Old 06-06-2004, 01:19 PM   #1
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Rep: Reputation: 41
Question Win 2000 AD Integration to linux


I have heard Linux gurus at my work talk about implementing a UNIX Schema to Windows 2000 AD, to allow UNIX workstations (and future Linux clients) to log on to the Windows domain. I am curious to find out information on this setup (they will not tell me because I am a contractor).

Does anyone happen to know what (Win2k) application or server can implement this type of setup? I would like to read some documentation on it.

Thanks!
 
Old 06-08-2004, 12:58 AM   #2
Phorem
Member
 
Registered: Nov 2003
Location: Toronto, Canada
Distribution: Gentoo AMD64
Posts: 374

Rep: Reputation: 30
Well, not sure what Schema is, but right now I am using Samba 3.0.3 to connect to a massive Windows Server 2003 ADS (or AD) network and I can log on to the Linux machine fine. Actually any user can and it's checked via AD. I am using Samba for file/printing and all user/name resolutions are done using Kerberos. The Samba site has tons of good reading. I hope that was what you were looking for.

**Edit - Hope you weren't looking for info on UNIX implementations. If so sorry.

Last edited by Phorem; 06-08-2004 at 01:01 AM.
 
Old 06-09-2004, 03:20 PM   #3
bderry
LQ Newbie
 
Registered: Jul 2001
Posts: 2

Rep: Reputation: 0
OK. Then how did you do it? We are using various versions of RedHat Linux. When I run the command line program setup and tell it to use Samba to authenticate, it sets the SMB entry in the PAM system after the local passwd database. When I log in with an account that is on that machine locally and is on AD, it doesn't let me in unless I put the local password in.

Thanks,
Ben
 
Old 06-09-2004, 03:37 PM   #4
Phorem
Member
 
Registered: Nov 2003
Location: Toronto, Canada
Distribution: Gentoo AMD64
Posts: 374

Rep: Reputation: 30
If you go to the Samba site and download the 2 manuals (the How To and the Examples) it literally will walk you through it. One thing I know for sure is the ADS server has to be running in "Native" mode or it won't work. Meaning (I think it means this) that it will allow NT 4 clients to be authenticated and allowed to log on to the network. In Chapter 9 of the Samba Examples, it shows you how to do this. Just have to make sure everything it needs is there and set up. Also, I just did what it said and it worked. Like in smb.conf, realm=my.ads.server so it checks via ADS and security = ADS. I might make a little how-to for a Gentoo (SELinux) file/print server on a Windoze ADS network. At the moment, I don't have time to go into detail, but gimmie a bit and I will.

Oh, I also found this in my travels - pretty sweet just to get started.

http://info.ccone.at/INFO/Samba/doma...tml#ads-member

Hope it helped a bit.
 
Old 06-10-2004, 04:55 PM   #5
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Original Poster
Rep: Reputation: 41
Definitely good info here, and I like what I have heard about Samba 3.0.3. That sounds very interesting; I did not think that could be set up.

But I was just looking to get a jump on what they plan on using here...

Phorem, just curious what client are you using?
 
Old 06-10-2004, 09:32 PM   #6
Phorem
Member
 
Registered: Nov 2003
Location: Toronto, Canada
Distribution: Gentoo AMD64
Posts: 374

Rep: Reputation: 30
All of the clients are either Win2000 or XP. Both work fine when using the Samba server and ADS as the pw backend. The entire network is running on Wincrap Server 2003. My Samba server is (was) the only Linux server in our company. I actually started using it as my production computer using VariCad instead of MicroStation or AutoCad while the Samba server was running in the background. I also started to mess with Evolution and the Exchange server plugin that Novell just GPL'd. It's really cool. I get all of the calendar stuff and basically anything I would find useful in Outlook. Gotta love Linux.

Last edited by Phorem; 06-10-2004 at 09:33 PM.
 
Old 07-06-2004, 09:32 AM   #7
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Pure LDAP authentication against AD (native)

I have posted a howto on this on my consulting site, for those who are interested...

You can reach it at Unix authentication against AD (LDAP) . If you have any questions, please feel free to e-mail me.
 
Old 07-06-2004, 03:30 PM   #8
Phorem
Member
 
Registered: Nov 2003
Location: Toronto, Canada
Distribution: Gentoo AMD64
Posts: 374

Rep: Reputation: 30
Nice. I like the *.conf examples. It will save some people a lot of time. :-)
 
Old 07-08-2004, 06:19 AM   #9
Builder
Member
 
Registered: Jun 2004
Location: London
Distribution: Red Hat, SuSE, Gentoo
Posts: 80

Rep: Reputation: 15
Re: Pure LDAP authentication against AD (native)

Quote:
Originally posted by LanRx
I have posted a howto on this on my consulting site, for those who are interested...

You can reach it at Unix authentication against AD (LDAP) . If you have any questions, please feel free to e-mail me.
This absolutely rocks! Thanks - you've probably just saved me a week of my life!
 
Old 07-09-2004, 01:11 PM   #10
cjcox
Member
 
Registered: Jun 2004
Posts: 307

Rep: Reputation: 42
Though a bit off topic from LDAP, the key is winbindd with regards to authentication. So if you already have a means by which your *ix accounts are set up, you can use winbindd to authenticate those accounts via your AD infrastructure. Just an FYI.
 
Old 07-09-2004, 01:51 PM   #11
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Original Poster
Rep: Reputation: 41
Re: Pure LDAP authentication against AD (native)

Quote:
Originally posted by LanRx
I have posted a howto on this on my consulting site, for those who are interested...

You can reach it at Unix authentication against AD (LDAP) . If you have any questions, please feel free to e-mail me.
awesome document!! how big of a network have you tested this in??

EDIT: also you mentioned Windows 2003 server.. does this work with 2000?
 
Old 07-12-2004, 03:56 PM   #12
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Re: Re: Pure LDAP authentication against AD (native)

Quote:
Originally posted by trey85stang
awesome document!! how big of a network have you tested this in??

EDIT: also you mentioned Windows 2003 server.. does this work with 2000?
This architecture was developed to be implemented in a network with approximately 30 windows servers, and a moderately sized farm of webservers using LDAP auth.

It should work with 2000 with nearly no changes, with the exception of the MS HotFix. Keep an eye on your ldap schema...that is the only thing that could be different, but if you use MSSFU35, then the extended schema will be the same anyway.
 
Old 07-12-2004, 04:42 PM   #13
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Quote:
Originally posted by cjcox
Though a bit off topic from LDAP, the key is winbindd with regards to authentication. So if you already have a means by which your *ix accounts are set up, you can use winbindd to authenticate those accounts via your AD infrastructure. Just an FYI.
That depends on if you are using LDAP authentication for Unix or not. If you are using LDAP for Unix, and you leverage winbind in your nsswitch.conf, then you will have trouble mapping your users, because the uids are going to be produced based on a hash of the SID, as opposed to the UID in the directory.
 
Old 07-12-2004, 04:58 PM   #14
cjcox
Member
 
Registered: Jun 2004
Posts: 307

Rep: Reputation: 42
Actually, you can request them to be mapped to your local authentication mechanism... but as I stated, my suggestion was for those not considering LDAP. I work with a lot of ISVs and they run many versions of *ix. Some have LDAP support, others do not. So it's just an alternative. I do recommend the Samba by Example guide (downloadable from Samba)... as it does a pretty good job of showing the integration techniques using LDAP (and the winbindd example I suggested as well).
 
Old 07-12-2004, 08:34 PM   #15
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Quote:
Originally posted by cjcox
Actually, you can request them to be mapped to your local authentication mechanism... but as I stated, my suggestion was for those not considering LDAP. I work with a lot of ISVs and they run many versions of *ix. Some have LDAP support, others do not. So it's just an alternative. I do recommend the Samba by Example guide (downloadable from Samba)... as it does a pretty good job of showing the integration techniques using LDAP (and the winbindd example I suggested as well).
Sure...the configuration of this is found in the nsswitch.conf file. That's what I was discussing in the previous post. If you are using the rest of the POSIX implementation in the directory, you are better off using that information in the directory, as opposed to having it create information by leveraging winbind.

Edited to modify .com to .conf

Last edited by LanRx; 07-12-2004 at 08:37 PM.
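
Added example (not posted by anyone in this thread): a small check for the nsswitch.conf situation discussed in posts #13 to #15, where `ldap` and `winbind` are both listed for the same identity database and a user's UID can then come from either source. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed samples of /etc/nsswitch.conf (not taken from the thread).
SAMPLE_MIXED = """\
passwd: files ldap winbind   # both directory and winbind answer
group:  files winbind [NOTFOUND=return] ldap
shadow: files ldap
hosts:  files dns
"""
SAMPLE_DIRECTORY_ONLY = """\
passwd: files ldap
group:  files ldap
"""

IDENTITY_DBS = ("passwd", "group")   # databases that hand out UIDs/GIDs
AD_SOURCES = ("ldap", "winbind")


def parse_nsswitch(text):
    """Return {database: [sources in lookup order]}."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop [STATUS=action] items
        dbs[db.strip()] = rest.split()
    return dbs


def audit(text):
    """List (database, first_source) where ldap and winbind are both consulted."""
    findings = []
    dbs = parse_nsswitch(text)
    for db in IDENTITY_DBS:
        sources = dbs.get(db, [])
        present = [s for s in sources if s in AD_SOURCES]
        if len(set(present)) == 2:
            findings.append((db, present[0]))    # first listed is asked first
    return findings


if __name__ == "__main__":
    for db, first in audit(SAMPLE_MIXED):
        print(f"{db}: ldap and winbind both listed; {first} is consulted first")
```

A finding means the same AD account may resolve through two different ID sources on that host; hosts that report different first sources for the same database are the ones to compare for file-ownership mismatches.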
 