Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 14, 2008 23:38 UTC (Fri) by raven667 (subscriber, #5198)
Parent article: Authenticate Linux Clients with Active Directory (Technet)

I am confused as to why I need to use Samba and winbind rather than just Kerberos and LDAP directly, presuming I'm willing to give all my LDAP user accounts UID/GID and home directory attributes. An article on how to do AD user/group info using just LDAP would be nice.


Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 15, 2008 0:45 UTC (Sat) by DiegoCG (subscriber, #9198)

You don't need AD, but... for many people it's easier to use Samba (and hence, MS technologies) to set up Linux networks than LDAP and Kerberos. The fact is that Linux has never been very strong in that area.

Oh, and AD is more than authentication. XP client apps (like IE) obey the AD settings - that's something you can't do easily with Linux desktops right now.

AD is actually one of the reasons why people decide to use Windows Server and Windows Client in networks. Linux is really behind in this field.

Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 15, 2008 2:39 UTC (Sat) by k8to (subscriber, #15413)

Having experimented with setting up Kerberos on my home network, I can confirm. It's a pain.

Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 15, 2008 21:52 UTC (Sat) by drag (subscriber, #31333)

Absolutely.

Getting a full Kerberos-based domain with proper authentication, proper network services, proper DNS support, proper LDAP authentication, and a proper configuration management scheme is probably one of the most difficult and error-prone exercises that a Linux administrator is likely to desire to do.

It's certainly possible. Most of the software that is required is provided by folks like Debian. It's not set up to do anything or actually work in any meaningful manner, and there are gaps in functionality that an end user needs to work around.

Meanwhile Microsoft has provided its enterprise customers these features, and more, with Active Directory in a relatively easy to use and effective package for, ohh, since Windows 2000 came out. Every version of 'Windows Pro' and 'Windows Server' is designed to work with Kerberos/LDAP/configuration management/etc. out of the box and in fact is harder to set up and manage without using Active Directory in many cases.

So Linux is about 8 years behind the curve here.

-------------------------------

To be brutally honest, probably the best way to implement this sort of domain thing is to just run out to Best Buy and buy a copy of Microsoft Small Business Server and figure out how to get Samba/winbind working with it. A LOT fewer headaches and a lot less error-prone.

This article is probably one of the more useful bits of documentation you're likely to run across for most administrators trying out Linux. No joking.

------------------

Now, of course, with things like Samba4 and FreeIPA Linux may be starting to catch up, but it's worthless to end users until distributions realize the need and understand how to get something competitive to Active Directory/Small Business Server up and running easily for end users.

This means secure LDAP, Kerberos, proper network authentication, proper DNS, proper configuration management, proper configuration interfaces... etc. etc.

Then Linux on the desktop would probably start being taken more seriously by businesses. While the ability to have a spinning cube is interesting for end users, the lack of the ability to manage users, their environments, and their passwords in an easy and secure manner is a big turn-off for any IT person.

Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 16, 2008 12:57 UTC (Sun) by deleteme (guest, #49633)

As is stated in the article, there are commercial options if you want to do this on Linux, so the easiest option would be to buy from them.

The problem was that RHEL doesn't include this. And I'm guessing they think there is too little market for it.

Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 16, 2008 22:10 UTC (Sun) by drag (subscriber, #31333)

> The problem was that RHEL doesn't include this. And I'm guessing they think there is too little market for it.

Well, the market Red Hat is in is all heterogeneous enterprise arenas. Places where Microsoft isn't very common.

So there is going to be a lot of legacy software and legacy operating systems that probably are too difficult to get running with secure network authentication... either that or you're dealing with corporations that take things seriously and already have an extensive Kerberos and network directory system in place.

Either way, to integrate Linux into a situation like that is going to require significant amounts of in-house expertise and customization... which those larger corporations are going to have. And compared to other Unix or legacy systems that Linux tends to replace, Linux distros are much easier to deal with for the most part.

--------

But saying the market for having an easily integrated secure domain and desktop is small is 100% wrong. In terms of numbers, the amount of people needing these features to deploy their desktops vastly outweighs any other server market.

This is Microsoft's bread-n-butter. This is how they make their money and is one of the major reasons, if not the major reason, why their server platform is the #1 most popular in the world in terms of cash and numbers.

The thing is that Microsoft has grown up with their customers, and continues to do so. They provide products that favor small-medium businesses, and as those businesses grow to larger and larger businesses they continue to purchase Microsoft products.

That's like saying the desktop arena is small potatoes because Linux doesn't sell well. And, in fact, this is one of the major problems when it comes to the Linux desktop... whenever you have a Microsoft domain with Microsoft servers and Microsoft software, Linux will always be a PITA, will always be second fiddle.

Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 15, 2008 17:01 UTC (Sat) by jeleinweber (subscriber, #8326)

I personally find several advantages to using Samba winbind over straight Kerberos + LDAP.

1. Samba joins AD as a regular host. If you want to use plain Kerberos with PAM authentication, you'll have to make host/server@REALM users by hand in AD instead of machine accounts and export a /etc/krb5.keytab file using Microsoft's ktpass tool from the Windows support tools. ktpass has a lot of weird limitations and an uncertain future. I have done this, and it works, but the Samba way is easier.

2. Winbind can use regular Microsoft groups. Most Unix -> LDAP solutions, regardless of what your LDAP server is (Microsoft? Sun? Novell? IBM? OpenLDAP?), use rfc2307 attributes for uid, gid, home directory, shell, etc. There is a subtle but important difference between rfc2307 and rfc2307bis: group members in rfc2307 were LDAP IA5String types (lists of usernames, compare /etc/group). rfc2307bis also allows group members to be LDAP "distinguished names". Microsoft groups in AD use DNs in the "member" attribute. winbind lets you tap into the regular groups, including nested group memberships. If you don't use winbind you may be spending a lot of time mucking around in tools like adsiedit and using different procedures to edit your Unix groups than your Windows groups. Microsoft has extensions to their "Active Directory Users and Computers" tool for "unix attributes" tabs, but those don't include any decent editing support for group memberships. A plain LDAP implementation is going to have more trouble in /etc/nsswitch.conf with mapping groups.

3. Winbind will use the usual SPNEGO encryption for its RPC calls, so you don't have to configure a certificate infrastructure to get LDAP over TLS. Unauthenticated users can't read the Unix attributes, and you don't want LDAP clients binding to the server using plaintext passwords, so avoiding this makes life easier.

Note that you'd strongly prefer your Windows domain controllers to be running at least Server 2003 R2, as Microsoft's Services for Unix 3.5 on that platform will populate both the legacy Microsoft msSFU30* LDAP attributes and the newer rfc2307bis attributes. In spite of the fact that the RFC status of rfc2307bis is "expired, experimental", it's the way of the future. Get a copy at www.padl.com; the main IETF repository purges the expired stuff.

Also, I'm liking "idmap ... = ad" for my winbind configuration, and recommend it to you.

Unfortunately, the documentation from the likes of Microsoft, Red Hat, and Samba hasn't caught up with the software yet. Most of it is for Samba 3.0.20 or earlier and Windows Server 2003. Lots of stuff you care about changed in Server 2003 R2 and between Samba 3.0.23 and 3.0.25, but the white papers and man pages don't reflect it yet. Sigh.
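The rfc2307 vs. rfc2307bis distinction in point 2 above, as an added example that is not part of the comment or of any Samba/winbind code: a small resolver over a constructed directory snapshot that flattens group membership when members are bare usernames (memberUid) and when they are DNs that may point at other groups (member), including a nesting cycle. The DNs and account names are made up for the example.

```python
"""Flatten LDAP group membership for rfc2307 and rfc2307bis/AD groups.

Constructed example: rfc2307 posixGroup entries carry usernames in
memberUid; AD / rfc2307bis groups carry DNs in member, and a member DN
may itself be a group, so resolution must recurse and tolerate cycles.
"""
from typing import Dict, List, Optional, Set

# Constructed directory snapshot keyed by DN; every attribute is a list.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "cn=bob,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
    "cn=carol,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["carol"]},
    # rfc2307-style group: members are plain usernames (IA5String).
    "cn=legacy,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
    # rfc2307bis / AD-style groups: members are DNs and may nest.
    # devs and staff reference each other, forming a membership cycle.
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=carol,ou=users,dc=example,dc=com",
                   "cn=staff,ou=groups,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,ou=users,dc=example,dc=com",
                   "cn=devs,ou=groups,dc=example,dc=com",
                   "cn=ghost,ou=users,dc=example,dc=com"]},  # dangling DN
}


def resolve_members(group_dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the flat set of usernames in group_dn.

    memberUid values are taken as usernames directly; member values are
    DNs looked up in DIRECTORY, recursing into nested groups. `seen`
    records groups already expanded so cycles terminate.
    """
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    entry = DIRECTORY.get(group_dn, {})
    users: Set[str] = set(entry.get("memberUid", []))  # rfc2307 names
    for dn in entry.get("member", []):  # rfc2307bis / AD DNs
        target = DIRECTORY.get(dn)
        if target is None:
            continue  # dangling DN: no entry to map, so skip it
        if "group" in target["objectClass"]:
            users |= resolve_members(dn, seen)  # nested group
        else:
            users.update(target.get("sAMAccountName", []))
    return users
```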

Very useful comment

Posted Nov 17, 2008 6:16 UTC (Mon) by ctg (subscriber, #3459)

This comment was actually far more interesting than the original article (together with a few of the other more information-rich comments in this thread).

In instructions, I like a bit of explanation about why I am pressing a particular button, not just the buttons to press (which is the biggest fault of the original article).

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds