Linux/Unix/Win2K domain in the small enterprise

Chuck Yerkes chuck+baylisa at snew.com
Tue Feb 12 16:30:17 PST 2002


Quoting Daniel Curry (dcurry at cariocas.com):
> I have a small problem that is growing into an extremely large
> difficulty.

Not so small, you just are seeing iceberg tips.

> I have a Windows 2000 network running Active Directory for Domain
> management.

That is a problem.

> I also have a series of Solaris 8 boxes and will soon have the entire
> development staff migrating their development workstations to Linux.
> I am needing input on how to integrate the Sun, Linux, and Windows boxes
> to all use the same (or integrated) authentications system.  Management
> has determined that we will continue to use MS Exchange 2000, and all of
> the non-engineering staff will remain on Windows systems with Outlook.
> Currently all of the Unix systems are local logon only, with no
> centralized authenticator. 

Active Directory has some scaling issues.  So far, OpenLDAP
hasn't had those.  Active Directory also uses some schemas
in ways that are explicitly wrong per LDAP RFCs.  That's just
data within the Directory Server and can often be dealt with.

> Other elements needed are that anyone can take their notebook home,
> logon locally, and continue to work.  Once home or where ever they have
> internet access, same user can connect to VPN, re-authenticate, and
> access network resources.
> So far, I have been told to use NIS(+), LDAP, or Kerberos.  I am asking
> here for suggestions with arguments of why or why not a certain
> solution.  Any suggestions outside of these listed would be welcomed, as
> well.

Kerberos certainly might be worth looking at.  It's a bitch to
learn (there are very few beginning resources), but once known
is pretty powerful.  It works with Windows, Unix (all) and Mac.
It's just hell to learn.


LDAP is fine for AUTH as long as you ALWAYS AUTH OVER A SECURE
CONNECTION.  That can mean over an SSL connection, a private
network (e.g. the IMAP server has a pocket network connection
to an LDAP replica) or over IPSEC.  Cleartext AUTH is generally
a Bad Thing.

NIS/NIS+ are pretty much useless at this stage.  NIS is too
insecure for my liking (esp. for home workers), NIS+ is a scaling
nightmare.

> I would prefer a system with a single login and password per user.
> Single point of user management would be nice, but is not mandatory.  I
> am considering using Samba for File and Print services.

Understandable.

> Exchange is the required e-mail server.

God why?  It ends up costing something like $25/user/month to run
an Exchange Server.  There are so many decent IMAP servers and
calendaring products that are secure, scale and are cheaper in
both the short and the long run.  Frankly, I'd rather ssh to
my IMAP server and fix something using tools that have evolved for
system admins (magic things like "grep") than kick up some Windows
Anywhere type of thing.

I can take a dual CPU Intel box and run 800 Exchange users on
it, or perhaps 35,000 IMAP users.  It will have time to run SETI
if it's doing IMAP.


> VPN is PPTP and is currently a Win2K system.
> Will move off to a dedicated router/VPN server, with its own
> userid/Login, then user will have to authenticate into the network,
> after that tunnel has been established.

PPTP is not a secure VPN, unless they've fixed some things.
It's cute, but insecure.

Other options are to use smartcards and public/private keys (certs).
IPSEC will certainly play nice with CERTS.

VPN is NOT user authentication.  It secures the network layer.
An attacker who can access the remote user's machine can then
route into your network.  Just 'cause it's coming from the CEO's
laptop doesn't mean it's the CEO.  VPN + per-service auth is
the Right Answer.  (If that means, for example, that web-based
tools require a sign-on, fine.)


You're coming into a very long-standing area that system
administrators have been trying to address well for a LONG
time - heterogeneous, location-independent authentication and
user management.  We've done pretty well with mixed Unixes.
MS has a different agenda and deliberately messes things up.


Chuck
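Chuck's rule above (LDAP AUTH only over a secure connection) as a small checker, added here and not part of the original thread: it reads a pam_ldap/nss_ldap-style client config (the keys uri, host, ssl and tls_checkpeer are that file format's; the sample configs below are constructed) and reports whether a bind password would cross the wire in the clear, over TLS to an unverified server, or protected. IPsec or a private back-end segment is not visible in a client config, so the caller states it with link_protected.

```python
from urllib.parse import urlsplit

def parse_ldap_conf(text):
    """Parse 'key value' lines (pam_ldap/nss_ldap style); '#' starts a
    comment, keys are case-insensitive, the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.replace("\t", " ").partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def auth_transport(conf, link_protected=False):
    """Classify how the bind password reaches the directory server.

    Returns 'cleartext', 'unverified_tls' or 'secure'.  link_protected
    means the wire itself is trusted (IPsec, or a private back-end
    segment like Chuck's pocket network), which the client config file
    alone cannot show."""
    uris = conf.get("uri", "").split()
    if not uris and conf.get("host"):            # older 'host' key
        uris = ["ldap://" + h for h in conf["host"].split()]
    if not uris:
        raise ValueError("no LDAP server configured")
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    ssl_mode = conf.get("ssl", "no").lower()
    encrypted = ssl_mode in ("on", "start_tls") or schemes == {"ldaps"}
    if schemes == {"ldapi"}:                     # local socket, never on the wire
        return "secure"
    if not encrypted:
        return "secure" if link_protected else "cleartext"
    # TLS without verifying the server certificate still lets an
    # impersonating server collect bind passwords; only an explicit
    # 'tls_checkpeer yes' counts as verified here.
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        return "unverified_tls"
    return "secure"

# Constructed sample configurations (not from the original post).
CLEARTEXT_CONF = "host ldap.example.internal\nbase dc=example,dc=internal\n"
STARTTLS_CONF = "uri ldap://ldap.example.internal\nssl start_tls\ntls_checkpeer yes\n"
LDAPS_NOCHECK_CONF = "uri ldaps://ldap.example.internal\n# tls_checkpeer not set\n"

if __name__ == "__main__":
    for name, text in [("plain", CLEARTEXT_CONF), ("starttls", STARTTLS_CONF),
                       ("ldaps-nocheck", LDAPS_NOCHECK_CONF)]:
        print(name, "->", auth_transport(parse_ldap_conf(text)))
```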


