4

I currently have this domain with about 25 PCs running with AD and Windows Server 2008 R2. We are currently thinking of adding some Linux PCs instead of more Windows PCs because of financial reasons.

My questions are:

  • Is it possible to add a Linux PC to AD?
  • Will I be able to apply / manage GPOs to Linux just like Windows?

We are also thinking of getting a couple of thin clients and remotely connecting them directly to the server to save money.

  • Is it possible to remotely connect from a Linux thin client to the Windows server with the GPOs applied?
  • What Linux version do you guys recommend?

So, yeah, seems a little complicated, but we are trying to save money.

Kevdog777
user56130

3 Answers

5

Yes, Samba is what you're looking for to handle file sharing. For the GPOs I believe you can use something like Likewise to authenticate Linux users into the AD, see this article: Authenticating Active Directory users on Linux with Likewise Open and this one titled: Likewise Open - Ubuntu Documentation.

NOTE: I believe the LikeWise products were acquired by BeyondTrust. You can read more about the open sourced version of the product, PowerBrokerOpen.

Other resources to investigate

Which OS

I'd hands down suggest using either Ubuntu or CentOS in this scenario. Either of these 2 will have the best chance of integrating smoothly with your existing AD Windows infrastructure and there is a ton of resources on the internet using these very 2 distributions in this use case that will help you to be successful. Other distros might be workable, but you'll tend to go it alone, especially when trying to integrate them into a Windows environment.

Canonical and Red Hat have a large contingent of enterprise customers that demand this exact feature so you'd be on common ground with how most businesses are dealing with your exact issue(s).

slm
2

The Unix and Windows models are very different. Any admin experienced with one will find the other frustrating.

First the good news: Samba's winbind: with a little effort, administering the users on your Linux boxes is almost no more effort than your Windows boxes.

Now the bad news: Linux views AD as just another user database, so user, group and machine policies have no effect. In some ways this is an advantage because there is little direct mapping from a Windows policy to doing the same thing in Linux. The Linux machines must be administered separately from the Windows machines.

hildred
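The winbind setup described in the answer above, as an added example that is not part of the original answer: a minimal Samba domain-member configuration. The domain and realm names (EXAMPLE, EXAMPLE.COM), the ID ranges and the home directory layout are placeholder assumptions.

```ini
# /etc/samba/smb.conf  (added example; EXAMPLE / EXAMPLE.COM are placeholders)
[global]
   # Join as an Active Directory member server: Kerberos for authentication,
   # AD as the account database.
   security = ads
   workgroup = EXAMPLE
   realm = EXAMPLE.COM

   # Map AD SIDs to Unix UIDs/GIDs. The rid backend derives the ID from the
   # account's RID, so every Linux member computes the same UID for a user.
   # The ranges are assumed values; they must not overlap local accounts.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # AD accounts carry no Unix shell or home directory by default,
   # so winbind fills them in from these templates.
   template shell = /bin/bash
   template homedir = /home/%U

   # Let users log in as "alice" rather than "EXAMPLE\alice".
   winbind use default domain = yes

# /etc/nsswitch.conf  (only the two lines that change)
# Local files are consulted first, then winbind asks the domain controller.
#   passwd: files winbind
#   group:  files winbind

# Join the domain once with a domain account allowed to add computers:
#   net ads join -U Administrator
# Then confirm that AD accounts resolve through NSS:
#   getent passwd <ad-username>
```

This gives the Linux machine AD accounts and groups only; nothing in it reads or applies Group Policy, which matches the limitation the answer describes.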
1

I'd recommend Red Hat (or CentOS) as the OS to use, very widely used within business environments and supported by Red Hat themselves if you need that. An alternative would be Canonical's Ubuntu that also comes with support.

Samba is the primary tool to integrate Windows and Linux machines, but it is more about authentication only, so your group policy stuff will not work (obviously!). What you can do is use a tool like Puppet (or Chef, or Salt, or others) to provide group-policy-like administration. The bonus is that you can use Puppet to administer Windows machines too.

I'd say it's a very worthwhile exercise, but you are going to have a bit of a learning curve getting it all working in the first place. However, once you've passed that hurdle, you'll be very happy, maybe even dropping all your Windows machines for a common Linux-client environment (most people have Linux server environments instead).

slm
gbjbaanb