Authenticate Linux/Unix to Active Directory

  • Article

If you need guidance on a Microsoft technology, we probably have a Solution Accelerator for that!  Today's guide is brought to you by the letter "authentication".

Now... If you operate in a heterogeneous environment, you may one day be tasked with making your Linux boxes talk to Active Directory.  The Windows Security and Directory Services for UNIX Guide has everything you need to do so, walking you through the steps to reach one of 5 "end states".

End State 1. UNIX clients use Active Directory Kerberos for authentication but continue to use a UNIX-based store for authorization.

End State 2. UNIX clients use Active Directory Kerberos for authentication and use Active Directory Lightweight Directory Access Protocol (LDAP) for authorization.

End State 3. UNIX clients use Active Directory LDAP for authentication but continue to use a UNIX-based store for authorization.

End State 4. UNIX clients use Active Directory LDAP for both authentication and authorization.

End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory–based Kerberos in UNIX and Windows infrastructures that remain separate. Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

Figure 1.1. Active Directory's central role in supporting a network infrastructure

From the guide:

Many organizations today include computers running both UNIX and Microsoft® Windows® operating systems in their network environments. Ensuring the security of information located on either type of network infrastructure requires validating every user's identity and specifying which network data each user can access.

Currently, most organizations with heterogeneous environments maintain separate systems for Windows and UNIX to authenticate a user's identity when the user logs on to the network (or authenticates to an application server) and to determine which network resources an authenticated user is authorized to access. Maintaining these separate systems incurs administrative overhead and requires users to log on separately to each system or service that they want to access.

The goal of this guide is to demonstrate that it is both feasible and advantageous to integrate Windows and UNIX more closely than the basic interoperation at the network level that is enabled by the fact that both are TCP/IP-based operating systems. Specifically, this guide describes how to integrate Windows and UNIX at the level of authentication (determining the identity of a user before allowing the user to log on) and, optionally, authorization (determining whether an authenticated user is authorized to access a given resource on the network).

This chapter provides a brief introduction to the following topics:

•The central role of the Active Directory® directory service in identity and access management.

•Overview of authentication and authorization.

•End states for integrating Windows and UNIX.

Get the rest here: https://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/usecdirw/02wsdsu.mspx