Linux Windows Integration - PowerPoint PPT Presentation

Linux Windows Integration

Provided by: wikiG
Learn more at: http://wiki.gnhlug.org
Transcript and Presenter's Notes


1
Linux Windows Integration
  • Can't we all just get along?

2
JD Fogg Technology
  • Infrastructure Consulting
  • Security Consulting
  • Network Engineering
  • Project Management Implementation

3
What is Interoperability?
  • Application Sharing
  • Shared Data Resources (ODBC, etc.)
  • Network Services (DNS, etc.)
  • Mail
  • Printing
  • File Sharing
  • Internet Access (ISA issues)
  • Login pass-through / AD integration

4
Application Sharing
  • RDesktop Terminal Services
  • VNC
  • X-Windows
  • Cygwin

5
Network Services
  • MS-DNS works well
  • MS-DHCP is integrated with DNS
  • NTP is native to AD
  • Split DNS is possible, but complicated

6
Mail
  • Exchange supports POP3 and IMAP
  • Outlook / Outlook Express support POP3 and IMAP
  • MBOX conversion possible
  • Integrated calendaring is the driver for Exchange adoption
  • Exchange Public Folders are evil
  • POP3 connectors in Exchange

7
Printing
  • Samba and Printing
  • CUPS

8
Internet Access
  • ISA relies on AD for AAA
  • Outbound Internet access requires systems and users to be known
  • Exceptions can be made for non-AD machines

9
File Sharing
  • Samba the well worn path
  • Browsing AD shares with Samba 3.0
  • Killing CIFS permissions
  • *nix-based NAS issues
  • MS-SUX and NAS tricks

10
MS-SFU 3.5 (beta)
  • Dramatic new capabilities, in W2003R2
  • Identity Management for Unix
  • MSNFS (client, server gateway)
  • Subsystem for Unix Applications (Interix)
  • Full NIS with AD sync
  • Tools (awk, grep, sed, tr, cut, tar, cpio)
  • Permissions translations

11
Active Directory Integration
  • If you can't beat them, join them

12
Understanding Linux Authentication
  • /etc/passwd, /etc/group
  • /etc/shadow
  • PAM

13
passwd and group
  • james:x:500:500:Mr. James User:/home/james:/bin/bash
  • Fields are colon-delimited
  • uname:pword:userid:groupid:name:homedirectory:shell

14
Shadow Passwords
  • World has RO rights to /etc/passwd
  • Password stored using a simple hash
  • Many processes read /etc/passwd
  • Password is replaced in /etc/passwd with a token
  • /etc/shadow holds encrypted password data with Draconian rights
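
Added example (not part of the original slides): a small audit that parses passwd-format text using the field names from slide 13, flags accounts whose pword field still holds a hash or is empty instead of a shadow token, and checks a shadow file mode for world access. The sample entries other than james, the placeholder tokens `*` and `!`, and the function names are assumptions made for illustration.

```python
import stat

# Constructed sample input: the slide's own entry plus accounts that break
# the shadow-password convention. The hash string is a made-up placeholder.
SAMPLE_PASSWD = """\
james:x:500:500:Mr. James User:/home/james:/bin/bash
legacy:$1$CONSTRUCTED$notarealhashvalue:501:501:Old Account:/home/legacy:/bin/sh
guest::502:502:Guest:/home/guest:/bin/bash
broken:x:503
"""

FIELDS = ("uname", "pword", "userid", "groupid", "name", "homedirectory", "shell")
# Assumed tokens meaning "no hash here": x = see /etc/shadow, * and ! = locked.
PLACEHOLDERS = {"x", "*", "!"}

def parse_passwd(text):
    """Split passwd text into dicts; return (entries, malformed line numbers)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            malformed.append(lineno)  # wrong field count: report, do not guess
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries, malformed

def audit_passwd(entries):
    """Report accounts whose pword field is not a shadow token."""
    findings = []
    for e in entries:
        if e["pword"] == "":
            findings.append((e["uname"], "empty password field"))
        elif e["pword"] not in PLACEHOLDERS:
            findings.append((e["uname"], "hash stored in world-readable passwd"))
    return findings

def shadow_mode_ok(mode):
    """True when the mode grants nothing to 'other' and no write to group."""
    return not mode & (stat.S_IRWXO | stat.S_IWGRP)

if __name__ == "__main__":
    entries, malformed = parse_passwd(SAMPLE_PASSWD)
    print(audit_passwd(entries), "malformed lines:", malformed)
    print(shadow_mode_ok(0o640), shadow_mode_ok(0o644))
```

On a live system, pass the file contents and `os.stat("/etc/shadow").st_mode` to the same functions.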

15
PAM
  • Pluggable Authentication Module
  • Native to Linux, available for all other *NIX
  • Allows for a variety of authentication systems to mimic /etc/passwd
  • Any AAA system with a PAM module can be used
  • Active Directory PAM modules are available

16
Active Directory
  • Hierarchical database of users, resources and rights
  • AD is standards-based (with a little DNS protocol extension)
  • Kerberos (authentication), DNS (naming) and LDAP (directory services)
  • All services accept queries from any host
  • Extensive resources available (bring aspirin and coffee)

17
Active Directory DNS
  • DNS answers all queries (promiscuous)
  • DNS zones can be AD-integrated or stand-alone (using a BIND style zone file)
  • AD domain zone contains AD-specific extensions, must be AD-integrated
  • MS-DNS doesn't support BIND 9 Views
  • MS-DHCP is integrated with DNS
  • Split DNS or Windows DNS, you choose
  • Beware zone transfers and updates

18
Active Directory and Kerberos
  • MS-Kerberos is standards based
  • Queries must be from known hosts
  • Kerberos authenticates users and hosts
  • Kerberos authorizes resource access
  • Used for domain trusts
  • Transitive nature extended to other OSs

19
Active Directory and LDAP
  • MS-LDAP is standards compliant
  • Queries must be from known hosts
  • Resource of known hosts for services
  • Database of systems and resources
  • Integrated with Kerberos AA and rights management
  • LDAP is the glue of AD

20
Winbind
  • Allows Linux users to use Windows domain resources as though they were native Linux resources

21
Samba Winbind
  • Winbind extends Samba functionality to integrate AD AAA
  • Samba 3.08 IT Kerberos5 V1.3.1 OpenLDAP
  • Winbind authenticates users against AD
  • Manages passwords, no local accounts
  • http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
  • http://www.enterprisenetworkingplanet.com/netos/article.php/3502441

22
QUESTIONS?

23
Thank You