Old 09-11-2006, 02:56 PM   #1
dougnc
Member
 
Registered: Apr 2005
Posts: 236

Rep: Reputation: 31
Can Samba authenticate to AD only using LDAP?


Here's the thing. I want to gradually move from Active Directory to Linux LDAP, if that's possible. I now have a Windows 2003 server running Active Directory, and a SuSE linux server. Eventually I would like to shut down Active Directory and have both Windows XP and Linux systems log in via LDAP.

The first step, I think, would be to get Samba to authenticate thru LDAP to the Active Directory server. At this point the WINS seems to be working, Samba sees my two windows machines and the two windows machines see Samba directories. But I'm asked to login when I click on the directories, from either side.

What am I missing here?
 
Old 09-12-2006, 11:34 AM   #2
dougnc
Member
 
Registered: Apr 2005
Posts: 236

Original Poster
Rep: Reputation: 31
The "Active Directory Domain with Samba Domain Member Server" looks interesting: http://us1.samba.org/samba/docs/man/...html#ch9-adsdc

At this point I'm trying to get more of an overview. There are so many different ways in Linux to get something done, it's often hard to figure out the best way.

I have an Active Directory server now. I have one SuSE linux server and might be getting another one. I want to gradually move the log in functions from AD to linux.

At first I thought I wanted to make the linux machine into a secondary AD domain controller. The problem is that this gets into all sorts of issues like replication and Active Directory extensions I'm not really interested in.

So, I thought, if I can't make linux active directory, then why not make Windows LDAP? It's weird that AD uses LDAP, but you can't seem to use it from non-windows machines.

Has anyone tried to move from AD to linux LDAP?
 
Old 09-12-2006, 05:46 PM   #3
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
I haven't tried migrating from AD to Linux LDAP, but have worked with interoperability a little...

AD does offer a valid LDAP v3 service, but for security it does *not* allow searches without a valid login, whereas most other LDAP services do allow "anonymous binds". It also insists that you use the MS username formats for LDAP binds (from memory, either a UPN or DOMAIN\username is OK).

The other thing to be aware of is that AD is actually a set of services. As well as LDAP, Group Policy, software installation, and NT emulation, AD also provides Kerberos, which is actually the protocol used for authentication. To attach a Linux box to an AD domain as a "member server" Winbind is actually probably best, as it speaks the peculiar mix of protocols that AD uses when talking to Windows clients.

My own hunch is that it may be better to set up a "clean" authentication setup on Linux and then migrate the clients, rather than trying to fit the new authentication servers into the existing Linux-unfriendly AD. IIRC, Samba has a "vampire" function for extracting account details out of AD for migration, which may be helpful for transitioning.

You may also need to consider how to replace the Group Policy and software management functions that AD may be providing your Windows clients. If you are already using SUSE you may be interested in the proprietary authentication and management products that Novell offers, as these should support both SUSE and Windows.

Hope that helps
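An added example (not from this thread or from the Samba project) of the "member server" setup hob describes: Samba joined to the AD domain with Kerberos and winbind, written in current Samba 4 syntax rather than the Samba 3 of 2006. The domain name EXAMPLE, realm EXAMPLE.LOCAL, DC hostname, share path and group name are placeholders.

```ini
# /etc/samba/smb.conf on the Linux member server (placeholders: EXAMPLE, EXAMPLE.LOCAL)
[global]
    workgroup = EXAMPLE                      ; NetBIOS name of the AD domain
    realm = EXAMPLE.LOCAL                    ; Kerberos realm, i.e. the AD DNS domain in upper case
    security = ads                           ; join as an AD member: Kerberos + winbind, not a PDC/BDC
    kerberos method = secrets and keytab     ; keep the machine account key in a keytab as well
    client signing = mandatory               ; refuse unsigned SMB sessions to the DCs
    client ldap sasl wrapping = seal         ; encrypt winbind's LDAP traffic to the DCs
    winbind use default domain = yes         ; "user" instead of "EXAMPLE\user" on the Linux side
    winbind refresh tickets = yes
    winbind offline logon = no
    # Map AD SIDs to stable uids/gids. The rid backend is deterministic and needs
    # no schema extension in AD; the tdb range below only covers BUILTIN etc.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%D/%U
    # Enough detail to see failed logons in log.winbindd without flooding the disk
    log level = 1 auth:3 winbind:2
    max log size = 10000

[shared]
    path = /srv/samba/shared                 ; placeholder path
    valid users = @"EXAMPLE\Domain Users"    ; placeholder AD group; restrict rather than "guest ok"
    read only = no
    browseable = yes

# /etc/krb5.conf (the AD DCs are found through DNS SRV records)
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_kdc = true
    dns_lookup_realm = false

# /etc/nsswitch.conf, so that AD users and groups resolve on the Linux side:
#   passwd: files winbind
#   group:  files winbind
#
# Join and verify (run as root on the member server, after `testparm -s`):
#   net ads join -U Administrator                 # creates the machine account in AD
#   wbinfo -t                                     # machine-account trust secret is valid
#   wbinfo -u                                     # user list comes back from the DC
#   getent passwd 'EXAMPLE\someuser'              # idmap produced a uid
#   kinit someuser@EXAMPLE.LOCAL && klist         # Kerberos works for an ordinary user
```

With `security = ads` the Windows clients authenticate to the share with their existing Kerberos tickets, so the separate login prompt is not needed as long as the clock skew to the DC stays within the Kerberos limit (five minutes by default).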
 
Old 09-14-2006, 01:23 PM   #4
dougnc
Member
 
Registered: Apr 2005
Posts: 236

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by hob
I haven't tried migrating from AD to Linux LDAP, but have worked with interoperability a little...

AD does offer a valid LDAP v3 service, but for security it does *not* allow searches without a valid login, whereas most other LDAP services do allow "anonymous binds". It also insists that you use the MS username formats for LDAP binds (from memory, either a UPN or DOMAIN\username is OK).

The other thing to be aware of is that AD is actually a set of services. As well as LDAP, Group Policy, software installation, and NT emulation, AD also provides Kerberos, which is actually the protocol used for authentication. To attach a Linux box to an AD domain as a "member server" Winbind is actually probably best, as it speaks the peculiar mix of protocols that AD uses when talking to Windows clients.

My own hunch is that it may be better to set up a "clean" authentication setup on Linux and then migrate the clients, rather than trying to fit the new authentication servers into the existing Linux-unfriendly AD. IIRC, Samba has a "vampire" function for extracting account details out of AD for migration, which may be helpful for transitioning.

You may also need to consider how to replace the Group Policy and software management functions that AD may be providing your Windows clients. If you are already using SUSE you may be interested in the proprietary authentication and management products that Novell offers, as these should support both SUSE and Windows.

Hope that helps
So, I could hook up the Linux box as a "member" server using winbind. With Samba, winbind would also allow the Linux server to see shared directories on the Windows server, and vice versa.

I could then set up Linux for LDAP authentication. I assume this would be on a separate domain, so that when I log in on a client XP box, I would use a different domain name depending on which box I wanted to log into. But I guess they would consider each other "trusted" domains, so no matter which I logged into I could get to the other one.

This I like. What I'm trying to do is take a Windows 2003 server running everything, and move its functions to 2 redundant Linux servers. And I'm trying to do this in such a way that I can always step back if I have to.
 
Old 09-23-2006, 09:03 AM   #5
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Quote:
Originally Posted by dougnc
So, I could hook up the Linux box as a "member" server using winbind. With Samba, winbind would also allow the Linux server to see shared directories on the Windows server, and vice versa.

I could then set up Linux for LDAP authentication. I assume this would be on a separate domain, so that when I log in on a client XP box, I would use a different domain name depending on which box I wanted to log into. But I guess they would consider each other "trusted" domains, so no matter which I logged into I could get to the other one.

This I like. What I'm trying to do is take a Windows 2003 server running everything, and move its functions to 2 redundant Linux servers. And I'm trying to do this in such a way that I can always step back if I have to.
What I would probably recommend is building the new Linux domain without any overlaps to the existing domain, and with no clients. Add some test Windows clients to develop a solid deployment and management strategy. You may need to migrate DHCP first, with a setup to support both old and new configurations.

Then completely wipe and redeploy the Windows clients one room/department at a time with the new configuration, migrating the relevant data files to shares on the new servers before you let the users log in again.

My current employer went through an NT4 to Active Directory domain migration a couple of years ago, and we managed to minimise disruption by taking the line that at any given time we had to present the user with a single environment with all the supporting services.

Our experience is that if you reconfigure one network service then a random set of Windows systems will fail to cope and some users will have a desktop that is behaving inconsistently (or doesn't log in properly!). It's then often faster to use automated installers to redeploy the whole Windows system with a known good configuration when this happens, rather than trying to coax the existing one to work again.

So we arranged outage timeslots in advance with each group, and locked their user accounts whilst we reinstalled their machines for the new domain that ran on the new servers. At any time they were either using the old servers/domain or the new setup. If things had gone bad we could have reversed by reimaging the machines with the old client configuration, and moving the user accounts back to the old servers.

Hope that helps.

Last edited by hob; 09-23-2006 at 09:32 AM.
 
Old 09-23-2006, 10:42 AM   #6
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 453

Rep: Reputation: 46
Hob's Right Plus...

I would run the two Linux boxes as a cluster. One can fail and take over easily. Running a PDC and BDC isn't perfect. It's going to take a few more resources to build a cluster (e.g. shared disk) but it's totally worth it.

If you don't want to DIY with OpenLDAP, Novell directory services works great, is very reasonably priced and easier to admin, and runs on Linux.

Hob's got it right. I did an AD migration without wiping desktops and I got -very- inconsistent operation from desktop to desktop despite XP SP2 clients. And -wipe- as in format c: /u. What a PITA.

The new domain is also the way to go. Again, inconsistencies pop up if you attempt to "just" switch no matter if you go to Novell's product or DIY.
 
Old 09-23-2006, 12:53 PM   #7
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Quote:
Originally Posted by mpapet
Hob's got it right. I did an AD migration without wiping desktops and I got -very- inconsistent operation from desktop to desktop despite XP SP2 clients. And -wipe- as in format c: /u. What a PITA.
We've spent a lot of time on maintaining an automated process for building Windows clients, and IMO it's one of the best investments that you can make. It takes under 10 minutes of technician's time to start off an automated installation, and a full build of XP with Office takes a computer out of use for about three hours, so we resolve any software issue that is likely to take longer with the Nuclear Build Option.

With an automated installation system, you also know that you can get all the machines in a section rebuilding in an hour and have them operational half a day later, and that's how we roll out Service Packs and any other big software change.

We use a proprietary product for this, but you can also use the built-in RIS functionality for quite complex installations. For simple networks a couple of disk images with Ghost is fine.
 
Old 09-25-2006, 07:45 AM   #8
dougnc
Member
 
Registered: Apr 2005
Posts: 236

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by mpapet
I would run the two Linux boxes as a cluster. One can fail and take over easily. Running a PDC and BDC isn't perfect. It's going to take a few more resources to build a cluster (e.g. shared disk) but it's totally worth it.

If you don't want to DIY with OpenLDAP, Novell directory services works great, is very reasonably priced and easier to admin, and runs on Linux.

Hob's got it right. I did an AD migration without wiping desktops and I got -very- inconsistent operation from desktop to desktop despite XP SP2 clients. And -wipe- as in format c: /u. What a PITA.

The new domain is also the way to go. Again, inconsistencies pop up if you attempt to "just" switch no matter if you go to Novell's product or DIY.
I've been involved in Microsoft clusters, and I really wasn't impressed. Too many moving parts. We had one client who was down for 4 hours one morning because their primary machine rebooted, they went to the secondary, and then their accounting software shut down because it thought the primary machine was up while it was the secondary machine running things.

My ultimate goal though is to have two servers, perhaps with one running at a different location, set up so that one can take over if the other one fails.

That's one reason I'm trying to move off of Microsoft, duplicate MS licenses can get very expensive.
 
Old 09-25-2006, 11:17 AM   #9
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 453

Rep: Reputation: 46
Forget MS clusters

Quote:
Originally Posted by dougnc
My ultimate goal though is to have two servers, perhaps with one running at a different location, set up so that one can take over if the other one fails.
If it's a disaster recovery scenario, then that's a little different. If you are looking for an in-house failover solution, Linux has it. Now.

http://packages.debian.org/oldstable/net/openmosix

BTW, don't discount Novell's product. If the PHBs can afford it, it's totally worth it. If you are looking for job security, then maybe DIY is the way to go.
 