TOM KEMP'S CENTRIFY BLOG
Monday, December 17, 2007
Recently I visited a large enterprise organization that has over 30 Network Information Services ("NIS") domains in their UNIX and Linux environment. Microsoft was kind enough to introduce us to this account, which is looking at integrating Windows with UNIX/Linux. The customer is now looking to deploy Centrify DirectControl to de-commission their NIS infrastructure and move to using Active Directory as the central directory identity store for not only their Windows environment but their thousands of UNIX and Linux systems as well. I have done a video chalktalk with our Director of Engineering, Mike Patnode, on how Centrify DirectControl delivers NIS Migration and Interoperability, and we have a nice whitepaper on Migrating UNIX Directories (e.g. /etc/passwd, NIS/NIS+, LDAP directories, etc.) to Active Directory, but I thought it would be nice to complement this material with this blog entry on how our customers are migrating NIS services to Active Directory with DirectControl.
First some background on NIS. For the last 20 years, NIS (originally known as Sun Yellow Pages) has been the primary choice for managing UNIX identity information in a networked environment. NIS had quite an amazing run, given the number of management and security headaches it presents:
Sun tried to address some of these issues with NIS+, but it was never widely accepted as a standard and suffered from a complicated user password management policy that proved difficult to manage in real-world enterprise environments.
Now with the success of LDAP and Sun's end-of-life announcement for NIS and NIS+ support, system administrators need to either deploy new network services or leverage existing directory deployments. DirectControl provides a number of features to migrate your authentication and NIS data services to Active Directory so you can get great Active Directory-based UNIX and Linux single sign-on within your environment.
First off, NIS domains can map very nicely to DirectControl Zones in that each NIS domain represents a unique set of user and group profile information. Furthermore, the DirectControl Management Console allows you to import users and groups directly from a NIS server (note that no additional software is required to be purchased for DirectControl's migration wizards - it is a standard part of DirectControl). Once this process is complete, all user and group information is sent over encrypted LDAP connections, and user authentication is handled by Kerberos. The end result is that UNIX authentication leverages Active Directory.
[New feature plug: with DirectControl 4 we improved the import process for migrating NIS domains to support the ability to modify data during import, which is important if you are making some changes to your environment as you migrate users' UNIX accounts that are stored in NIS into Active Directory. Additionally, the import process has been extended to support either multi-operator processing of the import data (where the pending UNIX data is stored in Active Directory) or single-operator processing (where the data is stored in an XML file on the operator's workstation).]
If you are using NIS for other maps such as netgroups, automount, or even custom maps, DirectControl also includes a NIS server, which allows these maps to be stored in Active Directory. Once again, the DirectControl Administrator Console includes an import utility to import and migrate the NIS maps into LDAP via the Zone container (in DirectControl 4 the Zone data can also be stored as an OU within Active Directory). Note that you do not need to import or maintain the "by" maps (hosts.byname, netgroup.byhost, protocols.bynumber, etc.), since those will be generated automatically by the DirectControl NIS service. Once the maps are imported into the Zone, individual map entries can be edited using the Centrify Administrator Console or standard LDAP utilities. Note that the passwd and group maps will be derived from the existing Zone information.
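To show what "generated automatically" means for the reverse "by" maps, here is an added example (not DirectControl's code) that derives netgroup.byhost and netgroup.byuser from a constructed netgroup source map; it also handles nested netgroups and reference cycles, and its "field.domain" key format with "*" for an empty domain is an assumption following common NIS conventions.

```python
"""Derive netgroup.byhost / netgroup.byuser reverse maps from a netgroup source
map, as an NIS server generates its "by" maps.  Added example, not Centrify code;
the "field.domain" key ("*" for an empty domain) follows common NIS conventions."""
from collections import defaultdict

# Constructed sample map: group name, nested group names, (host,user,domain) triples.
NETGROUP_MAP = """\
unixadmins (,alice,) (,bob,corp.example)
webhosts (web1,,corp.example) (web2,,)
allhosts webhosts (db1,,corp.example)
staff unixadmins (,carol,)
"""

def parse_netgroup_map(text):
    """Return {netgroup: [triple tuple or nested netgroup name, ...]}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *members = line.split()
        entries = []
        for m in members:
            if m.startswith("(") and m.endswith(")"):
                entries.append(tuple(f.strip() for f in m[1:-1].split(",")))
            else:
                entries.append(m)  # reference to another netgroup
        groups[name] = entries
    return groups

def expand(groups, name, seen=None):
    """Flatten nested netgroups into a set of triples, guarding against cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    triples = set()
    for m in groups[name]:
        triples |= {m} if isinstance(m, tuple) else expand(groups, m, seen)
    return triples

def reverse_maps(groups):
    """Build netgroup.byhost and netgroup.byuser as {key: "grp1,grp2,..."}."""
    byhost, byuser = defaultdict(set), defaultdict(set)
    for name in groups:
        for host, user, dom in expand(groups, name):
            for field, table in ((host, byhost), (user, byuser)):
                if field and field != "-":  # empty or "-" means no value here
                    table[f"{field}.{dom or '*'}"].add(name)
    fmt = lambda d: {k: ",".join(sorted(v)) for k, v in d.items()}
    return fmt(byhost), fmt(byuser)
```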
After installing the DirectControl NIS server package, the local machine can be configured to bind as a client to the DirectControl NIS server. Although password hashes are not provided in the NIS passwd map by default, the default configuration only allows localhost connections. Hence all the NIS map data is still encrypted when delivered over the network. Furthermore, the DirectControl Agent will cache the NIS data, thus protecting the system NIS interfaces from network issues.
Finally, if you have legacy operating systems that cannot support the DirectControl Agent, the NIS server can provide a UNIX password hash in the NIS passwd map. This requires the installation of a password synchronization service on the Domain Controller. Centrify provides such a service with the DirectControl Administrator Console, or DirectControl can be configured to use the Microsoft SFU UNIX password synchronization service provided with Windows 2003 R2. This requires at least one UNIX server joined to Active Directory via the DirectControl UNIX Agent, with the NIS server package installed and configured to allow remote connections. Centrify recommends allowing connections only from the IP addresses of the NIS clients. The password hash security can also be improved by increasing the password length and complexity policies in Active Directory, which will then be applied to DirectControl users, and in turn passed on to your NIS users. But note that the NIS users will need to change their passwords on either a UNIX machine with the DirectControl Agent installed, or a Windows desktop. NIS password change requests are not supported.
The Bottom Line re: Migrating NIS to Active Directory
Centrify makes it easy to move off of a legacy NIS-based infrastructure to a modern LDAP- and Kerberos-based directory infrastructure that works across a heterogeneous environment comprised of Windows, UNIX, Linux and Mac systems. The benefits of this Windows and UNIX interoperability are significant: not only do you replace an unsecured, outdated, and end-of-lifed infrastructure (NIS) with a secure, fully supported, and modern identity infrastructure (Active Directory), but IT personnel get the advantages of centralized administration, authentication and access control across a mixed environment while leveraging their existing investment and skill set in their Active Directory deployment. And your end-users get the advantage of single sign-on to UNIX and Linux systems using their Windows credentials.
The nice thing is that Centrify helps you navigate to your desired end destination with a broad spectrum of features. We provide migration tools for a variety of scenarios: NIS and /etc/passwd import wizards, our Zones capability to map multiple UNIX UIDs to a single Active Directory account, and our adfixid utility that can help you rationalize UNIX UIDs and move to a single UID-to-Active-Directory-account mapping if you want to go down that path. But through our NIS Server we also deliver the interoperability capabilities that customers require as they move and migrate from NIS to Active Directory. The reality is that most customers can't migrate overnight, so having a robust NIS Server that supports the storing of NIS maps within Active Directory is a must.
And finally, if you want additional expert advice, check out these videos with one of our resident gurus, Mike Patnode: Migrating UNIX Identities to Active Directory and NIS Migration and Interoperability (plus we have other great chalktalks on authenticating UNIX and Linux against Active Directory), or log on to our support portal and check out the documentation on our NIS Migration tools as well as our Active Directory-enabled NIS Server.