Linux Authentication Against Active Directory

Bandman writes "For a while now I've been looking for something to integrate my Linux/Mac corporate environment with Windows Active Directory. I was hoping for centralized authentication at best. As I found out, Likewise Software has produced two products, the free Likewise Open and the commercial Likewise Enterprise. Both of them provide much more than just a centralized repository for accounts. I wrote a review of Likewise Open, but I don't have enough experience with Active Directory to really do justice to Likewise Enterprise. If you've been trying to integrate the Linux and Windows worlds, this could be the easiest way to do it."

And if you act now...

[mweather]

It can be yours for two payments of $19.95! When did Slashdot turn into an infomercial?

Re:

[Anonymous Coward]

I've noticed lots of very advertisement-style articles in the Firehose, if you just search for -story.

Re:

[smittyoneeach]

Roughly around the time of the first Visceral Stupido advert.

Re:

[PC and Sony Fanboy]

It isn't about teaching people to learn alternate operating systems - that is fine if you're running a home server, and want to force your mom to use something other than vista - but it is a really bad strategy when you're trying to do it for business.

If you went to a car dealership, and you wanted to buy an automatic, what would you do if the salesman said 'Oh, get a stick shift, you've got much more control'? - and then he refused to sell you a car with an automatic transmission?

Re:

[AvitarX]

Thank him for the money savings, in purchase price, fuel, and repair cost?

Re:

[BlackSnake112]

Fuel cost maybe (depends on how you drive) but repair costs? I have put over 200,000 miles on my v6 auto engine and transmission. The trans is electronic. Other then getting the trans fluid changed every 30,000-40,000 miles it has not cost me anything. No repairs no issues. If it is was a stick, I would have gone through a few clutches (at least) by now along with getting the fluid changed. Actually the engine hasn't been too bad either, besides plugs and wires at 104,000 and just last month, I have but in

Re:

[Trogre]

You would be correct, except we're talking manual transmission over automatic, not 2-wheel drive over 4WD.

Thanks for playing.

Re:Linux authenication aganist....can not connect

[QuantumRiff]

Ever work in a large environment? Its much easier to have one point of authentication and configuration. Do you want to deal with managing users (change passwords, disabled accounts, etc) on 8 different systems? I sure don't. Things will get forgotten, and accounts that should be disabled will not be.

You obviously haven't used AD very much, because it is not just an authentication system. It ensures policies (drive mappings, configurations, proxy settings, MS office behaviour and defaults, security standards, etc), deploys software and printers to users and computers

Re:Linux authenication aganist....can not connect

[ratboy666]

"...it is not just an authentication system. It ensures policies (drive mappings, configurations, proxy settings, MS office behaviour and defaults, security standards, etc), deploys software and printers to users and computers"

Of what use is this in anything other than a Microsoft Environment?

How does AD "deploy software and printers" to anything that isn't a Microsoft Environment? And why would you even want it to?

So, from a network viewpoint, AD is just an authentication system. The rest is worthless in a heterogeneous environment.

[Proxy settings are useful].

Re:Linux authenication aganist....can not connect

[hmar]

That's not really the point. Making a switch over to Linux can be done gradually if your Linux computers can play in AD. And it is not worthless, when 90% of your systems are MS, why have a second authentication server for the other 10%? Why not use what you can with Linux? It doesn't mean that those Windows computers can't take advantage of Active directory.

Re:

[ratboy666]

It isn't Linux that I am concerned with. It's the entire datacenter.

I work with Solaris. We sell expertise. Used to be, our network was fine - no issues. Then, we had a merger. All of a sudden, the IT dept has to support Windows. What happens?

AD is deployed. This makes Windows happy happy. Not so happy on the Unix front. MS DHCP isn't quite right -- insists on resolv.conf entries that won't work. I can type machine.whole.damn.domain, works. Of course, if I could *use* AD, I would be only typing "machine". A

Re:

[Bandman]

I'm late to the party, but from the documentation I've read (~300 pages so far), all of these policies, printers, etc are able to be added to linux machines using Likewise Enterprise. It' essentially extends the management environment to Unix machines

Re:

[buchanmilne]

Ever work in a large environment? Its much easier to have one point of authentication and configuration. Do you want to deal with managing users (change passwords, disabled accounts, etc) on 8 different systems? I sure don't. Things will get forgotten, and accounts that should be disabled will not be.

Sure, but AD isn't the only solution to that, and Kerberos+LDAP+Samba (as the parent poster is using) is an adequate solution (and may be a superior one if you have more Unix to worry about than Windows).

Re:

[Anonymous Coward]

Unfortunately in the corporate world, most applications only work in windows. I know this may be a suprise, but please try to get over it quickly.

Plus, AD gives you nice full bodied windows management (GPO's, etc). Once again, many apps only run on windows, and don't do nicely on wine/cedega/winex. If you're running a vm of a machine to run these apps, it may be in your interest to connect them to a domain to manage them, hello AD!

For those out there who don't believe AD is not LDAP compatible, I've

Re:

[afidel]

Actually, AD is an X.500 directory that has LDAP added on. There was recently a thread on the history of AD over at Activedir and there was a post by the lead designer in this [activedir.org] thread (look for the post by DonH).

Re:

[wrfelts]

I was working on NDS when it first came out and AD when it first came out as well. AD was never an x.500 "compliant" directory. It was shoe-horned into semi-compliance. It still suffers from a lot of organizational and management problems because of this. That's not to say that the x.500 (actually x.509) is the best mechanism for organizational object management to begin with. The design suffers from huge limitations.

As of v4.11 of Novell's NDS (now eDirectory), NDS was a far superior system for man

Re:

[Trigun]

Authenticating to a Linux LDAP server is nice for central authentication, but it misses out one of the A's completely, and does a shit job on the remaining one.

Authentication - Easy to do against LDAP.
Authorization - Nope, not there, unless you're going to run Kerberos as well. Then you run into compatibility issues and integration nightmares.

Accounting - Horrible. Almost as unusable as the Event log.

Plus, you don't get any of the nice features of AD. Group policy is great for managing lots of computers

Re:

[raddan]

I hate to break it to you, but LDAP is not a directory system. It is a directory protocol. AD provides an LDAP interface. So your directory system can be structured and provide storage in the backend pretty much any way you want. Microsoft, for instance, uses Jet for storing their data, and X.500 for structuring it. But if you wanted to build your directory using post-it notes and robot, then fine, as long as you provide an LDAP interface, you're an LDAP directory.

AD *can* store any arbitrary inform

Re:

[Trigun]

I hate to break it to you, but LDAP is not a directory system. It is a directory protocol. AD provides an LDAP interface. So your directory system can be structured and provide storage in the backend pretty much any way you want. Microsoft, for instance, uses Jet for storing their data, and X.500 for structuring it. But if you wanted to build your directory using post-it notes and robot, then fine, as long as you provide an LDAP interface, you're an LDAP directory.

I could build it out of unicorn farts, I'm not arguing that. The fact remains that any of the Linux LDAP implementations are Directory Servers.

AD *can* store any arbitrary information with schema additions. So if you can query LDAP on the Linux side for window manager policy, and you can come up with a schema that represents that policy, go ahead, store it in AD. Mac people have been doing this for years, although Apple would prefer that you use their Open Directory system.

Again, I'm not disagreeing with you.

Also-- AD uses Kerberos. How do I know? Because I have Linux machines (MIT Kerb), OpenBSD machines (Heimdal), and Macs (MIT/Apple Kerb) all authenticating against our AD. There are some little oddities here are there (your machines have to support Microsoft's cipher-- which I believe is now installed by default on all recent Kerberos distributions), but in general, it works surprisingly well. For me, on Linux machines, the trick was learning the ins and outs of PAM and winbind. After that, it was easy.

And I'm sure that AD uses Kerberos as well. I've got stacks of books about it, traffic dumps, whatever you need. I've got more proof that AD uses Kerberos than people have that the moon landing was fake.

Anyway, if you're expecting LDAP to provide authentication, you're mistaken about the purpose of LDAP. Think of it as a fancy phone book. What you need are a lock and key. Also-- accounting? For that, you want a piece of logging software. Microsoft supplies all of these things neatly packaged together, and if you don't want to bother with the details, then it's a decent choice. But don't confuse the two, because LDAP only provides a subset of the services that AD does. Complaining that LDAP does a "shit job" at authentication and accounting is like complaining that your tires do a "shit job" of steering. Well, duh.

This is where I disagree with you. LDAP does a wonderful job of authentication. I know that it's not actually doing the authen

Re:

[g1zmo]

an LDAP backend to an authentication system

You used that phrase several times so I'm quite sure it's what you meant to say, but it's completely nonsensical. How can you have a Lightweight Directory Access Protocol backend? It's like saying your website has a TCP/IP backend.

Re:

[Trigun]

Authentication - Are you who you say you are?
Authorization - Do you have access to this resource?
Accounting - What did you do while you were connected to that resource.

Kerberos is usually tied in with the network file permissions, as well as single sign-on. If you start browsing windows shares in a domain from linux, you will have to supply credentials for each share each time you connect, then access is based off of those credentials. You can sign on using any valid username password combination. Using

Re:

[buchanmilne]

Authentication - Easy to do against LDAP.

Except you should be doing it against Kerberos ...

Authorization - Nope, not there, unless you're going to run Kerberos as well.

Actually, LDAP *should* be used for authorization, and can be quite easily, with or without Kerberos ...

Then you run into compatibility issues and integration nightmares.

Actually, my Heimdal KDCs integrate with my OpenLDAP server quite nicely, storing all their information in the directory server (in the same entries used for LDAP authorizati

Re:

[19thNervousBreakdown]

No kidding, I've been doing this for, oh, three to four years using nothing but pam-krb5 and nss-ldap. Slashvertisement of the worst kind. The "review" is nothing of the sort, just, "hey, want AD integration? Use this!"

Re:

[Omega996]

do you have your krb5/pam/nss mashup set up to allow you to do single sign-on against an Active Directory?

I think the big thing that likewise tries to promote with their product is that it's a one-stop configuration for a variety of UNIX and UNIX-like operating systems.

I know it's possible to set up linux machines to do SSO against AD with krb5 and pam and everything else, but it's not exactly an easy process. with likewise, it's a really quick process to join an existing AD.

i've used the likewise thing - i

enough with the lame tag!

[X0563511]

Stop with the signed [slashdot.org] tag already!

Re:

[Anonymous Coward]

You can undo it with the 'designed' tag.

Yeah!

[Anonymous Coward]

/signed.

This is a review?

[QuantumRiff]

Posting in your blog that you logged in with AD credentials is a review?

What is the downsides. How does it compare to other authentication systems, such as eDirectory, or Open LDAP? How is it any different from just using Samba, or some of the other tools that have been around for years. My Redhat EL 3 server had the option to authenticate against AD. How is this better? How is it better than using Microsoft's Services For Unix and NIS?

Does the directory information get carried to the new system? (Profiles, groups, mapped drives, printers, etc) Do you have to designate special groups to allow logging in? There is way more questions that I would like to see answered in a "review".

What capabilities does the Enterprise edition allow that the basic does not, what is the price, how difficult is it to move a currently running system, and all its users and permissions..

A blog post from someone that admits they don't know much about AD in the first part of the review doesn't really count does it?

Re:

[Svenne]

Nothing. It is using Samba.

Re:

[faclonX]

Samba isn't AD support, it uses the old method of logging in that was used with NT4, the name currently escapes my memory.

Re:

[Trigun]

NTLM or NT LanMan

Re:This is a review?

[atomic-penguin]

Samba isn't AD support, it uses the old method of logging in that was used with NT4, the name currently escapes my memory.

Samba does work with AD. But there is more than one technology that makes up the whole of AD (LDAP, Kerberos, DCE-RPC/MSRPC).

1. pam_krb5 can do Kerberos authentication against your AD/Kerb. realm (not part of Samba, but usually part of the system as a whole)
2. winbindd talks MSRPC for Samba 3. Some, but not all features are available and it can talk Win 2k native RPC (Active Directory). Samba can even resolve usernames over RPC this way, much the same way a domain "member server" works. Try looking at what you can do with the 'net ads' command sometime.
3. As an alternative to winbindd, you can resolve user information through LDAP. It helps to have Unix schema extensions installed in your AD for certain things. However, Samba can template an account and create a pseudo /etc/passwd entry. Even if that Unix schema is not in place, the account just has to exist in AD.

I believe the NT technology you are referring to may be NTLM or LanManager.

Re:

[wmac]

A few years ago i tried to do this. However every few days the time between samba and Active Directory would go out of sync and everything would stop. Permissions on samba would not work with some software (e.g. older FAT based software because of strange date maintenance...) At the end I gave up and obtained a NAS for the company (which was also based on Samba + a web interface etc) and even this one had the time sync problem (even though we had set time sync with AD on it). At the end the NAS company w

Re:This is a review?

[Jeremy Allison - Sam]

You're talking about a Samba PDC. That uses old NT4 technology, not AD. But as a member server we support AD completely. In fact the current Likewise code is based off winbindd (part of Samba).
Jerry Carter, one of our release managers works for Likewise and supports it. It's open source too (at least the low end version is).

Jeremy.

Re:

[Bandman]

While I don't know if they've hired a PR company, I can assure you that my blog entry isn't astroturf. I'm just a guy who finally found a completely painless way to get this done, and I've been trying for a long time. No astroturf here, I promise, In fact I'd never even heard of the software till I saw a submission on reddit the other day. It just worked so damned flawlessly and immediately that I thought I should tell other people about it.

Re:

[Anonymous Coward]

The general knowledge level about Linux/Windows inter-operability is very low. Try most of the "solutions" you find with Google: Pure SMB, no kerberos, no LDAP, and definitely no centralized administration support. His review might have been bad, but in the land of blind the one eyed is the king.

I have yet to see one single solution that a) wouldn't fall back into legacy versions of protocols etc, and b) would actually offer most if not all the ad's goodies for Linux administration. Considering those two th

Re:

[doomicon]

"How does it compare to other authentication systems, such as eDirectory, or Open LDAP?"

Speaking of comparison's and Openldap, has a fix been made that will allow Linux workstations authenticating with Openldap to lock their screens, and be able to "unlock" them?

Re:

[0racle]

I believe it's called PAM.

Re:

[dAzED1]

uh, yeah, have never had a problem with that. And by "never" I mean that I've been authing linux systems to AD since...well...many years, can't even remember at the moment. But haven't had this problem. As the other poster pointed out, you probably just don't know how to set up PAM.

Re:

[doomicon]

Well I was going to provide a link to the bug, however I didn't bookmark and sifting the thru the results is daunting.

It's been a few years since I last tried it, will give it a go again :-)

Thanks for the helpful and friendly responses.

Re:

[doomicon]

Dazed, btw not against AD, Specifically Linux workstations authenticating against Openldap on Linux server.

I'm giving it a go again as we speak. Already have slapd setup, so just editing nsswitch, and pam confs.

thx again :-)

Re:

[dAzED1]

there are a couple tricks to doing a complete openldap=>AD setup, and despite the years, it hasn't been documented well enough. That being said, drop a post if you still have the problem and I'll tell ya what is causing it.

Re:

[dAzED1]

oops, yeah, forget I said ldap=>AD ;) it doesn't matter what is providing the tree, as it's not a tree problem, it's a pam problem. That, and you're not using AD ;)

Re:

[Z00L00K]

I have fiddled around with Windows/Linux integration for central authentication and found that the only alternative TODAY that works acceptable is to use the "Windows Services for Unix [microsoft.com]" (SFU) add-on for Windows Server. And you can download that from Microsoft.

It is possible to set up Linux as a LDAP server and with Samba as a domain controller for Windows, but currently it's tricky. I haven't done any digging in Samba4 yet, so all my experience is from Samba 3.

To me it seems like there is a lot of work to b

Re:

[styrotech]

I have fiddled around with Windows/Linux integration for central authentication and found that the only alternative TODAY that works acceptable is to use the "Windows Services for Unix [microsoft.com]" (SFU) add-on for Windows Server. And you can download that from Microsoft.

Just an update - SFU is now built into Windows 2003 R2 and Windows 2008. And the AD schema extensions now use the standard RFC2307 attributes rather than the SFU specific ones.

Re:

[Matt Perry]

Welcome to Slashdot!

but...

[jrothwell97]

Linux, *nix and OS X can already authenticate against AD, with a little effort. OS X does it out of the box.

Re:

[canuck57]

But why authenticate to fragile poorly managed MS-ADCs?

Why not setup a robust LDAP network on native Linux/UNIX and call it a day. Have 6 continuous years of service up-time on my service. Average per node is a few minutes per year, 9/10 fully planned. Maintenance, I do this part time. Highly automated and linked to HR including bi-directional password sync.

In fact, it feeds AD. Created in LDAP first, an admin enables AD including email if needed. All data is 100 in sync.

Aim small, get small. 18000

Re:

[atamido]

Because the tools are excellent, and it's been a very reliable system for quite some time.

Re:

[bill_mcgonigle]

with a little effort

yes, force TCP connections in your kerberos conf file. DAMHINT.

I hope the editors got paid...

[dave562]

...for passing through THE most obvious and poorly written advertisements I've ever read here. The summary reads like a template straight out of a Marketing 101 textbook.

Re:

[Bandman]

I'm sure it sounded like that, but as someone who has fiddled with trying to get Linux to integrate nicely with Windows (which I know _nothing_ about), I was blown away by how this software worked, and I thought that other people might be able to use it like I did.

I guess it still qualifies as a slashvertisement, but it wasn't paid for, that's for sure. It just helped me do what I needed, and was painless. I wanted to share it with other people who might be able to use it.

/submitter

It's not that hard

[lgbr]

If you're just looking to authenticate, it's actually really easy using just kerberos.

/etc/krb5.conf looks like this:

[libdefaults]
default_realm = MYADSERVER

[realms]
MYADSERVER = {
kdc = adserver.mydomain.com
admin_server = adserver.mydomain.com
}

[domain_realm]
.kerberos.server = MYADSERVER

Change /etc/nsswitch.conf to have these lines in it:

passwd: files nis
shadow: files nis
group: files nis

Add the following to /etc/pam.d/system-auth:

auth sufficient pam_krb5.so use_first_pass

Bind:

ki

Re:

[dino2gnt]

Authentication is the easy part. We're in the middle of a Likewise integration right now, and the system management is what sold us on it. Having the ability to apply group policy objects to Linux/UNIX machines, enforce login restrictions, password management, and maintain compliance across both Windows and Linux is very nice, especially in a large environment. Being able to do it all from one MMC is gravy.

Re:

[Frankie70]

as LDAP has serious security issues when authing against AD.

Please elaborate.

Re:

[Bandman]

If I 'd have seen your instructions a week ago, I might not have submitted this article, since I probably wouldn't have needed the software, but honestly, if I had a choice between making those system changes and installing the open version of the software, the software is literally painless and instant. I'm really glad I found it

Likewise software.

[atomic-penguin]

My $boss looked at this likewise software a while back, he didn't buy into it. He started listing off the features, and what all you could do with it. After he was done, I politely said, "Yeah we are doing all of that with our stock RHEL+Samba 3 systems, just fine. There's really no need to buy Kerberos+LDAP+Samba support from another vendor, that is why we pay Red Hat."

After I looked at their site, the only new value I have seen from this product is the graphical management console. On the other hand, I can use the compmgmt MMC snap-in to manage a properly configured Samba 3 server just fine.

Re:Likewise software.

[Gazzonyx]

You know Likewises' primary developer is Gerry Carter of the Samba project, as well as the author of OReilly's LDAP Administration, right?.

It's just like buying Red Hat support; you get the backing of a company that employs the people who are developers for that project. With Red Hat you get a bunch of kernel developers and Andrew Barlette (another key Samba developer). You can't get better support for your money than support from key developers. Also, it enables the developers to work on open source projects as a day job, too.

Re:

[atomic-penguin]

No, I was not aware of the relation between Samba developers and Likewise Software. But then again, I am having a difficult time finding reference to the Samba project on Likewise' website [likewisesoftware.com].

Just to clarify, I am not against supporting Open Source developers with monetary incentives. I just wanted to point out that 99% of the Likewise solution, does in fact, come from the Samba project. For whatever reason, Likewise is not really advertising the fact that what they are selling is Samba support.

Personally,

Re:

[Bandman]

I agree with you that it's not in your best interest to pay for likewise, since, as you said, you get the same thing from RedHat.

Those of us who use CentOS, Ubuntu, MacOS, etc etc, find the additions useful. I'm trying to drum up support for buying likewise enterprise for my company.

Bogus Review and Sales Pitch

[xzvf]

It has been mentioned that it can be done with a little configuration of pam, ldap clients and kerberos. But for a company without some Linux expertise, I've found Centrify to be an excellent solution at a reasonable cost. But I'm not going to submit a bogus review and sales pitch.

Re:

[Enry]

Even for experienced Linux admins, Centrify is really nice. We use it to provide authentication for our cluster.

Why would someone pay for this?

[kwabbles]

AD support has been available for linux for years.

Hell - Suse has it built right into Yast now. PAM/Kerberos, LDAP, everything.

Setting it up on a vanilla distro is as easy as installing the kerberos libs, krb5, ntp (to keep time sync'd with the DC's time), samba, and winbind. Make sure you can resolve the DC via DNS, and you're good to go.

$50 per workstation license for this software? Hmmm...

You can't integrate Windows with a non-M$ OS

[BhaKi]

You can integrate any two OSs with minimal pain provided neither of them is made by M$.

kerberos works great

[Simon (S2)]

You can authenticate from a linux machine to AD using the MIT kerberos client. There are plenty of HOWTOs about how to configure that. Plus you have SSO for webapps, databases, ssh and about anything you can think of. And on top of that, the identity of the user is propagated to all the machines you Single Sign In with forwardable tickets, and though the tiers of mult-tier applications (Frontend -> Middletier -> Database - every tier knows who the user is). Kerberos is definitively the way to go in an

The easiest what?

[Minwee]

One would think that "The easiest way to do it" would be to install Winbind [samba.org], LDAP [yolinux.com] or Kerberos [scottlowe.org] and use those to authenticate against AD.

The advantage here is that you're dealing with free software, included and supported by default in most Linux-based operating systems, and in many cases integrated so tightly that you only need to run one command and tick a few check boxes to make it work.

What does this third party solution add to that besides the $250 per seat price tag?

Re:

[Lord Bitman]

The word "supported" actually meaning something?

Re:

[Minwee]

Yes, but "We give you a telephone number where you can wait on hold before being transferred to a call centre run by the company which bought the company which bought the company which made this product where all of the people you will speak to only know how to support our new competing product which we would really rather you buy instead of continuing to use what you already have and if you don't like it you can go screw yourself" isn't always what I want "supported" to mean.

I prefer that "supported" mean

nss ldap client

[gblfxt]

I found the best method is to install kerberos, nss ldap client on linux, then install R2 AD extensions on Windows 2003.

The reason i dont like the likewise solution, is it assigns a random UID, vs being able to move from station to station with the same one.

If you REALLY want to waste money...

[Mr. Firewall]

Heh. Here at my work, we're using something called Vintela. Interesting that it hasn't been mentioned at all here.

I asked, "why are we spending all this money on Vintela when I can set up AD integration with Linux' native tools?" and the answer was "because we've already paid for Vintela."

Since the Big Boss is an avid golfer, I'd be willing to make a small bet that the Vintela salesman is too....

It isn't a "bad" product -- at least it actually works. But their advertising really offends me (in which M$ K

linbox/mandriva MDS

[higuita]

Linbox had several packages to add to a debian to turn it a easy to manage ldap/AD system... they were aquired by mandriva, but IIRC, you can still install in in other OS other than mandriva

http://mds.mandriva.org/ [mandriva.org]

take a look over it, it cant replace all AD, but if you dont need group policies and only want a central pointo to authenticate windows and mac/linux systems, check it out

SADMS is another good alternative

[calmond]

The SADMS [sourceforge.net] utility is a good alternative that uses WINBIND and makes it point and click easy. Winbind doesn't scale well due to a lack of centralized posix-SSID mapping, but it is quick and easy for just a couple of servers or laptops.

Security...

[Bert64]

What i always find, when doing a security test against an AD network...

If you root the DC, the network is completely owned...
If you root a workstation you can usually get access to the DC from it, hijack a logged in user, crack cached passwords or keylog as someone logs in (and then break something so an admin has to log in).
If you get the password hashes, they will usually be Lanman and NTLM... Lanman is laughably weak and trivially cracked, NTLM is better but still much weaker than the encryption used on