Linux-based solution for domain management?

Using any member of the Windows Server family, I can set up an Active Directory, and have a single pool of users for a large scale of computers; access can be given/removed for any shared resources in the given domain (including access to client computers, etc.).

What similar (and widespread) solutions exist for managing a multi-user, multi-computer environment using Linux? What are their advantages/disadvantages? And how can they interoperate with Windows?

Not sure if this is what you had in mind, but Linux w/Samba can act as a domain controller for Windows desktops. For example, see SAMBA (Domain Controller) Server For Small Workgroups at HowToForge. This works for file/print sharing etc.

For something more akin to Microsoft's Active Directory, you might check out Red Hat Directory Server:

Red Hat Directory Server is an LDAP-based server that centralizes application settings, user profiles, group data, policies, and access control information into an operating system-independent, network-based registry.

If cost is a concern, there's a Fedora Directory Server version that's the community version for free.

Another potential offering would be Sun's OpenDS project:

OpenDS is an open source community project building a free and comprehensive next generation directory service based on LDAP and DSML. OpenDS is designed to address large deployments, to provide high performance, to be highly extensible, and to be easy to deploy, manage and monitor.

Joe: I think NIS is considered legacy Unix stuff these days. I wouldn't recommend it to anyone on a new deployment.

At the company where I work, we run Apple's Open Directory for our LDAP directory and Kerberos KDC. You can achieve the same thing using Red Hat's directory server (mentioned by Jay above), or something like Apache Directory.

While LDAP and Kerberos can be daunting at first, and a bit challenging to get working, I think the effort is quite worthwhile. You can easily scale both up to whatever size you need.

For the Windows end of things, you can hook Samba in to LDAP and authenticate your Windows clients against that.

LDAP is clearly the way to go. See for instance OpenLDAP Software 2.4 Administrator's Guide.

An example of setting up user authentication with LDAP on Linux and FreeBSD is on my blog (in French), Comptes Unix stockés sur LDAP.

Supposedly Linux computers can use Likewise Open to connect to Active Directory Domains, i.e. use the Active Directory credentials for authentication and access control.

I have tried it briefly myself and had no luck though (ended up inadvertently making my desktop system a domain controller and had to get network admins to reassign it!). Probably just needed to read the docs a bit better...

Samba provides interoperability with Windows domain controllers. With version 3 it can act as a primary domain controller. From what I read, version 4 will improve support for Active Directory.

Linux servers can be configured to participate in NIS domains; you should typically be prompted for this kind of setup when building the server. NIS is a lot like Active Directory, providing common identity and authentication across many boxes. You can also configure home directories to be mounted off a common NFS share so that identity and working environment move with the user from box to box.

I have experienced this from the user/tech-lead side of things; hopefully a Linux admin can provide further pointers on how to do it and where to find resources.
