Windows Domain auth for Linux boxes

Matt Morgan matt.morgan-fedora-list at brooklynmuseum.org
Fri May 28 17:40:03 UTC 2004


This is not specifically a Fedora question, but there are a lot of smart 
people on this list ... hopefully somebody can point me in the right 
direction.

I would like to switch my organization from Windows 2000 professional to 
Linux on the desktop. I am satisfied enough with the performance of 
OpenOffice.org to substitute it for MS-Office, and we already use 
Thunderbird and Firefox for email/web. I'm not worried about the apps, 
in other words. What we have that is Windows-only can be run on our 
Terminal Servers.

It's authentication that worries me. Our servers are a mix of Windows 
2000/2003 and Linux, and our primary authentication is against Windows 
2000 Active Directory servers. What we are having difficulty replicating 
under Linux is the ease of domain logins on the workstations, where 
essentially there are no local accounts; the workstation is a member of 
the domain and it trusts domain accounts for local login. So 
authentication is almost entirely centralized; anyone can login to any 
workstation (within limits we set) on the domain, and we don't have to 
do anything to copy accounts to each workstation. While we may 
eventually dispense with the Active Directory servers, they will be with 
us through the transition period (1.5 to 2 years, I estimate) and maybe 
longer, so some system that allows compatible, shared auth between 
Windows and Linux workstations is a requirement for our transition.

Xandros Desktop Linux has done a lot of work, starting back when they 
were Corel Linux 1.0, in creating a system of Windows domain login that 
works under Linux. See

http://www.desktoplinux.com/articles/AT4559768996.html

for details of how this should work, and does work under Xandros. But 
Xandros is uncomfortably proprietary for me and I would much prefer a 
more open solution. As far as I can tell, Xandros does not make it easy 
to use their domain auth system generally, with other distros for 
example. In the interview at the link above, the Xandros rep claims 
there is no other distro that does this--while I don't know of any that 
do, it seems like such an obvious goal that I'd be very surprised if 
nobody else is at least working on it.

Has anybody done this on their system with more open tools? Or another 
option seems to be maintaining an NIS server that somehow replicates 
accounts with the AD servers, so that NIS handles Linux login, while AD 
handles only Windows--anybody tried that? Or if anybody else has come up 
with other solutions to this or similar problems, please write in. We 
have looked at all the PAM options--Kerberos, LDAP, etc.--and none of 
them look quite as good as what Xandros has done; but if they work for 
you, I'm very interested in hearing your stories.

Thanks,
Matt Morgan
Manager of Information Systems
Brooklyn Museum
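
Added example (editor's addition, not part of Matt's post and not code from Xandros, Samba or Fedora): the open-tool equivalent of the behaviour described above is Samba's winbind with "security = ads" plus Kerberos, so the workstation holds a machine account in AD and PAM/NSS resolve and authenticate domain users with no local accounts. The script below stages the four relevant files (smb.conf, krb5.conf, nsswitch.conf and a Fedora-style /etc/pam.d/system-auth) under a directory of your choice and then lints them for the settings a security reviewer would insist on: Kerberos rather than NT4-style auth, weak enctypes off, auto-created home directories private, no empty passwords, and domain logins restricted to one AD group (pam_winbind's require_membership_of, which is how the "within limits we set" part is done). The realm EXAMPLE.ORG, workgroup EXAMPLE, domain controller dc1.example.org and the AD group linux-workstation-users are hypothetical placeholders; join_domain is only meant to be run as root on a real host with a reachable DC after the staged files have been copied to /.

```shell
#!/bin/sh
# Added example, not from the original post. Realm EXAMPLE.ORG, workgroup EXAMPLE,
# DC dc1.example.org and AD group linux-workstation-users are hypothetical.

emit() {  # emit PATH <<'EOF' ... : write stdin to PATH, creating parent dirs
    mkdir -p "$(dirname "$1")" && cat > "$1"
}

write_all() {  # write_all ROOT : stage smb.conf, krb5.conf, nsswitch.conf, system-auth under ROOT
    root=$1
    emit "$root/etc/samba/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
# Kerberos domain membership, not NT4-style "security = domain"
   security = ads
   kerberos method = secrets and keytab
# keep AD uids/gids clear of local accounts
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
# log in as "matt" instead of "EXAMPLE\matt"
   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
   template shell = /bin/bash
   template homedir = /home/%D/%U
# sign SMB and encrypt LDAP traffic to the DCs
   client signing = mandatory
   client ldap sasl wrapping = seal
EOF
    emit "$root/etc/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
# no RC4/DES; a compromised workstation should not hold forwardable TGTs by default
    allow_weak_crypto = false
    forwardable = false

[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org
        admin_server = dc1.example.org
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
EOF
    emit "$root/etc/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
EOF
    emit "$root/etc/pam.d/system-auth" <<'EOF'
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass
auth     sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE require_membership_of=linux-workstation-users
auth     required   pam_deny.so

account  required   pam_unix.so broken_shadow
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
account  required   pam_permit.so

password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required   pam_deny.so

session  required   pam_limits.so
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
session  required   pam_unix.so
EOF
}

check_config() {  # check_config ROOT : print every insecure or missing setting, return 1 if any
    root=$1; rc=0
    want()   { if ! grep -Eq -- "$2" "$root/$1"; then echo "FAIL: $1: $3"; rc=1; fi; }
    forbid() { if   grep -Eq -- "$2" "$root/$1"; then echo "FAIL: $1: $3"; rc=1; fi; }
    want   etc/samba/smb.conf    '^ *security *= *ads'                    'must join with Kerberos (security = ads)'
    want   etc/krb5.conf         'allow_weak_crypto *= *false'            'RC4/DES must stay disabled'
    want   etc/nsswitch.conf     '^ *passwd:.*winbind'                    'domain users must resolve through NSS'
    want   etc/pam.d/system-auth 'pam_winbind\.so.*require_membership_of=' 'domain logins must be limited to one AD group'
    want   etc/pam.d/system-auth 'pam_mkhomedir\.so.*umask=0077'          'auto-created home directories must be private'
    forbid etc/pam.d/system-auth 'nullok'                                 'empty passwords must not be accepted'
    return $rc
}

join_domain() {  # run as root on the real workstation after copying the staged files to /
    net ads join -U Administrator    # creates the computer account and /etc/krb5.keytab
    systemctl restart winbind        # service is named winbindd on some distributions
    wbinfo -t                        # verify the machine trust account secret
    getent passwd matt               # a domain user now resolves with no local entry
}
```

Usage: `d=$(mktemp -d); write_all "$d"; check_config "$d"` stages and lints the files offline; the lint exits non-zero on the first weakened setting (for instance a `nullok` slipped back into pam_unix), which makes it easy to keep in a kickstart post-install step. Restricting by AD group rather than by machine is the same model the post describes: anyone in linux-workstation-users can sit down at any joined workstation, and removing them from the group in AD locks them out of every box at once.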