Does Ubuntu/Linux have a login feature like Windows Domain Multiple Domain?

Asked by Rick Z

I am new to Linux. Wondering how to configure a Linux login feature like Windows (Domain) or Novell (NDS). Each login will pull the permissions for the specific user on the LAN. How does Linux do this if there are multiple Linux servers in one location? For example, when you log in to a Windows Domain, you gain specific permissions/files (network drives) from whichever Domain you log in to. For Novell, the login script will tell you which network drive can be mapped, or ZENworks will tell you which application is to be deployed for a specific user. Please help if Ubuntu has all these features available.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Marcus Trautwig
Chris Rowson (christopherrowson) said :
#1

Hi,

As of this moment, Ubuntu doesn't have a built-in GUI to join it to an Active Directory Domain. I believe that something is in development though.

If you don't mind editing config files however, you can set it up yourself.

There are a few tutorials on the internet which demonstrate how to authenticate to AD for example:

http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication

Rick Z (rickzhengfnf) said :
#2

Hi Chris,
Let's say I have two or more Ubuntu servers in my LAN. How could all the client boxes log in to each server? I guess what I mean is: if the client boxes are Windows or Linux OS, how could the client boxes mount the server resources? For example, a Windows server will have its client boxes join the domain. Novell will have each Windows workstation install the Novell Client for Windows application in order for the client boxes to mount/join the Novell Directory Services, NDS.
Thanks

Rick Z (rickzhengfnf) said :
#3

I went to samba.org and I think Samba will do it all: be a Domain controller, file server, and act as a print server as well. Are there any other applications that Ubuntu has for a Windows Domain controller and Novell Directory Services?

Marcus Trautwig (marcus-trautwig) said :
#4

Hi,

I think that the Windows Domain concept is based on these four major technologies hidden behind a GUI:
- Active Directory - A database containing all domain users and hosts (and maybe also some other stuff)
- Kerberos - Secure Single Sign On, so you only have to enter your username/password once
- SMB - Used for accessing network drives and printers on the servers
- WINS - Host name to IP resolution, so you can use host names and don't have to remember IP addresses

Ubuntu also has these technologies integrated: The Active Directory is based on LDAP (use "slapd"), Kerberos is a standard and there are multiple implementations available (gssapi, heimdal, ...), SMB and WINS are provided by Samba and printer access by Cups. You might succeed in building a working Windows Domain with these tools, but that will for sure be complicated and time consuming. And of course you are not forced to use a service for everything.

Of course there are also a lot of alternatives to all these services. LDAP can be replaced by NIS (for user authentication at least), Host name lookup can be done by MDNS (which is the default as of 7.04), instead of SMB one can use NFS or even another network filesystem or maybe just SFTP. And finally you don't have to use all these services, if you only want the same user name/password logins on any computer, then just use either LDAP or NIS. Kerberos can be left out if you don't mind entering the same password over and over again (it needs special client support anyway).

I think the easiest way to get something like a Windows Domain is by just using Samba on the servers and the "winbind" package on any machine. "winbind" connects to a so-called "password server" (one of your Samba servers) and does user authentication and host name resolution. Samba does the SMB and WINS parts. Kerberos is not really needed if you don't mind entering your password multiple times (even without Kerberos it's the same on any server). For printing services you still need Cups, which can be integrated into Samba or not (Cups servers are auto-detected by enabling "Browsing"). Detailed instructions for setting this up should be found in the Samba documentation.

Rick Z (rickzhengfnf) said :
#5

Hi Marcus,

Thank you for the excellent explanation. I will dig into your suggestion and go from there.

One last thing on my mind is that Windows or Novell (NDS) can address a user's permissions at the very first login. For example, if Joe logs in to the XYZ domain, he will get specific network resources and authentication. Therefore, if 20 computers join the XYZ domain with a certain group, they will have similar network resources and authentication. In other words, if I have an account in the XYZ Domain, I could go to any computer in my LAN (part of the XYZ Domain) and be able to log in without having to configure the local client PC. I could just log in as one of the user accounts in the XYZ domain. How about Ubuntu/Linux? What if I deploy 20 new computers (Windows OS or Ubuntu)? Will each computer be configured with a certain user/password? What if Joe switches from computer A to computer B, does that mean that computer B needs to add Joe's username/password? Please advise…

Best Marcus Trautwig (marcus-trautwig) said :
#6

Hi Rick,

As I understand your question, you want to have your user accounts unified all across your LAN. This is possible with either LDAP, NIS or Samba. With either solution, one of your computers acts as an "authentication" server and all other computers send the users' authentication credentials (username/password) to this one. This server tells them whether to allow a user to log in or not.

So Joe can easily switch from computer A to any other computer on your LAN without the need to create an extra account on each computer. All accounts are stored on the auth. server. But remember that you have to initially set up any new computer to ask the auth. server if the user-supplied authentication credentials are correct (this is done by setting up PAM, you may have a look at /etc/pam.d/). Also, the server has to allow the clients to connect - this must also be done in Windows domains, new computers have to "join" your domain using a domain admin account. It's not (yet) as easy with Linux as it is with Windows though (there's lots of configuration file editing involved, at least when using LDAP; NIS and Samba should be easier).

Another problem that Joe has to deal with when switching computers is getting access to his files. It might be easier to also store them on a central "file" server. Please keep in mind that "mounting" central server storage on your client computers has to be done separately from the authentication stuff mentioned above. Your file server might use Samba (or NFS, but let's leave out SFTP as it needs a different setup) to hold any user's home directory within a single share. That share is mounted by the clients to /home on boot (using /etc/fstab), so that on any client computer /home/joe points to joe/ within the file server's share. Again, your file server has to accept connections by client computers, this has to be set up somehow. I believe Samba needs a separate account for each computer - as does Windows; NFS by default just accepts every connection which might be a security hole.

Finally, I would recommend you to read a book or tutorial before setting up something like this. Afterwards, try setting it up in virtual machines using VMware or VirtualBox. I would recommend you to start out with Samba, as there is lots of documentation available for this one. [1] not only explains the simplest basics but also helps in installing the setup explained above. It might take some time to read though :-). A printed document might be easier to read than an online tutorial collection, so I found [2], which is a book linked from the Samba website (your favorite bookstore should offer the third edition, the online version is the second one). [3] and [4] are community sites where you might get some tutorials. Have a look on [3] first as it's Debian specific (and should also apply to Ubuntu).

[1] http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
[2] http://www.samba.org/samba/docs/using_samba/toc.html
[3] http://www.debian-administration.org/
[4] http://www.howtoforge.com
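
The answer above raises the concern that an NFS file server holding everyone's /home may accept connections from any client. The following is an added example, not part of the original thread: a small Python audit of `/etc/exports`-style text that flags exports open to every host and exports with `no_root_squash`. The function name `audit_exports` and the sample export lines are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content (not from the original thread).
SAMPLE_EXPORTS = """\
# home directories for the LAN clients
/home        192.168.1.0/24(rw,sync,root_squash)
/srv/shared  *(rw,sync)
/srv/pub     (ro)
/srv/build   buildhost(rw,no_root_squash) \\
             192.168.1.50(ro)
/srv/open
"""

# One client entry: optional host spec followed by optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")


def audit_exports(text):
    """Return a list of (path, client, finding) tuples for risky exports."""
    findings = []
    # Join backslash-continued lines, then drop comments and blanks.
    logical = re.sub(r"\\\n", " ", text)
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        # A path with no client list is exported to every host.
        for client in clients or [""]:
            m = CLIENT_RE.match(client)
            if m is None:
                findings.append((path, client, "unparseable client entry"))
                continue
            host = m.group("host")
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            label = host or "(any)"
            world = host in ("", "*")
            if world:
                findings.append((path, label, "exported to every host"))
            if world and "rw" in opts:
                findings.append((path, label, "world-writable export"))
            if "no_root_squash" in opts:
                findings.append((path, label, "root on client is root on server"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:16} {finding}")
```

Restricting the /home export to the LAN subnet or to named client hosts, as in the first sample line, produces no findings.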

Rick Z (rickzhengfnf) said :
#7

Thanks Marcus Trautwig, that solved my question.