So I am not trying to be pro-Microsoft and anti-open source with this comment. I like both and want that to be clear. However, Active Directory is the single most used authentication source for workstations in a corporation. It is hard to win new FreeBSD users if we cannot make it easier for corporate users whose machines must be joined to an Active Directory domain and who must authenticate against Active Directory. There is both too much effort and not enough effort in the open source world to integrate with Windows features such as Active Directory. I think that may be because the open source community's computers are rarely joined to a domain, and just as there are too many Linux distros, there are too many ways to authenticate with Active Directory.
Active Directory is so common in the corporate world that it shouldn't be so hard to join an Active Directory domain from FreeBSD. I mean, seriously, does it have to be such a pain? FreeBSD really needs a one-command script to integrate with Active Directory, or a single port. Imagine it: you run one command, joindomain, or go to an "activedirectoryintegration" port and type make install. The script or install would prompt you for the domain, then look up a domain controller for it; if it couldn't find one it would prompt you for a domain controller name or IP, then it would prompt you for credentials, and so on. When the script finished, the workstation would be a member of the domain and domain users would be able to log in. Maybe there should also be a config file where you can list the domain users and groups that are allowed to sudo to root.
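As an added example (not the author's script, and not anything FreeBSD ships), here is the one step of that imagined joindomain flow that is purely mechanical and can be shown in working code: finding a domain controller. Active Directory publishes its domain controllers as DNS SRV records under _ldap._tcp.dc._msdcs.<domain>, so the script queries that name, picks the best record by SRV priority and weight, checks that the host actually answers on the LDAP and Kerberos ports, and only falls back to prompting when DNS gives nothing. The domain example.corp and the hosts dc1, dc2 and dc3 in the comments and tests are made-up names.

```sh
#!/bin/sh
# Added example (not from the original post): locate an Active Directory
# domain controller the way an automated "joindomain" script would, before
# falling back to asking the user for one. Domain and host names used in
# the comments and tests (example.corp, dc1..dc3) are made up.

# pick_dc RECORDS
# RECORDS is newline-separated "priority weight port target" lines, the
# format `dig +short SRV` prints. Chooses the lowest priority, and among
# equal priorities the highest weight (the SRV preference rules), and
# prints "host port". Prints nothing when there are no usable records.
pick_dc() {
    printf '%s\n' "$1" | awk '
        NF == 4 {
            if (best == "" || $1 + 0 < bp || ($1 + 0 == bp && $2 + 0 > bw)) {
                bp = $1 + 0; bw = $2 + 0; best = $4; port = $3
            }
        }
        END {
            if (best != "") { sub(/\.$/, "", best); print best " " port }
        }'
}

# lookup_dc DOMAIN
# Asks DNS for the DC locator record AD publishes for the domain. Needs
# dig (bind tools); on a FreeBSD host without it, drill(1) from base can
# issue the same query. Prints nothing if the record does not exist or
# the resolver is not pointed at the AD DNS servers.
lookup_dc() {
    records=$(dig +short SRV "_ldap._tcp.dc._msdcs.$1" 2>/dev/null)
    pick_dc "$records"
}

# check_dc HOST
# A DC that is in DNS but unreachable is worse than no DC, so verify the
# LDAP (389) and Kerberos (88) ports answer before trusting it.
check_dc() {
    nc -z -w 3 "$1" 389 && nc -z -w 3 "$1" 88
}

# main DOMAIN: the discovery step of the imagined joindomain script.
main() {
    domain="$1"
    dc=$(lookup_dc "$domain")
    if [ -z "$dc" ]; then
        printf 'No DC locator record found for %s.\n' "$domain" >&2
        printf 'Domain controller name or IP: '
        read -r dchost
        dc="$dchost 389"
    fi
    set -- $dc          # split "host port" into $1 and $2
    if check_dc "$1"; then
        printf 'Using domain controller %s (LDAP port %s) for %s\n' "$1" "$2" "$domain"
    else
        printf 'Cannot reach %s on the LDAP and Kerberos ports.\n' "$1" >&2
        exit 1
    fi
}

# Only run the interactive part when a domain is given on the command line,
# e.g.:  sh find_dc.sh example.corp
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Running it as `sh find_dc.sh example.corp` on a workstation whose resolver points at the AD DNS servers prints the chosen controller; on a machine that cannot see those records it prompts, which is exactly the fallback the imagined script needs. The port check matters because a stale SRV record for a decommissioned controller is a common reason a join "finds" a server and then fails later.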
Alas, it is not so easy. (Google Summer of Code project idea, anyone?)
You might be thinking to yourself that if I want a feature, I should write and contribute it myself. That is partly true. However, I am already doing what I can to contribute and have other projects I am working on (for example, writing walk-throughs like the one you are about to read).
So, there are multiple documents and online resources, and here are my sources. However, I found none of them to be 100% correct, and the writers' own words drip with uncertainty about whether they are using the best way.
It is good to have competition among competitors in a marketplace, but not within a product itself. We need one definitive method for authenticating to Active Directory. I don't care if multiple methods exist as long as there is one method that the FreeBSD team can rally around, recommend, consider secure, and include in base or as a single port.
I have never configured FreeBSD to authenticate its users against Active Directory before, and I have hardly touched Kerberos 5, so I consider myself a newbie in this area. However, the only way to move from being a newbie to being an expert is to learn it, configure it and troubleshoot it, so I can gain experience and then be an expert.
So I have been researching for the past week and a half (in the evenings outside of work). I had hoped to make it last Friday's FreeBSD Friday post, but it probably won't be finished by this Friday either.
It will take me a while to research because:
- I don’t want to say something is needed when it is not.
- I don’t want to leave something out or forget to document a setting that is needed.
- I don’t like to change settings that I don’t understand.
- When writing a walk-through, I don't like telling someone what to do without explaining why, when the why is not obvious.
So far I have found articles on integrating with Active Directory using the following:
- FreeBSD + Samba 3.x
- FreeBSD + Kerberos 5
- FreeBSD + Kerberos 5 (built-in) + Samba 3.x
- FreeBSD + Kerberos 5 (from ports) + Samba 3.x
- FreeBSD + LDAP + Samba 3.x
The ones I have tested so far have not been fully functional, but I have not tested all the articles yet. Maybe a doc on each method is warranted.
So which method is the best for the largest majority of FreeBSD users?
If you are in a Windows environment you probably want Samba anyway, so number 1 on the list looks like a good choice. However, some articles say that Samba alone won't work with Active Directory 2003/2008. If that is true, then number 3 on the list may be better. I don't like number 4, because why install something that is already installed? (However, the Kerberos in base is Heimdal, not MIT, so if there is a reason you need MIT then number 4 makes sense.) Number 5 I haven't even researched, but the person who wrote that doc now says it is not as good an option as method 1.
OK, so Active Directory has multiple settings, and the first thing I want to test is a default, clean Active Directory install. Then, if I increase the security (for example, requiring LDAP signing or restricting the Kerberos encryption types the domain controllers accept), do any of the above methods break?
No one really seems to have taken this to the next level of research, so anyway, you can see my confusion and frustration. This is definitely an area that needs to be cleaned up, documented and probably coded into a long-term manageable solution.