Linux - Enterprise: This forum is for all items relating to using Linux in the Enterprise.
I have heard linux gurus at my work talk about implementing a UNIX Schema to Windows 2000 AD, to allow UNIX workstation (and future linux clients) to log on to the windows domain. I am curious to find out information on this setup (they will not tell me because I am a contractor)
Does anyone happen to know what (Win2k) application or server can implement this type of setup? I would like to read some documentation on it.
Well, not sure what Schema is, but right now I am using Samba 3.0.3 to connect to a massive Windows Server 2003 ADS (or AD) network and I can log on to the Linux machine fine. Actually any user can and it's checked via AD. I am using Samba for file/printing and all user/name resolutions are done using Kerberos. The Samba site has tons of good reading. I hope that was what you were looking for.
**Edit - Hope you weren't looking for info on UNIX implementations. If so sorry.
OK. Then how did you do it? We are using various versions of RedHat Linux. When I run the command line program setup and tell it to use Samba to authenticate, it sets the SMB entry in the PAM system after the local passwd database. When I login with an account that is on that machine locally and is on AD, it doesn't let me in unless I put the local password in.
If you go to the Samba site and download the 2 manuals (the How To and the Examples) it literally will walk you through it. One thing I know for sure is the ADS server has to be running in "Native" mode or it won't work. Meaning (I think it means this) that it will allow NT 4 clients to be authenticated and allowed to log on to the network. In Chapter 9 of the Samba Examples, it shows you how to do this. Just have to make sure everything it needs is there and set up. Also, I just did what it said and it worked. Like in smb.conf, realm=my.ads.server so it checks via ADS and security = ADS. I might make a little how-to for a Gentoo (SELinux) file/print server on a Windoze ADS network. At the moment, I don't have time to go into detail, but gimme a bit and I will.
Oh, I also found this in my travels - pretty sweet just to get started.
All of the clients are either Win2000 or XP. Both work fine when using the Samba server and ADS as the pw backend. The entire network is running on Wincrap Server 2003. My Samba server is (was) the only Linux server in our company. I actually started using it as my production computer using VariCad instead of MicroStation or AutoCad while the Samba server was running in the background. I also started to mess with Evolution and the Exchange server plugin that Novell just GPL'd. It's really cool. I get all of the calendar stuff and basically anything I would find useful in Outlook. Gotta love Linux.
Though a bit off topic from LDAP, the key is winbindd with regards to authentication. So if you already have a means by which your *ix accounts are set up, you can use winbindd to authenticate those accounts via your AD infrastructure. Just an FYI.
Re: Re: Pure LDAP authentication against AD (native)
Quote: Originally posted by trey85stang: awesome document!! how big of a network have you tested this in??
EDIT: also you mentioned Windows 2003 server.. does this work with 2000?
This architecture was developed to be implemented in a network with approximately 30 windows servers, and a moderately sized farm of webservers using LDAP auth.
It should work with 2000 with nearly no changes, with the exception of the MS HotFix. Keep an eye on your ldap schema...that is the only thing that could be different, but if you use MSSFU35, then the extended schema will be the same anyway.
Quote: Originally posted by cjcox: Though a bit off topic from LDAP, the key is winbindd with regards to authentication. So if you already have a means by which your *ix accounts are set up, you can use winbindd to authenticate those accounts via your AD infrastructure. Just an FYI.
That depends on if you are using LDAP authentication for Unix or not. If you are using ldap for unix, and you leverage winbind in your nsswitch.conf, then you will have trouble mapping your users, because the uids are going to be produced based on a hash of the SID, as opposed to the UID in the directory.
Actually, you can request them to be mapped to your local authentication mechanism... but as I stated, my suggestion was for those not considering LDAP. I work with a lot of ISVs and they run many versions of *ix. Some have LDAP support, others do not. So it's just an alternative. I do recommend the Samba by Example guide (downloadable from Samba)... as it does a pretty good job of showing the integration techniques using LDAP (and the winbindd example I suggested as well).
Quote: Originally posted by cjcox: Actually, you can request them to be mapped to your local authentication mechanism... but as I stated, my suggestion was for those not considering LDAP. I work with a lot of ISVs and they run many versions of *ix. Some have LDAP support, others do not. So it's just an alternative. I do recommend the Samba by Example guide (downloadable from Samba)... as it does a pretty good job of showing the integration techniques using LDAP (and the winbindd example I suggested as well).
Sure...the configuration of this is found in the nsswitch.conf file. That's what I was discussing in the previous post. If you are using the rest of the posix implementation in the directory, you are better off using that information in the directory, as opposed to having it create information by leveraging winbind.
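The two configuration points the thread keeps coming back to are the smb.conf settings needed for an AD (Kerberos) join (security = ADS plus a realm) and the nsswitch.conf passwd line that decides whether domain users get their UIDs from posix attributes in the directory (ldap) or from winbind's own idmap allocation (winbind). The script below is an added example, not code from any poster or from the Samba project: it audits constructed smb.conf and nsswitch.conf fragments (the realm, workgroup and file contents are all made up) and reports which UID source is in effect, so you can spot the mismatch described above before users end up with different UIDs on different hosts.

```shell
#!/bin/sh
# Added example (not from the thread): audit constructed smb.conf and
# nsswitch.conf fragments for the AD join settings and the UID source.

# Constructed sample smb.conf fragment; realm and workgroup are placeholders.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.INTERNAL
   security = ADS
   encrypt passwords = yes
'

# Constructed nsswitch.conf fragments: the first resolves accounts from the
# directory (posix attributes over LDAP), the second lets winbind allocate UIDs.
SAMPLE_NSS_LDAP='passwd: files ldap
group:  files ldap
shadow: files ldap
'
SAMPLE_NSS_WINBIND='passwd: files winbind
group:  files winbind
shadow: files
'

# smb_value CONF_TEXT KEY -> the value of KEY from the fragment, lowercased.
smb_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 | tr 'A-Z' 'a-z'
}

# check_ads_join CONF_TEXT -> prints "ok" when security = ADS and a realm is
# set; otherwise prints the reason and returns non-zero.
check_ads_join() {
    sec=$(smb_value "$1" security)
    realm=$(smb_value "$1" realm)
    if [ "$sec" != "ads" ]; then
        echo "security is '$sec', expected 'ads' for Kerberos/AD authentication"
        return 1
    fi
    if [ -z "$realm" ]; then
        echo "realm is missing; Samba cannot locate the Kerberos realm"
        return 1
    fi
    echo ok
}

# passwd_source NSS_TEXT -> the first non-'files' source on the passwd line
# (e.g. "ldap" or "winbind"), i.e. where UIDs for domain users come from.
passwd_source() {
    printf '%s\n' "$1" | awk '$1 == "passwd:" {
        for (i = 2; i <= NF; i++) if ($i != "files") { print $i; exit }
    }'
}

# uid_mapping_check NSS_TEXT -> one line explaining the consequence of the
# passwd source for UID consistency across hosts.
uid_mapping_check() {
    src=$(passwd_source "$1")
    case "$src" in
        ldap)
            echo "ldap: UIDs come from posix attributes stored in the directory" ;;
        winbind)
            echo "winbind: UIDs are generated by winbind's idmap on this host, not read from the directory" ;;
        *)
            echo "unrecognised passwd source '$src'" ;;
    esac
}

# Run the checks against the constructed samples.
check_ads_join "$SAMPLE_SMB_CONF"
uid_mapping_check "$SAMPLE_NSS_LDAP"
uid_mapping_check "$SAMPLE_NSS_WINBIND"
```

Point the functions at real files with `check_ads_join "$(cat /etc/samba/smb.conf)"` and `uid_mapping_check "$(cat /etc/nsswitch.conf)"`; a host that reports "winbind" while its peers keep posix attributes in the directory is the case cjcox and the original poster were discussing.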