I would like to switch my organization from Windows 2000 Professional to Linux on the desktop. I am satisfied enough with the performance of OpenOffice.org to substitute it for MS-Office, and we already use Thunderbird and Firefox for email/web. I'm not worried about the apps, in other words. What we have that is Windows-only can be run on our Terminal Servers.
It's authentication that worries me. Our servers are a mix of Windows 2000/2003 and Linux, and our primary authentication is against Windows 2000 Active Directory servers. What we are having difficulty replicating under Linux is the ease of domain logins on the workstations, where essentially there are no local accounts; the workstation is a member of the domain and it trusts domain accounts for local login. So authentication is almost entirely centralized; anyone can log in to any workstation (within limits we set) on the domain, and we don't have to do anything to copy accounts to each workstation. While we may eventually dispense with the Active Directory servers, they will be with us through the transition period (1.5 to 2 years, I estimate) and maybe longer, so some system that allows compatible, shared auth between Windows and Linux workstations is a requirement for our transition.
Xandros Desktop Linux has done a lot of work, starting back when they were Corel Linux 1.0, in creating a system of Windows domain login that works under Linux. See
http://www.desktoplinux.com/articles/AT4559768996.html
for details of how this should work, and does work under Xandros. But Xandros is uncomfortably proprietary for me and I would much prefer a more open solution. As far as I can tell, Xandros does not make it easy to use their domain auth system generally, with other distros for example. In the interview at the link above, the Xandros rep claims there is no other distro that does this--while I don't know of any that do, it seems like such an obvious goal that I'd be very surprised if nobody else is at least working on it.
Has anybody done this on their system with more open tools? Or another option seems to be maintaining an NIS server that somehow replicates accounts with the AD servers, so that NIS handles Linux login, while AD handles only Windows--anybody tried that? Or if anybody else has come up with other solutions to this or similar problems, please write in. We have looked at all the PAM options--kerberos, LDAP, etc.--and none of them look quite as good as what Xandros has done; but if they work for you, I'm very interested in hearing your stories.
Thanks,

Matt Morgan
Manager of Information Systems
Brooklyn Museum