Linux Workstations in a Windows Domain?
gsperling asks: "As Windows licensing costs are gradually increasing, and options for those licenses are decreasing, I am forced to investigate Windows alternatives. I am trying to begin rolling out Linux as an alternative desktop solution to my enterprise. I am an IT Manager for a company of approximately 65 users. We are incorporating a second company into ours in the next six months, and that 65 number will grow to well over 150. This is a solution that I need to start working on TODAY. We currently have a Windows 2000 Server. It is primarily used as a file and printer sharing server, along with maintaining all of the user accounts domain-wide. I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server. I have exhaustively Google'd, read thousands of mailing list archives, and have still come up short. After I receive my results, I plan on publishing a whitepaper on how this is done, of course giving credit where credit is due." For those of you using Linux in the Enterprise, how have you managed to get Windows to play nice with any Linux boxen in your domain?
It's sad to say, but what you're looking for is actually a Microsoft product.
http://www.microsoft.com/windows/sfu/default.asp
That will most likely take care of your problem. I highly recommend you wait for others to reply to see if there is a free alternative, but that's the easy way out.
The GeekNights podcast is going strong. Listen!
Ironically enough, I saw an ad for just such a Microsoft product yesterday right here on Slashdot on the top banner!
The Windows database doesn't contain all the information that a *nix system needs -- it doesn't know about shells or home directories, for example. (Well, it does know home directories, but they're different.) Even if there was a PAM module that would talk to it, I'm not sure where it would get this information from.
In your case, most people will set up a separate server for the *nix network, using NIS to share password information. Using PAM you can even set up the *nix box to change the password on the Windows network when it's changed locally.
Alas, it's easier to set up a Linux box as a domain server for a bunch of Windows boxes than it is to make the Windows box act as a NIS server for a Linux network ...
Waitaminute. That's it -- you just need a NIS server for the Windows box. Looks like our old friends Microsoft sells something that may do what you need. (Disclaimer: I've never used it, and probably never will.)
I suspect it (the software) will cost more than a dedicated Linux box NIS server (the hardware), but it may be easier to maintain and sell to management. Personally, I'd prefer the Linux NIS server, but then again, I'm not a Microsoft guy.
If it's Active Directory you mean, you'll have to do quite some digging in the /etc/pam.d/* and /etc/nsswitch.conf files and some black art configuration.
www.samba.org is still a good starting place. Also check out the MIT kerberos archives.
If it's a traditional windows domain, samba has all you need including docs. Keywords are the winbind daemon, and some configuration of http://www.samba.org/samba/docs/man/winbindd.8.html
Alex
Detailed instructions at the following: http://www.securityfocus.com/infocus/1563
I have often wondered if it was possible to set up a group of linux machines to all authenticate from a single server without actually having to log into that server. Sure, anyone can ssh to another server on their network, but how do you manage 200+ users in a linux setup without creating 200+ user accounts on EACH and every machine? Is it me or is this just a gaping (goatse dot cx sized) hole in the linux arena? If I'm off base and this is something that can be done with samba or any other tool, give me a clue.
thanks,
frank
I currently use a mixture of rsync in a cron daemon and winbind from samba.org. The two allow syncing remote users' accounts on workstations and authentication against the domain for the following services: ssh, ftp, telnet, pop3, kdm. Others can be added if they support pam. One that I have not gotten to work as of yet is cvs, but I'm working on it.
Redhat 9 is configured to allow authentication against a Windows Domain Controller right out of the box. It uses Samba to do this and I expect it's not too hard to configure samba on other Linux distros to do the same. I would question why you want to keep Windows on the servers. Just use Linux with CUPS for printing, NFS for file share, NIS for user management.
----
As with all MS software designed to aid interoperability, SFU is geared towards migrating users from another environment to Windows. It provides tools that allow communication, but they are specifically designed to not work well enough to be a long term solution.
Some people have had success using kerberos as a security system, allowing both Windows and linux systems to authenticate off of it. It means moving away from the AD user management, and I never got it to work right, but there is a fair amount of info out there about it.
I'm told that USC has used such a setup for a few years. Take a look at these.
I have misplaced my pants.
pam_smb:
pamsmb.sourceforge.net
pam_smb FAQ:
http://pamsmb.sourceforge.net/faq/pam_smb_faq.html
Features (v1 and v2):
Features (v2 only)
Samba 3.0 can talk to an Active Directory PDC, and using winbindd (for the NSS) along with pam_smb and kerberos (for authentication) and smbmount (for home directories) we can provide a full "Windows users on Linux" solution.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
When it comes to interoperability between Windows and *nix, the answer is usually Samba. For you, you need Winbind, which will authenticate against a Windows Domain's PDC, and can be hooked into PAM.
Browsing the docs is a very good idea. And, you can read The Official Samba-3 HOWTO and Reference Guide online. In particular, see Chapter 21. Winbind: Use of Domain Accounts.
Good luck.
This is just a question to the linux public; this may be just a little off topic but here we go anyway. I have karma to burn.
Why do so many linux guys ignore "best tool for the job" and just force linux into a solution? I mean it is clear that linux has very good uses, just as windows does. Yet I have watched time and time again someone force linux or solaris into a job that would have worked better as a windows machine.
Before you get on your high horse and scream that there is nothing that windows can do that linux can not do better, just save it. You're wrong, dead wrong. In an all windows shop running .net and nothing but microsoft on the workstations there is no good reason to try to force them to program on linux/apache. There is not a good reason to try to force them to use samba, and there is not a good reason for DNS to be run on Linux in that shop.
There are plenty of awesome reasons to use linux, but for Pete's sake you're shooting yourself in the collective foot when you try to force linux in. You end up having management hear "integration" issues... The linux DNS is not talking to the ADS correctly... the Syslog server is not responding... that damn linux... I could go on and on on this because someone forced linux into a shop that was all windows. Then did it poorly on top of that.
I guess what I am trying to say is that Linux is not always the answer. Sometimes, you have to pick the best tool for the job, and sometimes that is not linux. Pick your battles my friends, and put linux in where it will shine like a white knight if you're looking to change minds. Don't just take on every job with the idea that you're going to "make them use linux". Find that perfect high profile job that linux will shine at, not the problem child job that you know is going to have issues.
You want more linux in the shop? Start by putting it in the right place and follow up on it like you should. Don't just 1/2 ass force it.
Just my 2 bits...I may just be bitter cleaning up after 1/2 assed linux imps that have gone wrong this week.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
My home network is bigger (and more complex) than the one this guy is a "manager" for.
On further reflection, I am not sure whether I am more pathetic or the story submitter is more pathetic.
If you have total control of your NOC, I would personally start with your servers - move those PDCs and BDCs over to Linux using Samba. Do this slowly, using the "soft rollout" technique. Move a small portion of the workstations over to the Linux servers gradually. Once you get all of your windows desktops looking to linux to get files and for any ldap, you can then begin adding linux desktops without fear of conflict. I don't really see a point in moving all of your desktops over to linux and keeping windows servers - it will be cheaper to run linux on those. Usually most companies keep the windows desktops for users and switch over the servers to linux for cost / maintenance reasons.
Just my thoughts though - if you are entrenched by politics and upper management, this will be tough for you no matter what. Just try to make those you don't have control over understand the reasons for Linux, provide them with TCO reports from independent sources. (i.e. not from Redhat and MS)
And no, it's not cool to type it that way. What's next?
Wind00z licensing c0$ts are increasing. I wanna ch4ng3 to da Linuxx-side widout virii. W00t!
Grrr...
Best tool for the job is a mantra repeated in IT circles but that covers only the technical part of the problem.
Well, there are also economic aspects (Linux is cheaper), ethical aspects (some people dislike dealing with companies that break the law) and political aspects (wanting to use software that I can maintain according to my needs).
Some solutions may look the best from a technical point of view if you restrict your choices (i.e. what is the best choice to use as desktops in a Windows-only environment. Answer: duh!).
But if you consider a wider context, the "best tool for the job" is not necessarily the one advisable for your situation (i.e. what is the best desktop if I have a Windows environment and we don't want to pay $300/seat for licenses and we don't like to pay a convicted monopolist and we would like to be able to audit the code we are using). This may narrow your choices but at least you are considering your problem in the full context and not narrowing it to a technician's solution only.
IANAL but write like a drunk one.
Perhaps you should start with the server and convert that to Linux/BSD and Samba 3. It should handle file/print services for your Windoze users just fine.
I recently replaced our aging NT server with Linux/Samba and it's working fine. (The server's primary job is file storage for front-end unix/linux servers so the Linux choice was easy. Setting up Samba on it allowed it to replace our old NT machine for "free".)
Another benefit from switching to Samba - XP Home can log into it but it could not attach to our old NT domain. This saved us $$$ in Home->Pro "upgrade" costs on some new laptops.
Naturally, the Linux desktops have no trouble logging in, either.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
pam_ldap/pam_krb5 Authentication Against Active Directory?
ciao
david
1. To authenticate your Linux box logons against the windows domain, you need to do two things: (i) create an account on the linux box that has the SAME username as the windows domain account. Don't worry about making the password the same, just the username. (ii) run the command "authconfig" from a Linux shell. Go to the section to configure SMB authentication. Enable it and put in your domain controller IP address(es). Now when you log on, the Linux box will use the windows domain controller to authenticate your password. There may be a way to do this without a local user profile on the linux box, but I don't know of it. It is still using the local profile, just verifying the password using SMB authentication back to the windows domain. 2. Shouldn't change at all in AD. We have the exact same setup in a win2k AD domain and it works just fine.
Oh, and Vintela happens to be a Canopy Group company, for what that's worth.
OP: This is just a thought, and I may be totally off base here, but it sounds to me like you have several (many) years of supporting a Windows network and Windows desktop clients, and zero experience supporting Linux either at the server or desktop level (in a work environment).
If you are the only guy supporting 65 users in a professional shop and you are going to be expected to support 150 users by yourself, you are going to need to be 100% on your game - that means supporting what you know. Yes, adding 85 seats of Windows (XP Pro with Office 2003) is going to be expensive, plus CALs for your server - but the minute you need to hire a second guy for the IT department because you simply can't handle it the costs go up dramatically - $60,000 a year ($40,000 a year plus overhead for a new guy) for the next three years will buy a LOT of standardization in your shop.
What do I recommend? Standardize on one desktop OS, one Office suite, one exactly identical desktop computer (same make, model, configuration, hardware, everything!), one, two or three identical servers that use identical parts to each other, and off the shelf hardware for routers, switches, etc - all the same brand. You can get half a dozen spare desktops for hot-swapping parts (or the entire machine) out when something craters, and because everything is the same your updates and maintenance can be done using images. With new hardware you can even get 3 year on-site maintenance agreements, meaning you get an extra set of hands whenever something is broken - this is a little pricey though, but worth considering if uptime at the desktop level is not optional.
You can go the Franken-system approach, building each machine by hand using the best or cheapest parts available on a case by case basis, using whatever OS and office suite is cheapest or available, but in approximately one year your system maintenance is going to be a freak show and you are going to need to hire a new guy to help out anyways ... and the money you could have spent on standardizing the shop will seem tiny in comparison.
Glonoinha the MebiByte Slayer
Linux on windows domain works just fine, vice versa. It's easy to setup.
Read a freakin How-To for crying out loud...
Recently, during a chat with my techie wife, it became apparent that Linux may be making headway on the desktop, if only because MS's licensing issues are so overwhelming.
It follows that it may not MATTER whether Linux is "ready for the desktop," as the alternative is cost prohibitive and legally tenuous by comparison.
Not that I'm incredibly thrilled about either side of the argument here, but it is interesting.
ceci n'est pas un sig.
Because, like 99% of Windows "admins," Linux is all they know, probably.
Or possibly:
a. reliability
b. performance
c. customizability
d. price
e. zealotry
f. principle
g. liability
All valid reasons, sans 'e', IMHO.
I think the more interesting question is, "Why do Windows admins waste so much money on Windows licensing when there are other solutions that are often more reliable?"
The answer is, of course, "Because Windows is all they know."
Sticking feathers up your butt does not make you a chicken - Tyler Durden
My advice on this is very simple: use redhat/fedora, or another (mandrake perhaps) system that has authconfig. You can go the AD4Unix route -- which works nicely -- but that project seems abandoned. I've tried to contact the authors of projects related to it, but authconfig just works (pam_smb) and it takes all of ten seconds.
authconfig --enablesmbauth
authconfig --smbworkgroup=<workgroup>
authconfig --smbservers=<server>
You will need to have the users existing on your linux boxes:
/etc/passwd:
skippy:x:500:10::/home/skippy:/bin/bash
/etc/shadow:
skippy:!!:12410:0:99999:7:::
Note the '!!' -- you will need those.
Newer versions of other distros may be as easy via other means, I know that suse (which would be my choice if using it for a desktop system) does not provide configuration via yast in 8.2, but according to the grapevine it does in 9.
RandomAndInteresting.comdefending the world from stupidity since 1979
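The posts above wire a Linux box to the domain in three places: winbind in /etc/nsswitch.conf, a domain-aware module in the /etc/pam.d/* auth stack, and local /etc/shadow entries that stay locked with '!!' so the domain controller is the only thing that can accept a password. As an added example (not code from the thread or from Samba), this POSIX shell script audits constructed copies of those three files for the misconfigurations that would let a purely local password bypass the domain; the file contents and user names are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: audit the three places a
# Linux workstation is wired to a Windows domain with winbind/pam_smb.
#   1. nsswitch.conf must resolve passwd and group through winbind (NSS).
#   2. the PAM service file must authenticate through a domain-aware module.
#   3. local shadow entries kept for domain users must stay locked ('!!').
# Every path is passed in, so the checks run against the constructed samples below.

# Return 0 when both the passwd and group databases consult winbind.
# Commented-out lines and a 'winbind' that follows a '#' do not count.
nss_uses_winbind() {
    nss_file=$1
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:([^#]*[[:space:]])?winbind([[:space:]]|\$)" \
            "$nss_file" || return 1
    done
    return 0
}

# Return 0 when an active 'auth' line loads a domain-aware PAM module
# (pam_smb installs pam_smb_auth.so; pam_krb5 covers the Kerberos route).
pam_uses_domain_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_(winbind|smb_auth|krb5)\.so' "$1"
}

# Print each listed domain user whose local shadow entry could authenticate on
# its own: an empty field (no password needed) or a real hash. Fields starting
# with '!' or '*' are locked and fine; users with no local entry are skipped.
unlocked_domain_users() {
    shadow_file=$1; shift
    for user in "$@"; do
        entry=$(grep "^${user}:" "$shadow_file") || continue
        field=${entry#*:}        # drop the user name
        field=${field%%:*}       # keep only the password field
        case $field in
            '!'* | '*') ;;
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# Run all three checks; return 0 only when nothing is wrong.
audit_workstation() {
    nss=$1 pam=$2 shadow=$3; shift 3
    rc=0
    nss_uses_winbind "$nss" || { echo "FAIL: $nss does not use winbind for passwd/group"; rc=1; }
    pam_uses_domain_auth "$pam" || { echo "FAIL: $pam has no domain-aware auth line"; rc=1; }
    for u in $(unlocked_domain_users "$shadow" "$@"); do
        echo "FAIL: $u has a usable local password in $shadow"; rc=1
    done
    return $rc
}

# Constructed sample files (not captured from any real system).
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
EOF
cat >"$SAMPLE_DIR/nsswitch.bad" <<'EOF'
passwd:     files      # winbind
group:      files
EOF
cat >"$SAMPLE_DIR/pam.login" <<'EOF'
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass
account    required     pam_unix.so
EOF
cat >"$SAMPLE_DIR/shadow" <<'EOF'
skippy:!!:12410:0:99999:7:::
alice:$6$constructedsalt$constructedhash:12410:0:99999:7:::
bob::12410:0:99999:7:::
EOF

if audit_workstation "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/pam.login" "$SAMPLE_DIR/shadow" skippy alice bob; then
    echo "audit passed"
else
    echo "audit found problems (expected for alice and bob in the sample)"
fi
```

Only skippy follows the '!!' advice in the sample; alice keeps a real hash and bob has an empty password field, so both are reported.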
Consider using eDirectory by Novell -- this is an LDAP solution that would work with BOTH Winblows and non-Winblows architectures (and their environments). eDirectory works under Winblows, UNIX (Slowaris, HP-UX, BSD, et al.), Linux (Red Hat and generic), Novell (of course, since it's a Novell product) and (blech, pew) Microschloft's Winblows 2000. If not, consider getting OpenLDAP and/or Netscrape's Directory Services (which works under Linux as well... go to downloads.netscape.com). Something to consider -- good luck! -r
For him, installing a single linux machine into the existing windows network may be the first step. Next may be to offload printing to ease the load on the windows server and the balance sheet. One small step at a time.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I want to take a moment and personally thank everybody for posting their version of how I should attack this particular problem. I also want to address some of the unknowns that were brought up in various replies to this post:
My purpose for posting was to get opinions from Slashdot at large. I'm not expecting tech support, or a step-by-step "this is how you do it, let me hold your hand." Just as my original post said, I wasn't sure where to start, and I did do some pretty extensive Googling before I posted to Ask Slashdot. I do intend, however, on publishing some form of written prose with my findings, possibly in a 'hand-holding' style document for others who wish to do the same thing. I can't be the first person to have ever wanted to do this, and I certainly won't be the last.
I kinda like 'boxen' -- Note, however, that I didn't make the boxen comment on my original post. The story poster (Cliff) did. What I typed was actually in italics.
I do have total control of my NOC. I report to the VP of IT, but he basically leaves most stuff up to me, and we both discuss changes together. The company purchased an HP DL360 1U about three months before I started with the company, and migrated to Windows 2000 Server from NT 4.0 Server. It would not be a financially sound decision to get rid of the Windows 2000 server in its first six months of life. My intent, at present, is not to rid the enterprise of Windows clients, we're actually just finishing migrating the Windows 98 machines to Windows 2000 Professional machines. The actual intent for the Linux client project is for accessing our business application (hosted on an HP 9000 box), accessing an Approach Database (through Wine), and authenticating to the Windows 2000 Domain, (hence this post). At the present time, plans for the Linux boxen do not include OpenOffice.org, although there might be plans for it in the future.
I'm glad to hear that somebody has a home network consisting of more than 65 computers. I'd hate to be paying his electric bill! That, my friends, is certainly pathetic! =) My home network consists of my Internet Service Provider business (6 servers) and somewhere between 12 and 16 client machines, depending on what day of the week it is.
I agree about using the 'best tool for the job.' I am, self admittedly, a Linux Zealot. I have been for years, and will continue to be. (I'm actually considering getting a Tux tattoo! Does anybody else have 'em?) However, I am not going to jeopardize my company's enterprise by randomly assembling machines that serve no real purpose, or those which will never be used because their intended audience does not understand them. I'm simply 'alpha testing' utilizing Linux as a desktop solution. If it doesn't work, then the project is scrapped. Regardless, I will continue to use Linux for all of my personal stuff, including my ISP business, I will continue to attend local LUG meetings and support OSS.
I would love nothing more than to come in on a Friday night, shut off all of the Windows machines and install Linux desktops in their place. I'd love to format the 36GB drives on our DL360 and put my favorite distro in place of Windows 2000 Server. Unfortunately, it will not be happening any time soon. It's not a good business decision, especially since our organization is an established Windows house. However, if I can phase out the old WFW3.11 and Win95 machines (Yes, we still have them!) with Linux machines, then I will be ahead of the game by light years.
Thanks again to all who provided links and advice. I'll keep reading and taking notes.
Cheers,
Gregg
We did a fair bit of work on this issue for the Department of Veterans Affairs here in Australia, using winbind/samba. All the kinks are pretty much out of the system now, and are codified in a document called the 'security configuration guide'.
Email me via our contact page - www dot intersectalliance dot com, and I'll bounce you the contact details for the current DVA security manager - he'd probably be willing to send you a (sanitised) copy of the config guide, which may help you out.
Red.
What's the deal?
You can customize libnss_ldap to look up in an Active Directory (via MSSFU).
pam_krb5 does the authentication stuff.
I think that's the most native binding that you can get.
There are only 10 types of people in the world: Those who understand binary and those who don't.
> I am trying to begin rolling out Linux as an alternative desktop solution
> to my enterprise. [...] This is a solution that I need to start working
> on TODAY. We currently have a Windows 2000 Server.
If you're using Windows on the server, you probably don't have the Linux experience needed to manage Linux on 150 desktops. Seriously. (Unless there is something you're not telling us about your experience... have you used Linux yourself?) Do you really want to hire somebody else to do your Linux stuff? It'll be cheaper for the company and look better on your resume (i.e., everybody wins) if you do it yourself, but do you have the experience to do it all, right away? Maybe you should start out gradually and get your feet wet?
Linux on the server is just a matter of installing once, configuring once, and then glancing over the slashdot headlines once a day to make sure there isn't any big security issue and, when there is, installing the update. It's easy, because Linux was made to be like Unix, which was made for a server/network environment, and because there are no user training issues.
Linux on the desktop also can work, but more familiarity is needed IMO on the part of the IT staff. The internet community can help, but 150 is a lot of desktops if you don't have some real experience yourself already. Imagine if you had tried to manage 150 Win95 desktops when all you'd used yourself was DOS and Windows 3. You'd be totally clueless about how to stop some app from running all the time at startup out of the Run registry keys, for example -- a very common thing. Going from Windows to Linux will present similar challenges. A lot of them are under-the-hood things that the end user doesn't need to know about, but *somebody* needs to know about them, and that somebody is you, if you're the IT department. Quick, off the top of your head, how do you get the scrolling features of a wheelmouse to work in XFree? (This is easy, but unless there's something you're not telling us about your experience you won't know.)
I recommend starting with one or two Linux desktops in the IT department and a server. (It doesn't have to be your main server at first; get a cheap used PC off ebay for $100 and see what you can make it do.) When you are comfortable with Linux (three months to three years, depending on your personality and learning pace), then start rolling it out to more systems.
If you have in fact been using Linux for a while and just failed to mention it, then by all means, ignore the above and go forward with your project. I just didn't see anything in your post to indicate that, and when you mentioned a Win2000 server, I figured the server would've logically been the *first* thing you switched away from Windows, so that probably meant you'd not used Linux at all up till now...
Cut that out, or I will ship you to Norilsk in a box.
I use the lone Linux workstation in a sea of Windows. I have managed to convince the powers that be to allow me to set up Linux servers for specialized purposes (IDS, SpamAssassin, etc.) but for the rest it's all Windoze.
I'm using Samba for NTLM authentication and it's quite easy. The only manual setup is creating a file that contains my NTLM username, password, and domain name, and changing it each time I'm forced to change my NT password. Beyond that, I can easily mount network drives, print, etc.
However, this will work fine while we keep our Win2K network in mixed mode. I'm a little worried about what will happen when we flip to native mode. When Samba 3.0 came out I installed it and after a bit of work I was able to get Kerberos/AD authentication to function. Unfortunately, smbmount still doesn't support this method except on Samba servers.
If you get this part of the puzzle working let us know!
As the old adage goes:
To assume is to make an "ass" of "u" and "me".
http://www.linuxinsider.com/perl/story/32452.html
A Linux network might take a tad longer for a Windows junkie such as yourself to set up, but long term it is far better if you can set it up correctly.