LinuxQuestions.org
Old 01-16-2012, 03:34 PM   #1
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,179

Rep: Reputation: 32
How do I get a Linux distribution to work with Windows 2008 Active Directory


I want a Linux distribution to work with the Active Directory feature in Windows 2008; by that I want the roaming profiles to be able to implement in a Linux distribution. So I want it to act just like a Windows machine would when using Active Directory.

I want the Linux distribution to open up its login screen when turned on and be able to use an Active Directory username and password in order to gain access to use the computer, just like a Windows 7 client. I have heard of this being done before (except for the login screen part, but this would be very cool) but am a little fuzzy on what they meant by that.

I also want the desktop to revert to its original state when the user logs off, and I want it to delete files and data that the user left behind once the user logs off.

The Linux distributions that I want this to work in are
-Debian
-Ubuntu
-Fedora (12, 14, and the latest)
-Mandriva
-Centos
-RedHat

Plus, if it's not too much trouble, I would also like to do this in these OSes as well
-FreeBSD
-OpenSolaris
-Solaris
-OpenIndiana
-MAC OS X (I might be able to find something on this since this OS is used in schools and Microsoft had MAC in mind when designing AD)

Last edited by baronobeefdip; 01-16-2012 at 03:39 PM.
 
Old 01-16-2012, 04:18 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
You're not asking for much then ..

The problem you're going to have will be that they don't all have the same apps or even the same versions, the process for each one may be different unless you just go really basic. My suggestion would be to use Kerberos for auth and ldap for identity, these should be available in all of the OS's you listed.

"Roaming Profiles" can be implemented using autofs for /home/*, but depending on geographical location you may need some sort of distributed file system underneath the NFS.
 
Old 01-16-2012, 04:22 PM   #3
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,179

Original Poster
Rep: Reputation: 32
They won't be roaming outside the LAN (for now). Also, the most commonly used OS's that I plan to use are just Fedora 14, Ubuntu and Debian; I'll try to move on to the others later.
 
Old 01-16-2012, 08:01 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
I don't think I've heard of MS style roaming profiles on Linux clients. Remember that the user home directory needs to have the user's UID and GID. Also, copying all of the user's files is a very expensive operation. AFAIK, presently, the user.dat file is copied, but copying the user's documents and such hasn't been done since W98 because of the network load problems it entailed. I remember waiting forever after logging into a co-worker's laptop years ago.

In Linux, you can use the NFS automounter to mount the user's home directory when the user logs in.
Here is a HOWTO you may find useful:
http://www.linuxhomenetworking.com/w...FS_Automounter

The most recent Using Samba book has examples on using Linux with active directory. I don't know if it is possible to use AD in place of NIS for the purpose of automounting. However this blog post may help. Be sure to read the comment:
http://blog.scottlowe.org/2006/11/21...nd-automounts/

This blog may help as well:
http://blog.scottlowe.org/2006/11/21...nd-automounts/
 
Old 01-16-2012, 09:26 PM   #5
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,179

Original Poster
Rep: Reputation: 32
Will I be able to use the login screen in the Linux distribution with the AD username and password to gain access to the machine?
 
Old 01-16-2012, 10:00 PM   #6
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
Yes.. it just passes it through to pam which invokes the relevant modules
 
Old 01-17-2012, 03:06 AM   #7
gardenair
Member
 
Registered: Oct 2004
Location: LH
Posts: 570

Rep: Reputation: 31
"kbp" as you said
Quote:
My suggestion would be to use Kerberos for auth and ldap for identity, these should be available in all of the OS's you listed.
The thing I want to ask is whether Kerberos is a separate package to install and LDAP is separate, or whether it is embedded with LDAP?
Please just guide me.

thanks,
gardenair
 
Old 01-17-2012, 03:44 AM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
For some distros if you select AD or ldap for authentication in the Users section of the configuration tool, the necessary packages will be installed, and PAM and /etc/nsswitch configured as needed.

The Samba 3 by Example book (available in samba-doc package and the samba.org website) has examples using Linux clients in an AD domain. http://www.samba.org/samba/docs/Samba3-ByExample.pdf

Having so many different Linux distros may make it more difficult configuring and updating your Linux workstations.

Have a look at this Ubuntu page on using AD for authentication. LDAP, krb, PAM or winbind could be used to do this. Using the method your Linux distro uses would probably be the best way to go. Since you have several distributions, maybe concentrating on one that has the best AD support, and using it as a model, would be the approach to take.
https://help.ubuntu.com/community/Ac...toryHowto#LDAP
 
Old 01-17-2012, 05:32 AM   #9
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
Yes, they are separate packages - in Fedora/RHEL you're probably looking for krb5-workstation and openldap-clients. Depending on which version you use, you may need to add the separate modules like pam_ldap and pam_krb5.
 
Old 01-17-2012, 07:21 AM   #10
fritz001
Member
 
Registered: Aug 2004
Posts: 119

Rep: Reputation: 18
HERE is what u want !!!

- edit /etc/samba/smb.conf
[global]
workgroup = DOMAIN_NAME
realm = DOMAIN_NAME.CA
server string = Samba
interfaces = eth2, eth3, lo
security = ADS
log level = 3
log file = /var/log/samba/%m.log
idmap uid = 10000-25000
idmap gid = 10000-25000
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
cups options = raw
[homes]
browsable = yes


[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No

- edit /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN_NAME.CA
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN_NAME.CA = {
kdc = 192.168.200.100:88
#W2K3DC.CA:88
admin_server = 192.168.200.100:749
#W2K3DC.CA:749
default_domain = DOMAIN_NAME.CA
kdc = *
}
[domain_realm]
domain_name.ca = DOMAIN_NAME.CA
.domain_name.ca = DOMAIN_NAME.CA
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


-edit /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
-edit /etc/pam.d/system-auth
add: auth sufficient /lib/security/pam_winbind.so
add: account sufficient /lib/security/pam_winbind.so


-join computer to domain:: net ads join -U administrator
-test join:: net ads testjoin
-create home directories:: mkdir -p /home/DOMAIN_NAME/administrator
-change permissions:: chown -R administrator /home/DOMAIN_NAME/administrator
-restart:: smb, nmb and winbind
-test domain connectivity:: wbinfo -u


P.S.: tested on RHEL and Fedora
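
An added example, not part of fritz001's post or of Samba: a consistency check across the three files the procedure above edits, run here on constructed samples that contain two deliberate defects (a mistyped [domain_realm] entry and a group line without winbind). The function names `sections` and `lint` are hypothetical, and the domain-to-realm comparison assumes a single AD domain whose realm is the upper-cased DNS name.

```python
# Constructed samples in the post's layout; DOMAIN_NAME.CA is its placeholder realm.
SMB = "[global]\nworkgroup = DOMAIN_NAME\nrealm = DOMAIN_NAME.CA\nsecurity = ADS\n"
KRB5 = """[libdefaults]
default_realm = DOMAIN_NAME.CA
[realms]
DOMAIN_NAME.CA = {
kdc = 192.168.200.100:88
}
[domain_realm]
domain_name.ca = DOMAIN_NAME.CA
.domaoin_name.ca = DOMAIN_NAME.CA
"""
NSS = "passwd: files winbind\nshadow: files\ngroup: files\n"

def sections(text):
    """Parse INI-like text into {section: [(key, value), ...]}."""
    out, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            cur = out.setdefault(line[1:-1].strip().lower(), [])
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur.append((key.strip(), val.strip()))
    return out

def lint(smb, krb5, nss):
    """List inconsistencies; assumes one AD domain (realm = upper-cased DNS name)."""
    problems = []
    glob = {k.lower(): v for k, v in sections(smb).get("global", [])}
    krb = sections(krb5)
    default = dict(krb.get("libdefaults", [])).get("default_realm")
    realms = {k for k, v in krb.get("realms", []) if v.startswith("{")}
    if glob.get("realm") != default:
        problems.append("smb.conf realm != krb5.conf default_realm")
    if default not in realms:
        problems.append("krb5.conf: default_realm missing from [realms]")
    for dom, realm in krb.get("domain_realm", []):
        if realm not in realms or dom.lstrip(".").upper() != realm:
            problems.append(f"krb5.conf: suspicious mapping {dom} -> {realm}")
    nss_map = dict(l.split(":", 1) for l in nss.splitlines() if ":" in l)
    for db in ("passwd", "group"):
        if "winbind" not in nss_map.get(db, "").split():
            problems.append(f"nsswitch.conf: {db} lacks winbind")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SMB, KRB5, NSS)) or "consistent")
```

Running it against the real files before `net ads join` catches realm mismatches that otherwise surface only as a failed join or as domain users missing from `getent passwd`.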
 
Old 01-17-2012, 09:23 AM   #11
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,179

Original Poster
Rep: Reputation: 32
So for Debian I should install Kerberos, which is not in its main repository, and compiling a program like this from source is very difficult. Is there another repo server that has the Kerberos program on it? Plus, what needs to be set in the user settings in order for Active Directory login names and passwords to work at the login screen for the distros?
 
Old 01-17-2012, 10:48 AM   #12
fritz001
Member
 
Registered: Aug 2004
Posts: 119

Rep: Reputation: 18
Quote:
Originally Posted by baronobeefdip
So for Debian I should install Kerberos, which is not in its main repository, and compiling a program like this from source is very difficult. Is there another repo server that has the Kerberos program on it? Plus, what needs to be set in the user settings in order for Active Directory login names and passwords to work at the login screen for the distros?
apt-cache search winbind
libwbclient0 - Samba winbind client library
samba - SMB/CIFS file, print, and login server for Unix
winbind - Samba nameservice integration server
root@router2:~#
...
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb53 - transitional package for MIT Kerberos libraries
libkrb5support0 - MIT Kerberos runtime libraries - Support library
krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos


Are u sure , u don't need glasses ????

Debian 6.0.2 !!
 
  

