Integrating Linux and Active Directory isn't as daunting as you think

Administrators often must manage both Windows and Linux machines -- and figure out how to get the two to work well together. Expert Laura E. Hunter offers some advice on Active Directory and Linux interoperability.

While many small and medium-sized networks are homogeneous, running only Windows or only Linux, this is rarely the case in a large enterprise network. Enterprise administrators are usually required to manage both Windows and Linux machines and to get the two to work and play well together.

That has, luckily, become a much simpler proposition with Windows 2000 and Windows Server 2003. Microsoft's decision to support Kerberos authentication (with a certain amount of prodding, of course) means that Windows clients can authenticate against Linux/Unix-based Kerberos realms, and Linux clients can be joined to an Active Directory domain.

The easiest way to join a Linux client to Active Directory is to use the native Kerberos client that ships with the distribution. You specify your Active Directory domain name, in upper case, as the Linux client's default realm, and the DNS name of one of your domain controllers as the KDC for that realm. You do this by editing the krb5.conf file on the Linux client so that it points to the Windows KDC. Two things trip people up here: realm names are case-sensitive, so the realm must be written in upper case exactly as Active Directory spells it, and the client's clock must be within the Kerberos clock skew limit of the domain controller (five minutes by default), or every ticket request will be rejected. Keep in mind that this gives you Kerberos authentication only; for users to actually log on to the Linux box with their domain credentials, the system's PAM and NSS configuration also has to be pointed at Active Directory.

If you already have a Kerberos realm in place, you can instead create a trust relationship between it and your Active Directory domain. This lets your Linux clients authenticate against their own Kerberos realm with their customary username and password and then access resources in the Windows domain.

Realm trusts can be one-way or two-way: a one-way trust lets only your Linux clients access Windows-based resources (or only your Windows clients access Linux resources), and a two-way trust allows both. Realm trusts can also be either transitive or intransitive. An intransitive trust applies only to the specific domain in which the trust was created; a transitive trust grants access to the trusted domain as well as to any domains that domain in turn trusts. As an example, if you create an intransitive trust between your MIT Kerberos realm and the mycompany.com Active Directory domain, your Linux users will only be able to access resources located within mycompany.com. A transitive trust would allow access to mycompany.com as well as to any child domains, such as east.mycompany.com.
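The following script is an added example and not code from the original article or from the author. It puts the two procedures above into concrete form: it renders a krb5.conf for a Linux client whose default realm is the mycompany.com Active Directory domain and that also knows an existing MIT realm, and it prints the matching pair of commands (one on the MIT KDC, one on a domain controller) that create the cross-realm trust principal for a one-way or two-way realm trust. The names dc1.mycompany.com, EXAMPLE.ORG, kdc.example.org, east.mycompany.com and the user alice are assumptions for illustration; mycompany.com and east.mycompany.com are the names used in the article.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: dc1.mycompany.com
# (a domain controller), EXAMPLE.ORG / kdc.example.org (an existing MIT realm and
# its KDC), EAST.MYCOMPANY.COM (a child AD domain), alice (a test user).
set -eu

# AD realm names are the DNS domain name in upper case. Kerberos compares realm
# names case-sensitively, so "mycompany.com" as a realm would never match.
ad_realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Cross-realm TGT principal that lets users of FROM_REALM reach services in
# TO_REALM: krbtgt/TO@FROM. It must exist, with the same key, in both KDCs.
cross_realm_tgt_principal() {
    from_realm=$1; to_realm=$2
    printf 'krbtgt/%s@%s' "$to_realm" "$from_realm"
}

# render_krb5_conf AD_DOMAIN AD_DC_FQDN MIT_REALM MIT_KDC_FQDN
# Writes the client configuration to stdout. The AD realm is the default realm,
# so "kinit alice" means alice@MYCOMPANY.COM.
render_krb5_conf() {
    ad_domain=$1; ad_dc=$2; mit_realm=$3; mit_kdc=$4
    ad_realm=$(ad_realm_from_domain "$ad_domain")
    mit_domain=$(printf '%s' "$mit_realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = ${ad_realm}
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    ${ad_realm} = {
        kdc = ${ad_dc}
        admin_server = ${ad_dc}
    }
    ${mit_realm} = {
        kdc = ${mit_kdc}
        admin_server = ${mit_kdc}
    }

[domain_realm]
    .${ad_domain} = ${ad_realm}
    ${ad_domain} = ${ad_realm}
    .${mit_domain} = ${mit_realm}
    ${mit_domain} = ${mit_realm}
EOF
}

# capaths_via CLIENT_REALM TARGET_REALM INTERMEDIATE_REALM
# [capaths] stanza telling the client that tickets for TARGET_REALM are obtained
# by crossing into INTERMEDIATE_REALM first (a transitive trust: an MIT user
# reaching a child AD domain through the trusted parent domain).
capaths_via() {
    cat <<EOF
[capaths]
    $1 = {
        $2 = $3
    }
EOF
}

# trust_setup_commands MIT_REALM AD_REALM [twoway]
# Prints the command to run on each KDC for a realm trust that lets MIT_REALM
# users reach AD_REALM resources; "twoway" adds the reverse direction as well.
# The trust password entered on both sides must be identical.
trust_setup_commands() {
    mit_realm=$1; ad_realm=$2; mode=${3:-oneway}
    p=$(cross_realm_tgt_principal "$mit_realm" "$ad_realm")
    echo "# On the MIT KDC (prompts for the trust password):"
    echo "kadmin.local -q \"addprinc ${p}\""
    netdom="netdom trust ${ad_realm} /Domain:${mit_realm} /Add /Realm /PasswordT:<trust-password>"
    if [ "$mode" = twoway ]; then
        q=$(cross_realm_tgt_principal "$ad_realm" "$mit_realm")
        echo "kadmin.local -q \"addprinc ${q}\""
        netdom="${netdom} /TwoWay"
    fi
    echo "# On an AD domain controller (cmd.exe; same trust password):"
    echo "$netdom"
}

# Demo. On a real client write the first two outputs to /etc/krb5.conf, make
# sure the clock is within five minutes of the DC, then: kinit alice@MYCOMPANY.COM && klist
render_krb5_conf mycompany.com dc1.mycompany.com EXAMPLE.ORG kdc.example.org
capaths_via EXAMPLE.ORG EAST.MYCOMPANY.COM MYCOMPANY.COM
trust_setup_commands EXAMPLE.ORG MYCOMPANY.COM twoway
```

The direction of the trust is encoded in the krbtgt principal name: krbtgt/MYCOMPANY.COM@EXAMPLE.ORG is the ticket the MIT KDC issues so that one of its users can present itself to the Windows domain, so that principal (and no other) is what a one-way trust in that direction needs. For the Windows side to actually grant access, each MIT principal also has to be mapped to an Active Directory account (the Name Mappings dialog in Active Directory Users and Computers, which populates the altSecurityIdentities attribute); without that mapping the ticket is valid but identifies nobody the domain knows.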

For some great resources on Unix-Active Directory interoperability, check out Resources for Interoperability and Migration of Linux and Windows.


Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (Apress).
