In-Depth
Manage and Manage Alike
In today's inherently disparate networks, you need a management tool that can take control of all your Windows and open source systems.
Like many of us, I find a certain amount of comfort in Active Directory and
the familiar surroundings of Windows. I've resisted -- often kicking and screaming
-- when my peers have suggested using a Linux- or Unix-based system within our
domain.
Much to my consternation, I have to admit that several of these open source
systems have found their way into the networks that I have to manage either
directly or indirectly. So even though I've been exposed to FreeBSD, Red Hat,
CentOS, Fedora, SCO and several other Linux- and Unix-based systems, I've always
shied away from really sinking in my teeth and learning how they work.
Out of pure necessity, I've learned how to dub around in these operating systems,
do some basic maintenance and troubleshooting, and lend "hands and eyes"
support to my users. Some of my Linux friends have told me I've learned just
enough to be dangerous.
With acquisitions, mergers, buyouts, downsizing and reengineering, sometimes
even the most carefully planned and meticulously managed networks can become
a confusing mess. I've always been told that networks are living, breathing
entities that continue to grow throughout the lifecycle of an organization.
It's no longer a rarity to see Windows, Unix, Linux and Macintosh systems all
sharing the same wire in a network environment.
This is especially true in a company that has grown through acquisitions or
mergers. Even simple churn within the IT staff can result in disparate OSes
and different flavors of Unix/Linux as each administrator leaves behind his
or her preferred systems. There's a certain comfort in managing your Windows-based
AD infrastructure, but what about all those Linux servers? This is where Centeris
Likewise, Vintela Authentication Services and Centrify DirectControl may be
able to help.
Centeris Likewise
Redmond Rating

Manageability      25%    9.0
Performance        25%    9.0
Documentation      25%    8.0
User Interface     25%    9.0
Overall Rating:           8.7

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
The Big Easy:
Centeris Likewise
As I was getting ready to evaluate the Centeris Likewise package, I was reading
through the documentation on their Web site. In several places in the documentation,
they boasted the product could be up and running in 30 minutes -- this I had
to see.
My lab setup consists of a Microsoft 2003 Server, four Windows XP Professional
computers and two Fedora Core 5 servers. All these boxes are fully updated,
and the Fedora boxes have no configuration beyond the initial install.
Indeed, installing the Centeris package on the Windows server was completely
painless. Once I'd finished, I was presented with a GUI management console (see
Figure 1). The look and feel is not exactly like a Windows Management Console,
but any Windows admin should be able to navigate it effectively and defeat the
learning curve within a few minutes.
Figure 1. Centeris' Likewise offers a GUI management console that most admins should be able to navigate.
From there, all you need to do is add your first Linux box to your domain with
the hostname of the Linux server (provided that you have it set up in your DNS
listings) or the IP address and the root password. Centeris Likewise then creates
a Secure Shell (SSH) session to the box and installs all the components necessary
to administer it from your Windows GUI. The total time for the installation,
plus a few extra minutes to review the documentation and set up my first Linux
box on my AD domain, was about 25 minutes.
Once adding that first Linux server was complete, I moved on to the second.
At this point, I noticed there isn't any apparent method of scripting or creating
a batch for this process. In the lab environment I only had to add two servers,
but that number could certainly be much higher in a large-scale production environment.
Also, after installing the second server, I noticed you can only manage one
server at a time.
Still, setting up a mixed network was easy. Over the next 30 minutes, I set
up an Apache Web site with DNS up and running, a file share and a network
printer on the two servers. It was quickly apparent that seasoned Windows veterans
would certainly benefit from this product when adding Linux and Unix boxes to
their networks.
On the downside, however, there are several popular services found on most
Unix/Linux boxes that you can't manage through the Centeris console. MySQL and
PHP are examples of services you must configure and maintain manually.
All of the benefits conferred by Centeris Likewise could certainly be accomplished
with a fair amount of scripting and manual setup on any Unix and Linux machines
spread throughout your network. For many with limited experience in this arena,
however, Centeris Likewise is a good package to have available.
Vintela Authentication Services
Redmond Rating

Manageability      25%    8.0
Performance        25%    9.0
Documentation      25%    7.0
User Interface     25%    8.0
Overall Rating:           8.0

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
Sign Once:
Quest Software Vintela Authentication Services
Quest Software's Vintela Authentication Services (VAS) takes a much different
approach to "integrating" Unix and Linux systems into an AD environment.
Just about everyone in a mixed environment is familiar with the phrase "Single
Sign-On," or SSO. Many of us are accustomed to providing our front-line
users with a single username and password for Windows environments. Administrators
and power users often have more than one account, each set up for performing
various network administration roles. The non-IT user, though, typically needs
only one easily-managed account.
Those of us fortunate enough to have a mixed environment also understand what
it's like to have various flavors of Unix/Linux on our network that require
different credentials for each user. It can quickly get cumbersome.
Now imagine you're supporting an enterprise-class organization that has typically
been a Microsoft AD environment. You acquire another company with 152 Unix/Linux-based
servers. At the outset, this could be a nightmare. You can certainly see how
the concept of SSO could be beneficial.
Both VAS and Centrify's DirectControl do require a bit more skill with Unix/Linux.
I'd strongly recommend having a good plan in place before beginning an integration
project on a production network. Both Quest and Centrify also offer integration
services that will help you smooth the process.
AD stores certain attributes for each user in its data store. Unix and Linux
machines typically store several more attributes for each user. This makes it
difficult to integrate your Unix/Linux users into AD. One way to do this is
to extend the schema on your AD servers to store the additional attributes.
Quest's VAS takes this approach.
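To make the schema-extension approach concrete, here is a small added example (my own code, not part of the article and not VAS code) that models AD user entries carrying extra POSIX attributes and shows what a member Linux box derives from them. The attribute names uidNumber, gidNumber, unixHomeDirectory and loginShell follow the RFC 2307-style naming Windows Services for Unix uses; that VAS stores exactly these names is an assumption. The sample entries are constructed. The audit function adds the checks an administrator wants before member servers trust these attributes: two accounts sharing a UID become indistinguishable on disk and in audit logs, and anything mapped to UID 0 is root on every joined box.

```python
# Added example (not VAS or Centeris code): a toy model of the "extend the AD
# schema" approach. The POSIX attribute names are RFC 2307-style and are an
# assumption about the schema, not a statement of what VAS actually adds.

POSIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed sample directory entries, shaped like what an LDAP client returns.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "displayName": "Alice Adams",
     "uidNumber": "10001", "gidNumber": "10000",
     "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"sAMAccountName": "bob", "displayName": "Bob Brown"},  # Windows-only user
    {"sAMAccountName": "carol", "displayName": "Carol Cruz",
     "uidNumber": "10001", "gidNumber": "10000",  # same UID as alice (a mistake)
     "unixHomeDirectory": "/home/carol", "loginShell": "/bin/bash"},
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service",
     "uidNumber": "0", "gidNumber": "0",  # UID 0 is root on every member box
     "unixHomeDirectory": "/root", "loginShell": "/bin/sh"},
]


def is_unix_enabled(entry):
    """An AD user is 'Unix-enabled' only when every POSIX attribute is set."""
    return all(entry.get(attr) for attr in POSIX_ATTRS)


def passwd_line(entry):
    """Render one Unix-enabled entry in /etc/passwd format. The password
    field is 'x': authentication goes to AD (Kerberos), not a local hash."""
    if not is_unix_enabled(entry):
        raise ValueError(f"{entry['sAMAccountName']} is not Unix-enabled")
    return ":".join([
        entry["sAMAccountName"], "x", entry["uidNumber"], entry["gidNumber"],
        entry.get("displayName", ""), entry["unixHomeDirectory"],
        entry["loginShell"],
    ])


def audit_posix_attributes(entries):
    """Pre-rollout checks: who is Unix-enabled, which UIDs are shared by
    more than one account, and which accounts map to UID 0."""
    enabled = [e for e in entries if is_unix_enabled(e)]
    by_uid = {}
    for e in enabled:
        by_uid.setdefault(int(e["uidNumber"]), []).append(e["sAMAccountName"])
    return {
        "unix_enabled": [e["sAMAccountName"] for e in enabled],
        "duplicate_uids": {uid: names for uid, names in by_uid.items()
                           if len(names) > 1},
        "root_mapped": by_uid.get(0, []),
    }


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        if is_unix_enabled(user):
            print(passwd_line(user))
    print(audit_posix_attributes(SAMPLE_USERS))
```

Run against the constructed entries, the audit reports alice and carol sharing UID 10001 and svc-backup mapped to root, which is exactly the kind of thing to resolve in AD before the first server is joined rather than on each Linux box afterwards.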
I installed VAS on a new and fully updated Windows 2003 Server machine. VAS
gives you a utility for extending your AD schema. This was a relatively quick
and painless procedure on my new server. In a large production environment with
many users and other objects, this process might be a bit more time consuming.
I'd recommend a very recent full backup of your AD servers in a production environment
on the slight chance that you encounter problems.
After updating the schema, VAS completes the installation and installs the
remaining VAS Administrative Tools. You can then register these tools on your
server (see Figure 2). I created a Unix/Linux users group where you see the
newly added ability to select the "Enable Unix Group" check box under
the Properties menu. Then I selected a user, went to properties and selected
"Enable Unix User."
Figure 2. Admins can register the VAS Administrative Tools on their servers.
Management setup on the client-side install was a bit more daunting. VAS supplies
a tool called Vastool that lets you add your Unix/Linux machine to the AD domain.
Vastool is a command-line tool, so you should be comfortable with the Unix/Linux
command line before you start on this endeavor.
I did my client installation on two Fedora Core 5 machines. VAS also supports
AIX, Debian, VMware ESX Server, Red Hat, SuSE and Solaris Unix. It also supports
a wide range of Unix/Linux-based applications such as DB2, Java, Oracle and
SAP.
Now that I'd configured my AD and client machines, my Fedora machines were
full members of the AD domain. The machines' Kerberos and LDAP implementation
created a true single sign-on "trusted realm" in my AD.
One of the major benefits of VAS is that it's completely standards-based. It
extends the capabilities of AD to your Unix/Linux environment. One of the nightmares
network supervisors experience in a mixed environment is the issue of compliance
and the associated management and reporting requirements. VAS will give you
the same auditing and reporting capabilities in your Unix/Linux environment
that you've grown accustomed to in your AD world.
VAS is very scalable. It can accommodate networks with 10 or 10,000 users.
While the package doesn't let you set up Web sites and DNS servers on your Unix/Linux
servers, hopefully you can see how using VAS to create an SSO environment to
integrate your Unix/Linux servers into your AD could potentially be a huge benefit.
Centrify DirectControl
Redmond Rating

Manageability      25%    8.0
Performance        25%    8.0
Documentation      25%    8.0
User Interface     25%    9.0
Overall Rating:           8.2

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
Easy Rider:
Centrify DirectControl
The second product in the single sign-on arena is Centrify DirectControl. DirectControl
uses native AD capabilities to store multiple Unix and Linux identities. Like
VAS, this also requires a bit more familiarity with Unix and Linux than Likewise.
DirectControl doesn't actually change or extend the schema of your existing
AD. The end result is still SSO, but DirectControl takes a different approach:
it lets you store multiple Unix and Linux identities for one AD user and then
maps those identities back to "zones" of systems.
These "zones" are collections of systems that share similar attributes
and let you provide access for users who have membership in the zone. Many seasoned
Linux and Unix veterans are familiar with NIS maps: there's a utility that lets
you import these maps.
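The zone idea is easier to see in code. The following is an added example of my own, not Centrify code, and the map layout and the NIS passwd-map import are my assumptions about the concept rather than DirectControl's real data model. One AD account can resolve to a different Unix identity in each zone, and an account with no entry in a zone gets no login there. The review helper at the end lists accounts that own more than one Unix identity across zones, which is the situation I am wary of below: one set of credentials then controls several Unix identities. The NIS map text and the zone entries are constructed samples.

```python
# Added example (not Centrify code): a toy model of zone-based identity
# mapping that leaves the AD schema alone. Layout and NIS import are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UnixIdentity:
    uid: int
    gid: int
    home: str
    shell: str


class ZoneRegistry:
    """zones[zone_name][ad_account] -> UnixIdentity."""

    def __init__(self):
        self.zones = defaultdict(dict)

    def add(self, zone, ad_account, identity):
        self.zones[zone][ad_account] = identity

    def import_nis_passwd_map(self, zone, map_text):
        """Import a passwd-style NIS map (user:pw:uid:gid:gecos:home:shell)
        into one zone, using the Unix login name as the AD account name.
        Returns the number of entries imported."""
        count = 0
        for line in map_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _pw, uid, gid, _gecos, home, shell = line.split(":")
            self.add(zone, name, UnixIdentity(int(uid), int(gid), home, shell))
            count += 1
        return count

    def resolve(self, zone, ad_account):
        """Identity a member of `zone` gives `ad_account`, or None when the
        account has no identity in that zone (so it cannot log in there)."""
        return self.zones.get(zone, {}).get(ad_account)

    def identities_per_account(self):
        """Every AD account with the UID it resolves to in each zone."""
        seen = defaultdict(dict)
        for zone, members in self.zones.items():
            for account, ident in members.items():
                seen[account][zone] = ident.uid
        return dict(seen)

    def multi_identity_accounts(self):
        """Accounts whose single AD credential maps to more than one UID."""
        return sorted(account
                      for account, uids in self.identities_per_account().items()
                      if len(set(uids.values())) > 1)


# Constructed NIS passwd map, as an acquired company's "finance" zone might have.
FINANCE_NIS_MAP = """\
# passwd.byname dump (constructed sample)
alice:x:501:100:Alice Adams:/export/home/alice:/bin/ksh
dave:x:502:100:Dave Diaz:/export/home/dave:/bin/ksh
"""


def build_sample_registry():
    """Two zones: the imported legacy 'finance' zone and a newer 'web' zone."""
    reg = ZoneRegistry()
    reg.import_nis_passwd_map("finance", FINANCE_NIS_MAP)
    reg.add("web", "alice", UnixIdentity(10001, 10000, "/home/alice", "/bin/bash"))
    reg.add("web", "bob", UnixIdentity(10002, 10000, "/home/bob", "/bin/bash"))
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    print(registry.resolve("finance", "alice"))
    print(registry.resolve("web", "alice"))
    print(registry.resolve("finance", "bob"))  # None: bob has no finance identity
    print(registry.multi_identity_accounts())
```

With the constructed data, alice is UID 501 on finance-zone boxes and UID 10001 on web-zone boxes, bob cannot log in to the finance zone at all, and the review helper lists alice as the one account carrying two Unix identities; that list is what I would want in a periodic report.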
Centrify DirectControl also lets you integrate Macs into your AD, in addition
to Unix/Linux machines. For the purpose of my evaluation, I started with a fresh
network consisting of a Windows 2003 server, four Windows XP Professional clients
and two Fedora Core 4 machines.
At the time of this review, Fedora Core 5 was not listed as a supported OS.
Still, installing it on the server was quite simple. Once again, the client
installation requires a bit of knowledge in the Unix/Linux environment. That
being said, the client installation is fairly well scripted and went off without
any problems.
One feature I do like about Centrify DirectControl is the DirectControl Administrator
Console (see Figure 3). This is a clean and intuitive environment in which you
can set up your Centrify DirectControl zones, add users to zones and view reports.
Figure 3. DirectControl's Administrator Console presents a cleaner environment for adding users to zones and viewing reports.
In my opinion, the built-in reporting left a bit to be desired. I prefer add-on
reporting and auditing tools that pull information directly from my AD. I also
question the wisdom of mapping multiple user accounts to one AD account.
Singularly Qualified
If you have Unix and Linux machines on your network, or if you're thinking about
adding one for Web hosting, DNS, or file and printer sharing, Centeris Likewise
would certainly be worth a look.
Both Centrify DirectControl and Quest's Vintela Authentication Services have
thorough documentation. They also have "Resource Centers" on their
Web sites with vast resources available.
If you truly want to integrate your Unix and Linux systems into your AD environment
and use single sign-on features like ease of administration and compliance,
both VAS and DirectControl are worth a look. I'd recommend giving them serious
consideration. There certainly are benefits to this type of choice, including
the ease of directly mapping existing users.
As I mentioned earlier, making a full backup prior to installation would give
you absolute protection in the event of any critical problems. Although I didn't
really encounter any major problems in my tests, I'm a bit leery of manipulating
my production AD environment. VAS does let you use traditional Windows applications
for user and group management. DirectControl adds their management console.
All this may come down to a matter of personal preference with how you'd rather
manage your systems.