Presented by James Fogg to the Central GNHLUG on 5 Dec 2005

Linux Windows Integration: Can’t we all just get along?

JD Fogg Technology

  • Infrastructure Consulting
  • Security Consulting
  • Network Engineering
  • Project Management & Implementation

What is Interoperability?

  • Application Sharing
  • Shared Data Resources (ODBC, etc.)
  • Network Services (DNS, etc.)
  • Mail
  • Printing
  • File Sharing
  • Internet Access (ISA issues)
  • Login “pass-through” / AD integration

Application Sharing

  • RDesktop & Terminal Services
  • VNC
  • X-Windows
  • Cygwin

Network Services

  • MS-DNS works well
  • MS-DHCP is integrated with DNS
  • NTP is native to AD
  • Split DNS is possible, but complicated


  • Exchange supports POP3 and IMAP
  • Outlook / Outlook Express support POP3 and IMAP
  • MBOX conversion possible
  • Integrated calendaring is the driver for Exchange adoption
  • Exchange Public Folders are evil
  • POP3 connectors in Exchange


  • Samba and Printing
  • CUPS

Internet Access

  • ISA relies on AD for AAA
  • Outbound Internet access requires systems and users to be “known”
  • Exceptions can be made for non-AD machines

File Sharing

  • Samba – the well worn path
  • Browsing AD shares with Samba 3.0
  • Killing CIFS permissions
  • *nix-based NAS issues
  • MS-SUX and NAS tricks

MS-SFU 3.5 (beta)

  • Dramatic new capabilities, in W2003R2
  • Identity Management for Unix
  • MSNFS (client, server & gateway)
  • Subsystem for Unix Applications (Interix)
  • Full NIS with AD sync
  • Tools (awk, grep, sed, tr, cut, tar, cpio)
  • Permissions translations

Active Directory Integration: If you can’t beat them, join them

Understanding Linux

  • Authentication
  • etc/passwd, etc/group
  • etc/shadow
  • PAM

passwd and group

james:x:500:500:Mr. James User:/home/james:/bin/bash
  • Fields are colon-delimited

Shadow Passwords

  • World has RO rights to etc/passwd
  • Password stored using a simple hash
  • Many processes read etc/passwd
  • Password is replaced in /etc/passwd with a token
  • etc/shadow holds encrypted password data with Draconian rights


  • Pluggable Authentication Module
  • Native to Linux, available for all other *NIX
  • Allows for a variety of authentication systems to mimic /etc/passwd
  • Any AAA system with a PAM module can be used
  • Active Directory PAM modules are available

Active Directory

  • Hierarchical database of users, resources and rights
  • AD is standards-based (with a little DNS protocol extension)
  • Kerberos (authentication), DNS (naming) and LDAP (directory services)
  • All services accept queries from any host
  • Extensive resources available (bring aspirin and coffee)

Active Directory & DNS

  • DNS answers all queries (promiscuous)
  • DNS zones can be AD-integrated or stand-alone (using a BIND style zone file)
  • AD domain zone contains AD-specific extensions, must be AD-integrated
  • MS-DNS doesn’t support BIND 9 Views
  • MS-DHCP is integrated with DNS
  • Split DNS or Windows DNS, you choose
  • Beware zone transfers and updates

Active Directory and Kerberos

  • MS-Kerberos is standards based
  • Queries must be from “known” hosts
  • Kerberos authenticates users and hosts
  • Kerberos authorizes resource access
  • Used for domain trusts
  • Transitive nature extended to other OS’s

Active Directory and LDAP

  • MS-LDAP is standards compliant
  • Queries must be from “known” hosts
  • Resource of “known” hosts for services
  • Database of systems and resources
  • Integrated with Kerberos AA and rights management
  • LDAP is the “glue” of AD


  • Allows Linux users to use Windows domain resources as though they were native Linux resources

Samba & Winbind

  • Winbind extends Samba functionality to integrate AD AAA
  • Samba 3.08 + IT Kerberos5 V1.3.1 + OpenLDAP
  • Winbind authenticates users against AD
  • Manages passwords, no local accounts


Thank You

AUTHOR: JamesFogg

Converted from the PPT by TedRoche - 06 Dec 2005

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r3 - 2023-12-13 - BenScott

All content is Copyright © 1999-2024 by, and the property of, the contributing authors.
Questions, comments, or concerns? Contact GNHLUG.
All use of this site subject to our Legal Notice (includes Terms of Service).