Posted: 4/21/2016 10:43:55 AM EDT
Looking at options to integrate AIX and Linux hosts into Active Directory, to eliminate the licensing costs from IBM's Tivoli Directory Services. The main stumbling block I'm encountering is that Windows 2012 R2 reportedly dropped some of the UNIX compatibility tools (I'm still researching that; I haven't had to administer Windows servers in years, and it wasn't my core responsibility even then). I know there are some third-party solutions like PowerBroker I can use (either the open version or the paid version); I'm just trying to get a handle on what my best options are.
Link Posted: 4/21/2016 11:03:19 AM EDT
[#1]
Is it just for user authentication?

https://technet.microsoft.com/en-us/library/cc754871.aspx
Link Posted: 4/21/2016 11:09:41 AM EDT
[#2]
Quoted:
Is it just for user authentication?

https://technet.microsoft.com/en-us/library/cc754871.aspx

Yes, that's what I was looking at. It is apparently deprecated in 2012 R2; however, I just talked to my Windows admins, and while the AD servers are at 2012 R2, they're still running in 2008 R2 mode, so I may be able to use this, at least until they have to upgrade.
Link Posted: 4/21/2016 2:49:27 PM EDT
[#3]
Quoted:
Yes, that's what I was looking at. It is apparently deprecated in 2012 R2; however, I just talked to my Windows admins, and while the AD servers are at 2012 R2, they're still running in 2008 R2 mode, so I may be able to use this, at least until they have to upgrade.

Yes, that is the case.

However, it was deprecated for various security reasons, and you really should be focusing on getting LDAP/Kerberos if this is a thing that needs to be long term.
Link Posted: 4/21/2016 3:11:50 PM EDT
[#4]
Quoted:
Yes, that is the case.

However, it was deprecated for various security reasons, and you really should be focusing on getting LDAP/Kerberos if this is a thing that needs to be long term.

I'm not opposed to LDAP/Kerberos, although I'd prefer to keep costs down because there aren't a lot of users who need direct access to the Linux/AIX servers, so spending a lot of money doesn't make sense. Having it tied to AD simplifies internal auditing (fortunately, I'm not currently in a position to need to worry about PCI DSS, HIPAA, or SOX right now, as this is a membership-owned utility company), but having a single place to manage user access is always good. If there's another single sign-on option (as mentioned, PowerBroker is one we are looking at), I'll gladly look at it; this just hasn't been my focus in the past.
Link Posted: 4/21/2016 4:13:43 PM EDT
[#5]
Quoted:
I'm not opposed to LDAP/Kerberos, although I'd prefer to keep costs down because there aren't a lot of users who need direct access to the Linux/AIX servers, so spending a lot of money doesn't make sense. Having it tied to AD simplifies internal auditing (fortunately, I'm not currently in a position to need to worry about PCI DSS, HIPAA, or SOX right now, as this is a membership-owned utility company), but having a single place to manage user access is always good. If there's another single sign-on option (as mentioned, PowerBroker is one we are looking at), I'll gladly look at it; this just hasn't been my focus in the past.

https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.security/kerberos_install_config_krb5.htm
Link Posted: 4/21/2016 6:15:09 PM EDT
[#6]
How many users are accessing how many UNIX/Linux servers in this scenario? Unless it's a great number with regularly changing attributes (passwords, group membership, permissions, etc.) you are introducing more complexity into the solution than the time it might save.

If you have to, LDAP and krb5 will get you authentication somewhat securely but that's about it.  Honestly, I would just create a bash script or use an automation tool to create/remove accounts, push user SSH keys to all servers to remove password insecurity from the picture, manage group membership, and keep them all in sync.  That and anything else you need to manage.
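The script-and-SSH-keys approach suggested above, written out as an added example (not from the thread or from any product mentioned in it): one roster of users, groups and public keys plus a host inventory drives per-host authorized_keys files, so granting access is a roster edit and revoking it is deleting a roster line and re-rendering. The users, hosts, keys and the "accounts currently on the host" list are constructed sample data; the push step (scp/rsync of the staged directory to each host) is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: keep SSH access to a small fleet in one
# roster and render per-host authorized_keys files from it, so adding, moving
# or removing a person is one edit in one place. Users, hosts and keys below
# are constructed sample data; the push step (scp/rsync of $STAGE) is not shown.
set -eu

# Roster: user:groups:public-key (groups comma separated). Constructed.
ROSTER='alice:dba:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice alice@ws
bob:web:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBob bob@ws
carol:dba,web:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyCarol carol@ws'

# Inventory: host:groups allowed to log in (comma separated). Constructed.
INVENTORY='db01:dba
web01:web
app01:dba,web'

# Accounts found on a host today (what "getent passwd" might list). Constructed.
CURRENT_ACCOUNTS='alice
carol
dave'

# users_for_host HOST: roster users with at least one group allowed on HOST.
users_for_host() {
  allowed=$(printf '%s\n' "$INVENTORY" | awk -F: -v h="$1" '$1 == h { print $2; exit }')
  [ -n "$allowed" ] || { echo "unknown host: $1" >&2; return 1; }
  printf '%s\n' "$ROSTER" | while IFS=: read -r user groups _key; do
    for g in $(printf '%s' "$groups" | tr ',' ' '); do
      case ",$allowed," in
        *",$g,"*) printf '%s\n' "$user"; break ;;
      esac
    done
  done
}

# key_for_user USER: the public key recorded in the roster for USER.
key_for_user() {
  printf '%s\n' "$ROSTER" | awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

# render_host HOST: write $STAGE/HOST/<user>.authorized_keys for each allowed
# user, wiping whatever was staged before so revoked users disappear; prints
# the number of files written.
render_host() {
  out=${STAGE:-./stage}/$1
  rm -rf "$out"; mkdir -p "$out"
  users_for_host "$1" | while read -r user; do
    # "restrict" (OpenSSH 7.2+) turns off forwarding, rc files and pty; "pty"
    # re-enables only the interactive shell these accounts actually need.
    printf 'restrict,pty %s\n' "$(key_for_user "$user")" > "$out/$user.authorized_keys"
  done
  ls "$out" | wc -l | tr -d ' '
}

# stale_accounts: accounts present on a host that are no longer in the roster
# (candidates for removal on the next run).
stale_accounts() {
  printf '%s\n' "$CURRENT_ACCOUNTS" | while read -r acct; do
    printf '%s\n' "$ROSTER" | awk -F: '{ print $1 }' | grep -qx "$acct" || printf '%s\n' "$acct"
  done
}

# Stand-alone demonstration: who may log in where, and who should be removed.
for h in db01 web01 app01; do
  printf '%s: %s\n' "$h" "$(users_for_host "$h" | tr '\n' ' ')"
done
printf 'stale: %s\n' "$(stale_accounts | tr '\n' ' ')"
```

Because the staged directory is rebuilt from scratch on every run, a user dropped from the roster loses every key on the next push; the stale-account report covers the other half (local accounts created outside the roster), which is the gap a hand-run script tends to leave open.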
Link Posted: 4/21/2016 6:38:53 PM EDT
[#7]
We use Vintela Authentication Services.
Link Posted: 4/21/2016 6:55:06 PM EDT
[#8]
Quoted:
We use Vintela Authentication Services.

I've heard tell of Vintela but have never seen it in action. Now I'm curious how they framework all the standard packages traditionally used for pseudo-AD interoperability into a much tighter integration than you would otherwise get.

ETA: <rubs hands together and clicks on "download free trial">
Link Posted: 4/21/2016 8:29:09 PM EDT
[#9]
Quoted:
How many users are accessing how many UNIX/Linux servers in this scenario? Unless it's a great number with regularly changing attributes (passwords, group membership, permissions, etc.) you are introducing more complexity into the solution than the time it might save.

If you have to, LDAP and krb5 will get you authentication somewhat securely but that's about it. Honestly, I would just create a bash script or use an automation tool to create/remove accounts, push user SSH keys to all servers to remove password insecurity from the picture, manage group membership, and keep them all in sync. That and anything else you need to manage.

Less than 100 total servers (well, virtual machines), fewer than 20 users who would need access (and not all users need access to all servers). We previously had IBM Tivoli Directory Server, but IBM wanted too much money to keep it running (other than one TDS instance used by a particular application on one server that already bridges to AD, but that's a specialized case that was configured by a vendor and isn't an option to piggyback on), and there was some kind of funky database corruption going on that IBM couldn't fix (non-standard configuration, OS no longer supported, real fun, set up by long-gone administrators almost a decade ago). I know PowerBroker will do it; I may have to just bite the bullet and go with that. The open version might have all we need for functionality, but there may be some budget if I need to get the enterprise version.
Link Posted: 4/21/2016 9:18:02 PM EDT
[#10]
Quoted:
I've heard tell of Vintela but have never seen it in action. Now I'm curious how they framework all the standard packages traditionally used for pseudo-AD interoperability into a much tighter integration than you would otherwise get.

ETA: <rubs hands together and clicks on "download free trial">

I wish I could help you there. Unfortunately, in this regard I'm just a consumer. I know when I can't get onto a server I have to have someone give VAS a kick in the ass.
Link Posted: 4/21/2016 10:32:32 PM EDT
[#11]
Quoted:
Less than 100 total servers (well, virtual machines), fewer than 20 users who would need access (and not all users need access to all servers). We previously had IBM Tivoli Directory Server, but IBM wanted too much money to keep it running (other than one TDS instance used by a particular application on one server that already bridges to AD, but that's a specialized case that was configured by a vendor and isn't an option to piggyback on), and there was some kind of funky database corruption going on that IBM couldn't fix (non-standard configuration, OS no longer supported, real fun, set up by long-gone administrators almost a decade ago). I know PowerBroker will do it; I may have to just bite the bullet and go with that. The open version might have all we need for functionality, but there may be some budget if I need to get the enterprise version.

That's not too bad, but probably more than you want to manage by hand if you expect to be making regular account changes. Get a price quote from Dell on the Vintela software that Jax mentioned. Once you get to downloads/documentation they only refer to it as "Single Sign-on for Java", though. I'm going to play with it tonight or tomorrow and see what it's all about for fun.

Dell Vintela/Single Sign On for Java
Link Posted: 4/21/2016 10:33:41 PM EDT
[#12]
Quoted:
I wish I could help you there. Unfortunately, in this regard I'm just a consumer. I know when I can't get onto a server I have to have someone give VAS a kick in the ass.

I'll find out soon enough! I've downloaded the trial software. It's a whopping 11MB zipped.
Link Posted: 4/26/2016 10:22:37 PM EDT
[#13]
Vintela and numerous group policies.
Link Posted: 4/27/2016 1:15:11 PM EDT
[#14]
Did you try configuring the PAM stack on your Linux host to use LDAP and KRB on your Active Directory DCs?
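The LDAP-plus-Kerberos-through-PAM setup this post and post #3 point at, written out as an added example (not from the thread and not from any vendor product named in it) for the Linux side. On current Linux distributions the PAM/NSS stack delegates that work to SSSD, so the script stages an sssd.conf with `id_provider = ldap` over LDAPS and `auth_provider = krb5` against the DCs, next to a deliberately weakened copy of the kind that appears after "just make it work" troubleshooting, and lints both for the settings that matter. AIX uses its own LDAP and KRB5 clients, which the IBM link in post #5 covers. Hostnames, the realm, the CA path, the group name and the weak file's bind password are placeholders; the hardened file assumes the host already has a Kerberos keytab from a domain join.

```shell
#!/bin/sh
# Added example, not from the thread: stage an sssd.conf that makes PAM/NSS use
# AD over LDAPS for identity and Kerberos for authentication, then lint it for
# the settings that most often get weakened to "make it work". Hostnames, realm,
# group name and CA path are placeholders; the weak config is constructed.
set -eu

# Hardened configuration: LDAPS with certificate validation, GSSAPI bind from
# the host keytab (no bind password on disk), Kerberos TGT validation against
# the host key, and an explicit access rule instead of the default "permit".
write_hardened_conf() {
  cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
access_provider = simple
simple_allow_groups = linux-admins
ldap_uri = ldaps://dc01.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
ldap_schema = ad
ldap_id_mapping = true
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = EXAMPLE.COM
krb5_server = dc01.example.com
krb5_validate = true
cache_credentials = true
EOF
}

# Weak configuration of the kind that appears after troubleshooting: cleartext
# LDAP, no certificate check, a service-account password in the file, no
# access rule (SSSD defaults to permit) and no KDC validation. Constructed.
write_weak_conf() {
  cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc01.example.com
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=svc-ldap,ou=service,dc=example,dc=com
ldap_default_authtok = ConstructedPlaceholderPassword
krb5_realm = EXAMPLE.COM
krb5_validate = false
EOF
}

# conf_get FILE KEY: value of the first "KEY = value" line (keys are assumed
# unique across sections, which holds for this single-domain file).
conf_get() {
  awk -v k="$2" -F= '{ key = $1; gsub(/[ \t]/, "", key) }
    key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

fail() { echo "FAIL: $*"; rc=1; }

# check_sssd FILE: print one FAIL line per weak setting; exit status 1 if any.
check_sssd() {
  f=$1; rc=0
  uri=$(conf_get "$f" ldap_uri)
  starttls=$(conf_get "$f" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
  case "$uri" in
    ldaps://*) ;;
    *) [ "$starttls" = true ] || fail "ldap_uri '$uri' is not ldaps:// and ldap_id_use_start_tls is not true" ;;
  esac
  case "$(conf_get "$f" ldap_tls_reqcert)" in
    demand|hard) ;;
    *) fail "ldap_tls_reqcert must be demand: the DC certificate is not verified" ;;
  esac
  [ -z "$(conf_get "$f" ldap_default_authtok)" ] ||
    fail "ldap_default_authtok stores a bind password in the file; use GSSAPI with the host keytab"
  case "$(conf_get "$f" access_provider)" in
    ""|permit) fail "access_provider is unset or permit: every AD user can log in" ;;
  esac
  [ "$(conf_get "$f" krb5_validate | tr 'A-Z' 'a-z')" = true ] ||
    fail "krb5_validate is not true: the TGT is not checked against the host keytab"
  return $rc
}

# Stand-alone demonstration.
tmp=$(mktemp -d)
write_hardened_conf "$tmp/sssd.conf.hardened"
write_weak_conf "$tmp/sssd.conf.weak"
check_sssd "$tmp/sssd.conf.hardened" && echo "hardened config: no findings"
check_sssd "$tmp/sssd.conf.weak" || echo "weak config rejected"
rm -rf "$tmp"
```

On a real host the hardened file goes to /etc/sssd/sssd.conf (mode 0600, owned by root), the PAM/NSS stack is pointed at sssd with the distribution's tool (authconfig --enablesssd --enablesssdauth --update on RHEL-family systems, pam-auth-update on Debian/Ubuntu), and `getent passwd <aduser>` followed by `kinit <aduser>` confirms identity and authentication work before the access rule is widened beyond a pilot group. The two settings worth defending against a quick "fix" are `ldap_tls_reqcert` (without `demand`, any host answering as the DC can feed the box fake group memberships) and `krb5_validate` (without it, a rogue KDC can issue a ticket the host will accept for login).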