List of Figures

Chapter 1: Installation and Getting Around

Figure 1.1: This is what your test network will look like at the end of the chapter.
Figure 1.2: The Windows 2003 initial setup screen
Figure 1.3: You can partition your hard drive here if desired.
Figure 1.4: This is the last text-based setup screen.
Figure 1.5: Enter the computer name and the Administrator password.
Figure 1.6: Enter the static IP information.
Figure 1.7: Here you can select the optional Windows components to use.
Figure 1.8: Initial Fedora installation screen
Figure 1.9: Installation Type screen
Figure 1.10: Disk Partitioning Setup screen
Figure 1.11: Automatic Partitioning screen
Figure 1.12: Boot Loader Configuration screen
Figure 1.13: Network Configuration screen: Edit Interface eth0
Figure 1.14: Network Configuration screen: Hostname and Miscellaneous Settings
Figure 1.15: Firewall Configuration screen with choices appropriate for linserv1
Figure 1.16: Package Group Selection screen
Figure 1.17: The Congratulations screen
Figure 1.18: The Welcome screen
Figure 1.19: System User screen
Figure 1.20: Username screen
Figure 1.21: Desktop with up2date icon
Figure 1.22: Packages flagged to be skipped
Figure 1.23: Downloading Webmin
Figure 1.24: Logging in to Webmin
Figure 1.25: Webmin user interface
Figure 1.26: Webmin after successful Net_SSLeay.pm installation
Figure 1.27: Webmin SSL support form
Figure 1.28: Security level configuration
Figure 1.29: Forwarding configuration for DNS
Figure 1.30: Remember, your Active Directory is to be self-contained in its own domain entitled ad.corp.com.
Figure 1.31: Select the second option and make sure your Windows 2003 CD-ROM is in the drive.
Figure 1.32: Make sure your settings are correct and select "Next" to install Active Directory.
Figure 1.33: Use the Forwarders tab to forward to the LinServ1 domain controller that owns corp.com.
Figure 1.34: You must activate most editions of Windows Server 2003.

Chapter 2: Linux Authentication Services

Figure 2.1: Here's what a typical enterprise NIS structure might look like.
Figure 2.2: In the "NIS Settings" dialog, enter the NIS Domain and NIS Server names.
Figure 2.3: Set up pGina's NIS plug-in for your NIS domain.
Figure 2.4: You can now use NIS to authenticate Windows clients.
Figure 2.5: Use the WRQ Reflection NFS client utility to configure your NIS settings.
Figure 2.6: Enter your NIS username and password credentials.
Figure 2.7: Ensure that "openldap-servers" is selected.
Figure 2.8: You can easily get to the "LDAP Users and Groups" button from the main "System" button (at the top).
Figure 2.9: The Module Config can be hard to find. After you select "LDAP Users and Groups," it will be hiding in a little tab.
Figure 2.10: You're ready to move on to creating users and groups!
Figure 2.11: Be sure to configure the "LDAP Settings" dialog twice: once for the "User Information" tab, and once here, on the "Authentication" tab.
Figure 2.12: After you double-click the "cacert.cer" file, you can install the certificate. Just follow the instructions in the text carefully.
Figure 2.13: Click the "Show physical stores" check, then drill down to "Local Computer."
Figure 2.14: pGina is using the LDAPAuth plug-in; the LDAP server and context are added, and "Use SSL" is checked.
Figure 2.15: Here's how Samba might integrate into your environment.
Figure 2.16: Internal architecture of your Samba PDC
Figure 2.17: Downloading this latest version of the smbldap-tools
Figure 2.18: Webmin settings to support Samba accounts in LDAP Users and Groups
Figure 2.19: Upgrading an existing LDAP account to support Samba
Figure 2.20: The User Manager in Windows NT 4
Figure 2.21: Here you can join the Samba CORP domain.

Chapter 3: Authenticating Linux Clients to Active Directory

Figure 3.1: Create two new OUs: Sales and Marketing
Figure 3.2: Use the "Log on to" drop-down to select the domain.
Figure 3.3: Windows and Linux clients can both bind to an Active Directory domain.
Figure 3.4: Use the "Authentication Configuration" screen to select both "Use Winbind" and "Use Winbind Authentication" options
Figure 3.5: Use these Winbind Settings to specify your Active Directory and shell information.
Figure 3.6: Edit /etc/pam.d/gdm to add the last line as shown.
Figure 3.7: Edit /etc/pam.d/login to create home directories for command-line logins.
Figure 3.8: Edit the /etc/pam.d/sshd file to tell it how to create home directories
Figure 3.9: Avoid installing the "Client for NFS" and the "Password Synchronization" features, but do install the "Gateway for NFS."
Figure 3.10: You can Unix-enable an Active Directory group.
Figure 3.11: You can Unix-enable your users and specify which Unix-enabled groups they are members of.
Figure 3.12: How a Linux client authenticates to an Active Directory with extended Unix attributes
Figure 3.13: Enter the name of the Active Directory distinguished name (dn) and the Active Directory server name.
Figure 3.14: Enter the Active Directory name and the name of our Active Directory Domain Controller in the Kerberos Settings in the Authentication tool.
Figure 3.15: For these examples, you'll be installing an Active Directory Certificate Server. In the real world, don't run out and do this without thinking about it first.
Figure 3.16: Enter some identifying information about your Active Directory CA.
Figure 3.17: Use LDP to connect to the Active Directory server with port 636.
Figure 3.18: Bind to Active Directory using the dirsearch account you created earlier.
Figure 3.19: Export your Active Directory certificate.
Figure 3.20: Vintela's VAS
Figure 3.21: Centrify's DirectControl

Chapter 4: File Sharing between Windows and Linux

Figure 4.1: You can set permissions directly on each Windows share.
Figure 4.2: You can see the files in the share on Windc1.
Figure 4.3: Enter the Active Directory NAME and the name of our Active Directory Domain Controller in the Kerberos Settings dialog in the Authentication tool.
Figure 4.4: Browsing domains via the "Network Servers" window, then browsing our Active Directory domain, then browsing the available shares on WinDC1.
Figure 4.5: You can use the "Save password in keyring" option to avoid having to re-enter credentials for each share.
Figure 4.6: Users are asked to set a password for their individual keyring.
Figure 4.7: You can browse and open the file on Windows shares. This simple file opens with Linux's gedit.
Figure 4.8: Linux and Windows client computers can authenticate to Samba as a PDC and share files.
Figure 4.9: You can use Webmin to create a Samba share.
Figure 4.10: Creating home directory shares with Webmin
Figure 4.11: You can validate to Active Directory as any user and gain access to SMB shares hosted on Windows or Linux servers.
Figure 4.12: Configuring Samba's Windows networking options with Webmin
Figure 4.13: You'll want to configure your Samba file server's Winbind options as shown here.
Figure 4.14: Creating the research share with Webmin
Figure 4.15: Setting an ACL on the Samba Server via a Windows client
Figure 4.16: Confirmation message when changing ACLs on the root folder of a share
Figure 4.17: Linux and Windows clients can be set up to directly connect to servers exporting NFS.
Figure 4.18: You can leverage NFS to create an export of /home on linserv1.
Figure 4.19: The NFS Exports page shows our new /home export. Click "Apply Changes" to make it take effect.
Figure 4.20: You can use SFU's NFS Gateway to make existing NFS exports on Unix and Linux appear as if they were regular SMB.
Figure 4.21: The Gateway for NFS Configuration application has its own icon. It's not part of the SFU console.
Figure 4.22: Input the name that should appear as the SMB share in the "Share Name" field and the name of the existing NFS resource in the "Network Resource" field.
Figure 4.23: Windows clients can now connect to the NFS resource as a plain ol' SMB share.
Figure 4.24: You can create unified home drives by using Windows 2003, SMB shares, and NFS exports.
Figure 4.25: You can set the permissions on the home directory share so Authenticated Users has Change access.
Figure 4.26: On the NFS tab, "Allow anonymous access" is not needed. On the "NFS Share Permissions" dialog box, ensure the "Allow root access" is selected.
Figure 4.27: Active Directory needs to know who your Linux UID 0 account should be. We suggest you create a new user named root and specifically grant it UID 0.
Figure 4.28: The User Name Mapping service maps Active Directory accounts with Unix Attributes over to the Active Directory NIS server components.
Figure 4.29: In the "NIS domain name" field, you must enter the exact NIS domain name you are using for the Active Directory NIS.
Figure 4.30: The "Display simple maps in Mapped users list" check box demonstrates that queries to NIS will return Unix UIDs stored in Active Directory.
Figure 4.31: Your Active Directory root user needs to have "Read & Execute", "List Folder Contents," and "Read" access on the homedirs directory. You also need to add "Authenticated Users" and give them "List Folder Contents" permissions.
Figure 4.32: Specifically grant each user access on their own home directory.
Figure 4.33: Use the "Profile" tab in "Active Directory Users and Computers" to specify which drive letter to map to the user's home directory. Be sure to specify the UNC path name for the homedirs share, including the user's specific directory.
Figure 4.34: salesperson1's home drive, as seen from a Windows workstation. All of salesperson1's files are visible, including files created in Linux.
Figure 4.35: salesperson1's home drive, as seen from a Linux workstation. All of salesperson1's files are visible, including files created in Windows.
Figure 4.36: You can create fake "nodes," like Sales, just by typing in the word "sales." Then enter a backslash (\) and what you want to call the share name. What you call it needn't have any relation to the underlying share name.
Figure 4.37: The DFS manager helps you sculpt your DFS so you can present a unified view for your shares (as seen in the other windows).

Chapter 5: Printer Sharing between Windows and Linux

Figure 5.1: We will be setting up our Linux Samba server and our Windows 2003 server to share printers and have our Windows and Linux clients print to them.
Figure 5.2: Use Add/Remove Programs to install "Internet Printing."
Figure 5.3: You can secure IIS to allow authentication in a number of ways. Here, we suggest you specify only "Integrated Windows authentication."
Figure 5.4: If desired, you can add automatic downloading driver support for older Windows clients.
Figure 5.5: "Print Services for Unix" is built into Windows 2003 and Windows XP and enables LPD printing.
Figure 5.6: You can enter the SMB name of the printer in the "Add Printer Wizard."
Figure 5.7: Windows Internet Printing offers an easy way to connect to printers.
Figure 5.8: Once your Windows server has LPD set up, you can choose LPD printing as an option.
Figure 5.9: Select your Windows queue and then enter your Active Directory credentials.
Figure 5.10: Printing to a Windows server with Windows Internet Printing requires you to specifically enter the port number (80) and the printer path.
Figure 5.11: The Linux printing architecture
Figure 5.12: Adding a local printer to a Linux server
Figure 5.13: We'll leverage a Windows workstation to upload any required printer drivers to our Linux server. Then we'll log on to another Windows workstation and watch the drivers automatically download.
Figure 5.14: Selecting LinPrinter1Raw from the Samba server via SMB browsing on a Windows client
Figure 5.15: The "Sharing" tab determines if the printer should be listed in Active Directory.
Figure 5.16: You can add any SMB printer to Active Directory to make it searchable.
Figure 5.17: You can select and enter attributes that can help users search for specific printers.
Figure 5.18: Just find the printer you want, double-click it, and go!

Chapter 6: Practical Windows Exchange and Linux Postfix E-mail Integration

Figure 6.1: Both Windows and Linux camps have independent e-mail systems that don't really talk to each other.
Figure 6.2: Using Webmin to configure the "What domain to use in outbound mail" and "What domains to receive mail for" options for the Postfix departmental mail server
Figure 6.3: Using Webmin to configure the "Network interfaces for receiving mail" option for the Postfix departmental mail server
Figure 6.4: Use Active Directory Users and Computers and right-click any user for their "Exchange Tasks."
Figure 6.5: To get the "Exchange Tasks" fly-out on Active Directory Users and Computers at the domain controller, load the Exchange System Management Tools where you do your management.
Figure 6.6: In Outlook setup, enter the name of the Exchange server and the user's name.
Figure 6.7: Use the Global Address List to locate Exchange-enabled users.
Figure 6.8: We'll create mail.corp.com outside the firewall to clean incoming mail and route mail to the correct e-mail server.
Figure 6.9: Add a primary and alternate destination address in the Default Policy Properties.
Figure 6.10: Setting mail.corp.com as a smart host forces all mail to be routed out to mail.corp.com.
Figure 6.11: Enter mail.corp.com as the destination address for forwarding unresolved e-mail.

Chapter 7: Application and Desktop Compatibility

Figure 7.1: Selecting packages to install with the Cygwin setup program
Figure 7.2: VMware Workstation for Windows running Fedora as a guest
Figure 7.3: Bochs is a virtual machine emulator that runs in Windows or Linux. Inside a Bochs guest, you can run Windows or Linux.
Figure 7.4: The top window shows Debian Linux running under coLinux. The bottom window is the monitor, which shows any errors during startup or runtime.
Figure 7.5: Win4Lin is a commercial application capable of running Windows XP within Linux.
Figure 7.6: WINE is part of Fedora Core 3, which makes it handy for running simple Windows applications.
Figure 7.7: CrossOver Office makes it easy to install all sorts of Microsoft and non-Microsoft applications.
Figure 7.8: OpenOffice is in the Fedora Core 3 distribution, so once you install Fedora Core 3 with our recommended package selections, OpenOffice is right there.
Figure 7.9: StarOffice 8 Writer running on the Fedora Linux desktop
Figure 7.10: Accessing the Exchange server via Outlook Web Access with the Firefox browser on a Linux Client
Figure 7.11: Once the Evolution-Exchange connector is installed, Microsoft Exchange is an available server type.
Figure 7.12: Specifying the global catalog server on the second page of the Evolution Exchange Connector Account Setup Wizard.

Chapter 8: Remote, Terminal, and Assisted Computing for Windows and Linux

Figure 8.1: You can enable Remote Desktop for either Windows XP or Windows 2003 systems.
Figure 8.2: Here, add in the users to which you explicitly want to grant remote access.
Figure 8.3: This is the error you will receive unless you expressly add the users you want to allow to remotely connect to a Domain Controller.
Figure 8.4: Because this is a Domain Controller, you need to expressly add the users (or groups) of users you want to allow to remotely connect.
Figure 8.5: The Remote Desktop Connection applet lets you remotely connect via RDP to other Windows machines.
Figure 8.6: Making a Windows Remote Desktop connection from Linux to Windows using the Terminal Server Client application. The "Password" field didn't seem to do much for us in our experiments.
Figure 8.7: Remote computing accessing a Windows host from a Linux guest workstation using RDP and the rdesktop application, started from Terminal Server Client
Figure 8.8: Since Windows Terminal Services is an optional component, you must also add licensing services somewhere on your Windows network.
Figure 8.9: Setting up the TightVNC host software to allow Linux guests to assist the user of a Windows host
Figure 8.10: Adding a firewall rule allowing traffic on the VNC port 5900 to reach the Windows host
Figure 8.11: When VNC is used as the transport for Linux's Terminal Server Client application, the password field isn't passed through to the VNC viewer, so we leave that field blank. We will be prompted for the password separately later.
Figure 8.12: Entering the VNC password is a separate step when making a VNC connection from Linux to Windows using the Terminal Server Client application.
Figure 8.13: Assisting the user of a Windows host from a Linux guest workstation using VNC and the Terminal Server Client application
Figure 8.14: VNC traffic from xppro1 travels over the network to TCP port 5900 on linserv1. xinetd accepts the traffic and routes it to the correct Xvnc session for that particular user.
Figure 8.15: Configuring the VNC service in the Webmin Extended Internet Services (xinetd) module
Figure 8.16: Completing the configuration of the VNC service in the Webmin xinetd module by restricting access to the local subnet and securely forwarded connections
Figure 8.17: Configuring gdm to display the standard Fedora logon prompt to VNC guests
Figure 8.18: Configuring gdm to allow remote display of the logon prompt and to allow a sufficient number of simultaneous users on secure connections that appear to come from the server itself
Figure 8.19: Opening a VNC connection to linserv1.corp.com from xppro1.ad.corp.com using the TightVNC Viewer VNC guest application
Figure 8.20: Logging on to linserv1.corp.com from xppro1.ad.corp.com using the TightVNC Viewer VNC guest application
Figure 8.21: nurse1's Fedora Linux desktop on linserv1.corp.com, as shown via VNC guest application on xppro1.ad.corp.com
Figure 8.22: Traffic from the TightVNC guest application is handed off to PuTTY, which is listening on port 5950 on xppro1. The traffic is then encrypted, forwarded to the ssh daemon on linserv1, decrypted, and finally forwarded on to the VNC port (5900) on linserv1.
Figure 8.23: Configuring the PuTTY ssh client application on the Windows PC xppro1.ad.corp.com to connect to linserv1.corp.com
Figure 8.24: Configuring the PuTTY ssh client application to "tunnel" VNC connections from the local port 5950 to port 5900 on linserv1.corp.com
Figure 8.25: Configuring Fedora's Remote Desktop feature to accept VNC assisted computing connections
Figure 8.26: Accepting an assisted computing connection with Fedora's Remote Desktop on adlincli1.ad.corp.com

Chapter 9: Windows and Linux Network Interoperability

Figure 9.1: Creating a separate DNS zone for the peerad.corp.com subdomain on linserv1.corp.com
Figure 9.2: Be sure to specify the Active Directory Domain Controller from which to accept records: in our case, 192.168.2.240, peerdc1.peerad.corp.com.
Figure 9.3: peerad.corp.com will be a new domain whose DNS records will "live" upon linserv1.corp.com .
Figure 9.4: Your new peer domain will be called peerad.corp.com .
Figure 9.5: If you get a DNS-related error message like this one, be sure that BIND's data directories are writable and that 192.168.2.240 is allowed to send updates to linserv1.corp.com.
Figure 9.6: Displaying service address records to verify that DNS updates from Active Directory have been accepted by linserv1.corp.com
Figure 9.7: We want to accomplish three goals when we put a Linux DNS server in the branch office.
Figure 9.8: Configure Windows DNS so that it allows zone transfers and will also automatically notify secondaries when changes are available.
Figure 9.9: Use these settings to create a slave zone such that linbranch1.ad.corp.com is a secondary DNS server for the ad.corp.com domain.
Figure 9.10: Forward queries not resolved directly by this server to the next in line: windc1.ad.corp.com (192.168.2.226).
Figure 9.11: Once the trust to corp is established, it should be available within the "Log on to" drop-down
Figure 9.12: Using a Windows 2003 PPTP server, both Windows and Linux clients can log on with either corp domain or ad domain credentials, now that the trust is in place.
Figure 9.13: PPTP is configured once the configuration of RRAS starts.
Figure 9.14: Ensure "Remote access connections (inbound only)" is selected.
Figure 9.15: Be sure to select the policy and allow people access. By default RRAS denies everyone access.
Figure 9.16: Ensure that the user you want to allow to dial in has been expressly assigned "Allow access" on the "Dial-in" tab.
Figure 9.17: You can enter credentials as anyone in Active Directory who has been granted the specific right to log on via dial-in.
Figure 9.18: A pop-up balloon for Windows XP shows that you're connected to the VPN.
Figure 9.19: Enter credentials for doctor1, who lives in corp.
Figure 9.20: Your Samba accounts need to be specifically granted dial-in access.
Figure 9.21: Samba users need the "Grant dial-in permission to user" set within the NT 4 User Manager tool.
Figure 9.22: You can use pptpconfig to create a new PPTP VPN connection.
Figure 9.23: You'll see "connected" in the pptpconfig status window upon successfully connecting from linmobile1

Chapter 10: Web Interoperability

Figure 10.1: Adding a new MIME type to file extension mapping in IIS
Figure 10.2: The MySQL-related portion of the output shown in our PHP test page when PHP and MySQL support are correctly configured on exchange2003.ad.corp.com
Figure 10.3: Because IIS has tight security policies, phpBB can't write to its configuration file directly.
Figure 10.4: The welcome page of phpBB, open-source PHP-based forum software running successfully under PHP for Windows on Internet Information Server
Figure 10.5: Sample C# ASP.NET pages, working successfully under Linux via the Mono project
Figure 10.6: When the JASP engine is correctly installed, ASP code found in a file with the .asp extension is correctly executed to generate the text of the page


Windows and Linux Integration: Hands-on Solutions for a Mixed Environment (2005 publication)
ISBN: B003JFRFG0
EAN: N/A
Year: 2005
Pages: 71
