Imagine you are managing a network with 20 or more workstations running various operating systems like Windows, Mac and Linux, and that you have to manage or troubleshoot them one by one whenever you have authentication problems or just want to change passwords on those machines. That would be a lot of work, right? What you need is centralized user/group management like OpenLDAP or Active Directory. Most businesses already use Microsoft's Active Directory because the majority of their workstations run Microsoft Windows. Because of that, I would like to talk about Active Directory authentication for non-Windows workstations and introduce you to several solutions that will help you do that.
The first solution is the fully hands-on approach, which involves a lot of script modifications and the installation of additional libraries. The entire procedure is written up in the December 2008 issue of TechNet Magazine and is available for download from Microsoft, so I am not going into detail on that one. Instead I would like to introduce you to three third-party applications that do all of that for you after a simple installation and a few small configuration steps. Those three applications are Likewise, Quest Authentication Services and Centrify.
Likewise offers basically two solutions. The first one is Likewise Open, which is free and lets you join workstations to your Active Directory, authenticate your users against Active Directory and manage group memberships on the Active Directory side. The second solution is Likewise Enterprise. Likewise Enterprise offers Single Sign-On for enterprise applications like Microsoft SharePoint and for other applications or services that can authenticate via directory services, such as Apache, JBoss, MySQL, WebSphere and other systems reached via SSH, which without a directory service would each require separate username and password credentials. With Likewise Enterprise Single Sign-On, LDAP, Kerberos and the applications or services tied to directory authentication, only one username and password has to be managed centrally in the datacenter. Likewise Enterprise also provides group policy tools to create granular access policies, ensuring users have all the permissions they need to do their job and no more. If you use Likewise Enterprise you can also produce reports on user activity, and with the Likewise Enterprise Operations Dashboard an administrator can see what is going on with users in real time, which makes security and policy monitoring simple and effective. Taken together, the features described above make Likewise Enterprise compliant with SOX, PCI DSS, Basel II, HITECH and HIPAA. Likewise Enterprise also lets you add additional security with its optional smart card feature. If your organization still uses Sun's Network Information Service (NIS), you should migrate to Active Directory from Microsoft, since NIS is not secure and is no longer supported by Sun. Likewise Enterprise provides NIS migration tools that move user accounts and password files to Active Directory. Likewise Enterprise also provides hypervisor management tools so that users managing VMware vSphere and Citrix XenServer are authenticated against Microsoft Active Directory.
Likewise has binary packages available for Red Hat, SUSE, Fedora, CentOS, Debian, Ubuntu, Mac OS X, Solaris, HP-UX, AIX and FreeBSD, in 32-bit and 64-bit architectures.
You can join your workstation to Active Directory with one command. For example, on Linux type /opt/likewise/bin/domainjoin-cli join domainName ADjoinAccount and press enter. To authenticate against Active Directory in the GUI use DOMAIN\username, and on the CLI use DOMAIN\\username (the backslash has to be escaped in the shell), and that is all you have to do.
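As an added example (not from the original post or from Likewise), here is a small POSIX shell wrapper around the domainjoin-cli command above. It adds the two preflight checks that most often break an AD join in practice, clock skew (Kerberos rejects tickets when the client clock is more than 5 minutes off) and DNS SRV discovery of a domain controller, and it shows how to split the DOMAIN\username form into its parts on the CLI. The /opt/likewise/bin path is the one from the post; the domain name, account and the host/date commands used for the checks are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks around Likewise's domainjoin-cli.
# Assumes the Likewise Open layout from the post (/opt/likewise/bin).
LIKEWISE_BIN=${LIKEWISE_BIN:-/opt/likewise/bin}

# Kerberos tolerates at most 300 seconds of clock skew by default.
# Argument: skew in seconds (may be negative). Returns 0 if acceptable.
clock_skew_ok() {
  skew=${1#-}                      # strip sign to get the absolute value
  [ "$skew" -le 300 ]
}

# Split the GUI-style login name DOMAIN\user into "DOMAIN user".
# On the CLI the backslash must be doubled or single-quoted, which is why
# the post shows DOMAIN\\username for the shell.
split_ad_name() {
  name=$1
  case $name in
    *\\*) printf '%s %s\n' "${name%%\\*}" "${name#*\\}" ;;
    *)    return 1 ;;                # no backslash: not a domain-qualified name
  esac
}

# Checks that need network access (not run by the offline test):
#  - a domain controller is published as an LDAP SRV record in DNS
#  - local clock skew against that controller is within tolerance
preflight() {
  domain=$1
  dc=$(host -t SRV "_ldap._tcp.dc._msdcs.$domain" 2>/dev/null | awk '{print $NF}' | head -n 1)
  [ -n "$dc" ] || { echo "no domain controller SRV record for $domain" >&2; return 1; }
  # Assumption: the DC answers HTTP date or NTP; here we just compare with
  # the local clock via date(1) and a placeholder remote time source.
  remote=$(date -u +%s)            # placeholder: replace with DC time lookup
  clock_skew_ok $(( $(date -u +%s) - remote )) || { echo "clock skew too large" >&2; return 1; }
}

# Join the workstation, then confirm the join with domainjoin-cli query.
join_domain() {
  domain=$1; account=$2
  preflight "$domain" || return 1
  "$LIKEWISE_BIN/domainjoin-cli" join "$domain" "$account" || return 1
  "$LIKEWISE_BIN/domainjoin-cli" query
}

# Usage: join_domain corp.example.com joinadmin   (placeholder values)
```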
Overall I think the Likewise solution is well built and should offer you solutions for most of your IT challenges.
Quest Authentication Services
Quest Authentication Services is a patented technology. Looking over the information about this solution, it appears that you need to install a server-side component on the server itself and then the agent on the non-Windows clients. Quest claims to have 1,000 customers with over 5 million installed seats. It supports Linux, Unix and Mac OS X clients. It also appears that this solution does not offer a free edition to at least authenticate your non-Windows clients.
Quest extends the authentication, authorization and administration infrastructure of Active Directory to the rest of the enterprise, enabling Unix, Linux and Mac OS X systems to act as full citizens within Active Directory. It also enables auditing and alerts and shows a detailed change history. This solution also provides a Group Policy framework that allows you to manage Linux and Mac clients through Microsoft's Group Policy management. Access control capabilities are also extended to non-Windows clients. Single Sign-On becomes available to non-Windows clients by enabling Kerberos and LDAP just like on Windows clients, and you can authenticate to applications like SAP, Siebel and DB2. Quest provides migration tools to migrate from NIS to Active Directory.
Quest appears to provide all the necessary features to run your heterogeneous network and manage all user accounts through Active Directory. The only thing I would wish for is that Quest offered a free agent; other than that I think it is good.
Centrify offers its product in basically four editions: Express, Standard, Enterprise and Platinum. Let's go over each edition and see what its features are.
Express Edition: Includes Centrify DirectControl Express and Centrify DirectManage Express plus Centrify-enabled open source tools.
Standard Edition: Includes Centrify DirectControl, Centrify DirectManage and DirectAuthorize plus Centrify-enabled open source tools.
Enterprise Edition: Includes everything in the Standard Edition plus Centrify DirectAudit.
Platinum Edition: Includes everything in the Enterprise Edition plus DirectSecure.
In addition, add-on modules are available for Single Sign-On to SAP, to web applications on Apache and J2EE, and to DB2.
So let's have a look at all of these components and their features.
Centrify DirectControl (Express): Enables Active Directory-based Single Sign-On for Unix, Linux and Mac.
Centrify DirectManage (Express): Discovers non-Windows systems and joins them to Active Directory.
Centrify-Enabled Open Source Tools: Enhances productivity with painless remote access and Samba integration.
Centrify DirectAuthorize: Enables you to lock down sensitive systems and eliminate uncontrolled use of root permissions.
Centrify DirectAudit: Helps you run detailed logging and spot suspicious activity by showing which user accessed what system, and lets you monitor current user sessions.
Centrify DirectSecure: Can block untrusted systems from communicating with trusted systems and encrypts data in motion.
Centrify also offers Centrify-enabled components like Kerberos utilities, NIS services, OpenSSH, PuTTY and Samba. Centrify supports the following operating systems: Apple Mac OS X, CentOS, Citrix XenServer, Debian, HP-UX, IBM AIX, Mandriva, SUSE, Solaris, Red Hat, Fedora, IRIX, Ubuntu and VMware ESX Server, all in 32-bit and 64-bit. Centrify is also the only one of the three that is Microsoft certified, which means a lot for businesses that already use Microsoft products and would like to integrate non-Windows clients. The only difference I found between Centrify Express and the other editions is that the Express Edition only offers community support, while the other editions offer 24/7 professional support.
My conclusion is that I like the Centrify Suite the best, because you get the most features in the free edition compared to the other solutions and it supports the most operating systems. Coming in second place is Likewise: it offers basic features for free to get you started and integrate your non-Windows clients, and if you want more you can upgrade and purchase one of the more advanced editions. Last but not least is Quest Authentication Services, because I was not able to find a free client that at least lets you authenticate your non-Windows clients against Active Directory; I think their package offers the most important features, but not all the features that the other two offer. Overall I think any one of these solutions will get you where you want to be.
Please let me know if you know of any other solutions that might be better or are at least worth mentioning here, and also let me know if I stated something wrong, as I am happy to correct it. I hope this article helped you decide which product you would like to go with, or at least got you started with Active Directory authentication for non-Windows clients.