Slashdot Mirror


Windows to Linux Migration in the Enterprise?

youngerpants asks: "There is a lot of talk at the moment about migrating applications from WIN32 to Linux. This certainly helps move the OSS movement along, however, the true test of Linux is in the enterprise. Whereas we can move applications, how can the enterprise itself (such as Active Directory to Open LDAP, Exchange Server to Sendmail and NTFS to Samba) be moved. Have Slashdot readers used any applications or followed any strategies to migrate their enterprise? How would you tackle an obviously risky migration?"

8 of 92 comments

  1. Windows to Linux Migration Guide by Anonymous Coward · · Score: 3, Informative

    Check out this link.

  2. Advice from someone who has done it. by Noksagt · · Score: 5, Informative
    I have migrated to FreeBSD/Linux backed servers. The first key is to do it incrementally--migrate piece-by-piece.

    (such as Active Directory to Open LDAP,
    LDAP is so useful that you might as well start here. Remember that LDAP is a multipurpose directory. If you want to replace AD authentication and a Windows PDC, IDEALX has written some nice Perl scripts and a tutorial on how to do this with OpenLDAP and Samba.

    Exchange Server to Sendmail

    If you want to replace Exchange Server, use Openexchange. If you want to replace only your MTA, consider using Postfix. On the server end, this isn't a ton of work. But you will likely have to change the way clients are connecting to your server & also what they can do with it. Sendmail/Postfix will probably not be enough for you...

    and NTFS to Samba)
    NTFS is a local file system. Samba is an open source SMB server/client. Big difference. See IDEALX for good Samba deployment.
  3. Re:No REALLY!! How can I get NTFS-like permissions by j-turkey · · Score: 2, Informative
    I've always been curious about this. I love Linux, but one of the areas where I think it is sorely lacking is in file system permissions flexibility.

    I'm hoping that one of the things that you love about Linux is its flexibility...most distributions can grow far beyond their packaging. :)

    I believe that you're looking for ACL support (Access Control Lists). Check this out. Also, just do a Google search for Linux ACLs. There are lots of projects in development, and considering how long these have been worked on, there are probably some implementations which are quite mature. YMMV.

    --

    -Turkey

  4. Re:Wrong examples by Undertaker43017 · · Score: 4, Informative

    nssldap, pamldap and MS Services for Unix...

    Nssldap will have to be recompiled for schema mapping, since AD doesn't follow a standard LDAP schema. Last I checked FC2 and FC3 already had compiled nssldap this way, so no recompile was necessary.

    MS Services for Unix is needed to modify the AD schema and for a couple of added screens in the admin tools for AD, to allow Unix attributes to be added.

    If you want to be able to change passwords from *nix, you will need to set up SSL, since password changes can only occur over SSL in AD.

    Just google on "AD nssldap". I have had my office running this way for almost 4 years, with no problems.

  5. Re:Wrong examples by Noksagt · · Score: 3, Informative

    I disagree that few *nix apps take advantage of Kerberos. Indeed, Samba and OpenLDAP, both mentioned here, do. OpenSSH, Cyrus IMAP, Netatalk, fetchmail, and many popular others do too. But you are right that it is far from universally implemented & many now choose to just run most traffic over SSL instead.

    My two cents on what you didn't ask about: I, like you, am impressed that you basically get kerb for free for most traffic from a Windows server. However, I hate MS for the way they did this. They use non-standard, undocumented features that prevent non-MS systems from actually being interoperable with them. Even the MIT Kerberos team has accused them of trying to embrace & extinguish. I suspect that some (though certainly not all) of the lack of Kerberos on *NIX has to do with this.

  6. Re:Wrong examples by Stinking+Pig · · Score: 2, Informative

    "Active Directory's primary feature is that it is an LDAP implementation"

    BZZT... primary feature is a trio of functions, the AAA as it used to be called in Cisco materials: authentication, authorization, and access.

    Authentication: Who is this? Do the username, password, and optional crypto token match?

    Authorization: What resources are you allowed to use?

    Access: Is the authorization for this resource still valid?

    If you just want a directory, OpenLDAP is great. If you want an AD replacement, you need OpenLDAP, Kerberos, PAM, and Samba.

    --
    "Nothing was broken, and it's been fixed." -- Jon Carroll
  7. Re:For these, you don't by ratboy666 · · Score: 2, Informative

    It's a Troll, and I'm happy with it!

    Seriously, the concept of "shrinkwrapped" software doesn't go with Enterprise -- a lot of customization and integration will need to be done. "QuickBooks" and its kin won't cut it. That's what I think of when "shrinkwrap" is mentioned. You are not going to find ADP software at your local computer store!

    Now, if you ARE talking enterprise accounting, the same number of solutions are going to be available on UNIX based platforms.

    As to Windows "Enterprise" use... Microsoft does claim Enterprise ready software, but I haven't yet seen the hardware it would run on. My (old) clients don't have it either. Maybe it's good, maybe not. I just don't know. That makes enterprise Windows the "risky" choice. Go buy an enterprise server from IBM or SUN; it works -- and both bundle hardware/software as a single stack. Microsoft doesn't, so you ALSO have the risk that the next version/patchset will render the server non-functional. (Yup, I can play the FUD game too!).

    That said, Microsoft does have some interesting groupware and directory services offerings.

    Anyway, thanks for the Troll endorsement -- it was, because I was feeling a mite impish.

    Ratboy.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  8. It's really really really easy by lorcha · · Score: 2, Informative
    Here is a guide for POSIX ACLs in Gentoo. From there, you should be able to do it easily in any other distro (in case you are not a Gentoo user). Basically, you get to recompile the kernel if POSIX ACLs for your filesystem are not already compiled in and then you have to remount your filesystems with the acl flag enabled. For bonus points, you should also install your distro's ACL manipulation tools. ;)

    The HOWTO that I linked to has a more detailed explanation of how to do it.

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
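
The prerequisite checks described in comment 8 (ACL support compiled into the kernel, filesystem mounted with the acl option, ACL tools installed), as an added example that is not part of the original thread or the linked HOWTO. The kernel config and mount table below are constructed sample data, and the function names are hypothetical.

```shell
# Constructed sample inputs. On a real host, read the kernel config from
# /boot/config-$(uname -r) or `zcat /proc/config.gz`, and mounts from /proc/mounts.
SAMPLE_KCONFIG='CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS=y
# CONFIG_REISERFS_FS_POSIX_ACL is not set
CONFIG_XFS_FS=m
CONFIG_XFS_POSIX_ACL=y'

SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,acl,user_xattr 0 0
/dev/hda2 /home ext3 rw,noatime 0 0
/dev/hda3 /srv reiserfs rw,acl 0 0'

# kernel_has_acl FSTYPE KCONFIG_TEXT -> status 0 if POSIX ACLs are compiled in
kernel_has_acl() {
    fs=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    # Symbols look like CONFIG_EXT3_FS_POSIX_ACL or CONFIG_XFS_POSIX_ACL
    printf '%s\n' "$2" | grep -Eq "^CONFIG_${fs}_(FS_)?POSIX_ACL=y\$"
}

# mount_has_acl MOUNTPOINT MOUNTS_TEXT -> status 0 if "acl" is a mount option
mount_has_acl() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp { n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "acl") found = 1 }
        END { exit !found }'
}

# acl_status MOUNTPOINT KCONFIG_TEXT MOUNTS_TEXT -> prints the next step needed
acl_status() {
    fstype=$(printf '%s\n' "$3" | awk -v mp="$1" '$2 == mp { print $3; exit }')
    [ -n "$fstype" ] || { echo "not-mounted"; return; }
    kernel_has_acl "$fstype" "$2" || { echo "rebuild-kernel"; return; }
    mount_has_acl "$1" "$3" || { echo "remount-with-acl"; return; }
    echo "ready"
}

for mp in / /home /srv; do
    printf '%-6s %s\n' "$mp" "$(acl_status "$mp" "$SAMPLE_KCONFIG" "$SAMPLE_MOUNTS")"
done

# Third prerequisite from the comment: the userland ACL tools.
command -v setfacl >/dev/null 2>&1 || echo "ACL tools (setfacl/getfacl) not installed"
```

On newer kernels some filesystems (ext4, for one) turn ACLs on by default, so a missing acl option in /proc/mounts is not conclusive there.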