
Single Sign On

NOTES: This is still being worked out. The options include LDAP, Samba, NTLM and Kerberos.

NTLM works very well for Windows clients, even when they connect to Linux servers, but NTLM doesn't seem to work for Linux clients: it prompts them for a username/password.

Kerberos is supposed to work; I'm testing this now.

Kerberos

I read the following to get going:

* http://gentoo-wiki.com/HOWTO_OpenAFS_with_MIT-KRB5
* http://perlstalker.vuser.org/tiki/tiki-index.php?page=Gentoo+Kerberos5+HOWTO
* http://www.linuxjournal.com/article/7336
* http://www.linuxjournal.com/article/6266
* http://www.linuxjournal.com/article/8374
* http://www.linuxjournal.com/article/8375

First we need to set up a KDC.

Add kerberos to your USE flags.

Run emerge krb5 on your PDC box.

You might want to run emerge -vautND world too.

Create /etc/krb5.conf like this (the realm name under [realms] must match default_realm exactly, and the [domain_realm] entries map your DNS domain onto that realm):

    [libdefaults]
        default_realm = SQLS.NET

    [realms]
        # Must be the same name as default_realm above
        SQLS.NET = {
            kdc = kdc.sqls.net
        }

    [domain_realm]
        # Hosts in the sqls.net DNS domain belong to realm SQLS.NET
        .sqls.net = SQLS.NET
        sqls.net = SQLS.NET

There's also an /etc/kdc.conf file, but apparently you don't need to create it. We'll see.

Now create the initial database:

# kdb5_util create -s

Now add a user account, maybe your own:

# kadmin.local -q "addprinc root"

Now start the KDC:

# /etc/init.d/mit-krb5kdc start

And test it:

# kinit root

Then check your tickets:

# klist

You should have gotten a ticket! If so, you've got Kerberos working.
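As an added example (not from the original page), a small krb5.conf checker for the mistake that is easiest to make when copying a template: the name under [realms] must match default_realm and the [domain_realm] targets, or kinit goes looking for a realm that is not defined. The embedded sample config is constructed and deliberately contains that mismatch.

```python
import re
# Constructed sample (not a live config) in the layout of the /etc/krb5.conf above, with
# the [realms] name deliberately not matching default_realm, an easy slip when copying a template.
BROKEN_KRB5_CONF = """\
[libdefaults]
    default_realm = SQLS.NET
[realms]
    REMINGTONPIPE = {
        kdc = kdc.sqls.net
    }
[domain_realm]
    .sqls.net = SQLS.NET
"""

def parse_krb5_conf(text):
    # Minimal parser: [section] headers, key = value lines and one level of NAME = { ... }
    # sub-blocks as used by [realms]; '#' and ';' start comments; repeated keys keep the last value.
    sections, section, block = {}, None, None
    lines = (re.sub(r'[#;].*', '', raw).strip() for raw in text.splitlines())
    for line in filter(None, lines):  # skip blank and comment-only lines
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
        elif line == '}':
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                block = section.setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                section[key] = value
    return sections

def check_realm_consistency(text):
    # Report the mismatches that make kinit fail or point clients at an undefined realm:
    # default_realm with no [realms] entry, realm blocks without a kdc, undefined [domain_realm] targets.
    conf = parse_krb5_conf(text)
    realms = conf.get('realms', {})
    problems = []
    default = conf.get('libdefaults', {}).get('default_realm')
    if default not in realms:
        problems.append(f'default_realm {default} has no [realms] entry')
    problems += [f'realm {name} defines no kdc' for name, body in realms.items() if 'kdc' not in body]
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            problems.append(f'{domain} maps to undefined realm {realm}')
    return problems
```

Run check_realm_consistency on the text of a real /etc/krb5.conf before starting the KDC; an empty list means the realm names line up.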

For the Web

We're using NTLM for auto-login via the web to our portal/intranet sites. Here is how we got it working in our environment.

Install Samba with the winbind and ldap USE flags, then configure winbind.

Once you compile Samba with winbind on Gentoo, you need to edit /etc/conf.d/samba and include "winbind" in the daemon_list string.

If this Samba install isn't your primary Samba server, you'll want to join it to your domain. I need to look up this step because I forgot it.

Then just run:

# ntlm_auth --username=myusername
password:
NT_STATUS_OK: Success (0x0)

If you get NT_STATUS_OK, you're done. If not, good luck; it just worked for me.

P.S. Kerberos is not needed for a pure Linux setup.

Next, install mod_auth_ntlm_winbind to allow Apache to work with NTLM.

I guess I could copy it and paste it here, but why? Just read this: http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind

For Servers

NTLM via Samba → LDAP for web and pam/nss → LDAP for server logins.

Introduction

Over the last several years I have been involved in several implementations of Linux and/or Open Source solutions for different corporate environments. Most recently I was hired to put together a 99% Open Source solution for a start-up company. The company is a reseller with a corporate office and a handful of branch offices around the US. I thought it might be useful for others interested in a similar setup if I wrote about this implementation.

Right now this is a rough draft of notes. I should clean it up later.

Overview

In short, we put together a whole bunch of very effective, usable, and awesome Open Source software to run a corporate office and several branch offices. We used Thin Clients, Terminal Server, Samba, Apache, PHP, Scalable Open Groupware, and more. In the end we spent around 50k on hardware, most of which is now sitting at 1-10% utilization, and only about 2k on software, and that was for 6 laptops with Windows and Microsoft Office for a couple of users that we felt would have a hard time adapting to a completely new environment. We've managed to provide every type of service you would typically find in a corporate environment for a couple hundred thousand dollars less than a conventional setup.

So far the system has been rock solid and new employees have had little to no trouble adjusting to the minor differences from a pure-Windows environment.

Hardware

I've previously had good luck sourcing hardware from Dell. They have outstanding service and their warranty work is fairly hassle free. We first checked prices for getting items off eBay or other sources, even a few items here and a few there. But when buying everything all at once from Dell we got a pretty good deal. So about 30k later we had all of the hardware we would need for the first couple of years of business.

Servers

We picked up five 2950's with 8 2.0 GHz CPUs, 8 GB of RAM and 6 250 GB SATA drives in RAID-5. So far they've run perfectly in our environment. They are probably overkill right now but that should keep us safe far into the future. They probably didn't all need to be the exact same spec; some of them don't need a terabyte of disk space either. But it's nice having them all the same, especially since we've configured one as a hot-spare server that can very quickly and easily take the role of any of the other servers.

Printers

For our corporate office we got a Dell 3115 all-in-one print/copy/fax thing. It worked instantly with Linux with zero problems.

Backup

We got a Dell PowerVault 124t with LTO-3 drives.

Internet Connection

I think T1's are a waste of money. I bet a lot of people will argue that I'm an idiot. But I've worked at several places with T1's and it seems to me that they are no more reliable than my cable modem at home. Actually, my current full-time job has 5 T1's and they are 'less' reliable than my cable internet at home using a 49 dollar Buffalo router with Linux installed on it.

We researched internet options that would give us the right amount of bandwidth. T1's would have been insanely expensive and would raise our monthly TCO substantially. So we checked into other options.

Corporate Office

We got a 5 Mb up / 30 Mb down fiber connection from a local provider called EasyTEL. So far, it's been rock solid. We needed a healthy amount of bandwidth to support all the remote thin clients that would access our servers over the internet. Oh, this connection was about the price of a single T1 in our area.

Branch Offices

Each office is a tad different but most of them have a cable internet connection with about 1-2 Mb up and 5-10 Mb down. None of them really needed that much down speed, but most packages come with a lot more down than up. Each branch office has a Linksys WRT54GL router with DD-WRT Linux firmware on it. That's what the cable internet plugs into, and it provides DHCP, gateway, firewall, routing, VPN, QoS, and all that jazz. They are 50 bucks, a whole lot cheaper than a Cisco router, and they work flawlessly. We'll talk about that setup in more detail later.

Telecommunications

We had to spend some money here. Well, we didn't have to, but none of us knew enough to feel comfortable with a homebrew solution. Phones are also something we wanted to just have working on day 1. But we still kept it very close to our open source goal.

Phone Lines/Trunks

We got four analog lines from a local provider called EasyTEL. They work fine. Oh, and EasyTEL has been a blast to work with, much nicer people than MCI/Verizon. We then got another dozen SIP lines from Bandwidth.com with a block of DID numbers. It was pretty easy to set them up on our PBX and a heck of a lot cheaper than buying a couple of PRIs. So far we haven't had any trouble with these lines.

PBX

We went with Switchvox, which sells pre-built PBX systems based on Asterisk (Open Source PBX software that runs on Linux). They have been outstanding. Their tech support is far better than many of the other telecom companies I have worked with in the past.

Phones

We're using Polycom VoIP SIP POE phones. Haven't had any trouble with them yet. They are crystal clear and work.

Desktop

Laptop Users

We've got a very small number of laptop users. We went ahead and put them on Windows Vista. We picked up some Dell Precisions, which I think are the only Dell laptops worth paying money for. They work, they're sturdy, and they don't suck.

Thin Client Users

We got a whole bunch of thin clients from DisklessWorkstations.com. Yeah, their website looks iffy, but these guys went the extra mile for us. They are officially supported by the Linux Terminal Server Project and are highly motivated and involved in the Open Source world. We came to them with question after question and they even built a setup in their labs and tested our environment for us. They made us some modified thin clients and everything. That's far more than I ever expected and we're very devoted to these guys because of their effort. Also, because of our request, they have thin clients that fully support the NoMachine NX Client.

Servers

We got a bunch of 2950's from Dell with 8 CPUs, 8 GB RAM and 6x250 GB disks in RAID-5. Most of these tasks run on the same boxes, but I'm breaking them up here just to make it easy to read and understand.

File Sharing

samba!

Print

cups!

Authentication

samba/ldap/pam

 
howto/linux_for_the_corporate_environment.txt · Last modified: 2009/08/07 09:03 by bruce
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported