Linux / Unix equivalent to Windows Domain

Hello!

What would be the equivalent to a Windows Domain in the Unix world?
What services / packages have i to look up?
What services would i have to set up, when i would have to manage a
large unix / linux network and would like to have single sign on and
common settings for applications and home directories automatically set
up for all members of this network?

For those not faimiliar with the conecept of a windows domain: A Windows
domain is a logiacl grouping of computers into a common realm. One
special computer acts as the domain controller. On the domain controller
you specify user settings and user rights (eg. membership of groups),
and you specify a home drive (a path which holds the users settings and
private data, ~ in unix, to assure a eg. a common look and feel of
applications). You can specify scripts which get executed when he logs
on. The domain controller also handles "policies", which are settings of
eg. applications. The user can log into all computers which are part of
the domain even simultanously. The best thing is that you can very
easily join a domain (given, that you have the rigt to join a new
computer to a domain) and your computer will inherit all common settings
which have been made for members of the domain. At log on you have the
ability to specify "log on locally" or "log on using domain"

All I have found so far is NIS, superseeded by NIS+ which does not seem
to have reached production quality on linux. Some mention Kerberos, but
is it ment to be areplacement of NIS?

Thank you,

Johann

On 2006-06-08, Johann Höchtl <(E-Mail Removed)> wrote:
> What would be the equivalent to a Windows Domain in the Unix world?

Samba. www.samba.org
Davide

--
The gates in my computer are AND, OR and NOT; they are not Bill.

Davide Bianchi wrote:
> On 2006-06-08, Johann Höchtl <(E-Mail Removed)> wrote:
>> What would be the equivalent to a Windows Domain in the Unix world?
>
> Samba. www.samba.org
No. Samba is about to mimic a linux host a windows computer. I was think
about the equivalent tools or services needed to do things the
unix/linux way, not to mimic the windows world.
> Davide
>

On 2006-06-08, Johann Höchtl <(E-Mail Removed)> wrote:
> about the equivalent tools or services needed to do things the
> unix/linux way, not to mimic the windows world.

There is no such thing in the Unix world, if you think about it
a little bit, you'll realize that you need a "domain" and "policies"
ONLY if you think to have a "client" that is a computer with his
own OS that is disconnected from the "server". The idea behind Unix
is that you have one server and users that don't have their own
OSes, but merely login and use the applications on the server throught
dumb terminals. You need something like that only if you want to
use Unix/Linux with Windows clients, at that point you NEED to mimic
the Windows way because Windows clients only know that way.

Davide

--
Windows hasn't increased computer literacy. It's just lowered the standard.
-- From a Slashdot.org post

=?ISO-8859-1?Q?Johann_H=F6chtl?= <(E-Mail Removed)> said:
>What would be the equivalent to a Windows Domain in the Unix world?
....
>For those not faimiliar with the conecept of a windows domain: A Windows
>domain is a logiacl grouping of computers into a common realm. One
>special computer acts as the domain controller. On the domain controller
>you specify user settings and user rights (eg. membership of groups),

user rights: LDAP (user information, group information)
authentication database: Kerberos

LDAP can be used for quite a lot of additional tasks as well; it's
a general access format for directory-type data.

>and you specify a home drive (a path which holds the users settings and
>private data, ~ in unix, to assure a eg. a common look and feel of
>applications).

Home directories: NFS+automount, or possibly AFS

>You can specify scripts which get executed when he logs on. The
>domain controller also handles "policies", which are settings of
>eg. applications.

Script to execute will always be the combination of system overall
session start scripts (per-system, in /etc) and per-user session
start scripts (stored in home directory). It is, of course, possible
to have a disk mounted on all nodes (or a set of files replicated
across all nodes) to provide some common startup actions.

>The user can log into all computers which are part of
>the domain even simultanously. The best thing is that you can very
>easily join a domain (given, that you have the rigt to join a new
>computer to a domain) and your computer will inherit all common settings
>which have been made for members of the domain. At log on you have the
>ability to specify "log on locally" or "log on using domain"

No, there is no separate local/domain authentication in Unix.
Root password should be stored locally for obvious reasons,
as well as information on some system accounts, but all the
regular end-user account data should be on ldap+kerberos.

>All I have found so far is NIS, superseeded by NIS+ which does not seem
>to have reached production quality on linux. Some mention Kerberos, but
>is it ment to be areplacement of NIS?

Yes, NIS can handle this as well (with support from NFS and automount);
much depends on how well you can trust your users (as there are some
security problems in using NIS).
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

=?ISO-8859-1?Q?Johann_H=F6chtl?= <(E-Mail Removed)> writes:

>Hello!

>What would be the equivalent to a Windows Domain in the Unix world?
>What services / packages have i to look up?
>What services would i have to set up, when i would have to manage a
>large unix / linux network and would like to have single sign on and
>common settings for applications and home directories automatically set
>up for all members of this network?

nfs mounting of home directory and using NIS for authentication.


>For those not faimiliar with the conecept of a windows domain: A Windows
>domain is a logiacl grouping of computers into a common realm. One
>special computer acts as the domain controller. On the domain controller
>you specify user settings and user rights (eg. membership of groups),
>and you specify a home drive (a path which holds the users settings and
>private data, ~ in unix, to assure a eg. a common look and feel of
>applications). You can specify scripts which get executed when he logs
>on. The domain controller also handles "policies", which are settings of
>eg. applications. The user can log into all computers which are part of
>the domain even simultanously. The best thing is that you can very

Apolloi (an old Unix system) used to have that. It was tremendously insecure.

>easily join a domain (given, that you have the rigt to join a new
>computer to a domain) and your computer will inherit all common settings
>which have been made for members of the domain. At log on you have the
>ability to specify "log on locally" or "log on using domain"

>All I have found so far is NIS, superseeded by NIS+ which does not seem
>to have reached production quality on linux. Some mention Kerberos, but
>is it ment to be areplacement of NIS?

Sorry, why do you claim it is not production quality?



>Thank you,

>Johann

Davide Bianchi wrote:
> On 2006-06-08, Johann Höchtl <(E-Mail Removed)> wrote:
>> about the equivalent tools or services needed to do things the
>> unix/linux way, not to mimic the windows world.
>
> There is no such thing in the Unix world, if you think about it
> a little bit, you'll realize that you need a "domain" and "policies"
> ONLY if you think to have a "client" that is a computer with his
> own OS that is disconnected from the "server". The idea behind Unix
> is that you have one server and users that don't have their own
> OSes, but merely login and use the applications on the server throught
> dumb terminals.

Ok, I understand the fundamental distinction. So in order to manage eg.
100 users i would assign them dumb terminals (simple computers) and all
applications are excuted on the server.

Sounds reasonable when the users restrict them to ssh and shell access.


What are the keywords i have to google for if i would like to give them
the same user experience when they use kde, gnome , <insert fovourite WM
here>. Does linux (here: kde) have sthg. like a built-in-terminal server
capability? A very small local infrastructur only to boot-strap into the
"remote kde" where home lives and the available applications are installed.

Johann

Juha Laiho wrote:
> =?ISO-8859-1?Q?Johann_H=F6chtl?= <(E-Mail Removed)> said:
>> What would be the equivalent to a Windows Domain in the Unix world?
> ...
>> For those not faimiliar with the conecept of a windows domain: A Windows
>> domain is a logiacl grouping of computers into a common realm. One
>> special computer acts as the domain controller. On the domain controller
>> you specify user settings and user rights (eg. membership of groups),
>
> user rights: LDAP (user information, group information)
> authentication database: Kerberos

Actually found this to be very helpfull:
http://www.ofb.net/~jheiss/krbldap/howto.html

Underlines what you think.
>
> LDAP can be used for quite a lot of additional tasks as well; it's
> a general access format for directory-type data.
>
>> and you specify a home drive (a path which holds the users settings and
>> private data, ~ in unix, to assure a eg. a common look and feel of
>> applications).
>
> Home directories: NFS+automount, or possibly AFS
>
AFS = andrew file system?
>> You can specify scripts which get executed when he logs on. The
>> domain controller also handles "policies", which are settings of
>> eg. applications.
>
> Script to execute will always be the combination of system overall
> session start scripts (per-system, in /etc) and per-user session
> start scripts (stored in home directory). It is, of course, possible
> to have a disk mounted on all nodes (or a set of files replicated
> across all nodes) to provide some common startup actions.
>
>> The user can log into all computers which are part of
>> the domain even simultanously. The best thing is that you can very
>> easily join a domain (given, that you have the rigt to join a new
>> computer to a domain) and your computer will inherit all common settings
>> which have been made for members of the domain. At log on you have the
>> ability to specify "log on locally" or "log on using domain"
>
> No, there is no separate local/domain authentication in Unix.
> Root password should be stored locally for obvious reasons,
> as well as information on some system accounts, but all the
> regular end-user account data should be on ldap+kerberos.
>
>> All I have found so far is NIS, superseeded by NIS+ which does not seem
>> to have reached production quality on linux. Some mention Kerberos, but
>> is it ment to be areplacement of NIS?
>
> Yes, NIS can handle this as well (with support from NFS and automount);
> much depends on how well you can trust your users (as there are some
> security problems in using NIS).

Thanks for the in-depth explanation.

Unruh wrote:

>
>> All I have found so far is NIS, superseeded by NIS+ which does not seem
>> to have reached production quality on linux. Some mention Kerberos, but
>> is it ment to be areplacement of NIS?
>
> Sorry, why do you claim it is not production quality?
>
On most pages i have found so far is written, that the adoption of linux
distrubutors and the ofs-community of nis+ from sun is slowly. Though
this does of course not mean that it's not a rock-solid system in the
sun world.
>
>
>> Thank you,
>
>> Johann

Johann Höchtl wrote:
> Hello!
>
> What would be the equivalent to a Windows Domain in the Unix world?
> What services / packages have i to look up?
> What services would i have to set up, when i would have to manage a
> large unix / linux network and would like to have single sign on and
> common settings for applications and home directories automatically set
> up for all members of this network?
>
> [snip]

As of Windows 2000, Windows domains are Kerberos realms, with an LDAP
directory thrown on top, which Windows calls AD. Lots of Linux distros
have some basic Kerberos functionality built in, but hardly any
applications are Kerberos-enabled to take advantage of the single
sign-on capability it provides.