WINDOWS XP and UNIX INTEROPERABILITY

technoman

Junior Member
Apr 9, 2002
My college would like to upgrade their workstations from Windows ME to Windows XP. The platform is UNIX-based (with SUN servers), running TCP/IP over Ethernet.

What would need to be installed on the workstations and/or servers so that the networking environment would permit any student to log on from any of 120 computers without creating separate student accounts on each workstation? Each student currently has a unique user ID and password on the UNIX servers.

All suggestions welcome.

Garion

Platinum Member
Apr 23, 2001
Unix and XP really don't interoperate well in an authentication scenario. You really have three choices:

1: Don't authenticate users - Create a generic username and don't require a password to reboot the XP workstation. As long as you don't need to create any client-centric configurations (i.e., configuring Outlook for e-mail for an individual) on each machine, you're OK. You don't have as much accountability as to what happens, but that's OK in most cases.

2: Install two Windows 2000 servers (can be on workstation-class hardware, for the most part) as primary and backup domain controllers and join all the XP workstations to the domain. This adds massive administrative overhead, but allows you much tighter control. Users can create setups and profiles on each XP workstation and they will roam with them from box to box, wherever the user logs in.

3: Run something like Samba or TAS (TotalNet Advanced Server) on your Unix hosts, which allows them to act as Windows NT 4.0 domain controllers. This will let you use your Unix logins as logins on your XP boxes, but without the ability to have roaming profiles and consistent user settings from box to box (I think - not 100% sure that it's not there; it might be).

IMHO, #1 is best. It's the easiest to manage, especially if you use Ghost to create disk images of your workstations. If someone kills it, darn. Re-image and you're running in 10 mins. Depending on what kind of tracking you need, there are often ways around keeping track of activity on the workstation itself - for example, to track web access, force these machines to use a proxy server that they have to log in to. This can run on a Sun box.

Good luck!

- G

technoman

Junior Member
Apr 9, 2002
Many thanks. I'll discuss this with our System Administrator and see if we can implement any of your suggestions.

Nothinman

Elite Member
Sep 14, 2001
You could set up AD and have the Unix boxes authenticate against it as if it were a normal LDAP directory; this would be very easy to do with any Unix that has PAM support.

JustinLerner

Senior member
Mar 15, 2002
Windows 2000/XP work fine in conjunction with Unix; most people just don't know how to integrate them.

Both Windows 2000/XP and Unix use Kerberos. It is not as easy to configure 2000/XP authentication from a Kerberos 5 Unix server, but it is possible. Check the information at MIT, SUN, MS and other appropriate vendors, or your Unix vendor, for interoperability.

MS says of Kerberos 5: "Interoperability testing has also occurred with Heimdal, CyberSafe, IBM and Sun implementations." "Testing with MIT Kerberos versions 1.0.5, 1.0.6 and 1.1.1 indicate that interoperability exists for a number of scenarios that are described in the following Windows 2000 Kerberos Interoperability whitepaper." "The Microsoft Windows 2000 implementation of Kerberos V5 does not contain support for Kerberos V4."

The Microsoft Windows 2000 Kerberos implementation is compliant with the following RFCs: 1510 and 1964.

This explains that 2000/XP clients can be authenticated through a Unix server (Kerberos) without a 2000 DC. Let me quote: "Windows 2000 Professional clients can be configured to use a Kerberos realm, with single sign-on to the Kerberos realm and the local Windows 2000 Professional-based client account."
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

Other useful FAQs and support info:
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q266080
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q248758

Administration:
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q232179
Configuration:
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q244474
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q260123
Something to think about before implementing Kerberos authentication on a 2000 DC
(this doesn't apply to Unix):
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q279637

Other things to know:
IPSec exemptions apply to Broadcast, Multicast, RSVP, IKE, and Kerberos traffic.
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q254728

Interested in Kerberos? Here's more info:
http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

technoman

Junior Member
Apr 9, 2002
Thanks.

Can you give me a little help, though, with the two acronyms, AD and PAM? Unfortunately, I'm not that familiar with UNIX boxes and add-on services.

JustinLerner

Senior member
Mar 15, 2002
It seems to me that creating an inter-server two-way transitive trust between a 2000 Domain Controller and Solaris would be more difficult than just implementing a single authentication scheme.

As previously stated:
"Windows 2000 Professional clients can be configured to use a Kerberos realm, with single sign-on to the Kerberos realm and the local Windows 2000 Professional-based client account."

Follow these instructions:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
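The realm setup that JustinLerner's two posts point at (the kerbsteps page) has a Unix half and a Windows half; the script below generates both for a lab of workstations. It is an added example, not code from this thread or from Microsoft's page; the realm CAMPUS.EDU, the KDC kdc1.campus.edu and the workstation and student lists are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the Microsoft page it cites).
# Emits the two halves of the "XP workstation in a Unix Kerberos realm" setup:
# a kadmin.local batch for the MIT KDC and a ksetup batch for each workstation.
REALM="CAMPUS.EDU"          # assumed realm name
KDC="kdc1.campus.edu"       # assumed KDC hostname (MIT or Heimdal)

# KDC side. One host/<fqdn> principal per workstation and one principal per
# student. Windows derives its host key from a password typed into
# ksetup /setcomputerpassword, so the host principals are created with a
# prompted password (kadmin asks for each one) rather than -randkey.
kdc_batch() {               # $1 = workstation FQDN list, $2 = student list
    while IFS= read -r ws; do
        printf 'addprinc host/%s@%s\n' "$ws" "$REALM"
    done <"$1"
    while IFS= read -r u; do
        printf 'addprinc %s@%s\n' "$u" "$REALM"
    done <"$2"
}

# Workstation side: a .cmd run once per XP box as the local Administrator, with
# that box's host principal password passed as %1 (never embedded in the file).
# /setdomain is the Windows 2000 spelling used by the kerbsteps page; on XP the
# same switch is /setrealm (check ksetup /?). Each /mapuser ties a realm
# principal to a same-named LOCAL account, which must already exist on that
# workstation; "ksetup /mapuser * *" would map every principal that way at once.
ksetup_batch() {            # $1 = student list
    printf 'ksetup /setdomain %s\r\n' "$REALM"
    printf 'ksetup /addkdc %s %s\r\n' "$REALM" "$KDC"
    printf 'ksetup /setcomputerpassword %%1\r\n'
    while IFS= read -r u; do
        printf 'ksetup /mapuser %s@%s %s\r\n' "$u" "$REALM" "$u"
    done <"$1"
    printf 'rem reboot the workstation so the realm settings take effect\r\n'
}

# Usage with constructed lists:
#   printf 'lab01.campus.edu\nlab02.campus.edu\n' > workstations.txt
#   printf 'alice\nbob\n' > students.txt
#   kdc_batch workstations.txt students.txt | kadmin.local
#   ksetup_batch students.txt > join-realm.cmd
```

The mapping step is the part that still needs a local account per student on each workstation, so this scheme alone does not remove the per-machine account work the original question asks about.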