[SGVLUG] Active Directory and Linux

Joel Witherspoon joel.witherspoon at gmail.com
Wed Apr 25 13:14:27 PDT 2012


2008 AD is pretty solid. Much better than 2000, 2003. It's all LDAP
(suspiciously similar to OpenLDAP), so you'll need to have a DNS that
handles SRV records. If your Linux DNS doesn't deal with SRV records, you
can set up DNS on the Windows server. You'll need to point the client's
primary DNS to that AD server's DNS for auth.

It took me less than an hour to have a functional DNS and Tree set up. I've
attached several OpenFiler servers using the AD connector tool and it
worked great. I haven't tried connecting Linux workstations yet, but Mac OS
X can connect with limited functionality.

A few things:
1) Always make sure you have a second domain controller (DC). You can
promote any server to become a DC. Replication should be automagic but
check to make sure.

2) GPOs are your friend. Forget mapping drives via client properties;
mapping drives and security are A LOT easier.
2a) Make sure your clients always have the latest GPO updates.
2b) There are workstation (computer) and user policies. Some policies in
both categories do the same thing, but most are remarkably different. MS
has cleaned up a lot of their GPO handling so it's been a lot easier to
deal with them lately.

3) Use BGInfo on your desktops. It provides some WMI information that's
good for troubleshooting.

4) Brush up on PowerShell. It's better than cmd for scripting and it's good
with Windows. However, compared to SSH, it blows and its security
structure blows.

4a) In the same vein, disable UAC on Vista and 7 workstations. You don't
really need it with a sound GPO plan.

5) Unlike Novell's eDirectory (which was context-based), EVERY object in AD
(context-less) needs to be unique. You can't have a username with the same
name as a host, for example. We had to rethink our naming scheme because of
that.

6) When the user first logs in on a Windows workstation, they will have
very little rights. So you want to make sure your users have the correct
rights for their position. GPO is good for this.

7) OS X workstations require a third party tool. We are currently testing
Centrify on our Mac OS X workstations.

On Wednesday, April 25, 2012, matti wrote:

> Hi,
>
> I'm looking at setting up active directory services..
>
> 1) expect to have Linux, Mac OS X, and Windows clients...
>
> 2) would like to use a linux server, but may have to setup a windows
> server..
>
> Curious what sort of experiences people have had with it?
> Recommendations? pitfalls? etc..
>
> thanks!
> matti
>
>
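An added example, not part of the post above or of anything in the thread: a shell script a Linux or Mac client can run before joining, to confirm that the resolver it points at actually publishes the SRV records a domain member looks up (the `_ldap._tcp.dc._msdcs`, `_kerberos._tcp`, `_kpasswd._tcp` and `_gc._tcp` names, which are the record names AD registers; `_gc._tcp` lives at the forest root, so a single-domain forest is assumed). This is the check behind the post's point that the client's primary DNS must be the one serving the AD SRV records. The domain `example.com`, the DNS server address and the answer lines in the test data are constructed placeholders, and `dig` is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify, from a Linux or Mac
# client, that its resolver publishes the SRV records an AD domain needs.
# "example.com", 192.0.2.10 and the test answers are constructed placeholders.

# The RFC 2782-style names an AD domain member queries when it locates a
# domain controller, a KDC, the password-change service and a global catalog.
srv_names() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.${domain}" \
        "_kerberos._tcp.${domain}" \
        "_kpasswd._tcp.${domain}" \
        "_gc._tcp.${domain}"
}

# Read "priority weight port target" lines (the shape of `dig +short SRV`
# output) on stdin and print "target port" for the record a client should
# prefer: lowest priority wins, higher weight breaks ties (RFC 2782).
# The trailing dot on the target is stripped. Exits 1 if no record was given.
pick_target() {
    awk 'NF == 4 {
        if (best == "" || $1 < bp || ($1 == bp && $2 > bw)) {
            bp = $1; bw = $2; port = $3; best = $4
        }
    }
    END {
        if (best == "") exit 1
        sub(/\.$/, "", best)
        print best, port
    }'
}

# Query every record for $1 (the AD domain) against the resolver the client
# really uses, or against the server given as $2, and report the DC that
# would be chosen. Returns non-zero if any record is missing: the client is
# then pointed at a DNS that is not serving the AD zone's SRV records.
check_ad_dns() {
    domain="$1"
    server="${2:-}"
    rc=0
    for name in $(srv_names "$domain"); do
        answer=$(dig +short ${server:+"@$server"} SRV "$name")
        if [ -z "$answer" ]; then
            printf 'MISSING %s\n' "$name"
            rc=1
        else
            printf 'OK      %-40s -> %s\n' "$name" \
                "$(printf '%s\n' "$answer" | pick_target)"
        fi
    done
    return "$rc"
}

# Run the check only when the domain is supplied, so the file can also be
# sourced for its functions. AD_DNS is optional (assumed variable names).
if [ -n "${AD_DOMAIN:-}" ]; then
    check_ad_dns "$AD_DOMAIN" "${AD_DNS:-}"
fi
```

Run it as `AD_DOMAIN=example.com AD_DNS=192.0.2.10 sh adsrv.sh` (file name assumed) once with the AD server's DNS named explicitly and once without, so the second run shows what the client's own `resolv.conf` resolver answers; a MISSING line there is the situation the post describes, a Linux DNS that is not handing out the SRV records.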
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.sgvlug.net/pipermail/sgvlug/attachments/20120425/9e55c39b/attachment.html 