Linux Workstations in a Windows Domain?
gsperling asks: "As Windows licensing costs are gradually increasing, and options for those licenses are decreasing, I am forced to investigate Windows alternatives. I am trying to begin rolling out Linux as an alternative desktop solution to my enterprise. I am an IT Manager for a company of approximately 65 users. We are incorporating a second company into ours in the next six months, and that 65 number will grow to well over 150. This is a solution that I need to start working on TODAY. We currently have a Windows 2000 Server. It is primarily used as a file and printer sharing server, along with maintaining all of the user accounts domain-wide. I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server. I have exhaustively Google'd, read thousands of mailing list archives, and have still come up short. After I receive my results, I plan on publishing a whitepaper on how this is done, of course giving credit where credit is due." For those of you using Linux in the Enterprise, how have you managed to get Windows to play nice with any Linux boxen in your domain?
Sad to say (Score:2, Informative)
http://www.microsoft.com/windows/sfu/default.as
That will most likely take care of your problem. I highly recommend you wait for others to reply to see if there is a free alternative, but that's the easy way out.
Re:Funny you should mention that (Score:1, Interesting)
Re:Sad to say (Score:2)
Re:Sad to say (Score:2)
Re:Sad to say (Score:1)
Time to consider TCO (Score:2, Insightful)
If you are the only guy supporting 65 users in a professional shop and you are going to be expected to support 150 users by yourself, you are going to need to be 100% on your game - that means supporting what you know. Yes adding 85
Not too hard ... (Score:4, Informative)
The Windows database doesn't contain all the information that a *nix system needs -- it doesn't know about shells or home directories, for example. (Well, it does know home directories, but they're different.) Even if there was a PAM module that would talk to it, I'm not sure where it would get this information from.
In your case, most people will set up a separate server for the *nix network, using NIS to share password information. Using PAM you can even set up the *nix box to change the password on the Windows network when it's changed locally.
Alas, it's easier to set up a Linux box as a domain server for a bunch of Windows boxes than it is to make the Windows box act as a NIS server for a Linux network ...
Waitaminute. That's it -- you just need a NIS server for the Windows box. Looks like our old friends Microsoft sells something [microsoft.com] that may do what you need. (Disclaimer: I've never used it, and probably never will.)
I suspect it (the software) will cost more than a dedicated Linux box NIS server (the hardware), but it may be easier to maintain and sell to management. Personally, I'd prefer the Linux NIS server, but then again, I'm not a Microsoft guy.
Re:Not too hard ... (Score:3, Funny)
Shouldn't that be IANAMSG? Then again, people could get confused and think you were not an employee of a Chinese restaurant.
Re:Not too hard ... (Score:1)
Well. (Score:2)
and some black art configuration.
www.samba.org is still a good starting place. Also check out the MIT kerberos archives.
If it's a traditional windows domain, samba has all you need including
docs. Keywords are the winbind daemon, and some configuration of
part of samba can do this for you, (Score:5, Informative)
Alex
Google Is Your Friend (Score:5, Informative)
Re:Google Is Your Friend (Score:1)
PAM/LDAP/NSS is the method I have used for almost two years to authenticate to an AD. I chose not to use AD4Unix, and purchased Microsoft's SFU instead (for the AD and MMC extensions only, I use none of the NIS features of the product). But AD4Unix is well written and I would opt for that solution in the future.
Re:Google Is Your Friend (Score:1)
The correct way to do this is through pam_smb; RH makes it easy w/ authconfig && SuSE 9 & enterprise have it through yast.
not just against a windows domain (Score:1)
Re:not just against a windows domain (Score:3, Informative)
Re:not just against a windows domain (Score:2, Informative)
Re:not just against a windows domain (Score:1)
Re:not just against a windows domain (Score:1)
Re:not just against a windows domain (Score:2)
Look into NIS though
Rsync & winbind (Score:3, Interesting)
Re:Rsync & winbind (Score:1)
export CVS_RSH=ssh
export CVSROOT=:ext:username@server.domain:/path/to/cvsroot
generate keys: ssh-keygen -d
run an agent: ssh-agent
add your keys: ssh-add
newer versions of debian and fedora automatically run ssh-agent for you when you start X.
You can also use a nifty program, "keychain", that automates a lot of this.
We have disabled CVS PSERVER and exclusively use cvs over SSH. We have an rsync mirror of the cvs tree on a second machine with anonymous-r
Samba (Score:3, Informative)
Baby steps (Score:2)
For him installing a single linux machine into the existing windows network may be the first step. Next may be to offload printing to ease the load on the windows server and the balance sheet. One small step at a time.
Kerberos (Score:1)
Some people have had success using kerberos as a security system, allowing both Windows and linux systems to authenticate off of it. It means moving away from the AD user management, and I never got it to work right, but there is a fair amount of in
pam_smb (Score:3, Informative)
pam_smb:
pamsmb.sourceforge.net [sourceforge.net]
pam_smb FAQ:
http://pamsmb.sourceforge.net/faq/pam_smb_faq.html [sourceforge.net]
Features (v1 and v2):
Features (v2 only)
This should get you started. (Score:3, Informative)
Samba - Winbind (Score:3, Informative)
Browsing the docs [samba.org] is a very good idea. And, you can read The Official Samba-3 HOWTO and Reference Guide [samba.org] online. In particular, see Chapter 21. Winbind: Use of Domain Accounts [samba.org].
Good luck.
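A pre-flight check for the winbind route discussed in this thread, added here as an example that is not part of any poster's comment: winbind has to supply what the Windows account database lacks (a login shell and uid/gid mappings), and NSS has to be told to ask winbind. It assumes Samba 3 parameter names (`idmap uid`, `idmap gid`, `template shell`); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Samba 3 parameter names.

# smb_param FILE NAME: print NAME's value from [global]; last assignment wins.
smb_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /\[global\]/); next }
        g && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }' "$1"
}

# nss_uses_winbind FILE DB: succeed if "winbind" is a source for DB.
nss_uses_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# check_winbind SMB_CONF NSSWITCH: print each problem; return the problem count.
check_winbind() {
    n=0
    case "$(smb_param "$1" security | tr 'A-Z' 'a-z')" in
        domain|ads) ;;
        *) echo "security is not domain or ads"; n=$((n + 1)) ;;
    esac
    for p in workgroup "idmap uid" "idmap gid"; do
        [ -n "$(smb_param "$1" "$p")" ] || { echo "unset: $p"; n=$((n + 1)); }
    done
    # Unset, "template shell" defaults to /bin/false: domain users cannot log in.
    case "$(smb_param "$1" "template shell")" in
        ""|/bin/false) echo "template shell gives no login shell"; n=$((n + 1)) ;;
    esac
    for db in passwd group; do
        nss_uses_winbind "$2" "$db" || { echo "nsswitch.conf: $db lacks winbind"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample files: no template shell, and group: has no winbind source.
sample=$(mktemp -d)
printf '%s\n' '[global]' '  workgroup = EXAMPLE' '  security = domain' \
    '  idmap uid = 10000-20000' '  idmap gid = 10000-20000' > "$sample/smb.conf"
printf '%s\n' 'passwd: files winbind' 'group: files' > "$sample/nsswitch.conf"
check_winbind "$sample/smb.conf" "$sample/nsswitch.conf" || echo "problems: $?"
```

On a real workstation the two arguments would be the system's smb.conf and /etc/nsswitch.conf; a zero return means the settings checked here are present, not that the domain join itself succeeded.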
Interesting.... (Score:5, Insightful)
Why do so many linux guys ignore "best tool for the job" and just force linux into a solution? I mean it is clear that linux has very good uses, just as windows does. Yet I have watched time and time again someone force linux or solaris into a job that would have worked better as a windows machine.
Before you get on your high horse and scream that there is nothing that windows can do that linux can not do better just save it. You're wrong, dead wrong. In an all windows shop running
There are plenty of awesome reasons to use linux, but for Pete's sake you're shooting yourself in the collective foot when you try to force linux in. You end up having management hear "integration" issues...The linux DNS is not talking to the ADS correctly....the Syslog server is not responding....that damn linux.....I could go on and on on this because someone forced linux into a shop that was all windows. Then did it poorly on top of that.
I guess what I am trying to say is that Linux is not always the answer. Sometimes, you have to pick the best tool for the job, and sometimes that is not linux. Pick your battles my friends, and put linux in where it will shine like a white knight if you're looking to change minds. Don't just take on every job with the idea that you're going to "make them use linux". Find that perfect high profile job that linux will shine at, not the problem child job that you know is going to have issues.
You want more linux in the shop? Start by putting it in the right place and follow up on it like you should. Don't just 1/2 ass force it.
Just my 2 bits...I may just be bitter cleaning up after 1/2 assed linux imps that have gone wrong this week.
Re:Interesting.... (Score:4, Insightful)
Why do so many linux guys ignore "best tool for the job" and just force linux into a solution?
Because he has zero dollars to implement a solution, and not only does Microsoft cost more than Linux, it costs more than it used to--the cost to use Microsoft keeps increasing. So while I'll agree that Linux is not an end-all be-all, if you don't have any money to spend it's really the only solution available.
Re:Interesting.... (Score:5, Insightful)
I was not really pointing at this story. As his needs and resources are the driving force here. If money is a major issue in the project then of course you are going with "the best tool for the job" in picking linux. Unless linux in the long run will cost you more man hours to support, eclipsing your savings on the free OS. This happens every day, I know because I see it.
The "best tool for the job" of course has to take money into consideration. But if you save 200 bucks on the OS, but then spend 10 hours trying to make it work with a windows domain what good has it done you. Unless management has no concept of TOS (total cost of ownership) this is a losing battle. I will agree that most everything you do on Windows will cost you, but does it cost so much to get "ease of use", that you will to support it with your man hours?
I guess if your time is worth nothing, then linux will always be the solution.
Re:Interesting.... (Score:2)
Peace out and all the hippy stuff, this is just a flame war waiting to happen.
I think we are both right.
Happy Holidays, and best wishes Johnny.
Re:Interesting.... (Score:2, Informative)
I don't do Windows... so, I'd have to fight a learning curve... and a trust curve, to implement it.
I do Linux.
I can implement a Samba domain in less than 30 minutes (including OS install). It is easy for me... because that is what I do.
I *used* to do Windows, but I got tired of having to *redo* Windows. It just quit working a lot... for reasons unknown.
Anyway... TCO can't be determined properly witho
Re:Interesting.... (Score:3, Interesting)
>make it work with a windows domain what good has it done you.
Presumably he's rolling out more than one machine. The prep work will be amortized over a few dozen PCs.
BTW, how long did it take to develop a standardized WinXP image for your shop?
Re:Interesting.... (Score:1)
I don't understand this trying to make it work...It works. Just like any windows workstation works in a *nix domain. The configuration is about the only thing that doesn't come out the box setup for your network, but hey I can't hold your hand on this one RTFM's, or is that too time consuming?
"I guess if your time is worth nothing, then linux will always be the solution."
I
Re:Interesting.... (Score:4, Insightful)
Having been in exactly this same situation, the only answer for a small business [trying to make a profit and stay OPEN!] nowadays is to look at a linux solution. But he probably needs to pull out the whole windows framework and replace it with Linux...and put the windows back as an add-on to the network.
While MS has some great solutions, their licensing policies are way out of line, especially for a small business like he's describing...you're better off buying boxed copies at compusa than dealing with MS licensing 6.0...and who knows when MS will get "tired" of that and pump you for more cash? It's not a risk that small business can afford to take anymore. Uncertainty of fees is a HUGE deal although only recently have IT managers been trying to get license fees under control before their managers fire them for being stupid for 10 years!
Rave on, brother (Score:2)
It follows that it may not MATTER whether Linux is "ready for the desktop," as the alternative is cost prohibitive and legally tenuous by comparison.
Not that I'm incredibly thrilled about either side of the argument here, but it is interesting.
Re:Interesting.... (Score:2)
Re:Interesting.... (Score:2)
Technical considerations are not the only ones. (Score:2)
Well, there are also economic aspects (Linux is cheaper), ethical aspects (some people dislike dealing with companies that break the law) and political aspects (wanting to use software that I can maintain according to my needs).
Some solutions may look the best from a technical point of view if you restrict your choices (i.e. what is the best choice to use as desktops in Windows only environment.
Re:Interesting.... (Score:1, Redundant)
He is not switching his whole server over to Linux with Samba and auth on it, he is moving some client systems over. Major difference in the disruption level if things don't work out.
Re:Interesting.... (Score:2)
because... (Score:2)
Because, like 99% of Windows "admins," Linux is all they know, probably.
Or possibly:
a. reliability
b. performance
c. customizability
d. price
e. zealotry
f. principle
g. liability
All valid reasons, sans 'e', IMHO.
I think the more interesting question is, "Why do Windows admins waste so much money on Windows licensing when there are other solutions that are often more reliable?"
The answer is, of course, "Because Windows is all they know."
Re:because... (Score:1)
Seriously tho, I have not met a windows admin who was not running something unlicensed at his/her own little home/small business network.
Re:Interesting.... (Score:2)
Did you read the original post at all? He's not looking to use Linux because it's "better", but because he (like many other people) doesn't like Microsoft's licensing terms. But I guess you were probably just looking for a reason to flame somebody.
Re:Interesting.... (Score:2)
When tossing linux into a windows shop however you add one, compatibility, and that makes thin
Re:Interesting.... (Score:2)
Re:Interesting.... (Score:2)
Re:Interesting.... (Score:3, Insightful)
Linux: no license required.
Windows: High initial cost. MCSE positions also expensive
Linux: FREE initial cost. Linux "guru" typically slightly cheaper than MCSE
Windows: Modern Windows Server OS requires substantial hardware to run efficiently, large amounts of RAM.
Linux: Can run effectively on very modest hardware. Very good at being used in "modular networks" where VERY low end hardware is used on a 1machine/service basis.
Windows: continuous security
Re:Wow (Score:2)
Re:Wow (Score:2)
Thoughts (Score:2)
Re:[OT] boxen (Score:4, Informative)
Choose to use it or not, but it's an accepted jargon term and has been for a long time.
Invert the problem (Score:2)
I recently replaced our aging NT server with Linux/Samba and it's working fine. (the server's primary job is file storage for front-end unix/linux servers so the Linux choice was easy. Setting up Samba on it allowed it to replace our old NT machine for "free".)
Another benefit from switching to Samba - XP Home can log into it but it could not attach to
pam_krb5 and pam_ldap (Score:1)
pam_ldap/pam_krb5 Authentication Against Active Directory? [slashdot.org]
ciao
david
Authentication (Score:1)
Re:Authentication (Score:1)
Vintela Authentication System (Score:2)
Oh, and Vintela happens to be a Canopy Group company, for what that's worth.
Use RedHat (Score:1)
authconfig --enablesmbauth
authconfig --smbworkgroup=<workgroup>
authconfig --smbservers=<server>
You will need to have the users existing on your linux box
Using LDAP with BOTH Winblows and Linux??? (Score:1)
Many Thanks To All! (Score:1)
My purpose for posting was to get opinions from Slashdot at large. I'm not expecting tech support, or a step-by-step "this is how you do it, let me hold your hand." Just as my original post said, I wasn't sure where to start, and I did do some pretty extensive Googling before I pos
Samba security configuration guide available. (Score:2)
Email me via our contact page - www dot intersectalliance dot com, and I'll bounce you the contact details for the current DVA security manager - he'd probably be willing to send you a (sanitised) copy of the config guide, which may help you out.
Red.
libnss_ldap and pam_krb5 (Score:1)
you can customize libnss_ldap to look up in an active directory ( via MSSFU ).
pam_krb5 does the authentication stuff.
I think, that's the most native binding that you can get.
Not what you want to hear, but... (Score:1)
> to my enterprise. [...] This is a solution that I need to start working
> on TODAY. We currently have a Windows 2000 Server.
If you're using Windows on the server, you probably don't have the Linux
experience needed to manage Linux on 150 desktops. Seriously. (Unless there
is something you're not telling us about your experience... have you used
Linux yourself?) Do you really want to hire somebody else to do your Linux
st
Just recounting my experience... (Score:1)
I'm using Samba for NTLM authentication and it's quite easy. The only manual setup is creating a file that contains my NTLM username, password, and domain name, and changing it each time I'm forced to change my NT password. Beyond that, I can easily mount network drives, print, etc.