Thursday, 10 May 2007

Connecting to Active Directory

As you may recall, my To-Do list looks like this:

  1. Connect to my company's Exchange Server and get my mail.
  2. Connect to my company's Windows 2003 Server and access files.
  3. Print stuff.
  4. Optionally authenticate via Active Directory.

As it turns out, the last and "optional" requirement is the first one that I've tackled. This is because it showed up on the "Create User" screen when I was installing. There is good news and then there is... well let me explain.

First the good news. Getting Fedora to authenticate via Active Directory turned out to be surprisingly easy. From the "System" menu you choose "Administration" and then "Authentication" - this brings up the "Authentication Configuration" dialog box. On the "Authentication" tab, you tick "Enable Kerberos Support" and click the "Configure Kerberos" button. The Kerberos "Realm" is the DNS name of your domain written in upper case (realm names are case-sensitive, and an AD realm is simply the upper-cased domain name); the KDCs are your Domain Controllers (port 88 by default); and the "Admin Servers" are your Domain Controllers again, this time using port 749. One caveat: AD does not run an MIT-style admin server on port 749, so that entry is harmless but unused; password changes go to the kpasswd service on port 464 of a Domain Controller instead.

Next tick "Enable SMB Support" and click the "Configure SMB..." button. The "Workgroup" is the short NetBIOS name of your domain (CORP rather than corp.example.com); the "Domain Controllers" are your domain controllers. Simple.

Finally, tick "Enable Winbind Support" and click the "Configure Winbind..." button. The "Security Model" needs to be "ads" and you just have to fill in the boxes with your domain details. Having done that, you click the "Join Domain" button and... not for the first time on Fedora, nothing happens. I ran the "Active Directory Users and Computers" MMC Snap-in on a Windows machine, and sure enough my Linux workstation appeared in the default "Computers" container in AD. Would it have been so difficult to have a confirmation message box? I sometimes think that for Linux developers the GUI is an afterthought, and ease of use is not thought about much at all.

I logged off, and logged on again with my domain username and password - and it worked! Perhaps I shouldn't be surprised that this worked, but I was expecting the worst.

I then logged off again, and logged on with another Active Directory account. This time the logon failed with "Incorrect username or password." What was going on? It turns out that the reason the logon failed was that the user account did not already exist on the machine. There is a subtle and important distinction to be made here between Linux and Windows. With only the settings above, Linux uses AD to authenticate the user's logon, but the user's account (the UID, groups and home directory that PAM needs once the password has been checked) still has to exist on the machine. Windows also uses AD to authenticate a user's logon, but the user's account exists in AD. Linux can behave the same way if winbind is also made a source of account information rather than just a password checker: tick Winbind on the "User Information" tab as well (which adds winbind to the passwd and group lines of /etc/nsswitch.conf), set a "template homedir" in smb.conf, and enable pam_mkhomedir so that a home directory is created on first logon. The quick check is that "getent passwd" returns an entry for the domain user before you try to log on as them.
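The three dialogs above write /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf. The script below is an added example, not the author's files or anything shipped by Fedora or Samba: it renders those files from a few variables into a staging directory (it never touches /etc), with the settings that turn the second-account logon failure described just above into a working logon. The domain name, NetBIOS name and domain controller names are placeholders, and the list of verification commands printed at the end assumes the Samba tools (net, wbinfo) are installed.

```shell
#!/bin/sh
# Added example, not code from the original post. It renders the three files
# that the Fedora "Authentication Configuration" dialogs edit (/etc/krb5.conf,
# /etc/samba/smb.conf, /etc/nsswitch.conf) from a few variables into a staging
# directory, so the result can be reviewed before it goes anywhere near /etc.
# Every domain name here is a placeholder (an assumption), not the author's.

DOMAIN="${DOMAIN:-example.com}"                   # AD DNS name (assumed)
WORKGROUP="${WORKGROUP:-EXAMPLE}"                 # NetBIOS short name; smb.conf's "workgroup" (assumed)
DCS="${DCS:-dc1.example.com dc2.example.com}"     # domain controllers (assumed)

# Kerberos realm names are case-sensitive; AD's realm is the DNS name in upper case.
realm_for() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

krb5_conf() {
    realm=$(realm_for "$DOMAIN")
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_kdc = true\n\n' "$realm"
    printf '[realms]\n %s = {\n' "$realm"
    for dc in $DCS; do printf '  kdc = %s:88\n' "$dc"; done
    # The dialog writes admin_server = DC:749, but AD runs no MIT kadmind there;
    # password changes go to the kpasswd service on port 464 of a DC instead.
    printf '  admin_server = %s:749\n }\n\n' "${DCS%% *}"
    printf '[domain_realm]\n .%s = %s\n %s = %s\n' "$DOMAIN" "$realm" "$DOMAIN" "$realm"
}

smb_conf() {
    cat <<EOF
[global]
 workgroup = $WORKGROUP
 realm = $(realm_for "$DOMAIN")
 security = ads
 password server = $DCS
 # Needed so that domain users with no /etc/passwd entry get a UID, a shell
 # and a home directory; without these the join succeeds but their logon
 # fails with "Incorrect username or password", as described in the post.
 winbind use default domain = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 idmap config * : backend = tdb
 idmap config * : range = 10000-20000
EOF
}

# Authentication via pam_winbind is not enough on its own: winbind must also be
# an NSS source, or "getent passwd user" finds nothing and the logon fails.
# Returns 0 when the passwd line of the given nsswitch.conf lists winbind.
nsswitch_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

stage_configs() {
    mkdir -p "$1/samba"
    krb5_conf > "$1/krb5.conf"
    smb_conf  > "$1/samba/smb.conf"
    printf 'passwd: files winbind\nshadow: files\ngroup:  files winbind\n' > "$1/nsswitch.conf"
}

stage="${STAGE_DIR:-./ad-stage}"
stage_configs "$stage"
nsswitch_has_winbind "$stage/nsswitch.conf" && echo "staged in $stage (nsswitch lists winbind)"
cat <<'EOF'
After copying the files into place on the real machine, verify each layer:
  net ads join -U Administrator   # creates the computer object in AD
  wbinfo -t && wbinfo -u          # machine trust secret OK, domain users enumerate
  getent passwd jdoe              # must return an entry before the logon can succeed
  # and add "session optional pam_mkhomedir.so" to /etc/pam.d/system-auth
  # so /home/%D/%U is created on first logon
EOF
```

The idmap lines use the Samba 3.6+ syntax; the Samba 3.0 that Fedora shipped in 2007 spelled the same thing as "idmap uid = 10000-20000" and "idmap gid = 10000-20000". Whichever form applies, the order of the checks matters: wbinfo -t proves the join, wbinfo -u proves winbind can talk to the domain, and getent passwd proves NSS can see the user, which is the step the "Incorrect username or password" failure above was missing.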

So you may be wondering, with some justification, what's the point of authenticating via AD? There are some advantages, however. You can mount Windows network shares on the domain (via "Connect to Server..." on the "Places" menu) without needing to specify a username and password. Additionally, I hoped that I would be able to browse my domain in "Windows Network." Unfortunately I'm getting an error:

There are obviously still some issues to be resolved.
