That article summed up.
There is different kit and now it's easier to connect.
When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops. And that's fine: it probably serves 90 per cent of the kit you have and is a secure, easy-to-use way of authenticating user logins. But it's very unusual to …
Trouble is, what to replace it with. It's no good decrying something unless you have valid replacements.
And the replacements are:
Samba (still wouldn't trust a DC on this, sorry).
Red Hat Directory Server.
And so you end up with problems because you either have to use Windows management tools and basically replace the "no front end" servers with something else that's probably more unreliable (so nobody but you will care, and all your users will scream the moment something doesn't work as expected), or with a system that involves quite a lot of replacement and messing around.
And, at the end of the day, the killers are not AD. AD is a good idea, works well, or we wouldn't use it. No, the killer is things like Exchange (no viable, cheap, compatible replacement that I'm aware of) and other things that plug into AD.
The problem is not AD; you can run AD on Linux now with no Microsoft software involved. It's the programs that tie into it and that you use to manage it which are the problem.
I speak as someone who has set up a school entirely on the Google Apps platform, as someone who hates Exchange with a vengeance, who has deployed Linux machines and LibreOffice in a school and always has several Linux VMs for certain jobs no matter where I work. I'd love to do it. What stops you is not the back end stuff like AD, which is usually just fine to run on a Windows server and forget about all those compatibility worries. It's the stuff that plugs into it. And the stuff users want to use.
You can wean users off. And if you had the power to solely dictate what the users must use, you wouldn't have this problem in the first place. But that's the sticking point.
Samba now offers its own implementation of AD - you can also use your own combination of Kerberos and LDAP, it will just require more work to set up and maintain.
Linux distros should agree on an AD competitor that is easy to set up and use, but it looks like nobody is really interested in it. Why, I can't explain.
Maybe graybearded Linux admins are afraid to lose their job if Linux becomes too easy to administer in larger setups... <G>
LDAP. It's what most companies do. Pretty much any authentication platform has LDAP integration and thus can use LDAP as their main authentication registry.
AD is basically the usual renegade Microsoft implementation of usually open protocols, in this case it's LDAP and Kerberos v5.
"When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops."
I'll fade that bet ... Not a snowball's chance in hell, in fact.
"And that's fine: it probably serves 90 per cent of the kit you have"
Nope.
"and is a secure"
Post proof, or retract.
"easy-to-use way of authenticating user logins."
Easy is secure? Since when?
"When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops."
"I'll fade that bet ... Not a snowball's chance in hell, in fact."
If you took that bet, you'd probably lose, as all he says is the "chances are" - not that you "are." This means your experience of a different environment isn't enough to falsify his statement.
The reality, for better or worse, is that the majority of corporate environments will use Active Directory to manage a server farm where most devices have a little windows logo.
"If you took that bet, you'd probably lose as all he says is the "chances are" - not that you "are." This means your experience of a different environment isnt enough to falsify his statement."
I took the bet. He was wrong. Ergo ...
::fades to black::
Nowhere is it said you should have a single domain managing everything.
For the perimeter stuff you could set up a dedicated domain - you still get the benefit of centralized management of accounts (instead of having them replicated on every device, probably with the same password stored locally...), while keeping the domain segregated from the internal network.
I was a bit surprised the article talks about TACACS+ and not RADIUS. It is true the former should be more secure than the latter, but it is also less supported. Both can anyway be integrated with AD, and perform things like putting the user - after authentication - on the correct VLAN regardless of where it connects (wired or wireless).
«Why would you have centralised authentication on your computers and mobile devices and then a load of distributed user databases on your LAN kit?»
Because when said LAN kit can't talk to the AD for whatever reason, I want to still be able to connect to it and fix it?
The idea is not completely impossible to envision, but it's a rather bolder step than this sentence makes it sound.
Rarely does a single domain fit the needs of medium and large companies. Sometimes you'll need a forest and proper trusts to ensure authentication (and authorization) happens the correct way, while trying to get more elevated privileges is not so easy from a "less" trusted domain. I.e. the network gear administration domain should not blindly accept users - and even administrators - from the sales one.
Also, use delegation to make some common tasks available to other people without giving them full administrator permissions.
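One way to get both the centralised accounts discussed above and the "still able to connect when the kit can't reach AD" fallback, as an added example in Cisco IOS syntax that is not from any of the commenters: the switch tries an AD-backed TACACS+ server first and consults its local account only when no server answers. The server address, shared secret, group name and account name are placeholders.

```cisco
! Added example: AD-backed TACACS+ first, local account only as fallback.
aaa new-model
!
! TACACS+ server that is integrated with AD (placeholder address and key).
tacacs server AD-TACACS
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ AD-TACACS-GROUP
 server name AD-TACACS
!
! Method lists: try the TACACS+ group, then the local database.
! "local" is consulted only when every server in the group fails to
! respond; a server that rejects the credentials does not fall through.
aaa authentication login default group AD-TACACS-GROUP local
aaa authorization exec default group AD-TACACS-GROUP local
aaa accounting exec default start-stop group AD-TACACS-GROUP
!
! Break-glass local account used only when AD/TACACS+ is unreachable.
! Give each device its own password rather than the same one everywhere.
username localadmin privilege 15 secret PLACEHOLDER-STRONG-PASSWORD
!
line vty 0 4
 login authentication default
 transport input ssh
```

The accounting line means logins that did reach the TACACS+ server are recorded centrally, so a session that only shows up in the local log is itself a sign the device lost contact with AD.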
I agree with Steve Davies 3 (actually my namesake) - having never used AD, I'm sweating on keeping an aging NetWare system going (it pretty much "just works") in the hope that I can find a viable alternative to Microsoft products on the server for a small business.
Given my push to have more Linux on the desktop (thanks to Windows 10) it would be ironic to have to use Microsoft on the server.
Samba looks to be a reasonable starting point, but I haven't found time to bone up on what else is needed yet.
There's another problem: AD does more than just authenticate users. It defines what groups they're in (which, really, is just another aspect of authentication), but more importantly, it does all that good stuff like applying policies to the users and the devices that are connected to it.
You'll generally have policies applied to your Windows machines (even if it's only basic stuff like defining default printers, or disabling the "Shut Down" menu option on servers to stop numpties like me inadvertently hitting it when I really mean to log out).
No, that's not "really just another aspect of authentication". It's more like the second A, authorization.