Linux authentication against Active Directory
August 7, 2008
If you’ve been reading the blog for a while, you might remember me saying that I have been (and perpetually am) fighting with centralized authentication. Well, I’m here to update you.
I have found the answer, at least for authentication against Active Directory. Salvation, thy name is Likewise Software.
Likewise produces two pieces of software. The first is Likewise Open, a free piece of software that authenticates your Linux/Mac/AIX/etc. machine against Active Directory. It does this by changing the default configuration of things like PAM and Samba so that the machine is joined to the domain and domain accounts resolve on it. The end result is that you can log into your Linux machine with Windows Active Directory credentials. It's very neat, it's free, and it's incredibly easy to install AND uninstall. Best of all, it really integrates with Active Directory in, as far as I can tell given what little I know of AD, the Right Way(tm). I submit for your approval:
You can see there that all of the machines I've installed this on show up in Active Directory. When I log into one of them, I can use domain credentials, and it knows about my primary group (as set in AD Users and Computers):
bandman@newcastle[504]:~$ ssh int\\msimmons@a-fs1
Password:
Last login: Thu Aug 7 10:18:02 2008 from 10.1.1.24
[INT\msimmons@a-fs1 ~]$ ls -al
total 36
drwxr-xr-x 3 INT\msimmons INT\enterprise^admins 4096 Aug 7 10:18 .
drwxr-xr-x 3 root root 4096 Aug 5 21:17 ..
-rw------- 1 INT\msimmons INT\enterprise^admins 124 Aug 7 10:18 .bash_history
-rw-r--r-- 1 INT\msimmons INT\enterprise^admins 33 Aug 5 21:17 .bash_logout
-rw-r--r-- 1 INT\msimmons INT\enterprise^admins 176 Aug 5 21:17 .bash_profile
-rw-r--r-- 1 INT\msimmons INT\enterprise^admins 124 Aug 5 21:17 .bashrc
-rw-r--r-- 1 INT\msimmons INT\enterprise^admins 32 Aug 5 21:17 .k5login
drwxr-xr-x 4 INT\msimmons INT\enterprise^admins 4096 Aug 5 21:17 .mozilla
-rw------- 1 INT\msimmons INT\enterprise^admins 58 Aug 7 10:18 .Xauthority
Let me tell you, I’m impressed.
Now, this is just Likewise Open, the free version. It only modifies configuration on the Unix-based machines. Also available is Likewise Enterprise, which provides the same service but goes beyond Likewise Open in that it also makes changes on the AD side. As far as I know, those changes are benign, in that they break nothing related to any other Windows service. I haven't yet worked my way through the nearly 500 pages of documentation that I had printed and bound at Kinko's the other day.
I’m sure this post sounded like a commercial, but it’s not. I haven’t been paid (or even contacted, other than the initial autogen email) by Likewise software, I’m just a grateful user who is happy to share knowledge of a tool that works. Finally.
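What Likewise Open automates is the same Samba/winbind/PAM setup that the Samba wiki (linked in the comments) describes doing by hand. The script below is an added example, not the post's own code and not anything shipped by Likewise or Samba: it renders the smb.conf, nsswitch.conf and PAM fragments an admin would apply to a member server, shows the weak PAM line (any enabled domain account can log in) beside one restricted to an AD group, and runs the join and verification commands only when invoked with --join. The domain INT and the user INT\msimmons are taken from the post; the realm INT.EXAMPLE.COM, the group INT\linux-admins, the idmap ranges and the admin account are assumptions for illustration. The winbind offline logon / cached_login settings are what give the credential caching asked about in a comment below.

```shell
#!/bin/bash
# Added example: manual Samba/winbind equivalent of what Likewise Open configures.
# Assumed values: realm INT.EXAMPLE.COM, group INT\linux-admins, idmap ranges.
set -u

# smb.conf [global] section for an AD member server (modern idmap syntax).
render_smb_conf() {
    local workgroup="$1" realm="$2"
    cat <<EOF
[global]
   workgroup = ${workgroup}
   realm = ${realm}
   security = ads
   # Keep DOMAIN\\user names, matching the INT\\msimmons form seen in the post.
   winbind use default domain = no
   # Deterministic SID -> uid/gid mapping so ids agree across every joined host.
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config ${workgroup} : backend = rid
   idmap config ${workgroup} : range = 100000-999999
   # Cache credentials so users can still log in when no DC is reachable.
   winbind offline logon = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
EOF
}

# nsswitch.conf lines that make AD users and groups visible to getent, ls, id.
render_nsswitch() {
    cat <<'EOF'
passwd: files winbind
group:  files winbind
EOF
}

# Weak form: every enabled AD account may authenticate to this host.
render_pam_weak() {
    printf '%s\n' 'auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login'
}

# Hardened form: only members of one AD group get through auth and account,
# and new home directories are created mode 0700 rather than the 0755 in the post.
render_pam_hardened() {
    local group="$1"
    cat <<EOF
auth     sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login require_membership_of=${group}
account  sufficient pam_winbind.so require_membership_of=${group}
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

# Live join and verification; only runs on a real host with --join.
join_and_verify() {
    local realm="$1" admin="$2" user="$3"
    kinit "${admin}@${realm}"      # prove the admin credential works against the KDC
    net ads join -U "${admin}"     # create the computer object, write the keytab
    net ads testjoin               # confirm the machine account is valid
    wbinfo -t                      # confirm the trust secret with the DC
    getent passwd "${user}"        # the user must resolve through NSS ...
    id "${user}"                   # ... with domain groups attached
}

case "${1:-}" in
    --join) join_and_verify "$2" "$3" "$4" ;;
    *) render_smb_conf INT INT.EXAMPLE.COM
       render_nsswitch
       render_pam_weak
       render_pam_hardened 'INT\linux-admins' ;;
esac
```

Run it with no arguments to print the fragments for review, and with `--join INT.EXAMPLE.COM Administrator 'INT\msimmons'` on the host once the fragments are in place. The require_membership_of line is the check that matters: without it, a domain join turns every AD account into a local login.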
August 7th, 2008 at 12:03 pm
Have you looked at Samba and Winbind in your travels?
We’ve been using it with success for a few years.
August 7th, 2008 at 12:21 pm
Dan,
No, I’ve not. Do you happen to have a sample configuration laying around? I’d be interested in seeing how it works.
August 8th, 2008 at 6:42 am
Umm, this is really easy with Samba and winbind – no need for any other product.
See http://wiki.samba.org/index.php/Samba_&_Active_Directory
August 8th, 2008 at 9:01 am
Like so many other things, it’s really easy once you know how to do it. Until then, it’s difficult.
Thanks for the link. It looks like, among other things, Likewise Open does a version of what that wiki is talking about.
August 8th, 2008 at 1:50 pm
Thanks,
I’ve done this the hard way enough times, I’m ready to have it happen automatically!
Added to the toolkit.
Dale
August 8th, 2008 at 2:43 pm
we are in the middle of a largish implementation, and I can say first hand the likewise stuff is good, and they have some sharp guys hiding in the back room somewhere making this work. They even handled our very *ahem* unique network design well.
the 4.x client uses bits of winbind, and works as well as winbind. The biggest pluses for us are:
1- no meta directory.
2- addresses our multiple nis domains across the globe, with mismatched accounts across them.
3- single account!
I’ll keep anyone who is interested posted as we get further into our deployment, but so far, pretty darn good stuff.
-
August 8th, 2008 at 2:46 pm
To anonymous—
for single machines it is easy. when you have to match uids/gids across thousands of workstations and nodes, you need a proper directory service.
if you don’t have Windows, there is OpenLDAP, and plenty of open source tools to help you manage it.
In the real world we have silos and mixed environments we have to make play nice with each other.
August 8th, 2008 at 3:04 pm
Luis,
I would be really interested in learning more about the whole process.
Instead of integrating the linux machines into a pre-existing directory, I’m building a directory and then including a dozen-ish linux servers to access it. The cart before the horse, in many people’s opinion.
If you don’t want to put the information on the forum, you can get me at standalone.sysadmin@gmail.com
Thanks, and thanks a lot for the comments!
August 8th, 2008 at 3:38 pm
hi Matt-
I would be happy to work with you on the side and share our experiences. After sanitation of data, you can share it with the blog-o-sphere.
-luis
August 8th, 2008 at 4:43 pm
Here’s a little trick.
Add your Active Directory user to about 30 or so groups. Then try to log in to a Linux machine using Likewise Open (which is based on Samba).
Because of a bug (for which a patch was published in April), winbindd will start going into an endless cycle of start/die, making the machine useless.
The response to this critical bug (which made it impossible to use at our site) has been less than stellar, with a fix still not published as of a week ago.
This was a problem because it was something that only showed up in production, not in the small test installations we did. Something to check before widespread adoption…
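Two things on this page are worth turning into a check before rolling a join out widely: the login in the post (an AD user resolving as INT\msimmons with a primary group shown as INT\enterprise^admins) and the comment above about users in many groups. The script below is an added example, not the post's or Likewise's code. It is written for a Likewise-joined host: the post's ls output shows the AD group Enterprise Admins as INT\enterprise^admins, so the example treats ^ as Likewise's stand-in for a space (an inference from that output, not documented on this page). The live checks go through NSS and id, so they work the same on a winbind host. The 30-group threshold repeats the commenter's figure, and INT\linux-admins is an assumed allow-list group.

```shell
#!/bin/bash
# Added example: post-join checks for a Likewise/winbind AD member host.
# Assumptions: '^' in names means a space; 30 groups is the warning threshold.
set -u

# 'INT\msimmons' -> 'INT msimmons' (domain, then account name)
split_principal() {
    local name="$1"
    printf '%s %s\n' "${name%%\\*}" "${name#*\\}"
}

# 'INT\enterprise^admins' -> 'INT\enterprise admins'
decode_lw_name() {
    printf '%s\n' "$1" | tr '^' ' '
}

# Count whitespace-separated group names, i.e. one line of `id -Gn` output.
count_groups() {
    set -f            # no pathname expansion while splitting
    set -- $1
    printf '%s\n' "$#"
}

# 0 if the group count is at or below the threshold, 1 otherwise.
group_count_ok() {
    [ "$1" -le "$2" ]
}

# 0 if any of the user's groups appears in the allow list, 1 otherwise.
login_allowed() {
    local groups="$1" allowed="$2" g a
    set -f
    for g in $groups; do
        for a in $allowed; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# Live checks; run as: ./check.sh 'INT\msimmons' 'INT\linux-admins INT\unix-ops'
check_host_user() {
    local user="$1" allowed="$2" pw grouplist n
    if ! pw=$(getent passwd "$user"); then
        printf 'FAIL: %s does not resolve through NSS (join or nsswitch problem)\n' "$user"
        return 1
    fi
    printf 'OK: %s\n' "$pw"
    grouplist=$(id -Gn "$user") || return 1
    n=$(count_groups "$grouplist")
    if ! group_count_ok "$n" 30; then
        printf 'WARN: %s is in %s groups; a commenter reported winbindd instability near 30\n' "$user" "$n"
    fi
    if login_allowed "$grouplist" "$allowed"; then
        printf 'OK: %s is in an allowed group\n' "$user"
    else
        printf 'FAIL: %s is in none of: %s\n' "$user" "$allowed"
        return 1
    fi
}

if [ $# -ge 2 ]; then
    check_host_user "$1" "$2"
fi
```

Run it for a test account that mirrors a real user's group memberships rather than a fresh one; the commenter's point is that the failure only appeared with production-sized group lists.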
August 8th, 2008 at 6:48 pm
Wow, interesting stuff. We are a research laboratory, and we started writing our own directory management software some years before Active Directory was announced.
Our (GPL’ed) software is called Ganymede, and can be found at http://www.arlut.utexas.edu/gash2/. Ganymede solves the problem of intelligent management of the data at the head-end, but doesn’t do much for getting the data out to the clients.. we depend on Active Directory, NIS, DNS, MySQL, Radius, etc., to do that.
In our environment, we don’t need Active Directory for anything but the Windows clients.. all of our non-Windows authentication is currently done by non-AD means, our DNS is done using BIND, etc., but Likewise’s stuff looks like it could really tie the room together.
Nice especially to see that the Likewise guys are working with the Samba and OpenLDAP folks to get some of their interoperability stuff contributed.
August 9th, 2008 at 4:56 am
I do this on Ubuntu with a set of directions that I standardized on and wrote up for my company.
We don’t have any non-Windows desktops, all my Linux is for servers which are always online and hardwired to the network. If the Likewise product allows caching AD credentials, then it’s got my standard procedures beat.
August 18th, 2008 at 6:49 am
Interesting post,
Thanks for sharing this useful information; I was looking for the same.
SoftwareDirectory
April 1st, 2009 at 3:27 pm
Luis.. we are also researching a Likewise implementation. Can you provide any more feedback on your experience? Thanks!