Creating a domain: Samba, NIS, LDAP?
|
Author | Content |
---|---|
lderooy Mar 24, 2006 9:33 AM EDT |
My experience is in windows networks andI am a Linux newbie. Last month, I started exploring linux and so far I have created a linux computer that is working as my DHCP/router/firewall/proxy/content filter. I also have two workstations running linux (Suse 9.3 and 10.0) What I am looking for is the ablitliy of my computers to log onto a domain with a username and password. The domain controller (server) would handle the security and the user ids. If a user changes their password on one computer it should carry over to any other computer they log onto. The domain controller would also manage file shares with security. The workstations on the domain are mixed and use XP or linux (suse 9.3 and suse 10.0). The server is running Suse 9.3 but I could reformat it to windows server. There are at least three (I'm sure there are more)options for making a domain with mixed clients and a linux server: **Use Samba on the linux server which basically makes it emulate a Windows server. I assume that I could configure the Samba server to handel the user ids etc. and that I could run my linux box with a samba client as well. ** use NIS with the linux server and linux workstation. To get the windows client to connect run the MS NIS client. ** use openLDAP on the linux server and worstations. Which is the prefered method to manage a domain? It appears that NIS and LDAP are more native to the linux environment while the Samba is more native to the windows environment. |
cjcox Mar 24, 2006 9:49 AM EDT |
http://theendlessnow.com/ten/SSO It's extremely draft (I think Tom wanted me to post it as an article). Might help a bit. I use NIS because it is easy... and the document shows how the clear text encypted password issue of NIS is dealt with. But NIS doesn't scale well past 10,000 users... and the solution I present in the link above assumes a single AD Domain. I think it's a great solution for the SMB (if I can say SMB in a context where smb means something else). |
jdixon Mar 24, 2006 10:24 AM EDT |
If I were stuck implementing such a solution, I'd go with samba, simply because that lets you run umodified Windows boxes. IMO, modifying you Linux boxes to talk SMB is probably going to be a lot easier than modifying Windows boxes to talk NIS. |
lderooy Mar 24, 2006 11:25 AM EDT |
Remember, that I'm a linux newbie :-) Can a Linux Box running samba manage the authentication of windows and linux clients? for example, if a user changes thier password on a XP box will the change stick the next time they log onto a linux box? |
tuxtom Mar 24, 2006 11:40 AM EDT |
Samba alone will not do that, it is a proprietary "sharing" protocol/service, not a domain controller. I'd look into openLDAP for your heterogeneous needs, if you want to use linux for your domain controller. Samba will use LDAP for authenticating connections. This is not really a quick newbie setup, but I'm sure you could get it working with a little study and online help when you get stuck. Google is your friend. |
cjcox Mar 24, 2006 11:47 AM EDT |
The example I posted shows how to use pam_smb to authenticate to the Windows password server. The NIS server in the example runs on SUSE. The clients do not have to run a smbd or nmbd, but a valid smb.conf and joining to the Windows domain is wise for authentication. In my example, if the client is using pam_smb (running the pamsmbd with a valid /etc/pam_smb.conf and pam stack setup), then the passwords will be authenticated to the Windows Domain Controller IF you have a the options I listed in my sample smb.conf file. You can skip the DNS/DHCP stuff at the beginning if you want to get to the meat of things. It's wise to do away with M$'s DNS/DHCP since it fundamentally does not work for non-Windows Domain hosts. |
grouch Mar 24, 2006 12:14 PM EDT |
Samba's been able to function as a domain controller for a long time. Am I missing something in the discussion? |
cjcox Mar 24, 2006 12:20 PM EDT |
Certainly you can use Samba as a NT4 (emphasis, on NT4) domain controller. So, if an NT4 DC is all you need, you can certainly do that with Samba. The question is... will Vista work with an NT4 domain controller... probably not. Even WinXP has a couple of places where some registry changes are needed to work with a Samba style DC. |
grouch Mar 24, 2006 1:13 PM EDT |
Well, considering the only vistas I see are outside, I think I'd set up Samba 2 and see if it did what's needed. Personally, I'd nuke the MS machines, but some folks have to babysit those things for one reason or another. |
tuxtom Mar 24, 2006 5:07 PM EDT |
Sorry that my initial response was inaccurate. I was only trying to point someone new in the right direction, and ended up with my foot in my mouth. Here is a good breakdown of the current functionality of Samba as a domain controller, as well as some discussion regarding planned functionality for the future: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/s... |
grouch Mar 24, 2006 5:40 PM EDT |
tuxtom: Send me 3 mummified rats and I won't tell Herschel you admitted to biting your foot. |
Herschel_Cohen Mar 25, 2006 3:29 AM EDT |
Quoting: [grouch] ... and I won't tell Herschel [I] admitted to biting your foot. That will teach grouch! For listening in to private conversations. Caught you in the act, now what's your excuse? Mine is I am probably partially dyslexic. Top that. [Mistakenly called you grounch, before I caught it. Just have this thing about shell fish. You did say you were a crab, right?] [Would you have be angry with the typos I did catch. So I like em slow boiled, in salt water and sea weed, ship in an insulated container by FedEx.] |
jdixon Mar 25, 2006 5:42 AM EDT |
> Top that. I fell out of a moving vehicle and landed on my head when I was a child. |
tuxtom Mar 25, 2006 12:11 PM EDT |
...and who knew using Linux was just like tripping on acid... |
Herschel_Cohen Mar 25, 2006 1:43 PM EDT |
Sorry guys - it's imagination, I do not indulge in biochemically induced stupors. jd - yours might be the explanation closer to the truth. |
grouch Mar 25, 2006 2:59 PM EDT |
Is it harder to learn to samba than it is to just roll on the floor and twitch to the music? |
Herschel_Cohen Mar 26, 2006 4:48 AM EDT |
Quoting:[T]witch to the music We have the new dance sensaaattttiiiiooonnnnnnnnn: El'Groucho and "Twitch With the Music!!!" I thought this thread, began with a serious question. Was the interlocutor sufficiently informed or was he run out of here by the mad hatters? |
jdixon Mar 26, 2006 8:04 AM EDT |
> Was the interlocutor sufficiently informed or was he run out of here by the mad hatters? No idea, since he hasn't asked any more questions. lderooy, you still here? |
lderooy Mar 26, 2006 7:07 PM EDT |
I'm back. I see that the discussion got a little off track :-) Thanks for the input. I think that I will try to look at samba. This is a learning experience for me. I have been a NT administrator for the past 10 or so years administrating 3 different networks. I am just starting to learn Linux and would like to have some of the features that a NT type domain offers. I have to confess that the current network that I am experiementing on is my home network (4 computers: 2 Linux, 2XP, one linux server operating as router/firewall/web content filter/etc and a network attached external hard-disk. So my needs are not very large, but I would like to use this to learn the system and see how it compares to Windows server 2003 or 2000. It is interesting that if I have a mixture of computers (Linux and XP) that you recommend samba which mimics the functionality of a windows network. I guess this "must" be because Linux is more configurable than XP and it is easier to make Linux talk to XP than it is to make XP talk to linux (NIS or LDAP). Idealy I would say that I am phasing out XP and they will eventually be Linux boxes but I don't think that would happen for quite awhile. So far I have my family using Firefox, OpenOffice, Gimp and a few other open source applications - which is one reason why they appear to be able to switch between XP or Linux (SuSE 9.3/10) without much problem. If one only had Linux workstations and Linux servers then I assume that samba would not be recommended but rather NIS or LDAP in order to get a domain-like control of username/password management and security levels across a network. Or is there some other option for a pure linux network? If I had someone ask to set up a small network for a small business/school/church/group and they were currently using XP clients, then I can see setting up a samba server working as a primary domain controller would be a good option over a windows server. |
grouch Mar 26, 2006 7:30 PM EDT |
Samba outperforms MS Windows Server 2003.
http://www.itweek.co.uk/spotlight/1144289_graph See Samba's online guide. Example: "There are many and varied opinions regarding the usefulness of SWAT. No matter how hard one tries to produce the perfect configuration tool, it remains an object of personal taste. SWAT is a tool that allows Web-based configuration of Samba. It has a wizard that may help to get Samba configured quickly, it has context-sensitive help on each smb.conf parameter, it provides for monitoring of current state of connection information, and it allows networkwide MS Windows network password management." http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/S... SWAT is easier to use than that guide, though. Just fire it up in your browser and see. |
jdixon Mar 27, 2006 5:16 AM EDT |
> I guess this "must" be because Linux is more configurable than XP and it is easier to make Linux talk to XP than it is to make XP talk to linux (NIS or LDAP). Well, I've never played with Samba acting as a domain controller, so I can't speak from experience, but that would be my working hypothesis, yes. Since no one else has given any real world examples either, I assume they're in the same boat. I do know that it's been done. A quick Google search on Samba PDC howto turns up what looks like a bunch of useful hits: http://info.ccone.at/INFO/Samba-2.2.12/Samba-PDC-HOWTO.html http://www.unav.es/cti/ldap-smb-howto.html http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html http://www.sphaero.org/docs/w2k-samba-deploy-HOWTO.html http://samba.idealx.org/samba-ldap-howto.pdf http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ http://gentoo-wiki.com/HOWTO_Implement_Samba_as_your_PDC just on the first page. You'll probably want to take a look at the relevant ones for you're version of Samba. > If one only had Linux workstations and Linux servers then I assume that samba would not be recommended but rather NIS or LDAP in order to get a domain-like control of username/password management and security levels across a network. Since NIS is effectively built-in to Linux, I'd say yes, but since you never know when you'll want to add a Windows machine for some specific task, you might still wish to go with Samba in such a case, to preserve your options. |
energyradio Apr 03, 2006 2:33 PM EDT |
lderooy, Im glad there is someone else looking to do the same as me! I use "SMB Server" and wanted to go fully opensource - but have 2 machines running Windoze that I cant move over... yet! Did you manage to authenticate Suse 10.0 using an NT username. The only issue I do know exists (and I cant find a way around it easily at the moment) is that you can't change the password in Suse to replicate back to SMB Server (which is using Samba as it turns out!) If you did can you let me know how - like you Im a noob to Suse and Linux (but loving it)! Once I can do it with a small network of 20 machines then I move onto bigger fish (1,000 call centre :D) |
lderooy Apr 10, 2006 8:46 AM EDT |
Here's an update: I created a domain on my linux server and have my XP laptop authenticating to it. I was suprised to find that it even kept track of my profile (as in roaming profiles). I was away for spring break and will now continue to work with it during my spare time. My next task is to try to get my linux workstation to authenticate to it. So I currently don't know the answer to energyradio's question. |
You cannot post until you login.