Modern IT infrastructure has evolved into a heterogeneous mixture of Windows and Unix/Unix-like operating systems; the focus of this post is Linux.
Decentralised vs Centralised Authentication
Decentralised authentication means that each host maintains its own user authentication database and policies. If we have 700 hosts and want 250 people to log on to them, we need to create 250 accounts, and the related policies, on every one of those hosts, which is a very counter-productive exercise.
Decentralised authentication is usually used in small workgroups. As soon as the number of hosts increases, it becomes very hard to maintain. Workgroups are not ideal for large environments that demand flexibility and high security.
Centralised authentication allows hosts to be members of a domain or a realm. Domain controllers host the authentication database and are responsible for applying domain policies and permissions.
Most organisations use Windows Active Directory for centralised authentication. The problem arises when there are Linux hosts in the mix and those hosts have to be integrated with the Windows environment. There are two approaches to solving this problem. The first one is direct integration and the second one is indirect integration.
Direct integration simply means joining the Linux hosts to the Windows domain. Its only advantage is that users from the Windows domain can log on to Linux hosts. Linux-specific policies and permissions cannot be applied by the Windows domain controllers; they still need to be configured manually on each host, just as in a workgroup. Direct integration is fine for small networks but does not scale well in environments with hundreds or thousands of Linux hosts.
Indirect integration is currently the most efficient method of integrating Linux and Windows environments. It entails creating a separate domain for the Linux hosts, with domain controllers dedicated to that Linux domain. These domain controllers are responsible for applying Linux-specific policies such as sudo, su, and Host-Based Access Control (HBAC) rules.
A cross-forest trust is then created between the Linux and Active Directory domains. This does not mean that any AD user can log on to any Linux host: the Linux domain controllers allow fine-grained control over who can log on to which hosts and what they are allowed to do there.
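To make the "who, on which hosts, doing what" point concrete, here is an added toy model of HBAC evaluation (example code written for this post, not a product's implementation). Its semantics are an assumption modelled on FreeIPA / Red Hat IdM HBAC: rules are allow-only, a login is granted only if some enabled rule matches the user, the host and the PAM service, and a catch-all "allow_all" rule makes every fine-grained rule redundant while it remains in place; all users, hosts and group names are constructed.

```python
"""Toy HBAC evaluator: a login is allowed iff at least one enabled rule
matches the user (directly or via a group), the target host (directly or
via a host group) AND the PAM service.  Semantics assumed from FreeIPA/IdM."""
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)       # user names, or "ALL"
    groups: set = field(default_factory=set)      # user groups
    hosts: set = field(default_factory=set)       # host names, or "ALL"
    hostgroups: set = field(default_factory=set)  # host groups
    services: set = field(default_factory=set)    # PAM services, or "ALL"

# Constructed directory data: AD users from the trusted forest reach the
# Linux domain through groups; hosts are organised into host groups.
GROUP_MEMBERS = {"linux_admins": {"alice@ad.example.com"},
                 "web_devs": {"bob@ad.example.com"}}
HOST_GROUPS = {"webservers": {"web01", "web02"}, "dbservers": {"db01"}}

RULES = [
    HbacRule("admins_everywhere", groups={"linux_admins"}, hosts={"ALL"},
             services={"sshd", "sudo"}),
    HbacRule("devs_ssh_web", groups={"web_devs"}, hostgroups={"webservers"},
             services={"sshd"}),
]
# A catch-all of this shape is assumed to exist in a fresh realm; while it
# is present and enabled, the fine-grained rules above change nothing.
ALLOW_ALL = HbacRule("allow_all", users={"ALL"}, hosts={"ALL"}, services={"ALL"})

def groups_of(user):
    return {g for g, members in GROUP_MEMBERS.items() if user in members}

def hostgroups_of(host):
    return {hg for hg, hosts in HOST_GROUPS.items() if host in hosts}

def rule_matches(rule, user, host, service):
    if not rule.enabled:
        return False
    user_ok = "ALL" in rule.users or user in rule.users or rule.groups & groups_of(user)
    host_ok = "ALL" in rule.hosts or host in rule.hosts or rule.hostgroups & hostgroups_of(host)
    svc_ok = "ALL" in rule.services or service in rule.services
    return bool(user_ok and host_ok and svc_ok)

def hbac_allowed(rules, user, host, service):
    """Names of the rules granting this login; an empty list means denied."""
    return [r.name for r in rules if rule_matches(r, user, host, service)]
```

Running `hbac_allowed(RULES, "bob@ad.example.com", "db01", "sshd")` returns an empty list (denied), while appending `ALLOW_ALL` to the rule set grants that same login, which is why reviewing and disabling the catch-all is the first step before the fine-grained rules mean anything.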
Talk To Us!!!
If you have a heterogeneous infrastructure and would like to integrate your Linux and Windows environments, do not hesitate to reach out to us. We will assess your environment and assist in deploying a solution that satisfies your technical and compliance requirements.