Slashdot Mirror


Linux Workstations in a Windows Domain?

gsperling asks: "As Windows licensing costs are gradually increasing, and options for those licenses are decreasing, I am forced to investigate Windows alternatives. I am trying to begin rolling out Linux as an alternative desktop solution to my enterprise. I am an IT Manager for a company of approximately 65 users. We are incorporating a second company into ours in the next six months, and that 65 number will grow to well over 150. This is a solution that I need to start working on TODAY. We currently have a Windows 2000 Server. It is primarily used as a file and printer sharing server, along with maintaining all of the user accounts domain-wide. I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server. I have exhaustively Google'd, read thousands of mailing list archives, and have still come up short. After I receive my results, I plan on publishing a whitepaper on how this is done, of course giving credit where credit is due." For those of you using Linux in the Enterprise, how have you managed to get Windows to play nice with any Linux boxen in your domain?

10 of 78 comments

  1. Not too hard ... by dougmc · · Score: 3, Informative
    I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server.
    When you say `user database', are you referring to the Windows domain, or something like LDAP? I suspect it's the former ...

    The Windows database doesn't contain all the information that a *nix system needs -- it doesn't know about shells or home directories, for example. (Well, it does know home directories, but they're different.) Even if there was a PAM module that would talk to it, I'm not sure where it would get this information from.

    In your case, most people will set up a separate server for the *nix network, using NIS to share password information. Using PAM you can even set up the *nix box to change the password on the Windows network when it's changed locally.

    Alas, it's easier to set up a Linux box as a domain server for a bunch of Windows boxes than it is to make the Windows box act as a NIS server for a Linux network ...

    Waitaminute. That's it -- you just need a NIS server for the Windows box. Looks like our old friends Microsoft sells something that may do what you need. (Disclaimer: I've never used it, and probably never will.)

    I suspect it (the software) will cost more than a dedicated Linux box NIS server (the hardware), but it may be easier to maintain and sell to management. Personally, I'd prefer the Linux NIS server, but then again, I'm not a Microsoft guy.

  2. part of samba can do this for you, by Alex · · Score: 4, Informative

    http://www.samba.org/samba/docs/man/winbindd.8.html

    Alex

  3. Google Is Your Friend by Anonymous Coward · · Score: 5, Informative

    Detailed instructions at the following: http://www.securityfocus.com/infocus/1563

  4. pam_smb by hab136 · · Score: 3, Informative
    pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server.

    pam_smb:
    pamsmb.sourceforge.net

    pam_smb FAQ:
    http://pamsmb.sourceforge.net/faq/pam_smb_faq.html

    Features (v1 and v2):

    • Authenticates Linux users against SMB servers in user mode (95, NT, Samba, etc.). Will not authenticate against share level systems.
    • Supported OSes: Linux (any PAM supporting distro), Solaris 2.6 or greater.
    • Supports NT/Lanman encrypted passwords.
    • Any service which uses PAM can authenticate against NT.
    • Can be set up to ignore lack of a local password entry when something else provides the user's information, such as RADIUS.

    Features (v2 only)
    • HP/UX 11 and FreeBSD 4.8 or 5.1 support.
    • Caching support.
    • Username mapping of Unix usernames to NT usernames.
  5. Samba - Winbind by jtosburn · · Score: 3, Informative

    When it comes to interoperability between Windows and *nix, the answer is usually Samba. For you, you need Winbind, which will authenticate against a Windows Domain's PDC, and can be hooked into PAM.

    Browsing the docs is a very good idea. And, you can read The Official Samba-3 HOWTO and Reference Guide online. In particular, see Chapter 21. Winbind: Use of Domain Accounts.

    Good luck.
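
The winbind setup that comments 2 and 5 point to, as an added example that is not part of the original thread or taken from the Samba documentation: a minimal configuration that also supplies the shell and home directory which comment 1 notes the Windows database lacks. The domain name EXAMPLEDOM, the ID range and the file paths are assumptions.

```ini
# /etc/samba/smb.conf (constructed example; EXAMPLEDOM is a placeholder domain name)
[global]
    workgroup = EXAMPLEDOM
    # NT4-style domain membership, i.e. authenticating against the domain's PDC.
    # An Active Directory domain would use "security = ads" plus "realm" instead.
    security = domain

    # Windows accounts carry no Unix UID/GID: winbindd allocates them from this
    # range. Keep it clear of the IDs used by local accounts. Samba 3.0-era
    # releases spelled this "idmap uid" / "idmap gid".
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000

    # Windows accounts carry no Unix shell or home directory either:
    # every domain user gets these values (%D = domain, %U = user name).
    template shell = /bin/bash
    template homedir = /home/%D/%U

    # Let users log in as "alice" rather than "EXAMPLEDOM\alice".
    winbind use default domain = yes

# /etc/nsswitch.conf: resolve users and groups locally first, then via winbindd
#   passwd: files winbind
#   group:  files winbind

# PAM stack (file name varies by distribution), placed ahead of the existing
# pam_unix.so lines so local accounts such as root keep working:
#   auth     sufficient  pam_winbind.so
#   account  sufficient  pam_winbind.so
#   session  required    pam_mkhomedir.so skel=/etc/skel umask=0022

# Join and verify, as root:
#   net rpc join -U Administrator   # create the machine account in the domain
#   wbinfo -t                       # check the machine trust secret
#   getent passwd alice             # a domain user should resolve with UID, home and shell
```

pam_mkhomedir.so creates the home directory at first login, since no directory under /home/EXAMPLEDOM exists until a domain user signs in.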

  6. Interesting.... by Neck_of_the_Woods · · Score: 4, Insightful

    This is just a question to the linux public, this may be just a little off topic but here we go anyway. I have karma to burn.

    Why do so many linux guys ignore "best tool for the job" and just force linux into a solution? I mean it is clear that linux has very good uses, just as windows does. Yet I have watched time and time again someone force linux or solaris into a job that would have worked better as a windows machine.

    Before you get on your high horse and scream that there is nothing that windows can do that linux can not do better just save it. You're wrong, dead wrong. In an all windows shop running .net and nothing but microsoft on the workstations there is no good reason to try to force them to program on linux/apache. There is not a good reason to try to force them to use samba, and there is not a good reason for DNS to be run on Linux in that shop.

    There are plenty of awesome reasons to use linux, but for Pete's sake you're shooting yourself in the collective foot when you try to force linux in. You end up having management hear "integration" issues...The linux DNS is not talking to the ADS correctly....the Syslog server is not responding....that damn linux.....I could go on and on on this because someone forced linux into a shop that was all windows. Then did it poorly on top of that.

    I guess what I am trying to say is that Linux is not always the answer. Sometimes, you have to pick the best tool for the job, and sometimes that is not linux. Pick your battles my friends, and put linux in where it will shine like a white knight if you're looking to change minds. Don't just take on every job with the idea that you're going to "make them use linux". Find that perfect high profile job that linux will shine at, not the problem child job that you know is going to have issues.

    You want more linux in the shop? Start by putting it in the right place and follow up on it like you should. Don't just 1/2 ass force it.

    Just my 2 bits...I may just be bitter cleaning up after 1/2 assed linux imps that have gone wrong this week.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
    1. Re:Interesting.... by Johnny Mnemonic · · Score: 3, Insightful


      Why do so many linux guys ignore "best tool for the job" and just force linux into a solution?

      Because he has zero dollars to implement a solution, and not only does Microsoft cost more than Linux, it costs more than it used to--the cost to use Microsoft keeps increasing. So while I'll agree that Linux is not an end-all be-all, if you don't have any money to spend it's really the only solution available.

      --
      $tar -xvf .sig.tar
    2. Re:Interesting.... by mabhatter654 · · Score: 3, Insightful
      But the deal is trying to get out of the huge payments that he'll be making for a brand new MS AD Server + CALS for 150 users! For a small company, he's looking at probably $10k to get everything together for the MS solution [plus the actual PCs for users!]...when it's all stuff that's "free" in a standard Debian install!

      Having been in exactly this same situation, the only answer for a small business [trying to make a profit and stay OPEN!] nowadays is to look at a linux solution. But he probably needs to pull out the whole windows framework and replace it with Linux...and put the windows back as a add-on to the network.

      While MS has some great solutions, their licensing policies are way out of line, especially for a small business like he's describing...you're better off buying boxed copies at CompUSA than dealing with MS licensing 6.0...and who knows when MS will get "tired" of that and pump you for more cash? It's not a risk that small business can afford to take anymore. Uncertainty of fees is a HUGE deal although only recently have IT managers been trying to get license fees under control before their managers fire them for being stupid for 10 years!

    3. Re:Interesting.... by Neck_of_the_Woods · · Score: 4, Insightful

      I agree, if you have no other solution besides "free" you have a winner in linux.

      I was not really pointing at this story. As his needs and resources are the driving force here. If money is a major issue in the project then of course you are going with "the best tool for the job" in picking linux. Unless linux in the long run will cost you more man hours to support, eclipsing your savings on the free OS. This happens every day, I know because I see it.

      The "best tool for the job" of course has to take money into consideration. But if you save 200 bucks on the OS, but then spend 10 hours trying to make it work with a windows domain what good has it done you? Unless management has no concept of TOS (total cost of ownership) this is a losing battle. I will agree that most everything you do on Windows will cost you, but does it cost so much to get "ease of use", that you will to support it with your man hours?

      I guess if your time is worth nothing, then linux will always be the solution.

      --
      Neck_of_the_Woods
      #/usr/local/surf/glassy/overhead
  7. Re:[OT] boxen by Just Some Guy · · Score: 3, Informative
    From Jargon File (4.3.0, 30 APR 2001) [jargon]:

    boxen /bok'sn/ pl.n. [very common; by analogy with {VAXen}] Fanciful plural of {box} often encountered in the phrase `Unix boxen', used to describe commodity {{Unix}} hardware. The connotation is that any two Unix boxen are interchangeable.

    Choose to use it or not, but it's an accepted jargon term and has been for a long time.

    --
    Dewey, what part of this looks like authorities should be involved?