authenticating linux clients with active directory
TRANSCRIPT
7/29/2019 Authenticating Linux Clients With Active Directory
Authenticating Linux Clients with Active Directory
Objective:
To provide high-quality and cost-effective IT services through integration with a core piece of software
infrastructure: Active Directory.
Windows Authentication:
Windows has shipped with an integrated network authentication and single sign-on system for quite
some time.
Linux Authentication:
Linux was not built with a single authentication mechanism in mind, and application developers
generally create their own authentication scheme, either by looking up names and password hashes
in /etc/passwd or by using something such as Pluggable Authentication Modules (PAM).
However, OpenLDAP Software is an Open Source suite of directory software developed by the
Internet community to run on Linux and can be integrated with Microsoft Active Directory.
Samba and Winbind:
Samba is an open-source project which provides integration between Windows and Linux
environments. Using these Samba client components allows Linux machines to take advantage of
Windows authentication services provided by Active Directory DCs. Winbind (a daemon/service that runs
on Samba clients) uses Kerberos to authenticate with Active Directory and LDAP to retrieve user and
group information, and also provides additional services such as the ability to locate DCs and to reset
Active Directory passwords by communicating with a DC using RPC.
Authentication Strategies:
Given the availability of LDAP, Kerberos, and Winbind on Linux machines, there are implementation
strategies we can adopt to allow our Linux machines to use Active Directory for authentication. The
best of these is using Winbind as a proxy between Pluggable Authentication Modules (PAM) and the
Name Service Switch (NSS) on one side and Active Directory on the other: PAM and NSS make calls to the
Winbind daemon, and Winbind translates the different PAM and NSS requests into the corresponding
Active Directory calls, using either LDAP, Kerberos, or RPC, depending on which is most appropriate.
Implementation Plan:
Getting RHEL5 to authenticate to Active Directory basically requires five separate steps:
1. Locate and download the appropriate Samba and other dependent components.
2. Build Samba.
3. Install and configure Samba.
4. Configure Linux, specifically PAM and NSS.
5. Configure Active Directory.
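The following script is an added example, not part of the original presentation, covering the Samba/Winbind configuration (step 3), the PAM and NSS configuration (step 4) and the Winbind-as-proxy arrangement described under Authentication Strategies. It renders the four files a Winbind-based client needs (smb.conf, krb5.conf, nsswitch.conf, and the PAM system-auth stack) into a staging directory for review rather than writing to /etc, so a defender can diff them against the host's current settings first. The realm CORP.EXAMPLE.COM, workgroup CORP, domain controller dc1.corp.example.com, the idmap ranges and the PAM layout are all assumptions for illustration; the PAM stack follows the shape authconfig produced on RHEL5-era systems and should be compared with the file your own distribution generates.

```shell
#!/bin/sh
# Added example (not from the original presentation). Stages AD-client
# configuration for review; realm/domain/DC names and ranges are placeholders.

# smb.conf: security = ads makes Winbind authenticate via Kerberos and fetch
# users/groups via LDAP; the "rid" idmap backend derives UIDs from the AD SID,
# so every joined host maps a given domain user to the same UID (assumed ranges).
render_smb_conf() {
    realm=$1; workgroup=$2
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config $workgroup : backend = rid
    idmap config $workgroup : range = 1000000-1999999
EOF
}

# krb5.conf: realm-to-KDC mapping used by Winbind and by kinit for testing.
render_krb5_conf() {
    realm=$1; dc=$2
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# nsswitch.conf: append winbind to the passwd and group sources so NSS lookups
# fall through to the Winbind daemon. Idempotent: re-running never doubles it.
add_winbind_to_nsswitch() {
    f=$1
    awk '/^(passwd|group):/ && $0 !~ /[[:space:]]winbind([[:space:]]|$)/ { $0 = $0 " winbind" } { print }' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Returns 0 only when both passwd and group lines consult winbind.
nsswitch_has_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# PAM system-auth: local accounts (uid >= 500) are tried first via pam_unix,
# domain accounts fall through to pam_winbind; pam_mkhomedir creates the home
# directory on first login. Assumed layout; compare with your distribution's.
render_pam_system_auth() {
    cat <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      pam_unix.so
EOF
}

# Write all four files under $1 for review before anything is copied to /etc.
stage_configs() {
    dir=$1; realm=$2; workgroup=$3; dc=$4
    mkdir -p "$dir/samba" "$dir/pam.d"
    render_smb_conf "$realm" "$workgroup" > "$dir/samba/smb.conf"
    render_krb5_conf "$realm" "$dc"      > "$dir/krb5.conf"
    render_pam_system_auth               > "$dir/pam.d/system-auth"
    cp /etc/nsswitch.conf "$dir/nsswitch.conf" && add_winbind_to_nsswitch "$dir/nsswitch.conf"
    # Once the files are in place, the join and the checks are:
    #   net ads join -U Administrator   # creates the computer account and keytab
    #   wbinfo -t                       # verifies the machine trust secret
    #   getent passwd jdoe              # confirms NSS resolves a domain user
}

# Usage: sh ad-client-stage.sh stage /tmp/ad-staging CORP.EXAMPLE.COM CORP dc1.corp.example.com
case "${1:-}" in
    stage) stage_configs "$2" "$3" "$4" "$5" ;;
esac
```

The rid idmap backend is the choice that matters most for the UID migration problem raised later in the presentation: it gives the same UID for a domain user on every joined machine, whereas the default tdb backend allocates UIDs in whatever order users are first seen, so file ownership on shared storage would differ from host to host.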
Once implemented, this will provide the ability to log into Linux systems using credentials that are
maintained in Active Directory. This is a huge improvement over managing identities locally on the Linux
machines, and it allows for centralised user management within Active Directory.
Some issues would be things like getting technical support, as most of the Linux community is
somewhat in the dark when it comes to Active Directory, and the support you can get depends
entirely on who happens to read your post and how they feel that day.
There are no migration or deployment tools with Samba, so existing Linux accounts with their
associated user IDs and permissions will have to be maintained manually prior to migrating them to
Active Directory.
Finally, Group Policy isn't available with Samba but is currently being developed, so although we can
join a Linux system to Active Directory with Samba, we can't manage it using Group Policy yet.
Third Party Solutions:
There are currently four commercial software vendors that have developed easy-to-install-and-use
versions. They provide the code and migration tools for nearly every popular version of Linux as well
as support for managing Linux machines using Group Policy.
The four companies are:
- Centrify
- Likewise Software
- Quest Software
- Symark
All four vendors provide similar functionality, including Group Policy management across a wide
array of Linux distributions. Likewise Software has recently open-sourced its implementation, called
Likewise Open, but its Group Policy component remains a commercial product. Even so, this may
provide a cheaper path for Linux integration into Active Directory.
Does it make sense to build our own authentication system using Samba and Winbind when there
are commercial options available?
If there is no money in the budget for integration software, then going the open-source route with
Samba or Likewise Open has the advantage of being free, barring some possible hardware costs.
However, migrating existing Linux machines and their existing UIDs is a very difficult problem; once
achieved, though, everything could be managed through Active Directory.
Integrating Linux authentication with Active Directory reduces the effort spent on managing multiple
user accounts, improves system security, and provides a single identity store to manage and audit,
and those are very good reasons for considering it.