Linux Sysadmins: Is there an "Active Directory" for Linux?

djBon2112 (Supreme [H]ardness, joined Jul 29, 2006)
After learning more about Active Directory and Windows domains in my Windows Administration class, I'm interested in trying something like this out. The issue: I use Linux on all my machines :p Is there a similar concept in Linux that I'm not aware of? I've never heard of anything.
 
Try OpenLDAP. It is very clunky. I don't think AD will ever go away. If you don't have a site license in your company, you are better off only buying licenses for the DCs and setting the Linux servers up as standalone servers joined to the domain. That will save you some money. AD integration with Kerberos for Linux went through a lot of headaches in the last few years. Everything should work fine.
 
Well, I just want to add first of all that I'm only a home user: I've got about 3 computers I'll be using this with. I'm really just interested in stuff like roaming profiles and shared folder quotas. My server is Linux (Ubuntu 8.04) and all the clients are also Linux (Ubuntu 8.10).
 
Basically the majority of the parts that make up Active Directory are standard tech such as LDAP, Kerberos, and DNS. While the Windows-specific RPC protocols aren't there, you can use LDAP to handle the user/group details, Kerberos for authentication (or LDAP if you want), and then NFS to handle the roaming profiles.
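As an added example (not from any poster in this thread), here is what the LDAP-plus-NFS split above looks like on the Linux side: an RFC 2307 posixAccount entry with its uidNumber allocated from what is already in the directory, and the matching /etc/exports line for the roaming homes. The suffix dc=home,dc=example, the 192.168.1.0/24 subnet and the two existing entries are assumed; the point of allocating UIDs from the directory is that with plain AUTH_SYS NFS the server trusts whatever numeric UID a client presents, so every machine has to agree on them.

```shell
#!/bin/sh
# Added example: RFC 2307 user entry for the LDAP side and an NFS export for
# the roaming /home. With AUTH_SYS NFS the server trusts the numeric UID the
# client asserts, so the directory must be the single authority for
# uidNumber/gidNumber on every machine; never hand-assign UIDs per host.
BASE_DN='dc=home,dc=example'        # assumed suffix

# Constructed sample of what is already in the directory (two users).
EXISTING_LDIF='dn: uid=alice,ou=People,dc=home,dc=example
uidNumber: 10000
gidNumber: 10000

dn: uid=bob,ou=People,dc=home,dc=example
uidNumber: 10001
gidNumber: 10000
'

# Next free uidNumber: one above the highest in use, never below 10000 so
# it cannot collide with local system accounts in /etc/passwd.
next_free_uid() {                   # ldif-text -> number
    printf '%s' "$1" | awk '
        BEGIN { max = 9999 }
        /^uidNumber:/ && $2 > max { max = $2 }
        END { print max + 1 }'
}

# posixAccount entry for a new user; the home path is the NFS-mounted one.
posix_user_ldif() {                 # name uidNumber gidNumber
    printf 'dn: uid=%s,ou=People,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\n' "$1" "$1"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$2" "$3"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n' "$1"
}

# /etc/exports line: root_squash keeps root on a client from acting as root
# on the shared homes; no_root_squash would hand that out to every desktop.
nfs_export_line() {                 # dir subnet
    printf '%s %s(rw,sync,root_squash,no_subtree_check)\n' "$1" "$2"
}

UID_NEW=$(next_free_uid "$EXISTING_LDIF")
posix_user_ldif carol "$UID_NEW" 10000
nfs_export_line /home 192.168.1.0/24
```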
 
Check out Novell eDirectory, they've even written a PDF comparing it to AD: http://www.novell.com/collateral/4621396/4621396.pdf
eDirectory sucks. I support that right now.

Don't get me wrong, it's rock solid...mostly. But the management tools fucking suck. Can I do this through ConsoleOne? Or how about iManager? Or is it remote manager? Or do I have to get on the console and use monitor?

I've done about equal time supporting both, and I much prefer Active Directory. For what it does, it is the cutting edge in desktop management.
> Well, I just want to add first of all that I'm only a home user: I've got about 3 computers I'll be using this with. I'm really just interested in stuff like roaming profiles and shared folder quotas. My server is Linux (Ubuntu 8.04) and all the clients are also Linux (Ubuntu 8.10).
Check out Fedora's LDAP server, it's pretty spiffy. Then, all you need is NFS for your file sharing and you're good to rock.

Now, you don't get workstation management like you do with active directory and windows. You can basically control everything through the file shares, but it's not nearly as easy as with an AD domain.
 
A lot of people at my school bash AD. Even my school is on a Samba AD with LDAP authentication. Is the cost of Win server licenses really bad compared to Novell, or even worth it if you can use Open Source?
 
> eDirectory sucks. I support that right now.
> Don't get me wrong, it's rock solid...mostly. But the management tools fucking suck. Can I do this through ConsoleOne? Or how about iManager? Or is it remote manager? Or do I have to get on the console and use monitor?

Novell Netware 3.x and 4.x were great. New shit is crap. Novell only has Suse going for them. Of course, it was a purchase.
 
> Novell Netware 3.x and 4.x were great.
I'll give you 3.x. With the 4 series they had just introduced the directory (instead of the bindery), and it was absolute shit. And while it eventually stabilized, the damage was done.

Right about that time MS came up with their stuff that was more polished, and Netware, not seeing the writing on the wall, screwed their customers over by charging full price for a .1 patch upgrade.

> A lot of people at my school bash AD. Even my school is on a Samba AD with LDAP authentication. Is the cost of Win server licenses really bad compared to Novell, or even worth it if you can use Open Source?
Yes, absolutely. I'll give you a few reasons:

1) Administration overhead. Active Directory makes managing the desktops easier than simply pushing registry keys via a login script.

2) Easier to find Windows admins. Let's face it, Active Directory is far easier to administrate than LDAP+Samba.

3) More versatility in software integrations; a lot of apps out there use Windows/AD authentication. While you can sometimes trick them into working with the home-brewed stuff, that's not always the case.

While I certainly wouldn't shy away from LDAP+Samba, if I have a lot of Windows desktops to manage I'm going to want AD to do it with. Makes my job so much easier.
 
Use OpenLDAP and Samba for Linux servers and Windows clients, and OpenLDAP and NFS for Linux servers and Linux clients.

Use Webmin for general server admin and phpLDAPadmin to add your users etc.

Don't get me wrong, it's a real pain in the arse no matter how you do this on Linux.
 
> A lot of people at my school bash AD. Even my school is on a Samba AD with LDAP authentication. Is the cost of Win server licenses really bad compared to Novell, or even worth it if you can use Open Source?

For a school especially there's no reason not to run AD; you pretty much pay nothing for any Microsoft product with an education or non-profit discount.
 
> I'll give you 3.x. With the 4 series they had just introduced the directory (instead of the bindery), and it was absolute shit. And while it eventually stabilized, the damage was done.
3.12 was so freaking sweet and stable. Some servers I was babysitting were up for 2.5 years. Things just worked, since it is DOS-based and you only have to copy the exe and com files to get it working. The best part is that in pre-95 days, it was so simple to set up a batch file to make Win3.x clients run off the server without a hard disk. Talk about the days of maintaining 250 or more clients with one administrator. Those days are over, thanks to bloated client OSes. Most admins would start committing suicide if they were given that much workload.

4.x had serious growing pains because of Novell's Intranetware client. Microsoft purposely released a client for 4.x that totally broke everything. That is when the war between Windows and Netware grew stronger. MS realized they could use the power of being the dominant desktop player to gain an advantage in the server market. This led to so many client software revisions for Netware 4.x. That is why so many nightmares set in for admins: revisiting the client desktops every few months to install a new client app. 4.x improved with age, but Intranetware went through nightmares. That is why so many people switched to the NT platform.

> Right about that time MS came up with their stuff that was more polished, and Netware, not seeing the writing on the wall, screwed their customers over by charging full price for a .1 patch upgrade.

> Yes, absolutely. I'll give you a few reasons:
>
> 1) Administration overhead. Active Directory makes managing the desktops easier than simply pushing registry keys via a login script.
>
> 2) Easier to find Windows admins. Let's face it, Active Directory is far easier to administrate than LDAP+Samba.
>
> 3) More versatility in software integrations; a lot of apps out there use Windows/AD authentication. While you can sometimes trick them into working with the home-brewed stuff, that's not always the case.
>
> While I certainly wouldn't shy away from LDAP+Samba, if I have a lot of Windows desktops to manage I'm going to want AD to do it with. Makes my job so much easier.

AD is pretty good, but it isn't perfect. It has lots of options and tools, but it is so bloated that things do break easily and fall apart. Here is how I look at things. If the client OSes are Linux and OS X, there is no need for AD at all. OS X is a drag-and-drop installer; installing apps is just a simple copy and paste. Linux has SSH, so if you implement firewall rules on the desktop to trust a certain IP address, such as the admin's desktop and username, and it holds the public key matching the admin's private key, you can launch an automated script that will install all the machines on the network within an hour. You can even set up a cron job to grab a new public key from a certain machine's shared folder. Windows can be very painful to maintain when the application isn't an MSI installer. Sometimes, converting the exe installer to MSI and dumping registry settings and profile settings across the network can cause headaches. There isn't a perfect desktop maintenance solution in this world. That is why I have always been a believer that desktops need to constantly get thinner, not bigger.
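The post above has a cron job pull new admin public keys onto every desktop. As an added example (not the poster's own script), this checks the pulled authorized_keys file before installing it, so that whoever can write to that shared folder does not automatically get a login on every machine: each key must carry a from= option pinned to the admin desktop the firewall rule already trusts and must be a well-formed key of an expected type. The admin address 192.168.1.10 and the key material are constructed for the example.

```shell
#!/bin/sh
# Added example: validate a pulled authorized_keys file before a cron job
# installs it. Every key must be pinned with from= to the admin desktop the
# desktop firewall already trusts, and must be a well-formed key of an
# expected type; anything else is rejected and nothing is installed.
ADMIN_HOST='192.168.1.10'            # assumed admin desktop address

# Reads an authorized_keys file on stdin; exits 0 only if every line passes.
validate_authorized_keys() {
    awk -v host="$ADMIN_HOST" '
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blanks
        $1 ~ /^(ssh-ed25519|ssh-rsa)$/ {               # key type first: no options
            bad++; print "line " NR ": no from= restriction" > "/dev/stderr"; next }
        index($1, "from=\"" host "\"") == 0 {          # options present, wrong pin
            bad++; print "line " NR ": from= does not pin " host > "/dev/stderr"; next }
        $2 !~ /^(ssh-ed25519|ssh-rsa)$/ {
            bad++; print "line " NR ": unexpected key type " $2 > "/dev/stderr"; next }
        $3 !~ /^[A-Za-z0-9+\/]+=*$/ {
            bad++; print "line " NR ": key blob is not base64" > "/dev/stderr"; next }
        END { exit (bad > 0) }'
}

# Install only a file that passed validation, with the mode sshd expects.
install_if_valid() {                 # src dest
    validate_authorized_keys < "$1" || return 1
    cp "$1" "$2" && chmod 0600 "$2"
}

# Constructed samples: a pinned admin key and an unpinned one.
GOOD_KEYS='# admin key, pinned to the admin desktop
from="192.168.1.10",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey00 admin@desk'
BAD_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey00 unpinned@anywhere'

printf '%s\n' "$GOOD_KEYS" | validate_authorized_keys && echo "pinned key accepted"
printf '%s\n' "$BAD_KEYS"  | validate_authorized_keys || echo "unpinned key rejected"
```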
 
> AD is pretty good, but it isn't perfect. It has lots of options and tools, but it is so bloated that things do break easily and fall apart.
I'd argue that it's down to the administrator. My AD trees tend to be complex and weird (by necessity, sadly), but they are absolutely stable. I haven't had any issues with AD in 4 years now, and that was due to me not fully understanding how NTFRS worked.
> Here is how I look at things. If the client OSes are Linux and OS X, there is no need for AD at all. OS X is a drag-and-drop installer; installing apps is just a simple copy and paste. Linux has SSH, so if you implement firewall rules on the desktop to trust a certain IP address, such as the admin's desktop and username, and it holds the public key matching the admin's private key, you can launch an automated script that will install all the machines on the network within an hour. You can even set up a cron job to grab a new public key from a certain machine's shared folder. Windows can be very painful to maintain when the application isn't an MSI installer. Sometimes, converting the exe installer to MSI and dumping registry settings and profile settings across the network can cause headaches. There isn't a perfect desktop maintenance solution in this world. That is why I have always been a believer that desktops need to constantly get thinner, not bigger.
I will absolutely agree that software installation on windows is a pain in the arse. No two ways about it.

If you must have windows desktops, then AD makes the most sense.
 
> If you must have windows desktops, then AD makes the most sense.

I'm not denying this fact. If you have more than 100 Windows desktops, I say AD is required. If you have less, you've got options, and 100% Windows servers don't make sense to me.
 