About This Volume
Overview of Volume 2
The Windows Security and Directory Services for UNIX Guide focuses on the use of Microsoft® Windows Server™ 2003 or Windows® 2000 Server Active Directory® directory service to provide centralized authentication and authorization services for users in a network that includes both UNIX-based and Windows-based computers.
Volume 1: Overview and Envisioning provided an overview of authentication and authorization and a description of the five end state technology solutions implemented in this guide. Volume 1 also included information about the Envisioning Phase of your project.
This volume, Volume 2: Solutions Using Kerberos Authentication (End States 1 and 2), provides Kerberos-specific information on the planning, developing, stabilizing, deploying, operating, and evolving stages for End States 1 and 2. Volume 2 discusses two commercially available solutions and several custom, or do-it-yourself, solutions. Volume 2: Chapter 1, “Choosing the Right Technology and Planning Your Solution” includes job aids to help you choose the specific technology solution that you want to deploy.
This guide is intended for business and computer professionals who are responsible for planning, designing, and implementing interoperability solutions for security and directory services, including:
Business analysts and business decision makers who determine which changes to the network are important enough to include in the budget.
Architects and planners who are responsible for network structure in the organization, including designing the interaction between workstations and servers for both Windows and UNIX operating systems.
IT security specialists who focus on providing security across platforms within an organization.
Consultants, from both Microsoft Worldwide Services and partners, who help develop solutions for integrating Windows and UNIX for enterprise customers and partners.
IT professionals, such as Corporate Information Officers (CIOs), IT directors, data center managers, and senior network engineers who assess an organization's authentication and authorization options and who develop and deploy a new or updated solution.
This guide assumes an understanding of Windows and UNIX or Linux operating systems as well as a sound knowledge of information security terminology and techniques. You should also be familiar with the UNIX Migration Project Guide (UMPG), which is available at http://go.microsoft.com/fwlink/?LinkId=20012.
Specifically, this guide assumes that your technical team has, in aggregate, the following competencies:
Familiarity with UNIX administration.
Familiarity with Windows administration, including Active Directory.
Knowledge of DNS in both Windows and UNIX environments.
Proficiency with Windows Services for UNIX if you choose a solution that requires Services for UNIX. Windows Services for UNIX is needed for some solutions that use Active Directory authorization for UNIX clients. It is not needed for solutions that use only Active Directory authentication.
Familiarity with LDAP protocols.
Familiarity with the Kerberos protocol.
How to Use This Volume
This section outlines the guide's organizational structure and provides resources for using this guide.
Guide Organization by Volume
The following figure depicts the structure of the guide. The portion shaded in white illustrates the position of the current volume in the layout of the entire guide.
Figure 0.1. Volume and chapter structure of the Windows Security and Directory Services for UNIX Guide
All volumes, appendices, and job aids are included in the download of this solution guide.
Chapters in This Volume
This section describes the chapters in Volume 2: Solutions Using Kerberos Authentication (End States 1 and 2) of the Windows Security and Directory Services for UNIX guide.
About This Volume. Provides an overview of the volume’s purpose, content, organization, and conventions.
Chapter 1: Choosing the Right Technology and Planning Your Solution. Provides information that can help you select the most appropriate technology solution for your organization. This chapter also provides information about how to develop your solution's design and architecture, create a functional specification, develop detailed project plans, and set up the development and test environments. Job aid templates are provided for the documents that you use to perform these tasks.
Note: Chapters 2 and 3 each describe an "out-of-the-box" solution that you can purchase:
Chapter 2: Using Quest Software VAS to Develop, Stabilize, Deploy, Operate, and Evolve End State 2. Provides guidelines to develop, stabilize, deploy, operate, and evolve the VAS solution. Because VAS is a compact, complete solution for security and directory services, a single chapter includes all MSF Process Model phases for this solution.
Chapter 3: Using Centrify DirectControl to Develop, Stabilize, Deploy, Operate, and Evolve End State 2. Provides guidelines to develop, stabilize, deploy, operate, and evolve the DirectControl solution. Because DirectControl is a compact, complete solution for security and directory services, a single chapter includes all MSF Process Model phases for this solution.
Chapters 4–8 are a set that describes several custom, or "do-it-yourself," solutions that you can develop yourself:
Chapter 4: Developing a Custom Solution. Provides guidelines for developing any of several technology solutions by using either native operating system components included in the base UNIX or Linux operating system, or by using the native operating system as a foundation but adding Kerberos and LDAP components and tools, which are available as open source software and free downloads from third parties.
Chapter 5: Stabilizing a Custom Solution. Provides guidelines for testing and stabilizing the custom solution that you want to deploy.
Chapter 6: Deploying a Custom Solution. Provides guidelines for deploying the solution that you have chosen to implement in your production environment and for transferring ownership of the solution to your operations team.
Chapter 7: Operating a Custom Solution. Focuses on what is likely to be different in an operational sense as a result of the interoperability solution that you implemented versus the original state of the environment.
Chapter 8: Evolving a Custom Solution. Helps you determine your next steps in developing your security and directory services infrastructure. This chapter provides examples of which aspects of your system can benefit from further development.
This section describes the resources included in the Windows Security and Directory Services for UNIX Guide and information that will help you use the guide.
The guide includes the appendices referred to throughout the guide. Some appendices are intended for specific solutions; others are more general in nature—for example, the “Acronym List” and “Bibliography/References” appendices.
The following appendices are included with this solution guide:
Appendix A: Architectural Overview of UNIX and Windows Authentication and Authorization
Appendix B: Pertinent RFCs
Appendix C: Kerberos and LDAP Error Messages
Appendix D: Kerberos and LDAP Troubleshooting Tips
Appendix E: Relevant Windows and UNIX Tools
Appendix F: Migrating Digital Identity Information to Active Directory
Appendix G: Configuring DNS for a Heterogeneous UNIX and Windows Environment
Appendix H: Configuring Time Services for a Heterogeneous UNIX and Windows Environment
Appendix I: Sample Configuration Files for Custom Solutions
Appendix J: Custom Technology Solutions Capabilities Matrix
Appendix K: Acronym List
Appendix L: Installing and Configuring Active Directory and DNS in Your Lab
Appendix M: Bibliography/References
The following job aids are included with this solution guide:
Budget Plan Template. Provides a high-level look at the estimated costs to the organization to build and deploy the solution.
Current State Infrastructure Report Template. Describes the environment into which the solution will be placed. Provides information on any legacy systems that might affect or must be accounted for in the solution design.
Deployment Plan Template. Defines the actions required for a smooth deployment and transition of the solution to the production environment.
Development Plan Template. Describes the solution development process used for the project.
End State Selection Tool. Compares all of the end states on the basis of their capability to meet common business and technical requirements that can be expressed as design goals.
Operations Plan Template. Defines the actions required to ensure that the solution will be operated appropriately in the production environment.
Pilot Plan Template. Describes what the pilot deployment will include and provides information about how to conduct the pilot successfully. Explains how to evaluate the pilot, including determining whether you are ready to move the solution to production or need to conduct another pilot.
Project Structure Template. Defines the approach the team will take in organizing and managing the project, including goals, work scope, team requirements, team processes, and risk.
Project Team Skills Template. Lists the required skill sets for the project team. It also includes training resources.
Risk Assessment Tool. Helps to identify, prioritize, and manage project risks. Contains an extensive list of common risks associated with each end state.
Security Plan Template. Defines the actions required to ensure a secure solution in the production environment.
Solaris_native_LDAP_config file. File that contains the script to configure the Solaris host as an LDAP client for the native OS Solaris End State 2 solution.
Test Plan Template. Defines the actions required to ensure that the solution is tested and approved for release.
Vision/Scope Template. Provides a high-level view of the solution and includes business opportunity, solution concept, scope, and solution design strategies.
Depending on the solution you choose to deploy, the following software is required to implement the solutions described in this guide:
Windows Server 2003.
Depending on your solution, you need UNIX or Linux environments that include one or more of the following:
Some end states require a development environment that must be either preexisting or built using the instructions in the guide for downloading and installing a development environment.
Some custom solutions described in Volume 2: Chapter 4, “Developing a Custom Solution” require the 1.3.5 (or later) version of the MIT Kerberos package (krb5-1.3.5.tar), available from Kerberos v5 Release 1.3 Source Distributions at http://web.mit.edu/kerberos/dist/historic.html#krb5-1.3-src.
Note: The configuration for custom solutions described in Volume 2: Chapter 4, "Developing a Custom Solution" is not directly compatible with 1.4.x versions of MIT Kerberos and needs some modification to work with those versions of the software.
Some custom open source solutions include the CSS pam_krb5.so module and the CSS ADKadmin tool. These are available for download at http://www.css-security.com.
Some custom solutions require the Cyrus SASL library, available from Download Cyrus Software at http://asg.web.cmu.edu/cyrus/download/.
Some custom solutions require LDAP v3-compliant LDAP libraries and client tools.
Some solutions require Windows Services for UNIX 3.5, which is available from Windows Services for UNIX 3.5 Downloads at http://www.microsoft.com/windowsserversystem/sfu/downloads/default.mspx.
The Quest Software Vintela Authentication Services (VAS) product, if you choose to deploy this solution, available at http://www.vintela.com.
The Centrify DirectControl product, if you choose to deploy this solution, available at http://www.centrify.com.
For specific information about which solution requires which software, see the chapters about the solution or solutions that you might want to consider deploying in Volumes 2, 3, and 4 of this guide.
This guide uses the document conventions shown in the following table.
Table 0.1 Document Conventions
Bold font. Used for commands; literal arguments to commands (including paths when they form part of the command); switches; and programming elements such as methods, functions, UNIX and Linux system calls, LDAP object classes, LDAP attribute names, data types, data structures, and daemon (program) names. User interface elements are also identified with bold font.
Italic font. Used for variables to be replaced by the user. It is also used to emphasize important information, such as a key term used for the first time.
Monospace font. Used for excerpts from configuration files, code examples, and terminal sessions.
Monospace bold font. Used to represent commands or other text that the user types exactly as shown.
Monospace italic font. Used to represent variables the reader supplies in command-line examples and terminal sessions.
Note. Used to indicate neutral or positive information that emphasizes or supplements important points of the main text.
Important. Used to provide information that is essential to the completion of a task.
Caution. Used to advise users that failure to take or avoid a specific action could result in damage to software, hardware, or data.