
Integration with Active Directory
Jeremy Allison, Samba Team

Benefits of using Active Directory

- Unlike the earlier Microsoft Windows NT 4.x Domain directory service, which used proprietary DCE/RPC calls, Active Directory is based on standard Internet protocols:
  - LDAP v3 for directory lookup and updates.
  - Kerberos 5 for authentication (single sign-on).
  - DNS for name resolution.
- The hope was that non-Microsoft implementations of these protocols could be used to serve Windows clients, allowing true competition for providing these services.
- Unfortunately this is not the case.

What is Active Directory?

[Diagram: an Active Directory server combines a Dynamic DNS server, a DHCP server, a Kerberos 5 server (KDC), an LDAP v3 server and a Microsoft RPC Domain server, all sitting on a shared database back-end store.]

Why must we use an Active Directory Server?

- Windows clients don't use only the standard protocols to achieve logon services.
- Mandatory extra features (like the modified Kerberos ticket and other details) are tied into the Active Directory implementation to enforce vendor lock-in.
- The practical result of this is that if you want to use Windows clients and servers and obtain all the functionality you paid for, then you must use a Windows Active Directory server.
- IT staff who recommend an Active Directory rollout without making management aware of this commitment going forward are misleading their executive staff.

Why must we use an Active Directory Server?

- Windows clients do not allow replacement of their low-level functionality to ease integration with non-Windows directory servers.
- As usual, it is easier to configure non-Windows systems to interoperate with Windows systems than vice versa.
- The free release of Microsoft Services for UNIX does help here, although the protocols used (NIS) are not as secure as using the native protocols of Kerberos and LDAP.
- Active Directory servers can have their LDAP schema (the formal definition of the format of the data they store) extended to allow them to serve non-Windows clients.

What do we mean by integration with an Active Directory Server?

For a non-Windows client to integrate successfully into Active Directory we need two operations to be seamless:
- Authentication of Linux/UNIX accounts against Active Directory.
- Enumeration of Linux/UNIX user and group directory information stored in an Active Directory store.

For authentication the preferred method is Kerberos 5 (the native Windows 2000 and above authentication method). Microsoft Services for UNIX, LDAP or MS-RPC can also be used here.

For user and group enumeration integration LDAP is the preferred method. Microsoft Services for UNIX and MS-RPC can also be used.

Kerberos Authentication Integration

- Active Directory Servers can be Kerberos 5 KDC servers for Linux/UNIX clients.
- MIT or Heimdal Kerberos servers cannot be complete KDC servers for Windows clients due to the missing extra data field.
- MIT or Heimdal KDC servers can be set to trust AD Kerberos servers if the Windows and UNIX user accounts are separated into separate realms.
- In a more integrated environment it is probably easier to just use Active Directory Kerberos Servers (as Microsoft intended by extending the standard).

Integrating Windows Authentication Services with Linux/UNIX

- Linux/UNIX systems started with local files containing all authentication information.
- Since then a standardized plugin architecture has been developed to allow replacement of the authentication information validation (user logons) and maintenance (password changing) with many different possible targets.
- PAM (Pluggable Authentication Modules): an API invented by Sun and adopted by Linux and other UNIX platforms.

PAM: Pluggable Authentication Modules

[Diagram: an application issues a PAM request to the PAM library; the library consults the PAM config directory and walks a module stack of PAM modules. PAM requests can be for auth, account, password or session functionality.]

PAM on Linux/UNIX systems

- PAM is a standard on Linux and many UNIX systems (HP-UX, Solaris and others).
- Over twenty different PAM modules exist to provide all manner of authentication services.
- Three specific modules are of interest for Active Directory integration:
  - Kerberos: pam_krb5 (http://pamkrb5.sourceforge.net)
  - LDAP: pam_ldap (http://www.padl.com)
  - Samba/Microsoft RPC: pam_winbind (http://www.samba.org)
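As an added illustration (not code from the talk, from Linux-PAM or from Samba), the following simulates how the PAM library walks an auth module stack built from the three modules above, with constructed stand-in backends and control flags written in /etc/pam.d/ line syntax:

```python
"""Simulate how the PAM library walks an 'auth' module stack.

Added illustration for this talk, not code from Linux-PAM or Samba.
The module behaviours are constructed stand-ins: a table of the
(user, password) pairs each backend would accept.
"""

# Constructed stand-in for the backend behind each module.
BACKENDS = {
    "pam_winbind.so": {("alice", "Ad-pass1")},  # checked by the AD DC
    "pam_krb5.so":    {("bob", "Krb-pass2")},   # checked by a KDC
    "pam_unix.so":    {("root", "local-pw")},   # checked in /etc/shadow
}

# A typical auth stack for an AD-integrated host, in /etc/pam.d/ line
# syntax ("<type> <control> <module>"); constructed for this example.
AUTH_STACK = [
    "auth sufficient pam_winbind.so",
    "auth sufficient pam_krb5.so",
    "auth required   pam_unix.so",
]

def run_module(module, user, password):
    """Stand-in for PAM_SUCCESS/PAM_AUTH_ERR: True if the module accepts."""
    return (user, password) in BACKENDS.get(module, set())

def authenticate(stack, user, password):
    """Walk the stack with the simple Linux-PAM control flags.

    required   - a failure is remembered, but later modules still run
    requisite  - a failure ends the stack at once
    sufficient - a success ends the stack unless a required module has
                 already failed; a failure is simply ignored
    optional   - not modelled (it only counts when it is the sole module)
    """
    required_failed = False
    vouched = False          # some required/requisite module succeeded
    for line in stack:
        _type, control, module = line.split()
        ok = run_module(module, user, password)
        if control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "requisite":
            if not ok:
                return False
            vouched = True
        elif control == "required":
            if ok:
                vouched = True
            else:
                required_failed = True
    # Nothing vouched for the user, or a required module failed: deny.
    return vouched and not required_failed
```

Note that a success from pam_winbind cannot rescue a logon once an earlier required module has failed, which is why the order of the lines matters as much as the modules chosen.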

Kerberos: pam_krb5

- Takes the user's cleartext password and validates it against a standard Kerberos 5 server (Active Directory adds extra proprietary data into the returned ticket, but the client libraries on Linux/UNIX ignore this data).
- Returns a Kerberos 5 Ticket Granting Ticket (TGT) which can be used to get tickets for other services.
- Care must be taken to ensure the encryption method used by default by Windows (RC4-HMAC) is available on the Linux/UNIX Kerberos system.
- Source code available, Open Source/Free Software.

LDAP: pam_ldap

- Takes the user's cleartext password and validates it against an LDAP server by attempting to set up an LDAP connection as the given username/password pair.
- Must be set up to use SSL/TLS in order to securely validate the password (pam_krb5 doesn't have this problem; all Kerberos exchanges are secure).
- Developed by PADL Software, available as Open Source/Free Software.

Samba: pam_winbind

- Allows a Linux/UNIX user to authenticate in exactly the same way as if they were logging on to a Microsoft member server in the Domain.
- Requires a working Samba setup (more details later).
- Completely integrates the Linux/UNIX authentication mechanism into the Windows world, identical to a Windows server.
- All of Samba is Open Source/Free Software.

Integrating Windows User Directory Services with Linux/UNIX

- Linux/UNIX systems started with only local directory listings (local files) and have since had to develop standardized plugin architectures to allow replacement of the directory service with any compatible server (no hidden protocols).
- NSS (Name Service Switch).
- NSS allows user and group lookup and enumeration to be done via many different directory services. The order in which they are queried can be changed.
- The NSS modules that are of interest for Active Directory integration are:
  - nss_ldap
  - nss_winbind
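As an added illustration (not code from the talk, from glibc or from Samba), this simulates how the Name Service Switch walks the passwd sources in /etc/nsswitch.conf order, with constructed in-memory tables standing in for files, winbind and ldap; it also handles the bracketed [STATUS=action] overrides, which go beyond what the slide describes:

```python
"""Simulate Name Service Switch ordering for passwd lookups.

Added illustration for this talk, not code from glibc or Samba. The
sources below are constructed in-memory tables standing in for
/etc/passwd ("files"), nss_winbind and nss_ldap.
"""

# Constructed stand-ins: name -> (uid, gid) as each source would answer.
SOURCES = {
    "files":   {"root": (0, 0), "alice": (1000, 1000)},
    "winbind": {"alice": (10005, 10001), "DOM\\bob": (10007, 10001)},
    "ldap":    {"carol": (20000, 20000)},
}

def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}.

    Understands the bracketed override syntax of /etc/nsswitch.conf,
    e.g. "passwd: files [NOTFOUND=return] winbind". Only the SUCCESS
    and NOTFOUND statuses are modelled (UNAVAIL/TRYAGAIN are omitted).
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        database, spec = line.split(":", 1)
        entries = []
        for token in spec.split():
            if token.startswith("[") and token.endswith("]") and entries:
                status, action = token[1:-1].split("=", 1)
                entries[-1][1][status.upper()] = action.lower()
            else:
                entries.append((token, {}))
        config[database.strip()] = entries
    return config

def getpwnam(config, name):
    """Walk the passwd sources in order; defaults are SUCCESS=return
    and NOTFOUND=continue. Returns (source, (uid, gid)) or None."""
    for source, actions in config.get("passwd", []):
        entry = SOURCES.get(source, {}).get(name)
        status = "SUCCESS" if entry is not None else "NOTFOUND"
        action = actions.get(status, "return" if entry is not None else "continue")
        if action == "return":
            return (source, entry) if entry is not None else None
    return None

# Constructed config: local files come first, so a local "alice"
# shadows the domain account that winbind would otherwise report.
NSSWITCH = "passwd: files winbind\ngroup:  files winbind\n"
```

The shadowing case is the one to watch on a member server: a stale local account with the same name as a domain account silently wins while files is listed first.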

NSS: Name Service Switch

[Diagram: an application issues an NSS request to the NSS library (libc); the library reads /etc/nsswitch.conf and walks a module stack of NSS libraries, each of which performs either a local files lookup or an external lookup (NIS, winbind). NSS requests can look up a user or group, or enumerate the user or group lists.]

LDAP: nss_ldap

- Written by PADL Software (as is pam_ldap), this library allows Linux/UNIX systems to look up users and groups stored in an Active Directory server.
- The Active Directory schema must have been extended from the standard schema by including either the RFC 2307 schema (created by PADL) or the schema used by Microsoft's Services for UNIX product.
- The Linux/UNIX user and group information must already exist in the Active Directory as part of the schema.
- This requires some extra administration to add the extra information to the existing Active Directory data.

Samba: nss_winbind

- Part of the complete solution provided by Samba (will be described in detail later).
- Does not require any changes to the Active Directory schema.
- Does require a working Samba setup and the Linux/UNIX machine to have been added as a member server into the Active Directory.

Microsoft Services for UNIX: nss_nis

- Does not talk directly to the Active Directory Server but to a NIS (Network Information Services) gateway running on a Windows server.
- As with nss_ldap, requires additions to be made to the Active Directory schema to add the Linux/UNIX (POSIX) definitions.
- Useful for older UNIX installations that will only use the NIS protocols (regarded as insecure in modern UNIX systems).
- NIS protocol developed by Sun in the late 1980's.

Three Complete Solutions for Active Directory Integration

PADL solution

- Modify Active Directory with either the RFC 2307 schema definition or the Microsoft Services for UNIX schema.
- Install pam_ldap (or alternatively pam_krb5) to handle the authentication from the Linux/UNIX systems.
- Install nss_ldap to handle the directory service enumeration from the Linux/UNIX systems.
- Probably the easiest choice for organizations with significant existing Linux/UNIX experience.
- Secure, robust solution but requires work to maintain.

Services for UNIX solution

[Diagram: a Windows Active Directory Server (modified schema) runs the NIS Server Service; a Linux/UNIX server with NIS PAM and NIS NSS modules communicates with it using the NIS protocol over the network.]

Services for UNIX solution

- Uses the older NIS protocol, an older UNIX standard.
  - Modern Linux/UNIX systems use either NIS+ (encrypted version of NIS) or LDAP or Kerberos for password verification.
- Now that Microsoft has made Services for UNIX available for free, this is a competitive solution.
  - No source code available, unlike the other solutions.
- Good choice if an organization is mainly Windows, with a few older Linux/UNIX machines for which security is not a priority.

Samba winbind solution

[Diagram: a Windows Active Directory Server (unmodified schema) talks to the winbind daemon on a Linux/UNIX server using MS-RPC or LDAP communication over the network; the winbind PAM and winbind NSS modules sit behind the daemon.]

Samba winbind solution

- Allows a Linux/UNIX machine to completely emulate a Windows member server.
- No changes to the Active Directory schema needed: winbind copes with mapping Windows users and groups to Linux/UNIX users and groups.
- Allows Windows clients accessing file and print (Samba) services on the Linux/UNIX server to pass Kerberos 5 tickets to obtain service (as to a Windows file server).
- To synchronize user and group mapping between multiple Linux/UNIX servers using winbind an external LDAP server must be used (not completely transparent).
- Uses the same protocols as Windows servers for enumerating
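The mapping-synchronization caveat above can be seen in a small model. Added example, not Samba code: a per-host allocating backend (Samba's default idmap_tdb behaves this way, an assumption beyond the slide) beside an arithmetic RID-based one modelled on Samba's idmap_rid formula; the SIDs and id range are constructed.

```python
"""Why winbind ID mappings can differ between Linux/UNIX servers.

Added illustration for this talk, not Samba code. An allocating backend
(like Samba's per-host idmap_tdb default) hands out the next free uid in
first-seen order; an arithmetic one (modelled on Samba's idmap_rid formula
ID = RID - BASE_RID + LOW_RANGE_ID) derives it from the SID's RID, so every
host agrees. SIDs and the id range are constructed.
"""

RANGE_LOW, RANGE_HIGH = 10000, 19999   # constructed idmap range

def rid_of(sid):
    """The last sub-authority of an S-1-5-21-... domain SID is the RID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: " + sid)
    return int(parts[-1])

class AllocatingIdmap:
    """Per-host counter: the mapping depends on lookup order."""
    def __init__(self):
        self.next_id = RANGE_LOW
        self.table = {}
    def sid_to_id(self, sid):
        rid_of(sid)                      # validate the SID first
        if sid not in self.table:
            if self.next_id > RANGE_HIGH:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]

def rid_to_id(sid, base_rid=0):
    """Deterministic mapping: same SID -> same uid on every host."""
    uid = rid_of(sid) - base_rid + RANGE_LOW
    if not RANGE_LOW <= uid <= RANGE_HIGH:
        raise ValueError("RID outside the configured range: " + sid)
    return uid

ALICE = "S-1-5-21-1111-2222-3333-1105"   # constructed SIDs
BOB = "S-1-5-21-1111-2222-3333-1106"

def drift_demo():
    """Two hosts first see the same two users in opposite order."""
    host_a, host_b = AllocatingIdmap(), AllocatingIdmap()
    a = (host_a.sid_to_id(ALICE), host_a.sid_to_id(BOB))
    host_b.sid_to_id(BOB)            # bob was the first domain user seen here
    b = (host_b.sid_to_id(ALICE), host_b.sid_to_id(BOB))
    return a, b
```

With per-host allocation the same domain user owns different uids on the two servers, which is what breaks file ownership on shared storage and why the slide calls for a shared external backend.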

Integrating Samba

[Diagram: a Samba Domain Controller with its own member servers has a trust relationship with a Windows Active Directory Server, which in turn serves its own member servers and a Windows application server.]

Conclusions

- Windows Active Directory is a necessary evil if you have large numbers of Windows clients.
- The moral of this is: if you're not piloting a desktop Linux program, you're paying too much for your Microsoft client software.
- Options are PADL Open Source code, Microsoft Services for UNIX, or Samba to provide no-cost integration between your Linux/UNIX machines and Active Directory.
- All solutions have complexity involved; set up a test environment to determine which best matches your business (no surprises here).

http://www.hp.com/linux

http://www.samba.org
