About This Guide
The Windows Security and Directory Services for UNIX Guide focuses on the use of Microsoft® Windows Server™ 2003 or Windows® 2000 Server Active Directory® directory service to provide centralized authentication and authorization services for users in a network that includes both UNIX-based and Windows-based computers.
Authentication (the validation of user identity) and authorization (the approval of users to access data) are important requirements in ensuring data security. As the world becomes more and more connected, the vision of information available anywhere, at any time, and on any device comes closer to reality. However, organizations will trust such an interconnected environment to store sensitive data only if they can verify the identity of any user who requests access to that data. In addition, no organization wants to allow even an identified user unlimited access to all of its information assets.
The Windows Security and Directory Services for UNIX Guide provides guidance in selecting the best solution to meet the authentication and authorization needs of your organization. The guide also explains the best practices and the major issues that you are likely to face as you implement the solution that is most appropriate for your organization.
This guide is intended for business and computer professionals who are responsible for planning, designing, and implementing interoperability solutions for security and directory services, including:
Business analysts and business decision makers who determine which changes to the network are important enough to include in the budget.
Architects and planners who are responsible for network structure in the organization, including designing the interaction between workstations and servers for both Windows and UNIX operating systems.
IT security specialists who focus on providing security across platforms within an organization.
Consultants, from both Microsoft Worldwide Services and partners, who help develop solutions for integrating Windows and UNIX for enterprise customers and partners.
IT professionals, such as Corporate Information Officers (CIOs), IT directors, data center managers, and senior network engineers who assess an organization's authentication and authorization options and who develop and deploy a new or updated solution.
This guide assumes an understanding of Windows and UNIX or Linux operating systems as well as a sound knowledge of information security terminology and techniques. As noted later in "Guide Overview," you should also be familiar with the UNIX Migration Project Guide (UMPG), which is available at http://go.microsoft.com/fwlink/?LinkId=20012.
Specifically, this guide assumes that your technical team has, in aggregate, the following competencies:
Familiarity with UNIX administration.
Familiarity with Windows administration, including Active Directory.
Knowledge of DNS in both Windows and UNIX environments.
Proficiency with Windows Services for UNIX if you choose a solution that requires Services for UNIX. Windows Services for UNIX is needed for some solutions that use Active Directory authorization for UNIX clients. It is not needed for solutions that use only Active Directory authentication.
Familiarity with LDAP protocols.
Familiarity with the Kerberos protocol.
If you choose to implement one of the two commercial solutions provided in this guide, the required competency levels will be lower than if you choose to implement one of the several included do-it-yourself solutions.
In order to develop and deploy a centralized Windows Active Directory authentication and authorization solution that includes both UNIX-based and Windows-based computers, you must first investigate your possible options. This guide presents several possible options, each handling authentication and authorization in a different way, and provides specific solutions to reach each end state.
In this guide, an end state is a model that defines a specific set of authentication and authorization—or authentication only—interoperability options for Windows and UNIX.
This guide shows you how to achieve implementation of five significantly different end states:
End State 1. UNIX clients use Active Directory Kerberos for authentication but continue to use an existing UNIX-based data store for authorization.
End State 2. UNIX clients use Active Directory Kerberos for authentication and use Active Directory LDAP for authorization.
End State 3. UNIX clients use Active Directory LDAP for authentication but continue to use an existing UNIX-based data store for authorization.
End State 4. UNIX clients use Active Directory LDAP for both authentication and authorization.
End State 5. UNIX and Windows infrastructures remain separate: UNIX clients use UNIX-based Kerberos for authentication, Windows clients use Active Directory Kerberos for authentication, and a cross-realm trust enables UNIX and Windows users (if the cross-realm trust is a two-way trust) to access services on the other side.
To achieve End States 1–4, you either migrate only authentication data for UNIX users to Active Directory, or you migrate both authentication and authorization data for UNIX users to Windows Active Directory. To achieve End State 5, no UNIX user information is migrated.
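Which of End States 1 through 4 a given UNIX host is actually in can be read off its login configuration: the PAM auth stack shows whether authentication goes to Kerberos or LDAP, and the passwd: line of nsswitch.conf shows whether authorization data comes from LDAP or from the existing UNIX store. The following classifier is an added example, not part of the guide; it assumes Linux-PAM line layout, the module names pam_krb5.so and pam_ldap.so, and uses constructed configuration fragments rather than the guide's Appendix I files.

```python
"""Classify a UNIX host's login configuration into one of the guide's End States 1-4.

Authentication is read from the PAM 'auth' stack (pam_krb5 = Active Directory
Kerberos, pam_ldap = Active Directory LDAP); authorization, that is where user
identity and group data come from, is read from the passwd: line of
nsswitch.conf (an 'ldap' source means Active Directory LDAP).
"""
import re

END_STATES = {
    ("kerberos", "unix"): 1,  # AD Kerberos auth, existing UNIX data store
    ("kerberos", "ldap"): 2,  # AD Kerberos auth, AD LDAP authorization
    ("ldap", "unix"): 3,      # AD LDAP auth, existing UNIX data store
    ("ldap", "ldap"): 4,      # AD LDAP auth and authorization
}


def _strip(line):
    """Drop comments and surrounding whitespace from a config line."""
    return line.split("#", 1)[0].strip()


def pam_auth_backend(pam_text):
    """Return 'kerberos', 'ldap' or 'local' from the first network auth module."""
    for line in pam_text.splitlines():
        fields = _strip(line).split()
        # Linux-PAM layout assumed: <type> <control> <module> [args]
        if len(fields) < 3 or fields[0] != "auth":
            continue
        module = fields[2].rsplit("/", 1)[-1]
        if module.startswith("pam_krb5"):
            return "kerberos"
        if module.startswith("pam_ldap"):
            return "ldap"
    return "local"


def nss_passwd_sources(nss_text):
    """Return the ordered passwd: sources of nsswitch.conf, minus [action] tokens."""
    for line in nss_text.splitlines():
        match = re.match(r"passwd\s*:\s*(.*)$", _strip(line))
        if match:
            return [tok for tok in match.group(1).split() if not tok.startswith("[")]
    return ["files"]  # nsswitch default when the line is absent


def classify_end_state(pam_text, nss_text):
    """Return 1-4, or None when authentication is still purely local.

    End State 5 (a separate UNIX realm trusted by Active Directory) cannot be
    told apart from End State 1 here: both show pam_krb5. The realm and KDC
    settings in krb5.conf would have to be inspected as well.
    """
    auth = pam_auth_backend(pam_text)
    authz = "ldap" if "ldap" in nss_passwd_sources(nss_text) else "unix"
    return END_STATES.get((auth, authz))


# Constructed sample fragments, not the guide's Appendix I files.
PAM_KRB5 = "auth  sufficient  pam_krb5.so\nauth  required  pam_unix.so try_first_pass\n"
PAM_LDAP = "auth  sufficient  pam_ldap.so\nauth  required  pam_unix.so try_first_pass\n"
NSS_UNIX = "passwd: files nis\ngroup:  files nis\n"
NSS_LDAP = "passwd: files ldap [NOTFOUND=return]\ngroup:  files ldap\n"

if __name__ == "__main__":
    for name, pam, nss in [("krb5+nis", PAM_KRB5, NSS_UNIX), ("krb5+ldap", PAM_KRB5, NSS_LDAP)]:
        print(name, "-> End State", classify_end_state(pam, nss))
```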
Technology Solutions to Implement Each End State
The implementation of each end state is referred to in this guide as a solution, or technology solution. Technology solutions are distinct from end states because of the variety of means that you can use to achieve any one end state.
The centralized authentication and authorization functionality presented in this guide for End States 1–4 is based on the Active Directory Kerberos and LDAP services provided by a domain controller running Windows Server 2003 or Windows 2000 Server.
Note The procedures for all of the solutions presented in this guide were developed and tested on servers running Windows Server 2003.
You can use any of the following approaches to configure solutions for the various end states:
Custom, or do-it-yourself, technology solutions:
Native OS solutions. UNIX or Linux native operating system components (End States 1–4). In this guide, these are referred to as "native OS" solutions.
CAUTION We do not recommend deploying the native OS Red Hat 9 solution in your production environment because of the security risks inherent in this solution. For more information, see the discussion in the section "Use Red Hat 9 with Native OS Components for End States 1 and 2" in Volume 2: Chapter 4, "Developing a Custom Solution." (This limitation does not apply to the native OS Solaris solution or to the open source Red Hat solution.)
Open source solutions. UNIX or Linux native operating system components used in conjunction with open source software (End States 1–4). In this guide, these are referred to as "open source" solutions.
Relevant open source software includes, for example, MIT Kerberos (available at http://web.mit.edu/kerberos/www/), PAM modules provided by Certified Security Solutions (available at http://www.css-security.com), or the LDAP modules provided by PADL (available at http://www.padl.com).
Cross-realm trust (End State 5 only).
Commercial technology solutions:
This guide provides prescriptive guidelines for determining which of these approaches—used to implement one or more of the five end states—best meets your business goals and requirements.
This guide provides end-to-end guidance for completing a Windows Security and Directory Services for UNIX project; it addresses the several audiences who will be responsible for different aspects of the project.
The organization of the guide is based on two viewpoints:
Organization by project structure. The guide’s content is organized generally according to the widely accepted solution life cycle stages of plan, build, deploy, and operate as described by Microsoft Solutions Framework (MSF) and Microsoft Operations Framework (MOF). Background information about MSF and MOF and how they correlate to each other is discussed in the following section.
Organization by volume. Because the guide covers several different authentication and authorization solutions (called end states), not all of the content in the guide will be relevant to you based on the end state solution you choose to implement. See the “Guide Organization by Volume” section for information about determining which volumes you should read.
Guide Organization by Project Structure
Figure 0.1 illustrates the correlation between the IT solution stages and the MSF and MOF phases around which this guide is organized. See the following sections for background information about MSF and MOF.
Figure 0.1. Correlation of project life cycle stages with MSF and MOF
MSF and Real-World Scenarios
This guide is based on the industry-proven Microsoft Solutions Framework (MSF) method for managing IT projects. MSF 3.0 is a linear, milestone-based framework for IT projects that defines five distinct project phases: Envisioning, Planning, Developing (in this case, developing an interoperability solution), Stabilizing, and Deploying. The volumes making up the Windows Security and Directory Services for UNIX Guide are organized around these phases and provide the technical and solution-specific information needed to complete your project.
In addition, this guide employs real-world scenarios that translate abstract principles and concepts into practical, prescriptive advice. Separate chapters step you through the stages involved in developing, testing and stabilizing, deploying, operating, and evolving each technology solution presented in this guide.
The UMPG and MOF Guidelines
The Windows Security and Directory Services for UNIX Guide is designed to be used with a companion guide, the UNIX Migration Project Guide (UMPG). Both guides are organized according to the five MSF project phases, but the UMPG focuses on providing "people and process" guidance. The UMPG describes the processes and deliverables associated with each MSF phase and the MSF Team Model roles responsible for each phase. It also includes a brief description of Microsoft Operations Framework (MOF), which informs the Operations chapter of this guide.
The process guidance provided by the UMPG is separated from the technical and project-specific guidelines available in this guide in order to keep this guide as concise as possible. Project management and team leaders should read the UMPG in order to apply its recommendations to the project as a whole. However, many team members need to focus on only those project tasks described in the Windows Security and Directory Services for UNIX Guide for which they are responsible.
Note Although this guide and the UMPG guide are designed to be used together, your organization might use an alternative project methodology. In that case, you can use the UMPG to map the MSF phases and team structure to the elements of your organization's methodology. To do so, you can read the overview of MSF in the UMPG to familiarize yourself with the MSF Process Model, the MSF Team Model, and MSF terminology.
For more information on MSF and MOF, see:
The MSF Web site at http://www.microsoft.com/technet/itsolutions/msf/default.mspx.
The MOF Web site at http://www.microsoft.com/technet/itsolutions/cits/mo/mof/default.mspx.
You can download the UMPG at http://go.microsoft.com/fwlink/?LinkId=20012.
Guide Organization by Volume
This guide is divided into four volumes. You need to read Volume 1: Overview and Envisioning to evaluate which end state is appropriate for your organization. After that, you need to read only one of Volumes 2, 3, or 4, depending on the end state you choose to implement. Note: It is likely that different audiences will be most interested in different content sections within specific volumes. For example, decision makers will need to read the Envisioning chapter and developers will be more interested in the Developing chapters. In addition, applicable appendices are available for each end state.
The following figure depicts the guide’s organization by volume. The white-shaded portion indicates the position of the current volume in the layout of the entire guide.
Figure 0.2. Volume and chapter structure of the Windows Security and Directory Services for UNIX Guide
Volume 1: Overview and Envisioning. This volume is for every reader who is potentially interested in any of the solutions in this guide. It includes an overview of authentication and authorization and a description of the five end states as well as information about the Envisioning Phase of your project. The Envisioning chapter includes job aids to help assess which end state to choose.
Volume 2: Solutions Using Kerberos Authentication (End States 1 and 2). This volume provides information on the planning, developing, stabilizing, deploying, operating, and evolving stages for End States 1 and 2. Volume 2 provides two commercially available solutions and several custom, or do-it-yourself, solutions. Volume 2: Chapter 1, “Choosing the Right Technology and Planning Your Solution” includes job aids to help you choose the specific technology solution that you want to deploy.
Volume 3: Solutions Using LDAP Authentication (End States 3 and 4). This volume provides information on the planning, developing, stabilizing, deploying, operating, and evolving stages for several do-it-yourself solutions for End States 3 and 4. Volume 3: Chapter 1, “Choosing the Right Technology and Planning Your Solution” includes job aids to help you choose the specific technology solution that you want to deploy. (Note: Volume 3 will be included in the next release of this guide.)
Volume 4: Solutions Using Kerberos Interoperability (End State 5). This volume provides information on the planning, developing, stabilizing, deploying, operating, and evolving stages for do-it-yourself solutions for End State 5. Volume 4: Chapter 1, “Choosing the Right Technology and Planning Your Solution” includes job aids to help you choose the specific technology solution that you want to deploy. (Note: Volume 4 will be included in the next release of this guide.)
All volumes, appendices, and job aids are included in the download of this solution guide.
Chapters in This Volume
This section describes the chapters in Volume 1: Overview and Envisioning of the Windows Security and Directory Services for UNIX Guide. (Note: “About This Volume” for Volumes 2, 3, and 4 provides summaries of each of the chapters included in that volume.)
About This Guide. Provides an overview of the guide's purpose, content, organization, and conventions.
Chapter 1: Overview of Authentication and Authorization Technologies and Solution End States. Introduces Active Directory (which you can use to provide authentication and authorization for users of UNIX as well as for Windows), the concepts of authentication and authorization, and key technologies such as the Kerberos v5 protocol and LDAP. This chapter also introduces the end states and technology solutions provided in this guide.
Chapter 2: Envisioning Your Windows Security and Directory Services Solution. Provides information that can help you determine your business goals and requirements, produce vision/scope documents, determine which end state is most appropriate for your organization, and assess the project's level of risk. Job aid templates are provided for the documents that you use to perform these tasks.
This section describes the various resources that are included in the Windows Security and Directory Services for UNIX Guide and information that will assist in using the guide.
The guide includes a set of the appendices referred to throughout the guide. Some appendices are intended for specific solutions; others are more general in nature—for example, the “Acronym List” and “Bibliography/References” appendices.
The following appendices are included with this solution guide:
Appendix A: Architectural Overview of UNIX and Windows Authentication and Authorization
Appendix B: Pertinent RFCs
Appendix C: Kerberos and LDAP Error Messages
Appendix D: Kerberos and LDAP Troubleshooting Tips
Appendix E: Relevant Windows and UNIX Tools
Appendix F: Migrating Digital Identity Information to Active Directory
Appendix G: Configuring DNS for a Heterogeneous UNIX and Windows Environment
Appendix H: Configuring Time Services for a Heterogeneous UNIX and Windows Environment
Appendix I: Sample Configuration Files for Custom Solutions
Appendix J: Custom Technology Solutions Capabilities Matrix
Appendix K: Acronym List
Appendix L: Installing and Configuring Active Directory and DNS in Your Lab
Appendix M: Bibliography/References
The following job aids are included with this solution guide:
Budget Plan Template. Provides a high-level look at the estimated costs to the organization to build and deploy the solution.
Current State Infrastructure Report Template. Describes the environment into which the solution will be placed. Provides information on any legacy systems that might affect or must be accounted for in the solution design.
Deployment Plan Template. Defines the actions required for a smooth deployment and transition of the solution to the production environment.
Development Plan Template. Describes the solution development process used for the project.
End State Selection Tool. Compares all of the end states on the basis of their capability to meet common business and technical requirements that can be expressed as design goals.
Operations Plan Template. Defines the actions required to ensure that the solution will be operated appropriately in the production environment.
Pilot Plan Template. Describes what the pilot deployment will include and provides information about how to conduct the pilot successfully. Explains how to evaluate the pilot, including determining whether you are ready to move the solution to production or need to conduct another pilot.
Project Structure Template. Defines the approach the team will take in organizing and managing the project, including goals, work scope, team requirements, team processes, and risk.
Project Team Skills Template. Lists the required skill sets for the project team. It also includes training resources.
Risk Assessment Tool. Helps to identify, prioritize, and manage project risks. Contains an extensive list of common risks associated with each end state.
Security Plan Template. Defines the actions required to ensure a secure solution in the production environment.
Solaris_native_LDAP_config file. File that contains the script to configure the Solaris host as an LDAP client for the native OS Solaris End State 2 solution.
Test Plan Template. Defines the actions required to ensure that the solution is tested and approved for release.
Vision/Scope Template. Provides a high-level view of the solution and includes business opportunity, solution concept, scope, and solution design strategies.
Depending on the solution you choose to deploy, the following software is required to implement the solutions described in this guide:
Windows Server 2003.
Depending on your solution, you need UNIX or Linux environments that include one or more of the following:
Some end states require a development environment that must be either preexisting or built using the instructions in the guide for downloading and installing a development environment.
Some custom solutions require the 1.3.5 (or later) version of the MIT Kerberos package (krb5-1.3.5.tar), available from Kerberos V5 Release 1.3 Source Distributions at http://web.mit.edu/kerberos/dist/historic.html#krb5-1.3-src. The custom solutions in Volume 2: Chapter 4, "Developing a Custom Solution" were developed and tested with MIT Kerberos 1.3.5.
Note The configuration for custom solutions described in Volume 2: Chapter 4, "Developing a Custom Solution" is not directly compatible with 1.4.x versions of MIT Kerberos and will need some modification to work with that version of the software.
Some custom open source solutions include the CSS pam_krb5.so module and the CSS ADKadmin tool. These are available for download from http://www.css-security.com.
Some custom solutions require the Cyrus SASL library, available from Download Cyrus Software at http://asg.web.cmu.edu/cyrus/download/.
Some custom solutions require LDAPv3-compliant LDAP libraries and client tools.
Some solutions require Windows Services for UNIX 3.5, which is available from Windows Services for UNIX 3.5 Downloads at http://www.microsoft.com/windowsserversystem/sfu/downloads/default.mspx.
Quest Software Vintela Authentication Services (VAS) product, if you choose to deploy this solution, available at http://www.vintela.com.
Centrify DirectControl product, if you choose to deploy this solution, available at http://www.centrify.com.
For specific information about which solution requires which software, see the chapters about the solution or solutions that you might want to consider deploying in Volumes 2, 3, and 4 of this guide.
This guide uses the document conventions shown in the following table.
Table 0.1 Document Conventions
Bold font. Used for commands; literal arguments to commands (including paths when they form part of the command); switches; and programming elements such as methods, functions, UNIX and Linux system calls, LDAP object classes, LDAP attribute names, data types, data structures, and daemon (program) names. User interface elements are also identified with bold font.
Italic font. Used for variables to be replaced by the user. It is also used to emphasize important information, such as a key term used for the first time.
Monospace font. Used for excerpts from configuration files, code examples, and terminal sessions.
Monospace bold font. Used to represent commands or other text that the user types exactly as shown.
Monospace italic font. Used to represent variables the reader supplies in command-line examples and terminal sessions.
Note. Used to indicate neutral or positive information that emphasizes or supplements important points of the main text.
Important. Used to provide information that is essential to the completion of a task.
Caution. Used to advise users that failure to take or avoid a specific action could result in damage to software, hardware, or data.
The Microsoft Interoperability and Migration Solutions (MIMS) group would like to acknowledge the team that produced the Windows Security and Directory Services for UNIX Guide. The following people were either directly responsible for, or made a substantial contribution to, the writing, development, and testing of the solutions described in this guide.
Luis Camara Manoel (Microsoft Corporation)
Mark Short (Microsoft Corporation)
Jason D. Zions (Microsoft Corporation)
Sarah Duncan (Certified Security Solutions)
Peter Larsen (Microsoft Corporation)
Doug McDorman (Certified Security Solutions)
Doug Miller (Centrify)
Jason D. Zions (Microsoft Corporation)
Sandor Kiss (Microsoft Corporation)
Chris Edgin (Excell Data Corporation)
Dhilip Gopalakrishnan (Microsoft Corporation)
Gaile Simmons (Microsoft Corporation)
Laurie McKnight (Volt Technical Services and Wadeware)
Authors/Subject Matter Experts
Arlene Berry (Certified Security Solutions)
Sarah Duncan (Certified Security Solutions)
David Eyes (Vintela)
Doug McDorman (Certified Security Solutions)
Doug Miller (Centrify)
Thomas Olsen (Volt Technical Services)
Gaile Simmons (Microsoft Corporation)
Tatsuo Yamada (Volt Technical Services)
Patricia Rytkonen (Volt Technical Services)
Bill Miller (Interopsystems)