Forgot your password?
typodupeerror
Communications IT Linux

Linux Authentication Against Active Directory 90

Posted by kdawson
from the likewise-i'm-sure dept.
Bandman writes "For a while now I've been looking for something to integrate my Linux/Mac corporate environment with Windows Active Directory. I was hoping for centralized authentication at best. As I found out, Likewise Software has produced two products, the free Likewise Open and the commercial Likewise Enterprise. Both of them provide much more than just a centralized repository for accounts. I wrote a review of Likewise Open, but I don't have enough experience with Active Directory to really do justice to Likewise Enterprise. If you've been trying to integrate the Linux and Windows worlds, this could be the easiest way to do it."
This discussion has been archived. No new comments can be posted.

Linux Authentication Against Active Directory

Comments Filter:
  • by mweather (1089505) on Friday August 08, 2008 @01:08PM (#24527955)
    It can be yours for two payments of $19.95! When did Slashdot turn into an infomercial?
    • Re: (Score:1, Funny)

      by Anonymous Coward
      I've noticed lots of very advertisement-style articles in the Firehose, if you just search for -story.
    • Roughly around the time of the first Visceral Stupido advert.
  • by X0563511 (793323) on Friday August 08, 2008 @01:14PM (#24528053) Homepage Journal

    Stop with the signed [slashdot.org] tag already!

    • Re: (Score:2, Funny)

      by Anonymous Coward
      You can undo it with the 'designed' tag.
    • Yeah! (Score:1, Funny)

      by Anonymous Coward

      /signed.

  • This is a review? (Score:5, Insightful)

    by QuantumRiff (120817) on Friday August 08, 2008 @01:14PM (#24528065)

    Posting in your blog that you logged in with AD credentials is a review?

    What is the downsides. How does it compare to other authentication systems, such as eDirectory, or Open LDAP? How is it any different from just using Samba, or some of the other tools that have been around for years. My Redhat EL 3 server had the option to authenticate against AD. How is this better? How is it better than using Microsoft's Services For Unix and NIS?

    Does the directory information get carried to the new system? (Profiles, groups, mapped drives, printers, etc) Do you have to designate special groups to allow logging in? There is way more questions that I would like to see answered in a "review".

    What capabilities does the Enterprise edition allow that the basic does not, what is the price, how difficult is it to move a currently running system, and all its users and permissions..

    A blog post from someone that admits they don't know much about AD in the first part of the review doesn't really count does it?

    • Re: (Score:1, Informative)

      by Anonymous Coward

      The general knowledge level about Linux/Windows inter-operability is very low. Try most of the "solutions" you find with Google: Pure SMB, no kerberos, no LDAP, and definitely no centralized administration support. His review might have been bad, but in the land of blind the one eyed is the king.

      I have yet to see one single solution that a) wouldn't fall back into legacy versions of protocols etc, and b) would actually offer most if not all the ad's goodies for Linux administration. Considering those two th

    • by doomicon (5310)

      "How does it compare to other authentication systems, such as eDirectory, or Open LDAP?"

      Speaking of comparison's and Openldap, has a fix been made that will allow Linux workstations authenticating with Openldap to lock their screens, and be able to "unlock" them?

      • by 0racle (667029)
        I believe it's called PAM.
      • by dAzED1 (33635)
        uh, yeah, have never had a problem with that. And by "never" I mean that I've been authing linux systems to AD since...well...many years, can't even remember at the moment. But haven't had this problem. As the other poster pointed out, you probably just don't know how to set up PAM.
        • by doomicon (5310)

          Well I was going to provide a link to the bug, however I didn't bookmark and sifting the thru the results is daunting.

          It's been a few years since I last tried it, will give it a go again :-)

          Thanks for the helpful and friendly responses.

        • by doomicon (5310)

          Dazed, btw not against AD, Specifically Linux workstations authenticating against Openldap on Linux server.

          I'm giving it a go again as we speak. Already have slapd setup, so just editing nsswitch, and pam confs.

          thx again :-)

          • by dAzED1 (33635)
            there are a couple tricks to doing a complete openldap=>AD setup, and despite the years, it hasn't been documented well enough. That being said, drop a post if you still have the problem and I'll tell ya what is causing it.
          • by dAzED1 (33635)
            oops, yeah, forget I said ldap=>AD ;) it doesn't matter what is providing the tree, as it's not a tree problem, it's a pam problem. That, and you're not using AD ;)
    • Re: (Score:3, Informative)

      by Z00L00K (682162)

      I have fiddled around with Windows/Linux integration for central authentication and found that the only alternative TODAY that works acceptable is to use the "Windows Services for Unix [microsoft.com]" (SFU) add-on for Windows Server. And you can download that from Microsoft.

      It is possible to set up Linux as a LDAP server and with Samba as a domain controller for Windows, but currently it's tricky. I haven't done any digging in Samba4 yet, so all my experience is from Samba 3.

      To me it seems like there is a lot of work to b

      • by styrotech (136124)

        I have fiddled around with Windows/Linux integration for central authentication and found that the only alternative TODAY that works acceptable is to use the "Windows Services for Unix [microsoft.com]" (SFU) add-on for Windows Server. And you can download that from Microsoft.

        Just an update - SFU is now built into Windows 2003 R2 and Windows 2008. And the AD schema extensions now use the standard RFC2307 attributes rather than the SFU specific ones.

    • Welcome to Slashdot!

  • but... (Score:5, Informative)

    by jrothwell97 (968062) <`jonathan' `at' `notroswell.com'> on Friday August 08, 2008 @01:22PM (#24528201) Homepage Journal
    Linux, *nix and OS X can already authenticate against AD, with a little effort. OS X does it out of the box.
    • by canuck57 (662392)

      But why authenticate to fragile poorly managed MS-ADCs?

      Why not setup a robust LDAP network on native Linux/UNIX and call it a day. Have 6 continuous years of service up-time on my service. Average per node is a few minutes per year, 9/10 fully planned. Maintenance, I do this part time. Highly automated and linked to HR including bi-directional password sync.

      In fact, it feeds AD. Created in LDAP first, an admin enables AD including email if needed. All data is 100 in sync.

      Aim small, get small. 18000

      • by atamido (1020905)

        Because the tools are excellent, and it's been a very reliable system for quite some time.

    • with a little effort

      yes, force TCP connections in your kerberos conf file. DAMHINT.

  • by dave562 (969951) on Friday August 08, 2008 @01:37PM (#24528487) Journal
    ...for passing through THE most obvious and poorly written advertisements I've ever read here. The summary reads like a template straight out of a Marketing 101 textbook.
    • by Bandman (86149)

      I'm sure it sounded like that, but as someone who has fiddled with trying to get Linux to integrate nicely with Windows (which I know _nothing_ about), I was blown away by how this software worked, and I thought that other people might be able to use it like I did.

      I guess it still qualifies as a slashvertisement, but it wasn't paid for, that's for sure. It just helped me do what I needed, and was painless. I wanted to share it with other people who might be able to use it.

      /submitter

  • If you're just looking to authenticate, it's actually really easy using just kerberos.

    /etc/krb5.conf looks like this:

    [libdefaults]
    default_realm = MYADSERVER

    [realms]
    MYADSERVER = {
    kdc = adserver.mydomain.com
    admin_server = adserver.mydomain.com
    }

    [domain_realm]
    .kerberos.server = MYADSERVER

    Change /etc/nsswitch.conf to have these lines in it:

    passwd: files nis
    shadow: files nis
    group: files nis

    Add the following to /etc/pam.d/system-auth:

    auth sufficient pam_krb5.so use_first_pass

    Bind:

    ki

    • by dino2gnt (1072530)
      Authentication is the easy part. We're in the middle of a Likewise integration right now, and the system management is what sold us on it. Having the ability to apply group policy objects to Linux/UNIX machines, enforce login restrictions, password management, and maintain compliance across both Windows and Linux is very nice, especially in a large environment. Being able to do it all from one MMC is gravy.
    • by Frankie70 (803801)

      as LDAP has serious security issues when authing against AD.

      Please elaborate.

    • by Bandman (86149)

      If I 'd have seen your instructions a week ago, I might not have submitted this article, since I probably wouldn't have needed the software, but honestly, if I had a choice between making those system changes and installing the open version of the software, the software is literally painless and instant. I'm really glad I found it

  • Likewise software. (Score:5, Informative)

    by atomic-penguin (100835) <wolfe21 AT marshall DOT edu> on Friday August 08, 2008 @01:45PM (#24528653) Homepage Journal

    My $boss looked at this likewise software a while back, he didn't buy into it. He started listing off the features, and what all you could do with it. After he was done, I politely said, "Yeah we are doing all of that with our stock RHEL+Samba 3 systems, just fine. There's really no need to buy Kerberos+LDAP+Samba support from another vendor, that is why we pay Red Hat."

    After I looked at their site, the only new value I have seen from this product is the graphical management console. On the other hand, I can use the compmgmt MMC snap-in to manage a properly configured Samba 3 server just fine.

    • by Gazzonyx (982402) on Friday August 08, 2008 @03:43PM (#24530685)
      You know Likewises' primary developer is Gerry Carter of the Samba project, as well as the author of OReilly's LDAP Administration, right?.

      It's just like buying Red Hat support; you get the backing of a company that employs the people who are developers for that project. With Red Hat you get a bunch of kernel developers and Andrew Barlette (another key Samba developer). You can't get better support for your money than support from key developers. Also, it enables the developers to work on open source projects as a day job, too.

      • No, I was not aware of the relation between Samba developers and Likewise Software. But then again, I am having a difficult time finding reference to the Samba project on Likewise' website [likewisesoftware.com].

        Just to clarify, I am not against supporting Open Source developers with monetary incentives. I just wanted to point out that 99% of the Likewise solution, does in fact, come from the Samba project. For whatever reason, Likewise is not really advertising the fact that what they are selling is Samba support.

        Personally,

        • by Bandman (86149)

          I agree with you that it's not in your best interest to pay for likewise, since, as you said, you get the same thing from RedHat.

          Those of us who use CentOS, Ubuntu, MacOS, etc etc, find the additions useful. I'm trying to drum up support for buying likewise enterprise for my company.

  • It has been mentioned that it can be done with a little configuration of pam, ldap clients and kerberos. But for a company without some Linux expertise, I've found Centrify to be an excellent solution at a reasonable cost. But I'm not going to submit a bogus review and sales pitch.
    • by Enry (630)

      Even for experienced Linux admins, Centrify is really nice. We use it to provide authentication for our cluster.

  • AD support has been available for linux for years.

    Hell - Suse has it built right into Yast now. PAM/Kerberos, LDAP, everything.

    Setting it up on a vanilla distro is as easy as installing the kerberos libs, krb5, ntp (to keep time sync'd with the DC's time), samba, and winbind. Make sure you can resolve the DC via DNS, and you're good to go.

    $50 per workstation license for this software? Hmmm...

  • You can integrate any two OSs with minimal pain provided neither of them is made by M$.
  • You can authenticate from a linux machine to AD using the MIT kerberos client. There are plenty of HOWTOs about how to configure that. Plus you have SSO for webapps, databases, ssh and about anything you can think of. And on top of that, the identity of the user is propagated to all the machines you Single Sign In with forwardable tickets, and though the tiers of mult-tier applications (Frontend -> Middletier -> Database - every tier knows who the user is). Kerberos is definitively the way to go in an

  • One would think that "The easiest way to do it" would be to install Winbind [samba.org], LDAP [yolinux.com] or Kerberos [scottlowe.org] and use those to authenticate against AD.

    The advantage here is that you're dealing with free software, included and supported by default in most Linux-based operating systems, and in many cases integrated so tightly that you only need to run one command and tick a few check boxes to make it work.

    What does this third party solution add to that besides the $250 per seat price tag?

    • The word "supported" actually meaning something?

      • by Minwee (522556)

        Yes, but "We give you a telephone number where you can wait on hold before being transferred to a call centre run by the company which bought the company which bought the company which made this product where all of the people you will speak to only know how to support our new competing product which we would really rather you buy instead of continuing to use what you already have and if you don't like it you can go screw yourself" isn't always what I want "supported" to mean.

        I prefer that "supported" mean

  • I found the best method is to install kerberos, nss ldap client on linux, then install R2 AD extensions on Windows 2003.

    The reason i dont like the likewise solution, is it assigns a random UID, vs being able to move from station to station with the same one.

  • Heh. Here at my work, we're using something called Vintela. Interesting that it hasn't been mentioned at all here.

    I asked, "why are we spending all this money on Vintela when I can set up AD integration with Linux' native tools?" and the answer was "because we've already paid for Vintela."

    Since the Big Boss is an avid golfer, I'd be willing to make a small bet that the Vintela salesman is too....

    It isn't a "bad" product -- at least it actually works. But their advertising really offends me (in which M$ K

  • Linbox had several packages to add to a debian to turn it a easy to manage ldap/AD system... they were aquired by mandriva, but IIRC, you can still install in in other OS other than mandriva

    http://mds.mandriva.org/ [mandriva.org]

    take a look over it, it cant replace all AD, but if you dont need group policies and only want a central pointo to authenticate windows and mac/linux systems, check it out

  • The SADMS [sourceforge.net] utility is a good alternative that uses WINBIND and makes it point and click easy. Winbind doesn't scale well due to a lack of centralized posix-SSID mapping, but it is quick and easy for just a couple of servers or laptops.
  • What i always find, when doing a security test against an AD network...

    If you root the DC, the network is completely owned...
    If you root a workstation you can usually get access to the DC from it, hijack a logged in user, crack cached passwords or keylog as someone logs in (and then break something so an admin has to log in).
    If you get the password hashes, they will usually be Lanman and NTLM... Lanman is laughably weak and trivially cracked, NTLM is better but still much weaker than the encryption used on

Machines certainly can solve problems, store information, correlate, and play games -- but not with pleasure. -- Leo Rosten

Working...