authenticating linux clients with active directory

Upload: gavrilo

Post on 04-Apr-2018


7/29/2019 Authenticating Linux Clients With Active Directory

    Authenticating Linux Clients with Active Directory

Objective:

To provide high-quality and cost-effective IT services by integrating Linux hosts with the core software infrastructure already in place: Active Directory.

    Windows Authentication:

    Windows has shipped with an integrated network authentication and single sign-on system for quite

    some time.

Linux Authentication:

Linux was not built with a single authentication mechanism in mind. Applications have historically either looked up names in /etc/passwd and password hashes in /etc/shadow themselves, or delegated the job to a framework such as Pluggable Authentication Modules (PAM), which lets the administrator decide at run time which back end actually checks the credentials.

Directory-based authentication is available too: OpenLDAP Software is an open-source suite of directory software developed by the Internet community, and its client libraries can talk to Microsoft Active Directory, which is itself an LDAP directory.

Samba and Winbind:

Samba is an open-source project that provides integration between Windows and Linux environments. Using its client components allows Linux machines to take advantage of the authentication services provided by Active Directory domain controllers (DCs). Winbind (the winbindd daemon, which runs on Samba clients) uses Kerberos to authenticate against Active Directory and LDAP to retrieve user and group information, and it also provides additional services such as locating DCs and resetting Active Directory passwords by talking to a DC over RPC.

Authentication Strategies:

Given the availability of LDAP, Kerberos, and Winbind on Linux machines, there are several strategies for letting our Linux machines use Active Directory for authentication (direct LDAP lookups with nss_ldap/pam_ldap, Kerberos alone, or Winbind). The best of these is to use Winbind as the proxy between the two Linux authentication interfaces, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS), and Active Directory: the pam_winbind and nss_winbind modules make calls to the Winbind daemon, which translates each PAM and NSS request into the corresponding Active Directory call, using LDAP, Kerberos, or RPC, depending on which is most appropriate.

Implementation Plan:

Getting RHEL5 to authenticate to Active Directory requires five separate steps:

1. Locate and download the appropriate Samba and other dependent components.

2. Build Samba.

3. Install and configure Samba.

4. Configure Linux, specifically PAM and NSS.

5. Configure Active Directory (create the computer account by joining the domain).
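The configuration side of the strategy and plan above (steps 3 to 5), as an added example that is not part of the original document: a script that renders the four files a Winbind-based join depends on (smb.conf, krb5.conf, nsswitch.conf and a RHEL-style PAM system-auth) into a staging directory, checks them, and collects the join and verification commands. The realm EXAMPLE.COM, workgroup EXAMPLE, domain controller dc1.example.com and the test user are assumptions; the smb.conf uses the Samba 4 idmap syntax rather than the RHEL5-era Samba 3 options.

```shell
#!/usr/bin/env bash
# Added example, not from the original document: render and sanity-check the
# configuration for a Winbind-based Active Directory join, then the join steps.
# REALM, WORKGROUP and DC are hypothetical; override them via the environment.
set -eu

REALM="${REALM:-EXAMPLE.COM}"      # Kerberos realm = AD DNS domain, upper case (assumed)
WORKGROUP="${WORKGROUP:-EXAMPLE}"  # NetBIOS domain name (assumed)
DC="${DC:-dc1.example.com}"        # a domain controller (assumed)

# smb.conf for a domain member (Samba 4 idmap syntax; the RHEL5-era Samba 3
# build the document describes used "idmap uid"/"idmap gid" instead).
render_smb_conf() {
    cat <<EOF
[global]
    workgroup = $WORKGROUP
    realm = $REALM
    security = ads
    kerberos method = secrets and keytab
    # tdb range for BUILTIN/local SIDs; rid backend for the domain so every
    # host derives the same UID for the same account (no per-host allocation)
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config $WORKGROUP : backend = rid
    idmap config $WORKGROUP : range = 100000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
[realms]
    $REALM = {
        kdc = $DC
        admin_server = $DC
    }
EOF
}

# NSS: "files" stays first so root and local service accounts resolve even
# when winbindd is down; shadow stays local, winbind authenticates via PAM.
render_nsswitch() {
    printf 'passwd: files winbind\nshadow: files\ngroup:  files winbind\n'
}

# PAM (RHEL system-auth layout): local accounts first, then pam_winbind with
# Kerberos authentication and cached credentials for offline logons.
render_pam_system_auth() {
    cat <<'EOF'
auth      required    pam_env.so
auth      sufficient  pam_unix.so nullok try_first_pass
auth      sufficient  pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE cached_login
auth      required    pam_deny.so
account   required    pam_unix.so broken_shadow
account   [default=bad success=ok user_unknown=ignore] pam_winbind.so
account   required    pam_permit.so
password  sufficient  pam_unix.so sha512 shadow try_first_pass use_authtok
password  sufficient  pam_winbind.so use_authtok
password  required    pam_deny.so
session   required    pam_unix.so
session   optional    pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

# Write everything under DIR (never straight into /etc) so it can be diffed first.
stage_configs() {
    local dir="$1"
    mkdir -p "$dir"
    render_smb_conf        > "$dir/smb.conf"
    render_krb5_conf       > "$dir/krb5.conf"
    render_nsswitch        > "$dir/nsswitch.conf"
    render_pam_system_auth > "$dir/system-auth"
}

# Return 0 only if the staged files hold the settings the join depends on.
verify_staged() {
    local dir="$1"
    grep -q '^ *security = ads$'                              "$dir/smb.conf"      &&
    grep -q "^ *realm = $REALM\$"                             "$dir/smb.conf"      &&
    grep -q "^ *default_realm = $REALM\$"                     "$dir/krb5.conf"     &&
    grep -Eq '^passwd:[[:space:]]+files[[:space:]]+winbind'   "$dir/nsswitch.conf" &&
    grep -Eq '^group:[[:space:]]+files[[:space:]]+winbind'    "$dir/nsswitch.conf" &&
    grep -q '^auth .*pam_winbind\.so'                         "$dir/system-auth"   &&
    grep -q '^account .*pam_winbind\.so'                      "$dir/system-auth"
}

# Run as root once the files are in /etc and winbind is restarted: create the
# computer account, then prove the trust and the NSS path before anyone logs in.
join_domain() {
    net ads join -U "${ADMIN_USER:-Administrator}"   # writes the machine secret/keytab
    net ads testjoin                                 # is the machine account usable?
    wbinfo -t                                        # trust secret verified over RPC
    wbinfo -u | head -n 3                            # users visible through winbindd
    getent passwd "${TEST_USER:-alice}"              # and through NSS (assumed user)
}

# Usage: stage_configs /tmp/ad-join && verify_staged /tmp/ad-join, review,
# copy into /etc, restart winbind, then join_domain.
```

Keep "files" ahead of "winbind" in nsswitch.conf and leave the rid range well clear of local UIDs; if the ranges overlap, an AD account can silently inherit the files of a local one.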


Once implemented, this provides the ability to log into Linux systems using credentials maintained in Active Directory: a huge improvement over managing identities locally on each Linux machine, and it allows for centralised user management within Active Directory.

Some issues remain. Technical support is one: most of the Linux community is somewhat in the dark when it comes to Active Directory, and the support you get from community forums depends entirely on who happens to read your post and how they feel that day.

Samba ships no migration or deployment tools, so existing Linux accounts, with their associated user IDs and file permissions, will have to be mapped and maintained by hand before they can be migrated to Active Directory.
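The mapping work just described, as an added example that is not part of the original document: a script that derives the local-UID to AD-UID map from the host's account list and the view winbind gives through NSS, refuses maps where a target UID is still in use as a source (which would re-own files twice), and prints the re-owning commands for review rather than running them. Both account listings are constructed for the example; the user names and UIDs are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original document: plan the local-UID to AD-UID
# migration that Samba gives no tool for. Both listings are constructed; in
# practice take the first from /etc/passwd and the second from
# `getent passwd <user>` once winbind answers NSS.
set -eu

LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:502:502:Bob:/home/bob:/bin/bash
svc-backup:x:503:503:Backup:/var/backup:/sbin/nologin'

# rid backend: UID = range base + account RID, so identical on every host.
WINBIND_PASSWD='alice:*:100503:100513:Alice Example:/home/alice:/bin/bash
bob:*:100878:100513:Bob Example:/home/bob:/bin/bash
carol:*:100901:100513:Carol Example:/home/carol:/bin/bash'

# build_uid_map LOCAL WINBIND prints "user old_uid new_uid" for every account
# present in both listings whose UID changes; root and local-only service
# accounts are left alone by construction.
build_uid_map() {
    local wb; wb="$(mktemp)"
    printf '%s\n' "$2" > "$wb"
    printf '%s\n' "$1" | awk -F: -v wb="$wb" '
        BEGIN { while ((getline l < wb) > 0) { split(l, f, ":"); new[f[1]] = f[3] } }
        ($1 in new) && new[$1] != $3 { print $1, $3, new[$1] }'
    rm -f "$wb"
}

# check_collisions reads a map on stdin and fails if any target UID is still
# someone else's source UID: re-owning in file order would then move that
# user's files a second time. Go through a temporary UID range in that case.
check_collisions() {
    awk '{ old[$2] = 1; new[$3] = 1 }
         END { for (u in new) if (u in old) exit 1; exit 0 }'
}

# plan_chown MOUNTPOINT reads the map on stdin and emits, rather than runs,
# the re-owning commands (-xdev stays on one filesystem; -h re-owns the
# symlink itself, not its target). Review the output, then run it as root.
plan_chown() {
    local root="$1" user old new
    while read -r user old new; do
        printf 'find %s -xdev -uid %s -exec chown -h %s {} +  # %s\n' \
            "$root" "$old" "$new" "$user"
    done
}

# Usage (dry run). After the chown pass, remove the local entries with
# `userdel` (without -r) so "files" no longer shadows the AD account in NSS,
# and repeat the exercise for group IDs with -gid and chgrp.
#   build_uid_map "$LOCAL_PASSWD" "$WINBIND_PASSWD" | tee /tmp/uid.map | check_collisions
#   plan_chown / < /tmp/uid.map
```

Run the plan per mounted filesystem, and re-check ownership of setuid binaries and cron spools afterwards: a stale local UID that matches a new AD UID is exactly how an ordinary domain user ends up owning a privileged file.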

Finally, Group Policy isn't available with Samba (support is currently being developed), so although we can join a Linux system to Active Directory with Samba, we can't manage it through Group Policy yet.

    Third Party Solutions:

There are currently four commercial software vendors that have developed easy-to-install-and-use versions of this integration. They provide the code and migration tools for nearly every popular version of Linux, as well as support for managing Linux machines using Group Policy.

The four companies are:

Centrify

Likewise Software

Quest Software

Symark

All four vendors provide similar functionality, including Group Policy management across a wide array of Linux distributions. Likewise Software has recently open-sourced its implementation, called Likewise Open, but its Group Policy component remains a commercial product. Even so, this may provide a cheaper path for integrating Linux into Active Directory.

Does it make sense to build our own authentication system using Samba and Winbind when there are commercial options available?

If there is no money in the budget for integration software, then going the open-source route with Samba or Likewise Open has the advantage of being free, barring some possible hardware costs. Migrating existing Linux machines and their existing UIDs is a difficult problem, however; once it is solved, everything can be managed through Active Directory.

Integrating Linux authentication with Active Directory reduces the effort spent on managing multiple user accounts, improves security (one password policy, and one place to disable an account when someone leaves), and provides a single identity store to manage and audit. Those are very good reasons for considering it.