Slashdot Mirror


Windows to Linux Migration in the Enterprise?

youngerpants asks: "There is a lot of talk at the moment about migrating applications from WIN32 to Linux. This certainly helps move the OSS movement along, however, the true test of Linux is in the enterprise. Whereas we can move applications, how can the enterprise itself (such as Active Directory to Open LDAP, Exchange Server to Sendmail and NTFS to Samba) be moved? Have Slashdot readers used any applications or followed any strategies to migrate their enterprise? How would you tackle an obviously risky migration?"

28 of 92 comments

  1. Open source procedure by Adi · · Score: 2, Funny

    1. Move from Windows to Linux.
    2. ???
    3. Profit! :)

    --
    Free your mind! ...and your computer. See http://www.debian.org/
    1. Re:Open source procedure by naros · · Score: 2, Insightful

      Realistically this just doesn't work because the overall best integrated system is still Windows. Linux may be cheaper on a per seat basis but when you consider how many people are required to keep the systems running it becomes less and less clear that Linux is the way to go.

      --
      Benjamin Arai http://www.benjaminarai.com
    2. Re:Open source procedure by shadowmas · · Score: 2, Insightful

      I can't agree with you on this one. At worst Linux would require the same amount of people required to run Windows system. It also helps that Linux is much better at being remotely administrated (SSH/Commandline is much more efficient than Terminal Services). Only reason I can think of Linux requiring more people is because the admins aren't properly trained.

  2. Wrong examples by passthecrackpipe · · Score: 5, Insightful

    "Active Directory to Open LDAP, Exchange Server to Sendmail and NTFS to Samba"

    I understand the gist of your question, although I don't think you understand it yourself. None of your examples actually discuss the one thing the enterprise is interested in: "Functional Parity"

    AD to OpenLDAP doesn't go, because OpenLDAP is just a directory protocol -- I wish people would start to understand that. There is no directly usable management interface, no business logic, no nothing. It is just a protocol....

    Comparing Exchange Server and Sendmail earns you a good thwapping over the head in my team -- maybe Exchange Server vs. Open-Exchange, but again you are comparing the wrong things. Finally, go stand in the corner for comparing NTFS with Samba.

    I usually don't complain about Ask Slashdot type stuff, but this takes the cake. Go learn something about IT before you ask stupid questions.

    --
    People who think they know everything are a great annoyance to those of us who do.
    1. Re:Wrong examples by passthecrackpipe · · Score: 2, Insightful
      Oh, and to answer the real questions:
      1. Active Directory to Novell eDirectory, although that doesn't really give you much. No real Open Source functional alternative.
      2. Exchange server to Open-Xchange
      3. NTFS to perhaps XFS or Reiser, or OpenAFS, although OpenAFS is really lots better, and has tons more functionality
      Have a lot of Fun!
      --
      People who think they know everything are a great annoyance to those of us who do.
    2. Re:Wrong examples by passthecrackpipe · · Score: 4, Insightful

      I did actually provide examples.

      As for "chilling a little", I met a customer last week, who simply did not want to talk open source, because some clueless critter of an "IR Consultant" came in some time ago shouting something similar. "Get rid of all your Microsoft products! They are EVIL!" now, this customer is a relaxed dude, so went like "okay, but I replace it with what?" and something similar to the above list came up. For most people that list is simply unacceptable -- they don't *care* what they run, as long as it works. So someone coming around that can't even tell the difference between Exchange and Sendmail, and states "rip out all your groupware, calendaring, forums, imap, mail, pop, webmail, and some CRM functionality, and instead I give you Sendmail....it's FREE!" does not really impress.

      Customer now thinks Open Source people are clueless freaks, and any mention of this stuff is taboo. I see this *all the time* and it really gets me upset.

      Getting the revolution because you downloaded OpenOffice.org and found Slashdot is one thing, making the whole community look bad is another....

      --
      People who think they know everything are a great annoyance to those of us who do.
    3. Re:Wrong examples by Noksagt · · Score: 2, Interesting
      > AD to OpenLDAP doesn't go, because OpenLDAP is just a directory protocol -- I wish people would start to understand that. There is no directly usable management interface, no business logic, no nothing. It is just a protocol....

      Active Directory's primary feature is that it is an LDAP implementation. Also, OpenLDAP is an open source implementation of LDAP--not the protocol itself. The combination of OpenLDAP and SAMBA can deliver a lot of the backend functionality of Active Directory, but you are correct that they aren't a 1:1 replacement. Of all the examples of transitioning that he gave in the post, this was the most accurate & he probably shouldn't be jumped on it because of this. I agree that the "NTFS to Samba" thing was quite ridiculous & is probably what motivated your post.
    4. Re:Wrong examples by passthecrackpipe · · Score: 3, Interesting

      Yeah, well, the NTFS to Samba thing was the final straw, although I hear the AD to OpenLDAP thing all the time, and it pisses me right off. I do Enterprise Open Source Deployments for a living - primarily desktop and infrastructure (directory, groupware and file and print, heyhey, exactly his list!) and nothing is uglier to an AD administrator than the mess that is the Kerberos/OpenLDAP/Samba mudheap that sort-of delivers something sort of similar, but really doesn't. Even the IDEALX stuff linked to elsewhere doesn't really make the grade. For all its warts, AD is actually pretty admin friendly, and what is more, many organisations have spent lots of money to get to AD in the first place. That is why my company specialises in integrating Linux infrastructures with existing AD and/or Novell eDirectory. (integrating Linux with AD actually works pretty well...)

      --
      People who think they know everything are a great annoyance to those of us who do.
    5. Re:Wrong examples by toddbu · · Score: 2, Interesting
      Man, I'm glad my doctor doesn't think like you. When I go to the doc, I tell him "Doc, my chest hurts". Now if I have a lung infection, would it be appropriate for my doctor to then tell me that I'm an idiot because I don't know the difference between my chest and lungs, and send me away with a harsh comment and a kick in the ass? What if I complained about a numb arm but I was really having a heart attack?

      I get tired of reading crap like this from folks who "know better" than everyone else. I highly doubt that you were born with the knowledge between NTFS and Samba, which means that you possess your knowledge only because someone else was kind enough to pass along their understanding to you. So why do you repay others' kindness to you by calling someone else "stupid"? Is stroking your own ego more important than helping someone else who wants to learn something new?

      --
      If you don't want crime to pay, let the government run it.
    6. Re:Wrong examples by Undertaker43017 · · Score: 4, Informative

      nssldap, pamldap and MS Services for Unix...

      Nssldap will have to be recompiled for schema mapping, since AD doesn't follow a standard LDAP schema. Last I checked FC2 and FC3 already had compiled nssldap this way, so no recompile was necessary.

      MS Services for Unix is needed to modify the AD schema and for a couple of added screens in the admin tools for AD, to allow Unix attributes to be added.

      If you want to be able to change passwords from *nix, you will need to set up SSL, since password changes can only occur over SSL in AD.

      Just google on "AD nssldap". I have had my office running this way for almost 4 years, with no problems.

    7. Re:Wrong examples by bloo9298 · · Score: 2, Interesting

      I would be interested to hear your opinion on the use of Kerberos in a UNIX environment. Personally, I am impressed by the way that MS have integrated Kerberos and made it relatively easy for application developers to use. The picture seems weaker in a UNIX environment, because few applications take advantage of Kerberos authentication (so people do not use Kerberos, so there is no incentive to add Kerberos support to applications, and so on). It is unfortunate. My question is, do you do anything interesting with Kerberos?

      And before a weenie jumps all over this post with "you can do this, and do that", yes, I know that Kerberos is sort of usable on UNIX. I am hoping that someone with a clue, such as the parent poster, will go into more detail about complex deployments with custom apps. To the parent poster: I have written Kerberized apps for both UNIX and Windows, used pam_krb, etc.

    8. Re:Wrong examples by Noksagt · · Score: 3, Informative

      I disagree that few *nix apps take advantage of Kerberos. Indeed, Samba and OpenLDAP, both mentioned here, do. OpenSSH, Cyrus IMAP, Netatalk, fetchmail, and many popular others do too. But you are right that it is far from universally implemented & many now choose to just run most traffic over SSL instead.

      My two cents on what you didn't ask about: I, like you, am impressed that you basically get kerb for free for most traffic from a windows server. However, I hate MS for the way they did this. They use non-standard, undocumented features that prevent non-MS systems from actually being interoperable with them. Even the MIT Kerberos team has accused them of trying to embrace & extinguish. I suspect that some (though certainly not all) of the lack of Kerberos on *NIX has to do with this.

    9. Re:Wrong examples by Stinking+Pig · · Score: 2, Informative

      "Active Directory's primary feature is that it is an LDAP implementation"

      BZZT... primary feature is a trio of functions, the AAA as it used to be called in Cisco materials: authentication, authorization, and access.

      Authentication: Who is this? Do the username, password, and optional crypto token match?

      Authorization: What resources are you allowed to use?

      Access: Is the authorization for this resource still valid?

      If you just want a directory, OpenLDAP is great. If you want an AD replacement, you need OpenLDAP, Kerberos, PAM, and Samba.

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
    10. Re:Wrong examples by passthecrackpipe · · Score: 2, Insightful

      The only really interesting thing with Kerberos that we deploy with some success (and specifically use Kerberos for) is OpenAFS. For the rest, we don't bother, unless there is a path of very little resistance. Unfortunately, most of the time it is a case of too much effort for too little payback.

      MS not only made it easy for appdev's to use Kerberos (I am personally not really bothered about appdev comfort, caring more for end-user experience), they made it transparent to the end-user i.e. the user will *never* have to deal with tickets, tokens, and any other form of virtual identity currency. Shift to *nix, and you all of a sudden have to be a rocket scientist just to get at your files. It is a real pity, and we can collectively learn something from how MS have cracked the Kerberos thing. Us, we find ways to route around the problem, and don't use Kerberos....

      --
      People who think they know everything are a great annoyance to those of us who do.
  3. Start Small - Start New by vmcto · · Score: 5, Insightful

    Very small...

    Individual Pockets -> Workgroup -> Departmental -> Enterprise

    As much as I love open source and think it provides tremendous value to organizations, I have to realistically evaluate any large migration and observe two obvious points:

    1) It's different. There will be people who will not want to see it succeed. You will need to PROVE that the functionality provided is SUPERIOR and that the cost of migrating is overcome by the reduced ongoing TCO.

    2) Is your organization ready to provide the level of support it has become accustomed to? Are you a MS Enterprise or Select customer? You need to prepare for the fact that to some extent the warm fuzzy blanket of misleading comfort is being pulled away from the organization.


    I would NOT begin by migrating something. I would begin by looking for a new unit, group, or area of the business. New is much easier to accomplish than migrate.

    Finally, if you are a hardcore MS shop, the financial pitch to MGT can be the leverage that doing something small can provide in price / service negotiations.

    1. Re:Start Small - Start New by Anonymous Coward · · Score: 2, Insightful

      I would think that convincing a manager of a new business unit to add one more risk would be a tough sell unless you can show them some big advantage.

      The easiest migration to sell within a big company these days is probably browser choice. IE -> Firefox has a lot of momentum. Hardest is probably entrenched Exchange/Outlaw email software. Although Evolution is a pretty good client for compatibility.

      Middleware and infrastructure stuff, like the web server, you just need to convince a small group of IT types. They're more likely to make decisions based on $$ rather than personal opinion (tho not in all cases). If they save $20K/yr in licensing, then they're willing to spend $5K in migrating, as long as they feel safe doing so. Saving the company money while adding security looks good on your review. Taking down the website for a week does not.

  4. Migration is never easy ... by GNUALMAFUERTE · · Score: 5, Insightful

    Nowadays, with all this "Get the facts" FUD, the Free Software community reacts trying to show that it's not true that migration is a nightmare, and that it's not true that it costs money. The truth is, Migration from ANY system to ANY other system, is a nightmare, and it does cost money.

    The point we should make clear is: Migrating from Windows to Unix Is a good decision (I Say Unix to make clear that I'm not talking about Freedom or ethical or monetary issues, just about the technical stuff) and it will make things just easier and safer in the long run. Technically, there is no possible discussion.

    About non-technical stuff: Microsoft insists in their "get the facts" bullshit that if you use Windows you can hire incompetent sysadmins, and with Unix, you can't. It's just not a good idea to hire incompetent people. Hire a good sysadmin, and pay him well, what do you prefer, to pay thousands to a big monopoly for the right to copy, or pay a worker for actual honest work??

    ALMAFUERTE

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  5. Windows to Linux Migration Guide by Anonymous Coward · · Score: 3, Informative

    Check out this link.

  6. Advice from someone who has done it. by Noksagt · · Score: 5, Informative
    I have migrated to FreeBSD/Linux backed servers. The first key is to do it incrementally--migrate piece-by-piece.

    > (such as Active Directory to Open LDAP,

    LDAP is so useful, that you might as well start here. Remember that LDAP is a multipurpose directory. If you want to replace AD authentication and a windows PDC, IDEALX has written some nice perl scripts and a tutorial on how to do this with OpenLDAP and Samba.

    > Exchange Server to Sendmail

    If you want to replace Exchange Server, use Openexchange. If you want to replace only your MTA, consider using postfix. On the server end, this isn't a ton of work. But you will likely have to change the way clients are connecting to your server & also what they can do with it. Sendmail/postfix will probably not be enough for you...

    > and NTFS to Samba)

    NTFS is a local file system. Samba is an open source SMB server/client. Big difference. See IDEALX for good Samba deployment.
  7. do it step by step by Pegasus · · Score: 5, Insightful

    If you want to do it all-in-one over-the-night type push, you're very likely to fail. Or at least your users will kill you.
    Also, you may (or may not) hit many little annoying details that would make you believe m$ fud more and more.

    I've been through two migrations now and what I learned is this: go easy, keep the existing systems in place for their foreseeable lifetime (don't fix if it's not broken approach), implement OSS stuff only for new services and gradually replace old systems with newer, running OSS. In a timeframe of 2-5 years or so.

  8. For these, you don't by j-turkey · · Score: 2, Insightful

    Sadly, Linux just isn't there yet when it comes to enterprise IT. Unless you're rolling your own core business applications, you're pretty much stuck with Windows. Want to run an integrated payroll/HRIS system from a shrinkwrapped package? No luck with Linux.

    Further, IMO, while Suse's OpenExchange appears to be a compelling package (which I'd love to deploy in lieu of Exchange Server), I've had a very difficult time finding a local 3rd party vendor to support it.

    The point of my post is not to denigrate Linux. I am generally a Linux advocate, and will still deploy it wherever it is practical (practical being the operant word here). The issue, however, is that much of these services are inside of niche markets where it doesn't make sense for the vendor to develop Linux support. Others are very bleeding edge and not commercially supported. If you don't have a very large IT department to support the services that you want to run, they're nearly useless -- that is, unless you've got gobs of free time on your hands.

    OTOH; if you're rolling a custom app (and thus already have the staff you need), need a webserver, or a database backend, Linux may be an excellent choice. One way to look into it is to find out how Linux is most widely deployed and supported as a solution (ie web servers, database backends, etc). If you go the other way, choosing whatever solution you find that's "out there", you may find yourself in a heap of trouble -- looking for a new job. I suppose that this applies to all software, commercial or otherwise. Always ensure that you can support it...but it's something that one has to be especially cautious about when getting into a bleeding edge F/OSS package that is new enough where there is either no commercial support, or inadequate support for your needs...and unfortunately, there are currently quite a few of these out there.

    --

    -Turkey

    1. Re:For these, you don't by ratboy666 · · Score: 2, Informative

      It's a Troll, and I'm happy with it!

      Seriously, the concept of "shrinkwrapped" software doesn't go with Enterprise -- a lot of customization and integration will need to be done. "QuickBooks" and its kin won't cut it. That's what I think of when "shrinkwrap" is mentioned. You are not going to find ADP software at your local computer store!

      Now, if you ARE talking enterprise accounting, the same number of solutions are going to be available on UNIX based platforms.

      As to Windows "Enterprise" use... Microsoft does claim Enterprise ready software, but I haven't yet seen the hardware it would run on. My (old) clients don't have it either. Maybe it's good, maybe not. I just don't know. That makes enterprise Windows the "risky" choice. Go buy an enterprise server from IBM or SUN; it works -- and both bundle hardware/software as a single stack. Microsoft doesn't, so you ALSO have the risk that the next version/patchset will render the server non-functional. (Yup, I can play the FUD game too!).

      That said, Microsoft does have some interesting groupware and directory services offerings.

      Anyway, thanks for the Troll endorsement -- it was, because I was feeling a mite impish.

      Ratboy.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
  9. Wow by Quattro+Vezina · · Score: 4, Funny

    Damn, the title of this article is just begging for someone to make a Star Trek joke, and no one's done so yet.

    Ah, Slashdotters genuinely surprise me sometimes...

    --
    I support the Center for Consumer Freedom
    1. Re:Wow by x00101010x · · Score: 3, Funny

      Scotty:
      She can'nah take much more'o this captain! Th' opensource drivers for the warp core containment controller card are only version 0.2.1 and the project hasn't seen an update for nearly a century! While the hardware is capable of running the engines at 110%, these incomplete kernel drivers can'nah hold her much longer than five minutes over 80%!

      Kirk:
      Bones! You've got Familiar Linux running on your tricorder, get online and see if you can find a patch for the warp core containment driver!

      Bones:
      Damnit Jim, I'm a doctor, not a kernel hacker.

      --
      DONT PANIC
  10. Re:Alot of talk, little real activity by chris_mahan · · Score: 3, Insightful

    >The only places that can really migrate to Linux en-masse are places like call-centers where computers are used for specific and rigid purposes.

    Yes. And when 50% of the company is on linux, then what?

    The key is to make your applications fully web-based and be os-agnostic. There are three main reasons companies even look to replace their existing systems:
    * Cost, short term and long term.
    * Increased functionality.
    * Effective staffing.

    Right now linux provides visible short-term cost. Also, it can provide some long-term cost saving but that's more fuzzy.

    On functionality, the gaming world will tell you going away from windows is a step back. I think you gain some and you lose some, so wash.

    Staffing: You need fewer people but you have to pay them more.
    My horrible analogy: 400 day laborers with pickaxes or 1 highly paid driver in a Komatsu D575A-2SD.

    > The places that have successfully transitioned to Linux (federal labs, Burlington Coat Factory, City of Largo, small companies) were either established Unix shops already or started with small or completely disorganized IT organizations.

    Most companies have completely disorganized IT organizations, so that's actually good for future open-source adoption prospects :)

    --

    "Piter, too, is dead."

  11. No REALLY!! How can I get NTFS-like permissions? by clickster · · Score: 3, Insightful

    I've always been curious about this. I love Linux, but one of the areas where I think it is sorely lacking is in file system permissions flexibility. For example, if I had a folder and wanted the following in Linux, how could I do it?

    MKTG group = rwx
    DEV group = r
    EXEC group = r
    ADVERT group = rx
    ADMINS group = rw

    Is there a way to do this in Linux? I have no idea. It has always been my understanding that I'm stuck with UGO and sticky bits for permissions. Is this entirely true or is there another way?

    --
    If you mod me down, I shall become less powerful than you could possibly imagine.
  12. Re:No REALLY!! How can I get NTFS-like permissions by j-turkey · · Score: 2, Informative
    > I've always been curious about this. I love Linux, but one of the areas where I think it is sorely lacking is in file system permissions flexibility.

    I'm hoping that one of the things that you love about Linux is its flexibility...most distributions can grow far beyond their packaging. :)

    I believe that you're looking for ACL support (Access Control Lists). Check this out. Also, just do a google search for Linux ACL's. There are lots of projects in development, and considering how long these have been worked on, there are probably some implementations which are quite mature. YMMV.

    --

    -Turkey

  13. It's really really really easy by lorcha · · Score: 2, Informative
    Here is a guide for POSIX ACLs in Gentoo. From there, you should be able to do it easily in any other distro (in case you are not a Gentoo user). Basically, you get to recompile the kernel if POSIX ACLs for your filesystem are not already compiled in and then you have to remount your filesystems with the acl flag enabled. For bonus points, you should also install your distro's ACL manipulation tools. ;)

    The HOWTO that I linked to has a more detailed explanation of how to do it.

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
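
The five-group permission table asked about above maps directly onto POSIX ACL group entries, which is what the two replies point to. The following Python model is an added example, not part of the original thread: it implements the access check documented in acl(5) for those groups and builds the matching `setfacl -m` entry list; the owner, the user names and the restrictive mask are constructed for illustration.

```python
# Added example: model of the POSIX.1e ACL access check documented in acl(5).
# Group names come from the question in the thread; everything else is constructed.
R, W, X = 4, 2, 1
FLAGS = (("r", R), ("w", W), ("x", X))

def bits(perm):
    """Convert 'rwx', 'r-x' or 'rx' into a permission bitmask."""
    return sum(bit for ch, bit in FLAGS if ch in perm)

def show(mask):
    """Convert a bitmask back into the 'r-x' form that setfacl/getfacl use."""
    return "".join(ch if mask & bit else "-" for ch, bit in FLAGS)

def make_acl(owner, owner_perm, group, group_perm, other_perm,
             named_groups, named_users=None, mask=None):
    acl = {
        "owner": owner, "user_obj": bits(owner_perm),
        "group": group, "group_obj": bits(group_perm),
        "other": bits(other_perm),
        "users": {u: bits(p) for u, p in (named_users or {}).items()},
        "groups": {g: bits(p) for g, p in named_groups.items()},
    }
    if mask is not None:
        acl["mask"] = bits(mask)
    else:
        # Default mask: union of the owning-group entry and all named entries.
        acl["mask"] = acl["group_obj"]
        for p in list(acl["users"].values()) + list(acl["groups"].values()):
            acl["mask"] |= p
    return acl

def allowed(acl, user, groups, want):
    """Evaluate a request in the order acl(5) gives: owner, named user, groups, other."""
    want = bits(want)
    if user == acl["owner"]:                      # owner entry is never masked
        return (acl["user_obj"] & want) == want
    if user in acl["users"]:
        return (acl["users"][user] & acl["mask"] & want) == want
    matching = [acl["groups"][g] for g in groups if g in acl["groups"]]
    if acl["group"] in groups:
        matching.append(acl["group_obj"])
    if matching:
        # One single matching entry must grant everything requested;
        # permissions from different group entries are NOT combined.
        return any((e & acl["mask"] & want) == want for e in matching)
    return (acl["other"] & want) == want

def setfacl_spec(named_groups):
    """Entry list for `setfacl -m <spec> <directory>`."""
    return ",".join(f"g:{g}:{show(bits(p))}" for g, p in named_groups.items())

# Permission table exactly as posted in the question.
REQUESTED = {"MKTG": "rwx", "DEV": "r", "EXEC": "r", "ADVERT": "rx", "ADMINS": "rw"}
# Constructed: directory owned by root:root, nothing for the owning group or others.
SHARE = make_acl("root", "rwx", "root", "---", "---", REQUESTED)

if __name__ == "__main__":
    print("setfacl -m", setfacl_spec(REQUESTED), "<directory>")
    for user, groups, want in [("alice", ["MKTG"], "rwx"),
                               ("bob", ["DEV"], "w"),
                               ("dave", ["ADVERT", "ADMINS"], "rx"),
                               ("dave", ["ADVERT", "ADMINS"], "rwx")]:
        verdict = "granted" if allowed(SHARE, user, groups, want) else "denied"
        print(f"{user} in {groups} requesting {want}: {verdict}")
```

A user who belongs to both ADVERT and ADMINS can read and execute, or read and write, but a single request for all three permissions is denied, which is worth testing when porting group-based permissions from another system.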