Linux Windows Integration
Can’t we all just get along?
JD Fogg Technology

Infrastructure Consulting
Security Consulting
Network Engineering
Project Management & Implementation
What is Interoperability?
Application Sharing
Shared Data Resources (ODBC, etc.)
Network Services (DNS, etc.)
File Sharing
Internet Access (ISA issues)
Login “pass-through” / AD integration
Application Sharing
RDesktop & Terminal Services

Network Services
MS-DNS works well
MS-DHCP is integrated with DNS
NTP is native to AD
Split DNS is possible, but complicated
Exchange supports POP3 and IMAP
Outlook / Outlook Express support POP3 and IMAP
MBOX conversion possible
Integrated calendaring is the driver for Exchange adoption
Exchange Public Folders are evil
POP3 connectors in Exchange
Samba and Printing
Internet Access
ISA relies on AD for AAA
Outbound Internet access requires systems and users to be “known”
Exceptions can be made for non-AD machines
File Sharing
Samba – the well-worn path
Browsing AD shares with Samba 3.0
Killing CIFS permissions
*nix-based NAS issues
MS-SUX and NAS tricks
MS-SFU 3.5 (beta)
Dramatic new capabilities, in W2003R2
Identity Management for Unix
MSNFS (client, server & gateway)
Subsystem for Unix Applications (Interix)
Full NIS with AD sync
Tools (awk, grep, sed, tr, cut, tar, cpio)
Permissions translations
Active Directory Integration
If you can’t beat them, join them
Understanding Linux
/etc/passwd, /etc/group

passwd and group
james:x:500:500:Mr. James User:/home/james:/bin/bash

Fields are colon-delimited

Shadow Passwords
World has RO rights to /etc/passwd
Password stored using a simple hash
Many processes read /etc/passwd

Password is replaced in /etc/passwd with a token
/etc/shadow holds encrypted password data with Draconian rights
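As an added example (not part of the original slides), a small Python audit that parses the colon-delimited /etc/passwd format shown above and flags accounts whose password field is not the shadow token "x"; the passwd and shadow entries it reads are constructed samples, not data from a real system.

```python
"""Audit constructed /etc/passwd and /etc/shadow entries for shadowing problems."""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed sample entries (not from the original page or a real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
james:x:500:500:Mr. James User:/home/james:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:501:501:Old style:/home/legacy:/bin/sh
guest::502:502:No password:/home/guest:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$hashhashhash:17000:0:99999:7:::
james:$6$othersalt$anotherhash:17000:0:99999:7:::
svc:!:17000:0:99999:7:::
"""


def parse_passwd(text):
    """Split each passwd line into its seven colon-delimited fields, keyed by user name."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = dict(zip(PASSWD_FIELDS, fields))
    return entries


def audit(passwd_text, shadow_text):
    """Return {user: finding} for accounts whose secret is not properly shadowed."""
    findings = {}
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if l}
    for user, entry in parse_passwd(passwd_text).items():
        token = entry["passwd"]
        if token == "":
            findings[user] = "empty password field: login without a password"
        elif token != "x":
            # A hash here is readable by every process that reads /etc/passwd.
            findings[user] = "hash stored in world-readable /etc/passwd"
        elif user not in shadow:
            findings[user] = "shadow token present but no /etc/shadow entry"
        # Locked entries ("!" or "*" in /etc/shadow) are fine and are not reported.
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{user}: {finding}")
```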
Pluggable Authentication Module
Native to Linux, available for all other *NIX
Allows for a variety of authentication systems to mimic /etc/passwd
Any AAA system with a PAM module can be used
Active Directory PAM modules are available
Active Directory
Hierarchical database of users, resources and rights
AD is standards-based (with a little DNS protocol extension)
Kerberos (authentication), DNS (naming) and LDAP (directory services)
All services accept queries from any host
Extensive resources available (bring aspirin and coffee)

Active Directory & DNS
DNS answers all queries (promiscuous)
DNS zones can be AD-integrated or stand-alone (using a BIND style zone file)
AD domain zone contains AD-specific extensions, must be AD-integrated
MS-DNS doesn’t support BIND 9 Views
MS-DHCP is integrated with DNS
Split DNS or Windows DNS, you choose
Beware zone transfers and updates
Active Directory and Kerberos
MS-Kerberos is standards based
Queries must be from “known” hosts
Kerberos authenticates users and hosts
Kerberos authorizes resource access
Used for domain trusts
Transitive nature extended to other OS’s
Active Directory and LDAP
MS-LDAP is standards compliant
Queries must be from “known” hosts
Resource of “known” hosts for services
Database of systems and resources
Integrated with Kerberos AA and rights management
LDAP is the “glue” of AD
Allows Linux users to use Windows domain resources as though they were native Linux resources 

Samba & Winbind
Winbind extends Samba functionality to integrate AD AAA
Samba 3.08 + MIT Kerberos5 V1.3.1 + OpenLDAP
Winbind authenticates users against AD
Manages passwords, no local accounts

Thank You

-- TedRoche - 06 Dec 2005

Topic revision: r1 - 2005-12-05 - TedRoche
