After much thought and (I thought) much research into the matter, I decided to move to an Active Directory implementation for the office. It was not a decision made lightly, and there are a few more pieces that have to be added to make everything work the way I want it. I was looking forward to group policy management, adding computers and users to the domain without having to spend too much time configuring accounts. Done right, Active Directory allows a single location for handling permissions and passwords. That’s the main thing I’m looking for – well, that and some kind of certificate signon for our remote desktop logins.
My biggest concern was getting bogged down in the Windows Server 2008 implementation, so I started by reading the Samba wiki. Windows doesn’t like an external DNS, but I have a very customized DHCP/DNS server for the LTSP and I’m not moving that into Windows.
I managed to get Samba upgraded on the CentOS box and then… Redhat Samba doesn’t work. At the time that I was attempting this, the encryption backend was still being worked on by Redhat and was incompatible with Windows. Really!? I ended up reverting to the prior install of Samba, which broke, and I had to go through some magical incantations to remove cruft files and finally get Samba running properly again. I was so mad that I’ve only just now gotten to writing about it, and some of the details have fallen out of my head*. Sorry. If you are going to use Active Directory on Redhat, just wait. It’s not ready yet.
One last glitch of installing Active Directory is that Microsoft knows better than I do and disables Terminal Services because, you know, it’s safer that way. While I don’t disagree, that’s why I was trying to put AD on CentOS; that’s the only fuggin reason that I have Windows – to be able to use Windows (via Terminal Services). MS instead wants to force another server on me. Thanks, but no. We spent enough money on this server and I want it to do what I want it to do. It works for me. Maybe. There is a setting, buried in there somewhere (Google is your friend), that will allow you to re-enable the Terminal Services login.
So far I like the ability to join computers to the Domain and manage accounts and passwords in a central location. Create an account on the Domain and I can manage which computers the users have access to, and I don’t have to go around creating accounts on laptops. If the laptop is joined to the domain, all a user has to do is log in to it – if their account has privileges for the laptops. I have not joined my CentOS box to the domain; that is a task for another day. I do not, do not like it. “Absolutely hate” might not be strong enough to express my vile hatred of Active Directory’s failure to actually do what some web sites say it can do (and I would love it if it did) and set policies so users would have a default printer and/or links on their desktops. This might work – I could have the wrong level of AD configured, but if it doesn’t work at the level I have it set at, why the hell is the option there in the first place? It’s like having manual windows on your car: for future functionality the car company added the power window switch, but the switch isn’t actually wired and the motor isn’t in the door cavity.
This is the kinda crap that makes computer Admins go absolutely nuts and join some online role-playing game where they hunt down Bill Gates or a likeness and beat him nearly to death but keep him alive so his suffering can continue. ’Cause you know, in real life it takes a lot of hams to get the gators to eat the body.
Just to be clear – in case I wasn’t – Samba should be ready to take on the AD role. Redhat broke it due to incompatible encryption libraries. Windows still fails in at least three of the ways that I normally would be using this software. (And I have a hard time figuring out where the hell all the configuration posts on the ’net are referring to. Yeah, I’m an AD noob. When it takes 27 mufuggin clicks just to get close to where my screen looks like the one online – and mine still breaks!?… or doesn’t work, which is just as bad.)
*My initial draft was January 2, 2014.