Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
I have been playing around with different options for setting up a domain for a small network which has the opportunity of growing bigger in the near future.
The situation here is:
Currently there is going to be one physical server and multiple clients. The server must serve files to all possible clients. User should be able to log on from any platform with the same credentials and must have possibly identical directories mounted/mapped to his/her session, regardless of the platform he/she logs on from. In future any application should be able to be authenticated for the user (for example email, version control, bug tracking etc.).
Server must be Linux. Clients can be Windows XP, Vista, Windows 7 or any flavor of Linux.
After going through different options I got confused more.
Here are my questions - Is it possible to configure an LDAP only domain (without the use of samba) to which both Linux and Windows can join? If so is it efficient? If samba is needed should it be only for Windows clients or can it be for both Windows and Linux clients? Can we have NFS through LDAP for Linux and samba through LDAP for Windows? Do I need to join the clients to a domain to get authenticated or is it just enough to authenticate client to use the resources on the server(s)? Currently I am planning to use a Virtual authentication server (KVM) and am not sure whether to run the samba or not and if so not sure whether to run samba on a separate server from the LDAP server and configure samba to use the LDAP as the back end.
If I type more, I may confuse you more, so please let me know which points you need me to clarify.
LDAP has *nothing* to do with the concept of a domain that AD provides. It is not possible at all to do anything like a "join" of an LDAP server domain; it doesn't make sense outside of arbitrarily setting domain names on your system for DNS etc. Whilst you can use LDAP as the back end for all Linux user info and authorization, there is no actual act taking place to join a domain in any form. If you want centralized authentication under Windows then that's the Samba side of things for Windows, membership etc.
I can understand that LDAP is just an authentication method. As I have mentioned, is samba the only/right way for the Windows clients to get authenticated by an SSO server (in my case a Linux server)? Is there a way to log on to a Windows client using the LDAP credentials and access shared resources (like files, version control repository) on the server? In the case of samba with an LDAP back end, is samba used only to share files with Windows clients?
What is the difference between joining a client to a domain and getting a client authenticated through a sign on server? Which is better, efficient and standard practice?
Samba does all sorts of things with different components. Primarily it was designed for SMB file access, but then grew to cover being an AD domain controller replacement and being an AD domain member. So Samba is used for both kinds of interfacing, and you *could* use Samba for the purely Linux side too if you wished, as pointless as it is. If you want to log on to Windows using LDAP credentials, then you would have a Samba DC and that would be configured to use LDAP as its user info back end.
When you're authenticating to a domain you are utilizing Kerberos and other domain level mechanisms which will allow you that "single sign on" functionality, which means that essentially you receive a ticket from the DC which matches with your domain membership knowledge and you can then use this ticket to give to a third machine who will trust you. As for auth against LDAP, that's a simple one-off check; nothing persists outside of you passing a username and password against a central server.
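The distinction drawn above, a one-off password check against a central directory versus a ticket that a third machine can verify on its own, can be shown with a small toy model. This is an added example, not code from the thread, Samba, or Kerberos: the directory, "KDC" and services are constructed classes, the ticket is an HMAC-protected JSON blob rather than a real Kerberos ticket, and all user names, service names and passwords are made up.

```python
"""Toy model of LDAP-style bind checks versus ticket-based domain auth.

Constructed example: ToyDirectory, ToyKDC and ToyService are stand-ins,
not real LDAP/Kerberos implementations. The point is that a bind check
has to be repeated at every service, while a ticket is verified by the
service with its own shared key and never exposes the password.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = 32  # SHA-256 HMAC output length in bytes


class ToyDirectory:
    """Stands in for the LDAP server holding the user credentials."""

    def __init__(self):
        self._users = {}  # user -> (salt, pbkdf2 digest)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def bind(self, user, password):
        """One-off check, as in an LDAP simple bind: nothing persists afterwards."""
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))


class ToyKDC:
    """Issues service-bound tickets after a single credential check."""

    def __init__(self, directory):
        self.directory = directory
        self.service_keys = {}  # service name -> secret shared with that service

    def register_service(self, name):
        key = secrets.token_bytes(32)
        self.service_keys[name] = key
        return key

    def issue_ticket(self, user, password, service, lifetime=300):
        if not self.directory.bind(user, password):
            raise PermissionError("bad credentials")
        claims = {"user": user, "service": service,
                  "exp": int(time.time()) + lifetime}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.service_keys[service], body, "sha256").digest()
        return base64.b64encode(body + tag).decode()


class ToyService:
    """A file, mail or repository server that trusts the KDC's tickets."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def verify(self, ticket, now=None):
        """Return the user named in a valid ticket for this service, else None."""
        try:
            raw = base64.b64decode(ticket, validate=True)
        except ValueError:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, tampered, or issued for another service's key
        claims = json.loads(body)
        if claims.get("service") != self.name:
            return None
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None  # ticket lifetime has passed
        return claims["user"]


def demo():
    """Run both styles on constructed data and return the observed outcomes."""
    directory = ToyDirectory()
    directory.add_user("alice", "correct horse")  # constructed credentials
    kdc = ToyKDC(directory)
    files = ToyService("files", kdc.register_service("files"))
    mail = ToyService("mail", kdc.register_service("mail"))
    ticket = kdc.issue_ticket("alice", "correct horse", "files")
    # Tamper with the user name inside the ticket body; the HMAC no longer matches.
    raw = base64.b64decode(ticket)
    forged = base64.b64encode(raw.replace(b'"alice"', b'"mallory"')).decode()
    return {
        "bind_ok": directory.bind("alice", "correct horse"),
        "bind_bad": directory.bind("alice", "wrong"),
        "files_accepts": files.verify(ticket),
        "mail_rejects": mail.verify(ticket),
        "forged_rejected": files.verify(forged),
        "expired_rejected": files.verify(ticket, now=time.time() + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

In the model, the file server and the mail server each hold their own shared key, so a ticket for "files" is useless at "mail" and a tampered ticket fails the HMAC check; with bind-style authentication every one of those servers would instead have to relay the password to the directory on each access.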
Let's take an example case.
1) A single sign on server
2) A server in which files and source control repositories are stored to be shared across the network
3) An email server
So now, regardless of the platforms I log in from, if I want the facility of one-time log in but need access to files, repositories and emails, which of the above servers should act as a domain controller? 1 or 2? If samba is the PDC, for the above mentioned access pattern, should Linux clients join the domain? In your post you specify that using samba on Linux is pointless; how can I achieve the 'single sign on' from Linux clients?
As I have specified in my original post, the users should find no difference between logging in from Windows or Linux. They should get possibly identical files, folder mappings etc.
Thanks for your patience and sorry if I annoy you.
There's really no such thing as a "single sign on" server. SSO is about being able to integrate applications and browser access and such; this doesn't come from a server. It's generally underpinned by Kerberos technologies, but across multiple operating systems it's really not something you should strive for and think is a trivial thing to achieve. I think you're trying to obtain something that is not realistic in a normally budgeted IT environment, as nice and utopian as the ideas are.