Research for managing Windows clients
Scope of this issue
This issue collects research into the question of how AlekSIS can be used as a management tool for Windows client machines. It will not get a concrete implementation; such an implementation will later be drafted in separate issues.
Background
The ultimate goal of AlekSIS-App-Kompjuter is to achieve feature parity (to some important extent) with Debian Edu 10, which used GOsa and Samba to provide an NT-style domain for Windows clients. Debian Edu also uses OpenLDAP and Kerberos to provide user authentication and, to some extent, client management to its own Debian Edu workstation clients.
With AlekSIS-App-Kompjuter, fai-webapi and system-auth-webapi, we are trying to simplify and decentralise client management for Debian Edu (and generally all kinds of clients) by leveraging the benefits of Web APIs (only HTTP necessary, which is stateless, relatively easy to load-balance and to move off-site). We already have:
- an NSS module loading users and groups from a REST API, with accompanying backend in AlekSIS
- a PAM module authenticating users using OAuth2, with accompanying backend in AlekSIS
- a dynamic FAI configspace generator with accompanying support in FAI
At this point, we can fully deploy and manage client systems and authenticate users without ever talking to anything more complex than AlekSIS' REST API.
Debian Edu, on the other hand, has basically dropped Windows client support together with Samba 3. Samba 4, which is a drop-in replacement for Microsoft Active Directory, now enforces its own internal LDAP server and cannot work with an external directory anymore.
Goals for Windows support
While overhauling the management of Debian clients leveraging AlekSIS and web APIs, we want to re-introduce support for Windows clients. To do this, there is one obvious solution: We could provide a way to deploy a Samba 4 server, and let AlekSIS replicate user and host information into it. This is what other solutions, like Linuxmuster, seem to do. We will look into this as one option.
However, by doing so we would lose some of the benefits of using only web APIs, so we need to look into other options as well. We also need to figure out how to do software deployment and configuration.
More concisely, the goals are (ordered by priority):
- Users shall be able to log in to Windows clients using the same credentials as in AlekSIS
- Admins shall be able to configure software to be deployed on Windows clients
- Admins shall be able to configure Windows clients (like with group policies, etc.)
Research topics
The following topics should be researched as options for implementing the above goals, or as background knowledge. The topics have no defined order; they can be researched in any order that seems to make sense.
What APIs does Samba offer?
If it should turn out that we need to orchestrate Samba 4, we should know how to do it. What APIs (REST? RPC? Command-line tools?) does it offer to manage users, hosts, credentials,…?
Can we simply talk OpenLDAP, and everything works? One point to watch out for is changing passwords, which in turn has to cover two scenarios:
- A user changes their password, providing their old and a new password
- An administrator changes a user's password, without knowing their old password (this is the same scenario as password resets)
OpenLDAP implements the Password Modify Extended Operation (in contrast to simply changing the attribute holding the password), and allows hooking into it. So, in OpenLDAP, we can catch a password change, and in turn run code to update NTLM hashes or Kerberos principals.
Does Samba also offer the Password Modify Extended Operation? If yes, is it enough to really update a user's credentials, so they work everywhere after that? In short: Can we just talk LDAP, and be done with that scenario?
How does Microsoft Azure AD handle authentication and password changes?
Microsoft has started their own efforts in moving user and client management out of the basements of their customers and into their Azure cloud, called Azure AD. Azure AD offers web-based APIs for user management, and it seems they also offer OAuth for users to authenticate against it.
The main question here is: Does Windows use these APIs? Traditionally, Windows AD uses Microsoft's versions of LDAP and Kerberos/GSSAPI. Did this change, and for the cloud-based Azure AD, Windows now uses web APIs? Or does it still talk LDAP and Kerberos to the Azure Cloud?
How does Microsoft Azure AD handle system configuration, GPOs,…?
This question is the same as the previous one, but for everything related to system configuration, which is GPO in traditional AD.
What APIs does Windows offer to modify the login process?
Another approach would be to modify the Windows logon process. Do we even have to use the AD mechanisms? Or can we write some kind of plugin that handles authentication for us, and we can then simply port system-auth-webapi to Windows?
Prior to Vista and Server 2003, Windows had a pluggable system called GINA that officially supported overriding the logon process by replacing GINA's DLL file. Does such a mechanism still exist in Windows 10 or 11?
If so, is there documentation or prior art (existing projects) that leverages this?
Can we orchestrate some Windows package manager for software deployment?
There are two well-known package managers for Windows, opsi and WAPT. @sunweaver seems to prefer WAPT, and they apparently already have a repository of pre-packaged software.
Can we orchestrate these platforms, so that the packages to be installed per host could be configured in AlekSIS?
How does Linuxmuster orchestrate Windows?
Linuxmuster can manage Windows and Linux clients. We should collect information on how it does that, and how the "Schulkonsole" interacts with all the tooling around it (especially Samba and opsi).
How does Microsoft's device management fit in?
Microsoft also uses its APIs for (mobile) device management, under Microsoft Intune. How does this fit in? What happens when we log in to a device using an Azure AD device?
How do other third-party MDMs integrate with Azure?
Expected results
Results for the research should collect, per topic:
- A summary of the findings, primarily answering the questions listed here
- Links to documentation and prior art (existing projects and solutions)
- If possible, a conclusion of the benefits and downsides
- A list of open questions or issues, and follow-up questions and research topics
- If possible with not too much effort, an example installation (please ask @nik for Windows/Linux/whatever VMs for testing)