Linux in a Windows World [Paperback]

Roderick W Smith


Product Description

Review

"This is definitely one of those "jump up and down" books. A number of books on "Linux-Windows integration" have appeared in the last few years, but none have impressed me as much as Linux in a Windows World...O'Reilly has another winner with this one." - James Mohr, Linux Magazine, July 2005

"A word on the last appendix. If you are a UNIX admin that has always viewed PAM with a mixture of awe and terror, buy the book simply for this appendix. It explains PAM simply, directly and with no fuss whatsoever. This is a truly marvellous reference on PAM and I would be happy to shell out (pardon the pun) the entire price of the book for this appendix alone! Thank you Mr. Smith for an excellent all-rounder. I feel that this is a book pitched just right to help Windows admin to take their first steps into a Linux world, and to help Linux admin overcome their suspicions of Windows. After all, in today's service-dominated society, our users want more and better service. This book should help achieve that." - Steven Ashley Woltering, Ping, March 2006

Book Description

Leverage Linux to make Windows more secure, responsive & affordable

About the Author

Roderick W. Smith is a well-known system administrator with a monthly Linux Magazine column and several highly respected books, including Advanced Linux Networking and Linux Power Tools.

Excerpt. © Reprinted by permission. All rights reserved.

CHAPTER 7 Using NT Domains for Linux Authentication

If your existing network uses an NT domain or an Active Directory domain, you may want to tap into your existing domain controller for Linux authentication. For instance, you might want a Linux POP server to use your existing Windows domain accounts. Doing so presents certain challenges, though; the Windows and Linux authentication systems require different types of information, so some information Linux needs isn’t available from the domain controller. Fortunately, Samba’s Winbind software helps bridge this gap. Winbind links together the domain controller’s database and Linux’s native authentication system, the Pluggable Authentication Modules (PAM). Using Winbind requires configuring Samba options for Winbind, as well as for PAM and another helper tool, the Name Service Switch (NSS).

Active Directory, introduced with Windows 2000, is the successor to NT domains. AD domain controllers support the older NT domain controller protocols for the sake of backward compatibility, so you can authenticate Linux systems against an AD controller using the methods described in this chapter. You can also authenticate Linux systems against an NT domain controller that runs Samba.

Because Winbind is part of Samba, you should understand the basics of Samba configuration before proceeding, even if you don’t want to run the full Samba server suite on the system you’re configuring. If you’re not already familiar with the basics of Samba, you should read Chapter 3. If you want to have Linux fill the role of the NT domain controller, you should read Chapter 5.

The Principles Behind Winbind

When configuring a Linux system to authenticate users against an NT domain controller, you should understand the basic principles behind this operation—that is, how Linux can work with an account database that wasn’t designed with Linux or other Unix-like OSs in mind. Essentially, the problem is one of integrating two dissimilar systems—the NT domain system and Linux’s PAM. Winbind is a tool that performs most of this integration, although some details are left to other tools.

The Problem: Linux Users on an NT Domain

As a practical matter, the desirability of running Linux as an NT domain controller’s client (that is, as a domain member server) varies from one network to another. The most common use for this approach is limited to file shares on a Samba server, and that procedure is described in Chapter 3. This configuration, though, works only for Samba shares, not for other services the computer might offer, such as a POP server, an SSH login server, or console logins. If a computer should be used in any of these ways in addition to or instead of being used as a Samba server, you must normally maintain local Linux-only accounts. On a network that already uses NT domain authentication for Windows systems, this separation can be a serious problem. You need to recreate your NT domain accounts on your Samba server—a tedious undertaking for you and for your users, who will have to re-enter their passwords. If you want to run multiple Linux server computers or add Linux desktop systems, you need to either maintain separate Linux account databases on each Linux system or use some other network authentication database. In other words, you’ll be throwing away the benefits of the NT domain controller for the new Linux systems.

Using an NT domain controller can be a good way to minimize the account maintenance difficulties when you start adding Linux systems. Instead of using a Unix-centric centralized account system or using local Linux account databases, you can tap into the NT domain controller. Once you’ve done this, a Linux POP server, SSH server, or most other servers automatically accept logins using the usernames and passwords supported by the NT domain controller. You can even use this method to enable console logins using the NT domain’s accounts.

Typically, some accounts are still maintained locally. Most notably, you should leave the root account defined only in the local Linux account database. This practice enables you to log in even if network problems exist. It also enables you to set different root passwords for each Linux system, which can help improve your overall network security; a breach of one system won’t necessarily translate into a breach of all your systems.

NT domain authentication was designed with the needs of Windows computers in mind. These authentication tools provide some information that Linux requires, such as a username and password. This information isn’t always available in a form the Linux system will find immediately useful, though; for instance, the password is encrypted using a method that’s foreign to Linux. Worse, NT domain accounts lack some information that’s critical to Linux, such as the Linux account’s home directory and default shell. Thus, Winbind must make up some of this information using values set in Samba’s smb.conf file. Other differences, such as NT domain password encryption, are handled by Winbind’s PAM integration modules.

Linux’s PAM and NSS Systems

Linux relies on two systems to help manage accounts: PAM and NSS. PAM is described in detail in Appendix A. In brief, PAM tells login services whether a user may log in or not, helps programs change passwords, and handles a few related tasks. PAM is a modular system, so you can reconfigure PAM to use authentication modules based on authentication tools other than the common /etc/passwd and /etc/shadow files. In particular, this chapter describes how to configure PAM modules that link to an NT domain controller with the Winbind tool.
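An added example (not from the book or from the Samba project): a shell audit of the points made above, namely that root stays in the local account database, that NSS consults local files before Winbind, and which home directory and shell Winbind will synthesize from smb.conf. The `template shell` and `template homedir` parameters and the `winbind` NSS source are real Samba names that this excerpt does not quote; the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit copies of a Winbind client's account configuration.

# smb_global FILE PARAM DEFAULT: PARAM's value in [global], else Samba's default.
smb_global() {
    awk -v want="$2" -v val="$3" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }' "$1"
}

# nss_local_first FILE DB: succeeds if DB lists "files" ahead of "winbind",
# so local accounts such as root resolve without the domain controller.
nss_local_first() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) {
                       if ($i == "winbind") { w = 1; break }
                       if ($i == "files") f = 1 }
                   exit }
        END { exit !(f && w) }' "$1"
}

# root_is_local FILE: succeeds if the local passwd file defines root with UID 0.
root_is_local() {
    awk -F: '$1 == "root" && $3 == 0 { ok = 1 } END { exit !ok }' "$1"
}

# audit SMBCONF NSSWITCH PASSWD: prints findings, returns the number of problems.
audit() {
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    echo "synthesized shell:   $(smb_global "$1" 'template shell' /bin/false)"
    echo "synthesized homedir: $(smb_global "$1" 'template homedir' /home/%D/%U)"
    for db in passwd group; do
        nss_local_first "$2" "$db" || fail "$db does not try files before winbind"
    done
    root_is_local "$3" || fail "root is not defined in the local passwd file"
    return "$problems"
}

# Constructed sample files: template shell unset, group order reversed.
demo=$(mktemp -d)
printf '[global]\n  security = domain\n  template homedir = /home/%%D/%%U\n' > "$demo/smb.conf"
printf 'passwd: files winbind\ngroup:  winbind files\n' > "$demo/nsswitch.conf"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo/passwd"
audit "$demo/smb.conf" "$demo/nsswitch.conf" "$demo/passwd" || echo "problems found: $?"
```

With `template shell` unset, Samba's default of `/bin/false` applies, which suits a POP server but prevents SSH or console logins for domain accounts.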
