Posted by: ITKE
Administration, interoperability and integration, authentication, identity management, Windows
First, a little background information:
On Monday, SearchEnterpriseLinux.com posted a story on Active Directory and Linux authentication. The story gave a general overview, attempting to lay out some of the more mainstream ways IT pros are using AD to manage identity, authentication and security on their Linux servers. These include the LDAP and Kerberos protocols, Samba 3, and proprietary third-party cross-platform management applications. While there was room to expand on the points made and some areas that could have been articulated better, the article was not intended to be in-depth from a technical point of view. But, as the reporter who filed that story, I can appreciate it when an expert in the field takes the time to email me and explain, politely, that there were a few things that needed clarification.
Yesterday morning Doug Miller, a consultant with Interop Systems Inc., emailed me to point out a few things that could have been explained better in the article. Doug recently wrote a series of tech notes on this very subject, and has worked with Unix, Windows and Linux interoperability topics for several years.
The first point of contention was on Kerberos and LDAP. In the article, our sources described the technology as an expert tool, to be used in academic arenas where the manpower was such that all the tweaking they required would not affect business as usual. It was suggested that experts with these protocols should use them and do things on their own to avoid any uncertainty when it comes time to patch servers since third parties won’t be involved.
But not so fast — Miller explained that we goofed. “Standard Linux Kerberos can be easily used with Active Directory with no changes on either end other than setting up the configuration files on Linux,” he said in an email exchange. For now, it would seem, a correction was in order.
Also in the article, we discussed that Kerberos had some schema issues with Windows, and again more tweaking was necessary. Again, Miller says some clarification is in order:
“Microsoft has supported standard UNIX schema in Active Directory for a number of years via the Services for UNIX product. From Windows Server 2003 R2 and on, UNIX schema is built into Active Directory. UNIX schema information can be accessed via NIS or LDAP from Linux clients. These methods are fully supported by Microsoft.”
Subsequent research at LinuxToday.com, where this article now swings in tatters at the hands of the passionate Linux community, seems to support this point.
Pretty straightforward. There were what appeared to be inaccuracies in the reporting, and a correction was prepared. But wait, there’s even more. CC’d on that same email, and completely missed by my careless eyes, was Gartner analyst John Enck, from whom I had gleaned much of the analysis found in the article.
Enck subsequently responded to Miller’s points about Kerberos and those Unix schemas. First, he reiterated the fact that the Kerberos and LDAP protocols are by no means “easily” implemented by IT managers; that’s why consultancies like Interop Systems exist. Second, AD does support the NIX-mapping schema extensions, but some Unix and Linux distributions require extensions beyond NIS; there is no universal Linux/Unix LDAP schema.
“And as for “fully supported,” do you really think you can call up Microsoft and ask them a question regarding any arbitrary version of Linux or Unix? They aren’t equipped (literally) to support all of the distributions and releases out there,” Enck said.
Later in the day the exchange continued, as Miller — a Windows and Unix expert by trade before he became a consultant — said Windows Server 2003 R2 and Windows Server 2008 are actually now really good infrastructure servers for UNIX/Linux authentication and directory services – even without buying third party software.
“The key point here is on the Windows side, this is all Microsoft supported software in mainline products. On the Linux side, you use standard Linux packages that are included with the standard distributions – no need for downloading new projects and compiling it yourself. This stuff works with out of the box Microsoft and Linux software and it actually works really well. And there are multiple ways to do this depending on what the customer needs,” he said.
On the NIS side, Miller said AD has supported the NIS extensions for several years via Services for UNIX. With the Microsoft Server releases starting with R2, there is now support for both NIS mapping *and* RFC2307 standards-based UNIX-style schema extensions, he said.
“These are built in. I would consider the RFC2307 schema ‘universal Linux/Unix LDAP schema’ as these are the same extensions UNIX-based LDAP servers use e.g. OpenLDAP. They are 100% supported by Microsoft and you can call Microsoft and get support for various scenarios related to accessing the UNIX schema in AD. You are right that they don’t have the ability to support every LDAP scenario related to every possible Linux or UNIX OS but that is a challenge for all software vendors given the number of Linux and UNIX OSes out there,” Miller said.
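The practical question behind the whole exchange is what a Linux client actually reads out of AD once the RFC 2307 attributes are in the directory, and what happens for accounts where nobody has populated them. The following is an added example written for this post, not code from Miller, Enck, Interop Systems or Microsoft. It parses a constructed LDIF dump of the kind an LDAP search against AD's Users container might return, maps the RFC 2307 / AD UNIX-schema attributes (uid, uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) onto passwd(5) lines, and reports the entries that are not yet POSIX-enabled. The example.test domain, the account names, the fallback shell of /bin/sh and the absence of multi-valued or base64 LDIF values are all assumptions made for the sample.

```python
"""Map Active Directory user entries carrying RFC 2307 attributes to passwd(5) lines.

Added example, not part of the original post. The LDIF below is constructed; the
attribute names (uid, uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos)
are the RFC 2307 / AD UNIX-schema attributes a Linux LDAP client reads.
"""
from __future__ import annotations

# Constructed sample: what an LDAP search of an AD container might return once the
# UNIX attributes have been populated for some, but not all, accounts.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
uid: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName: bob
uid: bob
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/bob

dn: CN=Carol Example,CN=Users,DC=example,DC=test
sAMAccountName: carol
"""

# Attributes a passwd(5) line cannot be built without.
POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory")
DEFAULT_SHELL = "/bin/sh"  # assumption: fallback when loginShell is unset


def parse_ldif(text: str) -> list[dict[str, str]]:
    """Parse a minimal single-valued LDIF dump into a list of attribute dicts."""
    entries: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def to_passwd(entry: dict[str, str]) -> str | None:
    """Return a passwd(5) line for an entry, or None if its POSIX attributes are incomplete.

    A missing loginShell falls back to DEFAULT_SHELL; a missing gecos is left empty.
    """
    if any(attr not in entry for attr in POSIX_REQUIRED):
        return None
    uid_num = int(entry["uidNumber"])
    gid_num = int(entry["gidNumber"])
    if uid_num < 0 or gid_num < 0:  # reject nonsensical IDs rather than emit them
        return None
    return ":".join([
        entry["uid"], "x", str(uid_num), str(gid_num),
        entry.get("gecos", ""), entry["unixHomeDirectory"],
        entry.get("loginShell", DEFAULT_SHELL),
    ])


def build_passwd(text: str) -> tuple[list[str], list[str]]:
    """Return (passwd lines, DNs of entries lacking complete RFC 2307 attributes)."""
    lines: list[str] = []
    incomplete: list[str] = []
    for entry in parse_ldif(text):
        line = to_passwd(entry)
        if line is None:
            incomplete.append(entry.get("dn", "<no dn>"))
        else:
            lines.append(line)
    return lines, incomplete


if __name__ == "__main__":
    ok, missing = build_passwd(SAMPLE_LDIF)
    print("\n".join(ok))
    for dn in missing:
        print(f"# no POSIX attributes: {dn}")
```

Running it shows the point both experts circle around: the schema being present in AD is necessary but not sufficient. Alice and Bob resolve cleanly (Bob picks up the fallback shell), while Carol exists in AD but has no UNIX attributes set and would simply not exist to the Linux side. In production this mapping is done by the distribution's own NSS/LDAP or SSSD packages rather than by hand; the value of a small script like this is auditing which accounts are actually POSIX-enabled before relying on them.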
This all leads me to believe that people are still confused on this issue. On two sides of the aisle we had two experts with two entirely different takes on how best to synch up AD with Linux, if that’s the route you’ve decided on for authentication, etc. There was a small patch of common ground or two, but finding that ground as a user is tough, and probably keeps consultants like Miller in business. Ultimately, this means more reporting has to be done, and more calls have to be made — including an upcoming Q&A interview and podcast with Miller to flesh out his thoughts a little more than we could over email.