Unix/Linux interoperability components in Windows - Home
Windows interoperability with
Unix/Linux
• Introduction to Active Directory Integration
for Unix and Linux Systems
• Unix/Linux interoperability components in
Windows
• File sharing
Active Directory Integration for Unix
and Linux Systems
• Many IT shops in both large and small
organizations use more than one operating
system to solve their computing needs.
• While Windows is the market leader for desktop
computing and has a great market share in server
computing, Linux is being used more and more –
especially for server workloads.
• UNIX has a long history as a server operating
system and is widely used for many business
workloads.
Active Directory Integration for Unix
and Linux Systems
• In fact, in a recent Gartner report, 92% of the IT
organizations that responded to the survey stated
that their company uses Windows and Linux or UNIX
for server computing (as well as other operating
systems such as mainframes in some cases).
Active Directory Integration for Unix
and Linux Systems
• We will use Microsoft’s Active Directory as the
central repository for user account
information and passwords.
• The challenge that is addressed in these notes
is how to enable Linux and UNIX systems to
use Active Directory-based user account
information and passwords as the centralized
directory system for authorizing and
authenticating users who log in to the system.
Active Directory Integration for Unix
and Linux Systems
• Using Active Directory as the directory system for Windows, Linux and UNIX has
numerous advantages, including:
– Users have one login name and one password that can be used across
Windows, Linux and UNIX
– If the user changes his or her password on one of the systems, the
new password is automatically applicable to the other systems
– Help desk calls are reduced as users have fewer account names and
passwords to remember
– Sys admin costs are reduced as you are no longer required to create
user accounts on every system that is deployed – instead you now
create the account once in Active Directory and each enabled
Windows, Linux or UNIX system can now use that account information
for validating users
– Consistent policies such as password length and complexity can now
be enforced across Windows, Linux and UNIX
Integration Commercial Products
• It should be noted that there are at least two popular
commercial products that provide solutions to these
challenges.
– Centrify’s DirectControl product line
– Quest’s Vintela Authentication Services
• Both allow Linux and UNIX systems to join an Active
Directory domain and use Active Directory as the
centralized authority for authentication,
authorization, directory information and policy
management.
• However, many users need only basic identity management
capabilities and wish to solve this need using “free”
software.
Integration Methods
• We have chosen three common methods for Active Directory
integration that leverage “free” software and use widely available
software and tools. The three methods are:
• 1. Using Microsoft’s Server for NIS, Identity Management for UNIX
and Kerberos for Directory and Authentication Services
– By using the UNIX NIS server capabilities in Windows Server 2003 R2
for directory services and the built-in Kerberos system in Windows
Server for authentication, Linux and UNIX systems can use Active
Directory for user account information and password services.
– This solution uses native Kerberos on Windows, Linux and UNIX
instead of password synchronization for validating users at log in, and
the Active Directory NIS server for storing and retrieving user
information instead of using the /etc/passwd file on Linux and UNIX.
What is NIS?
• Network Information Service (NIS) provides a simple network look-up
service that consists of databases and processes. An NIS domain consists
of a client and one or more servers. Clients use the NIS protocol to look up
information stored in NIS databases, which are replicated among servers.
A single master server is used to update databases; subordinate (also
known as slave) servers provide read-only services. Databases are
synchronized by copying them from master servers to subordinate servers
periodically or upon change.
• A database served by NIS is called an NIS map. The NIS lookup calls require
a map (database) name and an NIS domain name. An NIS domain consists
of a collection of such maps.
• Server for NIS integrates UNIX NIS networks with Windows Active Directory.
Identity Management for UNIX includes an easy-to-use wizard that a Windows
domain administrator can use to export NIS domain maps to Active
Directory entries. Once this is done, an Active Directory domain controller
running Server for NIS becomes the master server for the NIS domain.
Integration Methods
• 2. Using Samba client technology and Kerberos
for Active Directory-based identity management
– This solution also uses Kerberos for authentication but
uses Samba for user account information storage.
– Many customers use Samba file sharing technology on
UNIX and Linux and wish to use Samba client
technology to enable centralized integrated directory
and identity management services with an Active
Directory Windows Server.
What is Samba?
• Samba is a free software re-implementation of the
SMB/CIFS networking protocol. The name Samba
comes from SMB (Server Message Block), the
name of the standard protocol used by the
Microsoft Windows network file system.
• Samba provides file and print services for various
Microsoft Windows clients and can integrate with
a Windows Server domain, either as a Primary
Domain Controller (PDC) or as a domain member.
It can also be part of an Active Directory domain.
Samba runs on most Unix and Unix-like systems.
Integration Methods
• 3. Using native LDAP, native Kerberos and
Windows Server 2003 R2 Active Directory
services and schema for cross-platform
identity management
– Active Directory is an LDAP directory.
– Windows Server 2003 R2 even includes a
standards-based LDAP schema for typical UNIX
user and group attributes.
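The following is an added example, not code from Microsoft or from any NSS module, showing the two pieces a native LDAP client of the Windows Server 2003 R2 UNIX schema needs: a correctly escaped search filter that only matches accounts carrying UNIX attributes, and the conversion of a returned entry into a passwd(5) line. No directory is contacted; the SAMPLE_ENTRIES list, the base DN and the example.test domain are constructed stand-ins for a search result, while the attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) are the R2 schema names.

```python
"""RFC 2307 user lookup against the Windows Server 2003 R2 UNIX schema.

Added example, not Microsoft's or any NSS module's code. SAMPLE_ENTRIES is a
constructed stand-in for an LDAP search result; the DNs and the domain are
invented, the attribute names are the R2 schema names.
"""
from typing import Dict, List, Optional

# Constructed search result: two AD user objects, only one of which has been
# given UNIX attributes with Identity Management for UNIX.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"dn": "CN=Jane Doe,CN=Users,DC=example,DC=test",
     "sAMAccountName": "jdoe", "uid": "jdoe", "uidNumber": "10001",
     "gidNumber": "10000", "unixHomeDirectory": "/home/jdoe",
     "loginShell": "/bin/bash", "gecos": "Jane Doe"},
    {"dn": "CN=Win Only,CN=Users,DC=example,DC=test",
     "sAMAccountName": "winonly"},
]

# Attributes an entry must carry before it can stand for a UNIX account.
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3 before it goes into a
    filter. Without this a login name such as '*)(uidNumber=0' would rewrite
    the query instead of being matched literally."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # \5c \2a \28 \29 \00
        else:
            out.append(ch)
    return "".join(out)


def posix_user_filter(login: str) -> str:
    """Search filter for one user that actually carries UNIX attributes.
    The (uidNumber=*) term is the point: a plain AD account that was never
    given UNIX attributes must not resolve to a UNIX identity."""
    safe = escape_filter_value(login)
    return "(&(objectClass=user)(uidNumber=*)(|(sAMAccountName=%s)(uid=%s)))" % (safe, safe)


def to_passwd_entry(entry: Dict[str, str]) -> Optional[str]:
    """Render one result entry as a passwd(5) line, or None if the entry
    lacks a required UNIX attribute or carries a non-numeric or negative id."""
    if any(attr not in entry for attr in REQUIRED_ATTRS):
        return None
    try:
        uid, gid = int(entry["uidNumber"]), int(entry["gidNumber"])
    except ValueError:
        return None
    if uid < 0 or gid < 0:
        return None
    return "%s:x:%d:%d:%s:%s:%s" % (entry["uid"], uid, gid, entry.get("gecos", ""),
                                   entry["unixHomeDirectory"], entry["loginShell"])


def lookup_user(login: str, entries: List[Dict[str, str]] = SAMPLE_ENTRIES) -> Optional[str]:
    """Simulate the NSS passwd lookup: apply, in Python, the same constraints
    the filter from posix_user_filter() expresses to the in-memory entries."""
    for e in entries:
        if login in (e.get("sAMAccountName"), e.get("uid")) and "uidNumber" in e:
            return to_passwd_entry(e)
    return None


if __name__ == "__main__":
    print(posix_user_filter("jdoe"))
    print(posix_user_filter("*)(uidNumber=0"))   # hostile input stays literal
    print(lookup_user("jdoe"))
    print(lookup_user("winonly"))                # None: no UNIX attributes
```

The escaping matters because the login name in a PAM or NSS lookup is attacker-controlled input typed at a login prompt; the `(uidNumber=*)` term matters because the R2 schema attaches UNIX attributes to ordinary user objects, so the absence of those attributes is the only thing separating a Windows-only account from a UNIX account.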
Methods Comparison
• Microsoft’s Server for NIS, Identity Management for UNIX and Kerberos for
Directory and Authentication Services
– PROS: uses standard components that ship with Windows and Linux; easy to
set up on Linux, requires configuration on Windows Server; uses
standards-based technology for all components (NIS, Kerberos); centralized
UID and GID mapping
– CONS: uses NIS for directory services rather than LDAP; does not allow for
joining the Active Directory domain, only provides centralized directory and
authentication services; self-supported solution
• Samba client technology and Kerberos for Active Directory-based identity
management
– PROS: requires no special configuration on the Windows Server side; easy to
set up on the Linux side; mature technology that is widely used; allows Linux
system to join Active Directory domain
– CONS: stores some user information on each Linux system instead of
centrally, requiring manual synchronization in some cases; proprietary
solution (Samba) vs. standards-based solution (LDAP); self-supported solution
• Native LDAP, native Kerberos and Windows Server 2003 R2 Active Directory
services and schema for cross-platform identity management
– PROS: uses LDAP instead of NIS for directory services; standards-based
solution (LDAP, Kerberos); detailed setup instructions in Microsoft Solution
Accelerator
– CONS: more complex to set up; does not allow for joining the Active
Directory domain; self-supported solution
• Commercial solutions such as Centrify’s DirectControl or Quest’s Vintela
Authentication Services
– PROS: very easy to set up; provides virtually all AD client services to
Linux and UNIX; allows Linux system to join Active Directory domain; fully
supported commercial solution
– CONS: proprietary software installed on both server and client; requires
per system license to be purchased
Unix/Linux interoperability
components in Windows
• Windows operating systems support interoperability with UNIX platforms
by means of a number of utilities, services and protocols:
• Support for industry standard protocols such as:
– TCP/IP
– Domain Name System (DNS)
– Dynamic Host Configuration Protocol (DHCP)
– remote procedure call (RPC)
• For file sharing purposes, support for File Transfer Protocol (FTP) and
Hypertext Transfer Protocol (HTTP).
• Cross platform database access support using open database connectivity
(ODBC).
• Remote terminal emulation support through Telnet.
• For UNIX printing, support via Line Printer Daemon (LPD), Line Printer
Queue (LPQ) and Line Printer Remote (LPR).
• Support for network management via Simple Network Management
Protocol (SNMP) and Remote Network Monitoring (RMON).
Unix/Linux interoperability
components in Windows
• The main Microsoft product used to enable interoperability with UNIX is
Microsoft Windows Services for UNIX. The Microsoft Windows Services for UNIX
3.0 components are listed here:
• Interix; includes the C and Korn command shells and numerous utilities which
ultimately enable you to run UNIX applications directly on Windows based
computers.
• Interix Software Development Kit; includes documentation, tools and libraries
that you can use to make UNIX applications run on Windows computers via the
Interix subsystem.
• User Name Mapping; enables Windows and UNIX users to access files on one
another’s computers. This is done transparently and without causing security
issues. User Name Mapping can obtain UNIX account information from Personal
Computer Network File System (PCNFS) servers or from Network Information
System (NIS) servers. User Name Mapping provides centralized mapping between
Windows user accounts and UNIX accounts for:
– Interix (Interix is the Unix-like system that runs on the Windows OS)
– Client for NFS
– Server for NFS
– Gateway for NFS
Unix/Linux interoperability
components in Windows
• Client for NFS; provides a number of features:
– Windows based computers are able to map an exported NFS share to a drive
letter so that users access files on the file system like they are on a local drive.
– Users can also access NFS shares through Universal Naming Convention (UNC)
names.
– Users are able to obtain UNIX authentication credentials via User Name
Mapping or a PCNFS server.
• Server for NFS; enables shared directories to be exported as NFS file
systems. Server for NFS Authentication and User Name Mapping map the user
identifier (UID) and group identifier (GID) of the user on the UNIX client to
a Windows user account. UNIX clients therefore obtain the proper access
to files hosted on Windows based servers.
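The NIS map description earlier in these notes and the Server for NFS bullet above describe the same identity path: a UID/GID pair carried in an NFS request, looked up in a passwd-style map, mapped by User Name Mapping to a Windows account, and then checked against the file's Windows permissions. The following is an added example that models that path; it is not code from Services for UNIX. The NIS passwd map, the CORP domain, the advanced mapping table and the ACL are constructed, and the handling of unmapped or ambiguous UIDs as anonymous is this model's own choice, not a description of the product's configuration options.

```python
"""Model of the NFS identity path: client UID -> NIS passwd map -> User Name
Mapping -> Windows account -> ACL check.

Added example, not code from Services for UNIX. Map contents, the CORP
domain, the mapping table and the ACL are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed passwd.byname NIS map in passwd(5) format. The third line
# deliberately reuses UID 1002 to show what a UID collision looks like.
NIS_PASSWD_MAP = """\
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:100:Bob Example:/home/bob:/bin/sh
svc-backup:x:1002:200:Backup service:/var/backup:/sbin/nologin
"""

# Constructed "advanced map": explicit UNIX name -> Windows account pairs for
# names that differ between the two worlds. Identical names on both sides are
# handled by the simple-map rule in map_uid_to_windows().
ADVANCED_MAP: Dict[str, str] = {"svc-backup": "CORP\\svc_backup"}
WINDOWS_DOMAIN = "CORP"          # constructed domain name


@dataclass(frozen=True)
class UnixAccount:
    name: str
    uid: int
    gid: int


def parse_passwd_map(text: str) -> Dict[str, UnixAccount]:
    """Parse a passwd-format NIS map into a dict keyed by login name."""
    accounts: Dict[str, UnixAccount] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 colon-separated fields" % lineno)
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if name in accounts:
            raise ValueError("line %d: duplicate login name %r" % (lineno, name))
        accounts[name] = UnixAccount(name, uid, gid)
    return accounts


def find_uid_collisions(accounts: Dict[str, UnixAccount]) -> Dict[int, List[str]]:
    """Return {uid: [names]} for every UID shared by more than one login name.
    NFS identifies the caller by number, so such names are one principal as
    far as the server can tell; a central map is the place to catch this."""
    by_uid: Dict[int, List[str]] = {}
    for acct in accounts.values():
        by_uid.setdefault(acct.uid, []).append(acct.name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def map_uid_to_windows(uid: int, accounts: Dict[str, UnixAccount],
                       advanced_map: Dict[str, str] = ADVANCED_MAP) -> Optional[str]:
    """Resolve the UID carried in an NFS request to a Windows account name.
    Returns None when the UID is unknown or ambiguous; this model then treats
    the caller as anonymous rather than guessing an identity (model choice)."""
    matches = [a for a in accounts.values() if a.uid == uid]
    if len(matches) != 1:
        return None
    unix_name = matches[0].name
    if unix_name in advanced_map:                     # explicit (advanced) map
        return advanced_map[unix_name]
    return "%s\\%s" % (WINDOWS_DOMAIN, unix_name)     # simple map: same name


def nfs_access_allowed(uid: int, wanted: str, acl: Dict[str, Set[str]],
                       accounts: Dict[str, UnixAccount],
                       advanced_map: Dict[str, str] = ADVANCED_MAP) -> bool:
    """Decide an NFS request against an ACL keyed by Windows account name.
    Unmapped callers only get whatever the ACL grants to 'ANONYMOUS LOGON'."""
    principal = map_uid_to_windows(uid, accounts, advanced_map) or "ANONYMOUS LOGON"
    return wanted in acl.get(principal, set())


if __name__ == "__main__":
    accts = parse_passwd_map(NIS_PASSWD_MAP)
    print("UID collisions:", find_uid_collisions(accts))
    sample_acl = {"CORP\\alice": {"read", "write"}, "ANONYMOUS LOGON": {"read"}}
    for req_uid in (1001, 1002, 4242):
        print(req_uid, map_uid_to_windows(req_uid, accts),
              "write" if nfs_access_allowed(req_uid, "write", sample_acl, accts) else "no write")
```

The collision check is the part worth keeping in mind when NIS maps are exported to Active Directory: once the directory is the single source of UIDs, a duplicate there is a duplicate on every NFS server that trusts it.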
• Gateway for NFS; enables Windows users to access exported file systems
on NFS – no client software is needed on the computers. For Gateway for
NFS to work, it needs User Name Mapping to provide the proper UID and
GID for the Windows user. Gateway for NFS runs on Windows Server
servers only, and not on Windows XP Professional computers.
Unix/Linux interoperability
components in Windows
• Server for NIS; integrates UNIX Network Information System (NIS)
networks with Active Directory. Server for NIS runs on Windows Server
servers only, and not on Windows XP Professional computers.
• Server for PCNFS; enables Windows users to access NFS file systems if the
user supplies the proper UNIX user name and password.
• Password Synchronization; enables a user to only require a single
password for UNIX networks and Windows based networks:
– When a user changes a UNIX password, the password is automatically
updated in the Windows network.
– When a user changes a Windows password, the password is
automatically updated in the UNIX network.
• Telnet Client and Telnet Server; the Telnet terminal protocol is utilized to
grant Windows users command-line access to UNIX systems. Telnet Client
users are able to directly log on to computers running Telnet Server.
Sharing Files Between NT and UNIX
Systems
• Because NT and UNIX use different file systems--NTFS
for NT and NFS for UNIX--file sharing between NT and
UNIX systems usually requires running a product on the
NT system that converts NTFS-format files to NFS.
• NFS Permissions
NFS, which Sun Microsystems originally developed,
provides a file-sharing standard that lets users on UNIX
workstations access centralized files on a UNIX server
or share files with other UNIX workstations. All major
UNIX operating systems have built-in NFS file-sharing
capabilities.
Thank you