Linux / Unix equivalent to Windows Domain

Discussion in 'Linux Networking' started by Johann Höchtl, Jun 8, 2006.

  1. Hello!

    What would be the equivalent to a Windows Domain in the Unix world?
    What services / packages do I have to look up?
    What services would I have to set up if I had to manage a
    large Unix / Linux network and would like to have single sign-on and
    common settings for applications and home directories automatically set
    up for all members of this network?

    For those not familiar with the concept of a Windows domain: A Windows
    domain is a logical grouping of computers into a common realm. One
    special computer acts as the domain controller. On the domain controller
    you specify user settings and user rights (e.g. membership of groups),
    and you specify a home drive (a path which holds the user's settings and
    private data, ~ in Unix, to assure e.g. a common look and feel of
    applications). You can specify scripts which get executed when the user logs
    on. The domain controller also handles "policies", which are settings of
    e.g. applications. The user can log into all computers which are part of
    the domain, even simultaneously. The best thing is that you can very
    easily join a domain (given that you have the right to join a new
    computer to a domain) and your computer will inherit all common settings
    which have been made for members of the domain. At log on you have the
    ability to specify "log on locally" or "log on using domain".

    All I have found so far is NIS, superseded by NIS+, which does not seem
    to have reached production quality on Linux. Some mention Kerberos, but
    is it meant to be a replacement of NIS?

    Thank you,

    Johann
     
    Johann Höchtl, Jun 8, 2006
    #1

  2. Samba. www.samba.org
    Davide
     
    Davide Bianchi, Jun 8, 2006
    #2

  3. No. Samba is about making a Linux host mimic a Windows computer. I was thinking
    about the equivalent tools or services needed to do things the
    Unix/Linux way, not to mimic the Windows world.
     
    Johann Höchtl, Jun 8, 2006
    #3
  4. There is no such thing in the Unix world. If you think about it
    a little bit, you'll realize that you need a "domain" and "policies"
    ONLY if you think of having a "client", that is a computer with its
    own OS that is disconnected from the "server". The idea behind Unix
    is that you have one server and users that don't have their own
    OSes, but merely log in and use the applications on the server through
    dumb terminals. You need something like that only if you want to
    use Unix/Linux with Windows clients; at that point you NEED to mimic
    the Windows way because Windows clients only know that way.

    Davide
     
    Davide Bianchi, Jun 8, 2006
    #4
  5. Johann Höchtl

    Juha Laiho

    User rights: LDAP (user information, group information)
    Authentication database: Kerberos

    LDAP can be used for quite a lot of additional tasks as well; it's
    a general access format for directory-type data.
    Home directories: NFS+automount, or possibly AFS
    Scripts to execute will always be the combination of system-wide
    session start scripts (per-system, in /etc) and per-user session
    start scripts (stored in the home directory). It is, of course, possible
    to have a disk mounted on all nodes (or a set of files replicated
    across all nodes) to provide some common startup actions.
    No, there is no separate local/domain authentication in Unix.
    The root password should be stored locally for obvious reasons,
    as well as information on some system accounts, but all the
    regular end-user account data should be on LDAP+Kerberos.
    Yes, NIS can handle this as well (with support from NFS and automount);
    much depends on how well you can trust your users (as there are some
    security problems in using NIS).
     
    Juha Laiho, Jun 8, 2006
    #5
  6. Johann Höchtl

    Unruh

    NFS mounting of the home directory and using NIS for authentication.

    Apollo (an old Unix system) used to have that. It was tremendously insecure.
    Sorry, why do you claim it is not production quality?
     
    Unruh, Jun 8, 2006
    #6
  7. Ok, I understand the fundamental distinction. So in order to manage e.g.
    100 users I would assign them dumb terminals (simple computers) and all
    applications are executed on the server.

    Sounds reasonable when the users restrict themselves to ssh and shell access.


    What are the keywords I have to google for if I would like to give them
    the same user experience when they use KDE, GNOME, <insert favourite WM
    here>? Does Linux (here: KDE) have something like a built-in terminal server
    capability? A very small local infrastructure only to bootstrap into the
    "remote KDE" where home lives and the available applications are installed.

    Johann
     
    Johann Höchtl, Jun 8, 2006
    #7
  8. Actually found this to be very helpful:
    http://www.ofb.net/~jheiss/krbldap/howto.html

    Underlines what you think.
    Thanks for the in-depth explanation.
     
    Johann Höchtl, Jun 8, 2006
    #8
  9. On most pages I have found so far it is written that the adoption of Sun's
    NIS+ by Linux distributors and the OSS community is slow. Though
    this does of course not mean that it's not a rock-solid system in the
    Sun world.
     
    Johann Höchtl, Jun 8, 2006
    #9
  10. As of Windows 2000, Windows domains are Kerberos realms, with an LDAP
    directory thrown on top, which Windows calls AD. Lots of Linux distros
    have some basic Kerberos functionality built in, but hardly any
    applications are Kerberos-enabled to take advantage of the single
    sign-on capability it provides.
     
    Allen Kistler, Jun 9, 2006
    #10
  11. Johann Höchtl

    Bill Marcum

    When you use the X Window system, the machine with the display is an X
    server. You can run applications on other machines using your local
    machine as a display.
     
    Bill Marcum, Jun 9, 2006
    #11
  12. DCE?

    Even so, I'd look at Kerberos, NIS (or LDAP), DNS, NTP, and NFS (or AFS):
    http://www.vanemery.com/DAS/DAS-manual.html

    [snip]
    SSH and XDM... Plus (at least) the latest Debian and Fedora distros include
    a bunch of GSS and/or SASL enabled applications that can.

    Would be nice should some krb ticket fetching (lib)nss_*.so.2 that wraps
    the get[spg]*() functions exist for this, in addition to libnss_pts:
    http://tarna.oit.unc.edu/~utoddl/
     
    Menno Duursma, Jun 9, 2006
    #12
  13. Well, assuming you want your login(s) authenticated against a realm, and
    fetch a ticket for single sign-on: you either have to use kerberized
    versions of all programs that 'login', install/configure pam_krb5, or use
    Samba's libnss_winbind.

    With distros that don't include PAM (e.g. Slackware) the latter may even
    be the easiest way, since in that case you'd only have to install the
    (Heimdal or MIT) Kerberos libs and recompile Samba against them, configure
    winbindd, maybe download a 'kerberos travel kit' (for clients).

    And use NIS (or LDAP) for user/group identification only.
     
    Menno Duursma, Jun 9, 2006
    #13
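Posts #5 and #13 describe the same split: identity (passwd/group) from LDAP, NIS or winbind, authentication through Kerberos (pam_krb5) or winbind, and root kept in local files. The following is an added example, not code from anyone in the thread, that parses constructed nsswitch.conf and PAM fragments and reports where a host deviates from that split; the sample configurations, the finding texts and the function names are the example's own.

```python
"""Audit the identity/authentication split recommended in this thread: identity from
LDAP/NIS/winbind, authentication via pam_krb5 or pam_winbind, root in local files."""

NETWORK_SOURCES = {"ldap", "nis", "winbind"}

def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered source list,
    dropping comments and status actions such as [NOTFOUND=return]."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            databases[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases

def parse_pam(text):
    """Return (type, control, module) triples from a PAM service file."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            rules.append(tuple(parts[:3]))
    return rules

def audit(nsswitch_text, pam_text):
    """Return findings; an empty list means the split is configured as described."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        sources = nss.get(db, [])
        if not NETWORK_SOURCES & set(sources):
            findings.append(f"{db}: no directory source (ldap/nis/winbind)")
        if sources[:1] != ["files"]:
            findings.append(f"{db}: 'files' must come first so root resolves without the network")
    if NETWORK_SOURCES & set(nss.get("shadow", [])):
        findings.append("shadow: password hashes served from the directory; let Kerberos hold credentials")
    auth_modules = {m for kind, _ctrl, m in parse_pam(pam_text) if kind == "auth"}
    if not auth_modules & {"pam_krb5.so", "pam_winbind.so"}:
        findings.append("auth: neither pam_krb5.so nor pam_winbind.so in the auth stack")
    if "pam_unix.so" not in auth_modules:
        findings.append("auth: no pam_unix.so fallback for the local root account")
    return findings

# Constructed samples (not from any real host): the recommended split, then
# the NIS-only style the thread warns about (hashes on the wire, no Kerberos).
NSSWITCH_OK = "passwd: files ldap\ngroup: files ldap\nshadow: files\n"
PAM_OK = "auth sufficient pam_krb5.so\nauth required pam_unix.so try_first_pass\n"
NSSWITCH_NIS = "passwd: nis files\ngroup: nis files\nshadow: nis files\n"
PAM_NIS = "auth required pam_unix.so\n"
```

Pointing `audit()` at the contents of a host's real `/etc/nsswitch.conf` and login PAM service file turns it into a quick check that the network only supplies identity and that root still logs in when the directory and KDC are unreachable.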
  14. That was a good link ... wasn't aware of that site. Will investigate
    further in this topic. Thank you!

    Regards,
    Johann
     
    Johann Höchtl, Jun 16, 2006
    #14