The Linux Kerberos Project

I am absolutely a Windows engineer and an extremely avid advocate of most everything Microsoft, but more importantly I'm an enthusiast of all forms of technology that help to achieve business goals. Whatever it takes to further the state of the art. That means I occasionally enjoy dabbling in Linux too. Whatever gets me closer to the bleeding edge of technology. Not to mention that the vast majority of enterprises have some sort of mixture of both operating systems.

But it's rare to see a deployment in which the Unix/Linux servers participate in Active Directory. Yes, Active Directory is a Microsoft technology and *nix isn't just ready to jump into domain membership right out of the box, but I strongly believe that AD is the mortar that glues any corporate IT environment together. Let us not think Linux vs. Windows... but Linux and Windows!

So what are the ways *nix could benefit from Active Directory?

  • Secure, central management:
    No more maintaining a separate list of local user accounts and passwords on each and every machine. Why not keep just one database of users and machines in your Active Directory that is guaranteed to stay consistent and secure among every single member server forever?
  • Authentication:
    The main mode of authentication in an Active Directory domain is Kerberos. It was invented by some nerds at MIT. Kerberos is Greek for the three-headed hound that guards the gates of hell. (Cerberus in Latin.) This name is apt, because Kerberos is an authentication system that requires three parties: the client, the service it wants to reach, and a trusted third party (the KDC, which in AD is the domain controller). This "trusted third party" design has proven to be secure and trustworthy in any enterprise environment. And the best part? Kerberos is an open protocol that both Microsoft and *nix can enjoy.
  • As if that wasn't enough:
    Authenticate from machine to machine to machine, without having to re-type your password; without any user intervention at all even! Use one account to run a service on every machine. Active Directory-integrated machines can securely and dynamically update their own DNS records. Log on to a freshly-built machine with domain credentials, without ever needing to manage the local accounts on each and every box. The list goes on and on...
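To make the three-party idea concrete, here is an added example (not code from the original post, and not MIT, Heimdal or Windows Kerberos) that walks the three exchanges in plain Python: the AS exchange where the client logs in and gets a ticket-granting ticket, the TGS exchange where it trades that TGT for a service ticket, and the AP exchange where it presents the ticket to a service such as an SSH host, which never has to talk to the KDC. The realm `EXAMPLE.LAB`, the principals `alice` and `host/linuxbox`, the passwords, and the `seal`/`unseal` cipher (a simple encrypt-then-MAC standing in for the real enctypes) are all assumptions of this illustration.

```python
"""Toy three-party Kerberos exchange: AS (login), TGS (service ticket), AP (use it).
Constructed illustration, standard library only; seal()/unseal() is a SHA-256
keystream plus HMAC standing in for real Kerberos enctypes. Names are made up."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.LAB"        # assumed realm
TGS = "krbtgt/" + REALM      # the ticket-granting service principal
LIFETIME = 10 * 3600         # ticket lifetime in seconds
MAX_SKEW = 300               # Kerberos' default tolerated clock skew

def string_to_key(password, principal):
    # Real Kerberos also salts with REALM + principal; PBKDF2 stands in for its KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, payload):
    """Encrypt-then-MAC a JSON payload; only a holder of `key` can read or forge it."""
    nonce, plain = os.urandom(16), json.dumps(payload).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))

def _check(auth, ticket):
    # The authenticator must name the ticket's client and be fresh: a copied ticket
    # without its session key cannot produce one. Expired tickets are refused too.
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator does not match ticket")
    if time.time() > ticket["exp"]:
        raise PermissionError("ticket expired")

class KDC:
    """The trusted third party: the only place every principal's long-term key lives."""
    def __init__(self):
        self.keys = {TGS: os.urandom(32)}
    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, name)
    def _issue(self, ticket_key, reply_key, client, service):
        session = os.urandom(32).hex()   # fresh session key shared by client and service
        ticket = seal(ticket_key, {"client": client, "key": session, "exp": time.time() + LIFETIME})
        return ticket, seal(reply_key, {"key": session, "service": service})
    def as_exchange(self, client, preauth):
        # AS-REQ with pre-authentication: the timestamp only decrypts with the client's key,
        # so a wrong password fails right here and the password never crosses the wire.
        stamp = unseal(self.keys[client], preauth)
        if abs(time.time() - stamp["ts"]) > MAX_SKEW:
            raise PermissionError("pre-auth timestamp outside allowed skew")
        return self._issue(self.keys[TGS], self.keys[client], client, TGS)
    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REQ: open the TGT with the krbtgt key, then demand proof of its session key.
        t = unseal(self.keys[TGS], tgt)
        _check(unseal(bytes.fromhex(t["key"]), authenticator), t)
        return self._issue(self.keys[service], bytes.fromhex(t["key"]), t["client"], service)

class Service:
    """e.g. host/linuxbox: holds its own key (as a keytab would) and never calls the KDC."""
    def __init__(self, name, kdc):
        self.name, self.key, self.authenticated = name, kdc.keys[name], []
    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)                       # only the KDC could have sealed this
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        _check(a, t)
        self.authenticated.append(a["client"])
        return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})   # AP-REP: mutual authentication

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.key, self.kdc = name, string_to_key(password, name), kdc
    def login(self):
        tgt, reply = self.kdc.as_exchange(self.name, seal(self.key, {"ts": time.time()}))
        self.tgt, self.tgt_key = tgt, bytes.fromhex(unseal(self.key, reply)["key"])
    def connect(self, server):
        auth = seal(self.tgt_key, {"client": self.name, "ts": time.time()})
        ticket, reply = self.kdc.tgs_exchange(self.tgt, auth, server.name)
        svc_key = bytes.fromhex(unseal(self.tgt_key, reply)["key"])
        ts = time.time()
        ap_rep = unseal(svc_key, server.ap_exchange(ticket, seal(svc_key, {"client": self.name, "ts": ts})))
        return ap_rep["ts"] == ts                          # server proved it holds the service key

def demo():
    """Constructed run: a good login reaches the service, a wrong password dies at pre-auth."""
    kdc = KDC()
    kdc.add_principal("alice", "correct horse battery staple")   # made-up credentials
    kdc.add_principal("host/linuxbox", os.urandom(16).hex())
    ssh, alice = Service("host/linuxbox", kdc), Client("alice", "correct horse battery staple", kdc)
    alice.login()
    mutual = alice.connect(ssh)
    try:
        Client("alice", "wrong password", kdc).login()
        rejected = False
    except PermissionError:
        rejected = True
    return {"mutual_auth": mutual, "wrong_password_rejected": rejected, "authenticated": ssh.authenticated}
```

Two things worth noticing when running `demo()`: the service authenticates `alice` using nothing but its own key, which is exactly why a Linux host with a keytab can accept domain logons without a connection back to the domain controller at logon time; and the wrong-password attempt never produces a TGT at all, which is what turns up as a pre-authentication failure in the domain controller's security log.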


As any IT company grows, it becomes increasingly important that it maintain a cohesive, easily manageable structure that includes all of its devices. So, to that end, I took the time to replicate in my personal lab the steps necessary to join a Linux machine to my existing Windows Active Directory domain. And I've documented the journey. So without further ado:


As you can see, I've created a virtual machine and installed Linux on it. My domain is at the 2008 R2 forest and domain functional levels. It's pretty much the best domain ever. I'd put my AD architecting artistry up against anyone's.


Here I am on said virtual machine, downloading the Likewise (free edition) client. I was planning on doing it all the long, complex, hard way. This software saved me a lot of time.


I created a basic user, and delegated domain-joining permissions to him, but nothing else. I'm going to use this service account for the sole purpose of joining *nix machines to my domain.


Here's where the hair on the back of the neck of any real nerd would start standing up. See what I did there? I just joined my Linux machine to my Active Directory domain, using my specified service account. "SUCCESS" it says. I shall stand for nothing less.


Now we rush off to look at the security log on our domain controller. And what else do we see there but zero audit failures, and a handful of beautiful Kerberos ticket requests and grants. The machine account even popped up in my AD Users & Computers!
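The security-log check above is the part a practitioner should be able to repeat on demand, so here is an added example (not from the original post) that parses a Security log export and pulls out the Kerberos trail: the computer account creation (event 4741), the TGT and service-ticket requests the new member and the join account made (4768 and 4769), and the pre-authentication failures (4771) that would have shown up as audit failures. The event IDs and the Kerberos status codes are the real Windows values; `SAMPLE_LOG` is a constructed CSV in the shape such an export takes (on a real DC the same fields come from the event XML, e.g. via `Get-WinEvent -LogName Security`), and the hosts, accounts, addresses and times in it are made up.

```python
"""Kerberos audit trail from a DC Security log export (added example, constructed data)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

KERBEROS_EVENTS = {
    4741: "computer account created",
    4768: "TGT requested (AS exchange)",
    4769: "service ticket requested (TGS exchange)",
    4771: "Kerberos pre-authentication failed",
}
# Kerberos result codes as they appear in the Status field of 4768/4771 events.
STATUS = {
    "0x0": "success",
    "0x6": "client principal unknown",
    "0x12": "client credentials revoked (disabled or locked out)",
    "0x17": "password expired",
    "0x18": "pre-authentication failed (wrong password)",
    "0x19": "additional pre-authentication required (not a failure)",
}
NOT_A_FAILURE = {"", "0x0", "0x19"}

# Constructed sample: LINUXBOX$ is created, it and the join account fetch tickets,
# alice opens SSH to the host SPN, bob's source guesses passwords, carol is disabled.
SAMPLE_LOG = """\
TimeCreated,EventID,TargetUserName,ServiceName,IpAddress,Status
2012-01-15T10:01:02,4741,LINUXBOX$,,10.0.0.25,
2012-01-15T10:01:05,4768,LINUXBOX$,krbtgt,10.0.0.25,0x0
2012-01-15T10:01:05,4769,LINUXBOX$,ldap/dc01.example.lab,10.0.0.25,0x0
2012-01-15T10:02:10,4768,svc-join,krbtgt,10.0.0.25,0x0
2012-01-15T10:02:11,4769,svc-join,ldap/dc01.example.lab,10.0.0.25,0x0
2012-01-15T10:05:00,4768,alice,krbtgt,10.0.0.40,0x0
2012-01-15T10:05:01,4769,alice,host/linuxbox.example.lab,10.0.0.40,0x0
2012-01-15T10:07:30,4771,bob,,10.0.0.77,0x18
2012-01-15T10:07:33,4771,bob,,10.0.0.77,0x18
2012-01-15T10:07:36,4771,bob,,10.0.0.77,0x18
2012-01-15T10:07:39,4771,bob,,10.0.0.77,0x18
2012-01-15T10:07:42,4771,bob,,10.0.0.77,0x18
2012-01-15T10:08:00,4768,carol,krbtgt,10.0.0.41,0x12
"""

def parse_events(text):
    """Rows of the export with EventID as int and TimeCreated as datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["EventID"] = int(row["EventID"])
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        events.append(row)   # note: real exports often carry IPs as ::ffff:10.0.0.25
    return events

def join_trail(events, computer_account):
    """Event IDs the computer account produced, in order; a clean join reads 4741, 4768, 4769."""
    return [e["EventID"] for e in events if e["TargetUserName"] == computer_account]

def summarize(events):
    """Per-account counts of TGTs, service tickets and failures, with decoded failure reasons."""
    out = defaultdict(lambda: {"tgts": 0, "service_tickets": 0, "failures": 0, "reasons": set()})
    for e in events:
        acct = out[e["TargetUserName"]]
        if e["Status"] not in NOT_A_FAILURE:
            acct["failures"] += 1
            acct["reasons"].add(STATUS.get(e["Status"], "unknown " + e["Status"]))
        elif e["EventID"] == 4768:
            acct["tgts"] += 1
        elif e["EventID"] == 4769:
            acct["service_tickets"] += 1
    return dict(out)

def preauth_failure_bursts(events, threshold=5, window_seconds=60):
    """(account, ip, count) for each source that logged `threshold` or more 4771 events
    inside any `window_seconds` window: a guessing client rather than a single typo."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4771:
            by_source[(e["TargetUserName"], e["IpAddress"])].append(e["TimeCreated"])
    bursts = []
    for (acct, ip), times in by_source.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((acct, ip, best))
    return bursts
```

`join_trail(parse_events(SAMPLE_LOG), "LINUXBOX$")` returns `[4741, 4768, 4769]`, the shape of the "zero audit failures, a handful of ticket requests, and a new machine account" observation; `summarize` shows alice's SSH logon as one TGT plus one service ticket for the `host/` SPN, and `preauth_failure_bursts` separates the repeated bad-password source from a user who simply mistyped once.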


And finally - the one screenshot to rule them all - here I am SSH'ing into my Linux box for the first time using domain creds! Kerberos wins the day.

So, that's all I've got for now. I haven't really done any more in-depth research into this than what you've just seen. You're probably already wondering if I can make it do smartcards next, aren't you?
