WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
PAGE 70
Fortunately, in a UNIX environment, Kerberos is also well established; many applications
are already Kerberos-aware and include built-in support for making use of a user's
Kerberos ticket. These applications include telnet, SSH, and SMB-related technologies
such as Samba.
When you install DirectControl on a UNIX computer and join that computer to an Active
Directory domain, a complete standard Kerberos system is also automatically installed
and correctly configured on that computer. Correctly configured means that the UNIX
computer has joined the Active Directory Kerberos realm and that Kerberos requests are
forwarded and correctly serviced by the Kerberos system running on the Active Directory
server. To the UNIX computer, Active Directory looks like any other standard Kerberos
authority. Therefore, you can expect any Kerberized application to "just run" after
DirectControl is installed.
To demonstrate how this works, install a recent version of Samba (version 3.0.x or later,
available from http://samba.org) on your UNIX or Linux computer. Make sure that the
smbclient utility is also installed. Smbclient allows a UNIX user to browse an SMB file
share on any computer, including a share on a Windows file server. An smbclient option
lets Kerberos be used as the method for silently passing the user's credentials to the
domain controller.
You can use the steps in the following procedure to illustrate this capability.
To illustrate the capability of a Kerberos application using Active Directory credentials
1. On a Windows file server (called, in this example, centrifyad) create a shared folder
called Sharedir and grant domain users write access on the share.
2. Log on to a UNIX or Linux computer with an Active Directory user account.
3. Type the following command to change to the /etc directory so that you can copy a
file to a Windows file share:
cd /etc
4. Type the following smbclient command with the -k (that is, use Kerberos silent
authentication) option to access the file share, and then copy a local file to that share
using the put subcommand.
smbclient -k //centrifyad/Sharedir
put passwd
dir
The above commands produce the following output:
$ cd /etc
$ smbclient -k //centrifyad/Sharedir
OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]
smb: \> put passwd
putting file passwd as \passwd (86.3 kb/s) (average 86.3 kb/s)
smb: \> dir
  .                                   D        0  Tue Jul  5 21:52:36 2005
  ..                                  D        0  Tue Jul  5 21:52:36 2005
  passwd                              A     1502  Tue Jul  5 21:52:36 2005

                60745 blocks of size 65536. 21875 blocks available
smb: \>
5. On the Windows computer, open Sharedir and confirm that the file passwd was
copied to the server.
6. Right-click passwd, click Properties, and verify that passwd was created on Sharedir
with the appropriate ownership and properties.