While many small- and medium-sized networks are homogeneous, made up solely of Windows- or Linux-based operating systems, this is usually not the case in a large-scale enterprise network. Enterprise administrators are often required to manage both Windows and Linux machines and to figure out how to get the two to work and play well together.
That has, luckily, become a much simpler proposition with Windows 2000 and Windows Server 2003. Microsoft's decision to support Kerberos authentication (with a certain amount of prodding, of course) now allows Windows clients to authenticate against Linux/Unix-based Kerberos realms and allows Linux clients to join an Active Directory domain.
The easiest way to join a Linux client to Active Directory is to use the native Kerberos client. You specify your Active Directory domain as the Linux client's realm and supply the DNS name of one of your domain controllers, then edit the krb5.conf file on the Linux client so that it points to the Windows KDC (key distribution center).
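As an added example (not code from the article), the following POSIX shell script renders the krb5.conf described above for an Active Directory realm and then verifies the result with kinit and klist. The domain mycompany.com, the domain controller dc1.mycompany.com and the user name are assumptions.

```shell
#!/bin/sh
# Added example: point a Linux Kerberos client at an Active Directory KDC.
# mycompany.com / dc1.mycompany.com below are assumed names, not the article's.

# Render a minimal krb5.conf. Kerberos realm names are case-sensitive and an
# AD realm is the DNS domain in upper case, so the realm is upper-cased here
# while the domain_realm mapping keeps the lower-case DNS names.
render_krb5_conf() {
    domain="$1"   # e.g. mycompany.com
    kdc="$2"      # DNS name of a domain controller, e.g. dc1.mycompany.com
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# AD publishes its KDCs as SRV records; if this lookup is empty the client is
# usually not using the domain's DNS servers and kinit will fail.
check_kdc_srv() {
    dig +short SRV "_kerberos._tcp.$1" | grep -q .
}

# Obtain a TGT for a domain user (prompts for the password) and list it.
verify_ticket() {
    kinit "$1@$2" && klist
}

# Usage (as root): sh ad-join.sh --apply mycompany.com dc1.mycompany.com alice
if [ "${1:-}" = "--apply" ]; then
    render_krb5_conf "$2" "$3" > /etc/krb5.conf
    check_kdc_srv "$2" && verify_ticket "$4" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
fi
```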
If you have an existing Kerberos realm in place, you can also create a trust relationship between it and your Active Directory domain. This allows your Linux clients to authenticate against their Kerberos realm using their customary username and password and then access resources in the Windows domain.
Realm trusts can be one-way or two-way: a one-way trust lets only your Linux clients access Windows-based resources (or only your Windows clients access Linux resources), while a two-way trust allows both. Realm trusts can also be either transitive or intransitive. An intransitive trust affects only the specific domain in which the trust was created; a transitive trust grants access to the trusted domain as well as any domains that are in turn trusted by that domain. As an example, if you create an intransitive trust between the MIT Kerberos realm and the mycompany.com Active Directory domain, your Linux users will only be able to access resources located within mycompany.com. A transitive trust would allow access to mycompany.com as well as any child domains, such as east.mycompany.com.
For some great resources on Unix-Active Directory interoperability, check out Resources for Interoperability and Migration of Linux and Windows.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valued Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing).