In an enterprise setting, you’ll often have hundreds or thousands of users and computers that you need to manage. So, logging in to each network server or each user’s workstation to perform the procedures that we’ve just outlined would be quite unworkable. (But do bear in mind that you still need those skills.) What we need is a way to manage computers and users from one central location. Space doesn’t permit me to give the complete details about the various methods for doing this. So for now, we’ll just have to settle for a high-level overview.
Microsoft Active Directory
I’m not exactly a huge fan of either Windows or Microsoft. But when it comes to Active Directory, I’ll have to give credit where it’s due. It’s a pretty slick product that vastly simplifies the management of very large enterprise networks. And yes, it is possible to add Unix/Linux computers and their users to an Active Directory domain.
I’ve been keeping a dark secret, and I hope that you won’t hate me for it. Before I got into Linux, I obtained my MCSE certification for Windows Server 2003. Mostly, my clients work with nothing but Linux computers, but I occasionally do need to use my MCSE skills. Several years ago, a former client needed me to set up a Linux-based Nagios server as part of a Windows Server 2008 domain, so that its users would be authenticated by Active Directory. It took me a while to get it figured out, but I finally did, and my client was happy.
Unless you wear many hats, as I sometimes have to do, you—as a Linux administrator—probably won’t need to learn how to use Active Directory. Most likely, you’ll just tell the Windows Server administrators what you need, and let them take care of it.
I know, you’ve been chomping at the bit to see what we can do with a Linux server. So, here goes.
Samba on Linux
Samba is a Unix/Linux daemon that can serve three purposes:
- Its primary purpose is to share directories from a Unix/Linux server with Windows workstations. The directories show up in the Windows File Explorer as if they were being shared from other Windows machines.
- It can also be set up as a network print server.
- It can also be set up as a Windows domain controller.
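To make the first of those three purposes concrete, here is an added example (mine, not the book's) of what the share side of Samba looks like in practice: a small POSIX shell script that renders a `[share]` section for `smb.conf` restricted to one Unix group, writes a complete minimal configuration, and asks Samba's own `testparm` parser to check it when that tool is installed. The share name `projects`, the path `/srv/samba/projects` and the group `devteam` are constructed placeholders.

```bash
#!/bin/sh
# Added example, not from the book: a Samba share definition that exposes
# a Linux directory to Windows workstations, limited to members of one
# Unix group. Share name, path and group are placeholders.

# Print one [share] section for smb.conf. Authenticated members of the
# given Unix group get read/write access; guests are refused, and files
# created through the share are group-writable only (no world access).
render_share() {
    name="$1"; path="$2"; group="$3"
    cat <<EOF
[$name]
    path = $path
    comment = $name share for @$group
    valid users = @$group
    guest ok = no
    read only = no
    browseable = yes
    create mask = 0660
    directory mask = 0770
    force group = $group
EOF
}

# Write a full smb.conf into $1 (global section plus one share named $2
# at path $3 for group $4), then let testparm validate it when available.
write_smb_conf() {
    out="$1"
    {
        printf '[global]\n'
        printf '    workgroup = WORKGROUP\n'
        printf '    security = user\n'
        printf '    map to guest = never\n'
        printf '    server min protocol = SMB2\n'
        printf '\n'
        render_share "$2" "$3" "$4"
    } > "$out"
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$out" >/dev/null
    fi
}

# Example run with constructed values (uncomment to write the file):
# write_smb_conf /tmp/smb.conf.example projects /srv/samba/projects devteam
```

The two lines worth noticing from a hardening standpoint are `valid users = @devteam` together with `guest ok = no`, which keep the share off-limits to anyone who has not authenticated as a member of the group, and `server min protocol = SMB2`, which refuses the old SMB1 dialect. After writing the file, `testparm -s` is the quickest way to catch a typo before restarting `smbd`.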
You can install Samba version 3 on a Linux server, and set it up to act as an old-style Windows NT domain controller. It’s a rather complex procedure, and it takes a while. Once it’s done, you can join both Linux and Windows machines to the domain and use the normal Windows user management utilities to manage users and groups.
One of the Linux community’s Holy Grails was to figure out how to emulate Active Directory on a Linux server. That became something of a reality just a few years ago, with the introduction of Samba version 4. But setting it up is a very complex procedure, and isn’t something that you’ll likely enjoy doing. So, perhaps we should keep searching for something even better.
FreeIPA/Identity Management on RHEL/CentOS
Several years ago, the Red Hat company introduced FreeIPA as a set of packages for Fedora. Why Fedora? It’s because they wanted to give it a thorough test on Fedora before making it available for actual production networks. It’s now available for RHEL 6 through RHEL 8 and all of their offspring, including CentOS. This is what IPA stands for:
It’s something of an answer to Microsoft’s Active Directory, but it still isn’t a complete one. It does some cool stuff, but it’s still very much a work in progress. The coolest part about it is how simple it is to install and set up. All it really takes is to install the packages from the normal repositories, open the proper firewall ports, and then run a setup script. Then, you’re all set to start adding users and computers to the new domain via FreeIPA’s web interface. Here, I’m adding Cleopatra, my gray-and-white tabby kitty:
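The three steps just named (install the packages, open the firewall ports, run the setup script) fit in a short script. The one below is an added example of my own, not from the book or the FreeIPA project: it checks that the hostname is a fully qualified name inside the domain (which `ipa-server-install` requires), derives the Kerberos realm from the domain, and then either prints the commands it would run or, when passed `--execute`, runs them. The hostname `ipa1.example.com` and domain `example.com` are constructed; the firewalld service names `freeipa-ldap` and `freeipa-ldaps` are the definitions shipped for this purpose, and whether your release also needs `freeipa-trust` or a combined `freeipa-4` service is an assumption you should check with `firewall-cmd --get-services`.

```bash
#!/bin/sh
# Added example, not from the book: the FreeIPA server setup steps the text
# describes, wrapped in input checks and a dry-run default. Host, domain
# and firewalld service names are assumptions for your environment.

# ipa-server-install insists on a fully qualified hostname: at least one
# dot, and no label that starts or ends with a hyphen. Returns 0 if ok.
is_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Kerberos realm convention: the DNS domain in upper case.
realm_for() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# firewalld services FreeIPA needs: LDAP(S), Kerberos and HTTP(S) are
# covered by the freeipa-ldap/freeipa-ldaps definitions; DNS and NTP
# are needed when the IPA server also provides them.
ipa_firewall_services() {
    printf '%s\n' freeipa-ldap freeipa-ldaps dns ntp
}

# Plan (default) or run (third argument --execute) the install of host $1
# in domain $2. Every step fails loudly rather than continuing half-done.
ipa_setup() {
    host="$1"; domain="$2"; mode="${3:-plan}"
    is_fqdn "$host" || { echo "hostname must be an FQDN: $host" >&2; return 1; }
    case "$host" in
        *."$domain") ;;
        *) echo "host $host is not inside domain $domain" >&2; return 1 ;;
    esac
    realm="$(realm_for "$domain")"
    run() { if [ "$mode" = "--execute" ]; then "$@"; else echo "+ $*"; fi; }

    run hostnamectl set-hostname "$host"
    run yum install -y ipa-server ipa-server-dns
    for svc in $(ipa_firewall_services); do
        run firewall-cmd --permanent --add-service="$svc"
    done
    run firewall-cmd --reload
    # --setup-dns makes the IPA server authoritative for the domain; the
    # admin and Directory Manager passwords are prompted for interactively.
    run ipa-server-install --hostname="$host" --domain="$domain" \
        --realm="$realm" --setup-dns --auto-forwarders
}

# Dry run with constructed names: prints the commands, changes nothing.
ipa_setup ipa1.example.com example.com
```

Run it as-is to see the plan; rerun as `ipa_setup ipa1.example.com example.com --execute` on a fresh, correctly named server to perform it. The up-front checks matter because a hostname that is not an FQDN, or that sits outside the domain, produces a server whose Kerberos principals and DNS records never line up, and that is much harder to repair after `ipa-server-install` has finished than before it starts.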
Although you can add Windows machines to a FreeIPA domain, it’s not recommended. But, starting with RHEL/CentOS 7.1, you can use FreeIPA to create cross-domain trusts with an Active Directory domain.
The official name of this program is FreeIPA. But, for some strange reason, the Red Hat folk refuse to mention that name in their documentation. They always just refer to it as either Identity Management or IdM.
That’s pretty much it for the user management topic.