The Linux Kerberos Project

I am absolutely a Windows engineer and an extremely avid advocate of most everything Microsoft, but more importantly I'm an enthusiast of all forms of technology that help to achieve business goals. Whatever it takes to further the state of the art. That means I occasionally enjoy dabbling in Linux too. Whatever gets me closer to the bleeding edge of technology. Not to mention that the vast majority of enterprises have some sort of mixture of both operating systems.

But it's rare to see a deployment in which the Unix/Linux servers participate in Active Directory. Yes, Active Directory is a Microsoft technology and *nix isn't just ready to jump into domain membership right out of the box, but I strongly believe that AD is the mortar that glues any corporate IT environment together. Let us not think Linux vs. Windows... but Linux and Windows!

So what are the ways *nix could benefit from Active Directory?

  • Secure, central management:
    No more maintaining a separate list of local user accounts and passwords on each and every machine. Keep one directory of users and machines in Active Directory; the domain controllers replicate it among themselves, and every member server authenticates against that single source instead of its own password file. Disable an account once and it is disabled everywhere.
  • Authentication:
    The main mode of authentication in an Active Directory domain is Kerberos. It was invented by some nerds at MIT (Project Athena, in the 1980s). Kerberos is the Greek name of the three-headed hound that guards the gates of the underworld (Cerberus is the Latin spelling). The name is apt, because Kerberos authentication always involves three parties: the client, the service it wants to reach, and a "trusted third party", the Key Distribution Center (KDC), which in Active Directory is every domain controller. The client proves its identity to the KDC once and receives a ticket-granting ticket; for each service it then asks the KDC for a service ticket, which is encrypted for that service. The user's password never crosses the network and the service never learns it. The one requirement people trip over is time: tickets and authenticators are timestamped, and by default a clock skew of more than five minutes between any of the three parties makes authentication fail. And the best part? Kerberos is an open standard (RFC 4120) that both Microsoft and *nix implement, which is exactly what lets them interoperate.
  • As if that wasn't enough:
    Authenticate from machine to machine to machine without re-typing your password, and without any user intervention at all (single sign-on, plus credential delegation where you choose to allow it). Use one domain account to run a service on every machine instead of a local account per box. Active Directory-integrated machines can securely and dynamically update their own DNS records. Log on to a freshly-built machine with domain credentials, without ever needing to manage the local accounts on each and every box. The list goes on and on...

As any IT company grows, it becomes increasingly important that it maintain a cohesive, easily manageable structure that includes all of its devices. So, to that end, I took the time to replicate in my personal lab the steps necessary to join a Linux machine to my existing Windows Active Directory domain. And I've documented the journey. So without further ado:

As you can see, I've created a virtual machine and installed Linux on it. My domain is at the 2008 R2 forest and domain functional levels. It's pretty much the best domain ever. I'd put my AD-architecting artistry up against anyone's.

Here I am on said virtual machine, downloading the Likewise (free edition) client. I was planning on doing it all the long, complex, hard way. This software saved me a lot of time.

I created a basic user, and delegated domain-joining permissions to him, but nothing else. I'm going to use this service account for the sole purpose of joining *nix machines to my domain.

Here's where the hair on the back of the neck of any real nerd would start standing up. See what I did there? I just joined my Linux machine to my Active Directory domain, using my specified service account. "SUCCESS" it says. I shall stand for nothing less.

Now we rush off to look at the security log on our domain controller. And what else do we see there but zero audit failures, and a handful of beautiful Kerberos ticket requests and grants. The machine account even popped up in my AD Users & Computers!

And finally - the one screenshot to rule them all - here I am SSH'ing into my Linux box for the first time using domain creds! Kerberos wins the day.
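The walk-through above (pre-flight, join with the delegated service account, then log in with domain credentials) and the three-party Kerberos exchange described in the bullet list both boil down to a handful of commands on the Linux side, so here they are as one script. This is an added example, not the original post's commands and not part of Likewise: it assumes the Likewise Open tools are installed under /opt/likewise/bin, that MIT Kerberos client tools (kinit, kvno, klist), dig and ntpdate are present, that the domain and the join account are passed as arguments, and that the join registers a host/fqdn SPN on the new computer account. The helper functions (realm_for_domain, computer_account_name, hostname_too_long, kdc_srv_name) are mine; the hostname-length check exists because the computer account's pre-Windows 2000 name is limited to 15 characters.

```shell
#!/bin/sh
# Added example: pre-flight checks, the Likewise Open domain join, and a Kerberos
# round-trip that makes the client/KDC/service exchange visible from the Linux box.
# Usage: ./adjoin.sh corp.example svc-linuxjoin [testuser]
# Assumptions (not from the post): Likewise Open under /opt/likewise/bin; MIT krb5
# client tools, dig and ntpdate installed; domain and join account given as arguments.
set -eu

LW_BIN=/opt/likewise/bin   # assumed install path of Likewise Open

# The Kerberos realm of an AD domain is its DNS name in upper case.
realm_for_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# AD names the computer account after the short host name, upper-cased, plus '$'.
# The pre-Windows 2000 (NetBIOS) name is at most 15 characters, so longer names
# are truncated; compute what AD will actually use.
computer_account_name() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$' "$(printf '%s' "$short" | cut -c1-15)"
}

# True (exit 0) when the short host name would be truncated by AD.
hostname_too_long() {
    short=$(printf '%s' "$1" | cut -d. -f1)
    [ "${#short}" -gt 15 ]
}

# SRV record domain members use to locate a KDC (i.e. a domain controller).
kdc_srv_name() {
    printf '_kerberos._tcp.dc._msdcs.%s' "$1"
}

main() {
    domain=$1; joinuser=$2; testuser=${3:-$2}
    realm=$(realm_for_domain "$domain")
    host=$(hostname -f)
    srv=$(kdc_srv_name "$domain")

    # 1. Can this box even find a KDC? Both Likewise and Kerberos depend on this record.
    dig +short SRV "$srv" | grep -q . || { echo "no KDC SRV record for $domain" >&2; exit 1; }

    # 2. Clock skew: more than 5 minutes (default) and every ticket will be rejected.
    #    dig prints "prio weight port target." per record; field 4 is the DC host name.
    dc=$(dig +short SRV "$srv" | awk 'NR==1 {print $4}' | sed 's/\.$//')
    echo "clock offset against $dc:"; ntpdate -q "$dc" | tail -n 1

    # 3. NetBIOS name length: warn before the join instead of hunting for a truncated account later.
    if hostname_too_long "$host"; then
        echo "warning: AD will truncate the computer account to $(computer_account_name "$host")" >&2
    fi

    # 4. The join itself, with the delegated join account (prompts for its password).
    "$LW_BIN/domainjoin-cli" join "$domain" "$joinuser"
    "$LW_BIN/domainjoin-cli" query

    # 5. The three-party exchange, made visible:
    #    AS exchange  -> ticket-granting ticket (klist shows krbtgt/REALM@REALM)
    kinit "$testuser@$realm"
    #    TGS exchange -> service ticket for this host's own host/ principal
    kvno "host/$host@$realm"
    klist
}

# Only run the procedure when a domain and a join account were supplied.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

On the domain controller the same run shows up in the Security log as event 4741 (computer account created), 4768 (TGT requested, the kinit) and 4769 (service ticket requested, the kvno); a 4771 instead of a 4768 means pre-authentication failed, which after a clean join almost always means a bad password or clock skew. For the "machine to machine to machine" part, sshd on the Linux box needs GSSAPIAuthentication enabled and the client connects with ssh -K (GSSAPI authentication plus credential delegation), so the next hop gets a ticket instead of a password prompt.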

So, that's all I've got for now. I haven't really done any more in-depth research into this than what you've just seen. You're probably already wondering if I can make it do smartcards next, aren't you?

A(nother) Fresh Start

This is my 4,223rd "Hello World!"

My domain, including this website, went down for a while due to a domain overhaul/migration.  Such is the life of an enthusiast who's never happy with good enough.

So once I got everything re-situated, tech refreshed, new domain set up and configured, new web server built, etc., I decided I'd try something new with my web presence.

See... I've been building websites for about 15 years now.  Never anything great or fancy, but I always had something.  Do you remember those early to mid-nineties websites with the flashing starry night backgrounds, animated gifs of rotating skulls and dripping blood, while Van Halen's Jump MIDI played in the background?  Yeah... I admit I was a part of that problem.  I'm always creating a new looking site, it lasts for a year or two, then I get bored and radically redesign it.  The thing is, I always used to build websites in Notepad. (Notepad++ once I wised up a little more.)  I got pretty good at it too.  I can bang out HTML, PHP, Javascript and CSS from scratch without much thought.  I do not aspire to ever be known as a web developer or designer, but a good technologist should know how to do a little bit of everything.

Anyway, eventually I got a little more evolved and decided to try Wordpress. Wordpress is pretty cool. It makes standing up a new website too fast and easy to ignore. It has a plethora of user-created themes and plugins and it's completely customizable. What's not to like?

But with this go-round I wanted to try something that is not only new to me, but is 100% Microsoft-integrated.  By "Microsoft-integrated" I mainly mean being able to use an MSSQL backend instead of MySQL and offering .NET integration.  Not that there's anything wrong with MySQL, and not that I can't install PHP on my IIS web server with the click of a button, it's just that this site's purpose, other than for my geeky catharsis, is for exploring and learning Microsoft technologies.  I'm very comfortable with HTML and PHP, so writing web pages in .NET is a little intimidating, but it's also exciting to think about the potential.  I already love .NET for Windows development.  So the choice was simple.

Wait, no, it's not simple.  There are a ton of Content Management Systems (blogging platforms) out there.  Umbraco, Orchard, DotNetNuke, etc... Which one do I choose?

After I built and patched up my new Windows 2008 R2 Web Server, the first thing I did was install the Microsoft Web Platform Installer.  It's seriously bad ass; if you run Microsoft Web Servers, you need to at least take a look.  It was from there that I started looking at blogging platforms.  Wordpress is there and is obviously very popular, and it tried to tempt me back into its comforting embrace of PHP and MySQL.  But I resisted the urge; I was determined to learn something new.  So I chose Umbraco.  I toyed with it for about a day until I couldn't take it any more and uninstalled it.  I mean, I appreciate that it's a good and powerful product, but for me it just seemed very complicated with a kludgy UI. So today I again resisted the urge to go back to Wordpress, and instead tried out BlogEngine.NET.  And so far I'm really liking it.  It's not too complex, but it still sports some really awesome features that .NET and ASP have to offer.

So bear with me as I continue customizing and fleshing out this site.  Partly because I wanted to see and learn something new to me, and partly because I'm hoping to uncover something new with it that will make my 4,223rd blog even cooler.