Old 01-24-2011, 06:06 AM   #1
guna_pmk
Member
 
Registered: Sep 2008
Posts: 220

Rep: Reputation: 5
Linux domain option


Hi Friends,

I have been playing around with different options for setting up a domain for a small network which has the opportunity of growing bigger in the near future.

The situation here is:

Currently there is going to be one physical server and multiple clients. The server must serve files to all possible clients. User should be able to log on from any platform with the same credentials and must have possibly identical directories mounted/mapped to his/her session, regardless of the platform he/she logs on from. In future any application should be able to be authenticated for the user (for example email, version control, bug tracking etc.).

Server must be Linux. Clients can be Windows XP, Vista, Windows 7 or any flavor of Linux.

After going through different options I got more confused.

Here are my questions - Is it possible to configure an LDAP only domain (without the use of samba) to which both Linux and Windows can join? If so is it efficient? If samba is needed should it be only for Windows clients or can it be for both Windows and Linux clients? Can we have NFS through LDAP for Linux and samba through LDAP for Windows? Do I need to join the clients to a domain to get authenticated or is it just enough to authenticate client to use the resources on the server(s)? Currently I am planning to use a Virtual authentication server (KVM) and am not sure whether to run the samba or not and if so not sure whether to run samba on a separate server from the LDAP server and configure samba to use the LDAP as the back end.

If I type more, I may confuse you more and therefore let you ask me what points you need to clarify me.

Thanks
 
Old 01-24-2011, 07:23 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
LDAP has *nothing* to do with the concept of a domain that AD provides. It is not possible at all to do anything like a "join" of an LDAP server domain; it doesn't make sense outside of arbitrarily setting domain names on your system for DNS etc. Whilst you can use LDAP as the back end for all Linux user info and authorization, there is no actual act taking place to join a domain in any form. If you want centralized authentication under Windows then that's the Samba side of things for Windows, membership etc.
 
Old 01-24-2011, 08:29 AM   #3
guna_pmk
Member
 
Registered: Sep 2008
Posts: 220

Original Poster
Rep: Reputation: 5
Thanks for your response Chris.

I can understand that LDAP is just an authentication method. As I have mentioned, is samba the only/right way for the Windows clients to get authenticated by a SSON (in my case a Linux server)? Is there a way to log on to a Windows client using the LDAP credentials and access shared resources (like files, version control repository) on the server? In the case of samba with LDAP back end, is samba used only to share files with Windows clients?

What is the difference between joining a client to a domain and getting a client authenticated through a sign on server? Which is better, efficient and standard practice?

Cheers
 
Old 01-24-2011, 08:38 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Samba does all sorts of things with different components. Primarily it was designed for SMB file access, but then grew to covering being an AD domain controller replacement and being an AD domain member. So Samba is used for both kinds of interfacing, and you *could* use Samba for the purely Linux side too if you wished, as pointless as it is. If you want to log on to Windows using LDAP credentials, then you would have a Samba DC and that would be configured to use LDAP as its user info back end.

When you're authenticating to a domain you are utilizing Kerberos and other domain level mechanisms which will allow you that "single sign on" functionality, which means that essentially you receive a ticket from the DC which matches with your domain membership knowledge and you can then use this ticket to give to a third machine who will trust you. As for auth against LDAP, that's a simple one off check, nothing persists outside of you passing using a username and password against a central server.
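
Added example (not part of the thread and not any poster's or project's code): a simplified Python model of the difference described in post #4 between a one-off directory password check and a ticket issued by a domain controller. All names and sample data are hypothetical, and HMAC-sealed tokens stand in for Kerberos's encrypted tickets (no session keys or authenticators are modelled).

```python
import hashlib, hmac, json, os

# Constructed sample data: one account, plus secret keys held by the DC and each service.
USERS = {"guna": "s3cret-example"}
KDC_KEY = os.urandom(32)                      # known only to the DC
SERVICE_KEYS = {"files": os.urandom(32), "mail": os.urandom(32)}  # shared DC <-> service

def _seal(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def _open(key, token, now):
    body, tag = token
    good = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None                            # forged, altered, or sealed for someone else
    claims = json.loads(body)
    return claims if claims["exp"] > now else None   # expired tickets are refused

def directory_check(user, password):
    """Plain LDAP-style auth: a yes/no answer to one password check, nothing persists."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def login(user, password, now):
    """Domain-style logon: the password is used once and exchanged for a TGT."""
    if not directory_check(user, password):
        return None
    return _seal(KDC_KEY, {"user": user, "exp": now + 36000})

def service_ticket(tgt, service, now):
    """The TGT, not the password, is presented to obtain a ticket for one service."""
    claims = _open(KDC_KEY, tgt, now)
    if claims is None or service not in SERVICE_KEYS:
        return None
    return _seal(SERVICE_KEYS[service], {"user": claims["user"], "svc": service, "exp": now + 300})

def service_accepts(service, ticket, now):
    """The service checks the DC's seal with its own key; it never sees a password."""
    claims = _open(SERVICE_KEYS[service], ticket, now)
    return claims["user"] if claims and claims["svc"] == service else None

if __name__ == "__main__":
    import time
    now = time.time()
    tgt = login("guna", "s3cret-example", now)          # password typed once
    for svc in SERVICE_KEYS:
        print(svc, "->", service_accepts(svc, service_ticket(tgt, svc, now), now))
```

In the directory-only model each service would have to call `directory_check` itself, so every service handles the user's password; in the ticket model a ticket sealed for one service is rejected by every other service and stops working when it expires.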
 
Old 01-24-2011, 08:56 AM   #5
guna_pmk
Member
 
Registered: Sep 2008
Posts: 220

Original Poster
Rep: Reputation: 5
That's getting better Chris.

Let's take an example case.
1) A single sign on server
2) A server in which files and source control repositories are stored to be shared across the network
3) An email server

So now, regardless of the platforms I log in from, if I want the facility of one time log in but need access to files, repositories and emails, which of the above servers should act as a domain controller? 1 or 2? If samba is the PDC, for the above mentioned access pattern, should Linux clients join the domain? In your post you specify using samba on Linux is pointless; how can I achieve the 'single sign on' from Linux clients?

As I have specified in my original post, the users should find no difference between logging in from Windows or Linux. They should get possibly identical files, folder mappings etc.

Thanks for your patience and sorry if I annoy you.

Cheers
 
Old 01-24-2011, 11:13 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
There's some good HOWTOs/info here on LDAP and Samba; might be worth a read or just as a ref: http://www.linuxhomenetworking.com/
 
Old 01-25-2011, 02:22 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
There's really no such thing as a "single sign on" server. SSO is about being able to integrate applications and browser access and such, this doesn't come from a server. It's generally underpinned by Kerberos technologies, but across multiple operating systems, it's really not something you should strive for and think is a trivial thing to achieve. I think you're trying to obtain something that is not realistic in a normal budgeted IT environment, as nice and utopian as the ideas are.
 
Old 01-26-2011, 05:14 AM   #8
guna_pmk
Member
 
Registered: Sep 2008
Posts: 220

Original Poster
Rep: Reputation: 5
Hi Chris(s),

Thanks very much for your responses. I hope I have a better understanding of the setup (but not complete, for which I have a long way to go).

I am trying out different setups and I shall come up with questions in future. Until then I mark this thread as solved.

Thanks for your time and support
 
  

