Fedora Linux Support Community & Resources Center

  #1  
Old 31st March 2004, 11:07 AM
fjleal Offline
Registered User
 
Join Date: Feb 2004
Location: Portugal, Europe
Age: 43
Posts: 519
FC1 and Windows workstations login

Greetings!

I need to set up a centralized authentication service for both Windows (2K and XP) and FC1 workstations. My network has a Win2K server running Active Directory and a few tens of Windows workstations. Now, for adding FC1 boxes to it, I want my users to share a single profile for both Windows and Linux workstations.

Is it possible to use the Win 2K AD for user authentication from the Linux workstations? Should I use a Linux server with OpenLDAP? And if I do, will the Windows workstations be able to login to that server? I tried using SMB authentication on a FC1 workstation, to no effect - it doesn't seem to work, even if the Win 2K AD is in mixed mode. How about using LDAP authentication in the Linux workstations to login to the Windows AD? It's basically an LDAP server, isn't it?

Does anyone have any experience with such a situation?

Thanks a lot!
__________________
"I'd crawl over an acre of 'Visual This++' and 'Integrated Development That' to get to gcc, Emacs, and gdb. Thank you."
-- Vance Petree, Virginia Power

Last edited by fjleal; 31st March 2004 at 11:10 AM.
  #2  
Old 31st March 2004, 04:44 PM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 34
Posts: 1,019
You should be able to log into the Windows shares via the samba client.
__________________
http://blog.suretecsystems.com
  #3  
Old 31st March 2004, 05:09 PM
fjleal Offline
Registered User
 
Join Date: Feb 2004
Location: Portugal, Europe
Age: 43
Posts: 519
Sorry, I may not have made it clear: my problem is not allowing users to log in to the Windows shares. My problem is that I'd like each user to have a single profile, in a centralized network place (OpenLDAP? Windows AD? NIS server?), such that he'd be able to login both to Windows and to Linux workstations using the same username+password.

Thanks.
  #4  
Old 31st March 2004, 05:24 PM
johnydoe Offline
Registered User
 
Join Date: Mar 2004
Age: 28
Posts: 4
hmm....I wonder if it's possible at all, because, the settings in a profile are in a policy file, which is made with templates (from and for windows only).

The difference between windows and linux is too big imho to put it into one policy file, but perhaps there is a way to narrow it down to let users just start kde and do certain things in it. So that's also a thing to think about: what gui are you using, because I can imagine gnome has other options with other names than kde (never used gnome as I was in love with kde the minute I saw it)

all in all, it COULD be possible, but I've never seen it, neither did my google (could also be due to a wrong search though).

Perhaps somebody else knows how to achieve this, but AFAIK it's not possible, sorry
  #5  
Old 31st March 2004, 06:13 PM
fjleal Offline
Registered User
 
Join Date: Feb 2004
Location: Portugal, Europe
Age: 43
Posts: 519
I'm using Gnome, but I could use KDE. I've found a few interesting cases using Google, like some schools that have achieved this goal. They have several labs, some of them with Windows machines, others with Linux, all of them authenticating in a single centralized server. Some say they used OpenLDAP to do it, but I found none explaining how to configure the clients for such authentication (both Linux and Windows).

After searching a lot (uff...), I think both OpenLDAP and the Windows Active Directory may be used, but the Linux clients have to be configured using PAM modules. So I'm now in the process of studying PAM...

It'd be nice to find someone with some experience, that had already done such a thing... But I guess probably only a few have, it's not very common...
  #6  
Old 31st March 2004, 07:21 PM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 34
Posts: 1,019
I would try the fedora-list. There are a lot of "Enterprise" people on there.
  #7  
Old 4th April 2004, 04:18 AM
Woogie Offline
Registered User
 
Join Date: Mar 2004
Posts: 7
Tip

You can run redhat-config-authentication to enable LDAP authentication. Probably easier than editing the pam settings by hand.
  #8  
Old 4th April 2004, 11:03 AM
fjleal Offline
Registered User
 
Join Date: Feb 2004
Location: Portugal, Europe
Age: 43
Posts: 519
I did. Nothing changed.
Last edited by fjleal; 4th April 2004 at 11:05 AM.
  #9  
Old 4th April 2004, 11:16 AM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 34
Posts: 1,019
http://www.saas.nsw.edu.au/solutions/ldap.html

A good one. I am just trying to set up the same. An OpenLDAP server for all my Linux box logins.
  #10  
Old 24th May 2004, 04:46 PM
kf6kmx Offline
Registered User
 
Join Date: May 2004
Location: Hanford, CA
Age: 42
Posts: 107
Quote:
Originally posted by fjleal
Sorry, I may not have made it clear: my problem is not allowing users to log in to the Windows shares. My problem is that I'd like each user to have a single profile, in a centralized network place (OpenLDAP? Windows AD? NIS server?), such that he'd be able to login both to Windows and to Linux workstations using the same username+password.

Thanks.

Not sure, but I think this may be what you're after:
---
Homepage: http://samba.org

Winbind is an nss switch module to map Windows NT Domain databases to Unix.

In combination with Samba and pam_ntdom, a Unix box will be able to integrate straight into a full Windows NT Domain environment, without needing a Unix Account database.

License: GPL

---

Hope that helps
__________________
-Scott
Home Page: http://www.kf6kmx.net
  #11  
Old 25th May 2004, 01:18 AM
jeru Offline
Registered User
 
Join Date: May 2004
Location: Arizona
Posts: 119
If you already have the user accounts in AD just use winbind like kf6kmx said.

man winbindd

I've used it to do what you're wanting to do.
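An added example, not part of any post above: a small shell audit for a winbind client of the kind kf6kmx and jeru describe. It checks that the nsswitch file really consults winbind and that the UID range winbind maps domain users into does not already contain local accounts. The `idmap uid` parameter name (Samba 3.0 era), the function names and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Files are arguments, so copies can be audited.

# Succeeds if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_uses_winbind() {
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# Prints "LOW HIGH" for smb.conf parameter $2 (assumed here: "idmap uid").
idmap_range() {
    awk -F= -v key="$2" '/^[ \t]*[#;]/ { next }
        { k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2] }' "$1"
}

# Prints local accounts in passwd file $1 whose UID lies inside $2..$3.
uid_collisions() {
    awk -F: -v lo="$2" -v hi="$3" '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }' "$1"
}

# Runs every check, prints one finding per line, returns 1 if any was found.
audit_winbind_client() {
    nss=$1 smb=$2 pw=$3 bad=0
    for db in passwd group; do
        nss_uses_winbind "$nss" "$db" || { echo "nsswitch: $db lacks winbind"; bad=1; }
    done
    set -- $(idmap_range "$smb" "idmap uid")
    if [ $# -ne 2 ]; then
        echo "smb.conf: no usable idmap uid range"; bad=1
    else
        for u in $(uid_collisions "$pw" "$1" "$2"); do
            echo "uid collision: local account $u is inside $1-$2"; bad=1
        done
    fi
    return $bad
}

# Constructed sample files with two deliberate faults.
demo() {
    d=$(mktemp -d)
    printf 'passwd: files winbind\ngroup: files\n' > "$d/nsswitch.conf"
    printf '[global]\n  security = ads\n  idmap uid = 10000-20000\n' > "$d/smb.conf"
    printf 'root:x:0:0::/root:/bin/sh\nbackup:x:10050:100::/:/bin/sh\n' > "$d/passwd"
    rc=0; audit_winbind_client "$d/nsswitch.conf" "$d/smb.conf" "$d/passwd" || rc=$?
    rm -rf "$d"; return $rc
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a real client, call `audit_winbind_client /etc/nsswitch.conf /etc/samba/smb.conf /etc/passwd`. A local account inside the idmap range would share its UID with a mapped domain user, so either account could end up owning the other's files.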
  #12  
Old 25th May 2004, 09:15 AM
fjleal Offline
Registered User
 
Join Date: Feb 2004
Location: Portugal, Europe
Age: 43
Posts: 519
Thanks everybody for your support!

Yes, I think winbind may do the job of allowing Windows users (with an AD account) to login to Linux workstations. Later on, I'll replace the server by a Linux box, and then I'll have the other problem: logging in to a Linux server from Windows workstations. I've been reading the Samba documentation and it is possible to create a PDC on Linux using the Samba server, so that Windows workstations may join that "domain" and windows users may login to it.

I'll be trying that out in a few days, so I'll get back to you by then... I'll need it for sure...
  #13  
Old 25th May 2004, 04:04 PM
kf6kmx Offline
Registered User
 
Join Date: May 2004
Location: Hanford, CA
Age: 42
Posts: 107
Quote:
Originally posted by fjleal
Thanks everybody for your support!

Yes, I think winbind may do the job of allowing Windows users (with an AD account) to login to Linux workstations. Later on, I'll replace the server by a Linux box, and then I'll have the other problem: logging in to a Linux server from Windows workstations. I've been reading the Samba documentation and it is possible to create a PDC on Linux using the Samba server, so that Windows workstations may join that "domain" and windows users may login to it.

I'll be trying that out in a few days, so I'll get back to you by then... I'll need it for sure...

I'm doing that here.. Samba as a PDC..
First Samba PDC I've set up.. still fine-tuning, but it seems to be working pretty well.
  #14  
Old 28th May 2004, 04:51 AM
skennedy Offline
Registered User
 
Join Date: May 2004
Posts: 9
Quote:
Originally posted by fjleal
Thanks everybody for your support!

Yes, I think winbind may do the job of allowing Windows users (with an AD account) to login to Linux workstations. Later on, I'll replace the server by a Linux box, and then I'll have the other problem: logging in to a Linux server from Windows workstations. I've been reading the Samba documentation and it is possible to create a PDC on Linux using the Samba server, so that Windows workstations may join that "domain" and windows users may login to it.

If I may be the devil's advocate here:

If you have a network that is predominately windows, and a windows 2000 server already set up in Active directory, leave it. Add to it. You could set up your 2kserver with SUS from MS ( free of charge ), that will keep your clients up to date on patches ( nightly, if you are as paranoid..make that lazy...as I am ). While I suspect it still can be done with a linux PDC, it's not as clean and elegant, plus I believe you need an IIS server to store the updates locally.

Further, if you have more than 10 Windows clients, you will want to look into mapping out specific parts of the profile to a separate location ( ie: instead of Desktop, Start Menu, My Documents and Application Data being part of the profile, you can literally map them to another location. Which helps login speed, seeing how windows likes to load the profile on login...silly buggers ).

While a linux PDC is cool and all, it really isn't a practical replacement yet for an AD network. Sorry *shrug*
  #15  
Old 10th December 2004, 11:04 PM
merc73jeff Offline
Registered User
 
Join Date: Dec 2004
Posts: 12
Right now we have a Windows/Redhat network.

Our W2K Server runs AD and this is where all users are created and then we use "Services for Unix 3.5" from Microsoft to push all profiles/passwords to the Linux workstations. Not sure this is the best method.

For the most part this has been fine. Problem now is I find that Fedora Core2 ypbind makes the CPU on the W2K server run at 100%. I have only confirmed this by turning the service off on the Fedora machine and all was well again on the W2K server. Did this about four times. Now trying to see how to fix this.