LinuxQuestions.org > Linux - Networking > How do I get a Linux distribution to work with Windows 2008 Active Directory
(https://www.linuxquestions.org/questions/linux-networking-3/how-do-i-get-a-linux-distribution-to-work-with-windows-2008-active-directory-924100/)

baronobeefdip 01-16-2012 03:34 PM

How do I get a Linux distribution to work with Windows 2008 Active Directory
 
I want a Linux distribution to work with the Active Directory feature in Windows 2008; by that I mean I want to be able to implement roaming profiles in a Linux distribution, so it acts just like a Windows machine would when using Active Directory.

I want the Linux distribution to open up its login screen when turned on and be able to use an Active Directory username and password in order to gain access to the computer, just like a Windows 7 client. I have heard of this being done before (except for the login screen part, but this would be very cool) but I am a little fuzzy on what they meant by that.

I also want the desktop to revert to its original state when the user logs off, and I want it to delete files and data that the user left behind once the user logs off.

The Linux distributions that I want this to work in are:
-Debian
-Ubuntu
-Fedora (12, 14, and the latest)
-Mandriva
-Centos
-RedHat

Plus, if it's not too much trouble, I would also like to do this in these OSes as well:
-FreeBSD
-OpenSolaris
-Solaris
-OpenIndiana
-Mac OS X (I might be able to find something on this since this OS is used in schools and Microsoft had the Mac in mind when designing AD)

kbp 01-16-2012 04:18 PM

You're not asking for much then .. :)

The problem you're going to have is that they don't all have the same apps or even the same versions, so the process for each one may be different unless you just go really basic. My suggestion would be to use Kerberos for auth and LDAP for identity; these should be available in all of the OSes you listed.

"Roaming Profiles" can be implemented using autofs for /home/*, but depending on geographical location you may need some sort of distributed file system underneath the NFS.

baronobeefdip 01-16-2012 04:22 PM

They won't be roaming outside the LAN (for now). Also, the most commonly used OSes that I plan to use are just Fedora 14, Ubuntu and Debian; I'll try to move on to the others later.

jschiwal 01-16-2012 08:01 PM

I don't think I've heard of MS-style roaming profiles on Linux clients. Remember that the user's home directory needs to have the user's UID and GID. Also, copying all of the user's files is a very expensive operation. AFAIK, presently, the user.dat file is copied, but copying the user's documents and such hasn't been done since W98 because of the network load problems it entailed. I remember waiting forever after logging into a co-worker's laptop years ago.

In Linux, you can use the NFS automounter to mount the users home directory when the user logs in.
Here is a HOWTO you may find useful:
http://www.linuxhomenetworking.com/w...FS_Automounter

The most recent Using Samba book has examples on using Linux with active directory. I don't know if it is possible to use AD in place of NIS for the purpose of automounting. However this blog post may help. Be sure to read the comment:
http://blog.scottlowe.org/2006/11/21...nd-automounts/

This blog may help as well:
http://blog.scottlowe.org/2006/11/21...nd-automounts/

baronobeefdip 01-16-2012 09:26 PM

Will I be able to use the login screen in the Linux distribution with the AD username and password to gain access to the machine?

kbp 01-16-2012 10:00 PM

Yes.. it just passes it through to PAM, which invokes the relevant modules.

gardenair 01-17-2012 03:06 AM

kbp, as you said:
Quote:

My suggestion would be to use Kerberos for auth and LDAP for identity; these should be available in all of the OSes you listed.
The thing I want to ask is: is Kerberos a separate package to install and LDAP separate, or is it embedded with LDAP?
Please just guide me.

thanks,
gardenair

jschiwal 01-17-2012 03:44 AM

For some distros, if you select AD or LDAP for authentication in the Users section of the configuration tool, the necessary packages will be installed, and PAM and /etc/nsswitch configured as needed.

The Samba 3 by Example book (available in samba-doc package and the samba.org website) has examples using Linux clients in an AD domain. http://www.samba.org/samba/docs/Samba3-ByExample.pdf

Having so many different Linux distros may make configuring and updating your Linux workstations more difficult.

Have a look at this Ubuntu page on using AD for authentication. LDAP, krb, PAM or winbind could be used to do this. Using the method your Linux distro uses would probably be the best way to go. Since you have several distributions, maybe concentrate on one that has the best AD support and use it as a model for the others.
https://help.ubuntu.com/community/Ac...toryHowto#LDAP

kbp 01-17-2012 05:32 AM

Yes, they are separate packages. In Fedora/RHEL you're probably looking for krb5-workstation and openldap-clients. Depending on which version you use, you may need to add the separate modules like pam_ldap and pam_krb5.

fritz001 01-17-2012 07:21 AM

HERE is what you want !!!

- edit /etc/samba/smb.conf
[global]
workgroup = DOMAIN_NAME
realm = DOMAIN_NAME.CA
server string = Samba
interfaces = eth2, eth3, lo
security = ADS
log level = 3
log file = /var/log/samba/%m.log
idmap uid = 10000-25000
idmap gid = 10000-25000
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
cups options = raw
[homes]
browsable = yes


[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No

- edit /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN_NAME.CA
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN_NAME.CA = {
kdc = 192.168.200.100:88
#W2K3DC.CA:88
admin_server = 192.168.200.100:749
#W2K3DC.CA:749
default_domain = DOMAIN_NAME.CA
kdc = *
}
[domain_realm]
domain_name.ca = DOMAIN_NAME.CA
.domain_name.ca = DOMAIN_NAME.CA
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


-edit /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
-edit /etc/pam.d/system-auth
add: auth sufficient /lib/security/pam_winbind.so
add: account sufficient /lib/security/pam_winbind.so


-join computer to domain:: net ads join -U administrator
-test join:: net ads testjoin
-create home directories:: mkdir -p /home/DOMAIN_NAME/administrator
-change permissions:: chown -R administrator /home/DOMAIN_NAME/administrator
-restart:: smb, nmb and winbind
-test domain connectivity:: wbinfo -u


P.S.: tested on RHEL and Fedora
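The fragments above are easy to get subtly wrong (a typo in the domain_realm mapping, an idmap range that collides with local accounts, winbind missing from one nsswitch database), and a mistake only shows up as a failed or half-working login. As an added example, not code from the thread or from Samba, here is a small Python linter that parses constructed smb.conf / krb5.conf / nsswitch.conf / system-auth text modelled on the posted configs and reports the settings an admin should verify before trusting the join. The UID/GID cutoff of 1000, the sample DC address and the "DNS domain equals lower-cased realm" heuristic are assumptions.

```python
import re

LOCAL_ID_MAX = 999  # assumption: local/system accounts stay below UID/GID 1000


def parse_ini(text):
    """Parse smb.conf / krb5.conf text into {section: {key: [values]}}.
    Keys are lower-cased with whitespace collapsed, comments are dropped, and a
    krb5.conf 'NAME = { ... }' block becomes a flattened 'section/NAME'."""
    data, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = line.split("#", 1)[0].strip()          # trailing comment
        if m := re.fullmatch(r"\[(.+?)\]", line):
            stack = [m.group(1).strip()]
            data.setdefault(stack[0], {})
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":                          # krb5 subsection
                stack.append(f"{stack[-1]}/{key}")
                data.setdefault(stack[-1], {})
            else:
                norm = " ".join(key.lower().split())
                data[stack[-1]].setdefault(norm, []).append(value)
    return data


def parse_range(value):
    """'10000-25000' -> (10000, 25000); None if missing, malformed or reversed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m or int(m.group(1)) > int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))


def check_ad_join(smb_text, krb5_text, nsswitch_text, pam_text, local_id_max=LOCAL_ID_MAX):
    """Return a list of findings; an empty list means the fragments are consistent."""
    out = []
    smb, krb = parse_ini(smb_text).get("global", {}), parse_ini(krb5_text)

    def first(sec, key):
        return (sec.get(key) or [None])[0]

    security = (first(smb, "security") or "").lower()
    if security != "ads":
        out.append(f"smb.conf: security = {security or '(unset)'}; domain membership needs security = ADS")
    realm = first(smb, "realm")
    if not realm:
        out.append("smb.conf: realm is not set")
    elif realm != realm.upper():
        out.append(f"smb.conf: realm {realm!r} should be upper-case (Kerberos realms are case-sensitive)")
    for key in ("idmap uid", "idmap gid"):
        rng = first(smb, key) or first(smb, "idmap config * : range")  # newer Samba spelling
        parsed = parse_range(rng)
        if parsed is None:
            out.append(f"smb.conf: {key} missing or malformed ({rng!r})")
        elif parsed[0] <= local_id_max:
            out.append(f"smb.conf: {key} range {rng} overlaps local IDs <= {local_id_max}; domain and local accounts could collide")

    default_realm = first(krb.get("libdefaults", {}), "default_realm")
    if realm and default_realm and default_realm != realm:
        out.append(f"krb5.conf: default_realm {default_realm} differs from smb.conf realm {realm}")
    if default_realm:
        if not krb.get(f"realms/{default_realm}", {}).get("kdc"):
            out.append(f"krb5.conf: no kdc listed for realm {default_realm}")
        for dom, targets in krb.get("domain_realm", {}).items():
            # heuristic: the DNS domain is the lower-cased realm, so anything else is probably a typo
            if dom.lstrip(".") != default_realm.lower() or targets != [default_realm]:
                out.append(f"krb5.conf: domain_realm entry {dom!r} -> {targets} does not match realm {default_realm}")

    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}\s*:\s*(.*)$", nsswitch_text, re.M)
        sources = m.group(1).split() if m else []
        if "winbind" not in sources:
            out.append(f"nsswitch.conf: {db} does not consult winbind (found: {' '.join(sources) or 'nothing'})")
        elif sources[0] != "files":
            out.append(f"nsswitch.conf: {db} should list files before winbind so local accounts resolve first")
    for stack_type in ("auth", "account"):
        if not re.search(rf"^\s*{stack_type}\s+\S+\s+\S*pam_winbind\.so", pam_text, re.M):
            out.append(f"system-auth: no pam_winbind.so line in the {stack_type} stack")
    return out


# Constructed fragments modelled on the thread's configs (the DC address is a placeholder).
GOOD_SMB = "[global]\nrealm = DOMAIN_NAME.CA\nsecurity = ADS\nidmap uid = 10000-25000\nidmap gid = 10000-25000\n"
GOOD_KRB5 = ("[libdefaults]\ndefault_realm = DOMAIN_NAME.CA\n[realms]\nDOMAIN_NAME.CA = {\n"
             "kdc = 192.168.200.100:88   # constructed DC address\n}\n"
             "[domain_realm]\ndomain_name.ca = DOMAIN_NAME.CA\n.domain_name.ca = DOMAIN_NAME.CA\n")
GOOD_NSS = "passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n"
GOOD_PAM = ("auth sufficient /lib/security/pam_winbind.so\nauth required pam_unix.so\n"
            "account sufficient /lib/security/pam_winbind.so\naccount required pam_unix.so\n")
# The same fragments with the mistakes the linter is meant to catch.
BAD_SMB = GOOD_SMB.replace("security = ADS", "security = user").replace("idmap uid = 10000", "idmap uid = 500")
BAD_KRB5 = GOOD_KRB5.replace(".domain_name.ca", ".domaoin_name.ca")  # the typo from the thread
BAD_NSS = GOOD_NSS.replace("group: files winbind", "group: files")
BAD_PAM = GOOD_PAM.replace("account sufficient /lib/security/pam_winbind.so\n", "")

if __name__ == "__main__":
    print(check_ad_join(BAD_SMB, BAD_KRB5, BAD_NSS, BAD_PAM))
```

Run against the real files with `check_ad_join(open("/etc/samba/smb.conf").read(), ...)`; the "files before winbind" and idmap-range checks exist because a domain SID mapping that lands on a local UID, or a winbind lookup that shadows a local account, is a privilege problem rather than a mere login failure.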

baronobeefdip 01-17-2012 09:23 AM

So for Debian I should install Kerberos, which is not in its main repository, and compiling a program like this from source is very difficult. Is there another repo server that has the Kerberos program on it? Plus, what needs to be set in the user settings in order for Active Directory login names and passwords to work at the login screen for the distros?

fritz001 01-17-2012 10:48 AM

Quote:

Originally Posted by baronobeefdip (Post 4576922)
So for Debian I should install Kerberos, which is not in its main repository, and compiling a program like this from source is very difficult. Is there another repo server that has the Kerberos program on it? Plus, what needs to be set in the user settings in order for Active Directory login names and passwords to work at the login screen for the distros?

apt-cache search winbind
libwbclient0 - Samba winbind client library
samba - SMB/CIFS file, print, and login server for Unix
winbind - Samba nameservice integration server
root@router2:~#
...
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb53 - transitional package for MIT Kerberos libraries
libkrb5support0 - MIT Kerberos runtime libraries - Support library
krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos


Are you sure you don't need glasses ????

Debian 6.0.2 !!

