Windows Domain auth for Linux boxes
Matt Morgan
matt.morgan-fedora-list at brooklynmuseum.org
Fri May 28 17:40:03 UTC 2004
This is not specifically a Fedora question, but there are a lot of smart
people on this list ... hopefully somebody can point me in the right
direction.
I would like to switch my organization from Windows 2000 Professional to
Linux on the desktop. I am satisfied enough with the performance of
OpenOffice.org to substitute it for MS-Office, and we already use
Thunderbird and Firefox for email/web. I'm not worried about the apps,
in other words. What we have that is Windows-only can be run on our
Terminal Servers.
It's authentication that worries me. Our servers are a mix of Windows
2000/2003 and Linux, and our primary authentication is against Windows
2000 Active Directory servers. What we are having difficulty replicating
under Linux is the ease of domain logins on the workstations, where
essentially there are no local accounts; the workstation is a member of
the domain and it trusts domain accounts for local login. So
authentication is almost entirely centralized; anyone can log in to any
workstation (within limits we set) on the domain, and we don't have to
do anything to copy accounts to each workstation. While we may
eventually dispense with the Active Directory servers, they will be with
us through the transition period (1.5 to 2 years, I estimate) and maybe
longer, so some system that allows compatible, shared auth between
Windows and Linux workstations is a requirement for our transition.
Xandros Desktop Linux has done a lot of work, starting back when they
were Corel Linux 1.0, in creating a system of Windows domain login that
works under Linux. See
http://www.desktoplinux.com/articles/AT4559768996.html
for details of how this should work, and does work under Xandros. But
Xandros is uncomfortably proprietary for me and I would much prefer a
more open solution. As far as I can tell, Xandros does not make it easy
to use their domain auth system generally, with other distros for
example. In the interview at the link above, the Xandros rep claims
there is no other distro that does this--while I don't know of any that
do, it seems like such an obvious goal that I'd be very surprised if
nobody else is at least working on it.
Has anybody done this on their system with more open tools? Or another
option seems to be maintaining an NIS server that somehow replicates
accounts with the AD servers, so that NIS handles Linux login, while AD
handles only Windows--anybody tried that? Or if anybody else has come up
with other solutions to this or similar problems, please write in. We
have looked at all the PAM options--kerberos, LDAP, etc.--and none of
them look quite as good as what Xandros has done; but if they work for
you, I'm very interested in hearing your stories.
Thanks,
Matt Morgan
Manager of Information Systems
Brooklyn Museum
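Added example, not part of the original post and not the poster's setup: what the "workstation is a domain member, no local user accounts" model described above looks like on a Linux box using the open tools of the same era, Samba 3 winbind plus MIT Kerberos. The realm EXAMPLE.ORG, workgroup EXAMPLE and DC dc1.example.org are placeholders; the generated files are the usual smb.conf, krb5.conf, nsswitch.conf and a Fedora-style /etc/pam.d/system-auth. The two check_ functions encode the points a reviewer would want verified: NSS consults "files" before winbind (so root still works when the DCs are down) and no pam_unix line carries nullok (an empty local password must not become a back door on a machine that is supposed to have no local users). join_domain needs network, root and a domain admin credential and is not run automatically.

```shell
#!/bin/sh
# Added example (not from the original post): a Linux workstation as an AD
# domain member with no local user accounts, via Samba 3 winbind + Kerberos.
# Realm/workgroup/DC names are placeholders, not the poster's environment.
REALM="${REALM:-EXAMPLE.ORG}"        # assumption: Kerberos realm (upper case)
WORKGROUP="${WORKGROUP:-EXAMPLE}"    # assumption: NetBIOS domain name
DC="${DC:-dc1.example.org}"          # assumption: a domain controller / KDC

# /etc/samba/smb.conf: join as an ADS member and map domain SIDs onto a fixed
# uid/gid range. Samba 3's default idmap is per machine, so uids are only
# identical across workstations if a shared idmap backend is used (not shown).
gen_smb_conf() {
cat <<EOF
[global]
   workgroup = $WORKGROUP
   realm = $REALM
   security = ads
   encrypt passwords = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
EOF
}

# /etc/krb5.conf: point the Kerberos libraries at the DC, which is the KDC.
gen_krb5_conf() {
cat <<EOF
[libdefaults]
   default_realm = $REALM
[realms]
   $REALM = {
      kdc = $DC
      admin_server = $DC
   }
EOF
}

# /etc/nsswitch.conf: local files first, then winbind. "files" first keeps
# root and other local emergency accounts usable when the DCs are unreachable.
gen_nsswitch() {
printf 'passwd:  files winbind\ngroup:   files winbind\nshadow:  files\n'
}

# /etc/pam.d/system-auth (Fedora-style shared stack). pam_winbind authenticates
# domain users; pam_mkhomedir creates the home directory on first login so the
# workstation needs no per-user setup. Deliberately no "nullok" on pam_unix.
gen_pam_system_auth() {
cat <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_winbind.so
account     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      pam_unix.so
EOF
}

# check_nsswitch TEXT: succeed only if the passwd and group lines consult
# winbind and list "files" before it.
check_nsswitch() {
  printf '%s\n' "$1" | grep -q '^passwd:.*files.*winbind' &&
  printf '%s\n' "$1" | grep -q '^group:.*files.*winbind'
}

# check_pam TEXT: succeed only if no pam_unix line carries nullok.
check_pam() {
  ! printf '%s\n' "$1" | grep 'pam_unix.so' | grep -q 'nullok'
}

# Join and verify (needs network, root and a domain admin credential; not run
# here). "wbinfo -t" proves the machine trust account works; "getent" proves
# NSS sees domain users, which is the precondition for a domain login.
join_domain() {
  net ads join -U Administrator &&
  service winbind restart &&
  wbinfo -t &&
  wbinfo -u | head -5 &&
  getent passwd | tail -3
}
```

Write each gen_ function's output to the corresponding file as root, run join_domain once, and a domain user should then be able to log in at the console or display manager with no local account ever being created.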