LinuxQuestions.org

Linux - Server: Giving up on AD, need some server advice (https://www.linuxquestions.org/questions/linux-server-73/giving-up-on-ad-need-some-server-advice-633725/)

LinuxCowboy03 04-07-2008 02:11 PM

Giving up on AD, need some server advice
 
It's just impossible to get a Linux workstation to play well with our Active Directory domain...
I'm the IT director at a school, and we would love to use Linux here. Software-wise, I could roll Linux out tomorrow on a majority of our machines, since most of what they do is just internet browsing and word processing.
However, we have an Active Directory domain (Windows 2003 R2 server). Everyone logs into this, and they have network drives that are mapped on login and everyone saves their stuff in there. So, in trying to set up computers running Linux, my first concern has been being able to log in to our AD domain.
I've tried Ubuntu, PCLinuxOS, and OpenSuse. OpenSuse actually has a GUI that will let you join a domain, and I was able to briefly join our domain, but I was never able to actually log in to it. I've followed every conceivable guide I can find for doing this, and never had any luck. Add to that that every guide is different. I've wasted a couple days on this project, with nothing to show for it. Then I read about Likewise, a program that promises easier integration between Windows and Linux. I can't even get it to join my domain. It tells me that it can't contact my domain controller. I don't know why this is, because I can ping my domain controller, calling it by name!
Anyways, my point is, this is asinine. It shouldn't be this hard, and I'm not ready to shell out some money for a third party solution or hire someone to do it for me. Why shouldn't I be able to do it? I'm a programmer, and I have almost 10 years of Linux experience, and I've been working in IT for almost 5 years.
Now, I recognize that I could probably eventually figure out how to join a stupid client to our AD domain (which by the way was here when I started, not my choice). Anyways, it doesn't have the reliability or ease that is expected in an educational environment, and I'm also looking to reduce support headaches. So I'm ready to examine other solutions. I desperately want to use Linux workstations on our network, and if I can't make them work with our Windows server, then I'm ready to look at setting up a server.
I know all about Windows Server, and I've set up Linux web servers and mail servers many times. However, I don't know what to look for when it comes to setting up a server that will do what I want to do. Mainly I want the whole login process to be as Windows-like as possible. I don't want to confuse my users too much. I would want all the user accounts to be stored on the server, of course, because we have hundreds of users sharing machines. Secondly, I want the computers to automatically map some sort of networked drive upon login, similar to what they do now in Windows. I like to encourage my users to save their files on the network, which is backed up daily. Everyone has their own network space, which is mapped as a drive for them.
Those are my two main requirements: User Login and automatically map drive. Any security settings I could do over the network would be a nice bonus. I enjoy group policy on the Windows server.

So my question to you, good people of LinuxQuestions: what do you recommend for a server solution? Are there any guides that would help me get things set up for this? To start out with I just want to install a server, and maybe have a few clients connecting to it, so I can get an idea. If it works out, I'd be rolling it out on hundreds of computers. If not, then I'll just have to stick with Windows for the meantime. As much as I hate it, I have to stick with what best fits our needs, so I can't move to Linux unless I can create the kind of environment that fits our needs.

Thanks for your help! I look forward to hearing your answers and trying your suggestions.

dbmacartney 04-08-2008 08:03 AM

Hi LinuxCowboy

Yes there is a solution, but you need to remember that Linux is Linux, it's not Windows. Feel free to contact me to discuss in further detail. One way to start is to use Microsoft Services for UNIX. This extends the AD schema giving additional attributes and allows you to run AD through NIS, which is natively supported in all Linux distributions. Redirecting home drives is also a simple task using drive mounts to an NFS share.

I hope this helps in some way. In my previous role I did a lot of testing and this was one of my geeky challenges. We did not use it for more than testing as my boss was a 100% Windows man, but yes it is possible.

Dale

treedstang 04-08-2008 11:32 AM

LinuxCowboy03,

You should try using this tool by Likewise Software; they have a paid version and a free version. Check out the link below. You will be using the free open-source version like me. http://www.likewisesoftware.com/

This tool gives you a GUI frontend to join a Linux workstation to a Windows domain. Just remember when you join your domain to make sure your Linux workstation time is in sync with your Windows AD, or else things will act strange because of Kerberos.

I've been using this tool for about 3 months on Fedora and Ubuntu; it works like a charm. When you enter your username you will have to enter it like domainname\username, since you won't have a box to enter a domain name separately.

Let me know how it works out for you.



Tim
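The two checks behind Tim's Kerberos/time warning and LinuxCowboy03's "can't contact my domain controller" symptom, as an added example that is not from the thread or from Likewise: a successful ping only proves the DC has an A record, whereas a domain join locates a DC through the AD SRV records (_ldap._tcp.dc._msdcs.DOMAIN, _kerberos._tcp.DOMAIN), which only the AD-integrated DNS server publishes, so a client whose /etc/resolv.conf points at some other resolver pings fine and still fails to join. Kerberos additionally rejects requests when the clocks differ by more than its 5-minute default. The script queries the SRV records with dig, picks the best DC, and compares the clock offset reported by ntpdate -q; the domain school.local and the presence of dig and ntpdate on the client are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: ./dccheck.sh school.local
# Assumes dig (bind-utils) and ntpdate are installed; school.local is a placeholder.

MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# srv_names DOMAIN: the SRV records a client asks for when locating a DC / KDC.
srv_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.$1" "_kpasswd._tcp.$1"
}

# parse_srv: reads "dig +short SRV" lines ("prio weight port target.") on stdin
# and prints "target:port", lowest priority first, higher weight first within a priority.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $3, $4 }' |
    sort -k1,1n -k2,2nr |
    awk '{ print $4 ":" $3 }'
}

# skew_ok OFFSET_SECONDS: succeeds if the clock offset is within Kerberos tolerance.
# Accepts what ntpdate prints, e.g. "-0.012345" or "7200.5".
skew_ok() {
    d=${1%.*}                  # drop the fractional part
    [ -z "$d" ] && d=0         # "" or ".5" -> 0
    d=$(( d ))                 # "-0" -> 0, "-299" -> -299
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

if [ $# -eq 1 ] && command -v dig >/dev/null 2>&1; then
    domain=$1
    for name in $(srv_names "$domain"); do
        echo "== $name"
        dig +short SRV "$name" | parse_srv
    done
    # Best LDAP DC = first entry after sorting; compare our clock with it.
    dc=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | parse_srv | head -n 1 | cut -d: -f1)
    if [ -z "$dc" ]; then
        echo "no SRV records: point /etc/resolv.conf at the AD DNS server (the DC)"
        exit 1
    fi
    # ntpdate -q prints "... offset -0.000331, delay ..."; extract the offset.
    off=$(ntpdate -q "$dc" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$off" ]; then
        echo "could not read the clock of $dc via NTP (ntpdate missing, or UDP/123 blocked?)"
        exit 1
    fi
    if skew_ok "$off"; then
        echo "clock offset from $dc is ${off}s: within Kerberos tolerance"
    else
        echo "clock offset from $dc is ${off}s: over ${MAX_SKEW}s, Kerberos will fail; fix NTP first"
        exit 1
    fi
fi
```

If the SRV query returns nothing while "dig +short A dc1.school.local" works, the client is using a resolver that does not carry the AD zone, which is exactly the state in which ping succeeds and the join fails.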

LinuxCowboy03 04-09-2008 08:08 AM

Quote:

Originally Posted by dbmacartney (Post 3114569)
One way to start is to use Microsoft Services for UNIX. This extends the AD schema giving additional attributes and allows you to run AD through NIS which is natively supported in all linux distributions. Redirecting home drives is also a simple task using drive mounts to an NFS share.

Thanks for the suggestion. A while ago, I did install the Services for Unix. However, I wasn't sure how to proceed from that point. How do you connect a Linux client after you install services for unix?

LinuxCowboy03 04-09-2008 08:12 AM

Quote:

Originally Posted by treedstang (Post 3114759)
You should try using this tool by likewise software they have a paid version and a free version. check out the link below. you will be using the free opensource version like me. http://www.likewisesoftware.com/

Thanks for the suggestion. I've tried Likewise, but it won't work. It says something to the effect of "Can't find Domain Controller" and suggests checking my DNS settings, which I've checked and which are fine, and to add insult to injury, I can ping the domain controller by name from the client! Also, I've set it up to get the time from the NTP server, so I know that's not the issue either. So I'm not too impressed with Likewise.
Besides, it's not practical to ask my users (kids!) to type in domainname/username, which some of them have a hard enough time just getting their username and password right.

LinuxCowboy03 04-09-2008 02:10 PM

Just bumping the thread -
No one has any suggestions for a good school server setup??
Please please help! I'm tired of using MS!

dbmacartney 04-09-2008 02:14 PM

Once the Services for UNIX are installed you will find extra attributes when you view the properties of the user. I am between jobs at the moment so I can't attach a screenshot, but it gives you fields where you select an NIS domain, which is your AD domain that is now being sent via NIS. Then under the UNIX attributes tab, you can specify a server/share where your user profiles can be stored. Linux profiles are different to Windows ones. How you can do this is create a share and then export the share via NFS (Network File System).

Let's say you have Fedora clients. What you can do is run "system-config-authentication", I think that's right off the top of my head. Then you can enable the NIS domain by typing in your NIS domain name and authenticating the machine with your username/password which has adequate rights to do so. This handles the username and password information.

Then as part of your desktop image, you can mount your NFS share that you want your user profiles stored on. Let's say you mount it to /home/AD/ and add the information to /etc/fstab to make it persistent after a reboot.

In the AD attributes for the student, the UNIX attributes should read
Home Directory: "/home/AD/testuser"

Once you've applied those settings and your NFS mount is in place, give it a reboot just in case something else is getting in the way and stopping what should be happening. Then try logging in as testuser. This way, using NIS, you don't have to worry about using the domain\username login method. The system will query local users and if there is no local user called testuser then it will ask the NIS server.

LinuxCowboy03 04-09-2008 02:46 PM

dbmacartney,

Thanks for your reply. It sounds like you know what you are doing. I'm going to give this a try and let you know how it goes. I'm still trying to wrap my head around how this works. I'm so used to windows networking, and Linux seems sooo different! But I really want to make it work.

dbmacartney 04-09-2008 03:57 PM

I'll make a diagram for you and I'll post it when I have completed it. I love doing geeky drawings of infrastructure. Some people like reading; my passion seems to be documentation. Haha.

Just a tip though. The changes required for this to work require changes to your Active Directory schema. If you're familiar with LDAP then you know changing the layout can get messy if something goes wrong. I'd recommend making a testing environment, e.g. grab a PC and install 2K3 Server, use R2 if you have a license for it. Make it a domain controller for a new domain. Create a few test users. Then install Services for UNIX. Set up your NFS server to export the share, and then try connecting your client PCs to your test domain. This way you can play around with it, break it, fix it... You will be able to rest assured knowing that through all of your troubles and learning you haven't broken your company network in the process.

;-)

msound 04-09-2008 07:05 PM

Quote:

No one has any suggestions for a good school server setup??
Please please help! I'm tired of using MS!
freeipa is looking pretty promising, unfortunately it's still in beta. You can check it out here: http://freeipa.com/page/Main_Page

Others have already touched base on mapping the users' home directories to an NFS mount. This would mean that any document they save to their home folder would actually be saved to a folder somewhere on your network, so that takes care of that requirement.

My suggestion would be to wait a few weeks/months for an official release of freeipa, and then go with that. It sounds like a very promising open source alternative to AD, plus it'll support Windows and Mac OSX clients :D

Cheers!

jschiwal 04-09-2008 07:37 PM

When you used openSUSE's dialog for using AD for authentication, did you also authorize that host to join the domain from the windows side?

mplike 04-10-2008 08:32 AM

Hi,
We have a similar issue and are trying to implement Linux logon. We have AD set up and initially had some difficulties integrating this. So we made a NIS setup and all UX, LNX systems authenticate using NIS. We are in the process of setting up LDAP on this network.

As stated in your thread, send me your infra document and we shall try and help you on this.
Cheers,
Abhinesh

dbmacartney 04-10-2008 11:01 AM

Mplike: If you currently have Active Directory then you already have a form of LDAP in existence. You can set up NIS to read straight from Active Directory.

E.g. AD user "johnmichaels" is configured with the NIS username "johnmichaels". So that when a NIS client requests the username and password information from the NIS domain server (Your Domain Controller), it will log in with an AD username and password, although it is operating via NIS to obtain the information.

------------------------------------------------------------------

Attached is a picture of roughly how it works. My apologies it's not very flashy; it is my first time using Dia and it was very rushed.
The Linux systems query Active Directory as a NIS domain; part of the information is "User's home directory", which is configured in Active Directory to be "/home/ADUsers/johnmichaels". As the /home/ADUsers folder is mounted to an NFS share on Server3, which is a Windows server exporting a shared folder via NFS, the Linux clients can view this and have read/write access to it. This will also give the Linux clients the ability to utilise roaming profiles, as such.
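The client side of Dale's NIS + NFS procedure (his step-by-step post above and the diagram description in this one), as an added example that is not taken from the thread, for a Fedora/RHEL-style client: authconfig is the command-line equivalent of the system-config-authentication dialog and writes /etc/yp.conf and the "nis" entries in /etc/nsswitch.conf; the home export goes into /etc/fstab; and check_user resolves an account the way login does (local files first, then NIS) and verifies that the home directory AD handed out really lies under the mount. The names SCHOOL, dc1.school.local, server3.school.local:/ADUsers, /home/ADUsers and testuser are placeholders, and the passwd line used in the test is constructed. Two caveats a practitioner should keep in mind: NIS serves the account maps (normally including password hashes) to any client that knows the NIS domain name, unauthenticated and unencrypted, and an NFS server using the default AUTH_SYS security trusts the numeric UID the client presents, so the UIDs in the AD UNIX attributes must be consistent everywhere and the clients themselves must be trustworthy.

```shell
#!/bin/sh
# Added example, not from the thread: NIS client + NFS home directories for a
# Fedora/RHEL-style workstation. All names below are placeholders.
# Usage: ./adnis.sh --apply      (as root: configure PAM/nsswitch/ypbind and the mount)
#        ./adnis.sh testuser     (verify a user resolves and has an NFS-backed home)

NISDOMAIN=${NISDOMAIN:-SCHOOL}                      # NIS domain served by the DC
NISSERVER=${NISSERVER:-dc1.school.local}            # DC running Server for NIS
NFS_SERVER=${NFS_SERVER:-server3.school.local}      # server exporting the homes
NFS_EXPORT=${NFS_EXPORT:-/ADUsers}                  # exported path on that server
MOUNTPOINT=${MOUNTPOINT:-/home/ADUsers}             # where every client mounts it

# yp_conf_line NISDOMAIN SERVER: the /etc/yp.conf entry ypbind needs.
yp_conf_line() { printf 'domain %s server %s\n' "$1" "$2"; }

# fstab_line SERVER EXPORT MOUNTPOINT: persistent NFS mount of the home share.
fstab_line() { printf '%s:%s %s nfs defaults 0 0\n' "$1" "$2" "$3"; }

# home_under MOUNTPOINT HOMEDIR: true only if HOMEDIR lies below MOUNTPOINT.
home_under() {
    case "$2" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# home_of PASSWD_LINE: 6th field of a passwd entry ("user:x:uid:gid:gecos:home:shell").
home_of() { printf '%s\n' "$1" | cut -d: -f6; }

# check_user USER: resolve like login does (files, then NIS) and check the home dir.
check_user() {
    line=$(getent passwd "$1") || { echo "$1: not in local files or NIS"; return 1; }
    home=$(home_of "$line")
    if home_under "$MOUNTPOINT" "$home"; then
        echo "$1 -> $home (inside NFS mount $MOUNTPOINT)"
    else
        echo "$1 -> $home is outside $MOUNTPOINT; fix the AD UNIX attribute"
        return 1
    fi
}

case "$1" in
    --apply)
        # PAM + nsswitch + /etc/yp.conf: what the GUI dialog does under the hood.
        authconfig --enablenis --nisdomain="$NISDOMAIN" --nisserver="$NISSERVER" --update
        chkconfig ypbind on && service ypbind start
        grep -qxF "$(yp_conf_line "$NISDOMAIN" "$NISSERVER")" /etc/yp.conf ||
            yp_conf_line "$NISDOMAIN" "$NISSERVER" >> /etc/yp.conf
        # Home export, mounted now and at every boot.
        mkdir -p "$MOUNTPOINT"
        grep -qxF "$(fstab_line "$NFS_SERVER" "$NFS_EXPORT" "$MOUNTPOINT")" /etc/fstab ||
            fstab_line "$NFS_SERVER" "$NFS_EXPORT" "$MOUNTPOINT" >> /etc/fstab
        mount "$MOUNTPOINT"
        ;;
    "") ;;                     # no arguments: only define the functions
    *)  check_user "$1" ;;
esac
```

After "--apply", "ypmatch testuser passwd" should return the AD-sourced entry and "./adnis.sh testuser" should report the home directory inside /home/ADUsers; a user whose entry comes back with a home outside the mount has a wrong or empty Home Directory attribute in AD, which is the usual reason a NIS login succeeds but lands in an empty or unwritable directory.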

dbmacartney 04-10-2008 11:02 AM

ok this might be a silly question. How do I attach a pic in a forum?

LinuxCowboy03 04-11-2008 11:43 AM

Quote:

Originally Posted by jschiwal (Post 3116298)
When you used openSUSE's dialog for using AD for authentication, did you also authorize that host to join the domain from the windows side?

Yes I did. I actually succeeded in joining the domain at one point; however, it didn't seem to work right, as I was still unable to log in with a user account on the server, and subsequent testing of it failed to join the domain again.
When you say authorize the host to join from the Windows side, do you mean creating a computer in AD matching the hostname of the computer I'm trying to join? See, with Windows I don't need to do that; I just join the domain and it will create the computer in AD for me. But I've tried both ways with Linux; it doesn't seem to matter.

