Difference Topic WindowsLinuxInterOpDec2005 (r1.2 - 06 Dec 2005 - TedRoche)

META TOPICPARENT WebHome
Presented by James Fogg to the Central LUG on 5 Dec 2005

Linux Windows Integration: Can’t we all just get along?

JD Fogg Technology

  • Infrastructure Consulting
  • Security Consulting
  • Network Engineering
  • Project Management & Implementation

What is Interoperability?

  • Application Sharing
  • Shared Data Resources (ODBC, etc.)
  • Network Services (DNS, etc.)
  • Mail
  • Printing
  • File Sharing
  • Internet Access (ISA issues)
  • Login “pass-through” / AD integration

Application Sharing

  • RDesktop & Terminal Services
  • VNC
  • X-Windows
  • Cygwin

Network Services

  • MS-DNS works well
  • MS-DHCP is integrated with DNS
  • NTP is native to AD
  • Split DNS is possible, but complicated

Mail

  • Exchange supports POP3 and IMAP
  • Outlook / Outlook Express support POP3 and IMAP
  • MBOX conversion possible
  • Integrated calendaring is the driver for Exchange adoption
  • Exchange Public Folders are evil
  • POP3 connectors in Exchange

Printing

  • Samba and Printing
  • CUPS

Internet Access

  • ISA relies on AD for AAA
  • Outbound Internet access requires systems and users to be “known”
  • Exceptions can be made for non-AD machines

File Sharing

  • Samba – the well worn path
  • Browsing AD shares with Samba 3.0
  • Killing CIFS permissions
  • *nix-based NAS issues
  • MS-SUX and NAS tricks

MS-SFU 3.5 (beta)

  • Dramatic new capabilities in W2003R2
  • Identity Management for Unix
  • MSNFS (client, server & gateway)
  • Subsystem for Unix Applications (Interix)
  • Full NIS with AD sync
  • Tools (awk, grep, sed, tr, cut, tar, cpio)
  • Permissions translations

Active Directory Integration: If you can’t beat them, join them

Understanding Linux

  • Authentication
  • /etc/passwd, /etc/group
  • /etc/shadow
  • PAM

passwd and group

  • james:x:500:500:Mr. James User:/home/james:/bin/bash
  • Fields are colon-delimited: uname:pword:userid:groupid:name:homedirectory:shell

Shadow Passwords

  • World has RO rights to /etc/passwd
  • Password stored using a simple hash
  • Many processes read /etc/passwd
  • Password is replaced in /etc/passwd with a token
  • /etc/shadow holds encrypted password data with Draconian rights
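The two slides above (the seven-field passwd record and the shadow split) can be turned into a small audit. The following is an added example, not code from the slides: it parses constructed passwd and shadow records (placeholder hashes, not real credentials), reports accounts whose password is not actually shadowed (hash still in the world-readable file, empty password field, or an "x" token with no shadow record), lists locked accounts, and shows the permission check that makes the "Draconian rights" on /etc/shadow matter. Field counts follow passwd(5) and shadow(5).

```python
"""Parse /etc/passwd and /etc/shadow records and flag entries that defeat
password shadowing.

Added example, not code from the slides. Sample records are constructed
inline and the hashes are placeholders, not real credentials. passwd has
7 colon-delimited fields (name:pw:uid:gid:gecos:home:shell); shadow has 9
(name, hash, then password-aging fields).
"""
import stat
from dataclasses import dataclass

# Constructed sample /etc/passwd. 'legacy' still carries its hash in passwd,
# 'guest' has an empty password field, 'orphan' has the 'x' token but no
# matching shadow record.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
james:x:500:500:Mr. James User:/home/james:/bin/bash
legacy:$1$PLACEHOLDER$HASHNOTREAL:501:501:Old box:/home/legacy:/bin/sh
guest::502:502:No password:/home/guest:/bin/sh
orphan:x:503:503:Missing shadow:/home/orphan:/bin/sh
"""

# Constructed sample /etc/shadow (only shadowed accounts appear here).
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$HASHNOTREAL:19000:0:99999:7:::
james:$6$PLACEHOLDER$HASHNOTREAL:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""


@dataclass
class PasswdEntry:
    name: str
    password: str      # 'x' when the real hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Return {username: PasswdEntry}; rejects lines with the wrong field count."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(f)}")
        entries[f[0]] = PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return entries


def parse_shadow(text):
    """Return {username: hash field} from shadow-format text."""
    hashes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"shadow line {lineno}: expected 9 fields, got {len(f)}")
        hashes[f[0]] = f[1]
    return hashes


def audit(passwd_text, shadow_text):
    """Return [(user, finding)] for accounts whose password is not properly shadowed."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for name, e in parse_passwd(passwd_text).items():
        if e.password == "":
            findings.append((name, "empty password field in world-readable passwd"))
        elif e.password != "x":
            findings.append((name, "password hash stored in passwd, not in shadow"))
        elif name not in shadow:
            findings.append((name, "shadow token present but no shadow record"))
    return findings


def locked_accounts(shadow_text):
    """Shadow hashes beginning with '!' or '*' cannot match any password."""
    return sorted(u for u, h in parse_shadow(shadow_text).items() if h[:1] in ("!", "*"))


def world_readable(mode):
    """True if the 'other' class can read a file with this st_mode (0o644 yes, 0o640 no)."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for user, why in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {why}")
    print("locked:", locked_accounts(SAMPLE_SHADOW))
    print("0o644 world-readable:", world_readable(0o644))
```

On a real host, `world_readable(os.stat("/etc/shadow").st_mode)` should be False; distributions that use a dedicated `shadow` group keep the file at 0640, which this check accepts because it only tests the "other" bit.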

PAM

  • Pluggable Authentication Module
  • Native to Linux, available for all other *NIX
  • Allows for a variety of authentication systems to mimic /etc/passwd
  • Any AAA system with a PAM module can be used
  • Active Directory PAM modules are available
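To see how an AD module plugs into the same stack as /etc/passwd, here is an added example (not code from the slides or from the Linux-PAM project) that parses pam.d-style lines and applies the four simple control flags. Module verdicts come from a constructed table rather than real modules, so it runs offline; the module names pam_winbind, pam_unix and pam_echo are real, the stacks themselves are constructed. It shows why the AD module is listed first with "sufficient", and what goes wrong for domain users when the order is reversed.

```python
"""Simulate how a PAM 'auth' stack combines its modules.

Added example, not code from the slides or the Linux-PAM project. It models
the control flags required, requisite, sufficient and optional over a
pam.d-style stack. Verdicts for each module come from a constructed table.
"""

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed stack in the shape of /etc/pam.d/common-auth: a domain user
# succeeds at pam_winbind and the stack stops; a local user fails there,
# the failure is ignored, and pam_unix decides.
AD_FIRST_STACK = """\
auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure
auth optional   pam_echo.so file=/etc/issue
"""

# Same modules, wrong order: pam_unix is 'required', so its failure for a
# domain user sticks even though pam_winbind later succeeds.
UNIX_FIRST_STACK = """\
auth required   pam_unix.so nullok_secure
auth sufficient pam_winbind.so
"""


def parse_stack(text, service_type="auth"):
    """Return [(control, module, args)] for lines of the requested type."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        typ, control, module = parts[0], parts[1], parts[2]
        if typ != service_type:
            continue
        if control not in CONTROL_FLAGS:
            raise ValueError(f"{control!r}: bracketed [value=action] syntax is not modelled")
        rules.append((control, module, parts[3:]))
    return rules


def evaluate(rules, verdicts):
    """Walk the stack; verdicts maps module name -> True (PAM_SUCCESS) or False.
    Returns (authenticated, trace)."""
    required_failed = False
    decided = False          # has a required/requisite module fixed the outcome?
    optional_result = None
    trace = []
    for control, module, _args in rules:
        ok = verdicts.get(module, False)  # unknown module treated as failure
        trace.append(f"{module}: {'success' if ok else 'fail'} ({control})")
        if control == "required":
            decided = True
            required_failed |= not ok     # keep going, but the stack will fail
        elif control == "requisite":
            decided = True
            if not ok:
                trace.append("requisite failure: stack aborted")
                return False, trace
        elif control == "sufficient":
            if ok and not required_failed:
                trace.append("sufficient success: stack returns success")
                return True, trace        # a failed sufficient module is ignored
        else:  # optional: only counts when nothing else decided
            optional_result = ok
    if decided:
        return not required_failed, trace
    return bool(optional_result), trace


def authenticate(stack_text, verdicts):
    return evaluate(parse_stack(stack_text), verdicts)


if __name__ == "__main__":
    for who, verdicts in [("domain user", {"pam_winbind.so": True}),
                          ("local user", {"pam_unix.so": True}),
                          ("unknown", {})]:
        ok, trace = authenticate(AD_FIRST_STACK, verdicts)
        print(f"{who}: {'allowed' if ok else 'denied'}  {trace}")
    print("domain user, misordered:", authenticate(UNIX_FIRST_STACK, {"pam_winbind.so": True})[0])
```

The trace returned by `evaluate` is the thing to read when a stack misbehaves: it shows which module produced the decisive verdict and whether an earlier "required" failure was silently carried to the end.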

Active Directory

  • Hierarchical database of users, resources and rights
  • AD is standards-based (with a little DNS protocol extension)
  • Kerberos (authentication), DNS (naming) and LDAP (directory services)
  • All services accept queries from any host
  • Extensive resources available (bring aspirin and coffee)

Active Directory & DNS

  • DNS answers all queries (promiscuous)
  • DNS zones can be AD-integrated or stand-alone (using a BIND style zone file)
  • AD domain zone contains AD-specific extensions, must be AD-integrated
  • MS-DNS doesn’t support BIND 9 Views
  • MS-DHCP is integrated with DNS
  • Split DNS or Windows DNS, you choose
  • Beware zone transfers and updates

Active Directory and Kerberos

  • MS-Kerberos is standards based
  • Queries must be from “known” hosts
  • Kerberos authenticates users and hosts
  • Kerberos authorizes resource access
  • Used for domain trusts
  • Transitive nature extended to other OS’s

Active Directory and LDAP

  • MS-LDAP is standards compliant
  • Queries must be from “known” hosts
  • Resource of “known” hosts for services
  • Database of systems and resources
  • Integrated with Kerberos AA and rights management
  • LDAP is the “glue” of AD

Winbind

  • Allows Linux users to use Windows domain resources as though they were native Linux resources

Samba & Winbind

  • Winbind extends Samba functionality to integrate AD AAA
  • Samba 3.08 + MIT Kerberos5 V1.3.1 + OpenLDAP
  • Winbind authenticates users against AD
  • Manages passwords, no local accounts

http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
http://www.enterprisenetworkingplanet.com/netos/article.php/3502441
QUESTIONS?

Thank You


AUTHOR: JamesFogg

Converted from the PPT by TedRoche - 06 Dec 2005

META FILEATTACHMENT LinuxWindowsIntegration.ppt attr="" comment="PowerPoint Slides" date="1133840007" path="Linux Windows Integration.ppt" size="54272" user="TedRoche" version="1.1"
Revision r1.1 - 05 Dec 2005 - 22:33 - TedRoche
Revision r1.2 - 06 Dec 2005 - 09:00 - TedRoche