Linux server, all linux clients, authenticate to central server + mapped drives?

[Superwormy]

So I've been given the go-ahead (from management none-the-less) to the office (about 10 PCs) from a Windows Server 2003 AD environment with Windows 2K/XP clients to a Linux server and Linux clients.

What's the best way to go (both in terms of ease of setup and ease of maintainance later) to get a bunch of Linux clients set up all authenticating log-ons via a central Linux server? Are there any distros that make this super-easy out of the box?

I'm familiar with Ubuntu so I'd like to go that route with the clients, but its negotiable and I have no idea what to go with for the server/how to set up the authentication thing using a central server for auths.

 

[InlineFive]

I'm surprised they even gave you the go ahead considering that you don't seem to have done any testing.

If you have valid licenses and your current system works, why change it?

 

[Superwormy]

Because we're getting new computers and the licenses, costs, and problems we've had with Windows justify a change.

 

[Brazen]

If you've already paid for Windows 2003, why would you want to switch? Why not just set up any NEW systems with linux? If you really do have a good reason for doing this, I would suggest at least waiting until Samba4 is released.

 

[Brazen]

Originally posted by: Superwormy
Because we're getting new computers and the licenses, costs, and problems we've had with Windows justify a change.

The fact that you are asking such an open-ended question would suggest that you are not in the best position to perform this migration and you are only going to continue having problems on linux. You need to do more reading and much more testing before you consider this.

That goes for Windows networks, too. The reason you are having problems on your current setup is probably because someone who didn't know what they were doing jumped in over their head when they set up your Windows system.

If you are getting new workstations in, you could put Ubuntu (I suggest Dapper for businesses) on them if they do not already come with Windows (we buy our computers as bare metal). I'm not sure if Ubuntu has any gui tools for connecting to AD, but you would use Samba to do it.

 

[Superwormy]

Wow, if you don't have anything to offer, don't offer it. This is *PART OF MY READING AND TESTING* posting here and finding out what experiences others have had/what the best route would be. I'm not doing this next week, I'm doing it in *4 to 5 MONTHS* after we figure out what the best way to go is.

I've looked into Ubuntu integration with Active Directory, it's not pretty. There are a couple of guides out there, but I'd prefer it we had something that was out-of-the-box ready instead of having to change all kinds of Samba or Kerberos settings to get things to work.

 

[Brazen]

Originally posted by: Superwormy

Wow, if you don't have anything to offer, don't offer it.

If you don't want to listen to what people have to say, don't post in a forum.

 

[n0cmonkey]

Suse is supposed to have decent AD integration...

You could make an open source AD: LDAP + Kerberos.

 

[Genx87]

Originally posted by: InlineFive
I'm surprised they even gave you the go ahead considering that you don't seem to have done any testing.

If you have valid licenses and your current system works, why change it?

This sounds like a small office where they know dick about their computers.
If I was the OP, I would give a demonstration before a rollout so they know what they are getting themselves into. Otherwise the OP might find himself out of a job when they cant communicate and collaborate effectively with their customers.

 

[Genx87]

Originally posted by: Superwormy
Because we're getting new computers and the licenses, costs, and problems we've had with Windows justify a change.

I have to ask, are the desktops\laptops you are buying from an OEM? Windows costs are pretty minimal when purchased with the hardware.

 

[Quinton McLeod]

Typical fanboy responses from the Anandtech forum members (as usual). Instead of "helping" people, they bash them. So very typical.

Stormwormy, you may be interested in Stateless Linux. It's part of the Fedora project. Basically, it allows you to keep snapshots (or images) of a client's Linux machine and keeps it stored on a master server. It works very much like active directory, but its more powerful.

http://people.redhat.com/dmalcolm/stateless/stateless-linux-HOWTO-en/

That way, all you would have to do is setup the master server to provide Stateless Linux and simply have the clients connect to it. It makes maintence 80% more easy and allows a faster transition from Windows to Linux.

 

[n0cmonkey]

Originally posted by: Quinton McLeod
Typical fanboy responses from the Anandtech forum members (as usual). Instead of "helping" people, they bash them. So very typical.

I didn't see anyone bashing anyone. I did see a few good questions however.

 

[Superwormy]

Stateless Linux looks promising, has anyone had any good/bad experiences with it? I'll have to look into it more.

 

[Genx87]

Originally posted by: Quinton McLeod
Typical fanboy responses from the Anandtech forum members (as usual). Instead of "helping" people, they bash them. So very typical.

Stormwormy, you may be interested in Stateless Linux. It's part of the Fedora project. Basically, it allows you to keep snapshots (or images) of a client's Linux machine and keeps it stored on a master server. It works very much like active directory, but its more powerful.

http://people.redhat.com/dmalcolm/stateless/stateless-linux-HOWTO-en/

That way, all you would have to do is setup the master server to provide Stateless Linux and simply have the clients connect to it. It makes maintence 80% more easy and allows a faster transition from Windows to Linux.

I'd think making sure management knows what they are getting before it shows up is a valid proposition, dont you? There is nothing fanboy about asking the right questions. Everything fanboy to plow headlong into a meat grinder, just for the sake of doing it.

 

[Quinton McLeod]

Originally posted by: Genx87

Originally posted by: Quinton McLeod
Typical fanboy responses from the Anandtech forum members (as usual). Instead of "helping" people, they bash them. So very typical.

Stormwormy, you may be interested in Stateless Linux. It's part of the Fedora project. Basically, it allows you to keep snapshots (or images) of a client's Linux machine and keeps it stored on a master server. It works very much like active directory, but its more powerful.

http://people.redhat.com/dmalcolm/stateless/stateless-linux-HOWTO-en/

That way, all you would have to do is setup the master server to provide Stateless Linux and simply have the clients connect to it. It makes maintence 80% more easy and allows a faster transition from Windows to Linux.

I'd think making sure management knows what they are getting before it shows up is a valid proposition, dont you? There is nothing fanboy about asking the right questions. Everything fanboy to plow headlong into a meat grinder, just for the sake of doing it.

I see what you're saying. You're saying that he should've had a strategy before he presented it to his boss for the go ahead. However, he boss maybe trying to get him to present a strategy first before they do anything. Stormwormy appeared to be applying that he has the go ahead as long as their is a stable strategy.

The best thing to do, instead of trying to manage someone else's network, is to give him the information he is requesting. We have no right to tell him what he's allowed to do in his own network.

 

[Superwormy]

The deal is, the problems we've had and the costs we incur in a Windows environment has prompted management to encourage me to investigate moving to Linux, with the goal of actually doing so, during the next 4 to 5 months. I *barely* presented anything to management, with minimal input from me management has already decided almost on their own that a Microsoft alternative is the way to go. We already use a couple of Ubuntu machines and a couple of FreeBSD machines in the office, but they're used primarily by developers and don't authenticate to the Windows AD server currently, something which has to change.

Thus, I'm now investigating the best way to do so. I'm not plowing into anything without planning, in fact this is *part of* my planning.

It's definitely a feasible thing to do, the vast majority of work done in our office is done using web applications (which work fine under Linux or *BSD) or using the Thunderbird email client (which also works fine). The only exceptions are one single graphic design station which I will most likely leave as a Windows machine. The only other requirement is that we have a central authentication system for client machines to log on using as people regularly use different machines or need to log on in multiple places.

 

[drag]

Originally posted by: Superwormy

Stateless Linux looks promising, has anyone had any good/bad experiences with it? I'll have to look into it more.

It's not mature enough for real world usage. I doubt anybody is using it seriously.

Using completely free software it's fairly difficult to do what you want correctly.

It would require that you setup a LDAP server, a Kerberos server, and then reconfigure how password authentication works on your Linux distribution to get similar functionality that you get when your using Active Directory.

I've done it before and it's very difficult to get done correctly. But I am no expert in this sort of thing.

Another simplier option is to use LDAP on it's own service to contain password authenication information. This is fairly common.

Here is a example on how to setup Ubuntu to authenticate against a Fedora LDAP server:
http://www.csse.uwa.edu.au/~ashley/fedora-ds/ubuntu-18082006.htm

Personally I would prefer to setup my own Certificate Authority and use TLS to encrypt all LDAP traffic and have strong rules on what sort of information this or that group of users are allowed to get from the LDAP server.

To get it to work you have to make sure that your familar with PAM, DNS, OpenLDAP (or Fedora directory server), OpenSSL and a couple other things and be familar with how to set it up. For example if you did not setup DNS absolutely correctly people will not be able to log into their machines and if you did not setup things like /etc/libnss-ldap.conf or /etc/nsswitch.conf correctly then it's going to cause machine to hang during bootup.

I would prefer to use Kerberos, probably the MIT version 5 variant, to deal with password authentication, however, but this opens up a whole new can of worms and is probably not realy needed except on more 'enterprise-ish' levels.


LDAP authentication isn't terrificly hard. But it's just one of those things were there are a lot of little detail things you have to get right. So you definately want to have some experiance with this stuff before going out and trying it for real.

Probably what you'd want to do is get 3 or four old machines and set them up to create a little mini domain.



Another alternative, since your dealing with 10 clients is just do it the old fasion way and give people passwords to their own machines and give the server passwords and let it all work with no central authentication method.


Probably if your looking to retain most of the functionality your familar with with Active Directory and you want to have professional support another very valid option is to use Novell's directory services.


Apparently they have a Small business starter pack.
http://www.novell.com/products/smallbiz/nsbs_starterpack/
http://www.novell.com/products/openworkgroupsuite/infrastructure.html

Not the cheapest way to go, of course:
http://www.novell.com/products/openworkgroupsuite/howtobuy.html

 

[drag]

It's definitely a feasible thing to do, the vast majority of work done in our office is done using web applications (which work fine under Linux or *BSD) or using the Thunderbird email client (which also works fine). The only exceptions are one single graphic design station which I will most likely leave as a Windows machine. The only other requirement is that we have a central authentication system for client machines to log on using as people regularly use different machines or need to log on in multiple places.

Central LDAP server can accomplish this. Shouldn't be very difficult.

You'll loose a lot of functionality compared to Active Directory.

Also people will use SAMBA for user authentication. So if your familar with Samba this may be a way to go:
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

 

[Quinton McLeod]

Drag... Once you encrypt your internal network, things tend to break. I know someone popular said that once before.
Stateless Linux has been proven and has been around for a few years now. It's also easier to set up.

 

[drag]

Originally posted by: Quinton McLeod
Drag... Once you encrypt your internal network, things tend to break. I know someone popular said that once before.
Stateless Linux has been proven and has been around for a few years now. It's also easier to set up.

Of course they tend to break. You have to set it up right and it's not easy. This is why people use Active Directory. (if you don't think it's a big deal, then go and stick your /etc/shadow file on a anonymous FTP server and advertise it)

Who is using stateless Linux?

 

[Quinton McLeod]

Originally posted by: drag

Originally posted by: Quinton McLeod
Drag... Once you encrypt your internal network, things tend to break. I know someone popular said that once before.
Stateless Linux has been proven and has been around for a few years now. It's also easier to set up.

Of course they tend to break. You have to set it up right and it's not easy. This is why people use Active Directory. (if you don't think it's a big deal, then go and stick your /etc/shadow file on a anonymous FTP server and advertise it)

Who is using stateless Linux?

ROFL
That's just asking to be hacked.

That Stormy dude is/will be using Stateless Linux.

 

[Superwormy]

I don't need a whole heck of a lot of functionality, we *barely* use what AD gives us. We need a few shared network drives and authentication from the central server. And it's gotta be reasonably easy to setup and maintain. So I'm not too worried about losing a lot of AD functionality, in fact I think for what most people use it for, AD is *wayyyy* bloated.

This is something that Linux seems like it's really missing out on. It's pretty easy to get a Win2k3 server up and running with AD and clients authenticating to it. It's a shame there's no apparently easy way to get similar functionality under Linux out of the box without a lot of extra configuration.

Any other comments on stateless linux, as that seems to be the first thing I should investigate at the moment?

 

[drag]

This is something that Linux seems like it's really missing out on. It's pretty easy to get a Win2k3 server up and running with AD and clients authenticating to it. It's a shame there's no apparently easy way to get similar functionality under Linux out of the box without a lot of extra configuration.

Yep.

Once it's setup then it's easy to run and maintain. I ran Kerberos + LDAPS for my home for quite a few months and over a half a dozen computers (most of them old, most of them shut off most of the time) just to see how workable it is and it's ok. I haven't used it in a professional environment, so I dont' know, but I'd be happy to help out setting up a test environment.

At my work we support Windows clients with SAMBA and LDAP (for address books in the email and such things). I don't know exact details, but since you have to maintain at least one Windows client Samba and winbind may be the way to go. Not sure.

Active Directory itself is basicly modified MIT Kerberos with Microsoft's own LDAP directory service. Industry standard protocols + Microsoft's secret mystery sauce. The thing that Microsoft does well is the very tight integration with Windows and the administrative tools. (I still prefer Novel's NDS though)

If you want something like AD you would use Novell. Novell is the pioneer with all this stuff, at least for business desktops. Kerberos and such come out of the ancient Athena project for distributed computing. Novell made it work for normal people using Windows, which Microsoft copied off of to make AD. To bad what they offer is not Free software, but nothings perfect.

Stateless Linux certainly is very interesting and I like the concept a lot. I just don't like being early adopters for this sort of thing. If there are people using it in the real world I'd be very interested.