
Linux Authentication Against Active Directory

kdawson posted more than 5 years ago | from the likewise-i'm-sure dept.

Communications 90

Bandman writes "For a while now I've been looking for something to integrate my Linux/Mac corporate environment with Windows Active Directory. I was hoping for centralized authentication at best. As I found out, Likewise Software has produced two products, the free Likewise Open and the commercial Likewise Enterprise. Both of them provide much more than just a centralized repository for accounts. I wrote a review of Likewise Open, but I don't have enough experience with Active Directory to really do justice to Likewise Enterprise. If you've been trying to integrate the Linux and Windows worlds, this could be the easiest way to do it."


90 comments

And if you act now... (4, Informative)

mweather (1089505) | more than 5 years ago | (#24527955)

It can be yours for two payments of $19.95! When did Slashdot turn into an infomercial?

Re:And if you act now... (1, Funny)

Anonymous Coward | more than 5 years ago | (#24529289)

I've noticed lots of very advertisement-style articles in the Firehose, if you just search for -story.

Linux authentication against....can not connect (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24527961)

Why would anyone want to authenticate Linux against winblows AD? Why use a free and open product with a complete disaster? Why do people insist on using MS AD when the IT pros all know that you have to reboot a Windows server regularly because the services lock up too often? Use LDAP on Linux and the Windows fanboys can authenticate against that until they learn to use a real system.

Re:Linux authentication against....can not connect (2, Insightful)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24528061)

It isn't about teaching people to learn alternate operating systems - that is fine if you're running a home server, and want to force your mom to use something other than vista - but it is a really bad strategy when you're trying to do it for business.

If you went to a car dealership, and you wanted to buy an automatic, what would you do if the salesman said 'Oh, get a stick shift, you've got much more control'? - and then he refused to sell you a car with an automatic transmission?

Re:Linux authentication against....can not connect (0)

Anonymous Coward | more than 5 years ago | (#24528817)

pump him full of lead from a 'semi'-automatic rifle?

Re:Linux authentication against....can not connect (1)

AvitarX (172628) | more than 5 years ago | (#24529103)

Thank him for the money savings, in purchase price, fuel, and repair cost?

Re:Linux authentication against....can not connect (1)

BlackSnake112 (912158) | more than 5 years ago | (#24532379)

Fuel cost maybe (depends on how you drive), but repair costs? I have put over 200,000 miles on my V6 auto engine and transmission. The trans is electronic. Other than getting the trans fluid changed every 30,000-40,000 miles it has not cost me anything. No repairs, no issues. If it was a stick, I would have gone through a few clutches (at least) by now along with getting the fluid changed. Actually the engine hasn't been too bad either; besides plugs and wires at 104,000 and just last month, I have put in one water pump, one air mass sensor, and a lot of oil changes. The other stuff (tires, exhaust, shocks) is the same for auto or stick. The whole "stick is cheaper on repairs" thing I do not think is true anymore. Do the normal maintenance and the stuff can last a long time.

Re:Linux authentication against....can not connect (1)

Trogre (513942) | more than 5 years ago | (#24559851)

You would be correct, except we're talking manual transmission over automatic, not 2-wheel drive over 4WD.

Thanks for playing.

Re:Linux authentication against....can not connect (3, Insightful)

QuantumRiff (120817) | more than 5 years ago | (#24528219)

Ever work in a large environment? It's much easier to have one point of authentication and configuration. Do you want to deal with managing users (change passwords, disabled accounts, etc.) on 8 different systems? I sure don't. Things will get forgotten, and accounts that should be disabled will not be.

You obviously haven't used AD very much, because it is not just an authentication system. It ensures policies (drive mappings, configurations, proxy settings, MS Office behaviour and defaults, security standards, etc.), deploys software and printers to users and computers.

Re:Linux authentication against....can not connect (3, Insightful)

ratboy666 (104074) | more than 5 years ago | (#24529311)

"...it is not just an authentication system. It ensures policies (drive mappings, configurations, proxy settings, MS office behaviour and defaults, security standards, etc), deploys software and printers to users and computers"

Of what use is this in anything other than a Microsoft Environment?

How does AD "deploy software and printers" to anything that isn't a Microsoft Environment? And why would you even want it to?

So, from a network viewpoint, AD is just an authentication system. The rest is worthless in a heterogeneous environment.

[Proxy settings are useful].

Re:Linux authentication against....can not connect (4, Insightful)

hmar (1203398) | more than 5 years ago | (#24530097)

That's not really the point. Making a switch over to Linux can be done gradually if your Linux computers can play in AD. And it is not worthless, when 90% of your systems are MS, why have a second authentication server for the other 10%? Why not use what you can with Linux? It doesn't mean that those Windows computers can't take advantage of Active directory.

Re:Linux authentication against....can not connect (2, Interesting)

ratboy666 (104074) | more than 5 years ago | (#24532623)

It isn't Linux that I am concerned with. It's the entire datacenter.

I work with Solaris. We sell expertise. Used to be, our network was fine - no issues. Then, we had a merger. All of a sudden, the IT dept has to support Windows. What happens?

AD is deployed. This makes Windows happy happy. Not so happy on the Unix front. MS DHCP isn't quite right -- insists on resolv.conf entries that won't work. I can type machine.whole.damn.domain and it works. Of course, if I could *use* AD, I would be only typing "machine". As well, printer definitions, etc. are all now Windows centric. Really nasty to access from anything else.

Windows came in, plopped its 800 lb body over EVERYTHING. And it just doesn't like to inter-operate. Says Windows, "I don't have to cooperate! No AD for you".

You know what? It doesn't. Sucks. Everything else inter-operates, and has to get along with the new kid, who does things JUST ENOUGH DIFFERENTLY to force lock-in of users who just expect better. Yeah, we edit resolv.conf, and adjust it. Yeah, we have an extra server to buffer away the new printing pains. Yeah, we can export AD entries, and import into NIS. Yeah, we can run parallel file sharing (NFS and SMB). But it's annoying to users. May as well just lock in Windows and be done with it. And, the administration is different enough to create a divide as well.

And, you know what? I don't actually /blame/ Microsoft. After all, they /could/ pull this off. Admirable really. The creation of an entire software ecosystem that really doesn't have much to do with anything else. Jarring when an "external" technology is brought in (Trumpet TCP/IP stack? Early MS inter-networking?). Eventually, folded and blended into the juggernaut that is Windows.

But I am still pissed. I understand, but I am not bothering to "learn" the Windows ecosystem. Others can do that, and leave me to my legacy stuff. Thank God I will probably retire soon (yeah, I am the crusty Mainframe & Unix guy here).

Sure, phase out the old, sign me up; AD rulez! I wouldn't /bother/ to link up Linux (et al.) to it. If needed, pull AD data, and import into NIS/NIS+ legacy, and get on with the work of replacing Unix with Windows.

K?

Re:Linux authentication against....can not connect (1)

Bandman (86149) | more than 5 years ago | (#24551001)

I'm late to the party, but from the documentation I've read (~300 pages so far), all of these policies, printers, etc. are able to be added to Linux machines using Likewise Enterprise. It essentially extends the management environment to Unix machines.

Re:Linux authentication against....can not connect (1)

buchanmilne (258619) | more than 5 years ago | (#24536565)

Ever work in a large environment? It's much easier to have one point of authentication and configuration. Do you want to deal with managing users (change passwords, disabled accounts, etc.) on 8 different systems? I sure don't. Things will get forgotten, and accounts that should be disabled will not be.

Sure, but AD isn't the only solution to that, and Kerberos+LDAP+Samba (as the parent poster is using) is an adequate solution (and may be a superior one if you have more Unix to worry about than Windows).

Re:Linux authentication against....can not connect (1, Informative)

Anonymous Coward | more than 5 years ago | (#24528267)

Unfortunately in the corporate world, most applications only work in Windows. I know this may be a surprise, but please try to get over it quickly.

Plus, AD gives you nice full-bodied Windows management (GPOs, etc.). Once again, many apps only run on Windows, and don't do nicely on wine/cedega/winex. If you're running a VM of a machine to run these apps, it may be in your interest to connect them to a domain to manage them. Hello AD!

For those out there who don't believe AD is LDAP compatible: I've worked quite deeply with AD; it is LDAP, it implements the LDAP standard (including TLS and SSL), as well as the Kerberos standard, properly. It then extends the LDAP standard to give it some extra options for Windows domains.

As much as I absolutely love Linux, and loathe Microsoft and Windows, the zealotry of some people pisses me off.... Fucking drop it.

(as a forethought: my AD server has been running for 3+ months without a reboot; patches aren't really a concern as all it does is AD and DHCP)

Re:Linux authentication against....can not connect (1)

afidel (530433) | more than 5 years ago | (#24528877)

Actually, AD is an X.500 directory that has LDAP added on. There was recently a thread on the history of AD over at Activedir and there was a post by the lead designer in this [activedir.org] thread (look for the post by DonH).

Re:Linux authentication against....can not connect (3, Insightful)

wrfelts (950027) | more than 5 years ago | (#24532703)

I was working on NDS when it first came out and AD when it first came out as well. AD was never an X.500 "compliant" directory. It was shoe-horned into semi-compliance. It still suffers from a lot of organizational and management problems because of this. That's not to say that X.500 (actually X.509) is the best mechanism for organizational object management to begin with. The design suffers from huge limitations.

As of v4.11 of Novell's NDS (now eDirectory), NDS was a far superior system for managing objects. I was easily managing hundreds of servers and thousands of Windows workstations (using ZENworks) with NDS in the NetWare 4.11/4.12 time frame. This included enterprise software roll out, local NT registry management, software and hardware inventory, and on-demand software delivery. I could easily drop in a replacement PC for a user and it would auto-build the software profile for them. We didn't spend hours trying to fix a user's PC if it was hosed or infected. We swapped their old one for a new one. When they logged in they got their old tools and files (network stored). The old PC was diagnosed and wiped at our leisure.

The programming API for NDS was much simpler than for AD (or LDAP, for that matter). The limitation there was having to use the Watcom C compiler to wrap NetWare NLMs (NetWare Loadable Modules; the old 3.x versions were called VAPs - Value Added Processes).

AD still suffers from old holdover problems (like groups not showing up via one API, but visible in another, or simply showing some members and truncating the list, having to know which server to query, etc...)

Novell's NDS was stronger in the 4.11+ days than AD is now. This includes extensibility, manageability, API, etc... That doesn't mean that MS isn't making progress, just that they should have listened to us back in '97 when we were asking them to license NDS from Novell and drop the death-trap that was AD. We would be 11 years farther on stability and usability if they had.

I have no idea how stable or usable NDS/eDirectory is now. Very few shops depend on it now and I had to drop it from my bag of tricks so that I could focus on what paid the bills.

Here's a basic list of MS non-innovation over time:

  • CP/M and MP/M instead of MS-DOS: better stability and multi-threading on 8086/8088 hardware
  • GeoWorks Ensemble instead of Windows 3.0: better stability and MUCH better performance under DOS. Great multi-threading! Killed by MS via anti-competitive no-bundle threats to OEMs
  • NDS instead of AD: better performance, stability, and usability in '97 for NDS than now for AD. We would have been many years ahead of where we are if MS had adopted it.
  • the list goes on...

Enough ranting... MS is doing better with AD than they were, but it still has a long way to go.

Re:Linux authentication against....can not connect (2, Informative)

Trigun (685027) | more than 5 years ago | (#24528283)

Authenticating to a Linux LDAP server is nice for central authentication, but it misses out one of the A's completely, and does a shit job on the remaining one.

Authentication - Easy to do against LDAP.
Authorization - Nope, not there, unless you're going to run Kerberos as well. Then you run into compatibility issues and integration nightmares.
Accounting - Horrible. Almost as unusable as the Event log.

Plus, you don't get any of the nice features of AD. Group policy is great for managing lots of computers and rolling out settings. Even after using KDE and their Kiosk tool, which can help you lock things down, I haven't found anything out there that you can use that makes things easy.

Plus LDAP can be quite unwieldy. Have you ever built a forest across multiple geographic locations with LDAP? What about multi-master replication?

Re:Linux authentication against....can not connect (2, Informative)

raddan (519638) | more than 5 years ago | (#24529141)

I hate to break it to you, but LDAP is not a directory system. It is a directory protocol. AD provides an LDAP interface. So your directory system can be structured and provide storage in the backend pretty much any way you want. Microsoft, for instance, uses Jet for storing their data, and X.500 for structuring it. But if you wanted to build your directory using post-it notes and a robot, then fine, as long as you provide an LDAP interface, you're an LDAP directory.

AD *can* store any arbitrary information with schema additions. So if you can query LDAP on the Linux side for window manager policy, and you can come up with a schema that represents that policy, go ahead, store it in AD. Mac people have been doing this for years, although Apple would prefer that you use their Open Directory system.

Also-- AD uses Kerberos. How do I know? Because I have Linux machines (MIT Kerb), OpenBSD machines (Heimdal), and Macs (MIT/Apple Kerb) all authenticating against our AD. There are some little oddities here and there (your machines have to support Microsoft's cipher-- which I believe is now installed by default on all recent Kerberos distributions), but in general, it works surprisingly well. For me, on Linux machines, the trick was learning the ins and outs of PAM and winbind. After that, it was easy.

Anyway, if you're expecting LDAP to provide authentication, you're mistaken about the purpose of LDAP. Think of it as a fancy phone book. What you need are a lock and key. Also-- accounting? For that, you want a piece of logging software. Microsoft supplies all of these things neatly packaged together, and if you don't want to bother with the details, then it's a decent choice. But don't confuse the two, because LDAP only provides a subset of the services that AD does. Complaining that LDAP does a "shit job" at authentication and accounting is like complaining that your tires do a "shit job" of steering. Well, duh.

Re:Linux authentication against....can not connect (3, Informative)

Trigun (685027) | more than 5 years ago | (#24529899)

I hate to break it to you, but LDAP is not a directory system. It is a directory protocol. AD provides an LDAP interface. So your directory system can be structured and provide storage in the backend pretty much any way you want. Microsoft, for instance, uses Jet for storing their data, and X.500 for structuring it. But if you wanted to build your directory using post-it notes and a robot, then fine, as long as you provide an LDAP interface, you're an LDAP directory.

I could build it out of unicorn farts, I'm not arguing that. The fact remains that any of the Linux LDAP implementations are Directory Servers.

AD *can* store any arbitrary information with schema additions. So if you can query LDAP on the Linux side for window manager policy, and you can come up with a schema that represents that policy, go ahead, store it in AD. Mac people have been doing this for years, although Apple would prefer that you use their Open Directory system.

Again, I'm not disagreeing with you.

Also-- AD uses Kerberos. How do I know? Because I have Linux machines (MIT Kerb), OpenBSD machines (Heimdal), and Macs (MIT/Apple Kerb) all authenticating against our AD. There are some little oddities here and there (your machines have to support Microsoft's cipher-- which I believe is now installed by default on all recent Kerberos distributions), but in general, it works surprisingly well. For me, on Linux machines, the trick was learning the ins and outs of PAM and winbind. After that, it was easy.

And I'm sure that AD uses Kerberos as well. I've got stacks of books about it, traffic dumps, whatever you need. I've got more proof that AD uses Kerberos than people have that the moon landing was fake.

Anyway, if you're expecting LDAP to provide authentication, you're mistaken about the purpose of LDAP. Think of it as a fancy phone book. What you need are a lock and key. Also-- accounting? For that, you want a piece of logging software. Microsoft supplies all of these things neatly packaged together, and if you don't want to bother with the details, then it's a decent choice. But don't confuse the two, because LDAP only provides a subset of the services that AD does. Complaining that LDAP does a "shit job" at authentication and accounting is like complaining that your tires do a "shit job" of steering. Well, duh.

This is where I disagree with you. LDAP does a wonderful job of authentication. I know that it's not actually doing the authentication. When I was talking about LDAP, I pretty much meant an LDAP backend to a password system. What it doesn't do, and what I was replying to, was that, and I'll clarify so as to not confuse you again, an LDAP-backend-based password system does not provide the authorization portion of the three A's that are outlined and commonly required of any password system, without Kerberos as well. Yes, that goes for AD, but it's built in, so I'm discounting that. Most LDAP-based auth systems that I have used, including AD, have very cryptic log messages. If I want to audit logging, it is a chore. In Windows, you have to search for 670-something messages in the security log, then compare them to a chart to get anything meaningful. I have a copy of the chart right from MS's TechNet. It's there; why is it not in the details? For Linux-based machines, grepping logfiles will get you results, maybe. If not, you're using the command line tools to see if you have valid tickets, etc.

The point I was making is that the OP was saying to throw out your Active Directory and authenticate all of your computers against LDAP, and I was pointing out that AD provided a lot more than just LDAP, that you have to configure more software to come close to the functionality of an LDAP backend to an authentication system, and even after that, you don't get the centralized management of group policy.

But thanks for the lesson on computers and auto mechanics. I'll treasure it.
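Trigun's audit complaint, taken from the Linux side, as an added example that is not part of this thread and not any poster's or project's code: the messages pam_winbind and pam_krb5 write to the auth log are terse, but a per-user count of denied logins can be pulled out of them with nothing more than awk. The sample log lines are constructed in the shape those two modules emit; the hosts, users and addresses in them are invented.

```sh
#!/bin/sh
# Added example, not from the thread: reduce the terse pam_winbind/pam_krb5
# messages on an AD-joined Linux host to a per-user count of denied logins.
# The log lines below are constructed in the shape those modules emit;
# hosts, users and addresses are invented. Needs only sh, awk and sort.
set -eu

# Constructed sample of /var/log/auth.log (or /var/log/secure). Note that
# one failed pam_winbind attempt produces two lines, and that the reason
# text cannot tell a wrong password from a failed group-membership check.
sample_auth_log() {
    cat <<'EOF'
Aug  9 10:01:02 host1 sshd[2001]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Aug  9 10:01:02 host1 sshd[2001]: pam_winbind(sshd:auth): user 'alice' denied access (incorrect password or invalid membership)
Aug  9 10:01:09 host1 sshd[2003]: pam_winbind(sshd:auth): user 'alice' denied access (incorrect password or invalid membership)
Aug  9 10:01:15 host1 sshd[2005]: pam_krb5(sshd:auth): authentication failure; logname=alice uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5
Aug  9 10:01:21 host1 sshd[2007]: pam_winbind(sshd:auth): user 'alice' granted access
Aug  9 10:02:40 host1 sshd[2010]: pam_winbind(sshd:auth): user 'bob' denied access (incorrect password or invalid membership)
Aug  9 10:03:01 host1 sshd[2012]: pam_krb5(sshd:auth): user carol authenticated as carol@EXAMPLE.COM
EOF
}

# stdin: syslog lines. stdout: "<denials> <user>", most denials first.
# Only the "denied access" line of a pam_winbind failure is counted, so one
# attempt is not counted twice; pam_krb5 failures carry the user in logname=.
failed_logins_by_user() {
    awk -v q="'" '
        /pam_winbind\([^)]*:auth\): user / && /denied access/ {
            if (match($0, "user " q "[^" q "]+" q))
                n[substr($0, RSTART + 6, RLENGTH - 7)]++
        }
        /pam_krb5\([^)]*:auth\): authentication failure;/ {
            for (i = 1; i <= NF; i++)
                if (index($i, "logname=") == 1) n[substr($i, 9)]++
        }
        END { for (u in n) print n[u], u }
    ' | sort -k1,1nr -k2,2
}

# Denials for one user (0 when the user never appears). Reads stdin.
failures_for() {
    failed_logins_by_user |
        awk -v u="$1" '$2 == u { print $1; found = 1 } END { if (!found) print 0 }'
}

# Users at or above a threshold of denials: the ones worth a look, whether it
# is password guessing against a domain account or a stale credential in a
# script that is about to lock the account out.
users_over_threshold() {
    failed_logins_by_user | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# Usage: sh auth-triage.sh 3 < /var/log/auth.log
if [ $# -ge 1 ]; then
    users_over_threshold "$1"
fi
```

Run against the constructed sample, alice shows three denials (two winbind, one krb5), bob one, carol none; the successful logins are deliberately not counted. Feeding a real auth log in on stdin with a threshold of 3 lists the accounts to look at first.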

Re:Linux authentication against....can not connect (1)

g1zmo (315166) | more than 5 years ago | (#24535047)

an LDAP backend to an authentication system

You used that phrase several times so I'm quite sure it's what you meant to say, but it's completely nonsensical. How can you have a Lightweight Directory Access Protocol backend? It's like saying your website has a TCP/IP backend.

Re:Linux authentication against....can not connect (0)

Anonymous Coward | more than 5 years ago | (#24531065)

For authorization, are you looking for functionality beyond pam_succeed_if and sudo tied to LDAP-backed netgroups and sudoers configuration?

Although given your example of Kerberos, I suspect you're using authorization in a different sense than I am.

Re:Linux authentication against....can not connect (1)

Trigun (685027) | more than 5 years ago | (#24531909)

Authentication - Are you who you say you are?
Authorization - Do you have access to this resource?
Accounting - What did you do while you were connected to that resource?

Kerberos is usually tied in with the network file permissions, as well as single sign-on. If you start browsing windows shares in a domain from linux, you will have to supply credentials for each share each time you connect, then access is based off of those credentials. You can sign on using any valid username password combination. Using a windows PC, the credentials are sent for you (not actually, the computer is told to trust you. It's a lot more in depth, and a rather interesting read. Wikipedia it!). Based on that, you are allowed or denied.

That is very simplified, and not wholly accurate for brevity's sake. But I hope that it helps.

Re:Linux authentication against....can not connect (1)

buchanmilne (258619) | more than 5 years ago | (#24536555)

Authentication - Easy to do against LDAP.

Except you should be doing it against Kerberos ...

Authorization - Nope, not there, unless you're going to run Kerberos as well.

Actually, LDAP *should* be used for authorization, and can be quite easily, with or without Kerberos ...

Then you run into compatibility issues and integration nightmares.

Actually, my Heimdal KDCs integrate with my OpenLDAP server quite nicely, storing all their information in the directory server (in the same entries used for LDAP authorization and by samba). Also, my OpenLDAP servers will authenticate me against Kerberos (if I have a ticket). So, full circle integration ...

Plus, you don't get any of the nice features of AD.

The question is whether you need them ...

Group policy is great for managing lots of computers and rolling out settings.

Well, if you have Windows desktops to manage, then you would be using Samba (backed on your directory server) anyway, and you could use Group policy files (but, not GPOs). However, this isn't a deficiency in LDAP (the protocol) or any non-AD directory servers, but rather in Samba (which should be addressed in Samba4 which is in alpha now, but apparently quite usable), which is required to tie in all the non-LDAP or vendor-specific extensions MS has tied into their OS to make AD work for this.

For non-windows desktops, software management doesn't require GPOs really, and there are other systems for taking care of configuration (cfengine, puppet etc.).

Even after using KDE and their Kiosk tool, which can help you lock things down, I haven't found any out there that you can use that makes things easy.

Mandriva has some extensions to KDE to store KDE configuration in LDAP, and a GUI to manage the settings. AFAIK integrating it in upstream KDE is on the roadmap for KDE4 (4.2?).

Plus LDAP can be quite unwieldy. Have you ever built a forest across multiple geographic locations with LDAP?

I don't know what you mean by unwieldy, but I have no problems wielding my LDAP servers for a variety of different uses ...

I don't know what the equivalent is to the AD forest terminology, but yes, I have got geographically dispersed environments with one consistent LDAP directory.

What about multi-master replication?

As far as I know, AD doesn't have true multi-master replication; AFAIK usually one of the DCs for a domain is elected as the master by the other DCs (one for each purpose, so there is e.g. a Schema master as well).

Anyway, Netscape Directory Server (now Sun Directory Server, or Red Hat/Fedora Directory Server) has had multi-master replication for quite a long time.

OpenLDAP 2.4 has true N-way multi-master replication. I am running it (multi-master) on my personal machines (workstation at work, laptop, desktop at home) to allow me to have a working dispersed Samba domain. However, our production LDAP infrastructure is way too important to have any of the risks inherent in any multi-master implementation; we use HA clusters for masters instead.

Re:Linux authentication against....can not connect (0)

Anonymous Coward | more than 5 years ago | (#24531931)

I hate to break it to you, but the windows servers I run get rebooted just as often as the linux ones do: when an update forces it.

2003 R2 and 2008 are just as stable as Linux, in my experience.

Login to AD first (0)

Anonymous Coward | more than 5 years ago | (#24528013)

before you can claim First Post

Sounds like spam to me (1)

zionian117 (1068050) | more than 5 years ago | (#24528037)

Apart from the fact that this news sounds more like spam... oh yeah, I haven't heard of anything remotely sounding like Likewise Enterprise. I do all my authentication using standard Kerberos, pam.d and libnss-ldap. May this be your guide: http://www.linux.com/articles/114087 [linux.com]

Re:Sounds like spam to me (1)

19thNervousBreakdown (768619) | more than 5 years ago | (#24528313)

No kidding, I've been doing this for, oh, three to four years using nothing but pam-krb5 and nss-ldap. Slashvertisement of the worst kind. The "review" is nothing of the sort, just, "hey, want AD integration? Use this!"

Re:Sounds like spam to me (0)

Anonymous Coward | more than 5 years ago | (#24602907)

No kidding, I've been doing this for, oh, three to four years using nothing but pam-krb5 and nss-ldap. Slashvertisement of the worst kind. The "review" is nothing of the sort, just, "hey, want AD integration? Use this!"

So have I and I've never had any issues besides the initial chore of testing and configuring everything properly.

Re:Sounds like spam to me (0)

Anonymous Coward | more than 5 years ago | (#24606771)

yep definitely spam.
Samba+kerberos does the job fine.

Re:Sounds like spam to me (1)

Omega996 (106762) | more than 5 years ago | (#24532667)

Do you have your krb5/pam/nss mashup set up to allow you to do single sign-on against an Active Directory?

I think the big thing that Likewise tries to promote with their product is that it's a one-stop configuration for a variety of UNIX and UNIX-like operating systems.

I know it's possible to set up Linux machines to do SSO against AD with krb5 and pam and everything else, but it's not exactly an easy process. With Likewise, it's a really quick process to join an existing AD.

I've used the Likewise thing - it's all right. Seems to work pretty well, and if it helps me get *nix servers into the BS Windows shop where I work, I'm all for it.

enough with the lame tag! (2, Insightful)

X0563511 (793323) | more than 5 years ago | (#24528053)

Stop with the signed [slashdot.org] tag already!

Re:enough with the lame tag! (2, Funny)

Anonymous Coward | more than 5 years ago | (#24528215)

You can undo it with the 'designed' tag.

Yeah! (1, Funny)

Anonymous Coward | more than 5 years ago | (#24528317)

/signed.

This is a review? (5, Insightful)

QuantumRiff (120817) | more than 5 years ago | (#24528065)

Posting in your blog that you logged in with AD credentials is a review?

What are the downsides? How does it compare to other authentication systems, such as eDirectory or OpenLDAP? How is it any different from just using Samba, or some of the other tools that have been around for years? My Red Hat EL 3 server had the option to authenticate against AD. How is this better? How is it better than using Microsoft's Services For Unix and NIS?

Does the directory information get carried to the new system? (Profiles, groups, mapped drives, printers, etc.) Do you have to designate special groups to allow logging in? There are way more questions that I would like to see answered in a "review".

What capabilities does the Enterprise edition allow that the basic does not, what is the price, how difficult is it to move a currently running system, and all its users and permissions?

A blog post from someone that admits they don't know much about AD in the first part of the review doesn't really count does it?

Re:This is a review? (0)

Anonymous Coward | more than 5 years ago | (#24528295)

What makes this different from Samba's AD support?

Re:This is a review? (1)

faclonX (759436) | more than 5 years ago | (#24528585)

Samba isn't AD support, it uses the old method of logging in that was used with NT4, the name currently escapes my memory.

Re:This is a review? (3, Informative)

atomic-penguin (100835) | more than 5 years ago | (#24528923)

Samba isn't AD support, it uses the old method of logging in that was used with NT4, the name currently escapes my memory.

Samba does work with AD. But there is more than one technology that makes up the whole of AD (LDAP, Kerberos, DCE-RPC/MSRPC).

  1. pam_krb5 can do Kerberos authentication against your AD/Kerb. realm (not part of Samba, but usually part of the system as a whole)
  2. winbindd talks MSRPC for Samba 3. Some, but not all features are available and it can talk Win 2k native RPC (Active Directory). Samba can even resolve usernames over RPC this way, much the same way a domain "member server" works. Try looking at what you can do with the 'net ads' command sometime.
  3. As an alternative to winbindd, you can resolve user information through LDAP. It helps to have Unix schema extensions installed in your AD for certain things. However, Samba can template an account and create a pseudo /etc/passwd entry. Even if that Unix schema is not in place, the account just has to exist in AD.

I believe the NT technology you are referring to may be NTLM or LanManager.
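The pieces atomic-penguin lists (pam_krb5/winbindd for authentication, winbind in nsswitch for account resolution) together with the AD-group restriction an earlier anonymous poster suggested with pam_succeed_if, as an added example that is not part of this thread and not Samba's or Likewise's code. Everything in it is an assumption: the realm EXAMPLE.COM, the NetBIOS domain EXAMPLE, the group linux-admins, the authconfig-style PAM layout, and Samba 3.6+ idmap syntax. The script writes the four files into a directory you name and checks them; it never touches /etc and does not perform the join.

```sh
#!/bin/sh
# Added example (not from the thread, Samba or Likewise): write the config a
# Samba "member server" needs so Linux logins authenticate against AD via
# winbindd and are authorised by AD group membership via pam_succeed_if.
# Constructed values: realm EXAMPLE.COM, NetBIOS domain EXAMPLE, group
# linux-admins. Output goes to a directory you name, never to /etc.
set -eu

# krb5.conf: KDCs come from the DNS SRV records AD publishes. AD rejects
# tickets when clocks differ by more than 5 minutes, so keep NTP on a DC.
gen_krb5_conf() {
    realm=$1
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    clockskew = 300

[domain_realm]
    .$lower = $realm
EOF
}

# smb.conf (Samba 3.6+ syntax): domain member; the rid idmap backend derives
# uids from the SID, so every joined host maps a user to the same uid.
gen_smb_conf() {
    realm=$1; workgroup=$2
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config $workgroup : backend = rid
    idmap config $workgroup : range = 20000-999999
    winbind use default domain = yes
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
EOF
}

# nsswitch.conf: make AD users visible to getent and friends through winbind.
gen_nsswitch() {
    printf 'passwd:  files winbind\ngroup:   files winbind\nshadow:  files\n'
}

# PAM stack in the layout authconfig produces: local users stay on pam_unix,
# domain users go to pam_winbind with Kerberos, and the account phase denies
# any domain user outside the allowed AD group.
gen_pam_stack() {
    group=$1
    cat <<EOF
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 1000 quiet
auth     sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE cached_login
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  required   pam_succeed_if.so user ingroup $group
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
session  required   pam_unix.so
EOF
}

# Write all four files into $1.
write_member_configs() {
    dir=$1; realm=$2; workgroup=$3; group=$4
    mkdir -p "$dir"
    gen_krb5_conf "$realm" > "$dir/krb5.conf"
    gen_smb_conf "$realm" "$workgroup" > "$dir/smb.conf"
    gen_nsswitch > "$dir/nsswitch.conf"
    gen_pam_stack "$group" > "$dir/system-auth"
}

# Check before copying anything into place: each setting the join and the
# group restriction depend on must be present. Returns 1 on the first miss.
check_member_configs() {
    dir=$1
    for pair in 'krb5.conf:dns_lookup_kdc = true' 'smb.conf:security = ads' \
                'nsswitch.conf:^passwd:.*winbind' 'system-auth:user ingroup'; do
        f=${pair%%:*}; pat=${pair#*:}
        grep -q "$pat" "$dir/$f" || { echo "missing '$pat' in $f" >&2; return 1; }
    done
}

# Usage: sh ad-member-config.sh /tmp/ad-member   (then review and copy into
# place; the join itself is: net ads join -U Administrator, verified with
# wbinfo -t and getent passwd <aduser>. Not run here.)
if [ $# -ge 1 ]; then
    write_member_configs "$1" EXAMPLE.COM EXAMPLE linux-admins
    check_member_configs "$1" && echo "configs written to $1"
fi
```

The group check sits in the account phase rather than the auth phase on purpose: a domain user outside linux-admins still authenticates (so the log records a valid password against a disallowed host, not a wrong password), but is refused a session, which is the authorization split Trigun and the anonymous poster were arguing about.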

Re:This is a review? (1)

wmac (1107843) | more than 5 years ago | (#24616067)

A few years ago I tried to do this. However, every few days the time between Samba and Active Directory would go out of sync and everything would stop. Permissions on Samba would not work with some software (e.g. older FAT-based software, because of strange date maintenance...). In the end I gave up and obtained a NAS for the company (which was also based on Samba + a web interface etc.) and even this one had the time sync problem (even though we had set time sync with AD on it). In the end the NAS company was sold to Sun and I was not even able to get updates/support for the device. I guess I have had no luck with Samba.

Re:This is a review? (4, Informative)

Jeremy Allison - Sam (8157) | more than 5 years ago | (#24530099)

You're talking about a Samba PDC. That uses old NT4 technology, not AD. But as a member server we support AD completely. In fact the current Likewise code is based off winbindd (part of Samba).
Jerry Carter, one of our release managers works for Likewise and supports it. It's open source too (at least the low end version is).

Jeremy.

No. It's a Slashvertisement (tm) (0)

Anonymous Coward | more than 5 years ago | (#24528311)

No. It's not a review. It's a Slashvertisement (tm), simply a pro-MS gob of advertising feebly masquerading as a news item.

Samba can be used to replace much of that. Or you can use Kerberos. AD is too broken and on top of it tied to Windows, so you get all the maintenance and security nightmares.

Re:No. It's a Slashvertisement (tm) (0)

Anonymous Coward | more than 5 years ago | (#24528879)

No. It's not a review. It's a Slashvertisement (tm)

Correct. I've been seeing other random occurrences of this software being conveniently mentioned in the comments to blog posts and whatnot (would love to post a link, but I disregarded it at the time).

My guess is that Likewise Software have hired a PR company [paulgraham.com]. And a pretty good one at that.

Posted as AC, because some wanker will no doubt try to censor this by modding it down.

Re:No. It's a Slashvertisement (tm) (1)

Bandman (86149) | more than 5 years ago | (#24551085)

While I don't know if they've hired a PR company, I can assure you that my blog entry isn't astroturf. I'm just a guy who finally found a completely painless way to get this done, and I've been trying for a long time. No astroturf here, I promise. In fact I'd never even heard of the software till I saw a submission on reddit the other day. It just worked so damned flawlessly and immediately that I thought I should tell other people about it.

Re:This is a review? (1, Informative)

Anonymous Coward | more than 5 years ago | (#24528333)

The general knowledge level about Linux/Windows inter-operability is very low. Try most of the "solutions" you find with Google: Pure SMB, no kerberos, no LDAP, and definitely no centralized administration support. His review might have been bad, but in the land of blind the one eyed is the king.

I have yet to see one single solution that a) wouldn't fall back into legacy versions of protocols etc., and b) would actually offer most if not all of AD's goodies for Linux administration. Considering those two things, what was reviewed seems actually quite good.

Re:This is a review? (1)

doomicon (5310) | more than 5 years ago | (#24528647)

"How does it compare to other authentication systems, such as eDirectory, or Open LDAP?"

Speaking of comparisons and OpenLDAP, has a fix been made that will allow Linux workstations authenticating with OpenLDAP to lock their screens, and be able to "unlock" them?

Re:This is a review? (1)

dAzED1 (33635) | more than 5 years ago | (#24528885)

Uh, yeah, I have never had a problem with that. And by "never" I mean that I've been authing Linux systems to AD since...well...many years, can't even remember at the moment. But I haven't had this problem. As the other poster pointed out, you probably just don't know how to set up PAM.

Re:This is a review? (1)

doomicon (5310) | more than 5 years ago | (#24529495)

Well, I was going to provide a link to the bug, however I didn't bookmark it and sifting through the results is daunting.

It's been a few years since I last tried it, will give it a go again :-)

Thanks for the helpful and friendly responses.

Re:This is a review? (1)

doomicon (5310) | more than 5 years ago | (#24529543)

Dazed, btw, I'm not against AD. Specifically: Linux workstations authenticating against OpenLDAP on a Linux server.

I'm giving it a go again as we speak. Already have slapd set up, so just editing nsswitch and the pam confs.

thx again :-)

Re:This is a review? (1)

dAzED1 (33635) | more than 5 years ago | (#24574305)

There are a couple of tricks to doing a complete openldap=>AD setup, and despite the years, it hasn't been documented well enough. That being said, drop a post if you still have the problem and I'll tell ya what is causing it.

Re:This is a review? (1)

dAzED1 (33635) | more than 5 years ago | (#24574571)

Oops, yeah, forget I said ldap=>AD ;) It doesn't matter what is providing the tree, as it's not a tree problem, it's a pam problem. That, and you're not using AD ;)

Re:This is a review? (2, Informative)

Z00L00K (682162) | more than 5 years ago | (#24528849)

I have fiddled around with Windows/Linux integration for central authentication and found that the only alternative TODAY that works acceptably is to use the "Windows Services for Unix [microsoft.com]" (SFU) add-on for Windows Server. And you can download that from Microsoft.

It is possible to set up Linux as a LDAP server and with Samba as a domain controller for Windows, but currently it's tricky. I haven't done any digging in Samba4 yet, so all my experience is from Samba 3.

To me it seems like there is a lot of work to be done yet. But the most important thing is in reality that the administration of accounts for both environments has to be both easy and central for an IT organization to be adopted.

For a pure *NIX environment there are no big issues setting up an LDAP server using OpenLDAP and then letting the *NIX boxes authenticate against that. At least it is a lot easier to get that to work than to get a working environment using NIS+.

I wouldn't claim that SFU is the best solution or without flaws, but at least it contains an acceptable level of functionality.

As for LDAP servers, OpenLDAP is one that is relatively well-known. I have been fiddling around with the 2.4 branch for the issues of symmetrical replication. The disadvantage of OpenLDAP is that it's quirky to work with, but that's another story.

Re:This is a review? (1)

styrotech (136124) | more than 5 years ago | (#24532087)

I have fiddled around with Windows/Linux integration for central authentication and found that the only alternative TODAY that works acceptably is to use the "Windows Services for Unix [microsoft.com]" (SFU) add-on for Windows Server. And you can download that from Microsoft.

Just an update - SFU is now built into Windows 2003 R2 and Windows 2008. And the AD schema extensions now use the standard RFC2307 attributes rather than the SFU specific ones.

ever hear of kerberos? (0)

Anonymous Coward | more than 5 years ago | (#24528187)

Why don't you install the pam_krb5 rpm and not submit another lame article to Slashdot?

but... (4, Informative)

jrothwell97 (968062) | more than 5 years ago | (#24528201)

Linux, *nix and OS X can already authenticate against AD, with a little effort. OS X does it out of the box.

Re:but... (1)

canuck57 (662392) | more than 5 years ago | (#24533505)

But why authenticate to fragile poorly managed MS-ADCs?

Why not set up a robust LDAP network on native Linux/UNIX and call it a day? Have 6 continuous years of service up-time on my service. Average downtime per node is a few minutes per year, 9/10 fully planned. Maintenance: I do this part time. Highly automated and linked to HR, including bi-directional password sync.

In fact, it feeds AD. Created in LDAP first, an admin enables AD including email if needed. All data is 100% in sync.

Aim small, get small. 18000 or so users in all.

They tried AD once....LOL.

Unnecessary... (0)

Anonymous Coward | more than 5 years ago | (#24528309)

I authenticate my Debian, Ubuntu, and Mac OS X systems to a Windows 2003 AD using standard LDAP and Kerberos with no problems. I use the same AD username/password and UID/GID across all systems - all maintained in AD (using the free MS SFU).

It was a little tricky to set up (I'm not a system administrator by trade), but there are plenty of instructions on the Internet to walk a Linux-handy person through the process.

Mac OS X Leopard is just drop-dead easy to integrate; it has built-in mechanisms to do so.

http://ubuntuforums.org/showpost.php?p=1189857&postcount=8 [ubuntuforums.org]
https://help.ubuntu.com/community/ActiveDirectoryHowto [ubuntu.com]

I hope the editors got paid... (2, Insightful)

dave562 (969951) | more than 5 years ago | (#24528487)

...for passing through THE most obvious and poorly written advertisements I've ever read here. The summary reads like a template straight out of a Marketing 101 textbook.

Re:I hope the editors got paid... (1)

Bandman (86149) | more than 5 years ago | (#24551115)

I'm sure it sounded like that, but as someone who has fiddled with trying to get Linux to integrate nicely with Windows (which I know _nothing_ about), I was blown away by how this software worked, and I thought that other people might be able to use it like I did.

I guess it still qualifies as a slashvertisement, but it wasn't paid for, that's for sure. It just helped me do what I needed, and was painless. I wanted to share it with other people who might be able to use it.

/submitter

There's an easier way... (0)

Anonymous Coward | more than 5 years ago | (#24528495)

Why pay for something when you have all the tools (and 5 seconds on google) already?
http://www.linux.com/articles/40983 "Linux.com: Unite your Linux and Active Directory Authentication"

AD is not much more than an MS LDAP. Windows Services for Unix handled this nicely too.

It's not that hard (1)

lgbr (700550) | more than 5 years ago | (#24528593)

If you're just looking to authenticate, it's actually really easy using just kerberos.

/etc/krb5.conf looks like this:

[libdefaults]
    default_realm = MYADSERVER

[realms]
    MYADSERVER = {
        kdc = adserver.mydomain.com
        admin_server = adserver.mydomain.com
    }

[domain_realm]
    .kerberos.server = MYADSERVER

Change /etc/nsswitch.conf to have these lines in it:

passwd: files nis
shadow: files nis
group: files nis

Add the following to /etc/pam.d/system-auth:

auth sufficient pam_krb5.so use_first_pass

Bind:

kinit jsmith\$admin@AD.WSU.EDU

And you're done. All this does is provide authentication. Users still have to be created and home directories still have to be made. The rest can be set up using LDAP, which is quite horrendous IMHO. If you are going to use LDAP, please keep Kerberos for authentication, as LDAP has serious security issues when authing against AD.
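The krb5.conf in the comment above is the part of this procedure that is easiest to get subtly wrong: the [domain_realm] rule has to cover the KDC's DNS domain, and an AD realm name is the AD DNS domain in upper case, or tickets from the domain controller will not match. The following is an added example (not the commenter's code, not Likewise's) that parses that configuration, reproduced here as a constructed string, and reports those two problems; a second constructed variant shows the shape that passes. The section names and keys are standard krb5.conf; the hostnames are the ones the comment uses.

```python
import re

# Constructed sample: the krb5.conf from the comment above, as a string so the
# checks run offline. Hostnames are the comment's own.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYADSERVER

[realms]
    MYADSERVER = {
        kdc = adserver.mydomain.com
        admin_server = adserver.mydomain.com
    }

[domain_realm]
    .kerberos.server = MYADSERVER
"""

# Constructed variant with a DNS-style realm name and a [domain_realm] rule
# that actually covers the KDC's domain (assumed domain: mydomain.com).
FIXED_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.COM

[realms]
    MYDOMAIN.COM = {
        kdc = adserver.mydomain.com
        admin_server = adserver.mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
"""

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above into {section: {key: value}}.
    A 'NAME = {' block inside a section becomes a nested dict under NAME."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"entry before any [section]: {line!r}")
        if line.endswith("{"):                    # start of a realm block
            name = line[:-1].rstrip().rstrip("=").strip()
            block = section.setdefault(name, {})
            continue
        if line == "}":                           # end of a realm block
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        (block if block is not None else section)[key.strip()] = value.strip()
    return sections


def domain_realm_covers(rules, host):
    """True if some [domain_realm] rule maps `host` (lower-case FQDN).
    '.example.com' matches hosts under that domain; 'example.com' matches that
    exact name. This is the libkrb5 matching convention."""
    for pattern in rules:
        pattern = pattern.lower()
        if pattern.startswith(".") and host.endswith(pattern):
            return True
        if pattern == host:
            return True
    return False


def check_krb5_conf(conf):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    rules = conf.get("domain_realm", {})
    if not default_realm:
        problems.append("no default_realm in [libdefaults]")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for name, settings in realms.items():
        # For AD the realm is the domain's DNS name in upper case; anything
        # else will not match the realm in tickets the DC issues.
        if name != name.upper() or "." not in name:
            problems.append(f"realm {name} is not an upper-cased DNS domain name")
        kdc = settings.get("kdc", "").lower() if isinstance(settings, dict) else ""
        if not kdc:
            problems.append(f"realm {name} lists no kdc")
            continue
        if not domain_realm_covers(rules, kdc):
            problems.append(f"no [domain_realm] rule maps {kdc} to {name}")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(label + ":", check_krb5_conf(parse_krb5_conf(text)) or "OK")
```

Run it against a real /etc/krb5.conf by reading the file into `parse_krb5_conf`; the parser handles only the sections and realm blocks shown, so an `include`/`includedir` line or a `[capaths]` block would need extending it.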

Re:It's not that hard (1)

dino2gnt (1072530) | more than 5 years ago | (#24529209)

Authentication is the easy part. We're in the middle of a Likewise integration right now, and the system management is what sold us on it. Having the ability to apply group policy objects to Linux/UNIX machines, enforce login restrictions, password management, and maintain compliance across both Windows and Linux is very nice, especially in a large environment. Being able to do it all from one MMC is gravy.

Re:It's not that hard (1)

Bandman (86149) | more than 5 years ago | (#24551121)

If I'd seen your instructions a week ago, I might not have submitted this article, since I probably wouldn't have needed the software, but honestly, if I had a choice between making those system changes and installing the open version of the software, the software is literally painless and instant. I'm really glad I found it.

Likewise software. (4, Informative)

atomic-penguin (100835) | more than 5 years ago | (#24528653)

My $boss looked at this likewise software a while back, he didn't buy into it. He started listing off the features, and what all you could do with it. After he was done, I politely said, "Yeah we are doing all of that with our stock RHEL+Samba 3 systems, just fine. There's really no need to buy Kerberos+LDAP+Samba support from another vendor, that is why we pay Red Hat."

After I looked at their site, the only new value I have seen from this product is the graphical management console. On the other hand, I can use the compmgmt MMC snap-in to manage a properly configured Samba 3 server just fine.

Re:Likewise software. (4, Informative)

Gazzonyx (982402) | more than 5 years ago | (#24530685)

You know Likewise's primary developer is Gerry Carter of the Samba project, as well as the author of O'Reilly's LDAP Administration, right?

It's just like buying Red Hat support; you get the backing of a company that employs the people who are developers for that project. With Red Hat you get a bunch of kernel developers and Andrew Bartlett (another key Samba developer). You can't get better support for your money than support from key developers. Also, it enables the developers to work on open source projects as a day job, too.

Re:Likewise software. (1)

atomic-penguin (100835) | more than 5 years ago | (#24531575)

No, I was not aware of the relation between Samba developers and Likewise Software. But then again, I am having a difficult time finding reference to the Samba project on Likewise' website [likewisesoftware.com].

Just to clarify, I am not against supporting Open Source developers with monetary incentives. I just wanted to point out that 99% of the Likewise solution does, in fact, come from the Samba project. For whatever reason, Likewise is not really advertising the fact that what they are selling is Samba support.

Personally, for our organization, it does not make sense to pay Likewise for a turn-key solution, especially when we are paying Red Hat for support to get Samba, which does the exact same thing.

The conversation with the boss went something like this: "We can already do the exact same thing with Samba. We are already paying Red Hat for Samba support. Though Likewise may not be coming out and saying it directly, it looks to me like Samba is exactly what they are trying to sell you."

Re:Likewise software. (1)

Bandman (86149) | more than 5 years ago | (#24551137)

I agree with you that it's not in your best interest to pay for likewise, since, as you said, you get the same thing from RedHat.

Those of us who use CentOS, Ubuntu, MacOS, etc etc, find the additions useful. I'm trying to drum up support for buying likewise enterprise for my company.

Bogus Review and Sales Pitch (1)

xzvf (924443) | more than 5 years ago | (#24528693)

It has been mentioned that it can be done with a little configuration of pam, ldap clients and kerberos. But for a company without some Linux expertise, I've found Centrify to be an excellent solution at a reasonable cost. But I'm not going to submit a bogus review and sales pitch.

Re:Bogus Review and Sales Pitch (1)

Enry (630) | more than 5 years ago | (#24533267)

Even for experienced Linux admins, Centrify is really nice. We use it to provide authentication for our cluster.

Why would someone pay for this? (1)

kwabbles (259554) | more than 5 years ago | (#24528751)

AD support has been available for linux for years.

Hell - Suse has it built right into Yast now. PAM/Kerberos, LDAP, everything.

Setting it up on a vanilla distro is as easy as installing the kerberos libs, krb5, ntp (to keep time sync'd with the DC's time), samba, and winbind. Make sure you can resolve the DC via DNS, and you're good to go.

$50 per workstation license for this software? Hmmm...

You can't integrate Windows with a non-M$ OS (1)

BhaKi (1316335) | more than 5 years ago | (#24529367)

You can integrate any two OSs with minimal pain provided neither of them is made by M$.

PAM SMB (0)

Anonymous Coward | more than 5 years ago | (#24530173)

I have been using PAM SMB since 2001, and I bet that it was around a lot longer than that.

The user accounts get created by script run from samba when the user logs in and maps his network drives.

This is not new stuff.

kerberos works great (1)

Simon (S2) (600188) | more than 5 years ago | (#24530223)

You can authenticate from a Linux machine to AD using the MIT Kerberos client. There are plenty of HOWTOs about how to configure that. Plus you have SSO for webapps, databases, ssh and about anything you can think of. And on top of that, the identity of the user is propagated to all the machines you Single Sign In with forwardable tickets, and through the tiers of multi-tier applications (Frontend -> Middletier -> Database - every tier knows who the user is). Kerberos is definitely the way to go in an intranet.

The easiest what? (1)

Minwee (522556) | more than 5 years ago | (#24530803)

One would think that "The easiest way to do it" would be to install Winbind [samba.org], LDAP [yolinux.com] or Kerberos [scottlowe.org] and use those to authenticate against AD.

The advantage here is that you're dealing with free software, included and supported by default in most Linux-based operating systems, and in many cases integrated so tightly that you only need to run one command and tick a few check boxes to make it work.

What does this third party solution add to that besides the $250 per seat price tag?

Re:The easiest what? (1)

Lord Bitman (95493) | more than 5 years ago | (#24531111)

The word "supported" actually meaning something?

Re:The easiest what? (1)

Minwee (522556) | more than 5 years ago | (#24533651)

Yes, but "We give you a telephone number where you can wait on hold before being transferred to a call centre run by the company which bought the company which bought the company which made this product where all of the people you will speak to only know how to support our new competing product which we would really rather you buy instead of continuing to use what you already have and if you don't like it you can go screw yourself" isn't always what I want "supported" to mean.

I prefer that "supported" mean that new versions and security updates are produced in a timely manner and tested with each new release of the operating system. I'm funny that way.

nss ldap client (1)

gblfxt (931709) | more than 5 years ago | (#24530993)

I found the best method is to install kerberos, nss ldap client on linux, then install R2 AD extensions on Windows 2003.

The reason I don't like the Likewise solution is that it assigns a random UID, vs. being able to move from station to station with the same one.

If you REALLY want to waste money... (1)

Mr. Firewall (578517) | more than 5 years ago | (#24532153)

Heh. Here at my work, we're using something called Vintela. Interesting that it hasn't been mentioned at all here.

I asked, "why are we spending all this money on Vintela when I can set up AD integration with Linux' native tools?" and the answer was "because we've already paid for Vintela."

Since the Big Boss is an avid golfer, I'd be willing to make a small bet that the Vintela salesman is too....

It isn't a "bad" product -- at least it actually works. But their advertising really offends me (in which M$ Kerberos is referred to as "a standard", for instance).

linbox/mandriva MDS (1)

higuita (129722) | more than 5 years ago | (#24533207)

Linbox had several packages to add to a Debian system to turn it into an easy-to-manage LDAP/AD system... they were acquired by Mandriva, but IIRC, you can still install it on OSes other than Mandriva.

http://mds.mandriva.org/ [mandriva.org]

Take a look at it. It can't replace all of AD, but if you don't need group policies and only want a central point to authenticate Windows and Mac/Linux systems, check it out.

SADMS is another good alternative (1)

calmond (1284812) | more than 5 years ago | (#24533869)

The SADMS [sourceforge.net] utility is a good alternative that uses WINBIND and makes it point and click easy. Winbind doesn't scale well due to a lack of centralized posix-SSID mapping, but it is quick and easy for just a couple of servers or laptops.

Security... (1)

Bert64 (520050) | more than 5 years ago | (#24535825)

What i always find, when doing a security test against an AD network...

If you root the DC, the network is completely owned...
If you root a workstation you can usually get access to the DC from it, hijack a logged-in user, crack cached passwords or keylog as someone logs in (and then break something so an admin has to log in).
If you get the password hashes, they will usually be Lanman and NTLM... Lanman is laughably weak and trivially cracked; NTLM is better but still much weaker than the encryption used on today's unix systems.

There is also the shear number of services AD requires you to open up through firewalls, a number of incredibly complex services need to be opened up, including ports that provide access to multiple complex services. Unlike the unix philosophy where one service port has a defined function so it's possible to keep a strict eye on what's happening...

I would much rather use a unix system for centralised authentication, and make sure that access to the authentication server itself is not controlled by the centralised auth (i.e. you can't own a workstation and sniff your way into the master server).

I would also run it on a different OS to the rest of the systems.

Remember a server that controls authentication to every other device on your network has to be the most important device, and should be very closely guarded.

And as someone else just said:
"You can integrate any two OSs with minimal pain provided neither of them is made by M$."
Very true, everyone else follows the same published standards, MS make their own. So you end up having to reverse engineer and implement something just for MS, and follow a set of published standards to support everything else. If MS weren't so big they would be laughed out of business for not following the same standards everyone else does.
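The point above about Lanman hashes has a concrete check on the defensive side: once the "Do not store LAN Manager hash" policy is enabled, an account's LM field is replaced by the LM hash of the empty string, but only at the account's next password change, so a hardening review of the domain's own password-hash export (pwdump-style `user:rid:lm:nt:::` lines) shows which accounts still carry a real LM hash. The following is an added example, not the commenter's code, that performs that audit and also flags accounts whose NT field is the empty-string hash (a blank password). The export is constructed for the example; the hash values other than the two well-known empty-string constants are made-up hex, not real credentials.

```python
import re

# LM and NT hashes of the empty string. An LM field equal to EMPTY_LM means no
# LM hash is stored for that account; an NT field equal to EMPTY_NT means the
# account's password is blank.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample export in pwdump format (user:rid:lmhash:nthash:::).
# Everything except the two empty-string constants is invented hex.
SAMPLE_EXPORT = """\
# constructed sample, not a real domain
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f3c1e7a9b2d4c6e8a1b3d5f7e9c0a2b:::
legacyapp:1104:7c2d0e1f3a4b5c6d8e9f0a1b2c3d4e5f:5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b:::
kiosk:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1106:aad3b435b51404eeaad3b435b51404ee:9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d:::
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) for one pwdump-style line, or None for
    blank/comment lines. Raises ValueError on a malformed record so a
    truncated export is noticed rather than silently under-reported."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed record: {line!r}")
    user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
    if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError(f"malformed hash fields: {line!r}")
    return user, int(rid), lm, nt


def audit_export(text):
    """Audit a pwdump-style export. Returns a dict with the accounts that
    still store an LM hash, the accounts with a blank password, and the
    number of records examined."""
    lm_present, blank_password, total = [], [], 0
    for raw in text.splitlines():
        rec = parse_pwdump_line(raw)
        if rec is None:
            continue
        user, _rid, lm, nt = rec
        total += 1
        if lm != EMPTY_LM_HASH:      # real LM hash still stored
            lm_present.append(user)
        if nt == EMPTY_NT_HASH:      # NT hash of "" => blank password
            blank_password.append(user)
    return {"lm_present": lm_present, "blank_password": blank_password, "total": total}


if __name__ == "__main__":
    result = audit_export(SAMPLE_EXPORT)
    print(f"{result['total']} accounts examined")
    print("still storing an LM hash (need a password change after NoLMHash):",
          result["lm_present"])
    print("blank password:", result["blank_password"])
```

Accounts listed under `lm_present` keep their old LM hash until the password is changed, so enabling the policy alone does not fix them; the usual follow-up is forcing a password change for that list and, where the domain functional level allows, turning off LM-only authentication with the LmCompatibilityLevel setting the comment's NTLM point also bears on.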

Re:Security... (0)

Anonymous Coward | more than 5 years ago | (#24544713)

>There is also the shear number of services AD

The word you were looking for is "sheer".

HTH. HAND
