# How do I create a linux domain?

## cappycdn

Most info regarding the above subject is a windows domain with linux clients. I want to know how to create a linux domain with maybe a few windows clients but mostly linux clients.

Anyone have info or links to where I can figure out how to do this?

Thanx!

----------

## fvant

Can you be a bit more specific in what you're trying to do?

for example: 

a) linux machines sharing files

b) a bunch of machines in the same network domain e.g.  bla.net

c) 1 central repository of user information and authorisation

----------

## cappycdn

All of the above. I want to have network user accounts as opposed to local accounts (btw, can root have a network account or something similar to it, i.e. Domain Admin?). I want to have network shares and be able to access all filesystems of clients on the network. I will be using dynamic DNS for the domain from the internet. Any other answers needed? I assume this will be a collage of technologies to accomplish this, i.e. LDAP etc.

Also, all server related items will be linux/BSD. No Windows servers.

----------

## jmbsvicetto

Hi.

I think you should start reading on SAMBA, especially if you want to have windows clients. If not, NIS+NFS or LDAP might be enough for you.

About your question for root, although root might be an external account, I think that's a very bad idea. If you ever have any problem logging into the network, how will you be able to log in locally to solve the issues?

----------

## cappycdn

The local accounts would still exist and be available if necessary.

Forgive me but my Domain knowledge lies in the windows world so I am trying to apply that to a linux framework.

What I gather from above is that the only way for a windows client to be used in a 'linux domain' using NIS/NFS or LDAP is samba? I was under the impression samba is used to emulate windows server services (SMB/CIFS)? This is what I want to stay away from. No application available for a windows client to use NFS or the other protocols mentioned above?

Anyways the windows clients are not that important. I will search the forums/wiki etc for more info on the above linux protocols but if someone has a link to something specific that may foot my bill then please let me know here.

Thanks.

----------

## jmbsvicetto

Well, if you used SAMBA you would be likely using SMB/CIFS.

However, I talked about SAMBA because it can serve as the central authentication and authorization server. You could use instead NIS or LDAP for that role, but I think they're not the best option. NIS was never very good, in my opinion, and I think it doesn't work very well with windows clients. SAMBA can work as a Domain controller and offer more services than LDAP.

About the local versus network accounts, you must realize that unlike windows, there aren't local and remote accounts. Or to be more precise you can't have a local root and a network root. The users that exist locally cannot exist remotely. Therefore, root should always exist locally - if you have any problem connecting to the network server, you will still be able to login locally.

----------

## cappycdn

So what I am gathering from this is that I will be best served by creating a 'windows domain' using SAMBA to serve my needs?

I would have thought that for an OS touted for being natively network savvy there would be a linux implementation that would supersede that of SAMBA emulating windows.

As far as remote accounts go, I was looking for something along the lines of being able to log into a client with a remote account that would have similar permissions to root?

Thanx for your input...

----------

## cappycdn

Looks like this is going to be my best option...

http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Basic_Setup

----------

## GetCool

 *cappycdn wrote:*   

> Looks like this is going to be my best option...
> 
> http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Basic_Setup


Yeah, something like that would be your best bet with Windows clients.  You can achieve pretty similar functionality to Active Directory using Samba, and with LDAP on top, you can do a lot of nice things (integrate a mail server, etc.).

What you obviously won't get is the whole Active Directory "unified interface" (i.e. the Group Policy stuff, the Exchange integration, etc.).  I think, however, that everything you want to do can be implemented with a Linux backend, so I believe you're on the right path.

If you want me to try to help, let me know. I never actually implemented a Samba/LDAP replacement for Active Directory, but I researched it and was planning it before I decided to quit my Windows sysadmin job instead.

----------

## cappycdn

Well thanx for the future help... but I really didn't care if the windows clients could interact or not... wanted an 'active directory' type setup but only all linux. Guess that just doesn't exist... I am truly baffled.

----------

## jmbsvicetto

Well, I can understand your feeling, I also feel the same. However, you have to realize that although Unix/Linux are network beasts, they were never created for working on workgroups. Unix was mostly used as a company mainframe with dumb terminals, and Linux is mostly used as an infrastructure server or a replacement for windows servers. Since Linux Desktop is starting to gain momentum, we might start to see new options soon.

By the way, you can use NDS, novell directory e-service, SUN ... or other commercial products. They're just not open source or free. NDS is as old as AD and has always been thought to be better. Since I've never worked with NDS or netware, and I've yet to see it running on Linux, I can't comment on its merits and limitations.

----------

## GetCool

 *jmbsvicetto wrote:*   

> Well, I can understand your feeling, I also feel the same. However, you have to realize that although Unix/Linux are network beasts, they were never created for working on workgroups. Unix was mostly used as a company mainframe with dumb terminals, and Linux is mostly used as an infrastructure server or a replacement for windows servers.


While I agree with this general statement, I fail to see what a Windows-based AD infrastructure can do that Linux can't.

With Samba, you can have your virtual PDC.

With LDAP, you have your directory lookups (and keep in mind that AD was built to be LDAP-compliant).

With bind servers, you have your domain name lookups.

With any mail server of your choice, you have your email.

After that, it's all a matter of configuring things (give your machines some host names, set up group-level access to file servers, etc.).

The biggest thing that administrators miss from Active Directory is the central interface to everything.  All your user/group permissions for everything are right there, Exchange integrates with the directory, DNS is integrated as a requirement for the "domain", etc.  And I can see how this is an advantage (although AD can get extremely complex, and quickly become more of a pain than it's worth).

My point is that with some work, you could have an entirely Linux-based infrastructure that would serve Windows clients just fine.  About the only thing I can think of that couldn't be used on the client side is the Outlook mail client (with its Exchange server functionality, that is); although I hear the drop-in Exchange replacements with MAPI connectors are coming along these days.

----------

## Diezel

The only problem I've found using LDAP is that it does not store any passwords locally. This might not be a problem for everyone, but for a laptop user going out of the corporate network it is.

Windows is easier since it stores a few users in a local repo, this way if the domain controller cannot be contacted it will check the local repo.

Otherwise LDAP works nicely; it's of course a lot more work to set up than AD.

----------

## jmbsvicetto

You didn't understand my comment.

 *GetCool wrote:*   

> While I agree with this general statement, I fail to see what a Windows-based AD infrastructure can do that Linux can't.

I wasn't stating that Linux can't replace, at least in part, AD for windows clients.

What I was saying, and what I miss, is that there are still no similar AD technologies that work for Linux servers and clients. It would be good if it could also work with windows clients. At this time, I know of several solutions that are starting to appear for Linux, but most are just starting. Samba can obviously work for Linux, but it has been mostly developed for Windows. I would like to see it starting to care more for Linux.

Then there are the commercial alternatives. Novell pushing NDS into Linux is an example. I think SUN also has a solution for Linux. These might be good solutions, but they're not open source or free. I'm hoping that we might start to see some open source solutions soon.

----------

## cappycdn

Glad I could start a debate.

Ok... I thought it was just me missing something but I will proceed with the Samba/LDAP project. I look forward to a complete linux solution to give AD a run for its money.

----------

## GetCool

 *Diezel wrote:*   

> The only problem I've found using LDAP is that it does not store any passwords locally. This might not be a problem for everyone, but for a laptop user going out of the corporate network it is.


The PAM module pam_ccreds is supposed to take care of this, although I've never actually tried it so I can't say how well it works.

 *jmbsvicetto wrote:*   

> What I was saying, and what I miss, is that there is still no similar AD technologies that work for Linux servers and clients.


I guess I still don't understand exactly what sort of technology you're after.

If you mean that there is no Linux-based AD replacement, which would have a similar interface with all network resources under your control all in one place, then yes, I'll agree that there is no Linux-based solution.

But between LDAP, Samba and DNS, you can have all the functionality of a Windows AD domain for both Windows and Linux clients.  Of course, your administration tools will never be the same, and instead of working nearly exclusively on the PDC, you'll have to configure more servers individually.  So if this is what you mean when you say there are no sufficient AD replacements, then you're right.  But I guess it is up to the administrator/management to decide what the administration interface is worth to them.  As far as pure functionality goes, though, there's nothing really to be missed.
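Diezel's laptop problem and the cached-credentials approach GetCool mentions (pam_ccreds) come down to one mechanism: store a salted hash of the password locally only after a successful directory login, and consult it only when the directory cannot be reached. The following is an added illustration in Python, not pam_ccreds' code or anything posted in this thread; the directory is a constructed in-memory dict and its reachability is a flag passed by the caller.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the LDAP directory: username -> password.
DIRECTORY = {"alice": "correct horse battery staple"}

# Local credential cache: username -> (salt, hash). It is only ever written
# after the directory itself has accepted the password.
CACHE = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def directory_bind(username, password, reachable):
    """Simulated LDAP bind: True/False when reachable, None when offline."""
    if not reachable:
        return None
    return DIRECTORY.get(username) == password


def authenticate(username, password, directory_reachable):
    """Return "online", "cached" or "denied".

    Online: the directory decides, and the cache is refreshed or purged.
    Offline: only an entry created by an earlier online success can match.
    """
    result = directory_bind(username, password, directory_reachable)
    if result is True:
        salt = secrets.token_bytes(16)
        CACHE[username] = (salt, _hash(password, salt))
        return "online"
    if result is False:
        # Directory rejected the password: drop the stale cache entry so a
        # credential changed or revoked centrally stops working offline too.
        CACHE.pop(username, None)
        return "denied"
    entry = CACHE.get(username)
    if entry is None:
        return "denied"  # never logged in online from this machine
    salt, cached = entry
    if hmac.compare_digest(cached, _hash(password, salt)):
        return "cached"
    return "denied"
```

The order matters in practice: a machine that has never seen a successful online login has nothing to fall back on, which is the situation Diezel describes.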

----------

## Diezel

 *GetCool wrote:*   

>  *Diezel wrote:* The only problem I've found using LDAP is that it does not store any passwords locally. This might not be a problem for everyone, but for a laptop user going out of the corporate network it is.
> 
> The PAM module pam_ccreds is supposed to take care of this, although I've never actually tried it so I can't say how well it works.

Sweeeeet. I guess I'll have to dig out my docs and settings from the last trial and see if we might be able to start authenticating against LDAP.

----------

## jmbsvicetto

OK, to wrap up the debate, I'm not after AD tools nor its GUI.

As I've said in the beginning, I have no doubt that Linux can replace the infrastructure. I run a DNS server on Linux, although not for the Windows Domain currently, and I know DHCP can also run there - the ability to have a distributed database is also a "big advantage". I currently don't run any of those services on Linux for a 2K* domain, but I could and would like to if the circumstances were different.

What I've been really talking about is the "centralized management" and integrated tools. The ability to create a "Linux domain" where you had centralized user management, where one could easily "join a machine" to the domain, with group policies, with an improved WSUS - and I'm not advocating the use of binary packages - would be a "good thing", at least in my book!

----------

## GetCool

 *jmbsvicetto wrote:*   

> What I've been really talking about is the "centralized management" and integrated tools.


Okay, I see what you're saying, and I could see how this would be attractive to some administrators.  By "interface," however, I didn't just mean the AD GUI; I meant the whole set of management tools that the administrator would use.  I think that you and I are talking about the same thing; we just have differing opinions.

I personally can't stand the "centralized" aspects of AD, especially when your networks start getting somewhat complicated.  Maybe if it was done in a way that was actually intuitive, I'd find it useful.  But Microsoft takes the hierarchical security model to ridiculous extremities, and even their terminology is proprietary (tree, forest, enterprise, etc.).

Maybe if an open-source solution was developed that had a similar management interface, yet was entirely standards-compliant, I'd like it.  As you point out, however, no such tool exists currently.

I worked for five years administering a Windows-based network with AD, Exchange, IIS and friends.  It drove me crazy enough that if I could design the whole thing from the ground up, I wouldn't touch MS server products again.  As such, I may be biased, but I certainly look forward to seeing what kind of improvements can be made in the open source world.

----------

## jmbsvicetto

 *GetCool wrote:*   

> I think that you and I are talking about the same thing; we just have differing opinions.


I'm starting to think the same.

 *GetCool wrote:*   

> Maybe if an open-source solution was developed that had a similar management interface, yet was entirely standards-compliant, I'd like it.  As you point out, however, no such tool exists currently.
> 
> I worked for five years administering a Windows-based network with AD, Exchange, IIS and friends.  It drove me crazy enough that if I could design the whole thing from the ground up, I wouldn't touch MS server products again.  As such, I may be biased, but I certainly look forward to seeing what kind of improvements can be made in the open source world.

Well, I've been working with this environment for over 6 years, but I'm also not a fan of MS technology. As an example, I think that the GPO is a good thing and could be even better; I just feel that parts of it don't work, or worse, you can't depend on them working. The worst troubles I got were related to the software installation through GPO - that was with win2K, but the experience was so bad that I didn't dare to try it with win2k03.

I would also prefer to use non-MS proprietary solutions, but at this time, I think they still provide more features than other solutions - at least for some environments. I do eagerly await an open-source solution that is standards-compliant. I would do my best to switch over.

PS - I've had the "luck" of being able to avoid Exchange. However, I've heard the "horror reports". Oh, and I was able to avoid IIS also - in large part due to its security record.

----------

