Date posted: 15-Mar-2018
Integration with Active Directory
Jeremy Allison, Samba Team
Benefits of using Active Directory
Unlike the earlier Microsoft Windows NT 4.x Domain directory service, which used proprietary DCE/RPC calls, Active Directory is based on standard Internet protocols:
LDAPv3 for directory lookup and updates.
Kerberos 5 for authentication (single sign-on).
DNS for name resolution.
The hope was that non-Microsoft implementations of these protocols could be used to serve Windows clients, allowing true competition in providing these services.
Unfortunately this is not the case.
What is Active Directory?
Database back-end store
DHCP server
Kerberos 5 server (KDC)
LDAPv3 server
Dynamic DNS server
Microsoft RPC Domain server
Why must we use an Active Directory server?
Windows clients don't use only the standard protocols to achieve logon services.
Mandatory extra features (such as the PAC authorization data Microsoft adds to Kerberos tickets, and other details) are tied into the Active Directory implementation to enforce vendor lock-in.
The practical result is that if you want to use Windows clients and servers and obtain all the functionality you paid for, you must use a Windows Active Directory server.
IT staff who recommend an Active Directory rollout without making management aware of this ongoing commitment are misleading their executive staff.
Windows clients do not allow replacement of their low-level functionality to ease integration with non-Windows directory servers.
As usual, it is easier to configure non-Windows systems to interoperate with Windows systems than vice versa.
The free release of Microsoft Services for UNIX does help here, although the protocol it uses (NIS) is not as secure as the native Kerberos and LDAP protocols.
Active Directory servers can have their LDAP schema (the formal definition of the format of the data they store) extended to allow them to serve non-Windows clients.
What do we mean by integration with an Active Directory server?
For a non-Windows client to integrate successfully into Active Directory we need two operations to be seamless:
Authentication of Linux/UNIX accounts against Active Directory.
Enumeration of Linux/UNIX user and group directory information stored in an Active Directory store.
For authentication the preferred method is Kerberos 5 (the native Windows 2000 and later authentication method).
Microsoft Services for UNIX, LDAP or MS-RPC can also be used here.
For user and group enumeration LDAP is the preferred method.
Microsoft Services for UNIX and MS-RPC can also be used.
Kerberos authentication integration
Active Directory servers can be Kerberos 5 KDCs for Linux/UNIX clients.
MIT or Heimdal Kerberos servers cannot be complete KDCs for Windows clients because they do not issue the extra PAC data field the clients expect (true when these slides were written; Samba 4 has since shipped a full Active Directory domain controller that does).
MIT or Heimdal KDCs can be set up to trust AD Kerberos servers (cross-realm trust) if the Windows and UNIX user accounts are kept in separate realms.
In a more integrated environment it is probably easier to just use Active Directory Kerberos servers (as Microsoft intended by extending the standard).
Integrating Windows authentication services with Linux/UNIX
Linux/UNIX systems started with local files containing all authentication information.
Since then a standardized plug-in architecture has been developed to allow replacement of authentication validation (user logons) and maintenance (password changing) with many different possible targets:
PAM (Pluggable Authentication Modules), an API invented by Sun and adopted by Linux and other UNIX platforms.
PAM: Pluggable Authentication Modules
[Diagram: an application issues a PAM request to the PAM library, which reads the PAM configuration directory and runs the configured module stack; the result of the application's lookup is returned by the PAM library.]
PAM requests can be for auth, account, password or session functionality.
PAM on Linux/UNIX systems
PAM is a standard on Linux and many UNIX systems (HP-UX, Solaris and others).
Over twenty different PAM modules exist to provide all manner of authentication services.
Three specific modules are of interest for Active Directory integration:
Kerberos: pam_krb5 (http://pam-krb5.sourceforge.net)
LDAP: pam_ldap (http://www.padl.com)
Samba/Microsoft RPC: pam_winbind (http://www.samba.org)
Kerberos: pam_krb5
Takes the user's cleartext password and validates it against a standard Kerberos 5 server (Active Directory adds extra proprietary data, the PAC, to the returned ticket, but the client libraries on Linux/UNIX ignore this data).
Returns a Kerberos 5 Ticket Granting Ticket (TGT) which can be used to get tickets for other services.
The machine should also hold a host key in its keytab so pam_krb5 can verify the TGT it receives; without that check an attacker impersonating the KDC could authenticate as anyone.
Care must be taken to ensure the encryption type used by default by Windows (RC4-HMAC when these slides were written; AES on Windows Server 2008 and later) is available on the Linux/UNIX Kerberos system.
Source code available, Open Source/Free Software.
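The encryption-type check from the slide above, as an added example that is not part of the original deck: a krb5.conf for an AD realm that prefers AES but keeps RC4-HMAC for old domain controllers, and two small shell functions that inspect which enctypes a given krb5.conf requests. The realm EXAMPLE.COM, the host dc1.example.com and the file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original slides: check that a krb5.conf lists
# the encryption types the AD KDC will actually issue, so kinit against AD does
# not fail with "KDC has no support for encryption type". The realm EXAMPLE.COM,
# host dc1.example.com and file paths are constructed for this example.

# Write a sample krb5.conf for an AD realm to the path given as $1.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    # Windows 2000/2003 DCs default to rc4-hmac; 2008 and later issue AES.
    # AES first, rc4-hmac last: no downgrade against new DCs, old DCs still work.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
EOF
}

# enctype_listed FILE KEY ENCTYPE
# Exit 0 if the "KEY = ..." line in FILE names ENCTYPE, 1 otherwise.
enctype_listed() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | grep -qw -- "$3"
}

# first_enctype FILE KEY
# Print the first (most preferred) enctype on the "KEY = ..." line.
first_enctype() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | sed 's/^[^=]*=[[:space:]]*//' | awk '{print $1}'
}

# Stand-alone run: build the sample, report on it, and show the live steps.
main() {
    tmp=$(mktemp)
    write_sample_krb5_conf "$tmp"
    for key in default_tkt_enctypes default_tgs_enctypes permitted_enctypes; do
        if enctype_listed "$tmp" "$key" rc4-hmac; then
            echo "$key: rc4-hmac present for old DCs; preferred type $(first_enctype "$tmp" "$key")"
        else
            echo "$key: rc4-hmac missing; logons against a 2000/2003 DC will fail" >&2
        fi
    done
    rm -f "$tmp"
    # Against a live DC (network required, not run here):
    #   kinit alice@EXAMPLE.COM   # obtains the TGT pam_krb5 would obtain at logon
    #   klist -e                  # shows the enctype the KDC actually used
}

main
```

Point the functions at the real /etc/krb5.conf to audit a host; `klist -e` after a `kinit` is the authoritative check of which enctype the DC actually chose.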
LDAP: pam_ldap
Takes the user's cleartext password and validates it against an LDAP server by attempting to set up an LDAP connection (a simple bind) as the given username/password pair.
Must be set up to use SSL/TLS in order to validate the password securely, since a simple bind otherwise sends it over the network in the clear (pam_krb5 doesn't have this problem: the Kerberos exchange never puts the password on the wire).
Developed by PADL Software, available as Open Source/Free Software.
Samba: pam_winbind
Allows a Linux/UNIX user to authenticate in exactly the same way as if they were logging on to a Microsoft member server in the domain.
Requires a working Samba setup (more details later).
Completely integrates the Linux/UNIX authentication mechanism into the Windows world, identically to a Windows server.
All of Samba is Open Source/Free Software.
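The PAM material above (the four request types, pam_krb5 and the TLS requirement for pam_ldap) as one added example that is not from the original slides: a Linux PAM stack that tries pam_krb5 first and falls back to local accounts, a PADL ldap.conf that forces the pam_ldap simple bind over LDAPS with the server certificate verified, and a check that flags an ldap.conf which would send passwords in the clear. The realm, host, file paths and the uid threshold are assumptions for the example; option names follow the Red Hat pam_krb5 and the PADL pam_ldap/nss_ldap modules.

```shell
#!/bin/sh
# Added example, not part of the original slides: a Linux PAM stack that tries
# Kerberos (pam_krb5) first and falls back to local accounts, plus the ldap.conf
# that pam_ldap/nss_ldap need so the simple bind carrying the password runs over
# TLS. Realm, host, paths and the uid threshold are constructed for the example;
# option names follow the Red Hat pam_krb5 and the PADL pam_ldap/nss_ldap modules.

# PAM stack covering the four request types on the slide: auth, account,
# password and session. Written to the path given as $1.
write_pam_stack() {
    cat > "$1" <<'EOF'
# minimum_uid keeps root and system accounts on local /etc/shadow only
auth        required      pam_env.so
auth        sufficient    pam_krb5.so minimum_uid=1000 try_first_pass
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so minimum_uid=1000
account     required      pam_permit.so

password    requisite     pam_pwquality.so retry=3
password    sufficient    pam_krb5.so minimum_uid=1000 use_authtok
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     required      pam_unix.so
session     optional      pam_krb5.so minimum_uid=1000
EOF
}

# ldap.conf for pam_ldap/nss_ldap against AD: LDAPS, server certificate
# verified, AD logon names read from sAMAccountName rather than uid.
write_ldap_conf() {
    cat > "$1" <<'EOF'
uri ldaps://dc1.example.com/
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/example-root-ca.pem
pam_login_attribute sAMAccountName
nss_base_passwd dc=example,dc=com?sub
nss_map_attribute uid sAMAccountName
EOF
}

# Constructed counter-example: a simple bind over plain ldap:// would carry
# every user's password across the network in the clear.
write_plaintext_ldap_conf() {
    cat > "$1" <<'EOF'
uri ldap://dc1.example.com/
base dc=example,dc=com
ssl no
EOF
}

# pam_stack_uses FILE TYPE MODULE -> 0 if a TYPE line in FILE loads MODULE
pam_stack_uses() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+.*[[:space:]]$3([[:space:]]|$)" "$1"
}

# ldap_conf_protects_password FILE -> 0 if the bind runs over TLS (ldaps:// URI
# or ssl start_tls/on) and certificate checking has not been switched off
ldap_conf_protects_password() {
    grep -Eiq '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+(start_tls|on|yes))' "$1" || return 1
    grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$1" && return 1
    return 0
}

main() {
    dir=$(mktemp -d)
    write_pam_stack "$dir/system-auth"
    write_ldap_conf "$dir/ldap.conf"
    write_plaintext_ldap_conf "$dir/ldap-plain.conf"
    for f in "$dir/ldap.conf" "$dir/ldap-plain.conf"; do
        if ldap_conf_protects_password "$f"; then
            echo "$f: password protected by TLS"
        else
            echo "$f: password would cross the network in the clear" >&2
        fi
    done
    pam_stack_uses "$dir/system-auth" auth pam_deny.so && echo "auth stack ends in pam_deny: no silent pass-through"
    rm -rf "$dir"
}

main
```

The `minimum_uid` option on every pam_krb5 line is the important design choice: root and system accounts never reach the KDC, so a DC outage or a rogue KDC cannot affect local administrative logons.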
Integrating Windows user directory services with Linux/UNIX
Linux/UNIX systems started with only local directory listings (local files) and have since developed standardized plug-in architectures to allow replacement of the directory service with any compatible server (no hidden protocols):
NSS (Name Service Switch).
NSS allows user and group lookup and enumeration to be done via many different directory services. The order in which they are queried can be changed.
The NSS modules that are of interest for Active Directory integration are:
nss_ldap, nss_winbind, nss_nis
NSS: Name Service Switch
[Diagram: an application issues an NSS request to the NSS library (libc), which reads /etc/nsswitch.conf and queries the configured module stack in order: local files lookup, external lookup via NIS, external lookup via winbind; the result of the application's lookup is returned by the NSS library.]
NSS requests can look up a user or group, or enumerate the user or group lists.
LDAP: nss_ldap
Written by PADL Software (as is pam_ldap), this library allows Linux/UNIX systems to look up users and groups stored in an Active Directory server.
The Active Directory schema must have been extended from the standard schema by including either the RFC 2307 schema (written by PADL) or the schema used by Microsoft's Services for UNIX product.
The Linux/UNIX user and group information (POSIX attributes such as uidNumber, gidNumber, homeDirectory and loginShell) must already exist in Active Directory as part of the schema.
This requires some extra administration to add the extra information to the existing Active Directory data.
Samba: nss_winbind
Part of the complete solution provided by Samba (described in detail later).
Does not require any changes to the Active Directory schema.
Does require a working Samba setup and the Linux/UNIX machine to have been added as a member server in the Active Directory domain.
Microsoft Services for UNIX: nss_nis
Does not talk directly to the Active Directory server but to a NIS (Network Information Service) gateway running on a Windows server.
As with nss_ldap, requires additions to the Active Directory schema to add the Linux/UNIX (POSIX) definitions.
Useful for older UNIX installations that will only use the NIS protocols (regarded as insecure on modern UNIX systems).
The NIS protocol was developed by Sun in the 1980s.
Three complete solutions for Active Directory integration
PADL solution
Modify Active Directory with either the RFC 2307 schema definition or the Microsoft Services for UNIX schema.
Install pam_ldap (or alternatively pam_krb5) to handle authentication from the Linux/UNIX systems.
Install nss_ldap to handle directory service enumeration from the Linux/UNIX systems.
Probably the easiest choice for organizations with significant existing Linux/UNIX experience.
Secure, robust solution, but requires work to maintain.
Services for UNIX solution
[Diagram: Windows Active Directory server (modified schema) running the NIS Server service; Linux/UNIX server with NIS PAM and NIS NSS modules; communication over the network uses the NIS protocol.]
Uses the older NIS protocol, an older UNIX standard.
Modern Linux/UNIX systems use either NIS+ (which adds Secure RPC authentication to NIS), LDAP or Kerberos for password verification.
Now that Microsoft has made Services for UNIX available for free, this is a competitive solution.
No source code available, unlike the other solutions.
Good choice if an organization is mainly Windows, with a few older Linux/UNIX machines for which security is not a priority.
Samba winbind solution
[Diagram: Windows Active Directory server (unmodified schema); Linux/UNIX server running the winbind daemon with winbind PAM and winbind NSS modules; communication over the network uses MS-RPC or LDAP.]
Allows a Linux/UNIX machine to completely emulate a Windows member server.
No changes to the Active Directory schema are needed: winbind copes with mapping Windows users and groups (SIDs) to Linux/UNIX users and groups (uids and gids).
Allows Windows clients accessing file and print (Samba) services on the Linux/UNIX server to pass Kerberos 5 tickets to obtain service (as to a Windows file server).
To synchronize user and group mapping between multiple Linux/UNIX servers using winbind, an external LDAP server must be used to hold the mapping (not completely transparent).
Uses the same protocols as Windows servers for enumerating users and groups and checking passwords.
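The winbind solution above, carried through end to end as an added example that is not part of the original slides: the smb.conf for an AD member server, the nsswitch.conf that puts nss_winbind behind local files, the join and verification commands, and a check on the idmap settings that decides whether a user gets the same uid on every server (the synchronization problem the last-but-one bullet raises). The domain EXAMPLE / realm EXAMPLE.COM, the paths and the id ranges are assumptions for the example. The idmap syntax is that of current Samba 4.x rather than the Samba 3.0 of the slides' era, and the example goes beyond the slide in one respect: besides the external LDAP store the slide names, the rid backend gives identical ids on every server purely by computation from the SID, with no shared store at all.

```shell
#!/bin/sh
# Added example, not part of the original slides: the winbind solution on a Linux
# member server end to end: smb.conf, nsswitch.conf, the join and verification
# commands, and a check on the idmap configuration that decides whether uids match
# across servers. Domain EXAMPLE / realm EXAMPLE.COM, paths and id ranges are
# constructed for the example; the idmap syntax is current Samba 4.x (Samba 3.0 of
# the slides' era used a single "idmap backend" line).

# smb.conf for an AD member server, written to the path given as $1.
write_smb_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    # BUILTIN and foreign SIDs: allocated locally, first seen gets the lowest id
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Domain users and groups: uid = range start + RID, identical on every
    # server that carries the same two lines, so no shared LDAP store is needed
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
EOF
}

# nsswitch.conf: files first so root and local service accounts still resolve
# when winbindd is down or the DC is unreachable.
write_nsswitch() {
    cat > "$1" <<'EOF'
passwd:     files winbind
group:      files winbind
shadow:     files
hosts:      files dns
EOF
}

# idmap_backend FILE DOMAIN -> prints DOMAIN's idmap backend (pass '\*' for the default range)
idmap_backend() {
    sed -n -E "s/^[[:space:]]*idmap config[[:space:]]+$2[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p" "$1"
}

# idmap_is_portable FILE DOMAIN -> 0 if the mapping is reproducible on another
# server: rid derives the id from the SID, ad and ldap read it from a shared
# directory. tdb and autorid hand out ids in first-seen order, so two servers
# end up with different uids for the same user (the synchronization problem
# the slide describes).
idmap_is_portable() {
    case "$(idmap_backend "$1" "$2")" in
        rid|ad|ldap) return 0 ;;
        *) return 1 ;;
    esac
}

# rid_to_uid LOW HIGH RID -> the uid idmap_rid assigns (LOW + RID with the
# default base_rid of 0), or failure if it falls outside LOW..HIGH, in which
# case the user gets no uid and cannot log on.
rid_to_uid() {
    uid=$(( $1 + $3 ))
    [ "$uid" -ge "$1" ] && [ "$uid" -le "$2" ] || return 1
    echo "$uid"
}

main() {
    dir=$(mktemp -d)
    write_smb_conf "$dir/smb.conf"
    write_nsswitch "$dir/nsswitch.conf"
    if idmap_is_portable "$dir/smb.conf" EXAMPLE; then
        echo "EXAMPLE uses $(idmap_backend "$dir/smb.conf" EXAMPLE): RID 1105 -> uid $(rid_to_uid 10000 999999 1105) on every server"
    else
        echo "EXAMPLE mapping is allocated locally; uids will differ between servers" >&2
    fi
    rm -rf "$dir"
    # Live steps on the member server (network and domain credentials required, not run here):
    #   install the two files, then join and start winbindd:
    #     net ads join -U Administrator
    #     systemctl start winbind
    #   verify:
    #     wbinfo -t                    # machine trust account check against the DC
    #     wbinfo -u | head             # users enumerated from AD via MS-RPC/LDAP
    #     getent passwd alice          # resolved through nss_winbind, uid from the rid range
    #     wbinfo -a 'alice%Secret123'  # password check through winbindd, as pam_winbind does
}

main
```

Size the rid range to the largest RID the domain will ever allocate: a RID outside the range maps to nothing, and the affected user simply fails to resolve, which looks like a broken join rather than a configuration limit.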
Integrating Samba
[Diagram: a Windows Active Directory server linked by a trust relationship to a Samba domain controller; member servers (a Windows application server and other member servers) belong to the domains.]
Conclusions
Windows Active Directory is a necessary evil if you have large numbers of Windows clients.
The moral of this is: if you're not piloting a desktop Linux program, you're paying too much for your Microsoft client software.
Options are PADL Open Source code, Microsoft Services for UNIX, or Samba to pr