
Integrating Linux into a Windows Network?

Di0medies asks: "I work for a somewhat small non-profit organization that uses a Windows-based network. We currently have 6 servers supporting about 25 local domain users and about 25 remote users and we're planning on migrating from Server 2000 to Server 2003 in a month or so. Being a non-profit, we're always a little tight on cash and considering Microsoft charges ungodly amounts of money for server software, migrating portions of the network to Linux leaves more cash available for other IT goodies (like a new high-capacity file server!) and also adds more stability and security to the network. All of this depends on how well a Linux server will work on a Windows network. Does anyone have any suggestions regarding Linux integration? Can Windows and Linux be made to play well together? Is there anything out there to add limited Active Directory support to Linux?"
  • One word (Score:4, Informative)

    by Fished ( 574624 ) on Monday December 27, 2004 @06:51PM (#11195071)
    The word is "samba." Samba will more or less allow a Linux server to fully integrate into a Windows network. I would suggest that, if you are a Linux novice, you leave domain control on Windows and just use Linux as a workhorse. Time enough to move everything to Linux when you're more comfortable with Linux.
  • by Padrino121 ( 320846 ) on Monday December 27, 2004 @06:54PM (#11195086)
    I've done similar things in the past and currently I run my print and file servers on Linux quite seamlessly. All of the Windows admins and users don't know any different.

    Samba + PAM + CUPS gives you integrated authentication, SMB/CIFS file serving (Windows file sharing protocol), as well as SMB and IPP printing.

    I don't know of any tutorials off the top of my head but Google gave me all I needed to figure it out.
  • AD integration (Score:3, Informative)

    by tfiedler ( 732589 ) on Monday December 27, 2004 @07:13PM (#11195212)
    We use Vintela's VAS authentication product for active directory integration, and although it isn't free, it is by far the easiest thing to configure. You can completely manage user accounts from within the Users and Computers administrative tool with it and installation of the software can be as easy as an rpm command.

    I know there are lots of free software bigots on this site and you can find lots of sites purporting to have easy configuration instructions for kerberos/AD set up, but I don't care. This product works, period. And it does it in an easy manner and it does it flawlessly, at least in our environment, which is a true 24x7 environment where uptime and accessibility matters -- a hospital.

  • by BrynM ( 217883 ) on Monday December 27, 2004 @07:19PM (#11195256)
    Seriously? Just tell the poster to go to Samba and leave space for more interesting questions.
    I'm going to give the guy a break instead of bonking the noob on the nose for asking. Let's gather from his question that he needs to make a case to a PHB (Pointy Haired Bastard - see Dilbert) and needs to know how the heck he'll install and support Samba without knowing what it is in the first place:
    • An explanation [samba.org] of Samba
    • A Google search [google.com] for Samba consultants
    • Some companies [samba.org] that sell Samba support
    • Another Google search [google.com] for problems with Samba and Windows Server 2003 - to know what may lie ahead
    • And of course the classic Samba HowTo [samba.org] with another Google search [google.com] concerning install problems
    Do I have a theme here? Yes. Am I doing a little hand-holding? Yes. Is it good for my spiritual geek karma? Yes. Am I having a Rumsfeld style self interview? Yes. Am I done now? Absolutely.
  • Licenses (Score:2, Informative)

    by tenchima ( 625569 ) on Monday December 27, 2004 @07:40PM (#11195459)
    One thing we found when moving from 2000 to 2003 servers is that the terminal server licensing is not free. On a 2000 server each server had an unlimited TS License. On 2003, you have to purchase them. One extra cost to beware of.
  • by jotaeleemeese ( 303437 ) on Monday December 27, 2004 @09:02PM (#11196066)
    And thus the answers you will get will be equally useless (crap in-crap out model....).

    If you are more specific about what your servers are currently doing I am pretty sure people will help you out.

    Now, for basic services:

    - File server and print server: Samba.
    - Authentication servers: I believe Samba can act as a domain controller.
    - DNS server: bind running in Linux.
    - Web server: Apache.
    - Database servers: MySQL.
    - Backup server: Amanda.
    - email: sendmail, postfix....

    So, exactly which services are you aiming to provide???
  • by imsmith ( 239784 ) on Monday December 27, 2004 @09:14PM (#11196131)
    This is an honest question, coming from a legitimate source, so all of those who think no one is out there stumbling along trying to understand all at once everything you have learned over the course of years need to take a deep breath.

    To the question: Yes, you can phase out your Windows 2000/2003 server in favor of Linux servers. Whether it is worth it is up to you to determine - if you have a lot invested in your Windows server admin skills, and you don't have time to devote to raising your Linux server admin skills, this may not be for you. Both OS's require a degree of skill to manage, particularly for networks of desktops being employed by people who need the desktop to be perfect all the time (which is what my experience tells me small non-profit users expect).

    If you are willing/able to meet the skill requirements for the system & network administration, and can translate that into desktop support that meets or exceeds that you deliver now, you need to come to an agreement with the organization about how best to deliver services using Linux. Some services can be moved off of Windows relatively transparently, but those which users seem to be most sensitive to generally aren't as easy to migrate.

    If you are running Exchange, particularly if you are using group calendars, there isn't a terrific free-as-in-beer Linux solution. SuSE Openexchange Server offers what looks like a nice solution, but the pricing isn't a significant difference to the Microsoft non-profit pricings that I've experienced, and it comes with a recurring annual client license fee.

    If you are extensively using Windows DFS for your file service, then the transition to a system that uses SAMBA, NFS, or DAV will be visible to the desktop user, with all the associated gnashing of teeth that brings. If you haven't implemented DFS, then the reproduction of home directories and shared directories with SAMBA should be simple and, with group policies, transparent.

    Authentication of users against the Active Directory to Linux network services isn't as hard as it might seem. By installing the Microsoft Services for Unix (or whatever they are calling it this week) you will get POSIX fields in the Active Directory schema that can be used to write LDAP queries against for authentication via PAM, Apache modules, and PHP, Perl, and Java applications. Likewise, logins on Linux servers and workstations with AD credentials can be directed against the AD via LDAP, and SuSE has this option included in their default install process.

    Finally, there are likely applications that are seen as critical to the success of the organization that are only supported on Windows. These niche applications will necessarily govern how much you can remove Windows from your back office.

    In general, the introduction of a few Linux servers into your back office is as painful as you want to make it. Moving user or customer facing services to Linux has to be an organizational decision, but it doesn't present a lot of technical problems. The biggest thing to remember is that you are meddling with the culture of the organization. These 50 people are doing something they consider very important, and they are not interested in what is cool to a bunch of geeks. If you think Linux will save you enough money to buy 'IT goodies' then you shouldn't even bother, because it isn't the right motivation. Linux can save money, it can be more secure, and it can be more stable, but all of those things are irrelevant if the users are pissed off because 'it worked fine before you changed things'.

    My advice is to use Linux to deploy new services, integrate it into the existing network, but only replace something that works when it is time to upgrade (since it will break anyway) or when it stops working. Be open and honest when you deploy something, when it breaks as well as when it works fine, and if you blow it up, take responsibility and don't blame someone else.
  • A real answer... (Score:5, Informative)

    by eric2hill ( 33085 ) on Tuesday December 28, 2004 @10:30AM (#11199012)
    ...instead of "go use Samba you fucktard".

    I run a corporate AD forest that covers 3 countries. We have 3 primary AD controllers at the corporate office and a local AD controller at each major branch office. I've started integrating Linux into the mix, with an Oracle server, Mail server, DNS server, and a few application servers.

    The hardest part has been getting Kerberos to properly authenticate with the AD tree. Basically, strip an off-the-shelf copy of Linux of anything related to Kerberos, then install a fresh copy of it from MIT. Once you've got that working, go pick up a copy of pam_krb5 and plug that into the PAM system. From then on out, all the linux services can authenticate with the AD tree through Kerberos.

    If you want to share files, then you'll need to go the Samba route, but you don't have to start there. Plenty of Linux services (Courier IMAP, QMail, Bind, etc) work just fine on an AD forest without Samba.

    I'm not sure if I'd trust my entire enterprise to Linux just yet. The time involved in figuring out which of the 5,000 configuration files I need to update to add a user isn't worth the ~$15 per user license of Windows. A single Windows 2003 server license plus users is very reasonable. It's the cost of 10+ server licenses that will kill you. Run a Windows AD controller and use Linux for the services on your network.
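
An added illustration of the MIT Kerberos plus pam_krb5 setup described in the comment above; it is not from the thread or from any poster. The realm EXAMPLE.ORG, the host names dc1/dc2.example.org and the PAM service file name are placeholders, and the PAM lines assume a pam_krb5 build that accepts `use_first_pass`.

```ini
# ---- /etc/krb5.conf (MIT Kerberos client; every name is a placeholder) ----
# krb5.conf has no trailing comments: keep each comment on its own line.
[libdefaults]
# The AD realm is the AD DNS domain written in upper case.
    default_realm = EXAMPLE.ORG
# Locate domain controllers through DNS SRV records as well.
    dns_lookup_kdc = true
# Weak default (false): a password login is accepted on the strength of a
# TGT alone, so any host able to answer as the KDC can vouch for a user.
# Hardened (true): the TGT must also yield a service ticket that validates
# against this machine's keytab, and login fails if no keytab is present.
    verify_ap_req_nofail = true
# Keep the clock synchronised with the domain controllers; Kerberos
# rejects requests whose timestamps fall outside the allowed skew.

[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org
        kdc = dc2.example.org
        admin_server = dc1.example.org
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG

# ---- /etc/pam.d/<service> (auth stack only; a separate file) ----
# Local accounts are tried first so root can still log in when no domain
# controller is reachable; pam_krb5 then reuses the password already typed.
# pam_krb5 only verifies the password: the account itself must still
# resolve through NSS (a local passwd entry or a directory lookup).
auth    sufficient  pam_unix.so
auth    sufficient  pam_krb5.so use_first_pass
auth    required    pam_deny.so
```

`verify_ap_req_nofail = true` only works once the machine has a host principal from the AD realm stored in its keytab; until then every Kerberos login is refused, which is the intended fail-closed behaviour.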
