Where are the 'Modern' Directory Services?
MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"
Why not go the way of the market and just go with ADS?
the IronGhost
Sounds like you want Windows and Active Directory.
/me blinks
What about Netware and EDirectory? I hear they use open standards for Linux.
Google.com -- let your fingers do the walking
I believe SUSE Enterprise Server (and SUSE Open Exchange server too) has a yast module to setup LDAP easily.
I might be wrong though - I'm still waiting for my copy...
sigaar
The YourOwn (tm) Linux distribution is based on OpenLDAP and all the other out-of-the-box features you're looking for.
It can be downloaded from YourOwnBox.org.
Solaris automounts my home directory just fine. Just point the machine to the NIS domain and it works
What, reading 50 different howtos with half-assed conflicting information isn't good enough for you? Surely this is blasphemy against the community.
You're one of the luckiest people in the world, an OS X admin, and you want to push Linux?
It has to be mentioned. There will be a 100+ open source solutions proposed but none will come close to either of the two.
I know this is a different issue, but why push for Linux if you're already using OS X at work?
You didn't ask for open source.
:)
Novell eDirectory has been available for many years running on Linux (as well as other platforms). Novell now own SUSE so I'd expect closer and tighter integration moving forward.
Take a look at some of the new integrations coming in Novell Open Enterprise Server built on SLES 9 server.
Disclaimer - I'm a Novell person
Evil ZEN Scientist
.. you would know your directory is Right There already.
One OSX Server, 100 OSX client boxes, easy propagation of profiles, shared applications, personal file folders..
Honestly, I'm not sure what you're talking about.
"Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification?"
It takes 3 shell commands and inserting your favorite validation server to hook up an OS X client to an AD server, SMB shares included (not DFS though, as far as I know)
What is within Yast is an OpenLDAP Client component.
If you are setting up an OpenLDAP server, you still need to do everything 'by hand' in order to get it setup and running. I have only started looking into this myself and I have to say that it isn't something you can just fire up and get running in just a few minutes.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Of course this is a critical problem! If you want people to "switch" to Linux, then the new OS (that's Linux) needs to be able to talk to the old (their old WIN98 machine in the basement, their pocket PC, etc...). It also has to be easy enough for a highly trained monkey to install. If Linux can't do it with a basic install, the masses will NEVER come around. That's just reality, folks.
I work for an IT environment at a Canadian University and for a Single Sign On solution we use Linux servers/clients (Debian, but it really doesn't matter which you use) which use the pam_mount module to mount a user's Windows Samba share to /home/$username/$folder_name, and we also use a login script which copies any settings (.dot files) back and forth between the Samba share and the local filesystem, as SMB does not by default work for home directories since it does not support all of the Unix filesystem standards... CIFS was a push in the right direction to change that but wasn't ready for prime time last time I checked. For authentication we use Kerberos against the Windows ADS, but any LDAP or similar PAM module should work for you.
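The login-script half of the setup above (copying dotfiles between a pam_mount-mounted Samba share and the local filesystem) as an added example; this is not code from the poster's site. It copies top-level dotfiles and dot-directories from one directory to another, skips symlinks, and leaves an exclusion list of names that should never land on a share that cannot keep POSIX modes. The EXCLUDE list and the share-profile paths in the comments are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the login/logout copy step for dotfiles
# when the user's SMB share is mounted by pam_mount and cannot hold POSIX
# modes or symlinks. Copies top-level dotfiles and dot-directories from SRC
# to DST. EXCLUDE is an assumed site policy: key material stays off the share
# because the share cannot keep it mode 0600.
EXCLUDE=".ssh .gnupg .cache"

# sync_dotfiles SRC DST: prints the number of entries copied, returns 1 on
# bad arguments. Symlinks are skipped so that a link planted on the share
# cannot redirect the copy outside DST; existing targets are replaced.
sync_dotfiles() {
    src="$1"; dst="$2"; count=0
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then return 1; fi
    for path in "$src"/.[!.]* "$src"/..?*; do
        # an unmatched glob stays literal: skip it (dangling links too)
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then continue; fi
        if [ -L "$path" ]; then continue; fi
        name=${path##*/}
        skip=0
        for ex in $EXCLUDE; do
            if [ "$name" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        rm -rf "$dst/$name"
        cp -pR "$path" "$dst/$name"   # -p keeps modes/times where DST can
        count=$((count + 1))
    done
    echo "$count"
}

# Hypothetical hook usage with the share mounted under the local home:
#   sync_dotfiles "$HOME/share-profile" "$HOME"   # pull at login
#   sync_dotfiles "$HOME" "$HOME/share-profile"   # push at logout
if [ "$#" -eq 2 ]; then
    sync_dotfiles "$1" "$2"
fi
```

Because the share directory is not itself a dotfile, pushing from the local home never recurses into it. Anything in EXCLUDE has to be provisioned on the local filesystem by other means.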
There's this company called Novell that has this product called, variously, "NetWare Directory Services", "Novell Directory Services", "eDirectory", and "Nsure/exteNd/Nterprise/Ngage".
Okay, so maybe their marketing department has sucked big donkey dongs for like the last ten years and that's why you've never heard of them.
But rumor has it they purchased this outfit called SuSE, and that all their stuff has been ported to the Linux kernel, and they also purchased this other outfit, called Ximian, so that all their stuff would play nice with .NET, and...
Well, you get the picture.
Doesn't OS X server include OpenLDAP with some fancy GUI wrappers (packaged as OpenDirectory)?
What are the features that you are looking for that you can't get with OS X Server?
LDAP, Kerberos, Samba and all the things that come with that are critical to Linux's survival now. Linux will either live or die on its ability to use LDAP, Kerberos, SSL and Samba.
LDAP is Linux's ultimate ability that permeates everything Linux can do and makes the many pieces of Linux whole. Only the greatest of Linux users can use LDAP.
The thing is, it's too damn hard, too damn difficult, and there is not enough documentation and configuration tools for LDAP out there. I've spent three years on LDAP - I know.
LDAP/Samba/Kerberos on Suse works real well out of the box in the latest Suse Server offerings. I don't play with many distros so I can't recommend it against others.
But for professional use on networks of any real size, I really try to push my customers to NDS. Say what you want about Novell, but I have yet to find a better DS than Novell's.
Kerberize is a term that Apple coined if I ever heard one.
Suse will hold your hand through the whole process of setting up and authenticating to OpenLDAP and integrating with Samba. You still need to know what you're doing, and you'll probably want to tweak a thing or two, but Suse makes it nice and friendly. You need the enterprise version (which you pretty much need to pay for) to setup the server, that's the only real catch.
So why not use it? It's a full featured directory service based on OpenLDAP with Kerberized AFP and SMB built in, so why use a Linux server and "roll your own" with everything, and do all the extra work?
I have to be missing something here.
Just wondering, ya know.
the latest SuSE Professional
StreetTalk > AD or NDS (and arrived many years earlier)
Another example of how having a superior product won't make you successful in the long run if you don't know how to market it.
BITD there was talk of Microsoft buying Banyan for StreetTalk instead of developing AD, but was told by their lawyers that it wouldn't pass antitrust muster (at the time Banyan still had like 15% of the market)
Yes, having a setup for LDAP with SAMBA tied in would be a plus, but you have to consider why it hasn't happened yet.
Only fairly large shops NEED that and they only need to set it up once. The existing howtos appear to be addressing that need well enough that it has not become a big enough itch for anyone to scratch. Again, because once you know enough about it to write the wizards to make setting it all up easy, you have your site done and will probably never need to do it again. So until a distro vendor sees it as a big enough selling feature to undertake the work I doubt it will happen.
I recently set up a *nix server to act as a Windows PDC for our small workgroup. It wasn't that difficult, particularly with the scripts and how-to from IDEALX. Any distro with sane, centrally-managed package management will be equally easy. By this, I mean apt or portage or even the *BSDs. I wouldn't undertake this with an RPM distro, unless I had plenty of support.
I don't yet run Kerberos, as I wouldn't gain much from it. There aren't enough Kerberized apps & MS's approach to "embracing and extinguishing" Kerberos has left *nix implementations largely incompatible with MS's implementation. I run OpenLDAP solely over SSL. SMB traffic is limited to our intranet (basically one room) & we are a small shop, so Kerberos isn't a priority. We will later add it.
Home directories are all on the server. Samba is configured to allow windows to mount them & windows is configured to use them as the "My Documents" directories.
I have setup Kerberised SAMBA, OpenLDAP, and SSH at my previous employer. It isn't difficult.
Novell's eDirectory is nice if your ethics & wallet can afford it. OS X also has a decent implementation.
The "modern" approach is to do something OTHER than SMB, but that requires a MS-free zone.
"Joining the Active Directory with OS X.3 Client" - http://www.infodiv.unimelb.edu.au/lansg/osx/os-x3-ad.html
I have nothing to add to the article.
Mac OS X Server 10.3 includes a nice LDAPv3 directory server. You can even make it a Windows PDC for single signon across platforms, if you have a mixture of PCs and Macs.
Also, it must be mentioned in the other direction that the standard desktop Mac OS X also supports authenticating via ActiveDirectory.
Overall, it has never been a better time for LDAPv3.
I mount NFS home directories with automount on Red Hat 9.
/etc/auto.master, or NIS to get the auto.master. No biggy -- isn't updating /etc/auto.master easy enough (assuming you don't push it with NIS)?
So, I push an auto.master using NIS. Works peachy. I've never tried it -- but I think that using an SMB share as a home directory would be as simple as changing the automount specification? This doesn't work?
As to NIS: its what I use, and RH9 is happy with it.
However, RH9 does offer "NIS", "LDAP", "Kerberos 5", "SMB" authentication schemes on installation.
Note that autofs uses
What are you trying to do?
Ratboy
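The "change the automount specification" idea from the post above, worked through as an added example (not the poster's configuration): an executable autofs map that hands out one CIFS home directory per user, with the username validated before it is spliced into the mount entry and the share password kept in a root-only credentials file rather than on the mount command line. The host name FILESERVER and the directory CRED_DIR are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: an executable autofs map that hands out
# one CIFS home directory per user. autofs runs a program map with the lookup
# key (the username) as $1 and reads one map entry from stdout.
# Wire it up in /etc/auto.master as:   /home  /etc/auto.home  --timeout=120
# and install this file as /etc/auto.home, mode 0755.
# FILESERVER and CRED_DIR are assumed site values, not from the thread.

FILESERVER="${FILESERVER:-fileserver.example.invalid}"
CRED_DIR="${CRED_DIR:-/etc/cifs-creds}"

# Print the map entry for one username on stdout.
# Returns 1 (printing nothing) for keys that are not plain usernames: the key
# is user-influenced input and must not be able to smuggle extra mount
# options or path components into the entry.
automount_home_entry() {
    user="$1"
    case "$user" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    # Resolve ownership from the passwd database (NIS/LDAP via NSS) so the
    # mounted files appear owned by the user logging in.
    uid=$(id -u "$user" 2>/dev/null) || return 1
    gid=$(id -g "$user" 2>/dev/null) || return 1
    # credentials=<file> keeps the password out of the command line and the
    # process list; each file must be root-owned, mode 0600.
    printf -- '-fstype=cifs,credentials=%s/%s,uid=%s,gid=%s,file_mode=0600,dir_mode=0700 ://%s/homes/%s\n' \
        "$CRED_DIR" "$user" "$uid" "$gid" "$FILESERVER" "$user"
}

# autofs entry point: the key is the only argument.
if [ -n "${1:-}" ]; then
    automount_home_entry "$1" || exit 1
fi
```

A per-user credentials file means the client still holds a reusable password for every user who has logged in; a Kerberos-authenticated mount (the `sec=krb5` CIFS option) avoids that, which is the direction several posters in this thread are pushing.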
Actually if you are a software developer you can work with Novell and bundle up to 250k seats of eDirectory 'free/beer' with your product.
:)
So the directory side of things is not 'pay-at-the-door'
Usual disclaimers.
Evil ZEN Scientist
I agree to a large extent with the issue regarding documentation, etc.
But OpenLDAP is improving. I am still not happy with it, but it is designed more to be a good toolkit for building a directory services architecture than to be such an architecture itself.
This being said, it should not be that hard to set up Linux to do these things.
ISODE-8.0, a complete and BSD-licensed X.500 server, has been available since 1992.
(available at http://opendce.hands.com)
except of course nobody _noticed_ because in 1992, things like free software didn't really exist.
and, of course, X.500 was "far too complicated".
now, of course, everyone is whining that "oo, wouldn't it be nice if only LDAP could do X" and if you look at X.500 you find it _can_ do X.
repeat for any value of X...
you also might want to look at XAD.
which isn't free, because it's based on FreeDCE, which is BSD-licensed, and therefore it's not a requirement for the source code to be made available.
but it utilises and brings together all of the pieces of the puzzle that you're looking for, in a way that no free software project yet does...
The venerable 4.4BSD automounter (am-utils) is nice for auto-mounting nfs. nis isn't ideal but works, and can do much more than just throw passwd around. In fact, I'd not use it for the passwd stuff, but just announce amd maps with it.
samba is quite useful, even if I still have to look at its new 3.* features. LDAP is somehow the obvious directory choice, even if it is clearly not ideal. Maybe that is because all others are even less-than-ideal, or just not open and/or sane enough. RADIUS is often only used by (I)SPs and the like, but could be used in the local network, too. And of course there's kerberos.
The only real problem is lack of vision (because there's so many ways to do it, and every company needs something different, maybe?) and, as already remarked, the combination of all the HOWTOs into something more closely knit together.
But the parts are all there, no doubt about that. So far it's only been the commercial sector that's been doing the integration and/or building their own solution.
Apple has integrated OpenLDAP and Samba very tightly. They have also separated out the authentication information from LDAP into a separate Password Server (essentially a SASL repository). Kerberos is also set up so that the passwords sync to Kerberos too for kerberized apps.
Here's what I think we need as far as enterprise linux directory services go:
1. Standardize on a SASL repository with hooks into Kerberos for maintaining and authenticating all passwords (md5, NT hashes, sendmail auth mechanisms)
2. Tightly integrate OpenLDAP into SASL so that all binds (plain or native SASL) use the sasl repository directly. Come up with a password changing mechanism (either through pam, an LDAP mechanism, or some API) that will change passwords in the SASL repository when ldap clients request it.
3. integrate Samba into SASL to get hashes from there instead of storing them in LDAP. Samba also tied to LDAP to get samba attributes such as homeDirectory, etc.
4. Provide an API (perhaps PAM-based?) that allows clients a mechanism to transparently access LDAP, Samba, and the SASL database. Keeps everything in sync. Also makes possible things like running custom scripts and creating remote home directories when accounts are created.
What I have described is pretty much Apple's OpenDirectory. I'd love to see something similar on Linux. We currently have many of the pieces but they have to be hacked together.
I've looked into porting the components to Linux, but I find they have a lot of Mach hooks and parts of it are proprietary. Anyway. This is a start. There's much more to an enterprise directory service than just a directory.
Michael
I've a similar question myself: Is there a Linux distro which, upon installation, aids in the setup of a Directory Services server, a network filesystem for storing user data (possibly including $HOME directories) and installation of client workstations which use those services?
...
I'm talking of the same installation disks, but at the very onset, instead of just asking (or perhaps more than just asking) if I want a Desktop, Server or Workstation install, it includes sub-options like:
Server:
[] Directory Services Server
[] Network File Server
[] User $HOME directory (or some other friendly name)
[] Print Services Server
Workstation:
In other words, the very things one would need and in the order one would install for a small- to medium-sized enterprise.
http://www.djack.com.pl/Suse9hlp/ch21s08.html
See 21.8.5. LDAP Server Configuration with YaST
Check out http://bkbox.com/ It integrates OpenLDAP, Kerberos, OpenAFS, Apache, and WebDAV.
We for one are working on an Open Source offering at server and workstation levels based on our ideas of Goal Driven Computing within the corporation. I for one would enthusiastically welcome a thorough listing of those things you believe should come in the box.
Everybody else has addressed most of the issues.
I only want to throw out one additional item. Why use SMB for the remote shares? Why not use shfs (think ssh for NFS). http://shfs.sourceforge.net/
This was asked (actually a subset) at a LinuxWorld BOF this week. There seemed to be a lot of knowledgeable folk there, and the answer was... a lot of glazed stares. One guy said he'd been around the floor all day asking this query and found no real solution. Unfortunately Linux is still for Hax0rs.
XAD brings together OpenLDAP, Kerberos, and other open source software to provide single sign-on across Linux, UNIX and Windows.
Actually I read your posts and your journal.
It's just that I don't take Slashdot that seriously either.
I've been testing it on RHEL ES 3 for a couple of weeks now and so far no complaints. Never thought I would say this but....... thanks Novell!
Excellent documentation too.
It has been mentioned in above posts, but you need to seriously check their stuff out. eDirectory is over a decade old (read mature) and multi-platform (Windows, Netware, Linux at the server level and pretty much everything at the client level). It has implemented LDAP access almost since Netscape creamed their pants over it (8 years ago?).
My company has Macs authenticating to Netware/eDirectory today and for the past 1-2 years using LDAP. We have bidirectional synchronisation with MS Active Directory using DirXML and there are other connectors available for things like SAP and Oracle etc. Or write your own - the API is there and available for your viewing pleasure.
Last week I installed the beta OES using the linux option (aka SLES 9) on a test server and things are looking fantastic for a beta. All of the great Novell stuff is there such as NSS (the hierarchical and very granular trustee rights being the main seller over other file-systems), eDirectory, web-based management and monitoring, all running on a late model Linux kernel.
Trust me. OES is going to be a kick-arse server OS and will definitely kill off Netware (the NLM kernel) and hammer Windows Server. Once the Linux option gets tier-1 vendor support from the likes of hardware and backup software suppliers, of course.
Apologies for sounding like a Novell fanboy. But I can't help my enthusiasm for where this is heading.
The XAD identity server from PADL provides single sign-on across Windows, Linux and UNIX. It is based on OpenLDAP and Heimdal Kerberos.
WTF are you talking about?
Maybe mod this "funny"? HAHAH
C'mon, OpenLDAP is not that hard. We went from flatfile distribution to LDAP in about two months with only me working on it. There are migration scripts and hints all over the place. Linux and Mac OS X both draw from it, so far. 197 machines so far. It (LDAP) is extensible and easy to program for, and I'm integrating a whole bunch of other things into it (like kickstart files, last install dates?)
If you're going to use a directory service, you should know what you're doing, and not be afraid of a little customization. If your directory-serving daemon dies or corrupts something, the easiest GUI tool in the world won't help. So many people have different setups and requirements, you couldn't have an out-of-the-box anything on Linux. You can have NFS/CIFS/AFS, LDAP/Kerberos+LDAP/NIS/FLAT setups - how could you turn those into a common out-of-the-box solution?
Microsoft uses both Kerberos and OpenLDAP for directory stuff - they just mask it with easy-to-use tools. If you know the schema a little bit, you can use something like LDAP Browser in Linux.
I'm setting up a new RHEL 4 server with OpenLDAP+Kerberos. From what it looks, Kerberos is easier to administer than OpenLDAP (made a framework in a few minutes) - I'm pretty hopeful.
Since RHEL supports NFSv4, we should be moving to that soon (Fedora desktops) - not going to hold my breath for Mac OS X to catch up, though.
...before I can start pushing Linux as an alternative at work I'll need a few things.
Let me get this straight. Before you can push Linux at work, it needs to have a whole bunch of stuff configured and turned on by default, or you'll have to go with a competing OS that does. Please tell me which competing OS has all this stuff configured and on by default?
I'm still waiting for the hover-cars we were promised in the 60's, let alone reliable directory services that have just started to be used!
I know at least Novell/SuSE out of the box nowadays allow LDAP auth configuration. Expect big things to come of Novell/SuSE in the future, but for now they have a good start.
Is there something wrong with the Open Directory solution already on all of those Mac OS X boxes you're supposed to be administering?
http://developer.apple.com/darwin/projects/opendirectory/
Works great, open source, what more do you want?
Freedows is a Brazilian distribution aiming at Windows interoperability. They are implementing it at Brazil's largest bank (Bank of Brazil) (+50k machines); the servers at the bank will remain Windows AD, while the clients will all be Linux
with *working out of the box* authentication/mounting of network shares for about ~150k of their users.
http://www.freedows.com/
Any linux or BSD will do this just fine. He wants to have it magically setup out of the box without him having to learn anything. Windows doesn't do this either, you still have to learn AD.
Active Directory is ldap + kerberos. How do you figure ldap + kerberos won't come close to that?
OpenLDAP, as an implementation of LDAP v3 right now, is lightyears beyond Active Directory in functional sophistication. It's not OpenLDAP that sucks.
It's the fact that configuration is too hard because the necessary interfaces aren't there. The only thing that comes close is "Directory Administrator"
OpenLDAP is a superb LDAP implementation from a technical standpoint. Far outpacing ADS. ADS just has ease of use, that OpenLDAP needs.
Linux needs OpenLDAP replacements for things like useradd, usermod, and passwd, or some way of modularizing them.
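What an LDAP-backed useradd boils down to, as an added example that is not from this post or any of the tools mentioned in the thread: pick the next free uidNumber, emit a posixAccount entry as LDIF, load it with the OpenLDAP client tools, then set the password through the server. The LDAP URI, base DN, bind DN and password file are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal LDAP-backed useradd built on
# the OpenLDAP client tools (ldapsearch, ldapadd, ldappasswd).
# LDAP_URI, BASE_DN, BIND_DN and BIND_PW_FILE are assumed site values.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.invalid}"
BASE_DN="${BASE_DN:-dc=example,dc=invalid}"
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=invalid}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap.secret}"   # root-owned, mode 0600

# Read uidNumbers (one per line) on stdin and print the next free one,
# never below the floor reserved for directory-managed accounts.
next_uid() {
    floor=10000
    max=$(sort -n | tail -n 1)
    if [ -z "$max" ] || [ "$max" -lt "$floor" ]; then
        echo "$floor"
    else
        echo $((max + 1))
    fi
}

# ldap_user_ldif NAME UID GID BASE_DN: emit the LDIF for a posixAccount.
# Rejects names that are not plain usernames, because the name is spliced
# into the DN and into attribute values.
ldap_user_ldif() {
    name="$1" uidn="$2" gidn="$3" base="$4"
    case "$name" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    cat <<EOF
dn: uid=$name,ou=People,$base
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $name
cn: $name
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$name
loginShell: /bin/bash
EOF
}

# ldap_useradd NAME: allocate a uid from the directory, add the entry (with a
# user-private group id; the matching posixGroup entry is not shown), then
# let slapd hash the password instead of sending a client-made hash.
ldap_useradd() {
    name="$1"
    uidn=$(ldapsearch -x -ZZ -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
               -b "ou=People,$BASE_DN" '(objectClass=posixAccount)' uidNumber \
           | sed -n 's/^uidNumber: //p' | next_uid) || return 1
    ldap_user_ldif "$name" "$uidn" "$uidn" "$BASE_DN" \
        | ldapadd -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" || return 1
    ldappasswd -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -S \
        "uid=$name,ou=People,$BASE_DN"
}
```

`-ZZ` makes every operation fail unless StartTLS succeeds, so the admin bind password never crosses the wire in clear. The search-then-add uid allocation is racy when two admins add users at once; the Samba/IDEALX tools mentioned elsewhere in this thread solve this with a counter entry in the directory, which is the right fix for anything beyond one-admin shops.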
OK, a turnkey alternative to AD is highly desirable, but doesn't solve the whole puzzle.
What is needed is for OSS applications to be tightly integrated into this environment.
Microsoft's biggest selling point is integration of its applications with each other and AD. That's what enterprise customers want (and need) to hear, and are willing to spend $$$ on.
You mention automounting, SMB, etc. I didn't understand if you meant having a Linux server allow Windows clients to authenticate and mount against Linux. If you did, there's a handy piece of software that allows Windows clients to authenticate directly to LDAP. Amusing name, but nice product...pGina.. It also features plugins that allow for roaming profiles, etc.
The free seats have been on offer for years. They aren't going away anytime soon. Why? Strategy. Novell *wants* people to develop eDirectory applications and not be turned off by licence costs.
You should check out the Hurderos project. The goal of Hurderos is to create a framework for directory and authentication using open tools. In other words, an open-source equivalent of Active Directory and NDS.
Although the project is in its infancy, it has really good ideas for integrating identity management, authn, and authz.
http://www.hurderos.org
How can you say that?
I mean get real, OpenLDAP stores ACLs in configuration files
SJS Directory Server can provide integration with Active Directory, allowing your Windows and Unix networks to seamlessly interoperate. Furthermore, SJS Messaging Server and SJS Calendar Server provide complete Outlook/Exchange compatibility. Solaris provides complete LDAP integration as a client. And with Solaris 10's massively expanded hardware compatibility on x86/AMD64, it certainly makes a compelling alternative to Linux for those who are looking for better enterprise management. Solaris 10 also features binary compatibility with Linux through the Janus subsystem.
Ripper: Mandrake,
Mandrake: Yes, Jack?
Ripper: Have you ever seen a Hacker use a mouse ?
Mandrake: Well, no I... I can't say I have, Jack.
Ripper: Text. That's what they use, isn't it? Never GUIs?
Mandrake: Well I... I believe that's what they use, Jack. Yes.
Ripper: On no account will a hacker ever use a GUI, and not without
good reason.
Mandrake: Oh, ah, yes. I don't quite.. see what you're getting at, Jack.
Ripper: Text. That's what I'm getting at. Text. Mandrake, text is
the source of all life. Seven tenths of the internet is text.
Why, you realize that.. seventy percent of you is text.
Mandrake: Uhhh God...
Ripper: And as human beings, you and I need fresh, pure ASCII text to
replenish our precious configurations.
Mandrake: Yes. [chuckles nervously]
Ripper: You beginning to understand?
Mandrake: Yes. [chuckles. begins laughing/crying quietly]
Ripper: Mandrake. Mandrake, have you never wondered why I use only
C or shell, and only pure ASCII text?
Mandrake: Well it did occur to me, Jack, yes.
Ripper: Have you ever heard of a thing called orthogonalization?
Orthogonalization of configuration?
Mandrake: Ah, yes, I have heard of that, Jack. Yes.
Ripper: Well do you know what it is?
Mandrake: No. No, I don't know what it is. No.
Ripper: Do you realize that Directory Services is the most monstrously
conceived and dangerous pointy headed plot we have ever had to face?
Mandrake: [laughs] Jack, don't you think we'd be better off in some other
part of the board, away from all these flames?
Ripper: Ah, naah. We're ok here. Mandrake, do you realize that in addition
to orthogonalized configuration, why, there are studies underway
to orthogonalize processors, instruction sets, access control,
networks, printing, fonts, graphics, pr0n?
Pr0n! Mandrake. Joe Sixpack's pr0n?
Mandrake: Good Lord.
Ripper: You know when orthogonalization first began?
Mandrake: No. No, I don't, Jack. No.
Ripper: Nineteen hundred and Eighty-four. Nineteen Eighty-four, Mandrake.
How does that coincide with your monopolist conspiracy, huh?
It's incredibly obvious, isn't it? A foreign substance is
introduced into our precious processors without the knowledge
of the individual, and certainly without any choice. That's the
way your hard core monopolist works.
Mandrake: Jack... Jack, listen, tell me, ah... when did you first become,
well, develop this theory.
Ripper: Well, I ah, I I first became aware of it, Mandrake,
doing the business.
Mandrake: [sighs fearfully]
Ripper: Yes a profound sense of fatigue, a feeling of emptiness followed.
Luckily I was able to interpret these feelings correctly:
loss of essence.
Mandrake: Yes...
Ripper: I can assure you it has not recurred, Mandrake.
Users... users sense my power, and they seek the hacker essence.
I do not avoid users, Mandrake, but I do deny them my privileges.
Mandrake: Heh heh... yes.
[someone posts a 'new' story, moderation points have mostly been given out.
rate of posting drops]
Ripper: Boys must have surrendered.
Mandrake: It's the way it is. Heh heh. Now Jack, listen.
While there's still time, I beg you, let's do directory services.
Ripper: [struts over to an available chair, using machinegun as a
walking stick, kicking debris en route. sits.]
Those boys were like my children, Mandrake. Now they let me down.
Mandrake: No no, Jack. Not a bit of it. No, I'm sure they all gave you
their very best. And I'm equally sure they all died thinking of
you, every man jack of them, heh, Jack. Supposing a bit of config
has gone off, eh? And
So I sit here finishing up an install and upgrade.
FC3 out of the box will auth against ldap,nis,smb, and winbind.
It's not terribly difficult to setup all of this on your own.
I get the idea, it would be terribly nice to have it create and fill the local ldap server as well as sync system accounts to the local passwd file.
In the end, it's all rather trivial for a seasoned admin. The problem of setup is not so difficult. In fact, you can click over to samba.idealx.org and check out their howto as well as nab the samba idealx tools (to manage ldap/samba accounts). With that you will have samba + ldap + pdc...
Auth will work for both linux and samba logins and other linux systems that support ldap auth can be pointed to the server.
Now if you really don't want to do any work, over at source forge is an installer script that will configure everything.
Toss in the samba imc console and you have an all around manager.
Now, the act of just handing over things comes with one problem. The setup is fairly trivial (even without a box install), but if something breaks you will need to understand all the components to fix it. (Well maybe not all, but you get the idea)
All in all, it sounds like a worthwhile distribution or modification to an existing distribution. Still, no perfect installer will replace the necessary knowledge to fix problems when they occur.
Howabout 411?
...runs away
(Rimshot)
Apache is incubating a new unified directory service that promises to be the cat's meow.
He wants to have it magically setup out of the box without him having to learn anything. Windows doesn't do this either, you still have to learn AD.
Not with Windows Server 2003, we don't. We don't have to learn nuffin'! All dem wizards can get you set up with a complete, albeit poorly functioning and insecure, AD system within minutes. The learning comes from the error logs and debugging of erroneous AD behaviour. I was so glad to find the online help system was unfinished when I got into dire straits during install of services, and at the time technet had pretty much zero info on Server 2003.
You'd have been a lot more zealous. Come on, that wasn't enough effort! Give it some oomph!
this sounds like windows users whining about mountpoints. yeah, docs are lacking, but all the components are there, some twice over. just glue it all together with a little bash. done -- probably even with lower TCO.
CIFS is just MS marketing speak. Go read about Samba a bit more and the standard that they implement, but Microsoft does not (exactly) follow.
use centrify check out www.centrify.com -- integrate with microsoft Active directory.
Right now, at work I'm setting up a bunch of machines that dual-boot win98 (which is what the company owns for its OLD hardware) and debian.
/homes are on that. Clients automount their nfs homedirs.
I have to say that there are some kinks in the system still, and I may move from debian to FC3 because I can get binary non-free stuff that people really want (flash, realplayer...) in rpm for FC3 but not debian.
Since we have a windows domain set up and windows users who will still want to use the windows domain, I am just integrating into it. So I have a debian server that is a nis/nfs server. Users
There are also public smb shares on a win2k server that I mount w/pam_mount when a user logs in. They log in w/their windows accounts, and I authenticate w/pam and kerberos (pam_krb5.so). Then they also have duplicate account names on my one nis server (although they use kerberos w/windows pwords for authentication -- not nis).
I still haven't deployed the system, and I may switch from nfsv3 to nfsv4 and from using mount.smbfs to mount.cifs w/pam_mount. It all works except there's something screwed up w/the automounter on the clients (it works, but it doesn't shut down cleanly -- a bug somewhere). Anyway, if you wanted an all *nix environment you could use openldap and mit's kerberos in place of AD, but I use AD cuz the company already has it and cuz I'm not gonna just shut off all the windows stuff at once overnight.
Still happens. Job on Dice a couple weeks ago wanted "9+ years Active Directory experience" and "5+ years Exchange 2003."
I sent a message to the company about how this was impossible, and he was a real idiot back to me.
- It's not the Macs I hate. It's Digg users. -
I didn't spend 3 years, but more like 3 months, trying to (1) use linux as a regular AD client, (2) let apache users login into AD for authentication and (3) setup linux as a win2k AD server.
I failed in all 3, while I learned a lot about PAM, openldap, activedirectory and the likes.
Samba is huge simply because it bridges the gap between windows and linux in the enterprise. All the purists and kids who put down any interoperation between linux and win32, were themselves weaned off win32, by the use of X, KDE/GNOME, opengl video drivers, mozilla/netscape, mount.msdos and games like doom, quake2 etc.
We are waiting for the day we can replace all desktop OSes at work, so we wouldn't have to browse MS technet sites, and browse the knowledgebase for known bugs all day.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
I'm working on a RHEL4 machine that I setup to use LDAP during the install. It was very easy, all done through a simple GUI. Worked great.
sigs are a waste of space
Seeing as LDAP is one of the most god awful inventions ever thrust upon the computer industry, I can see why it's not a priority...
Where I work, I had a Microsoft admin come to me the other day and tell me of the WONDERFUL thing he just did by packaging all his desktop apps into a "push" type SMS2003 distribution package. He looked at me expecting me to say "HOLY SHIT! That's Cool". Imagine his surprise when I calmly told him I did the same thing with Novell Zenworks like 7 or more years ago. I also told him how microsoft AD is an unusable pile of dung compared to novell's NDS.
It's sad to see the world's youth so uneducated *tsk tsk tsk*
Sounds to me like you're asking for two separate things.
1) A Linux desktop distribution which can automount $HOME directories (from a central server?) on normal workstations with a fair amount of ease (in terms of configuration).
Answer: There's nothing that I know of that can do this "out of the box" so to speak, but it should be fairly trivial to do.
I'll make note that mounting a share on a Windows server to a Linux desktop seems to often result in the share mount dying - it's kind of messy without using automount, and I've not personally used automount much.
I can't speak for Kerberos auth itself, as I'm not too familiar with that element...
Other than that, though, it should be relatively trivial to set automount up to mount a samba share using credentials provided by OpenLDAP or what have you. As you can mount SMB shares via fstab, it's not really an issue to jump up one step and use automount. I am, of course, assuming you'll be making a single "desktop deployment" image and not doing the antiquated thing and manually configuring each machine - that would be just dumb.
2) A Linux server distribution with OpenLDAP + Samba + Kerberos set up, out of the box, so that all you'd have to do would be populate the OpenLDAP server with username/password combinations.
There's nothing that does this which I'm aware of. That's why a company should hire competent people; maybe that's partially why no distro has done it - it's hard, and the distro people don't want to piss off the competent admins by making their skillset "outdated". But that's just a guess.
Another guess is that it's simply not a widely deployed combination. The organization I work for now has (only) several thousand NetPCs deployed in the field, and it's just an NT4 domain login with LDAP on the backend. Groupwise is used on the client side to tie into LDAP directly.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Welcome to my foe list, you ass-holier-than-thou pussy. Now go fuck a pony.
Yeah, but... if I might be so bold (having been about 12 in 1992 and not being "into" computers) what the hell is it?
Red Hat Directory Server 7.1 will be released in a few months. It will be open source.
richm at stanfordalumni dot org
SuSE... which now became NLD - Novell Linux Desktop. Probably the best choice for corporate/enterprise linux.
I've been setting up RedHat boxes for years using authconfig. If you want the home directories automounted, guess what... use automount! It's amazing, really... the things that have been working and people just did not pay attention to them. Mind you, I'm not sure what the app is called these days, I've been using OS X on my desktop for a while now, and my last home network RH install was so long ago, I can't remember what it was then! lol
I guess my point is, it's there, just take a look at the documentation. It is there, in the handbook. You can get it at redhat.com easily.
Cheers!
Mind you, setting up an Authentication Server can be something else altogether... in that case, grab a copy of OS X Server... the Apple implementation of OpenLDAP is superb, used it several times.
I currently have two books on the subject of Open LDAP/Samba integration but have yet to get a working configuration. Thank you for sharing your knowledge. If I had mod points I would use them all.
Jeff Michels
macintosh apples are the devil.
However, for those who know little or nothing of X.500 and are just looking for simple directory services, this makes the LDAP documentation pretty much worthless or extremely annoying, depending on just how tenacious you are.
I don't mean to pick on the various LDAP projects. This kind of thing happens all over the place with free enterprise software.
Red Hat acquired the Netscape/iPlanet directory server (LDAP) code from AOL, along with the original team working on it (i.e. it's not open source and dump software). It's about 1.8 million lines of code, and RH is releasing it as free / open source software ASAP. Chris Blizzard of mozilla fame had a great presentation at the Fedora Conference (FUDcon ;-) today about their progress. Very cool stuff.
Blizzard wants to learn from Mozilla and not release the code until a standard build system (such as autoconf) is in place... You can imagine with that much code it's going to take a little time to work through in a new build system, but his current estimate is they'll release the first functional useful code "on the order of weeks". There are some smaller chunks that are going to have to be rewritten owing to dependencies on external proprietary code we did not acquire, but it looks like nothing really bad, and the core should be coming along quickly.
This codebase is one of the major commercial directory servers in use, is supposed to scale to giant enterprise loads, and is (according to some RH hackers who just got their hands on it internally) much easier to setup than OpenLDAP. It comes with a nice GUI config interface, etc. Naturally, it'll be integrated into Fedora pretty quickly, and hopefully Debian, Gentoo, SuSE and other distributions too.
-Seth
According to Chris Blizzard (mozilla hacker and generally cool guy) who's one of the people spearheading this project. He had a great presentation at FUDcon (Fedora conference) today, and demoed some of the cool bits of the directory / auth server (key auth where you pull out the key and encrypted messages are unreadable in thunderbird, similar for web pages in firefox, etc). They haven't finalized the license, but it sounds like the current front runner is GPL (with an exception to allow some forms of commercial linking... sort of a slightly stricter LGPL).
;-)
They're not releasing the code immediately because they don't want to dump "useless bits" onto the web and claim it's a release. They're currently working hard to get it buildable by mortals, which is a tricky problem when you have a codebase designed for building in a magic build environment inside one company. When I asked Chris when they'd be dropping the first functional code, he said no exact dates but "on the order of weeks". Sounds pretty good given the 1.8 million lines they're wrangling to the ground.
If you haven't yet, check out Mandrake Linux. A number of the developers (and community members) have made a lot of progress in LDAP-ifying (is that a word?) pieces of the Mandrake Linux distribution. The archives of the "Cooker" mailing list are probably a good place to start (as well as the spin-off list "Cooker-Server"). I don't have a lot of the details, but I've been keeping an eye on them for quite a few years, and I've seen their work (I prefer and use Mandrake Linux for my personal stuff, so my opinion may be biased).
Don Head
UNIX/Linux Administrator
Hummm k that sounds a good project to be more productive in the long run. Here's the solution. Take one of your boxes, do all the changes you need to and make a ghost of it. Then, deploy your brand new linux enterprise system and become one of the first people to ignore all these critics and make something concrete!!! And by the way, you'll be the most proud man to do it first! Ok it's a lot of work. I can tell you this, but you won't have anything for nothing.
Yeah, I remember back in 2002 or so, I saw an ad for a job requiring 5 years experience with Windows2000.
No, that's easy. Just hire 3 part-timers with 2 years experience each. That's how everybody else does it!
The problem is that each flavor/vendor uses its own brand of automount schema. OS X uses that awful 'mounts' mapping with its equally awful automounter. Solaris has its own brand. Then there is amd. Etc. Until someone RFCs a decent LDAP schema for automounting and everyone follows along, I suspect this is going to remain a dream.
In the meantime, if you work in a heterogeneous environment, expect to do some work (and in some cases, quite a bit) to build shims between flavors.... and that's before you get to things like Kerberized NFS and/or NFSv4.
In most other respects, everything else is fairly standard. RFC2307b gets you almost all the way via LDAP and Kerberos lets you do it all in an SSO'd environment.
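The post above says RFC2307-style LDAP plus Kerberos covers most of it except that every automounter wants its own map format. The script below is an added example, not something from this thread or any distribution: it takes automount entries as they would come back from an LDAP search (the automountKey/automountInformation attributes that the autofs LDAP lookup reads; the hostnames, users and the example.com suffix are made-up sample data embedded in the script) and flattens them into a plain autofs map that any of the automounters mentioned can consume. Entries that lack a location are skipped rather than emitted as a key that mounts nothing.

```shell
#!/bin/sh
# Added example (not from the thread): flatten LDAP automount entries into an
# autofs map.  SAMPLE_LDIF is constructed sample data standing in for the
# output of "ldapsearch -LLL ... '(objectClass=automount)'"; nothing here
# talks to a directory.

SAMPLE_LDIF='dn: automountKey=alice,automountMapName=auto.home,dc=example,dc=com
objectClass: automount
automountKey: alice
automountInformation: -fstype=nfs4,sec=krb5 homes.example.com:/export/home/alice

dn: automountKey=bob,automountMapName=auto.home,dc=example,dc=com
objectClass: automount
automountKey: bob
automountInformation: -fstype=cifs,sec=krb5,multiuser ://fs.example.com/homes/bob

dn: automountKey=broken,automountMapName=auto.home,dc=example,dc=com
objectClass: automount
automountKey: broken
'

# ldif_to_automap: read LDIF on stdin, print one "key options location" map
# line per complete entry.  An entry whose automountInformation is missing is
# reported on stderr and dropped, so a half-populated directory cannot turn
# into a map line that silently mounts nothing for that user.
ldif_to_automap() {
    awk '
        function flush() {
            if (key != "") {
                if (info != "") print key " " info
                else print "skipping " key ": no automountInformation" > "/dev/stderr"
            }
            key = ""; info = ""
        }
        /^automountKey: /         { key  = substr($0, 15) }   # strip "automountKey: "
        /^automountInformation: / { info = substr($0, 23) }   # strip "automountInformation: "
        /^$/                      { flush() }                 # blank line ends an LDIF entry
        END                       { flush() }
    '
}

# Stand-alone run: prints the alice and bob lines, warns about "broken".
printf '%s\n' "$SAMPLE_LDIF" | ldif_to_automap
```

Feed it real output with `ldapsearch -LLL -o ldif-wrap=no`, because the parser does not unfold the leading-space continuation lines that OpenLDAP's ldapsearch otherwise inserts for long values. The sec=krb5 options on both sample locations are what you would pair with the pam_krb5 login described earlier in the thread, so the mount is done with the user's ticket rather than a credentials file on disk.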
Actually, there was plenty of free software available in 1992.
At about that time I was writing X.500 based applications using ISODE.
In my estimation, X.500 failed to take off for five reasons. The first was that it was overly complex. The protocol was certainly complex. While ISODE made things easier, building applications was still too complicated.
The second is that X.500 was a resource pig, both on the client and the server.
The third is that there were too many optional features in the protocol. No vendor could practically support all of the options and no two vendors could agree on a reasonably common subset of features. Interoperability was a nightmare.
The fourth is that due to its complex data model and binary data encoding, debugging X.500 sessions was extremely difficult using a packet sniffer or other protocol capturing tool. It also meant that writing scripts to do reasonably interesting X.500 things was not going to happen.
The fifth was that once LDAP was fielded, the practical need for X.500 disappeared. The first 3 reasons above created LDAP and once it existed, X.500 was an answer in search of a question.
One might say that there was no mission critical need for directory services. We had DNS for host to address mapping. Directory services was a "would be nice to have" not a "must have".
In addition, because it was originally conceived to be operated by the PTTs of the world, there was an organizational element with regard to who ran what servers and served what branches of the X.500 name space. That never really came together.
Many thought that company employee directories would be on-line for the world to browse. Except nobody checked with the companies to see if they thought that that was a good idea. It wasn't.
Reasons 1 through 4 above apply to many if not most if not all ISO (or OSI) protocols. We used to say that ISO protocols were designed to solve all problems for all people for all time. It turns out that because the protocols were too complex and too resource hungry, and the implementations didn't interoperate, that in the end they solved few problems, for few people, for a very short time. And that was on a particularly good day.
Designing protocols to solve every problem and provide every feature that we will ever need lost out to designing protocols that were the simplest things that would serve the desired purpose and solve the current problem. And these simple protocols (FTP, HTTP, NNTP, SMTP, POP3, TFTP, ...) have been augmented as new requirements have been encountered and are still relatively simple (to understand, to implement, to debug, to use, ...) today.
LDAP, however, is not one of these simple protocols. LDAP was a compromise, like SNMP, and like SNMP, LDAP has paid for not being what it could have been: small, simple, and elegant. Both protocols use the ISO data model (ASN.1) and the ISO encoding model (BER,DER,...). In fact, both protocols were designed to be transitional protocols to get things going until their ISO replacements (X.500 and CMOT (CMIP over TCP)) were ready to be deployed.
The funny thing is that once LDAP and SNMP were fielded, X.500 and CMOT were no longer needed. And funnier yet, the authors of the LDAP and SNMP protocols secretly knew that LDAP and SNMP would not be replaced by X.500 and CMOT, but they had to make the design compromise to ease the transition that they knew would never occur in order to keep the peace while they pulled the rug from beneath the X.500 and CMOT proponents. Of course this was back in the day when most people believed that X.400 would be replacing SMTP in no time at all. But some knew better.
Also, it looks like there is a "Reduced Network Support" install option that is appropriate for this, too, but I've never used it.
It goes like this (the interface name is whatever follows "hostname." in the file name, so it is taken from the name, not from the file's contents):
# cd /etc
# for each in hostname.*; do ifconfig "${each#hostname.}" down; done
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Hence the ask slashdot, dipshit. ;-)
You fucking retarded Linux Jihad Zealot. Once again, Microsoft has been doing for years what you can only dream of. Please, lobotomize yourself already.
End of Line.
I think you give the LDAP "designers" far more credit than is due. They had no idea what they were doing, as anyone with network protocol design experience can see. And as LDAP use continues to grow it becomes more and more obvious where all the shortcuts they took by dropping X.500 features have come back to bite everyone.
-- *My* journal is more interesting than *yours*...
I imagine the "flat" thread is in reference to people not using containers to their fullest extent, but if it's in reference to "forests, trees, etc", flat is the answer.
At Microsoft's recommendation, I implemented "one domain, worldwide", no trusts, no trees, literally one domain. Works great, no serious admin overhead. I'm sure you're orders of magnitude larger in terms of numbers of hosts, but with locations in countries, just an OU per nation and break down inside by groups works great.
AD might be the only Microsoft product I've ever really liked, top to bottom. Easy to implement very "simple" solutions which easily scale to hundreds of hosts while maintaining maintainability (uhh).
Gotta agree with you, light years beyond NT4. And I haven't really even messed with 2k3 AD yet.
I like music
if you have to include MacOSX as part of your solution, pay attention, their solution is pretty much non-standard. all the OSX components have been modified to include Apple hooks, mostly Netinfo & pals.
integrating a multi-platform (linux+OSX+windows) single authentication system with LDAP _is_ possible, but you have to think about it from the beginning, and certainly no distro will do it out of the box.
Use the force Luke......
search freshmeat for mkautosmb, it's absolutely top.
It browses your LAN and creates automount config files for them, yee hah!
I had to edit it to do "autofs --version" when checking which version of autofs you have, and to make it write out "cifs" instead of "smbfs" to get around a current smbfs/win2003-server compatibility problem.
Either that or look at smb4k, but it suffers from the same smbfs problem I mentioned.
Sam
blog.sam.liddicott.com
Yes solaris with ldap/nis works very good, but. 1) If you use windows clients you are bound to use AD since all management tools, especially the security and user rights management tools, require AD. 2) Every vendor integrates with AD but when it comes to ldap they ship their own. Anyway, we use solaris with nis and ldap tied to an Nt domain, automount directories are easy to present through samba, but you should make them "static" samba mounts and let a script generate them from the automount map every night ( or you will sort the weak nfs servers from the good ). Slap a good web management gui on top of ldap and you're good to go. For the reasons stated at top we will migrate to ad, might keep an ldap in unix though ; )
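The nightly "generate static Samba shares from the automount map" script the poster describes is not shown, so here is one as an added example; it is not the poster's script and not part of any distribution. It assumes a map in auto.home format (the sample map embedded below is constructed, including the example.com hosts) and that the autofs mount point for the map is passed as the base directory. Each generated share is pinned to its own user with "valid users", and the map key is validated before it is spliced into a path, since whoever can write the map would otherwise be able to publish a share like /home/../etc.

```shell
#!/bin/sh
# Added example (not from the thread): regenerate static Samba home shares
# from an automount map.  SAMPLE_MAP is constructed sample input in auto.home
# format; no NIS or LDAP lookup is performed.

SAMPLE_MAP='# auto.home as served by NIS (or dumped from the LDAP automount map)
alice   -fstype=nfs4,sec=krb5   homes.example.com:/export/home/alice
bob     -fstype=cifs,sec=krb5   ://fs.example.com/homes/bob
../etc  -fstype=nfs             evil.example.com:/export
*       -fstype=nfs4,sec=krb5   homes.example.com:/export/home/&
'

# automap_to_smbconf BASE: read an automount map on stdin and print one
# smb.conf share stanza per user key, rooted under BASE (the autofs mount
# point from auto.master, e.g. /home).  "valid users" limits each share to
# the user it belongs to.  A key must look like a plain username before it
# is used in a path: comments, blank lines, the "*" wildcard entry, "+map"
# includes and anything containing "/" or ".." are skipped and reported.
automap_to_smbconf() {
    base=${1:?usage: automap_to_smbconf BASE}
    awk -v base="$base" '
        /^#/ || NF == 0 { next }
        $1 !~ /^[a-z_][a-z0-9_-]*$/ {
            print "skipping map key " $1 ": not a plain username" > "/dev/stderr"
            next
        }
        {
            printf "[%s]\n", $1
            printf "    path = %s/%s\n", base, $1
            printf "    valid users = %s\n", $1
            printf "    browseable = no\n"
            printf "    writable = yes\n\n"
        }
    '
}

# Stand-alone run: emits [alice] and [bob], rejects "../etc" and "*".
printf '%s\n' "$SAMPLE_MAP" | automap_to_smbconf /home
```

Write the output to a file that smb.conf pulls in with an include directive and reload Samba afterwards; because the paths live under the autofs mount point, the first client access to /home/alice triggers the NFS mount, which is the "static share over automount" arrangement the poster is after. The rejected-key report on stderr is worth capturing in the nightly job, since a skipped user is a locked-out user the next morning.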
I have been using tinysofa enterprise, tinysofa.org, for a while and find their position on preconfigured LDAP and Kerberos to be very good. If tinysofa is not 100% what you need it to be in regards to OpenLDAP out of the box, please participate to help get it there as I believe the community is serious about this requirement. good luck
you sir, are correct.
no points to help you get the point across though.
And ... you're doing the same thing, albeit with a supposed technical claim.
Got proof? Not a flame, genuinely interested in your info.
No he's right, AD has many other features other than broken standards support :)
Kerberos + LDAP alone can't manage group policies. Being able to manage workstation configurations (including new software installs) in this way is the killer feature of AD imo.
Then there's the GUI tools for managing it all, last time I looked Linux only had directoryadministrator which was a basic GUI for adding/removing groups and users.
This stuff could probably be done with a *nix solution but none do it out of the box. Afaik samba acting as domain controller can't apply group policies, although theoretically it should be possible to hack up some login scripts to emulate this functionality. To get it all running and have GUI control of the entire lot would involve a lot of programming and certainly cost more than a few win2k3 licenses.
(I'd love to be proven wrong if software does exist to do all these please point it out)
An awesome number of applications are set up to be LDAP-aware and all of the service config files typically have the LDAP parts already in there and commented out.
Certainly Samba, PAM, Apache, PHP, CUPS, ProFTPd and every other serious service I can think of are like this.
I'm sure they have a wizard for it somewhere but have never had to use it yet.
Got time? Spend some of it coding or testing
I think this will be of interest to you : http://www.redhat.com/about/presscenter/2004/press_neighbor.html
>Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification?
The performance would be awful, and if the network went down your computer would be worthless. This is a bad idea.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
The friends/foes thing has a use: Comment visibility.
You can up the score of friends and lower the score of foes. If you see someone who consistently posts comments worth reading, you can raise their comments automatically, while browsing at higher levels. You can do the opposite with people that are consistent enough trolls that you'd rather never hear from them again.
This is modified under the "comments" tab under preferences.
I hope this is some help. It has been my experience that most slashdaughters aren't as bad as your journal seems to suggest. You, for example, seem to be a non-lame slashdot member.
There are many others.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
I just have to make some advertisement:
During the last two years, I've been hacking on a generalized system for managing an LDAPized system, including all sysadmin tasks like home-dir-creation etc, for my employer. The system is GPL:ed and available from http://grimoire.takeit.se (the webdemo doesn't work ATM, sorry).
The aim of the system is to carry out any sysadmin task on any host in the system, and combine those tasks into more complex ones, even if executed on different machines, and then control access to tasks in a very fine-grained way (a bit similar to Novell's trustees, in that you have inheritance down the tree).
ATM, the system can handle users, groups (it can let users create their own groups in a controllable fashion), machine accounts and printer queues interacting with Samba, OpenLDAP, Courier, Postfix, CUPS, pam/nss-ldap and some other tools. It is however in beta-stage...
--The knowledge that you are an idiot, is what distinguishes you from one.
Fuckface.
I know I am getting off-topic but I feel I *have* to explain this! ;-)
What they probably meant is that they are looking for someone who has spent, effectively, 5 man years on the stuff. Can be managed if you work overtime. If you work 8 hours a day on something for a year, you'll have effectively 1 man year worth experience. Work 16 hours a day on something for a year and you'll have 2 man years worth experience. Work weekends too and you can manage more.
Basically it means they are looking for a person who is willing to work more than twice as hard as a normal person.
This is not my sig.
First response:
Scott Gordon [sgordon@vaco.com]
RE: Inquiry about Dice Job Number ADMEM
Thanks very much for your inquiry. We've filled this position today with someone of 12+ total years of experience.
Good luck in your job search!
------------
My response to that:
Alas, how is this possible? Active directory was first included with Windows 2000. The "2000" means the year, 2000. Being 2005 now, that means it's only been available for five years.
While I'm not trying to argue with you here, I thought I might let you know so you could fix the job description as it's inaccurate.
I consider myself very good at my trade, and I wouldn't apply for a job when the company can't get the job requirements correct - you know you're in for trouble when the boss apparently knows nothing about the technology; not even enough to realize 2000 means the year 2000. If you're a recruiting firm, you may attract more skilled people if you have an accurate description.
Fortunately I'm not looking for a job as I am already employed. Sometimes I look to see how the market is looking.
Good luck!
-------------
His response:
Joseph,
If you are not searching for a job, then it should not matter.
I appreciate your concern for my job description but it is unnecessary.
Perhaps you should apply your editing skills to your own employment and further yourself in your current company. What task are you not completing while surfing the internet looking for jobs? Does your employer - Future Foundations - know that you are spending company time, money and bandwidth looking for another job? Perhaps, they should know Mr. Jamieson?
Again, we've filled this opening and the position is no longer available.
Regards,
------------------
Now, "Future Foundations" is just my own e-mail domain name. Like many other people around here, I host my own e-mail so I keep my address no matter what ISP I use. How does this guy think he's going to scare an IT person by calling out their e-mail domain name?
I think he's a small recruiting shop, maybe even just him, as he claims to be CEO or something but also writes these job descriptions. Figures.
But these are the unprofessional people that us professionals have to deal with to get a job these days. It sucks.
Actually, I thought that it was more properly a ripoff of Banyan VINES' StreetTalk, which was an excellent directory system that only needed a few field additions to make it X.500 compliant...
http://samba.idealx.org/index.en.html
Windows and Active Directory are a proprietary ripoff of LDAP and kerberos with some gui tools.
Sort of. But I think stealing good ideas and implementing anything that makes use of open standards is a Good Thing, even if it is done by the Evil Empire. In fact, especially if it is done by the Evil Empire.
And while I've railed against MS for how their tactics have hurt competition in the IT industry for a long time, here is one instance where their heavy-handed grip on defining standards helped them rollout a directory service (nevermind that NDS was there already).
Yes, Linux has had all the ingredients for a long time, but my UNIX enterprise used NIS which was Good Enough, but insecure, incomplete, etc.
The sheer variety of Linux systems (LSB compliance, anyone?) and the competition between distro vendors (Red Hat, SuSE, etc.) makes it more difficult for them to settle on 1 way of doing a new thing.
We need a super-intelligent benign dictator (one doesn't exist in this arena) to roll up some nice pam/ldap/nss/ntlm/kerberos/nfsv4/samba combination with easy configuration that includes dynamic testing and discovery of services which more than 1 distro vendor would pick up.
Novell, Sun and IBM have some of the most experience in this area, but it will require buy-in from Red Hat to succeed. But Red Hat and Novell/SuSE are competitors.
One of the reasons this hasn't been done is that each of the distro vendors is hoping to corral the potentially lucrative enterprise market for its own. They should admit that it belongs to no One, that even though Enterprises want the convenience of One system, they want it standardized, uniform, and to be able to buy it from more than One supplier, not to be locked in like they have been historically.
This is a perfect project for OSDL.
"Provided by the management for your protection."
and configure 1000's of them in various levels of detail and to fine tune the access to different features of the config system. This is a normal Unix sysadmin task and has been around for decades.
If you're saying it's not possible to configure Windows workstations from a Unix server well, maybe so, but a few filesystem images, LDAP and SAMBA can go a long way.
The thing is, in your suggestion above, you still miss the thing that isn't there... group policy and the myriad of things you can manage and manage well with it. This is one of the things that differentiate AD from NDS and other competitors. In a world where investors think that CMM is the holy grail, in a world where you've got to have very stringent security policies but still have server apps not only work but perform, in a world where you need to be able to manage ten stock configurations across 500 servers and never miss a beat on a patch, a configuration change or a rebuild, AD, group policy and their add-ons are power. The nay sayers can cast aspersions all they like, but I'm in the trenches and I'm telling you it is far more efficient and stable than anything I've seen elsewhere. And I've been in the RH deployment labs, I've done racks of RLX with their Control Tower tools, etc., so I do have something to compare it against.
I want to stress just like you have that this is not a task that is beyond the capabilities of the FOSS community. It is a challenge and it is high time somebody got going on an answer. For a long time I watched SaMBa-TNG to see when they'd hit a full head of steam, but they never did. You are right on that somebody has to really rein it in and get a standardized reference design together and have all the majors behind the effort. And you point out RedHat's stand-off. I suspect that they'll be releasing pieces of Netscape directory server as GPL soon to try to coax some sweat from developers and let their ES implementation ultimately become THE implementation. But it won't happen. All it'll do is worsen the fragmentation in this arena and guarantee that redmond keeps a stranglehold in this division for at least another generation or two of major enterprise OS releases. IMO, with convergence getting hotter and hotter, it is a bad time for the vendors to be playing this gambit. They need to be working up a solution together. If they don't get it on soon, you know who'll be the big player in convergent apps based on integrated directory services on Linux? Nobody.
Can I bum a sig? I left mine at the office.
If you're saying it's not possible to configure Windows workstations from a Unix server well, maybe so
Yes that was the meaning, although if you're talking about doing that on Linux there aren't any out-of-the-box ways of doing it via a central interface (unless you count the console but that isn't really a fair comparison). I know it's possible but the question wasn't really about general possibilities, more about pre-provided solutions.
A few filesystem images, LDAP and samba don't go far enough for a lot of networks. Most are too diverse and that doesn't provide a solution for remote management. It's not really feasible to hold an image for every workstation configuration and you have no way of remotely installing software this way other than making all users administrators so they can run the .msi's from their logon scripts (again talking about windows workstations).