Tale from the Trenches: Linux Integration into AD

Provided by: robert1027
Slides: 32

Transcript and Presenter's Notes
1
Tale from the Trenches Linux Integration into AD
  • How Empire Today integrated dozens of Linux
    servers into a mature Windows 2000 Native-Mode
    Forest hosting over 300 Windows 2000/2003
    servers.

2
Intro
  • Who is Robert Auch?
  • MCSE, RHCE, 10-year MCP
  • 12 years IT Experience
  • 2 years professional Linux Experience
  • Who is Empire?
  • Empire Today is a leading provider of Home
    Improvements and Home Furnishings

3
What we'll discuss
  • Problems integrating Linux into Windows
    environment
  • Extend AD Schema?
  • OU/GPO design chosen by Empire
  • UID/GID collision avoidance.
  • Get Linux team to accept AD.
  • Problems encountered by Empire

4
Problem Description
  • Empire Today has business requirement for an ERP
    solution which runs best on Linux
  • IT Team must roll out new ERP solution in 12-18
    months.
  • IT Team has little Linux experience.

5
Initial Rollout
  • Linux Servers built with local authentication
  • Plan to integrate with AD prior to QA testing.
  • Manual user and security management across all
    development servers.

6
Linux problems for Empire
  • Empire Today IT policy: all solutions must use
    Active Directory
  • True single sign-on (SSO) enhances security
  • Neither built-in Linux Kerberos nor Winbind supports
    forwardable tickets or true SSO.

7
Linux Authentication Limitations for Empire
  • UIDs only unique to local system
  • Local Accounts
      • They're local!
      • Password expiration random across systems
  • NIS
      • Not secure
  • OpenLDAP
      • Have to set up an entire new directory

8
User requirements
  • Systems team (all have root-level access).
  • Developers will need ssh with no root access.
  • Environment contains 2000 users, some require
    access to Samba shares, but not ssh.

9
Requirements
  • Site-awareness
  • No directory synchronization or extra server
    requirements
  • Leverage existing DC hardware
  • DC-failure tolerant
  • DC and ERP system maintenance windows do not
    overlap.

10
Kerberos Config in Linux
11
Requirements (2)
  • Transparent logons between servers and to/from
    Windows systems (forwardable tickets).
  • Some form of centralized, Group-Policy-like
    control.

12
Vendor Review
13
Answer
  • Kerberized logons
  • All user data pulled from AD.
  • True Group Policy for centralized management
  • No data needed to be synced to a separate
    directory (like NIS or OpenLDAP)
  • Understands AD sites and DNS lookup of DCs

14
Description of Solution
  • Zones / Cells
  • MS-Kerberos v5
  • GPO support via Administrative Templates

15
Zones / Cells
  • What are they and why use them?

16
Zones / Cells chosen
  • End-User zone
      • Workstations and Laptops
  • Non-ERP server zone
      • Linux Backup servers, Web servers,
        Management/Monitoring servers
  • ERP server zone
      • DB, Application, and NFS for ERP system.

17
Empire Zone Structure
18
Kerberized logons
  • Linux to Windows
  • Linux to Linux (SSH and SMB)
  • Windows to Linux (SMB)
  • Windows to Linux (SSH)

19
SSO In Action
  • <break to video / demo>
  • 1-sso-in-action.avi

20
Group Policy
  • OpenSSH
  • sudoers
  • Desktop lockdown
  • PuTTY

21
Implementation Project
  • Planning
  • Install AD / Management components
  • Install Linux clients and tools.

22
Planning
  • System type review
  • OU planning and buildout
  • GPO planning
  • AD Users & Computers modifications for Helpdesk
    team.
  • Zone layout

23
OU/GPO Design
24
Installation to AD
  • Installing AD Management components
  • Create GPOs in proper OUs
  • Importing existing accounts, utilizing UID/GID
    collision avoidance
  • Username inconsistency management
  • Addition of agents (agent, sshd, samba) to
    deployment scripts
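A UID collision check of the kind the account-import step above depends on, as an added example that is not from the presentation or from the vendor's tooling: it reads constructed /etc/passwd excerpts from several servers, reports usernames that carry different UIDs on different hosts and UIDs that belong to different usernames, and proposes one AD-wide UID per user. The function names, the 10000 base UID and the sample accounts are assumptions; the same check applies to /etc/group for GIDs.

```python
from collections import defaultdict
SYSTEM_UID_MAX = 499  # system accounts (root, daemons) stay local and are skipped
# Constructed /etc/passwd excerpts from three development servers (not real data).
SERVERS = {
    "dev1": "root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n"
            "bob:x:501:501::/home/bob:/bin/bash\n",
    "dev2": "root:x:0:0:root:/root:/bin/bash\nbob:x:500:500::/home/bob:/bin/bash\n"
            "carol:x:501:501::/home/carol:/bin/bash\n",  # 500/501 reused by other names
    "dev3": "root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n"
            "dave:x:1001:1001::/home/dave:/bin/bash\n",
}

def parse_passwd(text):
    """Return {username: uid} for the non-system accounts in one passwd file."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, *_rest = line.split(":")
            if int(uid) > SYSTEM_UID_MAX:
                users[name] = int(uid)
    return users

def collect(servers):
    """Map each username to the UIDs it has anywhere, and each UID to the names using it."""
    name_uids, uid_names = defaultdict(set), defaultdict(set)
    for text in servers.values():
        for name, uid in parse_passwd(text).items():
            name_uids[name].add(uid)
            uid_names[uid].add(name)
    return name_uids, uid_names

def find_collisions(servers):
    """Usernames holding more than one UID, and UIDs owned by more than one username."""
    name_uids, uid_names = collect(servers)
    return ({n: sorted(s) for n, s in name_uids.items() if len(s) > 1},
            {u: sorted(s) for u, s in uid_names.items() if len(s) > 1})

def assign_ad_uids(servers, start=10000):
    """One AD-wide UID per username: a name whose single local UID nobody else uses
    keeps it (no chown needed); all others get fresh UIDs above every local UID."""
    name_uids, uid_names = collect(servers)
    next_uid, assignment = max(start, max(uid_names) + 1), {}
    for name in sorted(name_uids):
        uids = name_uids[name]
        if len(uids) == 1 and len(uid_names[min(uids)]) == 1:
            assignment[name] = min(uids)  # consistent and unique: keep it
        else:
            assignment[name], next_uid = next_uid, next_uid + 1
    return assignment
```

Run the collision report first; every name or UID it lists is a host whose files need a chown after the AD UID is assigned.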

25
User /Group Properties
26
Group Policy Options
27
Importing Users
  • <break to video or demo>
  • 2-importing-users.avi

28
Linux server installation
  • Installation onto new production servers.
  • Implementation on already-rolled out ERP servers.
      • Shutdown of Application
      • Installation of Agents
      • Restart ERP Application
      • Downtime used to patch OS
      • Total downtime extension: 20 minutes
  • Downtime not required

29
Existing Problems
  • Have to Linux-enable Samba-only users
  • Current software version doesn't allow desktop
    manipulation
  • No control of VNC-style sessions

30
Next Steps
  • Workstation / laptop rollout
  • Web server rollout
  • Non-ERP support servers

31
Lessons Learned
  • UID/GID collisions easy to avoid
  • Proper Zone / cell design is essential to success
  • Integrating Linux systems into AD improves
    security and manageability