The goal of Single Sign-On (SSO), in which users on a network log on once and then have access to multiple resources and environments, is still a long way off. It is common for a regular user to maintain and use three or more separate usernames and associated sets of passwords. Windows Server 2008 R2 UNIX Integration goes a long way toward making SSO a reality, however, with the Identity Management for UNIX role service.
Identity Management for UNIX is an additional role service on a Windows Server 2008 R2 machine that includes three major components, as follows:

Server for Network Information Services (SNIS)—Server for NIS allows a Windows AD DS environment to integrate directly with a UNIX NIS environment by exporting NIS domain maps to AD entries. This allows an AD domain controller to act as the master NIS server.

Password Synchronization—Installing the Password Synchronization role on a server allows for passwords to be changed once, and to have that change propagated to both the UNIX and AD DS environments.

Administrative Tools—Installing this role service gives administrators the tools necessary to administer the SNIS and Password Synchronization components.
The Identity Management for UNIX components have some other important prerequisites and limitations that must be taken into account before considering them for use in an environment. These factors include the following:

Server for Network Information Services (SNIS) must be installed on an Active Directory domain controller. In addition, all domain controllers in the domain must be running Server for NIS.

SNIS must not be subservient to a UNIX NIS server—it can only be subservient to another Windows-based server running Server for NIS. This requirement can be a politically sensitive one and should be broached carefully, as some UNIX administrators will be hesitant to make the Windows-based NIS the primary NIS server.

The SNIS authentication component must be installed on all domain controllers in the domain in which security credentials will be utilized.
Installing Identity Management for UNIX Components

To install one or all of the Identity Management for UNIX components on a Windows Server 2008 R2 server, perform the following steps from a domain controller:

1. Open Server Manager (Start, All Programs, Administrative Tools, Server Manager).

2. Expand the Roles node in the tasks pane, and select Active Directory Domain Services.

3. Right-click the Active Directory Domain Services role, and select Add Role Services. Check the box next to Identity Management for UNIX, which should automatically check the remaining boxes as well, as shown in Figure 1. Click Next to continue.

4. Review the installation options, and click Install to begin the process.

5. Click Close when complete, and choose Yes to restart the server.

6. After the restart, the server should continue with its configuration before allowing you to log on. Let it finish and click Close when the process is complete.
Configuring Password Change Capabilities

To enable password change functionality, a connection to a UNIX server must be enabled. To set up this connection, perform the following steps:

1. Open the MMC Admin console (Start, All Programs, Microsoft Identity Management for UNIX, Microsoft Identity Management for UNIX).

2. In the node pane, navigate to Password Synchronization, UNIX-Based Computers.

3. Right-click on UNIX-based Computers, and choose Add Computer.

4. Enter a name in the Computer Name text box, and specify whether to sync passwords to/from UNIX. Enter the port required for password sync and an encryption key that is mutually agreed upon with the UNIX server, similar to what is shown in Figure 2. Click OK.

5. Click OK to confirm the addition of the UNIX system.
Adding NIS Users to Active Directory

For organizations that want their existing NIS servers to continue to provide authentication for UNIX and Linux servers, the SNIS component might not be the best choice. Instead, there is a package of Korn shell scripts downloadable from Microsoft.com that simplifies adding existing NIS users to AD. The getusers.ksh script retrieves a list of all users in a NIS database, including the comment field. This script must be run with an account that has permission to run ypcat passwd. The makeusers.ksh script imports these users into Active Directory and must be run by a user with domain admin privileges. Its -e flag enables the accounts; by default, the accounts are created in a disabled state. This is a good fit for migrations in which the existing NIS servers must remain intact indefinitely.
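The getusers.ksh/makeusers.ksh flow described above, sketched as an added POSIX sh example (not Microsoft's scripts): it parses the passwd-map format that ypcat passwd prints, including the comment field, emits rows for an AD import with accounts disabled unless -e is given, and skips system accounts below an assumed uid floor. The sample map, the CSV column set and the uid threshold of 1000 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of an NIS passwd map, as `ypcat passwd` would print it.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:100:Alice Example,Bldg 2,x1234:/home/alice:/bin/ksh
bob::1002:100:Bob Example:/home/bob:/bin/sh
carol:x:1003:100::/home/carol:/bin/bash
broken:x:abc:100:Bad Entry:/home/broken:/bin/sh'

# Turn passwd-map lines on stdin into CSV rows for an AD import (hypothetical
# column set, named after the RFC 2307 attributes AD exposes).
# Usage: nis_users_to_csv [-e] < passwd_lines
#   -e  emit accounts as enabled; the default is disabled, like makeusers.ksh.
# The uid floor of 1000 is an assumed threshold separating users from system accounts.
nis_users_to_csv() {
    enabled=FALSE
    [ "$1" = "-e" ] && enabled=TRUE
    printf '%s\n' "sAMAccountName,uidNumber,gidNumber,description,unixHomeDirectory,loginShell,enabled"
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -z "$name" ] && continue
        case $uid in
            ''|*[!0-9]*) printf 'malformed uid, skipping: %s\n' "$name" >&2; continue ;;
        esac
        if [ "$uid" -lt 1000 ]; then
            printf 'system account, skipping: %s (uid %s)\n' "$name" "$uid" >&2
            continue
        fi
        # An empty password field means the NIS account has no password at all;
        # surface it so the account is reviewed before it is enabled in AD.
        [ -z "$pw" ] && printf 'warning: %s has an empty password field\n' "$name" >&2
        comment=${gecos%%,*}   # keep the full name, drop office/phone GECOS subfields
        printf '%s,%s,%s,%s,%s,%s,%s\n' "$name" "$uid" "$gid" "$comment" "$home" "$shell" "$enabled"
    done
}

# Runs the converter over the constructed sample so the script works stand-alone.
demo_nis_export() { printf '%s\n' "$SAMPLE_PASSWD" | nis_users_to_csv "$@"; }

demo_nis_export "$@"
```

Redirect stderr to a file when running it against a real map so the skipped and flagged entries can be reviewed separately from the import rows.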