Windows interoperability with Unix/Linux


Page 1

Windows interoperability with Unix/Linux

Page 2

• Introduction to Active Directory Integration for Unix and Linux Systems

• Unix/Linux interoperability components in Windows

• File sharing

Page 3

Active Directory Integration for Unix and Linux Systems

• Many IT shops in both large and small organizations use more than one operating system to solve their computing needs.

• While Windows is the market leader for desktop computing and has a great market share in server computing, Linux is being used more and more, especially for server workloads.

• UNIX has a long history as a server operating system and is widely used for many business workloads.

Page 4

Active Directory Integration for Unix and Linux Systems

• In fact, in a recent Gartner report, 92% of IT organizations that responded to the survey stated that their company uses Windows and Linux or UNIX for server computing (as well as other operating systems, such as mainframes, in some cases).

Page 5

Active Directory Integration for Unix and Linux Systems

• We will use Microsoft’s Active Directory as the central repository for user account information and passwords.

• The challenge addressed in these notes is how to enable Linux and UNIX systems to use Active Directory-based user account information and passwords as the centralized directory system for authorizing and authenticating users who log in to the system.

Page 6

Active Directory Integration for Unix and Linux Systems

• Using the Active Directory system for Windows, Linux and UNIX has numerous advantages, including:
– Users have one login name and one password that can be used across Windows, Linux and UNIX
– If the user changes his or her password on one of the systems, the new password is automatically applicable to the other systems
– Help desk calls are reduced as users have fewer account names and passwords to remember
– Sys admin costs are reduced as you are no longer required to create user accounts on every system that is deployed; instead you now create the account once in Active Directory and each enabled Windows, Linux or UNIX system can use that account information for validating users
– Consistent policies such as password length and complexity can now be enforced across Windows, Linux and UNIX

Page 7

Integration Commercial Products

• It should be noted that there are at least two popular commercial products that provide solutions to these challenges:
– Centrify’s DirectControl product line
– Quest’s Vintela Authentication Services

• Both allow Linux and UNIX systems to join an Active Directory domain and use Active Directory as the centralized authority for authentication, authorization, directory information and policy management.

• However, many users need only basic identity management capabilities and wish to solve this need using “free” software.

Page 8

Integration Methods

• We have chosen three common methods for Active Directory integration that leverage “free” software and use widely available software and tools. The three methods are:

• 1. Using Microsoft’s Server for NIS, Identity Management for UNIX and Kerberos for Directory and Authentication Services
– By using the UNIX NIS server capabilities in Windows Server 2003 R2 for directory services and the built-in Kerberos system in Windows Server for authentication, Linux and UNIX systems can use Active Directory for user account information and password services.
– This solution uses native Kerberos on Windows, Linux and UNIX instead of password synchronization for validating users at log in, and the Active Directory NIS server for storing and retrieving user information instead of the /etc/passwd file on Linux and UNIX.

Page 9

What is NIS?

• Network Information Service (NIS) provides a simple network look-up service that consists of databases and processes. An NIS domain consists of a client and one or more servers. Clients use the NIS protocol to look up information stored in NIS databases, which are replicated among servers. A single master server is used to update databases; subordinate (also known as slave) servers provide read-only services. Databases are synchronized by copying them from master servers to subordinate servers periodically or upon change.

• A database served by NIS is called an NIS map. The NIS lookup calls require a map (database) name and an NIS domain name. An NIS domain consists of a collection of such maps.

• Server for NIS integrates UNIX NIS networks with Windows Active Directory. Identity Management for UNIX includes an easy-to-use wizard that a Windows domain administrator can use to export NIS domain maps to Active Directory entries. Once this is done, an Active Directory domain controller running Server for NIS becomes the master server for the NIS domain.

Page 10

Integration Methods

• 2. Using Samba client technology and Kerberos for Active Directory-based identity management
– This solution also uses Kerberos for authentication but uses Samba for user account information storage.
– Many customers use Samba file sharing technology on UNIX and Linux and wish to use Samba client technology to enable centralized, integrated directory and identity management services with an Active Directory Windows Server.

Page 11

What is Samba?

• Samba is a free software re-implementation of the SMB/CIFS networking protocol. The name Samba comes from SMB (Server Message Block), the name of the standard protocol used by the Microsoft Windows network file system.

• Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain, either as a Primary Domain Controller (PDC) or as a domain member. It can also be part of an Active Directory domain. Samba runs on most Unix and Unix-like systems.
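The Samba method above relies on a handful of smb.conf settings that decide whether a Linux host can authenticate Active Directory users through Kerberos and give them Unix IDs. As an added example (not from these slides or the Samba project), the check below parses a constructed [global] section and reports the weak settings; the domain name EXAMPLE, the realm and the ID ranges are placeholders.

```python
import configparser

# Constructed smb.conf for a Linux host being made an AD domain member with
# winbind; realm and ranges are placeholders, not values from the slides.
# This version has two weaknesses that ad_member_findings() reports.
WEAK_SMB_CONF = """\
[global]
workgroup = EXAMPLE
realm = example.com
security = ads
idmap config * : backend = tdb
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
winbind use default domain = yes
"""

# Same host with both findings corrected.
FIXED_SMB_CONF = WEAK_SMB_CONF.replace("realm = example.com", "realm = EXAMPLE.COM") \
    .replace("idmap config * : backend = tdb\n",
             "idmap config * : backend = tdb\nidmap config * : range = 3000-7999\n")


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Only '=' separates key from
    value, because Samba keys such as 'idmap config * : backend' contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def ad_member_findings(text):
    """Settings that stop the host from authenticating AD users via Kerberos
    or from giving them Unix IDs; returns [] for a usable configuration."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for AD Kerberos authentication")
    realm = g.get("realm", "")
    if not realm:
        findings.append("realm is not set; no Kerberos realm for the domain")
    elif realm != realm.upper():
        findings.append("realm should be the upper-case Kerberos realm name")
    # winbind needs a UID/GID range for the default domain ('*') and for the
    # AD domain itself, or it cannot allocate Unix IDs for directory users.
    for dom in ("*", g.get("workgroup", "").upper()):
        if f"idmap config {dom} : range".lower() not in g:
            findings.append(f"no idmap range for domain '{dom}'")
    return findings
```

The rid backend for the AD domain derives each Unix ID from the account's SID, so every host computes the same IDs; the tdb backend allocates IDs locally, which is the per-host state the comparison slide refers to.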

Page 12

Integration Methods

• 3. Using native LDAP, native Kerberos and Windows Server 2003 R2 Active Directory services and schema for cross-platform identity management
– Active Directory is an LDAP directory.
– Windows Server 2003 R2 even includes a standards-based LDAP schema for typical UNIX user and group attributes.
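With the R2 schema, the Linux resolver reads the UNIX attributes of an AD user over LDAP and turns them into a passwd record, while the password itself stays in AD and is verified by Kerberos. As an added example (not from these slides), the code below does that mapping for a constructed LDIF entry and refuses entries that would grant a system-level UID; the user, IDs and paths are placeholders.

```python
import re

# Constructed LDIF for one AD user, as an LDAP search against a Windows
# Server 2003 R2 domain returns it once the UNIX attributes are populated.
# Names and numbers are placeholders, not values from the slides.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
sAMAccountName: alice
uid: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example
"""

# The R2 schema stores the home directory as unixHomeDirectory rather than the
# RFC 2307 homeDirectory attribute, so the resolver must map it explicitly.
REQUIRED = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
MIN_ID = 1000  # IDs below this belong to local system accounts (root, daemon, ...)


def parse_ldif_entry(text):
    """Parse one unwrapped, unencoded LDIF entry into an attribute -> value dict."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry[attr] = value
    return entry


def unix_problems(entry):
    """Reasons an AD entry must not become a local account on the Linux host."""
    problems = [f"missing {a}" for a in REQUIRED if a not in entry]
    if problems:
        return problems
    uid, gid = int(entry["uidNumber"]), int(entry["gidNumber"])
    # Anyone able to write uidNumber in AD would otherwise become root (uid 0)
    # on every Linux host that trusts the directory; nss_ldap and sssd expose
    # a minimum-ID setting for exactly this reason.
    if uid < MIN_ID or gid < MIN_ID:
        problems.append(f"uid/gid {uid}/{gid} below minimum {MIN_ID}")
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", entry["uid"]):
        problems.append(f"login name {entry['uid']!r} is not a valid UNIX user name")
    return problems


def to_passwd_line(entry):
    """Build the /etc/passwd-style record the NSS LDAP module hands to getpwnam()."""
    problems = unix_problems(entry)
    if problems:
        raise ValueError("; ".join(problems))
    # Password field is "x": the password lives in AD and is checked by Kerberos.
    return ":".join([entry["uid"], "x", entry["uidNumber"], entry["gidNumber"],
                     entry.get("gecos", ""), entry["unixHomeDirectory"], entry["loginShell"]])
```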

Page 13

Methods Comparison

Solution: Microsoft’s Server for NIS, Identity Management for UNIX and Kerberos for Directory and Authentication Services
Pros:
– Uses standard components that ship with Windows and Linux
– Easy to set up on Linux, requires configuration on Windows Server
– Uses standards-based technology for all components (NIS, Kerberos)
– Centralized UID, GID mapping
Cons:
– Uses NIS for directory services rather than LDAP
– Does not allow for joining the Active Directory domain. Only provides centralized directory and authentication services.
– Self-supported solution

Solution: Samba client technology and Kerberos for Active Directory-based identity management
Pros:
– Requires no special configuration on the Windows Server side
– Easy to set up on the Linux side
– Mature technology that is widely used
– Allows Linux system to join Active Directory domain
Cons:
– Stores some user information on each Linux system instead of centrally, requiring manual synchronization in some cases
– Proprietary solution (Samba) vs. standards-based solution (LDAP)
– Self-supported solution

Solution: Native LDAP, native Kerberos and Windows Server 2003 R2 Active Directory services and schema for cross-platform identity management
Pros:
– Uses LDAP instead of NIS for directory services
– Standards-based solution (LDAP, Kerberos)
– Detailed setup instructions in Microsoft Solution Accelerator
Cons:
– More complex to set up
– Does not allow for joining the Active Directory domain
– Self-supported solution

Solution: Commercial solutions such as Centrify’s DirectControl or Quest’s Vintela Authentication Services
Pros:
– Very easy to set up
– Provides virtually all AD client services to Linux and UNIX
– Allows Linux system to join Active Directory domain
– Fully supported commercial solution
Cons:
– Proprietary software installed on both server and client
– Requires per system license to be purchased

Page 14

Unix/Linux interoperability components in Windows

• Windows operating systems support interoperability with UNIX platforms by means of a number of utilities, services and protocols:

• Support for industry standard protocols such as:
– TCP/IP
– Domain Name System (DNS)
– Dynamic Host Configuration Protocol (DHCP)
– Remote Procedure Call (RPC)

• For file sharing purposes, support for File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP).

• Cross platform database access support using Open Database Connectivity (ODBC).

• Remote terminal emulation support through Telnet.

• For UNIX printing, support via Line Printer Daemon (LPD), Line Printer Queue (LPQ) and Line Printer Remote (LPR).

• Support for network management via Simple Network Management Protocol (SNMP) and Remote Network Monitoring (RMON).

Page 15

Unix/Linux interoperability components in Windows

• The main Microsoft product used to enable interoperability with UNIX is Microsoft Windows Services for UNIX. The Microsoft Windows Services for UNIX 3.0 components are listed here:

• Interix; includes the C and Korn command shells and numerous utilities, which ultimately enable you to run UNIX applications directly on Windows-based computers.

• Interix Software Development Kit; includes documentation, tools and libraries that you can use to make UNIX applications run on Windows computers via the Interix subsystem.

• User Name Mapping; enables Windows and UNIX users to access files on one another’s computers. This is done transparently and without causing security issues. It can use UNIX accounts from Personal Computer Network File System (PCNFS) servers or from Network Information System (NIS) servers. User Name Mapping provides centralized mapping between Windows user accounts and UNIX accounts for:
– Interix (Interix is the Unix-like subsystem that runs on the Windows OS)
– Client for NFS
– Server for NFS
– Gateway for NFS

Page 16

Unix/Linux interoperability components in Windows

• Client for NFS; provides a number of features:
– Windows-based computers are able to map an exported NFS share to a drive letter so that users access files on the file system as if they were on a local drive.
– Users can also access NFS shares through Universal Naming Convention (UNC) names.
– Users are able to obtain UNIX authentication credentials via User Name Mapping or a PCNFS server.

• Server for NFS; enables directories to be shared as NFS exported file systems. Server for NFS Authentication and User Name Mapping map the user identifier (UID) and group identifier (GID) of the user on the UNIX client to a Windows user account. UNIX clients therefore obtain the proper access to files hosted on Windows-based servers.

• Gateway for NFS; enables Windows users to access exported file systems on NFS servers, with no client software needed on their computers. For Gateway for NFS to work, it needs User Name Mapping to provide the proper UID and GID for the Windows user. Gateway for NFS runs on Windows Server only, and not on Windows XP Professional computers.

Page 17

Unix/Linux interoperability components in Windows

• Server for NIS; integrates UNIX Network Information System (NIS) networks with Active Directory. Server for NIS runs on Windows Server only, and not on Windows XP Professional computers.

• Server for PCNFS; enables Windows users to access NFS file systems if the user supplies the proper UNIX user name and password.

• Password Synchronization; enables a user to require only a single password for UNIX networks and Windows-based networks:
– When a user changes a UNIX password, the password is automatically updated in the Windows network.
– When a user changes a Windows password, the password is automatically updated in the UNIX network.

• Telnet Client and Telnet Server; the Telnet terminal protocol is utilized to grant Windows users command-line access to UNIX systems. Telnet Client users are able to directly log on to computers running Telnet Server.

Page 18

Sharing Files Between NT and UNIX Systems

• Because NT and UNIX use different file systems (NTFS for NT and NFS for UNIX), file sharing between NT and UNIX systems usually requires running a product on the NT system that converts NTFS-format files to NFS.

NFS Permissions

• NFS, which Sun Microsystems originally developed, provides a file-sharing standard that lets users on UNIX workstations access centralized files on a UNIX server or share files with other UNIX workstations. All major UNIX operating systems have built-in NFS file-sharing capabilities.

Page 19

Thank you