Linux Windows Integration: Can’t we all just get along?

JD Fogg Technology

• Infrastructure Consulting
• Security Consulting
• Network Engineering
• Project Management & Implementation

What is Interoperability?

• Application Sharing
• Shared Data Resources (ODBC, etc.)
• Network Services (DNS, etc.)
• Mail
• Printing
• File Sharing
• Internet Access (ISA issues)
• Login “pass-through” / AD integration

Application Sharing

• RDesktop & Terminal Services
• VNC
• X-Windows
• Cygwin

Network Services

• MS-DNS works well
• MS-DHCP is integrated with DNS
• NTP is native to AD
• Split DNS is possible, but complicated

Mail

• Exchange supports POP3 and IMAP
• Outlook / Outlook Express support POP3 and IMAP
• MBOX conversion possible
• Integrated calendaring is the driver for Exchange adoption
• Exchange Public Folders are evil
• POP3 connectors in Exchange

Printing

• Samba and Printing
• CUPS

Internet Access

• ISA relies on AD for AAA
• Outbound Internet access requires systems and users to be “known”
• Exceptions can be made for non-AD machines

File Sharing

• Samba – the well worn path
• Browsing AD shares with Samba 3.0
• Killing CIFS permissions
• *nix-based NAS issues
• MS-SUX and NAS tricks

MS-SFU 3.5 (beta)

• Dramatic new capabilities, in W2003R2
• Identity Management for Unix
• MSNFS (client, server & gateway)
• Subsystem for Unix Applications (Interix)
• Full NIS with AD sync
• Tools (awk, grep, sed, tr, cut, tar, cpio)
• Permissions translations

Active Directory Integration: If you can’t beat them, join them

Understanding Linux

• Authentication
• etc/passwd, etc/group
• etc/shadow
• PAM

passwd and group

james:x:500:500:Mr. James User:/home/james:/bin/bash

• Fields are colon-delimited

uname:pword:userid:groupid:name:homedirectory:shell

Shadow Passwords

• World has RO rights to etc/passwd
• Password stored using a simple hash
• Many processes read etc/passwd
• Password is replaced in /etc/passwd with a token
• etc/shadow holds encrypted password data with Draconian rights

PAM

• Pluggable Authentication Module
• Native to Linux, available for all other *NIX
• Allows for a variety of authentication systems to mimic /etc/passwd
• Any AAA system with a PAM module can be used
• Active Directory PAM modules are available

Active Directory

• Hierarchical database of users, resources and rights
• AD is standards-based (with a little DNS protocol extension)
• Kerberos (authentication), DNS (naming) and LDAP (directory services)
• All services accept queries from any host
• Extensive resources available (bring aspirin and coffee)

Active Directory & DNS

• DNS answers all queries (promiscuous)
• DNS zones can be AD-integrated or stand-alone (using a BIND style zone file)
• AD domain zone contains AD-specific extensions, must be AD-integrated
• MS-DNS doesn’t support BIND 9 Views
• MS-DHCP is integrated with DNS
• Split DNS or Windows DNS, you choose
• Beware zone transfers and updates

Active Directory and Kerberos

• MS-Kerberos is standards based
• Queries must be from “known” hosts
• Kerberos authenticates users and hosts
• Kerberos authorizes resource access
• Used for domain trusts
• Transitive nature extended to other OS’s

Active Directory and LDAP

• MS-LDAP is standards compliant
• Queries must be from “known” hosts
• Resource of “known” hosts for services
• Database of systems and resources
• Integrated with Kerberos AA and rights management
• LDAP is the “glue” of AD

Winbind

• Allows Linux users to use Windows domain resources as though they were native Linux resources

Samba & Winbind

• Winbind extends Samba functionality to integrate AD AAA
• Samba 3.08 + IT Kerberos5 V1.3.1 + OpenLDAP
• Winbind authenticates users against AD
• Manages passwords, no local accounts

http://www.enterprisenetworkingplanet.com/netos/article.php/3487081

http://www.enterprisenetworkingplanet.com/netos/article.php/3502441

QUESTIONS?

Thank You

AUTHOR: JamesFogg

Converted from the PPT by TedRoche - 06 Dec 2005