In part one in a series of chats with key members of the Xandros team, DesktopLinux.com gives you an insider’s view of the Xandros project philosophy and architecture. Oleg Noskov, Xandros software development manager, talks about domain authentication — one of the essential keys to integrating with, and eventually migrating from, existing Windows networking infrastructures.
If an admin has windows domain controllers in place already, then this Xandros workstation could authenticate with little extra configuration.
I, of course, run a linux pdc, which runs samba, nfs, & nis. All users log on via authentication against my linux pdc.
I have no need of a linux workstation that can log on to a windows domain controller, because my file, print, authentication, web, ftp and mail servers are all running on linux.
That said, I do see this as useful in an organization that is large (read: complex domain structure, bureaucratic, slow to change…e.g. 10,000 plus desktops) and has no plans to change their DCs. Individual linux workstations can be painlessly added.
(may be off topic?) I saw this used in the Mandrake 9.1 article, too. What’s a PDC?
PDC = Primary Domain Controller
Windows NT 4 Servers used a PDC and BDC (B = backup) for authentication and resource control. That model has been phased out with MS’s Windows 2000 and more specifically, Active Directory, which doesn’t rely on a single master like NT4 domains.
However, since NT4 domains are still so prevalent, and millions of networks use NT4 domain authentication, this is useful because you can use Xandros clients and still use centralized authentication without a new system.
I only wish a Linux distro could authenticate through Novell NDS (Netware 4 – 5, I know about Netware 6). Xandros sounds good, but I couldn’t care less about NT domains.
Yeah… that would be really nice! Since I prefer NDS over ADS and since NDS runs on platforms other than Windows (we have an NDS server running on Solaris). Now I only need to read and guess how we can make our 50 Sun servers use NDS for authentication. I guess it is possible… but I cross my fingers I don’t need to modify the NDS schema.
See ya!
DesktopLinux.com: So as an example, if I’m using Red Hat, how do I tie into the Windows network?
Oleg: There is no way, because Red Hat is not designed for this. Red Hat requires you to have a local user account.
seems like RedHat allows you to set up pam_smb from the authentication screen during an install. since I haven’t needed to use this, I’m not sure that the support is complete, but to say “There is no way” is ridiculous. I’m sure Xandros has a prettier configuration, but his comment seems like a little friendly misinformation to me.
Re: NDS
pam_ldap would probably be able to help in this area. have a look here:
http://tiger.nwsc.k12.ar.us/support/docs/nds_to_linux.htm
and google a little for any missing bits or problems and you should be able to get this working.
actually, I’m a bonehead. they’re using pam_winbind and winbindd, instead of pam_smb… which would justify their claim that you still need to create user accounts.
BUT, Oleg seems not to have seen a recent version of RedHat, because everything necessary to use winbindd for authentication in RedHat 8.0 seems to be included, “out of the box”. at least with Samba installed.
Any linux distro can access a windows server, whether that server is part of a windows domain or not. This has been in samba for a _long_ time.
What we are talking about is adding a linux system into a windows domain. This is about authentication. A windows domain system is about centralized accounts & authentication.
Like I said, any linux distro can access any file server regardless. That’s samba. But you need to create user accounts on the linux box, so that users can log in, for example, to KDE. Once in KDE, they could try and connect via samba to NTSERVER1…but there will have to be duplicate accounts created on the NTSERVER1 to match the ones on the linux box.
i have not seen this in redhat.
what it comes down to-
either a xandros or redhat system will allow a user to login and access a windows file server.
the xandros system does not need to know about the user’s account, because it will authenticate login info against the pdc.
the redhat system will need the accounts duplicated locally, or the users will not be able to login. (thereby ruining your centralized accounts)
But you need to create user accounts on the linux box, so that users can log in, for example, to KDE.
no, I think you might be confused about what I’m talking about. the combination of the pam_winbind module + the winbindd, allows you to set winbind as a source in your /etc/nsswitch.conf. meaning you can bypass the creation of local accounts/groups, because your groups and user accounts are accessed remotely like nis accounts:
passwd: files winbind
group: files winbind
this is all ready to go in RedHat, you just need to finish the configuration, since RedHat didn’t add this method to the ‘authconfig’ or “authconfig-gtk”.
again, there is no need for local user accounts when using the winbindd. the Xandros guy is simply making it seem hard to do, but RedHat does have support and it is straight forward.
anyone with a RedHat 8.0 system can see this in:
//usr/share/doc/samba-2.2.7/docs/htmldocs/winbind.html
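The `passwd: files winbind` and `group: files winbind` lines quoted in the comment above can be checked mechanically. The following is an added example, not part of the original thread or of Samba: a small Python audit of an nsswitch.conf that reports whether winbind is listed for the account databases and whether local files are still consulted first. The function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample of /etc/nsswitch.conf (not taken from a real host).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:     files winbind
shadow:     files
group:      winbind files   # wrong order, constructed for the demo
hosts:      files dns [NOTFOUND=return] wins
"""

def parse_nsswitch(text):
    """Return {database: [source, ...]}; comments and [STATUS=action] items are dropped."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # strip action items such as [NOTFOUND=return]
        databases[name.strip()] = rest.split()
    return databases

def audit_winbind(text, required=("passwd", "group")):
    """Check that each required database lists winbind, and lists it after files."""
    dbs = parse_nsswitch(text)
    findings = []
    for db in required:
        sources = dbs.get(db, [])
        if "winbind" not in sources:
            findings.append((db, "winbind missing: domain accounts will not resolve"))
        elif "files" not in sources:
            findings.append((db, "files missing: local accounts are not looked up in /etc"))
        elif sources.index("winbind") < sources.index("files"):
            findings.append((db, "winbind before files: domain entries take precedence over local ones"))
    return findings

if __name__ == "__main__":
    for db, msg in audit_winbind(SAMPLE_NSSWITCH):
        print(f"{db}: {msg}")
```

Keeping `files` ahead of `winbind` means a local entry such as root is answered from the local files before the domain is consulted.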
I administer a Windows 2000-based domain network at a girls’ school. I’ve really wanted to switch to Linux on our public use desktops but this has been the main problem. I can’t believe it’s taken this long for this to happen. I guess most of the focus Linux has had initially has been in the server arena. I believe this support is critical to viability of Linux on the desktop. I hear RH is working on a workstation version. I’d bet any of you real money that Windows domain support will be included.
Consider our situation (not unusual): Each student/teacher/administrator has their own home directory centralized on a Windows server. In addition, depending on login, these users may get certain rights and auto-mapped shares to other areas shared by various departments. Our rights schema is fairly complex.
While I have gotten RH8 and Mandrake to access the domain, it’s not clean at all. I can’t afford to go around to every machine with Linux and create user accounts and passwords for EVERY user here. Even if I ‘Ghosted’ an image to each machine, what if the user changes his/her password? What happens when I get a new user? Nightmarish!
If Xandros does what they say it does, it would be a great foot in the door for Linux here and other schools and businesses. We’ve already started using Open Source software like OpenOffice.org and GiMP. For us, MS Office compatibility isn’t critical, and the Windows desktop OS has been the biggest lock-in I’d love to phase out.
Complete Windows domain support is the single most important feature that ANY Linux distro needs to compete with Windows XP as a corporate or educational workstation. The truth is, most networks out there use an NT or 2000 domain. They are easier to administer (mostly GUI tools), and are scalable for larger networks. Of course, the same can be said for Novell also. Were it not for MS’s dominance, their cross platform directory services would be #1.
So when is Xandros going to release a KDE3.1 or later version of their desktop environment so I can go and purchase it?
Seriously does anyone have any info on this.
but on the other hand, why don’t we see an Open Source alternative to NDS, AD, NT Domains, …
Some kind of Linux Directory with whom you could authenticate from all kind of platforms, providing the right PAM’s, providing a Windows Client (just like Novell does), ….
Now combining this with file & print, etc. THAT would be a killer app IMHO
We’ve been running our userinfo and other stuff on OpenLDAP, and using Kerberos for authentication for a long time. Very nice alternative to NDS/ADS if you ask me.
Keywords: Kerberos, LDAP , PAM , nsswitch
I was under the impression that it could be achieved via apt-get, changing to unstable, my friends run Xandros on their home network, i will ask them if KDE 3.1 messes up any of Xandros’ other functions…
We’ve been running our userinfo and other stuff on OpenLDAP, and using Kerberos for authentication for a long time.
No doubt about it. The technology exists.
– But I want to see a company like redhat offering this nicely integrated in their products.
– I want to be able to seamlessly integrate Windows clients also, so I would need a client setup à la Novell client.
– The apps you use need to be Kerberos aware. Not sure to what extent this is default behavior or might be a problem?
You can install KDE 3.1 on Xandros but it will break some of the specialized Xandros functionality. I installed gnome 2.2 backported to woody (which is the majority of Xandros) and it worked, but it too broke some things and was pretty flaky afterwards. Xandros is pretty impressive, the only problem really is the speed and the old KDE. But I would think that someone with some better skills than me could probably figure out how to upgrade Xandros to Debian unstable and retain at least most of the functionality.
Xandros can’t be upgraded to KDE 3.1 as the Xandros File Manager won’t work with KDE 3.X. The networking functionality appears to be built into their file manager.
I use Xandros at work in a windows environment, and I have been able to integrate into the local IT infrastructure very easily and I have very limited IT skills! I can see all the other windows computers on the network and I can easily share any directory I want with a few clicks of the mouse. It would be impossible for me to use a different distro as things currently stand.
The word on the Xandros forums is that Xandros are currently very busy developing Desktop 2.0 and their Server product which will further extend their networking capability.
xandros did this back in their corel linux 1.0 days.. it is a nice feature.. one that has not really been implemented on any other distro.. The login screen that is.. so that is a cool feature that should take some consideration..
I haven’t tried, but I suppose if you or someone build packages for KDE 3.1 with the prefix on /opt/kde like SuSE they can coexist with the KDE 2.2 of Xandros with their file manager that is /usr like all Debian packages.
But I don’t have the ability/cash/time to convert everything here at once to a new directory system. Not only that, but we do have apps here that require the use of Windows.
Some of this will be ameliorated through Terminal Services and rdesktop, but it will take time to test and transition all of this.
I wish I could drop everything and start over but that’s just not an option at this point.
I like what Xandros is trying to do–make Linux work on the first try and make it simple.
I don’t like the fact that the Xandros distribution is horribly out of date. KDE 2.x? Give me a break!
As a business owner, I also don’t like that they have a license that legally requires me to buy a license for every computer/user who will be using their software. Sounds just like Microsoft. Part of the advantage with most other Linux distributions is that I don’t need to pay for individual licenses. Sure, I WILL pay for support–if I need it. I also have no problem making monetary “donations” to support their effort.
What it boils down to is that for a business owner, Xandros looks just like Windows–sure it’s substantially cheaper, but in the long run if given the choice between Windows and Xandros, I’d choose the former.
Why didn’t they ask the REAL question on everyone’s mind about Xandros?
I hear they have lost most of their developers, closed their office down, and the few remaining are working from home and haven’t been paid in months.
First Mandrake went BK, sounds like Xandros is next.
Mark
This functionality was in mandrake 9, you just had to go enable winbind in the nice little gui menu, and if you’d done the latest update to samba at the time they had a nice little default conf file that……..CREATED THE LOCAL USERS, and directories (for example they were a login option in kdm). These are really outlandish claims from xandros.
http://us4.samba.org/samba/docs/man/winbindd.8.html
also note the line:
To setup winbindd for user and group lookups plus authentication from a domain controller use something like the following setup. This was tested on a RedHat 6.2 Linux box.
Xandros is NOT going BK!
http://forums.xandros.com/viewtopic.php?t=1820&postdays=0&postorder…