Windows Domain auth for Linux boxes
Craig White
craigwhite at azapple.com
Fri May 28 18:21:25 UTC 2004
On Fri, 2004-05-28 at 10:40, Matt Morgan wrote:
> This is not specifically a Fedora question, but there are a lot of smart
> people on this list ... hopefully somebody can point me in the right
> direction.
>
> I would like to switch my organization from Windows 2000 professional to
> Linux on the desktop. I am satisfied enough with the performance of
> OpenOffice.org to substitute it for MS-Office, and we already use
> Thunderbird and Firefox for email/web. I'm not worried about the apps,
> in other words. What we have that is Windows-only can be run on our
> Terminal Servers.
>
> It's authentication that worries me. Our servers are a mix of Windows
> 2000/2003 and Linux, and our primary authentication is against Windows
> 2000 Active Directory servers. What we are having difficulty replicating
> under Linux is the ease of domain logins on the workstations, where
> essentially there are no local accounts; the workstation is a member of
> the domain and it trusts domain accounts for local login. So
> authentication is almost entirely centralized; anyone can log in to any
> workstation (within limits we set) on the domain, and we don't have to
> do anything to copy accounts to each workstation. While we may
> eventually dispense with the Active Directory servers, they will be with
> us through the transition period (1.5 to 2 years, I estimate) and maybe
> longer, so some system that allows compatible, shared auth between
> Windows and Linux workstations is a requirement for our transition.
>
> Xandros Desktop Linux has done a lot of work, starting back when they
> were Corel Linux 1.0, in creating a system of Windows domain login that
> works under Linux. See
>
> http://www.desktoplinux.com/articles/AT4559768996.html
>
> for details of how this should work, and does work under Xandros. But
> Xandros is uncomfortably proprietary for me and I would much prefer a
> more open solution. As far as I can tell, Xandros does not make it easy
> to use their domain auth system generally, with other distros for
> example. In the interview at the link above, the Xandros rep claims
> there is no other distro that does this--while I don't know of any that
> do, it seems like such an obvious goal that I'd be very surprised if
> nobody else is at least working on it.
>
> Has anybody done this on their system with more open tools? Or another
> option seems to be maintaining an NIS server that somehow replicates
> accounts with the AD servers, so that NIS handles Linux login, while AD
> handles only Windows--anybody tried that? Or if anybody else has come up
> with other solutions to this or similar problems, please write in. We
> have looked at all the PAM options--Kerberos, LDAP, etc.--and none of
> them look quite as good as what Xandros has done; but if they work for
> you, I'm very interested in hearing your stories.
-----
samba / winbind
if you need documentation
www.samba.org -> documentation, samba-3 howto
Craig