White Paper
Managing Group Policies for Non-Windows Computers through Microsoft Active Directory
Printed in the United States of America.
Copyright © 2009 Edison Group, Inc. New York. Edison Group offers no warranty either expressed or
implied on the information contained herein and shall be held harmless for errors resulting from its use.
All products are trademarks of their respective owners.
First Publication: April 2009
Produced by: Andrew Podosenin, Senior Analyst; Barry Cohen, Editor‐in‐Chief
Table of Contents
Executive Summary (page 1)
Introduction (page 2)
Managing Group Policies (page 3)
  Predominance of Windows Platform (page 3)
  Group Policy Management (page 3)
  Schema Extension (page 3)
  Ease of Use (page 4)
  Uniformity of Management (page 4)
  Policy Management Features Available through Active Directory (page 4)
  Management Complexities in the Unix Environment (page 5)
Cross-platform Challenges (page 6)
  Limitations of SUDO (page 6)
  Limitations of NIS/NIS+ (page 6)
  Limitations of RBAC (page 6)
  Kerberos Authentication (page 7)
  Limitations of File Permissions in Unix (page 7)
  Managing Policies Across Different Flavors of Unix/Linux (page 7)
Advantages of Managing Unix Policies with Likewise (page 7)
  Complexities of Managing Policies in Mac OS X Environment (page 8)
Conclusion and Recommendations (page 11)
Executive Summary
Currently, midsize and large enterprises have to manage identities and policies
uniformly across a heterogeneous platform base. This need arises from increasing node
management costs, the desire to improve security posture, and industry regulatory
requirements.
The most efficient way to manage policies and identities on non-Windows platforms in
these environments is to choose Windows as the common ground for the storage,
management, and enforcement of such policies. Windows is chosen because it is a
scalable and reliable platform with excellent, intuitive management tools.
Administrators can use Open Source tools or professional, scalable, and supported
solutions like Likewise Enterprise when standardizing identity management on
Windows. The present paper discusses the advantages and disadvantages of both
approaches.
Managing Group Policies for Non‐Windows Computers through Microsoft Active Directory Page 1
Introduction
This white paper discusses how Likewise Enterprise enables organizations to integrate
and manage their Unix, Linux, and Mac computers using Microsoft Active Directory
tools.
The paper briefly describes the proliferation of Windows and then moves on to describe
how Active Directory features, such as Group Policy and extensions to Active Directory
schemas, enable the management of Unix‐like systems.
The paper then discusses why Windows' well-known ease-of-use advantages make
management of non-Windows systems through Active Directory an attractive
alternative.
The remainder of the white paper provides a more technical discussion of Unix
management complexity and why incorporating a Windows Policy‐based management
alternative provides organizations with a uniform use and management model for their
computing environments.
Finally, the paper describes how Likewise Enterprise works to bring together Active
Directory and Unix management under Windows Group Policies.
Managing Group Policies
Predominance of Windows Platform
Microsoft Windows Server and Active Directory have come to dominate business
computing. This has resulted in the need for non‐Windows devices and applications to
interoperate with and even be managed within a Microsoft Windows Active Directory
environment. Besides being one of the most widely deployed (if not the most widely
deployed) scalable directory solutions, Active Directory is also the most widely
deployed and most robust commercial implementation of Kerberos.
Over the years, Microsoft has successfully delivered a scalable computing solution
from the server to the client, particularly because of the ease of use of its
graphical user interface. Besides addressing the operating system, directory, and storage
markets, Microsoft's enterprise-class applications such as Exchange and SQL Server
depend upon directory‐based authentication. In addition, many third‐party applications
such as PeopleSoft and SAP incorporate AD authentication. Given the roadmap offered
by Microsoft, this interconnection of the directory side and the application side will only
increase.
The following sections describe the advantages of Microsoft Windows marketplace
success from a heterogeneous environment perspective.
Group Policy Management
Unlike the other directory vendors, Microsoft has delivered profile and desktop
management on a large scale. Unlike vendors such as Novell or Sun Microsystems who
only have partial solutions, Microsoft is able to automatically push policies through the
domain from the server to the client. The enhanced group policy implementation in
Windows Vista and Windows Server 2008 has allowed administrators to centrally
manage a greater number of features and component behaviors than were possible in
the previous versions. With the continuing consolidation of IT vendors, the enterprise
computing landscape will undoubtedly be geared more and more toward Windows
platforms.
Schema Extension
Over the years Microsoft has lessened its aggressive stance toward Unix, starting with
adding some interoperability in Microsoft Services for Unix 3.0 (SFU 3.0), and extending
that in SFU 3.5. Most recently, in Windows Server 2003 R2, Microsoft has incorporated
most of the features of SFU 3.5, adding the ability to extend the AD schema with
Unix-compliant attributes in accordance with RFC 2307 [1]. This simplified the integration of
cross-platform identity management by eliminating the need to choose between
storing Unix object credentials in the existing classes (so-called non-schema mode)
and an unsupported extension of the AD schema. Now administrators can take
advantage of RFC 2307 by using Unix- and Linux-specific attributes that are built into
the AD schema.
Ease of Use
It is generally accepted that Windows' management tools are easier to use than their
Unix and Linux counterparts. This is one of the major reasons that Microsoft has won
the desktop client and server enterprise management battle. Administrators today
rarely need to engage in error-prone manual editing of configuration files
or rely on writing scripts and executing them from the command line. In fact, creating
and pushing an enterprise policy across thousands of clients can be performed with
fairly few mouse clicks from one of the policy management plug-ins for the Microsoft
Management Console.
Uniformity of Management
The various vendors' Unix and Linux platforms are notoriously different from one
another: they have different management tools and different desktop interfaces. Looking
at a number of popular Linux distributions from Red Hat, SUSE, and Ubuntu, it
becomes clear that Linux did not deliver the uniformity hoped for. Since it is clear that
Unix and Linux must inevitably interoperate with Windows, there is a heightened need
for standardized authentication and management tools. Fortunately, Microsoft now
offers such common ground: the combination of an Active Directory framework and
Group Policy management. This is where Unix administrators can take a lazy approach,
since both the framework and the management tools have been already written, scaled,
tested, and delivered to the enterprise. All it takes is to tap into this offered technology
and use AD for uniform policy management.
Policy Management Features Available through Active Directory
Windows policy management allows administrators to automatically and intuitively
enforce a large number of end‐node parameters across the domain in a hierarchical
fashion. These parameters include security settings, wired and wireless settings, startup
and shutdown scripts, software restrictions, QoS, IPSec, remote software installation
settings, access restrictions to local hardware, and many more. The growing number of
group policy settings appearing in Windows Vista and the upcoming Windows 7 clearly
indicates that this is the desktop management approach that Microsoft has chosen.
[1] RFC 2307 can be found at: http://www.rfc-archive.org/getrfc.php?rfc=2307
All these policies are edited and enforced from the Microsoft Group Policy Management
Console (GPMC), a comprehensive and intuitive suite of policy management tools
available as a Microsoft Management Console (MMC) snap‐in. GPMC allows
administrators to launch the Active Directory Users and Computers (ADUC) console to
apply policy objects to the desired OU (Organizational Unit) level and launch Group
Policy Object Editor (GPOE) to modify group‐policy settings within group policy
objects. Overall, the suite of tools described above allows administrators to easily create
multiple group policies and enforce them at different OU levels.
Management Complexities in the Unix Environment
Interoperability between Windows and Unix has always been a problem, repeatedly
addressed with limited success from both sides. While porting applications across
platforms is often impractical, cross‐platform authentication allows administrators to
deliver Unix applications (particularly Web‐based applications) to the Windows realm,
providing a faster and more convenient solution. By the same token, allowing Windows
users to authenticate and manage Unix systems simplifies tracking identities, making
the overall Unix user experience more pleasant.
Some attempts to have Windows and Unix interoperate have met with moderate
success. Microsoft Services for Unix (most features of SFU have been incorporated into
Windows Server 2003 R2 and Windows Server 2008) offers limited interoperability
between AD and NIS, plus a password‐synchronization utility. Specifically, SFU offered
a service that would synchronize Unix UIDs/GIDs and Windows user and group
identities (SID) bidirectionally in one‐to‐one and many‐to‐one mode. Additionally, SFU
offered bidirectional Windows‐to‐Unix and Unix‐to‐Windows password
synchronization that supports both local and domain account Windows password
synchronization. However, these features did not support very many Unix flavors while
requiring a fair amount of manual configuration work to be implemented.
How-to documents for Unix and Linux platforms also offer limited interoperability, at the
cost of extensive manual labor associated with editing configuration files, sometimes on
each participating host. This is a tedious and error-prone procedure. Several how-to
documents of this kind have been maintained since the year 2000, particularly
addressing authentication through pluggable authentication modules. Unfortunately,
not all the Unix and Linux flavors are supported and the implementation requires
laborious manual configuration and extensive testing. An incorrect configuration can
not only result in failed user authentication but also make the Unix host less secure.
There are similar documents for Samba, Apache, and SSH authentication. Additionally,
the recommendations and implementations change from application to application,
particularly in the versions of supported tools and the location and format of the
configuration files. Frequently, the recommended modifications are not supported by
either the Unix or Linux vendors or Microsoft, which makes it difficult to implement
these changes in a production environment. Therefore, should the particular platforms
need to be supported, administrators need to have extensive knowledge of both
platforms and rely on often untimely free technical advice from Internet forums.
Supporting cross‐platform authentication in such a manner is stressful and counter‐
productive.
Cross‐platform Challenges
The following sections describe the cross‐platform challenges administrators must face.
Limitations of SUDO
SUDO is used as an alternative to the extensive use of the root account for management
purposes. SUDO allows non‐privileged accounts to execute privileged commands.
While a great idea, as typically implemented SUDO has a number of drawbacks. Among
these are the need to manually apply and maintain the sudoers file across all the
managed systems, test each configuration change, and make modifications to each node
when a new administrator joins or leaves the company.
Limitations of NIS/NIS+
While NIS is still widely used for domain authentication, the technology has known
security limitations (a client can retrieve the entire NIS password database for offline
inspection), is not very scalable, and has inefficient replication processes. While NIS+ has
fixed a number of NIS drawbacks by being hierarchical, requiring server authentication,
and allowing permissions on operations, NIS+ is difficult to administer, requires special
backup procedures, and has limited scalability, particularly with multiple domains and
over 1,000 clients. In this regard, the scalability and robustness of Active Directory offer
a far better alternative.
Limitations of RBAC
Role-based access control (RBAC) is another approach to restricting system access to
authorized users. RBAC is based on roles that are created for various job functions.
Permissions for operations are assigned to roles rather than to users, and rights
management is simplified by assigning each user to a particular role. However, in
large heterogeneous environments management of RBAC memberships becomes
extremely complex as it lacks hierarchical creation of roles and privilege assignments.
Additionally, not all the users have the same role on different systems, which further
complicates the administration process.
Kerberos Authentication
Kerberos configuration requires running a daemon, synchronizing time between the
server and the client via NTP, installation of the pam_krb5 module, and making
applicable changes to the sample configuration files provided with the distribution.
Administrators, therefore, have to rely on an extensive knowledge of both platforms and
on the not always timely third‐party help from the Internet forums to get Kerberos
implemented within a Unix or Linux environment. Obviously, handling domain
authentication in such a manner is time‐consuming and prone to error.
Limitations of File Permissions in Unix
In Unix a file has three classes of permissions: the owner, the group, and everyone. Each
class has three levels of access rights: read, write, and execute. This offers far less
flexibility than a Windows environment, where multiple local and domain‐based file
permissions can be granted for users and groups. Linux Security Modules (LSM), which
are included with the SELinux [2] security framework, offer more granular file access but
at the cost of CPU overhead.
Managing Policies Across Different Flavors of Unix/Linux
In heterogeneous environments, administrators have to enforce standard policy settings
across multiple flavors of Unix, each often using different desktop environments
(GNOME, KDE, Sun Java Desktop System, etc.). These desktop environments differ in
the parameters that can be modified and in the format and location of the configuration
files. Thus, when pushing policies, administrators have to manually filter the enforced
settings on a per-target-platform basis, which requires either polling the system OS or
maintaining lists of the systems and their corresponding OSes. This is another time-
consuming and error-prone process.
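The per-platform filtering described above, as an added example that is not Likewise code or anything from the paper: a central policy catalogue is reduced to the settings that apply to one node from its OS and desktop environment, and each surviving setting is mapped to the file it lands in. The catalogue, the os-release texts and the target paths are constructed assumptions.

```python
"""Filter a central policy catalogue down to the settings that apply to one
node, based on its OS and desktop environment, and report the file each one
lands in.

Added example, not Likewise's code. The catalogue, the os-release texts and
the target paths are constructed assumptions; they illustrate that the same
logical setting lives in a different file on GNOME, KDE and each distribution."""

# Constructed catalogue. "os"/"desktop" of None means "applies everywhere";
# "paths" maps a desktop, or "*" for non-desktop settings, to the target file.
POLICIES = [
    {"name": "screensaver_lock", "value": "true", "os": None,
     "desktop": {"gnome", "kde"},
     "paths": {"gnome": "~/.gconf/apps/gnome-screensaver/%gconf.xml",
               "kde": "~/.kde/share/config/kscreensaverrc"}},
    {"name": "PermitRootLogin", "value": "no", "os": None, "desktop": None,
     "paths": {"*": "/etc/ssh/sshd_config"}},
    {"name": "SELINUX", "value": "enforcing", "os": {"rhel", "centos", "fedora"},
     "desktop": None, "paths": {"*": "/etc/selinux/config"}},
    {"name": "apparmor", "value": "enforce", "os": {"ubuntu", "sles", "opensuse"},
     "desktop": None, "paths": {"*": "/etc/apparmor.d/local/site-policy"}},
]

# Constructed /etc/os-release style inventories of three target nodes.
UBUNTU_WS = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n'
RHEL_WS = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.2"\n'
SLES_SRV = 'NAME="SLES"\nID="sles"\nVERSION_ID="15.4"\n'


def parse_os_release(text):
    """Parse KEY=VALUE lines (surrounding quotes stripped) of an os-release file."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        info[key.strip()] = val.strip().strip('"')
    return info


def classify_node(os_release_text, desktop=None):
    """Facts the filter needs: distro ID and desktop (None on a headless server)."""
    return {"os": parse_os_release(os_release_text).get("ID", "unknown"),
            "desktop": desktop}


def applies(policy, node):
    """True when the node's OS and desktop both fall inside the policy's scope."""
    if policy["os"] is not None and node["os"] not in policy["os"]:
        return False
    if policy["desktop"] is not None and node["desktop"] not in policy["desktop"]:
        return False
    return True


def render_for_node(node):
    """Return [(target_path, 'name=value')] for every catalogue entry that applies."""
    out = []
    for p in POLICIES:
        if not applies(p, node):
            continue
        # Desktop-specific file when the desktop is known, else the generic path.
        path = p["paths"].get(node["desktop"] or "*", p["paths"].get("*"))
        out.append((path, f'{p["name"]}={p["value"]}'))
    return out
```

Running `render_for_node(classify_node(UBUNTU_WS, "gnome"))` yields the GNOME screensaver path, sshd_config and the AppArmor entry, while the headless SLES node gets only the two non-desktop settings.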
Advantages of Managing Unix Policies with Likewise
Likewise Enterprise is capable of solving all the above problems in a simple and
intuitive fashion. The technology offers seamless integration of over a hundred different
Unix/Linux operating systems with Active Directory for both authentication and policy
management needs. Likewise Enterprise offers centralized management of identities,
desktop environments (including 2500‐plus Gnome policy parameters), credential
caching for off‐line connection, OS‐based client policy filtering, NIS and user migration
tools, as well as auditing and reporting functionality. With Likewise Enterprise
technology, administrators can easily deliver Kerberos‐based single sign‐on for such
applications as telnet, FTP, SSH, rlogin, rsh, LDAP queries against AD, and Apache
HTTP server.
[2] SELinux, or Secure Linux, is further explained at: http://www.nsa.gov/research/selinux/
Likewise simplifies account management by assigning each user a unique ID, which is
provisioned and centrally managed through Active Directory. Likewise’s unique cell
technology can map users to different UIDs and GIDs for different computers,
eliminating the need for multiple local user accounts. The Likewise extension to the
Microsoft Active Directory User and Computers MMC snap‐in allows administrators to
create an associated cell for an OU and then use the cell to manage UID‐GID numbers.
This allows an AD user to access non-Windows nodes in selected Likewise cells.
The above features let administrators integrate non-Windows nodes into a Windows AD
authentication and management framework with adequate policy management, user
provisioning, and reporting tools.
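The RFC 2307 attributes from the Schema Extension section and the per-OU cell mapping described above, as an added example that is not Likewise's code: a user's uidNumber, gidNumber, unixHomeDirectory and loginShell are read from a constructed LDIF export and rendered as a passwd record, with a cell defined on an ancestor OU of the computer overriding the UID/GID. The cell store layout and the rule that the nearest ancestor OU with an override wins are assumptions.

```python
"""Map an AD user's RFC 2307 attributes to a passwd record, applying a per-OU
cell override for the computer the user logs on to.  Added example, not Likewise's
code.  Assumptions: cells live in a dict keyed by OU DN, and the nearest ancestor
OU of the computer that defines an override for the user wins; data is constructed."""

# The RFC 2307 attributes that Windows Server 2003 R2 added to the AD schema.
REQUIRED_POSIX = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed LDIF export: one user with Unix attributes, one without.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jdoe
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash

dn: CN=No Posix,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: nounix
"""

# Constructed cell table: OU DN -> {sAMAccountName -> attribute overrides}.
SAMPLE_CELLS = {
    "OU=Linux,DC=example,DC=com": {"jdoe": {"uidNumber": "20001", "gidNumber": "20000"}},
}


def parse_ldif(text):
    """Parse a minimal LDIF export into {dn: {attr: value}} (single-valued attributes)."""
    entries, cur = {}, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # a blank line ends an entry
            if cur:
                entries[cur["dn"]] = cur
                cur = {}
            continue
        key, sep, val = line.partition(": ")
        if sep:
            cur[key] = val
    if cur:
        entries[cur["dn"]] = cur
    return entries


def ou_chain(dn):
    """Yield the ancestors of a DN, most specific first (assumed cell lookup order)."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def resolve_identity(entries, cells, sam, computer_dn):
    """Return the effective Unix identity of user `sam` on computer `computer_dn`."""
    user = next((e for e in entries.values() if e.get("sAMAccountName") == sam), None)
    if user is None:
        raise KeyError(sam)
    missing = [a for a in REQUIRED_POSIX if a not in user]
    if missing:
        # A user without Unix attributes must fail to map rather than get a default UID.
        raise ValueError(f"{sam} lacks RFC 2307 attributes: {', '.join(missing)}")
    ident = {a: user[a] for a in REQUIRED_POSIX}
    ident.update(name=sam, cell=None)
    for ou in ou_chain(computer_dn):
        override = cells.get(ou, {}).get(sam)
        if override:                      # first (closest) cell with an override wins
            ident.update(override)
            ident["cell"] = ou
            break
    return ident


def passwd_line(ident):
    """Render the identity as an /etc/passwd record (password field is 'x')."""
    return ":".join([ident["name"], "x", ident["uidNumber"], ident["gidNumber"],
                     ident["name"], ident["unixHomeDirectory"], ident["loginShell"]])
```

For a computer under OU=Linux the user jdoe resolves to UID 20001 from the cell, while on a computer outside that OU the schema defaults (UID 10001) apply; a user lacking the RFC 2307 attributes is rejected instead of being mapped.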
Complexities of Managing Policies in Mac OS X Environment
Over the years the Apple Macintosh computer has maintained a small but stable share
of the computing environment. While being used primarily for audio, video, and
graphics editing, the Macintosh offers extreme ease of use compared to Windows (not to
mention Unix) coupled with a plethora of high‐end graphics applications designed and
compiled for the Macintosh platform. Apple’s marketing effort is maintaining and
somewhat expanding the OS X market share, which has now surpassed 8 percent. Part
of this success can be attributed to the use of a stable Unix kernel in OS X and more
standard PC components, such as Intel microprocessors, PCI‐E slots, and DDR memory.
This introduced Apple to a pool of hardware that is more reliable, less expensive, and
comes in wider variety than the components in older RISC processor‐based
Macintoshes.
Unfortunately, from an enterprise computing perspective, Apple does not have robust
enterprise management tools. There are a number of reasons for this. First, the
Macintosh has never been a widespread enterprise‐class platform, so Apple never
needed to address the issues of scalable directory service, terabytes of storage, or
centralized computational facilities. Thus enterprise messaging and data management
applications such as Microsoft Exchange, Lotus Notes, SQL Server, and so forth have
never been ported to Appleʹs Macintosh servers. Even now few enterprise‐class products
are available for the OS X platform. Secondly, the primary use of Macintoshes is in the
graphics departments, a technologically and organizationally secluded group that
requires sharing among Macintosh users only and interoperating with the rest of the IT
infrastructure via sharing printers, storage, and Internet access. This situation certainly
did not call for provisioning and identity solutions to the depth and scalability of its
Windows counterparts. On the bright side, since Apple did not excel in enterprise
management tools, others such as Microsoft, Novell, and Sun have created the
infrastructure allowing Macintosh users to tap into a reliable framework of user and
desktop provisioning.
The Macintosh platform uses a recently added Workgroup Manager (WGM) to manage
users, groups, shares (with access permissions), and client preferences. The application
allows administrators to modify accounts (including users, groups, and computer lists),
assign privileges, manage share points, and modify desktop preferences that define the
user experience for clients bound to Apple’s Open Directory domain. WGM requires an
OS X Server as a centralized repository of user information. While being a big step for
Macintosh management, the product pales in comparison with widely recognized
enterprise user provisioning solutions.
Likewise Solution for Mac Desktop Policy Management
The Likewise solution for managing Macintosh desktops allows administrators to store
settings in Active Directory rather than on a Macintosh OS X Server. Besides decreasing
the cost of the solution and offloading AD maintenance to Windows administrators,
Macintosh user settings are now stored in a more robust and scalable directory. Since
storing third‐party data in Active Directory requires either irreversible schema changes
(which may not be agreeable with Windows administrators) or using non‐standard
fields (which is cumbersome), initially non‐Windows vendors were reluctant to store
user credentials in AD. This is where Likewise comes to the rescue. By taking advantage
of RFC 2307, Likewise Enterprise integrates user authentication with Active Directory
(in the same way as Macintosh Active Directory Plug‐In allows Macs to authenticate to
Macintosh OS X Open Directory) offering a mechanism that allows Workgroup Manager
settings to be stored in Active Directory Group Policy Objects. Likewise Enterprise
contains a utility to join Macs to Active Directory, letting them participate in AD‐based
user authentication and in group policy processing. From that point on, administrators
can connect to Active Directory from the Workgroup Manager interface and store
settings in the GPO. From the Windows side, administrators can use GPMC to store and
manage Mac policy settings.
As a result, Likewise Enterprise brings together the advantages of the Macintosh
Workgroup Manager with the robustness and uniform policy management tools of
Active Directory in a seamless and intuitive fashion.
Conclusion and Recommendations
Likewise Enterprise allows for seamless enforcement of group policies from Windows
Active Directory Group Policy Manager across Unix, Linux, and Macintosh platforms. It
does this with Windows GUI‐based policy management interfaces for authentication of
non‐Windows users and applications against Microsoft Active Directory. Additionally,
Likewise Enterprise offers adequate reporting and troubleshooting tools. All of the above,
along with a very affordable per-seat cost, make Likewise Enterprise indispensable for
heterogeneous enterprises that require tight user and policy management.