Linux Domain Controller/Resara Server

Tom Buskey tom at buskey.name
Fri Jan 27 16:02:05 EST 2012


On Fri, Jan 27, 2012 at 2:47 PM, Ben Scott <dragonhawk at gmail.com> wrote:

> On Fri, Jan 27, 2012 at 12:35 PM, Warren Luebkeman <warren at resara.com> wrote:
> > Yes, it's an Active Directory DC, and can host FSMO roles.  Once you have
> > the domain setup, you can create/manage standard AD group policies via
> > Microsoft's group policy tools.
>
>   *Very* impressive.  You can bet I'll be checking this out.  Thanks
> for the info.
>

The Samba folks have been trying to do this for a long time too.  I have
been in the middle of a migration from AD on Win 2000 to Win 2003 to Win
2008 and implementing GPOs.  It's worth having them.


>
>  For those *nix-heads on the list wondering what all this
> gobbledygook is about:
>
>  Active Directory (AD) is Microsoft's directory service.  It manages
> things like users, groups, email addresses, passwords, computers, etc.
>  It's vaguely LDAP based.  A Domain Controller (DC) is a server
> hosting the AD services.  In order to do just about anything with
> MS-Windows on a network at a business, you need AD.
>
>

It is LDAP with Kerberos wrapped in (in a proprietary way).  I have to
admin AD and a Solaris LDAP server.  As a Unix bigot (like most of us here
:-) I wish I could get off the LDAP and use AD where it has been done right.

AD also does DNS (static and dynamic) and DHCP very well.  We use it and
not BIND with all our Unix boxes.


>  DCs are mostly peers.  The FSMO roles (Flexible Single Master
> Operation) are a handful of special tasks which need to be assigned to
> a single DC.  One is responsible for generating unique IDs, for
> example.
>

Replication and redundancy (only one needs to be up).  Again, AD does this
easily with a few clicks.


>
>  Group Policy Objects (GPOs) are how Windows computers are managed.
> Pretty much everything about Windows management starts there.
>

With our GPOs, we've gone from hours configuring a PC (300+ files need
specific permissions and auditing set) to minutes.  If it gets out of spec,
the GPO resets it.

I'm looking to puppet/CFengine/chef to do something similar for the Unix
boxes.  If it works 1/2 as well as the GPOs do, I'll be happy.


>
>  The ability to do the above means a Linux server can handle the
> proper care and feeding of Windows clients.
>
>

AD is a case where MS really did things right.

Back to Resara, does it handle Likewise or Centrify?  These are products
that allow a Unix client (Linux, Solaris, MacOSX) to use AD for its
authentication.  If you have an AD environment, it's more secure for
authenticating than NIS and.