4622044.app 12/7/06 2:02 PM Page a

Technical White Paper www.novell.com DESKTOP

Using SUSE® Linux Enterprise Desktop with Microsoft* Active Directory* Infrastructure 4622044.app 12/7/06 2:02 PM Page 1

Using SUSE Linux Enterprise Desktop with Microsoft Active Directory Infrastructure

Table of Contents: 2 . . . . . Simplifying Management, Security and Usability in a Heterogeneous IT Environment

2 . . . . . Active Directory Integration: A Typical Scenario

4 . . . . . Core Components of the Active Directory Integration Solution

7 . . . . . What Makes the Novell Implementation Different?

8 . . . . . Configuring SUSE Linux Enterprise Desktop as an Active Directory Client

9 . . . . . Logging In

9 . . . . . Learn More About SUSE Linux Enterprise and Active Directory Integration

p. 1 4622044.app 12/7/06 2:02 PM Page 2

Simplifying Management, Security and Usability in a Heterogeneous IT Environment

SUSE Linux Enterprise Heterogeneous IT environments are a fact That’s exactly what SUSE® Linux Enterprise

Desktop 10 is the only of life. Today’s information-driven enterprises Desktop 10 from Novell® allows you to do. enterprise-class Linux have grown up with Microsoft* and have come It’s the only enterprise-class Linux desktop desktop operating to depend heavily on Microsoft operating operating system designed to allow direct system designed to systems. And that means they have had to integration with Windows domains—giving you allow direct integration work hard to integrate home-grown, legacy a heterogeneous environment that behaves with Windows domains— and proprietary solutions within a predomi- like a unified network for both users giving you a heterogen- nantly Microsoft environment. and administrators. eous environment that behaves like a unified Today, Linux* and open source software With SUSE Linux Enterprise Desktop 10, network for both users promise to transform IT economics, security there’s no complex synchronization or and administrators. and functionality for companies looking for metadirectory scheme to maintain, and no an alternative to Microsoft. But for the fore- need to administer two separate systems or seeable future, many companies will only deal with multiple vendors. There’s no need be able to implement open source software to pay for a proprietary solution to install on side by side with Microsoft, rather than as top of your Linux OS. And there’s no need a rip-and-replace alternative. Or they may to manage separate environments using attempt to migrate to open source over time, separate tools. gradually phasing out Microsoft platforms to avoid the cost and disruption of deploying Most important, your users have a single a completely new IT infrastructure. identity and a single, secure sign-on to access network services and resources In either scenario, adding Linux to the mix no matter which operating system they’re threatens to make the IT environment more using—Windows or Linux. complex to manage and use, because the IT staff now has to deploy, retrain and maintain Active Directory Integration: two separate environments for authenticating A Typical Scenario to the network and accessing services Over the years, most enterprises have and resources. made a huge investment in Windows servers and workstations, using Active Directory to One of the greatest attractions of the organize and manage the network, define Microsoft environment is Active Directory*, workgroups, enforce authentication policies which provides a hierarchical framework for and assign privileges. At the same time, managing, controlling access to and enforc- forward-thinking IT managers have kept an ing security for all Windows* objects on the eye on the world of Linux and open source network—resources, services and users. software, waiting for the day when enterprise- If only Active Directory could also be used class, license-free solutions would emerge to manage Linux-based objects, you would to offer significant cost savings and greater have a single point of administration for all freedom of choice. Windows and Linux systems, while providing a single sign-on experience for users to That day has arrived with SUSE Linux access all the resources they need. Enterprise Desktop 10—a general-purpose,

p. 2 4622044.app 12/7/06 2:02 PM Page 3

Using SUSE Linux Enterprise Desktop with Microsoft Active Directory Infrastructure www.novell.com

license-free desktop platform that provides provides clear advantages, keeping Windows Active Directory unparalleled flexibility and performance for in other areas. integration supports the business users. SUSE Linux Enterprise business and IT goals Desktop 10 is designed to help businesses In each of these scenarios, the company that drive the decision to dramatically reduce costs, improve end-user is introducing Linux clients into an existing migrate to Linux in the security and increase workforce productivity. environment of Windows servers and clients first place: improving So now companies can choose from several to achieve specific business goals. By allow- the match between options. They can ignore the new open source ing newly deployed Linux systems to join the technology and task, opportunities altogether and stick with the Windows domain, companies can minimize eliminating single-vendor familiar Windows environment. They can disruption for end users, allow single sign-on dependence, easing migrate the entire IT environment to Linux. authentication and access without regard to the transition for users, OS type, keep a single IT management improving security and— Or—by far the most likely choice for a typical framework and enforce a single set of above all—cutting costs. enterprise—they can keep much of their security policies. Windows infrastructure intact while migrating selected groups to Linux as time, budget Active Directory integration supports the and user roles allow. They may specify Linux business and IT goals that drive the decision for all new purchases, and replace older to migrate to Linux in the first place: improv- Windows machines with Linux at the end of ing the match between technology and task, the Windows lifecycle. Or they may identify eliminating single-vendor dependence, easing operational areas where moving to Linux the transition for users, improving security

Benefits of an Integrated Linux and Microsoft Environment Integrating SUSE Linux Enterprise Desktop Share files and folders transparently machines with Active Directory enables between Linux and Windows workstations you to: Manage all user accounts, authentication data and security policies centrally, Make Linux clients behave as Windows with no need to touch every workstation clients, taking all account information from or run separate consoles for each the Active Directory domain controller environment and seamlessly accessing services and Ensure that account and password resources within the Active Directory policies are enforced uniformly on both infrastructure Windows and Linux clients Use single sign-on for secure access Support offline authentication so that to a Windows domain, including Web users can log on to their local machines servers, proxy servers, e-mail servers even while they’re unable to contact the and other network services domain controller—for example, while Tighten security by requiring users traveling—or when the Active Directory to remember just one login and pass- server is unavailable word—with no need to reauthenticate Avoid vendor lock-in with the freedom to against different servers choose the best platform for each user Mount network shares to allow Linux and application and to migrate at your users to work with data stored on own pace Windows servers without having to Reduce costs for licensing software, provide user credentials separately training users and managing the for each share heterogeneous environment

p. 3 4622044.app 12/7/06 2:02 PM Page 4

SUSE Linux Enterprise Desktop 10 ships migrate to Linux and become quickly pro- ductive using conventional menus, dialogs with a choice of desktop environments: and folders. No modifications to Linux or the GNOME and KDE. Both of these desktops desktop environment are required, except for the simple client configuration that enables provide a familiar and convenient GUI that SUSE Linux Enterprise Desktop clients to makes it easy for former Windows users to join an existing Windows domain. migrate to Linux and become quickly Core Components of the Active productive using conventional menus, Directory Integration Solution dialogs and folders. Let’s take a closer look at the core tech- nologies that enable easy integration of SUSE Linux Enterprise Desktop with Active and—above all—cutting costs. To fulfill these Directory. In order for the Active Directory needs while appealing to users and IT admin- server and the Linux client to properly istrators formerly working in a Windows communicate, both sides need to adhere environment, a Linux solution must meet to two protocols: four essential criteria: LDAP. Lightweight Directory Access It must seamlessly integrate Linux-based Protocol (LDAP) is widely used to structure, client machines into a Windows domain. manage and query directory services over It should provide a desktop feature set TCP/IP networks. It provides a hierarchical substantially equivalent to the Windows “tree” model for organizing objects in desktop. the directory, and allows you to create It must provide an easy-to-use graphical schemas that define object classes, user interface (GUI) that former Windows and to assign attributes that define the users can adopt with a minimal learning members of each class. A Windows curve. domain controller with Active Directory It should require no configuration changes can use LDAP to exchange directory on the server side, retaining compatibility information with Windows clients—and, with the existing Windows infrastructure in this solution, with Linux clients. An open and minimizing disruption as users migrate. source version of LDAP, OpenLDAP, is used for integrating SUSE Linux Enterprise SUSE Linux Enterprise Desktop 10 is Desktop with Active Directory. designed to meet all these criteria by Kerberos. Using symmetric-key enabling easy, complete integration with cryptography mediated by a trusted third Active Directory. After a simple configuration, party, Kerberos allows clients and servers described later in this paper, a Linux client to mutually authenticate to one another can log into the Windows domain as easily and to communicate securely even over as a Windows client. Linux users then have a public network. Because a client can the same authentication, file, print and other trust Kerberos to reliably authenticate network functionality as Windows users. the identity of all other client devices, “kerberized” single sign-on solutions can SUSE Linux Enterprise Desktop 10 ships grant access to any authorized service or with a choice of desktop environments: resource on the network. And because GNOME and KDE. Both of these desktops Windows supports Kerberos, it can be used provide a familiar and convenient GUI that to enable single sign-on even for Linux makes it easy for former Windows users to clients authenticating to a Windows domain.

p. 4 4622044.app 12/7/06 2:02 PM Page 5

Using SUSE Linux Enterprise Desktop with Microsoft Active Directory Infrastructure www.novell.com

In addition to the LDAP and Kerberos applications that rely on authentication, Novell is the only vendor protocols, certain components on the client independent of the underlying authentication that offers a complete, machine enable processing of account mechanism. The details of specific authen- enterprise-class desktop and authentication data. These core com- tication mechanisms are implemented that includes full Active ponents include: as separate plug-in modules. Different Directory compatibility as PAM modules can be “stacked” on one a standard feature, rather Winbind. Part of the Samba project, the another to enable complex authentication/ than as an add-on that’s winbind daemon handles all communication authorization scenarios. In the Novell difficult to configure and with the Active Directory server. Essentially, solution, the pam_winbind module interacts limited in functionality. the winbind daemon binds the Linux directly with the winbind daemon to workstation to the Windows domain, authenticate Linux users to the Windows making the Linux client “look like” an domain using Kerberos. Stacked on top ordinary Windows machine to the Windows of pam_winbind, the pam_mkhomedir server and eliminating the need for module is used to create the user’s duplicate accounts and passwords. home directories after authentication NSS. The Name Service Switch (NSS) has succeeded. provides a standardized programming interface for accessing all kinds of naming With these components in place, each information on Linux systems, including application that uses PAM for authentication users, groups, networks, hostnames and purposes—including login, ssh and Gnome IP addresses. NSS is designed to allow the Display Manager (GDM) and KDE Display creation of separate modules to access Manager (KDM)—can authenticate users naming information from various sources. against the Active Directory server. The NSS module used in the Novell solution ‘ is nss_winbind, which interacts directly Kerberized applications—including file with the winbind daemon to access user managers, Web browsers and e-mail and group names located on an Active clients—use the Kerberos credential Directory server. cache created by pam_winbind during the PAM. The Pluggable Authentication authentication process to access Kerberos Modules (PAM) framework provides a tickets for users, making them part of the set of libraries you can use to develop single sign-on framework as well.

p. 5 4622044.app 12/7/06 2:02 PM Page 6

You can join an existing This architecture, enabling single sign-on to the Windows domain for Linux machines and Active Directory domain applications, is shown in the accompanying figure. during installation of SUSE Linux Enterprise Desktop, or you can join from a previously installed system by activating Windows user authentication using YaST.

Figure 1. Linux to Active Directory Authentication

p. 6 4622044.app 12/7/06 2:02 PM Page 7

Using SUSE Linux Enterprise Desktop with Microsoft Active Directory Infrastructure www.novell.com

What Makes the Novell upon reconnecting. These offline capabilities Implementation Different? are essential for users who roam between networks or who need to work in-flight or Other vendors offer solutions for integrating other places a network is unavailable. Linux machines with Active Directory. But Novell is the only vendor that offers No Server-side Configuration a complete, enterprise-class desktop that includes full Active Directory compatibility The SUSE Linux Enterprise Desktop solution as a standard feature, rather than as an for Active Directory integration works out add-on that’s difficult to configure and limited of the box. in functionality. Active Directory integration within SUSE Linux Enterprise Desktop 10 On the desktop side, only a simple offers several advantages over any other configuration is required, which can be solution available today: applied retroactively to Linux systems already in deployment. On the server side, Active Full Integration with the Directory integration requires no change Desktop Environment whatsoever from your current configuration. Competing solutions require modifications All the components for full Active Directory to the Active Directory domain controller integration are included in the standard and Domain Name System (DNS) server, desktop operating system. There’s nothing and may require you to use particular else to buy or integrate. versions and configurations of Web and application servers as well. Active Directory integration can be easily configured using the YaST Domain Open Source Membership module, which can be run either during the Linux desktop installation With SUSE Linux Enterprise Desktop, all tools process or on a previously installed system. and features for Active Directory integration Both of the desktop display managers are built using open source code. included in the solution—GDM and KDM— fully support authenticating against and Extensions to existing projects—such as logging into Active Directory domains. Samba—that make the solution possible Users can enjoy full support for Active were finalized in close cooperation with the Directory in the desktop applications open source community, and have been they use, whether working in a KDE or embraced and integrated into the official GNOME desktop environment. open source code base by the appropriate The solution offers full support in offline project teams. environments as well as online. The winbind The development model is transparent, daemon enforces password policies even and because the source code is available in an offline state, reacting according to to anyone, there’s a worldwide community the policies configured in Active Directory of engineers working to find and fix any and tracking failed login attempts. Valid issues, add enhancements and ensure Kerberos tickets that were acquired before security. Open source code is subject to losing the connection with the Active very broad testing and review, and thus any Directory server can still provide access software bugs and security vulnerabilities to other network resources, and when a are typically found and fixed much more machine is completely disconnected, it can quickly than in proprietary products. receive new Kerberos tickets immediately

p. 7 4622044.app 12/7/06 2:02 PM Page 8

Other Active Directory integration solutions zone, or else disable the firewall entirely. for Linux rely on proprietary source code, To change the firewall settings on your client, forcing you to trust a single vendor to log in as root and start the YaST firewall provide reliable operation, future enhance- module. Then do one of the following: ments and timely security patches. – Option 1: To make the interface part Configuring SUSE Linux of the internal zone, select Interfaces. Enterprise Desktop as an Select your network interface from the Active Directory Client list of interfaces and click Change. Select Internal Zone and click OK to For flawless interaction between client apply your settings. Exit the firewall and server when joining an Active Directory module by choosing Next, then Accept. domain, Novell recommends the following – Option 2: To disable the firewall, client-side configurations: set Service Start to Manually and exit the firewall module by choosing Next, DNS. In a common Microsoft Windows then Accept. environment, DNS is configured via Dynamic Host Configuration Protocol It is also possible to configure or disable the (DHCP). If DHCP does not provide the firewall during installation. DNS information (for example, in a test environment), you can configure the Linux Active Directory Account client manually to use a DNS server that can forward DNS requests to the Active To log in to an Active Directory domain, Directory DNS server. Alternatively, you you need a valid user account for the can configure the client to use the Active domain. This account is provided by the Directory DNS server as the name service Active Directory administrator. Be prepared data source. with the valid Active Directory username and NTP. The Linux client must have its time password for a domain administrator account set accurately in order to successfully when you’re ready to join the domain from authenticate via Kerberos. Novell recom- your Linux client, as described below. mends using a central Network Time Protocol (NTP) time server for this purpose. You can join an existing Active Directory This can be the NTP server that’s running domain during installation of SUSE Linux on your Active Directory domain controller Enterprise Desktop, or you can join from a already. If the clockskew between your previously installed system by activating Linux host and the domain controller Windows user authentication using YaST. exceeds a specified limit, Kerberos Let’s take a look at the latter method— authentication fails and the client is joining the Active Domain directory from an logged in using the weaker NT LAN existing Linux desktop. Here are the steps: Manager (NTLM) authentication. DHCP. If your client uses dynamic network 1. Start YaST and provide your root configuration with DHCP, you should (administrator) password. configure DHCP to provide the same IP 2. Start Network Services _ Windows Domain and hostname to the client. The most Membership. foolproof way of doing this is to use 3. Enter the domain to join at Domain or static IP addresses. Workgroup in the Windows Domain Firewall. To browse your network Membership screen. neighborhood, either mark the interface ≥ If the DNS settings on your host are used for browsing as part of the internal properly integrated with the Windows

p. 8 4622044.app 12/7/06 2:02 PM Page 9

Using SUSE Linux Enterprise Desktop with Microsoft Active Directory Infrastructure www.novell.com

DNS server, enter the Active Directory 1. At the login prompt, enter: domain name in its DNS format ssh DOMAIN\\user@hostname (msdomain.example.com). You can escape the \domain and login with If you enter the short name of your another \sign. domain (also known as the pre-Windows 2. Provide the user password. 2000 domain name), YaST must rely on NetBIOS name resolution instead of DNS Note that in all cases—GUI, text console to find the correct domain controller. If the or remote login—a single sign-on provides domain controller is on the same subnet access to all the authorized services and as the Linux client, you can click Browse resources in the Active Directory domain. to list the NetBIOS domains and select And the same login can even authenticate the desired domain. users to their local machine while it’s discon- 4. Check Also Use SMB Information for Linux nected from the network—a useful feature Authentication to use Active Directory for for mobile and occasionally connected PCs. Linux authentication. 5. Check Create Home Directory on Login to Learn More About automatically create a local home directory SUSE Linux Enterprise and for your Active Directory user on the Active Directory Integration Linux machine. We’ve given you an overview of Active 6. Check Offline Authentication to allow Directory support in SUSE Linux Enterprise domain users to log in even if the Active Desktop 10, including what it does, how it’s Directory server is temporarily unavailable typically used, the benefits it provides to end or a network connection is unavailable. users and the enterprise, core components, 7. Click Finish and confirm the domain join how to configure the solution and join the when prompted. Active Directory domain and how to log in 8. Provide the password for a Windows with single sign-on to access all authorized domain administrator account on the services and resources on the domain. Active Directory server and click OK. If this overview has sparked your interest, That’s all it takes to configure an existing there’s a lot more information available that SUSE Linux Enterprise Desktop 10 machine lets you really get under the hood and learn as an Active Directory desktop client. And it’s all there is to know about this unmatched even easier to perform the configuration solution for integrating your heterogeneous when first installing Linux on a new or Windows and Linux environment. To learn redeployed machine. more, check out these resources: Logging In For the IT Administrator You can now log in to the Active Directory SUSE Linux Enterprise Desktop Deployment domain from either a GNOME or KDE Guide, Chapter 11, “Active Directory Support” desktop by simply selecting the domain and entering the username and password. For the End User Just as easily, you can log in using a text- SUSE Linux Enterprise Desktop GNOME User based console by entering DOMAIN\user at Guide, Chapter 1, “Getting Started with the the login: prompt and providing the password. GNOME Desktop,” Section 1.1.4, “Accessing And you can even log in to the Active Directory Files on the Network” client machine remotely using SSH:

p. 9 4622044.app 12/7/06 2:02 PM Page 10

www.novell.com

SUSE Linux Enterprise Desktop KDE User All of these documents are available on Guide, Chapter 9, “Accessing Network the Novell Web site at: www.novell.com/ Resources,” Section 9.4, “Managing documentation/sled10/. And of course, Contact your local Novell Windows Files” you’re always welcome to contact your Solutions Provider, or call Novell representative for more information. Novell at: 1 888 321 4272 U.S./Canada 1 801 861 4272 Worldwide 1 801 861 8473 Facsimile

Novell, Inc. 404 Wyman Street Waltham, MA 02451 USA

462-002044-001 | 12/06 | © 2006 Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo and SUSE are registered trademarks of Novell, Inc. in the United States and other countries.

*Linux is a registered trademark of Linus Torvalds. All other third-party trademarks are the property of their respective owners.