There are several key barriers to integrating Unix, Linux, and Mac OS X computers into Microsoft Active Directory:
Joining a Domain
PowerBroker Identity Services Enterprise Edition agent provides the foundation for interoperability by empowering you to quickly and easily join Linux, Unix, and Mac computers to an Active Directory domain.
To join the domain, the agent uses the DCE-RPC, LDAP, and Kerberos protocols to communicate with Active Directory. When the domain join utility joins the computer to the domain, it establishes a machine account in Active Directory. The machine account can then be used to make authenticated LDAP and RPC calls to Active Directory.
Authentication
Authentication is the process by which a system verifies the identity of a user who wants to access a computer or application. Without using PowerBroker Identity Services Enterprise Edition, authentication on a Linux or Unix computer typically consists of using the Pluggable Authentication Modules (PAM) to validate usernames and passwords against the /etc/passwd and /etc/group files and using the name service (nsswitch) to associate the username with a user identifier (UID) and a group identifier (GID).
Likewise's ability to join non-Windows computers to an Active Directory domain immediately yields the benefit of making Active Directory's authentication process available to Unix, Linux, and Mac OS X computers. Because Active Directory functions as a Kerberos key distribution center, PowerBroker Identity Services Enterprise Edition can validate Unix and Linux usernames and passwords with the Kerberos 5 network authentication protocol. Kerberos lets users and computers communicating over an insecure network prove their identity to one another in a secure manner.
Processing UID-GID Information in Active Directory
The challenge is to allow AD users to access resources on Unix and Linux hosts. This is difficult because Unix and Linux permission settings for users and groups are defined by UIDs and GIDs, which are simple integers (typically 32-bit numbers), whereas Active Directory identifies principals with security identifiers (SIDs), which contain a domain-specific universally unique ID. In Active Directory, a SID uniquely identifies a user, group, or computer within a forest. Interoperability thus requires a method to map SIDs to UIDs and GIDs. PowerBroker Identity Services Enterprise Edition overcomes this mismatch by mapping SIDs to UIDs and primary GIDs and storing the information in Active Directory.

PowerBroker Identity Services Enterprise Edition has two operating modes: schema mode and non-schema mode. Schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information. In contrast, non-schema mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the existing schema. Thus, with PowerBroker Identity Services Enterprise Edition, there is no requirement to change your schema and there is no need for additional infrastructure.
Authorization
With PowerBroker Identity Services Enterprise Edition, both schema mode and non-schema mode provide a method for storing Unix and Linux information in Active Directory -- including UIDs and GIDs -- so that Likewise can map SIDs to UIDs and GIDs and vice versa. This mapping enables Likewise to use an Active Directory user account to grant a user access to a Unix or Linux resource that is governed by a UID-GID scheme. When an AD user logs on to a Unix or Linux computer, the PowerBroker Identity Services Enterprise Edition agent communicates with the Active Directory domain controller over the standard LDAP protocol to obtain the following authorization data:
- UID
- Primary GID
- Secondary GIDs
- Home directory
- Login shell
PowerBroker Identity Services Enterprise Edition uses this information to authorize the user to access Unix and Linux resources.
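The following Python is an added example, not PowerBroker or Likewise code, covering the two preceding passages: the SID-to-UID/GID mapping problem and the authorization data (UID, primary GID, secondary GIDs, home directory, login shell) the agent assembles at logon. It models schema mode by honouring RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) when an entry carries them, and otherwise falls back to a deterministic mapping of RID plus a per-domain base offset; that fallback is an assumption for illustration and is not the product's actual non-schema algorithm. Every directory entry is constructed inline, and the RESERVED_BELOW cut-off and the DOMAIN_BASES range are assumed configuration values.

```python
"""Resolve a directory user entry into POSIX authorization data.

Added example, not PowerBroker/Likewise code. Two strategies are modelled:
  * schema mode: the entry carries RFC 2307 attributes (uidNumber, gidNumber,
    unixHomeDirectory, loginShell), which are used as-is after range checks;
  * a fallback that derives IDs from the SID's RID plus a per-domain base
    offset. That deterministic scheme is an assumption for illustration only,
    not the product's actual non-schema algorithm.
Directory entries are constructed inline; no domain controller is contacted.
"""
from dataclasses import dataclass, field

ID_MAX = 2**32 - 1        # UIDs and GIDs must fit an unsigned 32-bit integer
RESERVED_BELOW = 1000     # assumption: lower IDs belong to local system accounts


@dataclass
class PosixIdentity:
    name: str
    uid: int
    gid: int
    secondary_gids: list[int] = field(default_factory=list)
    home: str = ""
    shell: str = ""


def parse_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-A-B-C-RID' into (domain SID, RID); reject malformed input."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1" \
            or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def check_id(value: int, kind: str) -> int:
    """Refuse IDs outside the 32-bit range or inside the reserved local range."""
    if not 0 <= value <= ID_MAX:
        raise ValueError(f"{kind} {value} does not fit in 32 bits")
    if value < RESERVED_BELOW:
        raise ValueError(f"{kind} {value} collides with reserved local accounts")
    return value


def sid_to_id(sid: str, domain_bases: dict[str, int]) -> int:
    """Fallback mapping: configured base for the SID's domain + RID (assumed scheme)."""
    domain, rid = parse_sid(sid)
    if domain not in domain_bases:
        raise LookupError(f"no ID range configured for domain {domain}")
    return check_id(domain_bases[domain] + rid, "ID")


def resolve_user(entry: dict, groups: dict[str, dict],
                 domain_bases: dict[str, int]) -> PosixIdentity:
    """Produce UID, primary GID, secondary GIDs, home and shell for one user entry."""
    name = entry["sAMAccountName"]
    domain, _rid = parse_sid(entry["objectSid"])
    if "uidNumber" in entry and "gidNumber" in entry:        # schema mode
        uid = check_id(int(entry["uidNumber"]), "UID")
        gid = check_id(int(entry["gidNumber"]), "GID")
    else:                                                    # fallback from SIDs
        uid = sid_to_id(entry["objectSid"], domain_bases)
        # primaryGroupID holds the RID of the primary group, which is in the same domain
        gid = sid_to_id(f"{domain}-{entry['primaryGroupID']}", domain_bases)
    secondary = set()
    # memberOfSid: group SIDs already resolved from memberOf DNs (constructed shape)
    for gsid in entry.get("memberOfSid", []):
        group = groups.get(gsid, {})
        g = check_id(int(group["gidNumber"]), "GID") if "gidNumber" in group \
            else sid_to_id(gsid, domain_bases)
        if g != gid:
            secondary.add(g)
    return PosixIdentity(name, uid, gid, sorted(secondary),
                         entry.get("unixHomeDirectory", f"/home/{name}"),
                         entry.get("loginShell", "/bin/sh"))


def passwd_line(ident: PosixIdentity) -> str:
    """Render the identity as the passwd-style record nsswitch would hand to PAM."""
    return f"{ident.name}:x:{ident.uid}:{ident.gid}::{ident.home}:{ident.shell}"


# Constructed sample data ------------------------------------------------------
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_BASES = {DOMAIN: 100000}   # assumed per-domain base; another domain gets its own range

GROUPS = {
    f"{DOMAIN}-513": {"name": "Domain Users"},                         # no RFC 2307 data
    f"{DOMAIN}-1201": {"name": "linux-admins", "gidNumber": "10500"},  # schema-mode group
}
SCHEMA_USER = {
    "sAMAccountName": "alice", "objectSid": f"{DOMAIN}-1105", "primaryGroupID": "513",
    "uidNumber": "10105", "gidNumber": "10500",
    "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash",
    "memberOfSid": [f"{DOMAIN}-513", f"{DOMAIN}-1201"],
}
FALLBACK_USER = {
    "sAMAccountName": "bob", "objectSid": f"{DOMAIN}-1106", "primaryGroupID": "513",
    "memberOfSid": [f"{DOMAIN}-1201"],
}

if __name__ == "__main__":
    for user in (SCHEMA_USER, FALLBACK_USER):
        print(passwd_line(resolve_user(user, GROUPS, DOMAIN_BASES)))
```

The range check matters more than the arithmetic: a derived ID that lands below the local system range, or one that does not fit in 32 bits, silently becomes someone else's account on the host, so the resolver refuses it rather than returning a best effort. Running the block prints one passwd-style line per constructed user, which is the shape a nsswitch lookup ultimately delivers to PAM.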
Group Policies for Linux, Unix, and Mac
The final challenge in achieving interoperability between Active Directory and Unix, Linux, and Mac OS X computers is the application of group policy. Likewise empowers you to centrally manage non-Windows systems by using the Microsoft Group Policy Object Editor and the Microsoft Group Policy Management Console to apply more than 80 PowerBroker Identity Services Enterprise Edition group policies and thousands of Gnome-based policies to computers running Linux, Unix, and Mac OS X.
For example, you can use a group policy to control who can use sudo to access root-level commands by specifying a common sudoers file for target computers in a domain. Using a group policy for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.
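Because a sudoers file distributed by group policy reaches every target computer at once, it is worth auditing before it is pushed. The Python below is an added example, not PowerBroker or Likewise code: it parses the user specifications of a sudoers file, expands User_Alias and Cmnd_Alias names, and reports every non-root principal that is granted an unrestricted command set (ALL) or password-less execution (NOPASSWD). The SAMPLE_SUDOERS content is constructed, and the plain group names in it are an assumption; how an AD group is spelled on a joined host depends on the agent's configured name format.

```python
"""Audit a centrally distributed sudoers file before group policy pushes it out.

Added example, not PowerBroker/Likewise code. It parses the user
specifications of a sudoers file, expands User_Alias and Cmnd_Alias names,
and reports every non-root principal granted an unrestricted command set
(ALL) or password-less execution (NOPASSWD). The sample file is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample. Group names are shown in plain form; how an AD group is
# spelled on a joined host depends on the agent's configured name format.
SAMPLE_SUDOERS = """\
# sudoers distributed to every Linux host in the domain
Defaults    logfile=/var/log/sudo.log, log_year
User_Alias  OPERATORS = bob, carol
Cmnd_Alias  SERVICES = /usr/bin/systemctl restart httpd, \\
                       /usr/bin/systemctl status httpd
%linux-admins  ALL=(ALL) ALL
%web-ops       ALL=(root) NOPASSWD: SERVICES
OPERATORS      ALL=(ALL) NOPASSWD: ALL
root           ALL=(ALL) ALL
"""

ALIAS_RE = re.compile(r"^(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
USER_SPEC_RE = re.compile(
    r"^(?P<users>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*"   # User_List Host_List =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                      # optional (Runas_Spec)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"                        # NOPASSWD:, NOEXEC:, ...
    r"(?P<cmds>.+)$"                                     # Cmnd_List
)


@dataclass
class Finding:
    line_no: int
    principal: str
    reasons: list[str]


def logical_lines(text: str):
    """Yield (first line number, text) with backslash continuations joined.
    Comments and blank lines are skipped (#include directives are not followed)."""
    buf, start = [], 0
    for i, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            start = i
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(part.strip() for part in buf)
        buf = []
        if joined and not joined.startswith("#"):
            yield start, joined


def split_list(spec: str) -> list[str]:
    """Split a comma-separated sudoers list into trimmed items."""
    return [item.strip() for item in spec.split(",") if item.strip()]


def expand(names: list[str], aliases: dict[str, list[str]]) -> list[str]:
    """Replace alias names with their members, recursively."""
    out: list[str] = []
    for n in names:
        out.extend(expand(aliases[n], aliases) if n in aliases else [n])
    return out


def audit(text: str) -> list[Finding]:
    """Return one Finding per principal per rule that grants ALL or NOPASSWD."""
    user_aliases: dict[str, list[str]] = {}
    cmnd_aliases: dict[str, list[str]] = {}
    findings: list[Finding] = []
    for line_no, line in logical_lines(text):
        if line.startswith("Defaults"):          # option lines carry no grants
            continue
        if (m := ALIAS_RE.match(line)):
            kind, name, members = m.groups()
            if kind == "User_Alias":
                user_aliases[name] = split_list(members)
            elif kind == "Cmnd_Alias":
                cmnd_aliases[name] = split_list(members)
            continue
        m = USER_SPEC_RE.match(line)
        if m is None:
            findings.append(Finding(line_no, "?", ["unparsed line; check syntax"]))
            continue
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        commands = expand(split_list(m["cmds"]), cmnd_aliases)
        reasons = []
        if "ALL" in commands:
            reasons.append("ALL commands")
        if "NOPASSWD" in tags:
            reasons.append("NOPASSWD")
        if not reasons:
            continue
        for principal in expand(split_list(m["users"]), user_aliases):
            if principal == "root":              # root gains nothing from sudo
                continue
            findings.append(Finding(line_no, principal, list(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.principal}: {', '.join(f.reasons)}")
```

The audit expands aliases before judging a rule, because a harmless-looking `OPERATORS ALL=(ALL) NOPASSWD: ALL` line grants every member of that alias password-less root. A file that contains an unparsed line should also be treated as a blocker, since a syntax error in a domain-wide sudoers file stops sudo working on every target computer at once.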
In addition, PowerBroker Identity Services Enterprise Edition lets you set Managed Client Settings for Mac computers with Workgroup Manager, a free server administration tool from Apple for remotely managing user, group, and computer settings on Mac OS X machines. PowerBroker Identity Services Enterprise Edition integrates Workgroup Manager with Active Directory by storing and applying Managed Client Settings (MCX) as standard Microsoft Active Directory group policy objects, or GPOs.
Managing Active Directory objects from Unix, Linux, and Mac
The PowerBroker Identity Services Enterprise Edition Administrative Console is an extensible service for running management applications, called snap-ins or plug-ins, on a Linux or Mac computer. For example, the console lets you run an Active Directory User and Computers snap-in on a Linux computer so you can modify objects in Active Directory without leaving your Linux desktop.
Summary: Overcoming Barriers to Unix Active Directory Integration
PowerBroker Identity Services Enterprise Edition overcomes these barriers to interoperability by providing a solution that centralizes administration and identity management, as summarized in the following table:
Interoperability Barrier | PowerBroker Identity Services Enterprise Edition Solution
Identity management: different systems use different identity management systems, such as NIS for Unix computers, local authentication for Linux computers, an ad hoc Kerberos Key Distribution Center for Mac, and Active Directory for Windows computers. | Centralizes identity management for Linux, Unix, Mac OS X, and Windows computers within Active Directory.
Authentication | Uses Kerberos to authenticate users with their Active Directory domain credentials on Windows, Linux, Unix, and Mac OS X computers.
Authorization | Maps Unix and Linux user and group IDs to Active Directory objects.
Central management: Unix and Linux computers are managed with .conf files, while Windows computers are managed with group policies and Mac computers are managed with Managed Client Settings through Workgroup Manager. | Centralizes maintenance and management by providing more than 100 group policies within Active Directory for Linux, Unix, and Mac OS X computers. In addition, integrates Managed Client Settings for Macs as group policy objects in Active Directory.
Management of AD objects from Linux, Unix, and Mac | The PowerBroker Identity Services Enterprise Edition Administrative Console lets you access Active Directory objects on a Linux computer so you can modify AD objects without leaving your Linux desktop.