Have you been looking for a way to connect a PC running Linux to a Windows domain?
Likewise is available in the Ubuntu repos now, and I believe is pre-installed in the Ubuntu server version, though I can't remember for sure.
Competing products include Quest's Quest Authentication Services, and Centrify's Identity Mgmt suite.
They all let you do far more than just login -- you can use AD groups to control access, you can manage/limit sudo privileges, Quest supports an Apache module that lets you do Integrated Windows Authentication against your Apache servers running on Linux (more smoothly than trying to use the Samba winbind modules), you can manage assets, in certain limited ways, you can apply GPO settings.
While I'm not particularly an AD fan, for an organization that has a real investment in AD, it's actually very helpful. What will be interesting is to see if people can use these solutions with Samba4 running as your AD server <head explodes>.
> That's it. Linux has come a long way and the ability
> to join a Windows domain speaks volumes for its maturity.
What a crock. Linux has always been able to join an LDAP domain, which MS used as a part of its 'embrace, extend, extinguish' methodology of taking good ideas (LDAP) and adding complexity. I don't think this article has anything to do with Linux's maturity, it just shows that using MS products requires admins to jump through hoops to get non-MS products to function when on a Microsoft-based (not standards-based) network.
De facto standard vs de jure standard. One is the 'real world' most of us have to work with every day. The other is the way things ought to be done but, for whatever reason, aren't.
Jack's article is technically useful, but mostly just further evidence of why Linux has such minuscule mind and market share. Heck, it's enough to scare away all but the most fervent believers.
We'll know there has been real progress when a follow-up article reads something like this.
1. Download and install Win-AD module.
2. Click Join Domain button.
3. Follow the prompts.
... the process for doing it in Windows (other than step one, which is "Right click My Computer and choose the "Computer Name" tab and click the appropriate button"). 
J.Ja
In Windows, I go to control panel and join the system to the domain. Having installed the latest OpenSuse on a test rig, I see a "join domain" utility right there in the control panel area.
I remember Jaqui recommending Suse for Active Directory compatibility back in 2008 or so. I haven't tested it, but it sounds like that feature alone might make it the distro of choice for integrating with AD.
I had a friend installing the latest OpenSUSE so I took an image of the disk and tossed it into a VM. I'd have to do my custom minimalinstall+stuff to see how bloaty the package dependencies were but the default install looks pretty good and YAST has a crapload of stuff for managing the config. At some point, I'm going to add it into the domain for further testing. Novell's goal was a platform that plugged into an existing Windows network so I'm optimistic.
Names were changed to protect the innocent.
Gotta be so careful about mentioning that Microsoft product when Linux guys are around.
that a Server 200x patch at some point in the future breaks this method by mistake?
More likely, I can see a 2xxx patch breaking it deliberately. Or at least released with the full knowledge that it will break such connections.
Unless there is something special about this that I am not aware of, I don't see how this is anything new. Linux machines have been able to participate in Windows domains for a very, very long time now. In fact, you mention at the end that it can be done with Samba. I've seen it be very, very easy for a long time. Many Linux based NAS devices have been doing it forever, with a simple config tool.
Besides, joining the domain isn't the trick. The trick is truly participating in it, like using the domain to get printer information, or using domain security objects for local authentication (for example, tying the local admin group to the domain admin group).
J.Ja
The domain primarily provides configuration policy though obviously it provides authentication. *nix isn't going to recognize Windows policy rules and Windows isn't going to provide any *nix policy rules. Only benefit I've found is authentication when accessing CIFS shares though I do need to play more and get my workstation pulling login authentication from the domain also.
That's exactly it... the *only* reason to join a non-Windows machine to an Active Directory domain is for file share security (in which case I'll do it in Samba). Until someone adds some sort of weird overlay to Linux (or BSD or OSX or whatever) that allows it to fully work with AD (printers, group policies, etc. etc. etc.) then I really don't see much point.
J.Ja
Sometimes, in the enterprise, we must run apps that require a Linux platform.
However our user base only cares about one user name and one password.
It minimizes complexity to allow the Linux host to manage authentication just like a Windows system. That way, we can add Julie to the app users group and she can immediately login.
That is worth a lot.
If you purchase the commercial versions of these programs you can supposedly use group policy rules. But wait, isn't Linux open source?
Open Source and most licenses have no rule against paying for software. It's perfectly acceptable to sell a "value add" version that builds on a no-cost base product. Running closed source or retail products on top of the open source base is also acceptable in most licenses.
Consider Mandriva Free and One distribution flavors available at no cost with PowerPack sold at a reasonable cost and including proprietary or patent licensed additions (media codecs, flash, some retail software like LinDVD).
Red Hat is another example, you can go download installs for Red Hat Enterprise but you'll need to purchase a service contract to receive ongoing support and updates.
Novell; OpenSUSE is free to download while SUSE Linux Enterprise Edition is a retail product.
In terms of transparency because distributions are open source, Microsoft isn't including policy templates for *nix based distributions so source visibility doesn't help there. I'm not sure if any third parties are doing so or if the non-Microsoft folks simply focus on the non-Microsoft LDAP solutions (Active Directory being nothing more than LDAP embraced and extended)
I have been looking for it a long time and have not found it. If you are referring to CentOS, then yes; otherwise I would love it if you could provide a link. When I checked, you could get a 90 day evaluation copy. You must have a subscription to get the full extended version.
Also there are a couple of products that seem to be able to apply MS GPOs to *nix machines. Centrify is one (http://www.centrify.com/directcontrol/grouppolicy.asp). There is another one that appears to be good but I cannot remember the name right now.
Also Likewise-Open has been available for at least 2 years if not longer. Yes, VERY OLD news.
Wow, there's the long, hard way, like Jack describes ... then there is vpn and tsc. Half as hard and twice as fast. Or maybe I am missing something here ...
Yes you are, the part about joining a Linux machine to AD.
Ok, this is good if you're looking to join one machine but will get complicated if you're looking to join a group of machines. If authentication is the primary need, here's a free tool (shameless plug) for Centrify Express which comes with a mgmt gui that detects and allows you to deploy the necessary bits to join Linux and Mac systems to AD...makes life a lot easier.
http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp
I'm interested in the opposite of this - how to join a Windows machine to a Linux box running LDAP & Kerberos. This used to work using ksetup on Windows XP, but it doesn't work with Windows 7 or 2008 server.
Can one use LikewiseOpen if your organisation does not use Kerberos, but uses AD?
Are you using AD solely as a directory mechanism with no authentication? I'm curious if it's even possible to use AD without Kerberos, the entire authentication system is built on it.
J.Ja