
Authenticating Linux Clients with Active Directory

Objective: To provide high-quality and cost-effective IT services by integrating a core piece of software infrastructure, Active Directory.

Windows Authentication: Windows has shipped with an integrated network authentication and single sign-on system for quite some time.

Linux Authentication: Linux was not built with a single authentication mechanism in mind, and application developers generally create their own authentication scheme, either by looking up names and password hashes in /etc/passwd or by using a framework such as Pluggable Authentication Modules (PAM). However, OpenLDAP Software is an open-source suite of directory software developed by the Internet community to run on Linux, and it can be integrated with Microsoft Active Directory.

Samba and Winbind: Samba is an open-source project which provides integration between Windows and Linux environments. Using the Samba client components allows Linux machines to take advantage of the Windows authentication services provided by Active Directory DCs. Winbind (a daemon that runs on Samba clients) uses Kerberos to authenticate with Active Directory and LDAP to retrieve user and group information; it also provides additional services such as locating DCs and resetting Active Directory passwords by communicating with a DC over RPC.

Authentication Strategies: Given the availability of LDAP, Kerberos, and Winbind on Linux machines, there are several implementation strategies we can adopt to allow our Linux machines to use Active Directory for authentication. The best of these is to use Winbind as a proxy between the Linux side (Pluggable Authentication Modules, PAM, and the Name Service Switch, NSS) and Active Directory: PAM and NSS make their calls to the Winbind daemon, and Winbind translates the different PAM and NSS requests into the corresponding Active Directory calls, using LDAP, Kerberos, or RPC, whichever is most appropriate.
Implementation Plan: Getting RHEL5 to authenticate to Active Directory basically requires five separate steps:
1. Locate and download the appropriate Samba and other dependent components.
2. Build Samba.
3. Install and configure Samba.
4. Configure Linux, specifically PAM and NSS.
5. Configure Active Directory.
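Added example, not from the page or from the Samba project: a small Python checker for steps 3 and 4, auditing the smb.conf [global] section and nsswitch.conf for the settings the Winbind strategy depends on (security = ads, a realm, sane idmap ranges that stay clear of local system UIDs, and "files winbind" for passwd and group). The sample configurations are constructed; EXAMPLE / EXAMPLE.LOCAL are placeholders, and the idmap config syntax assumes a Samba release newer than the stock RHEL5 package.

```python
import re
# Constructed samples; EXAMPLE / EXAMPLE.LOCAL are placeholder names, not real ones.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 20000-999999
"""
SAMPLE_NSSWITCH = """
passwd:     files winbind
group:      files winbind
"""
def parse_smb_global(text):
    """[global] settings as {key: value}; Samba keys are case/space-insensitive."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip()
    return settings

def audit_winbind(smb_text, nss_text):
    """Return problems found; an empty list means Winbind can proxy PAM/NSS."""
    g, problems = parse_smb_global(smb_text), []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' for Kerberos auth against AD")
    for key in ("realm", "idmap config * : range"):
        if key not in g:
            problems.append(f"'{key}' is missing from [global]")
    for key, val in g.items():  # every idmap range must be sane and non-system
        if key.startswith("idmap config") and key.endswith(": range"):
            m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val)
            if not m or int(m.group(1)) >= int(m.group(2)):
                problems.append(f"{key}: malformed range '{val}'")
            elif int(m.group(1)) < 1000:
                problems.append(f"{key}: range collides with local system UIDs")
    for db in ("passwd", "group"):  # NSS must try local files, then winbind
        sources = m.group(1).split() if (m := re.search(rf"^\s*{db}:\s*(.*)$", nss_text, re.M)) else []
        if not sources or sources[0] != "files" or "winbind" not in sources:
            problems.append(f"nsswitch.conf: '{db}' must read 'files winbind'")
    return problems
```

Run it against the real /etc/samba/smb.conf and /etc/nsswitch.conf after the join; an empty result is the precondition for "getent passwd" and "wbinfo -u" returning domain users.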

Once implemented, this will provide the ability to log into Linux systems using credentials that are maintained in Active Directory. This is a huge improvement over managing identities locally on the Linux machines and allows for centralised user management within Active Directory. Some issues remain. Getting technical support is one: most of the Linux community is somewhat in the dark when it comes to Active Directory, and the support you can get depends entirely on who happens to read your post and how they feel that day. There are no migration or deployment tools with Samba, so existing Linux accounts, with their associated user IDs and permissions, will have to be maintained manually prior to migrating them to Active Directory. Finally, Group Policy isn't available with Samba (it is currently being developed), so although we can join a Linux system to Active Directory with Samba, we can't manage it using Group Policy yet.

Third Party Solutions: There are currently four commercial software vendors that have developed easy-to-install-and-use versions. They provide the code and migration tools for nearly every popular version of Linux as well as support for managing Linux machines using Group Policy. The four companies are:
- Centrify
- Likewise Software
- Quest Software
- Symark

All four vendors provide similar functionality, and all include Group Policy management across a wide array of Linux distributions. Likewise Software has recently open-sourced its implementation, called Likewise Open, but its Group Policy component remains a commercial product. However, this may provide a cheaper path for Linux integration into Active Directory. Does it make sense to build our own authentication system using Samba and Winbind when there are commercial options available? If there is no money in the budget for integration software, then going the open-source route with Samba or Likewise Open has the advantage of being free, barring some possible hardware costs; however, migrating existing Linux machines and their existing UIDs is a very difficult problem, though once it is achieved, everything can be managed through Active Directory. Integrating Linux authentication with Active Directory reduces the effort spent on managing multiple user accounts, improves system security, and provides a single identity store to manage and audit, and those are very good reasons for considering it.
