Authenticate Linux Devices Against Active Directory

By Rajat Bhargava Posted September 2, 2016

Today’s IT environments are rarely all Windows. While that may have been true in the late 1990s and the early 2000s, it’s not true today.

Linux and Mac OS X are now a big part of just about every IT infrastructure. In fact, estimates are that Windows is only one in five devices inside a corporation when you include all devices (desktops, laptops, servers, mobile). As organizations leverage different platforms, that puts a great deal of pressure on the ability to centrally manage user access.

Most organizations have leveraged Microsoft Active Directory, which works quite well with Windows machines and applications. That brings us to the question: how do you authenticate Linux devices against Active Directory?

More Than One Way To Authenticate Linux Devices Against AD

Historically, the approach to authenticating Linux machines against AD has been complex and required a great deal of effort. In addition to walking you through a couple of ways that IT organizations have done it in the past, we’ll also share two modern approaches that may be far easier.

Past Techniques

In the past, two methods have been used to connect Linux machines to AD:

  1. Use the LDAP protocol
  2. Use Samba (which you can think of as a directory extender)

The first approach requires you to reconfigure your Linux servers to authenticate through the PAM LDAP module. Because this path uses LDAP binds rather than the Kerberos authentication AD is built around, the password is sent over the network in clear text unless you also set up encryption, and if you do encrypt, you are responsible for configuring and maintaining that encryption yourself.
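As an added example (not from the original post), the check below audits a pam_ldap/nslcd-style ldap.conf and reports whether the bind to AD would leave the host unencrypted; the weak sample and the three lines that harden it use that format's keywords, while the hostnames, DNs and CA path are assumed placeholders.

```python
# Constructed samples in pam_ldap/nslcd ldap.conf keyword style (hostnames, DNs are made up).
WEAK_CONF = """\
uri ldap://dc01.example.internal
base dc=example,dc=internal
binddn cn=svc-ldap,ou=Service Accounts,dc=example,dc=internal
bindpw REDACTED
filter passwd (objectClass=user)
map passwd uid sAMAccountName
"""

# Same directory, but the session is upgraded with StartTLS and the DC certificate is checked.
HARDENED_CONF = WEAK_CONF + """\
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-root-ca.pem
"""


def parse_conf(text):
    """Map each 'keyword value' line to its value; blanks and '#' comments are skipped.
    A repeated keyword overwrites the earlier value, which is sufficient for this audit."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def audit(text):
    """Return findings describing how the bind password could be exposed in transit.
    An empty list means the session is encrypted and the server certificate is verified."""
    s = parse_conf(text)
    findings = []
    uri = s.get("uri", "ldap://localhost")  # an unset uri falls back to a plain ldap:// URI
    ssl = s.get("ssl", "off").lower()
    reqcert = s.get("tls_reqcert", "").lower()

    encrypted = uri.startswith("ldaps://") or ssl in ("on", "start_tls")
    if not encrypted:
        findings.append("bind to %s is clear text: password leaves the host unencrypted" % uri)
        return findings

    # TLS without certificate checking still hands the password to whoever answers.
    if reqcert not in ("demand", "hard"):
        findings.append("tls_reqcert is %r: certificate verification is not enforced" % (reqcert or "unset"))
    if "tls_cacertfile" not in s and "tls_cacertdir" not in s:
        findings.append("no tls_cacertfile/tls_cacertdir: trust depends on the system CA store")
    return findings
```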

The other approach is to use Samba as an intermediary that handles the authentication. This is a painful process: you will need to install and build Samba, set up its communication with AD, and then make sure that your Linux systems are properly configured to use it. If you want more details on this involved process, check out Microsoft's own blog post on how to accomplish it.

But the truth is that neither of these approaches gives IT admins the confidence that they can easily and quickly manage a heterogeneous infrastructure with Active Directory.

Present Approaches

There are better approaches to the problem of authenticating Linux machines to Active Directory. Then again, perhaps the best approach is to not even use AD. But first, let’s explain an approach that still maintains your AD infrastructure.

The difference with this approach is that we will add a cloud-based directory extension solution. A small agent goes on your AD server which syncs your users with the cloud directory. Another lightweight agent is placed on all of your Linux devices. And, that’s it. No servers to install, no software to configure, and no networking. Your AD users are automatically synced to the cloud-hosted directory and then those users and their credentials are passed down to your Linux machines. A change in AD automatically flows to all of your Linux devices. The best part of this approach is that your Linux servers can live anywhere: on-prem, in AWS, Google Compute Engine, or elsewhere. Your AD server is still located on-premises, but your Linux machines can be anywhere while you maintain full control.

Modern Solution To Authenticate Linux Devices


An even better approach to a mixed platform environment is to make the switch from Active Directory to an independent cloud directory service. In this case, there are no hoops to jump through. Linux machines are first-class citizens just like Windows and Macs.

The approach is simple: users are entered into the central user database via a Web console. Lightweight agents installed on each machine control user access and provide the ability to remotely execute tasks on those devices. There isn't any server software to install, hardware to purchase, or ongoing maintenance and management. Since the directory service is delivered as a SaaS-based solution, you simply consume what you need. Linux authentication is as simple as Windows or Mac authentication. Those user accounts can also be used for other platforms, including Google Apps for Work, Office 365, AWS, and more.

Complete Linux User Management And Authentication

If you would like help managing users on your Linux devices and perhaps authenticating them to Active Directory or a cloud-hosted directory service, drop us a note. We’d be happy to help.

If you’re interested in the potential of a cloud-based directory service at your organization (see above), please try the Directory-as-a-Service® platform. Your first 10 JumpCloud users are free forever.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
