TOM KEMP'S CENTRIFY BLOG

Centrify LISA Presentation on Integrating Linux with Microsoft Active Directory

Wednesday, November 19, 2008

Last week our VP of Technology, Mike Patnode, presented on the topic of integrating Linux (and UNIX and Mac) identity management in Microsoft Active Directory at LISA 2008 (aka the Large Installation System Administration Conference). You can view this presentation on authentication in heterogeneous environments by clicking here.

Mike told me that the presentation went great, with about 150-200 people attending his talk and afterwards a lot of people came up to him and shared their war stories of "I tried to configure [Samba, AIX, Sun] to talk to AD and never got it to work...".

Ironically, this theme of first trying open source for Linux/AD integration and then finding that it either did not work technically, or sort of worked on one specific platform but in a limited way that is not an easily scalable and repeatable approach across multiple platforms and systems, is echoed in this month's (i.e. December 2008) cover story in TechNet Magazine. Entitled "Authenticate Linux Clients with Active Directory," the article walks through the many steps needed to get Samba up and running (starting with downloading Samba and compiling it). [Ironically, this article parallels much of the content in this video interview that Sam Ramji at Microsoft did with our CTO Paul Moore a few years back.]

But back to the article ... after 10 pages of gory details the article concludes with the following:

"But there are several things that are missing to make this solution truly useful."

Now he tells us, after we went through all that. :-) OK, so what are some of the problems/issues? The author writes:

"First, getting technical support is a bit of a hit-or-miss operation. Most Linux organizations are somewhat in the dark when it comes to Active Directory, and the support you can get from the Linux community depends entirely on who happens to read your post and how they feel that day.

There are also no migration or deployment tools with Samba. If you have existing Linux accounts with their associated user IDs and permissions, you will have to manually ensure that they maintain their UIDs when you migrate them to Active Directory.

Finally, one of the most important Active Directory apps, Group Policy, isn't yet available with Samba, although it is in the works. Even though you can join a Linux system to Active Directory with Samba, you can't manage it using Group Policy."

To the author's first point, I 100% agree it is hit-and-miss: a customer, after spending many hours (or, more likely, days), may get basic AD authentication up and running on, say, Fedora 8, but the same steps won't necessarily work on Fedora 9 and will certainly require a completely different set of steps on AIX or HP-UX etc., and of course most customers have heterogeneous Linuxes and UNIXes deployed in their environment. In other words, there is significant value in making heterogeneous AD integration, well, homogeneous, and making it just, well, work. And getting support is huge: Gartner Group notes on this very topic that leveraging open source for AD integration will "require significant staffing effort and may provide limited functionality, so enterprises should be prepared to receive little support from Microsoft or the Unix vendors if any problems arise." (Gartner Report ID G00149425).

To the author's second point about being forced into rationalizing UIDs, I 100% agree with that too. What most customers need is the flexibility to map multiple UIDs to a single AD account so they are not forced into a painful rationalization process. That is why Centrify has the most robust capability in this regard: our patent-pending Zone capability. If a customer does want to go down this path of UID rationalization, we do also provide the most robust set of migration tools to enable that, again something you don't get with open source. Check out this video chalktalk for more information on our tools for UNIX account migration to Active Directory.
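A pre-migration check for the UID problem discussed above, added here as an example and not code from Centrify or the TechNet article: it compares /etc/passwd snapshots from several hosts and flags accounts whose UID differs between hosts (which is what forces either rationalization or a per-host UID mapping) and UIDs shared by different usernames (which would silently merge file permissions once both map to directory accounts). The host names and passwd entries are constructed sample data.

```python
"""Pre-migration UID audit for consolidating local UNIX accounts into Active Directory."""
from collections import defaultdict

# Constructed sample: hostname -> contents of that host's /etc/passwd (system accounts omitted)
PASSWD_SNAPSHOTS = {
    "web01": "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
             "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n",
    "db01":  "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
             "bob:x:1005:1005:Bob:/home/bob:/bin/ksh\n"
             "carol:x:1002:1002:Carol:/home/carol:/bin/bash\n",
    "aix01": "alice:x:2001:2001:Alice:/home/alice:/bin/ksh\n",
}


def parse_passwd(text):
    """Return {username: uid} for well-formed passwd lines; blank or malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def audit_uids(snapshots):
    """Return (inconsistent, collisions).

    inconsistent: {user: {host: uid}} for users whose UID is not the same on every host.
    collisions:   {uid: {usernames}} for UIDs assigned to more than one username anywhere.
    """
    per_user = defaultdict(dict)   # user -> host -> uid
    per_uid = defaultdict(set)     # uid -> usernames that own it on some host
    for host, text in snapshots.items():
        for user, uid in parse_passwd(text).items():
            per_user[user][host] = uid
            per_uid[uid].add(user)
    inconsistent = {u: hosts for u, hosts in per_user.items() if len(set(hosts.values())) > 1}
    collisions = {uid: names for uid, names in per_uid.items() if len(names) > 1}
    return inconsistent, collisions


if __name__ == "__main__":
    inconsistent, collisions = audit_uids(PASSWD_SNAPSHOTS)
    for user, hosts in sorted(inconsistent.items()):
        print(f"{user}: UID differs per host {hosts} -> needs a per-host mapping or rationalization")
    for uid, names in sorted(collisions.items()):
        print(f"UID {uid} is shared by {sorted(names)} -> file permissions would merge after migration")
```

Run it against real snapshots by reading each host's /etc/passwd into the dictionary; the same logic applies to NIS maps dumped with `ypcat passwd`.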

As it relates to his third point, I think the author misses some additional key drawbacks of the open source approach to AD integration: namely, this approach flat out won't work in many complex AD environments (as Mike articulates in slide 20 of his LISA presentation), nor does Samba winbind have the additional enterprise features (beyond group policy) that most customers need, such as support for Windows 2008 read-only domain controllers, role-based access control, superuser privilege management, user-level auditing, application support for apps such as DB2 and SAP, etc. (as Mike articulates in slides 27 and 28 of his presentation).

At Centrify, we have actually seen the number of prospective customers seriously considering open source to address their cross-platform AD integration needs decrease over the last few years rather than increase, as I think customers are getting more sophisticated in knowing what open source in this particular area really entails. I think the mindset is "sure it's free, but who has time for that?", i.e. free as in "free puppies": why screw around trying to implement something that probably won't work well (e.g. does not support complex AD environments), lacks support (e.g. phone, bug fixes, upgrades, keeping current with new revs of the OS, etc.), lacks basic capabilities that my business requires (e.g. group policy, Zones for access control, specific platform support, etc.), and lacks an upgrade path to more advanced capabilities that I will eventually need (e.g. application support, superuser privilege management, user-level auditing, etc.)?

The few prospects that went down this open source/freebie path invariably come back for a commercial solution, and of course we welcome them back. At Centrify we believe we offer not only the best Active Directory / Linux integration solution with advanced capabilities such as our Zones, our depth of application and platform support, etc. but we give them a seamless path to additional capabilities - that go beyond authentication services - in the areas of authorization, auditing, federated identity, etc. that are all built on a single integrated architecture. [Speaking of "going beyond authentication services", please check out this webinar on this exact topic that we did with Gartner Group.] Unfortunately for a few customers out there they first need to experience the pain ("but this open source stuff looked so easy in that article") before they realize it was not the best path to go down, but hopefully an article like this will reduce the number of people heading down that painful path to begin with. :-)
