Slashdot Mirror


Linux Workstations in a Windows Domain?

gsperling asks: "As Windows licensing costs are gradually increasing, and options for those licenses are decreasing, I am forced to investigate Windows alternatives. I am trying to begin rolling out Linux as an alternative desktop solution to my enterprise. I am an IT Manager for a company of approximately 65 users. We are incorporating a second company into ours in the next six months, and that 65 number will grow to well over 150. This is a solution that I need to start working on TODAY. We currently have a Windows 2000 Server. It is primarily used as a file and printer sharing server, along with maintaining all of the user accounts domain-wide. I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server. I have exhaustively Google'd, read thousands of mailing list archives, and have still come up short. After I receive my results, I plan on publishing a whitepaper on how this is done, of course giving credit where credit is due." For those of you using Linux in the Enterprise, how have you managed to get Windows to play nice with any Linux boxen in your domain?

13 of 78 comments

  1. Sad to say by Apreche · · Score: 2, Informative

    It's sad to say, but what you're looking for is actually a Microsoft product.

    http://www.microsoft.com/windows/sfu/default.asp

    That will most likely take care of your problem. I highly recommend you wait for others to reply to see if there is a free alternative, but that's the easy way out.

    --
    The GeekNights podcast is going strong. Listen!
  2. Not too hard ... by dougmc · · Score: 3, Informative
    I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server.
    When you say `user database', are you referring to the Windows domain, or something like LDAP? I suspect it's the former ...

    The Windows database doesn't contain all the information that a *nix system needs -- it doesn't know about shells or home directories, for example. (Well, it does know home directories, but they're different.) Even if there was a PAM module that would talk to it, I'm not sure where it would get this information from.

    In your case, most people will set up a separate server for the *nix network, using NIS to share password information. Using PAM you can even set up the *nix box to change the password on the Windows network when it's changed locally.

    Alas, it's easier to set up a Linux box as a domain server for a bunch of Windows boxes than it is to make the Windows box act as a NIS server for a Linux network ...

    Waitaminute. That's it -- you just need a NIS server for the Windows box. Looks like our old friends Microsoft sells something that may do what you need. (Disclaimer: I've never used it, and probably never will.)

    I suspect it (the software) will cost more than a dedicated Linux box NIS server (the hardware), but it may be easier to maintain and sell to management. Personally, I'd prefer the Linux NIS server, but then again, I'm not a Microsoft guy.

  3. part of samba can do this for you, by Alex · · Score: 4, Informative

    http://www.samba.org/samba/docs/man/winbindd.8.html

    Alex

  4. Google Is Your Friend by Anonymous Coward · · Score: 5, Informative

    Detailed instructions at the following: http://www.securityfocus.com/infocus/1563

  5. Re:not just against a windows domain by noselasd · · Score: 2, Informative

    Well, there is somewhat of a hole in bringing various things together, there are however many such things on linux. NIS is one. LDAP another common one, often used together with kerberos. It's perfectly doable, as I have a small network here using ldap for storing user information and kerberos for authentication and single sign-on of services. Works amazingly well. http://www.bayour.com/LDAPv3-HOWTO.html provides a rather extensive howto. It's for debian, using RedHat/Fedora I found the patching and building from source unneeded.

  6. Re:not just against a windows domain by sdirector · · Score: 2, Informative

    You can use mysql or ldap as a user information source and log people in against that without an 'actual' account on each machine. If you really want to get exciting, you can do the same with Kerberos and Hesiod. You can also use NFS or (my preference) AFS to hold the user directories so they actually have home dirs. MIT has been doing it since the 80's with their Athena Project... I keep wondering why Windows has such an issue with single sign on.

  7. Samba by barcodez · · Score: 2, Informative

    Redhat 9 is configured to allow authentication against a Windows Domain Controller right out of the box. It uses Samba to do this and I expect it's not too hard to configure samba on other Linux distros to do the same. I would question why you want to keep Windows on the servers. Just use Linux with CUPS for printing, NFS for file share, NIS for user management.

  8. pam_smb by hab136 · · Score: 3, Informative
    pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server.

    pam_smb:
    pamsmb.sourceforge.net

    pam_smb FAQ:
    http://pamsmb.sourceforge.net/faq/pam_smb_faq.html

    Features (v1 and v2):

    • Authenticates Linux users against SMB servers in user mode(95, NT, samba etc). Will not authenticate against share level systems.
    • Supported OSes: Linux (any PAM supporting distro), Solaris 2.6 or greater.
    • Supports NT/Lanman encrypted passwords.
    • Any service which uses PAM can authenticate against NT.
    • Can setup to ignore lack of a local password entry when something else provides the users information such as RADIUS.

    Features (v2 only)
    • HP/UX 11 and FreeBSD 4.8 or 5.1 support.
    • Caching support.
    • Username mapping of Unix usernames to NT usernames.
  9. This should get you started. by Ayanami+Rei · · Score: 2, Informative

    Samba 3.0 can talk to an Active Directory PDC and using winbindd (for the NSS) along with pam_smb and kerberos (for authentication) and smbmount (for home directories) we can provide a full windows users on linux solution.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  10. Samba - Winbind by jtosburn · · Score: 3, Informative

    When it comes to interoperability between Windows and *nix, the answer is usually Samba. For you, you need Winbind, which will authenticate against a Windows Domain's PDC, and can be hooked into PAM.

    Browsing the docs is a very good idea. And, you can read The Official Samba-3 HOWTO and Reference Guide online. In particular, see Chapter 21. Winbind: Use of Domain Accounts.

    Good luck.
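
Added example, not part of the thread or any poster's code: a shell check of the three files that hook winbind into a workstation, covering the gap raised in comment 2 (the domain stores no Unix shell, so winbind takes it from `template shell`, which Samba defaults to `/bin/false`). The function names, the pam.d-style file layout and the sample file contents are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the three files that wire winbind into a workstation.

# smb_param FILE KEY: print the last value set for KEY in an smb.conf-style file.
smb_param() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        { k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v } }
        END { print val }' "$1"
}

# check_winbind SMBCONF NSSWITCH PAMFILE: print findings, return their count.
check_winbind() {
    local smb="$1" nss="$2" pam="$3" n=0 sec shell db
    sec=$(smb_param "$smb" security | tr 'A-Z' 'a-z')
    case "$sec" in
        domain|ads) ;;
        *) echo "smb.conf: security='${sec:-unset}', expected domain or ads"; n=$((n+1)) ;;
    esac
    # The domain stores no Unix shell; winbind fills it from "template shell".
    shell=$(smb_param "$smb" "template shell")
    case "$shell" in
        ""|/bin/false|*/nologin)
            echo "smb.conf: template shell '${shell:-unset}' blocks interactive login"; n=$((n+1)) ;;
    esac
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|\$)" "$nss" ||
            { echo "nsswitch.conf: ${db} does not consult winbind"; n=$((n+1)); }
    done
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$pam" ||
        { echo "pam: no auth line calls pam_winbind.so"; n=$((n+1)); }
    return "$n"
}

# Constructed sample files (not from the thread): group lookup and shell are missing.
make_sample() {
    local d; d=$(mktemp -d)
    printf '[global]\n  workgroup = EXAMPLE\n  security = domain\n' > "$d/smb.conf"
    printf 'passwd: files winbind\ngroup:  files\n' > "$d/nsswitch.conf"
    printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so\n' > "$d/pam"
    echo "$d"
}

d=$(make_sample)
check_winbind "$d/smb.conf" "$d/nsswitch.conf" "$d/pam" || echo "$? finding(s)"
rm -rf "$d"
```

Run it against copies of `/etc/samba/smb.conf`, `/etc/nsswitch.conf` and the relevant `/etc/pam.d/` service file; a return value of 0 means all four checks passed.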

  11. [OT] boxen by Cpyder · · Score: 0, Informative
    not to troll, but it's box, boxes, not boxen

    And no, it's not cool to type it that way. What's next?

    Wind00z licensing c0$ts are increasing. I wanna ch4ng3 to da Linuxx-side widout virii. W00t!

    Grrr...

    1. Re:[OT] boxen by Just+Some+Guy · · Score: 3, Informative
      From Jargon File (4.3.0, 30 APR 2001) [jargon]:

      boxen /bok'sn/ pl.n. [very common; by analogy with {VAXen}] Fanciful plural of {box} often encountered in the phrase `Unix boxen', used to describe commodity {{Unix}} hardware. The connotation is that any two Unix boxen are interchangeable.

      Choose to use it or not, but it's an accepted jargon term and has been for a long time.

      --
      Dewey, what part of this looks like authorities should be involved?
  12. Re:Interesting.... by Phillup · · Score: 2, Informative

    If I were to try and implement the Windows solution... it would take me a long time. Possibly even days.

    I don't do Windows... so, I'd have to fight a learning curve... and a trust curve, to implement it.

    I do Linux.

    I can implement a Samba domain in less than 30 minutes (including OS install). It is easy for me... because that is what I do.

    I *used* to do Windows, but I got tired of having to *redo* Windows. It just quit working a lot... for reasons unknown.

    Anyway... TCO can't be determined properly without looking at the skills of the people implementing the solutions.

    And... the reason people around here push linux solutions may have something to do with their skills. You push what you know.

    --

    --Phillip

    Can you say BIRTH TAX