Windows Domain auth for Linux boxes

Craig White craigwhite at azapple.com
Fri May 28 18:21:25 UTC 2004


On Fri, 2004-05-28 at 10:40, Matt Morgan wrote:
> This is not specifically a Fedora question, but there are a lot of smart 
> people on this list ... hopefully somebody can point me in the right 
> direction.
> 
> I would like to switch my organization from Windows 2000 professional to 
> Linux on the desktop. I am satisfied enough with the performance of 
> OpenOffice.org to substitute it for MS-Office, and we already use 
> Thunderbird and Firefox for email/web. I'm not worried about the apps, 
> in other words. What we have that is Windows-only can be run on our 
> Terminal Servers.
> 
> It's authentication that worries me. Our servers are a mix of Windows 
> 2000/2003 and Linux, and our primary authentication is against Windows 
> 2000 Active Directory servers. What we are having difficulty replicating 
> under Linux is the ease of domain logins on the workstations, where 
> essentially there are no local accounts; the workstation is a member of 
> the domain and it trusts domain accounts for local login. So 
> authentication is almost entirely centralized; anyone can login to any 
> workstation (within limits we set) on the domain, and we don't have to 
> do anything to copy accounts to each workstation. While we may 
> eventually dispense with the Active Directory servers, they will be with 
> us through the transition period (1.5 to 2 years, I estimate) and maybe 
> longer, so some system that allows compatible, shared auth between 
> Windows and Linux workstations is a requirement for our transition.
> 
> Xandros Desktop Linux has done a lot of work, starting back when they 
> were Corel Linux 1.0, in creating a system of Windows domain login that 
> works under Linux. See
> 
> http://www.desktoplinux.com/articles/AT4559768996.html
> 
> for details of how this should work, and does work under Xandros. But 
> Xandros is uncomfortably proprietary for me and I would much prefer a 
> more open solution. As far as I can tell, Xandros does not make it easy 
> to use their domain auth system generally, with other distros for 
> example. In the interview at the link above, the Xandros rep claims 
> there is no other distro that does this--while I don't know of any that 
> do, it seems like such an obvious goal that I'd be very surprised if 
> nobody else is at least working on it.
> 
> Has anybody done this on their system with more open tools? Or another 
> option seems to be maintaining an NIS server that somehow replicates 
> accounts with the AD servers, so that NIS handles Linux login, while AD 
> handles only Windows--anybody tried that? Or if anybody else has come up 
> with other solutions to this or similar problems, please write in. We 
> have looked at all the PAM options--kerberos, LDAP, etc.--and none of 
> them look quite as good as what Xandros has done; but if they work for 
> you, I'm very interested in hearing your stories.
-----
samba / winbind

if you need documentation

www.samba.org  -> documentation, samba-3 howto

Craig
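
A minimal winbind setup of the kind the Samba-3 HOWTO covers, as an added example that is not part of Craig's reply. The domain EXAMPLE, realm EXAMPLE.COM, the ID ranges, the user alice and the group SID are placeholder assumptions, and the parameter names are those of Samba 3 (later releases replace `idmap uid` / `idmap gid` with `idmap config`).

```ini
# --- /etc/samba/smb.conf (placeholder domain and realm) ---
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   # Join as an Active Directory member; needs working Kerberos and clocks in sync with the DCs.
   security = ads
   # UID/GID range winbind may hand out to domain accounts.
   # Must not overlap any ID already used in /etc/passwd or /etc/group.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # Let users log in as "alice" instead of "EXAMPLE\alice".
   winbind use default domain = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
   # Enumerating the whole domain is slow and is not needed for logins.
   winbind enum users = no
   winbind enum groups = no

# --- /etc/nsswitch.conf: local files first, then winbind ---
passwd: files winbind
group:  files winbind

# --- /etc/pam.d/system-auth (relevant lines only) ---
auth     sufficient  pam_unix.so nullok try_first_pass
# <group-SID> is a placeholder: only members of that domain group may log in.
auth     sufficient  pam_winbind.so use_first_pass require_membership_of=<group-SID>
auth     required    pam_deny.so
account  sufficient  pam_unix.so
account  sufficient  pam_winbind.so
account  required    pam_deny.so
# No local account exists beforehand, so create the home directory at first login.
session  required    pam_mkhomedir.so skel=/etc/skel umask=0077
session  required    pam_unix.so

# --- Join and verify, as root, after starting winbindd ---
#   net ads join -U Administrator
#   wbinfo -t              # checks the machine account trust secret
#   getent passwd alice    # a domain user should resolve through winbind
```

Keeping `files` ahead of `winbind` and `pam_unix.so` ahead of `pam_winbind.so` means local accounts such as root still work when the domain controllers are unreachable.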




