

Entry Rights 16

Object DN Trustee DN Attribute Name Privileges

<DC=domain> Public cn 1

This dBCSPwd 4

This unicodePwd 4

This supplementalCredentials 4

Object DN Trustee DN Attribute Name Privileges

<DC=domain> Public gecos 2

Public gidNumber 2

Public uidNumber 2

Public unixHomeDirectory 2

Public loginShell 2

Public memberUid 2

Using Access Control Lists in Domain Services for Windows 17

nds-super-rights-acls.ldif

3.1.4 Installing a Name-Mapped Forest Root Domain

Name‐mappedforestrootdomain:filename=nds‐domain‐rights‐acls.ldif

Object DN Trustee DN Attribute Name Privileges

Root server object CN=<hostname>,OU=Do

main

Controllers,<DC=domain>

Entry Rights 16

CN=<hostname>,OU=Do

main

Controllers,<DC=domain>

All Attributes Rights 32

Object DN Trustee DN Attribute Name Privileges

<DC=domain> CN=<hostname>,OU=Do

main

Controllers,<DC=domain>

Entry Rights 16

CN=<hostname>,OU=Do

main

Controllers,<DC=domain>

[All Attributes Rights 32

18 OES 11 SP2: Novell Domain Services for Windows Security Guide

Trust Relationship of Domains in the Forest 19

Trust Relationship of Domains in the

Forest

Atrustisusedtoallowusersofonedomaintoaccessresourcesfromanotherdomain.Trustsare

automaticallycreatedwithinaneDirectorytreewhendomainsarecreated.Forauthenticationand

namelookupstoworkacrossdomains,atrustrelationshipmustbecreatedbetweenthedomains.

Thetrustrelationshipincludesa

sharedsecretthatcanbeusedforbothKerberosandNTLM

authentication,alongwithinformationthatisusedtosupportnameresolution.

Domainscanhavetrustrelationshipstootherdomains,whichpermitauserinonedomaintobe

authenticatedtoanother.Theserelationshipsaremanifestedassharedsecretsbetweenthe

two

domains.Trustrelationshipsareautomatic(andtransitive)withinaforest;theycanalsobeexplicitly

createdtoexternaldomainsorforests.

Formoredetailsaboutthekindsoftrustsandsettinguptrusts,see“ManagingTrustRelationshipsin

DomainServicesforWindows”intheOES11SP2:DomainServices

forWindowsAdministrationGuide.

20 OES 11 SP2: Novell Domain Services for Windows Security Guide

Page is loading ...

Novell Open Enterprise Server 11 SP3 Administration Guide

Novell Open Enterprise Server 11 SP3 Administration Guide

Novell Open Enterprise Server 11 SP3 Administration Guide

Related papers

Other documents