Windows interoperability with Unix/Linux


- Introduction to Active Directory Integration for Unix and Linux Systems
- Unix/Linux interoperability components in Windows
- File sharing

Active Directory Integration for Unix and Linux Systems

Many IT shops in both large and small organizations use more than one operating system to meet their computing needs. While Windows is the market leader for desktop computing and has a large market share in server computing, Linux is being used more and more – especially for server workloads. UNIX has a long history as a server operating system and is widely used for many business workloads.

We will use Microsoft's Active Directory as the central repository for user account information and passwords. The challenge addressed in these notes is how to enable Linux and UNIX systems to use Active Directory-based user account information and passwords as the centralized directory system for authorizing and authenticating users who log in to the system.

Using Active Directory for Windows, Linux and UNIX has numerous advantages, including:

- Users have one login name and one password that can be used across Windows, Linux and UNIX.
- If the user changes his or her password on one of the systems, the new password is automatically applicable to the other systems.
- Help desk calls are reduced as users have fewer account names and passwords to remember.
- Sys admin costs are reduced as you are no longer required to create user accounts on every system that is deployed – instead you now create the account once in Active Directory and each enabled Windows, Linux or UNIX system can now use that account information for validating users.
- Consistent policies such as password length and complexity can now be enforced across Windows, Linux and UNIX.

Integration Methods

We have chosen three common methods for Active Directory integration that leverage "free" software and use widely available software and tools. The three methods are:

1. Using Microsoft's Server for NIS, Identity Management for UNIX and Kerberos for Directory and Authentication Services

By using the UNIX NIS server capabilities in Windows Server 2008 R2 for directory services and the built-in Kerberos system in Windows Server for authentication, Linux and UNIX systems can use Active Directory for user account information and password services. This solution uses native Kerberos on Windows, Linux and UNIX instead of password synchronization for validating users at login, and the Active Directory NIS server for storing and retrieving user information instead of using the /etc/passwd file on Linux and UNIX.

What is NIS?

Network Information Service (NIS) provides a simple network look-up service that consists of databases and processes. An NIS domain consists of a client and one or more servers. Clients use the NIS protocol to look up information stored in NIS databases, which are replicated among servers. A single master server is used to update databases; subordinate (also known as slave) servers provide read-only services. Databases are synchronized by copying them from master servers to subordinate servers periodically or upon change. A database served by NIS is called an NIS map. The NIS lookup calls require a map (database) name and an NIS domain name. An NIS domain consists of a collection of such maps.

Server for NIS integrates UNIX NIS networks with Windows Active Directory. Identity Management for UNIX includes an easy-to-use wizard that a Windows domain administrator can use to export NIS domain maps to Active Directory entries. Once this is done, an Active Directory domain controller running Server for NIS becomes the master server for the NIS domain.

2. Using native LDAP, native Kerberos and Windows Server 2008 R2 Active Directory services and schema for cross-platform identity management

Active Directory is an LDAP directory. Windows Server 2008 R2 even includes a standards-based LDAP schema for typical UNIX user and group attributes.
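How the UNIX attributes in that schema become a UNIX account, as an added example (not from the slides): it turns one user's RFC 2307 attributes, as an LDAP search against Active Directory would return them, into a passwd(5) line and refuses values that would be dangerous on the UNIX side. The minimum ID, the shell allow-list and the sample entry are assumptions made for the illustration.

```python
import re

# Assumed site policy (not from the slides): AD-assigned IDs start at 10000 so
# they can never collide with root or local system accounts.
MIN_ID = 10000
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin"}  # assumed allow-list
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")

# Constructed sample: the RFC 2307 attributes of one AD user object.
SAMPLE_ENTRY = {
    "sAMAccountName": "alice",
    "uidNumber": "10001",
    "gidNumber": "10000",
    "gecos": "Alice Example",
    "unixHomeDirectory": "/home/alice",
    "loginShell": "/bin/bash",
}

def passwd_line(entry):
    """Return the passwd(5) line for one AD user, or raise ValueError."""
    missing = [a for a in ("sAMAccountName", "uidNumber", "gidNumber",
                           "unixHomeDirectory", "loginShell") if not entry.get(a)]
    if missing:
        raise ValueError("not UNIX-enabled, missing: " + ", ".join(missing))
    name = entry["sAMAccountName"].lower()
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("unsafe login name")
    uid, gid = int(entry["uidNumber"]), int(entry["gidNumber"])
    if uid < MIN_ID or gid < MIN_ID:
        raise ValueError("uidNumber/gidNumber below the AD-managed range")
    home, shell = entry["unixHomeDirectory"], entry["loginShell"]
    gecos = entry.get("gecos", "")
    if shell not in ALLOWED_SHELLS:
        raise ValueError("login shell not in allow-list")
    # A ':' or newline inside a field would shift or add passwd fields.
    if any(c in field for field in (home, gecos) for c in ":\n"):
        raise ValueError("field separator inside attribute value")
    if not home.startswith("/"):
        raise ValueError("home directory must be absolute")
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"

if __name__ == "__main__":
    print(passwd_line(SAMPLE_ENTRY))
```

The checks matter because anyone who can edit these attributes in the directory controls what UID, shell and home directory the account gets on every UNIX host that trusts it.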

3. Using Samba client technology and Kerberos for Active Directory-based identity management

This solution also uses Kerberos for authentication but uses Samba / Winbind for user account information storage. Many customers use Samba file sharing technology on UNIX and Linux and wish to use Samba client technology to enable centralized integrated directory and identity management services with an Active Directory Windows Server.

What is Samba?

Samba is a free software re-implementation of the SMB/CIFS networking protocol. The name Samba comes from SMB (Server Message Block), the name of the standard protocol used by the Microsoft Windows network file system. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain, either as a Primary Domain Controller (PDC) or as a domain member. It can also be part of an Active Directory domain. Samba runs on most Unix and Unix-like systems.

What is Winbind?

Winbind is a component of the Samba suite that uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to allow Windows AD users to appear and operate as UNIX users on a UNIX machine. Winbind provides authentication of user credentials (via PAM) and identity resolution (via NSS). Winbind maintains a database in which it stores mappings between UNIX UIDs, GIDs, and Windows SIDs.
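What a SID-to-UID mapping involves, as an added example (not from the slides and not Samba's code): it decodes a binary Windows SID and derives the UNIX ID with the formula documented for Samba's idmap_rid backend, ID = RID + low end of the range (base_rid left at 0), which is an algorithmic alternative to the stored mappings mentioned above. The domain SID, the RID and the ID range are constructed sample values.

```python
import struct

# Constructed sample values (assumptions for the illustration).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_SID_BYTES = (bytes([1, 5]) + (5).to_bytes(6, "big") +
                    struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105))

def parse_sid(raw):
    """Decode a binary SID (the form stored in AD's objectSid) to S-1-... text."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_unix_id(sid, domain_sid, low, high):
    """Map a SID of the given domain to a UNIX ID as low + RID."""
    prefix, _, rid_text = sid.rpartition("-")
    if prefix != domain_sid:
        # Built-in or foreign-domain SIDs must not land in this domain's range.
        raise ValueError("SID belongs to a different domain")
    unix_id = low + int(rid_text)
    if not low <= unix_id <= high:
        raise ValueError("mapped ID falls outside the configured range")
    return unix_id

if __name__ == "__main__":
    sid = parse_sid(SAMPLE_SID_BYTES)
    print(sid, "->", sid_to_unix_id(sid, DOMAIN_SID, 10000, 999999))
```

Because the range starts well above the local accounts, the domain's RID 500 (Administrator) becomes 10500 rather than colliding with a local UID 500.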

Methods Comparison

Solution: Microsoft's Server for NIS, Identity Management for UNIX and Kerberos for Directory and Authentication Services

Pros:
- Uses standard components that ship with Windows and Linux
- Easy to set up on Linux, requires configuration on Windows Server
- Uses standards-based technology for all components (NIS, Kerberos)
- Centralized Unix attributes: UID, GID mapping directly in Active Directory

Cons:
- Uses NIS for directory services rather than LDAP
- Does not allow for joining the Active Directory domain. Only provides centralized directory and authentication services.

Solution: Native LDAP, native Kerberos and Windows Server 2008 R2 Active Directory services and schema for cross-platform identity management

Pros:
- Active Directory-based identity management with LDAP instead of NIS
- Can use centralized Unix attributes: UID, GID mapping in AD
- Standards-based solution (LDAP, Kerberos)
- Detailed setup instructions in Microsoft Solution Accelerator

Cons:
- More complex to set up
- Does not allow for joining the Active Directory domain

Solution: Samba / Winbind client technology and Kerberos for Active Directory-based identity management

Pros:
- Requires no special configuration on the Windows Server side
- Easy to set up on the Linux side
- Mature technology that is widely used
- Active Directory-based identity management with Winbind
- Allows Linux system to join Active Directory domain

Cons:
- Proprietary solution (Samba) vs. standards-based solution (LDAP)

Unix/Linux interoperability components in Windows

Windows operating systems support interoperability with UNIX platforms by means of a number of utilities, services and protocols:

- Support for industry standard protocols such as TCP/IP, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) and remote procedure call (RPC).
- For file sharing purposes, support for File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP).
- Cross-platform database access support using open database connectivity (ODBC).
- Remote terminal emulation support through Telnet.
- For UNIX printing, support via Line Printer Daemon (LPD), Line Printer Queue (LPQ) and Line Printer Remote (LPR).
- Support for network management via Simple Network Management Protocol (SNMP) and Remote Network Monitoring (RMON).

The main Microsoft product used to enable interoperability with UNIX is the Microsoft Subsystem for UNIX-based Applications (SUA). The Microsoft Subsystem for UNIX-based Applications 3.5 components are listed here:

- Interix: includes the C and Korn command shells and numerous utilities, which enable you to run UNIX applications directly on Windows-based computers.
- User Name Mapping: enables Windows and UNIX users to access files on one another's computers. This is done transparently and without causing security issues. UNIX accounts can utilize UNIX accounts from Network Information System (NIS) servers. User Name Mapping provides centralized mapping between Windows user accounts and UNIX accounts for Interix (Interix is the Unix-like system that runs on the Windows OS).
- Client for NFS: Windows-based computers are able to map an exported NFS share to a drive letter so that users access files on the file system as if they were on a local drive.
- Server for NFS: enables directories to be shared as NFS exported file systems. Server for NFS Authentication and User Name Mapping map the user identifier (UID) and group identifier (GID) of the user of the UNIX client to a Windows user account. UNIX clients therefore obtain the proper access to files hosted on Windows-based servers.

- Server for NIS: integrates UNIX Network Information System (NIS) networks with Active Directory. Server for NIS runs on Windows Server only, and not on Windows 7 Professional computers.
- Server for PCNFS: enables Windows users to access NFS file systems if the user supplies the proper UNIX user name and password.
- Password Synchronization: enables a user to require only a single password for UNIX networks and Windows-based networks. When a user changes a UNIX password, the password is automatically updated in the Windows network. When a user changes a Windows password, the password is automatically updated in the UNIX network.
- Telnet Client and Telnet Server: the Telnet terminal protocol is utilized to grant Windows users command-line access to UNIX systems. Telnet Client users are able to directly log on to computers running Telnet Server.

Sharing Files Between NT and UNIX Systems

Because NT and UNIX use different file systems (NTFS for NT and NFS for UNIX), file sharing between NT and UNIX systems usually requires running a product on the NT system that converts NTFS-format files to NFS.

NFS Permissions

NFS, which Sun Microsystems originally developed, provides a file-sharing standard that lets users on UNIX workstations access centralized files on a UNIX server or share files with other UNIX workstations. All major UNIX operating systems have built-in NFS file-sharing capabilities.