Domain authentication sets Xandros Desktop apart
by DesktopLinux.com staff
In part one in a series of chats with key members of the Xandros team, DesktopLinux.com gives you an insider's view of the Xandros project philosophy and architecture. We'll get a closer look at some of the features that set the Xandros Desktop apart from the rest of the Linux OS pack. Oleg Noskov, Xandros software development manager, talks about domain authentication -- one of the essential keys to integrating with, and eventually migrating from, existing Windows networking infrastructures.
DesktopLinux.com: Can you give us some details on how Windows domain authentication works in Xandros? Is this feature unique to the Xandros Desktop? How does it benefit enterprises with Windows networks that are seeking to migrate to Linux?
Oleg: Yes, we are the only Linux distribution that supports native Windows domain logins. We also come first in other areas, such as usability and the ease of installation and configuration. Our hardware detection is excellent as well. So basically Xandros is the obvious choice for many enterprises.
DesktopLinux.com: Why can't other distributions hook into the Windows domain controllers?
Oleg: Because they don't have the feature. Most distributions are not desktop-oriented, so they were never concerned with Windows network integration.
DesktopLinux.com: How does this authentication work?
Oleg: Basically, on a technical level, the authentication in the domain is performed by a package called Winbind that is part of Samba. But we do a lot more -- we provide the login dialog that allows them to enter the user name and password, not from the local machine but from the domain.
DesktopLinux.com: So this part is not part of Samba?
Oleg: No. Samba is the lower-level package that actually does the work, but we do the GUI for it.
DesktopLinux.com: What steps are involved?
Oleg: Your computer first needs to join the domain. Windows 95 and Windows 98 machines did not need to be registered with the domain -- you could just operate as if they were part of the domain. But Windows NT boxes and Windows 2000 boxes always needed to have an account created for them.
To go through this formal procedure with a Xandros machine, you go to the Windows Networking portion of the Control Center to add your computer to the Windows domain. You can find the domain controller and it will allow you to join, provided you know the administrator's password. Essentially, it's mimicking the same thing that Windows users go through.
That's one scenario. Another option is for the administrator to preconfigure the domain controller to include accounts for the Xandros Desktop machines. Then, when you join the domain, you are not prompted for the password, you will just join.
DesktopLinux.com: Once your machine is hooked up to the Windows domain controller, how does the user authenticate against the domain?
Oleg: Users automatically get dialogs that allow them to join the domain. Your login widget will not only have your username and password, it will also have a field for domain. If you want to log in as a local user, you can do that, or you can select a Windows domain and log in to that.
DesktopLinux.com: The first time you log in it creates the home directory and sets up the domain authentication?
Oleg: Yes. It creates a home directory when you log in. When you log out, it doesn't go anywhere -- it will stay in the system.
Authentication requires creating user accounts on the fly. Before you log in, this account doesn't exist in this machine. When you enter your user name and password, but before you push that Login button, the system has no idea that you exist. It contacts the domain controller and figures out that you do exist -- it does authentication -- and then, transparently, creates a virtual user account. You will then see your network resources transparently, according to the permissions established for your user account.
Xandros is basically mimicking what happens with a Windows NT, a Windows 2000, or a Windows XP box. If you log into the domain, it will transparently let you in, even though that machine had no idea about you, the user. That's the whole concept of the Windows domain and why Windows is so popular, because this is really good for organizations.
We are just tapping into the existing architecture of Windows domain authentication -- making our Xandros box act exactly like Windows boxes.
DesktopLinux.com: So essentially you're writing this stuff to configuration files which must be dynamic, since they're changing all the time?
Oleg: Yes. We search for a domain controller -- for the PDC -- dynamically. At login we find all the domain controllers. No other distribution has integrated this capability into their login. Outside of the Samba project, other distributions are not integrating this back-end work into the GUI.
DesktopLinux.com: Since it's not built into the OS originally, it's going through Samba to set up their configuration files?
Oleg: Yes.
DesktopLinux.com: So as an example, if I'm using Red Hat, how do I tie into the Windows network?
Oleg: There is no way, because Red Hat is not designed for this. Red Hat requires you to have a local user account.
DesktopLinux.com: So Red Hat can't tie into existing Windows servers?
Oleg: No. When you have a Red Hat desktop, you have to log in using the local user account. The native UNIX way of doing this was NIS [Network Information System]. With Red Hat desktops you will need to have the NIS server somewhere, and you will need to replicate your Windows domain users on your NIS server so Red Hat can authenticate against that. That still requires a lot of manual configuration -- it's not like you can use Red Hat out of the box, the way you can with Xandros Desktop.
DesktopLinux.com: If you're coming into a shop where shared resources are managed by Windows domain controllers, you really need a simple way for your Linux desktop to access them?
Oleg: Yes. They don't want shared resources to be world-readable. Resources are shared for members of particular domains. They concern printers as well -- you can print to printers if printers authenticate you. If you are a domain user you can print; if you're not a domain user you cannot print.
This is basically why organizations use domain authentication -- to simplify access routes and assign proper permissions to users. Like I may want to share a folder for managers only. If a particular user on the Windows domain is part of the manager group they will get access. So it's a group management tool as well. Here Xandros Desktop works just like a Windows box.
DesktopLinux.com: And no other distribution uses that approach?
Oleg: No other distribution can do that. Probably, with a lot of manual configuration, you could, I presume, reconfigure Red Hat or other Linux distributions, but none of them provides a means to do this easily.
Basically, other distributions, with a couple of exceptions, are not interested in desktops at all. So it's very natural that they don't have this. They usually have stock Gnome or stock KDE, which don't have anything like that. It takes more than that -- it takes some integration with the underlying OS in order to enable domain authentication.
DesktopLinux.com: What about security? If you were using Red Hat, you would have to first log in as a local user, and then access network shares by issuing the domain password?
Oleg: Yes. And every time you go to access your network resources through Konqueror, there is a dilemma: what credentials do you use? The first time, no matter what, you are prompted, since the system doesn't know who you are. Now, Konqueror will try to be smart -- it will try to cache these passwords. So, of course, the second time you go to that same place you will not be prompted because you already entered the password.
So what is happening is that you are allowed to store this password information in a config file. Since they don't have native domain authentication, they try to be smart and not to prompt you many times for a password. So they are creating a file on your system that contains your username and password for a particular Windows share.
Well, needless to say, that's a bad decision because your username and password are stored in a regular, plain-text file. Regular KDE will allow you to do this. So users, instead of typing their password endlessly, will be tempted to go and create this file. That's a security hole.
DesktopLinux.com: Anyone can access your password?
Oleg: Anyone who can get physical access to your hard drive. Or if you can go through some security hole in Linux somewhere, a hacker can read the file and know your network passwords. It's a major security breach to your organization -- not only to your computer, but to your LAN as well.
Disclosing network passwords is a bad idea. Storing them in a file is a very stupid idea. But KDE has no other way of doing this -- otherwise they will be prompting for passwords endlessly. Any distribution with regular, plain KDE has this feature.
DesktopLinux.com: What about Gnome?
Oleg: Gnome doesn't have that feature at all. In that sense, it is even weaker than KDE. KDE has this so-called "solution", but it's not a solution at all -- it's a non-secure solution. They don't have domain login at all -- what they have is an attempt to access a share using a password.
Our authentication is at the main login, so you're not compromising security by having passwords in a file.
DesktopLinux.com: And no other Linux distribution does that?
Oleg: No. What we did, essentially, is we ripped all the Samba integration out of plain KDE and threw it away. We wrote new components.
I should also mention that the Samba share support in regular KDE is not stable. You try to do something, and it just crashes on you. It's more than just being able to log into the domain -- Xandros has a much more robust system.
Essentially, we have been working on this for many years -- we released domain login in Corel Linux 1.0. Even Corel Linux 1.0 was more robust than today's Linux distros, in that area.
That was one of the very first things we did on our own. We just took regular KDE 1.1 or 1.2 and added the Corel File Manager that had all these Windows networking improvements.
The Corel/Xandros philosophy is to fit in with what exists already in the enterprise. The KDE philosophy is to create an independent alternative that's not talking to the old solution.
DesktopLinux.com: Interesting approaches to get customers on the path to Desktop Linux. Thanks for your time!
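The mechanism Oleg describes (Winbind doing the authentication, domain accounts resolved on the fly instead of living in /etc/passwd, and a home directory created at first login) can be reproduced by hand on a stock Samba installation. The fragments below are an added, constructed example, not Xandros's own configuration; the domain name EXAMPLE, the uid range, the Debian-style PAM file names and the Samba 3.6+ idmap syntax are assumptions that vary by distribution and Samba version.

```ini
# /etc/samba/smb.conf (fragment, constructed example)
[global]
    # NetBIOS name of the Windows domain (assumed value)
    workgroup = EXAMPLE
    # Verify passwords against the domain controllers, not local files
    security = domain
    # Locate domain controllers dynamically, as the interview describes
    password server = *
    # Let users type "alice" rather than "EXAMPLE\alice" at the login prompt
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    # Domain users have no local passwd entry, so supply a shell and a
    # per-domain home directory path for the account created on the fly
    template shell = /bin/bash
    template homedir = /home/%D/%U
    # Map domain SIDs onto a reserved local uid/gid range
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000

# /etc/nsswitch.conf (fragment): consult winbind when a user or group
# is not found in the local files
passwd: files winbind
group:  files winbind

# /etc/pam.d/common-auth and common-session (fragments, Debian layout assumed):
# pam_winbind checks the password with the domain controller; pam_mkhomedir
# creates the home directory on first login and leaves it in place afterwards,
# which is the "virtual user account" behaviour described above
auth     sufficient pam_winbind.so
auth     required   pam_unix.so try_first_pass
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077

# Joining the machine to the domain needs the domain administrator's
# password, exactly as in the Windows procedure; afterwards the trust
# secret and the on-demand account lookup can be verified:
#   net rpc join -U Administrator
#   wbinfo -t
#   getent passwd 'EXAMPLE\alice'
```

Because the credential is only ever presented to the domain controller at login and the mapping state lives in Winbind's own database, no per-share username/password file of the kind criticized later in the interview is needed.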