Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Windows Operating Systems Software Linux

Linux Workstations in a Windows Domain? 78

gsperling asks: "As Windows licensing costs are gradually increasing, and options for those licenses are decreasing, I am forced to investigate Windows alternatives. I am trying to begin rolling out Linux as an alternative desktop solution to my enterprise. I am an IT Manager for a company of approximately 65 users. We are incorporating a second company into ours in the next six months, and that 65 number will grow to well over 150. This is a solution that I need to start working on TODAY. We currently have a Windows 2000 Server. It is primarily used as a file and printer sharing server, along with maintaining all of the user accounts domain-wide. I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server. I have exhaustively Google'd, read thousands of mailing list archives, and have still come up short. After I receive my results, I plan on publishing a whitepaper on how this is done, of course giving credit where credit is due." For those of you using Linux in the Enterprise, how have you managed to get Windows to play nice with any Linux boxen in your domain?
This discussion has been archived. No new comments can be posted.

Linux Workstations in a Windows Domain?

Comments Filter:
  • Sad to say (Score:2, Informative)

    by Apreche ( 239272 )
    It's sad to say, but what you're looking for is actually a Microsoft product.


    That will most likely take care of your problem. I highly reccomend you wait for others to reply to see if there is a free alternative, but that's the easy way out.
    • by Anonymous Coward
      Ironically enough, I saw an ad for just such a Microsoft product yesterday right here on Slashdot on the top banner!
    • I think this is the other way around, isn't it? For integrating Windows stations into primarily Unix environments? As far as I know, this runs on Windows and allows it to better interact with NIS setups, but does nothing for *nix boxes in Active Directory environments.
      • I think this is the other way around, isn't it?
        It may be do both. But I think he's on the right path -- the link I posted [microsoft.com] is a bit more specific than the one he did, and this definately looks like it would solve the original question., assuming it works as promised.
    • Perhaps I've been here too long, but I first read that as windows/stfu/defalt.asp, which seems more in character.
    • OP: This is just a thought, and I may be totally off base here but it sounds to me like you have several (many) years of supporting a Windows network and Windows desktop clients, and zero experience supporting Linux either at the server or desktop level (in a work environment.)

      If you are the only guy supporting 65 users in a professional shop and you are going to be expected to support 150 users by yourself, you are going to need to be 100% on your game - that means supporting what you know. Yes adding 85
  • Not too hard ... (Score:4, Informative)

    by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Monday December 29, 2003 @11:39AM (#7827684) Homepage
    I would like to know how it is possible to get a Linux Workstation to authenticate against the user database in our Windows 2000 Server.
    When you say `user database', are you referring to the Windows domain, or something like LDAP? I suspect it's the former ...

    The Windows database doesn't contain all the information that a *nix system needs -- it doesn't know about shells or home directories, for example. (Well, it does know home directories, but they're different.) Even if there was a PAM module that would talk to it, I'm not sure where it would get this information from.

    In your case, most people will set up a seperate server for the *nix network, using NIS to share password information. Using PAM you can even set up the *nix box to change the password on the Windows network when it's changed locally.

    Alas, it's easier to set up a Linux box as a domain server for a bunch of Windows boxes than it is to make the Windows box act as a NIS server for a Linux network ...

    Waitaminute. That's it -- you just need a NIS server for the Windows box. Looks like our old friends Microsoft sells something [microsoft.com] that may do what you need. (Disclaimer: I've never used it, and probably never will.)

    I suspect it (the software) will cost more than a dedicated Linux box NIS server (the hardware), but it may be easier to maintain and sell to management. Personally, I'd prefer the Linux NIS server, but then again, I'm not a Microsoft guy.

  • If it's active directory you mean, you'll have to do quite some digging,
    and some black art configuration.
    www.samba.org is still a good starting place. Also check out the MIT kerberos archives.
    If its a traditional windows domain, samba has all you need including
    docs. Keywords are the winbind daemon, and some configuration of /etc/pam.d/* and /etc/nsswitch.conf files
  • by Alex ( 342 ) on Monday December 29, 2003 @11:41AM (#7827701)
    http://www.samba.org/samba/docs/man/winbindd.8.htm l

  • by Anonymous Coward on Monday December 29, 2003 @11:42AM (#7827711)
    Detailed instructions at the following: http://www.securityfocus.com/infocus/1563
    • While this article does work (I've implemented it myself) the key component (MKS AD4Unix) is MIA and showing no signs of being supported.

      The correct way to do this is through pam_smb; RH makes it easy w/ authconfig && SuSE 9 & enterprise have it through yast.
  • i have often wondered if it was possible to set up a group of linux machines to all authenticate from a single server without actually having to log into that server. sure anyone can ssh to another server on their network but how do you manage 200+ users in a linux setup without creating 200+ user accounts on EACH and every machine? is it me or is this just a gaping (goatse dot cx sized) hole in the linux arena? if im off base and this is something that can be done with samba or any other tool give me a
    • Well, there is a somewhat hole in bringing various things together, there are however may such things on linux. NIS is one. LDAP another common one, often used together with kerberos. Its perfectly doable, as I have a small network here using ldap for storing user information and kerberos for authentication and single signo on of services. Works amazingly well.http://www.bayour.com/LDAPv3-HOWTO.html provides a rather extensive howto. It's for debian, using RedHat/Fedora I found the patching and building fr
    • You can use mysql or ldap as a user information source and log people in against that without 'actual' account on each machine. If you really want to get exciting, you can do the same with Kerberos and Hesiod. You can also use NFS or (my preference) AFS to hold the user directories so they actually have home dirs. MIT has been doing it since the 80's with their Athena Project... I keep wondering why Windows has such an issue with single sign on.
    • NIS is the tool for this .. it's been around for a LONG time. Works great .. the last office I worked for used Windows to create Users, and using NDS for windows they were all put into a novell NDS where we had something that pulled the information and put it into NIS so the UNIX boxen would all be the same. It was pretty slick.

      Look into NIS though .. it's easy to setup and it's stable.

  • Rsync & winbind (Score:3, Interesting)

    by pauldy ( 100083 ) on Monday December 29, 2003 @11:46AM (#7827739) Homepage
    I currently use a mixture of rsync in a cron deamon and winbind from samba.org. The two allow syncing remote users accounts on workstations and authentication against the domain for the following services: ssh, ftp, telnet, pop3, kdm. Others can be added if they support pam. One that I have not gotten to work as of yet is cvs but I'm working on it.
    • use cvs over SSH and be happy (and secure).

      export CVS_RSH=ssh
      export CVSROOT=:ext:username@server.domain:/path/to/cvsro ot

      generate keys: ssh-keygen -d
      run an agent: ssh-agent
      add your keys: ssh-add

      newer versions of debian and fedora automatically run ssh-agent for you when you start X.

      You can also use a nifty program, "keychain", that automates a lot of this.

      We have disabled CVS PSERVER and exclusively use cvs over SSH. We have an rsync mirror of the cvs tree on a second machine with anonymous-r

  • Samba (Score:3, Informative)

    by barcodez ( 580516 ) on Monday December 29, 2003 @11:51AM (#7827777)
    Redhat 9 is configured to allow authentication agains a Windows Domain Controller right out the box. It uses Samba to do this and I expect it's not to hard to configure samba on other Linux distros to do the same. I would question why you want to keep Windows on the servers. Just use Linux with CUPS for printing, NFS for file share, NIS for user management.
    • Simple enough reason. One step at the time. Brave enough that apparently in a windows shop he is installing an evil job destroying communist unproven amateur OS. Let alone replace a WORKING setup with something new. If it ain't broken don't fix it.

      For him installing a single linux machine in to the existing windows network maybe the first step. Next may be to offload printing to easy the load on the windows server and the balance sheet. One small step at the time.

  • As with all MS software designed to aid interoperability, SFU is geared towards migrating users from another environment to Windows. It provides tools that allow communication, but they are specifically designed to not work well enough to be a long term solution.

    Some people have had success using kerberos as a security system, allowing both Windows and linux systems to authenticate off of it. It mean moving away from the AD user management, and I never got it to work right, but there is a fair amount of in
  • pam_smb (Score:3, Informative)

    by hab136 ( 30884 ) on Monday December 29, 2003 @11:55AM (#7827805) Journal
    pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server.

    pamsmb.sourceforge.net [sourceforge.net]

    pam_smb FAQ:
    http://pamsmb.sourceforge.net/faq/pam_smb_faq.html [sourceforge.net]

    Features (v1 and v2):

    • Authenticates Linux users against SMB servers in user mode(95, NT, samba etc). Will not authenticate against share level systems.
    • Supported OSes: Linux (any PAM supporting distro), Solaris 2.6 or greater.
    • Supports NT/Lanman encrypted passwords.
    • Any service which uses PAM can authenticate against NT.
    • Can setup to ignore lack of a local password entry when something else provides the users information such as RADIUS.

    Features (v2 only)
    • HP/UX 11 and FreeBSD 4.8 or 5.1 support.
    • Caching support.
    • Username mapping of Unix usernames to NT usernames.
  • by Ayanami Rei ( 621112 ) * <rayanami@gm[ ].com ['ail' in gap]> on Monday December 29, 2003 @11:55AM (#7827806) Journal
    Samba 3.0 [hotham.net] can talk to an Active Directory PDC and using winbindd (for the NSS) along with pam_smb and kerberos (for authentication) and smbmount (for home directories) we can provide a full windows users on linux solution.
  • Samba - Winbind (Score:3, Informative)

    by jtosburn ( 63943 ) on Monday December 29, 2003 @11:57AM (#7827813)
    When it comes to interoperability between Windows and *nix, the answer is usually Samba [samba.org]. For you, you need Winbind [samba.org], which will authenticate against a Windows Domain's PDC, and can be hooked into PAM.

    Browsing the docs [samba.org] is a very good idea. And, you can read The Official Samba-3 HOWTO and Reference Guide [samba.org] online. In particular, see Chapter 21. Winbind: Use of Domain Accounts [samba.org].

    Good luck.
  • Interesting.... (Score:5, Insightful)

    by Neck_of_the_Woods ( 305788 ) on Monday December 29, 2003 @11:57AM (#7827816) Journal
    This is just a question to the linux public, this maybe be just a little off topic but here we go anyway. I have karma to burn.

    Why do so many linux guys ignore "best tool for the job" and just force linux into a solution? I mean it is clear that linux has very good uses, just as windows does. Yet I have watched time and time again someone force linux or solaris into a job that would have worked better as a windows machine.

    Before you get on your high horse and scream that there is nothing that windows can do that linux can not do better just save it. Your wrong, dead wrong. In an all windows shop running .net and nothing but microsoft on the workstations there is no good reason to try to force them to program on linux/apache. There is not a good reason to try to force them to use samba, and there is not a good reason for DNS to be run on Linux in that shop.

    There are plenty of awesome reasons to use linux, but for petes sake your shooting yourself in the collective foot when you try to force linux in. You end up having management hear "integration" issues...The linux DNS is not talking to the ADS correctly....the Syslog server is not responding....that damn linux.....I could go on and on on this because someone forced linux into a shop that was all windows. Then did it poorly on top of that.

    I guess what I am trying to say is that Linux is not always the answer. Sometimes, you have to pick the best tool for the job, and sometimes that is not linux. Pick your battles my friends, and put linux in where it will shine like a white knight if your looking to change minds. Don't just take on every job with the idea that your going to "make them use linux". Find that perfect high profile job that linux will shine at, not the problem child job that you know is going to have issues.

    You want more linux in the shop? Start by putting it in the right place and follow up on it like you should. Don't just 1/2 ass force it.

    Just my 2 bits...I may just be bitter cleaning up after 1/2 assed linux imps that have gone wrong this week.

    • Re:Interesting.... (Score:4, Insightful)

      by Johnny Mnemonic ( 176043 ) <mdinsmore@[ ]il.com ['gma' in gap]> on Monday December 29, 2003 @12:18PM (#7827956) Homepage Journal

      Why do so many linux guys ignore "best tool for the job" and just force linux into a solution?

      Because he has zero dollars to implement a solution, and not only does Microsoft cost more than Linux, it costs more than it used to--the cost to use Microsoft keeps increasing. So while I'll agree that Linux is not an end-all be-all, if you don't have any money to spend it's really the only solution available.
      • Re:Interesting.... (Score:5, Insightful)

        by Neck_of_the_Woods ( 305788 ) on Monday December 29, 2003 @12:38PM (#7828081) Journal
        I agree, if you have no other solution besides "free" you have a winner in linux.

        I was not really pointing at this story. As his needs and resources are the driving force here. If money is a major issue in the project then of course you are going with "the best tool for the job" in picking linux. Unless linux in the long wrong will cost you more man hours to support, eclipsing your savings on the free OS. This happens everyday, I know because I see it.

        The "best tool for the job" of course has to take money into consideration. But if you save 200 bucks on the OS, but then spend 10 hours trying to make it work with a windows domain what good has it done you. Unless management has no concept of TOS(total cost of ownership) this is a loosing battle. I will agree that most everything you do on Windows will cost you, but does it cost so much to get "ease of use", that you will to support it with you man hours?

        I guess if your time is worth nothing, then linux will always be the solution.

        • You would think I would have put TCO...ho well...can't win them all.

          Peace out and all the hippy stuff, this is just a flame war waiting to happen.

          I think we are both right.

          Happy Holidays, and best wishes Johnny.

        • Re:Interesting.... (Score:2, Informative)

          by Phillup ( 317168 )
          If I were to try and implement the Windows solution... it would take me a long time. Possibly even days.

          I don't do Windows... so, I'd have to fight a learning curve... and a trust curve, to implement it.

          I do Linux.

          I can implement a Samba domain in less than 30 minutes (including OS install). It is easy for me... because that is what I do.

          I *used* to do Windows, but I got tired of having to *redo* Windows. It just quit working a lot... for reasons unknown.

          Anyway... TCO can't be determined properly witho
        • >But if you save 200 bucks on the OS, but then spend 10 hours trying to
          >make it work with a windows domain what good has it done you.

          Presumably he's rolling out more then one machine. The prep work will be amortized over a few dozen PCs.

          BTW, how long did it take to develop a standardized WinXP image for your shop?

        • "But if you save 200 bucks on the OS, but then spend 10 hours trying to make it work with a windows domain what good has it done you."

          I don't understand this trying to make it work...It works. Just like any windows workstation works in a *nix domain. The configuration is about the only thing that doesn't come out the box setup for your network, but hey I cant hold your hand on this one RTFM's, or is that too time consumeing?

          "I guess if your time is worth nothing, then linux will always be the solution."

    • Re:Interesting.... (Score:4, Insightful)

      by mabhatter654 ( 561290 ) on Monday December 29, 2003 @12:30PM (#7828036)
      But the deal is trying to get out of the huge payments that he'll be making for a brand new MS AD Server + CALS for 150 users! For a small company, he's looking at probably $10k to get everything together for the MS solution [plus the actual PCs for users!]...when it's all stuff that's "free" in a standard Debian install!

      Having been in exactly this same situation, the only answer for a small busines [trying make a profit and stay OPEN!] nowdays is to look at a linux solution. But he probably needs to pull out the whole windows framework and replace it with Linux...and put the windows back as a add-on to the network.

      While MS has some great solutions, their licensing policies are way out of line, especially for a small business like he's describing...you're better off buying boxed copies at compusa than dealing with MS licensing 6.0...and who knows when MS will get "tired" of that and pump you for more cash? It's not a risk that small business can afford to take anymore. Uncertianty of fees is a HUGE deal although only recently have IT managers been trying to get license fees under control before their managers fire them for being stupid for 10 years!

      • Recently, during a chat with my techie wife, it became apparent that Linux may be making headway on the desktop, if only because MS's licensing issues are so overwhelming.

        It follows that it may not MATTER whether Linux is "ready for the desktop," as the alternative is cost prohibitive and legally tenuous by comparison.

        Not that I'm incredibly thrilled about either side of the argument here, but it is interesting.
      • Although fees and licensing is an issue for sure, it is not /that/ huge compared to the wage bill of most IT organisations - usually 60% of the cost are salaries then WAN etc then mtce then finally capitalised software purchases way down the list.
        • but if there's only 1 IT guy then this isn't an "IT orgainization" , it's some other kind of business that just uses computers. That's my beef with MS. Sure if you have a staff of programmers or sys admins for 1000 users, salary is more that the cost of software. In small shops, most IT guys are "it"...programming, sys admin, security, support, etc... MS tools are simply way to expensive for those people...and they represent a good 25-50% of all IT positions!!! He was talking about 60-120 users...unles
    • Best tool for the job is a mantra repeated in IT circles but that covers only the technical part of the problem.

      Well, there are also economic aspectes (Linux is cheaper), ethical aspects (some people dislike dealing with companies that brake the law) and political aspects (wanting to use software that I can mantain according to my needs).

      Some solutions may look the best from a technical point of view if you restrict your choices (i.e. what is the best choice to use as desktops in Windows only environment.
    • by dJCL ( 183345 )
      The person is probably not going to be the one to mess it up. He is looking for information on how to implement things, and will be running a test case to see how it works. He has stated his reasons(money, and since he's on slashdot: dislikeing of MS) and is looking for the best solution that there is available to him.

      He is not switching his whole server over to Linux with Samba and auth on it, he is moving some client systems over. Major difference in the disruption level if things don't work out.
    • Although I agree with you in some ways, I think that the real problem is with the "best tool for the job" approach to things. The issue with this is that "the job" is usually defined very narrowly and does not take other practical factors into account. It's true that there are zealots of every stripe out there who will simply choose a tool because it is what they love best or all that they are really familiar with, but simply looking at a narrow range of capabilities without taking into account the larger
    • *rolls eyes*

      Because, like 99% of Windows "admins," Linux is all they know, probably.

      Or possibly:
      a. reliability
      b. performance
      c. customizability
      d. price
      e. zealotry
      f. principle
      g. liability

      All valid reasons, sans 'e', IMHO.

      I think the more interesting question is, "Why do Windows admins waste so much money on Windows licensing when there are other solutions that are often more reliable?"

      The answer is, of course, "Because Windows is all they know."

      • And yet another question, "Why do Windows admins waste so much money on licensed software when they bootleg just as much if not more?"

        Seariously tho, I have not met a windows admin who was not running something unlicensed at his/her own little home/small business network.

    • Did you read the original post at all? He's not looking to use Linux because it's "better", but because he (like many other people) doesn't like Microsoft's licensing terms. But I guess you were probably just looking for a reason to flame somebody.
    • tossing linux in the middle of a windows shop may not always be the best idea. But a windows shop in general typically isn't the best idea either. For 90% of the functions out there ALL linux + basically anything but windows is a superior solution. In terms of cost, maintainence, stability, security, and performance. Gee, that's umm EVERY significant factor in determining what solution is the best for the job.

      When tossing linux into a windows shop however you add one, compatibility, and that makes thin
    • If you want to take the "right tool for the job" angle, I was just wondering why he wants to bend over backwards fighting to get linux workstations to talk to a solitary windows server which is only used for file and print, when in my opinion, the "right tool" would be replacing the win2k server with a Linux server running samba 3, and then be able to support windows and linux workstations with no problems. Also, you have the added bonus of no longer being locked in to proprietary protocols. Sounds like t
    • You indirectly make a very good point. The place Linux shines best is servers, so the obvious answer is to replace the Win2k server with a Linux one. Not only does this save considerably more money than replacing a few desktops, but it neatly solves the problem of "how do I connect a Linux desktop to my network".

    • Re:Interesting.... (Score:3, Insightful)

      by itzdandy ( 183397 )
      Windows: need license PER connection to server

      Linux: no license requried.

      Windows: High initial cost. MSCE positions also expensive

      Linux: FREE initial cost. Linux "guru" typically slightly cheaper that MCSE

      Windows: Modern Windows Server OS requires substantial hardware to run efficiently, large amounts of RAM.

      Linux: Can run effectively on very modest hardware. Very good at being used in "modular networks" where VERY low end hardware is used on a 1machine/service basis.

      Windows: continuous sercurity
  • If you have total control of your NOC, I would personally start with your servers - move those PDCs and BDCs over to Linux using Samba. Do this slowly, using the "soft rollout" technique. Move a small portion of the workstations over to the Linux servers gradually. Once you get all of your windows desktops looking to linux to get files and for any ldap, you can then begin adding linux desktops without fear of conflict. I dont really see a point in moving all of your desktops over to linux and keeping wi
  • Perhaps you should start with the server and convert that to Linux/BSD and Samba 3. It should handle file/print services for your Windoze users just fine.

    I recently replaced our aging NT server with Linux/Samba and it's working fine. (the server's primary job is file storage for front-end unix/linux servers so the Linux choice was easy. Setting up Samba on it allowed it to to replace our old NT machine for "free".)

    Another benefit from switching to Samba - XP Home can log into it but it could not attach to
  • Hi, maybe this can help you.

    pam_ldap/pam_krb5 Authentication Against Active Directory? [slashdot.org]


  • 1. To authenticate your Linux box logons against the windows domain, you need to do two things: (i). create an account on the linux box that has the SAME username as the windows domain account. Don't worry about making the password the same, just the username. (ii). run the command "authconfig" from a Linux shell. Go to the section to configure SMB authentication. Enable it and put it your domain controller IP address(es). Now when you logon to the Linux box will use the windows domain controller to auth
  • Here [vintela.com] is a product that will allow your Linux boxe[n|s] to authenticate with a Windows 2000 Active Directory. We were using it for awhile at my own place of employment, but we stopped when we found that the then-current version didn't work with Windows 2003. I haven't kept up to date with it, however.

    Oh, and Vintela happens to be a Canopy Group company, for what that's worth.

  • My advice on this is very simple: use redhat/fedora, or another (mandrake perhaps) system that has authconfig. You can go the AD4Unix route -- which works nicely-- but that project seems abandoned. I've tried to contact the authors of projects related to it, but authconfig just works (pam_smb) and it takes all of ten seconds.

    authconfig --enablesmbauth
    authconfig --smbworkgroup=<workgroup>
    authcnofig --smbservers=<server>

    You will need to have the users existing on your linux box
  • Consider using eDirectory by Novell -- this is an LDAP solution that would work with BOTH Winblows and non-Winblows architectures (and their environments). eDirectory works under Winblows, UNIX (Slowaris, HP-UX, BSD, et. al), Linux (Red Hat and generic), Novell (of course, since it's a Novell product) and (blech, pew) Microschloft's Winblows 2000. If not, consider getting OpenLDAP and/or Netscrape's Directory Services (which works under Linux as well...go to downloads.netscape.com). Something to consider
  • I want to take a moment and personally thank everybody for posting their version of how I should attack this particular problem. I also want to address some of the unknowns that were brought up in various replies to this post:

    My purpose for posting was to get opinions from Slashdot at large. I'm not expecting tech support, or a step-by-step "this is how you do it, let me hold your hand." Just as my original post said, I wasn't sure where to start, and I did do some pretty extensive Googling before I pos
  • We did a fair bit of work on this issue for the Department of Veterans Affairs here in Australia, using winbind/samba. All the kinks are pretty-much out of the system now, and are codified in a document called the 'security configuration guide'.

    Email me via our contact page - www dot intersectalliance dot com, and I'll bounce you the contact details for the current DVA security manager - he'd probably be willing to send you a (sanitised) copy of the config guide, which may help you out.

  • What's the deal?
    you can customize libnss_ldap to look up in an active directory ( via MSSFU ).
    pam_krb5 does the authentification-stuff.

    I think, that's the most native binding that you can get.
  • > I am trying to begin rolling out Linux as an alternative desktop solution
    > to my enterprise. [...] This is a solution that I need to start working
    > on TODAY. We currently have a Windows 2000 Server.

    If you're using Windows on the server, you probably don't have the Linux
    experience needed to manage Linux on 150 desktops. Seriously. (Unless there
    is something you're not telling us about your experience... have you used
    Linux yourself?) Do you really want to hire somebody else to do your Linux
  • I use the lone Linux workstation in a sea of Windows. I have managed to convince the powers that be to allow me to set up Linux servers for specialized purposes (IDS, SpamAssassin, etc.) but for the rest it's all Windoze.

    I'm using Samba for NTLM authentication and it's quite easy. The only manual setup is creating a file that contains my NTLM username, password, and domain name, and changing it each time I'm forced to change my NT password. Beyond that, I can easily mount network drives, print, etc.

Order and simplification are the first steps toward mastery of a subject -- the actual enemy is the unknown. -- Thomas Mann