linux domain equivalent

Journer

Banned
Jun 30, 2005
So, what is the Linux equivalent to Active Directory? What is the difference between adding computers/users to a Linux domain vs. a Windows domain?

Thanks for helping a n00b :D
 

drag

Elite Member
Jul 4, 2002
Well it depends...

For larger enterprise-ish stuff you'd use OpenLDAP with Kerberos and then include a configuration management system like CFEngine or Puppet. Then you'd use scripts or a web interface or something like that to add users.

Stuff like that is very effective for large institutions, and if you've properly designed the setup then handling hundreds of computers takes only a little more effort to manage than a couple dozen computers. It doesn't take much effort to run, and automation is your friend.

But that sort of thing is hugely difficult to actually implement. It's hard to set up, hard to get going, but effective (and relatively cheap to maintain over the long run).

People who already have Active Directory (which would be most small-medium sized businesses) going would probably just want to use Samba to keep Linux users the same as Windows.

For small people that want to use Linux, they could use Samba. For small businesses Samba can offer significant cost savings over an equivalent AD setup.
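The "scripts ... to add users" part of the OpenLDAP approach above, as an added example that is not code from this thread, from OpenLDAP or from Samba: a small helper that emits LDIF for a person and for a machine trust account, with the checks an admin script should make before anything reaches the directory (valid names, ids inside the right range, no control characters that could smuggle extra LDIF lines, and no password in the file). The suffix `dc=example,dc=com`, the `ou=People` / `ou=Computers` layout, the group ids, the uid ranges and the Samba-style machine account convention (name ending in `$`, no shell, no home) are all assumptions.

```python
"""Added example: build LDIF for adding accounts to an OpenLDAP-backed Linux
domain. Suffix, OUs, group ids, uid ranges and the machine-account layout are
assumptions, not values from the thread."""
import base64
import re
from typing import Dict, Iterable, List, Tuple, Union

BASE_DN = "dc=example,dc=com"            # assumed directory suffix
PEOPLE_OU = f"ou=People,{BASE_DN}"
COMPUTERS_OU = f"ou=Computers,{BASE_DN}"
USERS_GID = 10000                         # assumed primary group for people
MACHINES_GID = 10001                      # assumed group for machine accounts
USER_UID_RANGE = (10000, 19999)           # people, well clear of system ids
MACHINE_UID_RANGE = (20000, 29999)        # machine trust accounts
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HOSTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,14}$")   # NetBIOS-length names

Entry = Dict[str, Union[str, List[str]]]


class DomainError(ValueError):
    """An account request that breaks the domain's naming or id rules."""


def _check_text(value: str) -> str:
    """Reject control characters so a display name cannot inject extra LDIF lines."""
    if not value.strip() or any(ord(c) < 0x20 for c in value):
        raise DomainError(f"empty or control character in {value!r}")
    return value


def allocate_id(in_use: Iterable[int], id_range: Tuple[int, int]) -> int:
    """Lowest free uidNumber in id_range, so two accounts never share an id."""
    used, (lo, hi) = set(in_use), id_range
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise DomainError(f"no free ids left in {id_range}")


def user_entry(username: str, uid_number: int, full_name: str,
               gid_number: int = USERS_GID, shell: str = "/bin/bash") -> Entry:
    """posixAccount for a person; the password is set later with ldappasswd."""
    if not USERNAME_RE.match(username):
        raise DomainError(f"bad username {username!r}")
    if not USER_UID_RANGE[0] <= uid_number <= USER_UID_RANGE[1]:
        raise DomainError(f"uidNumber {uid_number} outside {USER_UID_RANGE}")
    _check_text(full_name)
    return {
        "dn": f"uid={username},{PEOPLE_OU}",
        "objectClass": ["top", "person", "posixAccount", "shadowAccount"],
        "uid": username, "cn": full_name, "sn": full_name.split()[-1],
        "uidNumber": str(uid_number), "gidNumber": str(gid_number),
        "homeDirectory": f"/home/{username}", "loginShell": shell,
    }


def machine_entry(hostname: str, uid_number: int) -> Entry:
    """Machine trust account in the classic Samba PDC style: 'name$', no shell, no home."""
    if not HOSTNAME_RE.match(hostname):
        raise DomainError(f"bad machine name {hostname!r}")
    if not MACHINE_UID_RANGE[0] <= uid_number <= MACHINE_UID_RANGE[1]:
        raise DomainError(f"uidNumber {uid_number} outside {MACHINE_UID_RANGE}")
    account = f"{hostname}$"
    return {
        "dn": f"uid={account},{COMPUTERS_OU}",
        "objectClass": ["top", "account", "posixAccount"],
        "uid": account, "cn": account,
        "uidNumber": str(uid_number), "gidNumber": str(MACHINES_GID),
        "homeDirectory": "/dev/null", "loginShell": "/bin/false",
    }


def _ldif_line(attr: str, value: str) -> str:
    """Plain 'attr: value' when RFC 2849 allows it, base64 ('attr:: ...') otherwise."""
    if value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entries: Iterable[Entry]) -> str:
    """Render entries as LDIF suitable for ldapadd (no userPassword is ever emitted)."""
    blocks = []
    for entry in entries:
        lines = [f"dn: {entry['dn']}"]
        for attr, values in entry.items():
            if attr == "dn":
                continue
            for value in (values if isinstance(values, list) else [values]):
                lines.append(_ldif_line(attr, value))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    taken = [10000, 10001]                      # constructed: ids already in the directory
    alice = user_entry("alice", allocate_id(taken, USER_UID_RANGE), "Alice Liddell")
    ws01 = machine_entry("ws01", allocate_id([], MACHINE_UID_RANGE))
    print(to_ldif([alice, ws01]))               # feed to: ldapadd -x -D <admin dn> -W
```

The Samba-specific attributes (sambaSamAccount and friends) are deliberately left to Samba's own tools, which is why the machine entry is a bare posixAccount; keeping the password out of the LDIF and setting it with `ldappasswd` afterwards means the generated file can be checked into a change log without carrying a credential.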
 

Journer

Banned
Jun 30, 2005
Well, I'm just sitting around thinking up scenarios and wondering how I would implement something under a Unix system.

Let's say there is a small company whose entire infrastructure is Unix-based. Workstations, servers, PBX, hell, even the routers could be BSD. Now, let's say said small company wants to allow users to have roaming profiles, the ability to log on to almost any machine on the domain (with different user levels), VPN into the domain, startup scripts (for mapping drives, updates, etc.), linked email accounts to domain users, etc. Is this something that OpenLDAP and some config programs that go with it should do, or is there an easier way?
 

skyking

Lifer
Nov 21, 2001
Take a look at the official Samba README. It will lay it out for you in detail regarding domain control.
The big shortcomings on Windows networks are:
Lack of an analog to Active Directory
Lack of Group Policy Object management

You can't use it to deploy applications and manage Windows machines in the same way, period.

It will support roaming profiles, LDAP authentication, and a host of other features.
I am rolling out a Samba PDC in mid-January for a small office of about 40 users on 25 Win2k/XP Pro machines.
 

drag

Elite Member
Jul 4, 2002
Originally posted by: Journer
Well, I'm just sitting around thinking up scenarios and wondering how I would implement something under a Unix system.

Let's say there is a small company whose entire infrastructure is Unix-based. Workstations, servers, PBX, hell, even the routers could be BSD. Now, let's say said small company wants to allow users to have roaming profiles, the ability to log on to almost any machine on the domain (with different user levels), VPN into the domain, startup scripts (for mapping drives, updates, etc.), linked email accounts to domain users, etc. Is this something that OpenLDAP and some config programs that go with it should do, or is there an easier way?

With a small business this can easily be achieved by using X terminals. You have a central server with 2 CPUs and 2-4 GB of RAM. Throw software RAID 5 on it. Then for the X terminals you use old PCs or purchase 'thin clients'.

You manage users in the same way you'd manage a single computer. Effectively this makes the entire network a single computer. No network file system or directory system needed.

The network infrastructure required would be something like having Gigabit Ethernet going out to a 20-port switch and then running 100 Mb/s lines out to the individual clients.

If correctly set up you'd probably be able to get up to about a couple hundred people on a system like that before you'd run into severe problems. Ideally you'd want to keep the numbers lower than that. This all depends on the type of work, of course. Office productivity would handle this no problem, but you wouldn't want to do heavy 3D CAD development on something like that.

This sort of solution is also extremely useful for situations like call centers, where you have large numbers of workers that essentially use the computer as an extension to the phone and documentation system. It's also ideal for educational situations where you'd have classrooms running on quiet, low-power terminals.

In an X terminal situation it does not matter which particular X terminal a person uses. It's just a GUI front-end to their normal Unix account on the central server.

LTSP makes it relatively simple to deploy systems like that.

For large numbers of users (say thousands, with dozens or hundreds of application servers) you'd have to go back to managing the various groups of X terminals and central application servers using directory services such as LDAP, and use configuration engines like Puppet. But with large groups of users you're going to need that anyway, since X terminals are not good for everything: you'll have to have some people on full-fledged desktops or workstations and you'll have to integrate Windows for some stuff. (Linux has good support for the Windows Remote Desktop Protocol, so for limited Windows applications it's useful to let users access those through rdesktop from Linux workstations/terminals.)


So that's one approach.
 

drag

Elite Member
Jul 4, 2002
Originally posted by: skyking
Take a look at the official Samba README. It will lay it out for you in detail regarding domain control.
The big shortcomings on Windows networks are:
Lack of an analog to Active Directory
Lack of Group Policy Object management

You can't use it to deploy applications and manage Windows machines in the same way, period.

It will support roaming profiles, LDAP authentication, and a host of other features.
I am rolling out a Samba PDC in mid-January for a small office of about 40 users on 25 Win2k/XP Pro machines.


Ya, you sacrifice a lot of functionality if you choose to try to abandon Active Directory for Samba if you're managing Windows systems. If you want a Linux-based solution then the best you're going to find right now would be the eDirectory system from Novell for Linux. It's proprietary and does per-seat licenses and such, of course.


Hopefully in a couple of years this should turn around a bit. Samba4 integrates Microsoft's extensions to Kerberos, and recently Microsoft has released all of its documentation for its protocols to Samba for the price of $10,000.
http://news.samba.org/announcements/pfif/

Then Sun's Sun Ray group (Sun's X Windows terminals) has recently released APOC for Unix/Linux desktop application management:
APOC provides capabilities to centrally manage desktops and desktop applications in large scale deployments. It enables system administrators to deliver securely configured open source desktop environments tuned to the needs and privileges of specific users, roles, groups or hosts within the organisation.

Now, any system administrator can create grouped configuration settings as profiles for the most popular open source desktop applications and deploy them in their LDAP servers using their already existing hierarchy.
http://news.samba.org/announcements/pfif/

And then Likewise has released their Linux-AD integration software under an open source license:
http://www.eweek.com/article2/...p=0&kc=DTEWK120407SJVN

I don't really understand everything it's supposed to do, unfortunately.

Of course this stuff is going to take a while to get integrated into Linux systems. Hopefully it all goes well and this stuff will work alongside the LDAP/Kerberos support stuff already available in commercial Linux distros.

So things are looking better, but it's still going to take a while before open source stuff is up to AD levels.
 

DaiShan

Diamond Member
Jul 5, 2001
Originally posted by: Journer
Well, I'm just sitting around thinking up scenarios and wondering how I would implement something under a Unix system.

Let's say there is a small company whose entire infrastructure is Unix-based. Workstations, servers, PBX, hell, even the routers could be BSD. Now, let's say said small company wants to allow users to have roaming profiles, the ability to log on to almost any machine on the domain (with different user levels), VPN into the domain, startup scripts (for mapping drives, updates, etc.), linked email accounts to domain users, etc. Is this something that OpenLDAP and some config programs that go with it should do, or is there an easier way?

OpenLDAP is very extensible and can be modified to fit your needs. As for "roaming profiles", a better option would be to have an NFS-mounted /home so your files are always available from server to server.

Personally I use MySQL for a backend, as it is very easy to plug into Exim (the MTA), has PAM auth, easy auth for Apache, etc. I've had some difficulty implementing a from-scratch LDAP-based system (which would be more ideal), but several of my friends have these in production (Postfix with an LDAP backend, auth_ldap, pam_ldap, etc.).
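The NFS-mounted /home suggested above only does what roaming profiles do safely if the export is locked down, so here is an added example (not code from this thread or from the NFS utilities) that parses an /etc/exports file and reports the settings a domain admin should not ship: exports open to every host, `no_root_squash`, `insecure`, and the default `sec=sys`, under which the server simply believes whatever uid the client presents (root on any allowed workstation can then read every home directory; `sec=krb5p` ties the share back to the Kerberos realm drag mentioned). The option semantics follow exports(5), where `root_squash`, `secure` and `sec=sys` are the defaults when nothing is stated; the sample exports text is constructed.

```python
"""Added example: audit an /etc/exports file before sharing /home over NFS.
Defaults assumed per exports(5): root_squash, secure and sec=sys apply when
not written out. The sample file is constructed."""
import re
from typing import List, Set, Tuple

# One client token looks like "client(opt,opt)"; a bare "(opts)" token, which
# happens when a stray space separates the client from its options, applies
# the export to every host.
EXPORT_TOKEN_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")

Entry = Tuple[str, str, Set[str]]          # (path, client spec, option set)
Finding = Tuple[str, str]                  # (where, problem)


def parse_exports(text: str) -> List[Entry]:
    """Split an exports file into (path, client, options) triples."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            match = EXPORT_TOKEN_RE.match(token)
            if not match:
                raise ValueError(f"unparseable export entry {token!r} for {path}")
            client = match.group(1) or "*"           # "(opts)" alone means every host
            options = {o for o in (match.group(2) or "").split(",") if o}
            entries.append((path, client, options))
    return entries


def audit_exports(text: str) -> List[Finding]:
    """Return the risky settings in an exports file, one finding per problem."""
    findings: List[Finding] = []
    for path, client, options in parse_exports(text):
        where = f"{path} -> {client}"
        if client == "*":
            findings.append((where, "exported to every host; name the subnet or host list"))
        if "no_root_squash" in options:
            findings.append((where, "no_root_squash: root on the client is root on the export"))
        if "insecure" in options:
            findings.append((where, "insecure: requests from unprivileged ports are accepted, "
                                    "so any local user on the client can talk to the server as itself"))
        sec = next((o for o in options if o.startswith("sec=")), "sec=sys")
        if "krb5" not in sec:
            findings.append((where, f"{sec}: uid/gid are taken on trust from the client; "
                                    "use sec=krb5p for home directories"))
    return findings


# Constructed sample, not a real server's exports file.
SAMPLE_EXPORTS = """\
/home          192.168.1.0/24(rw,sync,sec=krb5p,root_squash)
/home          *(rw,no_root_squash)              # open to the world, root kept
/srv/pkg       (ro,insecure)                     # stray space: every host
/export/apps   ws*.example.com(ro,sec=sys)
"""

if __name__ == "__main__":
    for where, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{where}: {problem}")
```

Run as-is the script reports nothing for the first line and seven findings for the other three; the `ws*.example.com` pattern is left alone because wildcarded hostnames are a legitimate way to name a fleet, only a bare `*` is flagged as a world export.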