Linux Desktop Deployment Postmortems?
duffbeer703 asks: "My employer runs a lot of desktop and laptop computers -- something in the neighborhood of 40,000 PCs. Currently they are all Windows 2000 & XP managed by Active Directory and other big, complicated enterprise management tools, all of which can support Linux in one form or another. I'm looking for ways of making Linux (and maybe Unix or even Apple desktops) an option as we replace or add PCs. The problem is, most of the resources that you find online about deploying Linux focus on server environments, and the articles that I do find about desktop Linux focus on standalone developer workstations, the IBM conversion to Linux (which doesn't seem to have happened) or things like LTSP, that won't integrate well with our infrastructure. Is anyone out there successfully using Linux for regular users? How did it go, and how did your IT and user communities adapt to the new kid on the block?"
This article was posted a little while ago about a user who used Ubuntu in a completely MS environment without his boss noticing for a few months. (linked article from the story)
My experience with it is that it's one of the most mature Desktop distributions, coming complete with most of the tools one would need to perform most jobs. Easy install, and you can use Synaptic/apt-get for upgrades and additional installation since it's Debian based. You should check it out.
It's probably best to dive into a Linux or any OS migration for users head first, all at once, so everyone in the office has identical migration problems and can assist each other if the official tech support is busy. It's like the choice between staying with paper, or going with computers, that businesses had to make in the '70s, '80s, or '90s. There will be some people who would never bother to learn unless they are tossed into it kicking.
Saskboy's blog is good. 9 out of 10 dentists agree.
Your employer runs a pretty hefty workstation. Although I have worked for, or known people that made similar switches the scale was not even close. So it worked pretty well as the community was close-knit and excited about the change.
In your case though, there will be more disruption, not everyone wants to use linux... I'd suggest just inserting the new computers in one department, preferably one where the employees are already interested in linux. I would also suggest taking a workgroup poll to get interior feedback interest as well.
prof
Just so that nobody thinks that nobody is reading this thread... No Linux deployments at my company. I don't think that we'll look at Linux again for at least a few more years. None of our important apps work on Linux, and we have no Linux expertise in our small company.
Take a look at the Ernie Ball guitar string company. They made the switch several years ago. It is only 300 +/- people but they did it cause they got hit with being out of compliance with M$
Read Rockin' on without Microsoft
I was able, at some point a few years back, to produce a Ghost image with Red Hat, OpenOffice, and a login model that used my office's Windows infrastructure to authenticate users automatically. It worked very well. I used it on several test PCs and was able to boot them up, ghost them, and have them come up connected and ready to use.
It was fairly straightforward to set things up with simple additions to /etc/skel. The only real kneebiter was the fact that the vast majority of the office required Outlook, and for some reason (I don't recall what) Evolution wouldn't quite cut it. I seem to recall problems with lookups in the Active Directory using Evolution, but for all I know that's been fixed by now.
I ran this thing on my PC for months before my employer even noticed. I used VMware for my Windows needs (as I was a network administrator, I needed to run some troubleshooting in Windows for user support) and Samba for all of my day-to-day shares and printing. In the end, the only reason anyone knew what I was running was that I was sick one day, and someone tried to sit at my desk, with very small amounts of success.
Now if only I'd kept a copy when I was let go!
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
You could just give Red Hat or Novell a call and either one will be more than happy to give you their dog-and-pony show for their desktop offerings. I mean, they do do this kind of thing for a living these days.
s p
Do you have must-keep Windows apps? Try CrossOver Office
http://www.eweek.com/article2/0,1895,1886920,00.a
or
Versora/Win4Lin
http://www.versora.com/
I've used and deployed them all in small businesses with AD management, and they've all worked. There's no reason why they wouldn't work in larger businesses. After all, as IBM and Oracle are showing, they already do.
Steven
There's a few reasons why an IS department won't roll out Linux into an Active Directory environment.
:)
First, is that they cannot control the desktop using policy. This is the biggest selling point of using Windows in a workgroup domain, and especially to manage as many servers and end users as they have. Active Directory, while not perfect, is awesome in its capabilities -- all stolen mostly from Novell's NDS
Next, is expertise. Why would you introduce something into an environment that nobody really knows how to use? Your executives aren't 100% sure but they know 100% that they need to hire staff that can take on Linux servers/desktops and supporting them. That means paying a premium for that labor, and it's not necessary when you can get Windows guys on the cheap.
Lastly -- companies are hesitant to change. Financial companies in particular go with the mantra, if it works, don't touch it. You will see lots of these smaller shops on NT 4 still because to them... it works. Larger corporations that have to meet with SOX compliancy issues are forced into upgrading. That's what happened where I work.
Anyways.. best of luck trying to introduce Linux into your environment. I am going to say that you will crash and burn trying, because a company that large doesn't likely have a *need* for Linux. And if it's not a necessity, a good business decision is not to let it happen. Again the mantra, if it ain't broke...don't fix it.
The price is always right if someone else is paying.
You know I read your rant/article about gnome some time ago, posting it into random stories as comment doesn't make it any better ...
http://linuxtoday.com/news_story.php3?ltsn=2005-11-04-018-26-OP-SS-NV-0089
*an infinite number of monkeys wrote this sig
I've been trying to get Linux installed on the desktop for a few of my customers, but had problems finding a suitable model for deployment. Say what you will about Microsoft (and here most people do) but their deployment tools are pretty good. All of my new deployments utilise RIS (Remote Install Services) which greatly reduces client installation times.
Roaming Profiles and publishing applications via Active Directory also greatly reduces on site time. Workstations can be restored without anyone technical being required on site at all.
I've looked and looked and haven't been able to find any resources for doing similar tasks with Linux based desktops. The closest I've come up with is to use custom built CD Rom desktop OSes, but these are much slower than using a workstation with the OS installed on a local hard drive.
I'm sure it can be done, perhaps by remotely mounting common application and /home folders to a central server. But I've never seen any Howto's or even descriptions of anyone having done this in the enterprise before. Not to say it hasn't been done, just that no one's written how it's done (that I've been able to find).
Not much help I know, but it shows why my company is still an MS shop.
John the Kiwi
Let me state that I love Linux, and I am fortunate enough to be able to use it for my work.
In the past I've been responsible for switching a small company over (circa 150 desktops) from -- what was it now? -- DOS to WIN 3.1, or WIN 3.1 to WIN 95, I forget, I've burned it from my memory. And it was a nightmare. Not cuz it was Windows, cuz we were switching, period. Accounting gave us hell ("what are the cost benefits again?"), users gave me hell ("Time is Money, Y'Know!"), and Super Senior Mgt tweaked me more than once ("If you weren't switching us to this, um, upgrade thing, what is it that you would be doing, hmm?"). Learned an AWFUL lot about wacky boutique Accounting-Inventory-Shipping-Graphics-YouNameIt programs that all ran lovely on the OLD system but had to be bludgeoned into submission on the new.
Not saying you should not upgrade. Not saying Linux is not an upgrade from what you're using (not saying it IS, either; you really need to examine the apps). Just saying that you really need to look at this upgrade from every direction short of Sunday before you dive into the change. There's a large, cold room reserved in the House of Pain for Linux Evangelists who push their companies to make The Switch without having a whole pond worth of ducks in a row.
Good Luck, Bud, and God speed! And better you than me.
I can't believe PHB's are using "postmortem!" The term they are looking for is "After-Action Report", or "AAR" in mil-speak. Tell them that using military terms makes them sound bold and dynamic, while using medical pathology terms makes them sound weak and dying.
If you don't know where you are going, you will wind up somewhere else.
I used to work at a private high school in the Northeast. You can probably figure out what one by looking at my user name. Anyhow, we (read: I) tried a rollout of Linux on our file servers and routers. Here's what happened:
The Linux file server worked beautifully. We had a simple NT4 domain, setting up Samba with proper permissions was easy. It was easy to administer, very reliable, and fast.
The Linux router(s) worked well, too. I had a nice collection of scripts run with cron that would turn off internet access to the dorms at a specified time, and then turn it back on in the morning (remember: this was a high school).
I was even in the process of developing a grading system with the LAMP stack, since at the time, teachers did their grading manually, and often complained about it.
Everything was running beautifully for months, until politics entered the game. Some higher-ups bought software without consulting the IT department (me and one other guy) that of course only ran on Windows. They also decided that we were going to go with FileMaker for a grade database, that was maintained by some high-price consultant. In the end, they wanted everything to be Windows for some reason or another (misinformed about how Open Source works, you know, the whole deal). My wonderful little Linux environment disappeared, and eventually, so did I.
Moral of the story: technical challenges aside, your project can always be torpedoed by someone who is self-important and more powerful than you.
I have successfully deployed GNU/Linux networks, both servers and workstations. If you are at all serious about deploying a large amount of GNU/Linux Workstations the first thing you should do is replace the Windows Servers.
It is much easier integrating a Unix type workstation if you use Unix type servers. It is trivial to have nfs mounted /home directories, especially when you use LDAP for the User Database. If you attempt to deploy Unix type workstations in a Windows Network environment you will ALWAYS be fighting with the servers.
If it's all Windows centric including backend and management, it'll be tough to add. Here we are a hybrid Windows/Solaris and are adding Linux. The way we do it is LDAP on Solaris for the backend. Sun has a product that syncs the AD to LDAP, and we are currently working with the Linux systems to get them all working. They use LDAP just fine, but we are having difficulty with our automounts and other such things.
If you want to do it in your the thing to look for would be a way to sync Linux with the AD. I don't have any experience in this area so I'm afraid I can't help, but Samba might be a place to start. I understand it works in Windows 2000 domains now. At any rate what you want is to design a solution such that the existing management tools will work more or less seamlessly with the Linux workstations. That means they need to get their account information from the AD, map the Windows file shares (Linux does that fine now), use the Windows printers (CUPS has no problem with that) and so on.
You will probably need a Linux server that's the go-between and you might have to do some custom development work. However, I'm sure it's doable. Remember though, to sell it you need to make your solution work with the existing one. If you demand a bunch of changes, you'll just get shut down. However if you make it integrate nice, it's much easier to push as an alternative. Ultimately a more platform-neutral back end would probably be good, but with infrastructure that large, you can't start there because the cost will be enough to make everyone say no.
Probably what you should do is just get permission to start experimenting. Get a Linux desktop and server up and running under your control and then start investigating what it's going to take to get some integration going on. Worst case, it doesn't work out, and you get some Linux experience out of it.
most small businesses freak when they see a real accounting package. Peachtree and Quickbooks are NOT real accounting packages but toy packages for the business owner that does not know accounting.
Real systems like Champion controller and sage and Cougar Mountain or even Excalibur.
Those that are still using the toy packages the likes of Quickbooks really do not want powerful, they want braindead and to pay a service fee to get the hard stuff done.
but that is the difference between buying a $395-$595 toy at compusa or staples and a $1500-$6000 accounting suite from a professional.
Do not look at laser with remaining good eye.
okay, i really hate the subject line (and emeril's show) but here goes:
i work in a very small environment... say roughly 25 employees and at least that many desktops with about 20 servers. i've been pushing to move away from being a microsoft shop. luckily, the guy before me was also very pro-Best Solution (note i didn't say pro-linux or anti-microsoft) and set up a number of linux servers.
i have taken hold and attempted to push the idea of linux desktop solution for people that don't need windows (i.e. sales people). i actually set up a second box for myself before deploying a test box for a sales person. being a ubuntu user for 3 releases now, i choose it for its polish, shine, and my comfort level. my experiences have been mostly good. anytime anyone needs a package, i just grab it from apt-get (or find a repo first if need be). i can take care of the whole box via ssh and never have to bother the user. it works GREAT except for a few small problems in a windows network:
1. setting up active directory authentication is a PAIN. it's not hard, but time-consuming and requires a lot of manual tweaking (see my request for an automated tool)
2. evolution-exchange connector is horribly in need of work. the basics work, but it's not fast or efficient - or stable. it gets the job done, albeit not eloquently
3. (i believe the following is a problem with nautilus, but idk) when accessing a shared windows folder, authentication gives a prompt for credentials, but it doesn't matter what you put here. the second prompt for credentials is the important one. in fact, you cannot get the first box to go away unless you click cancel
4. sudo & AD groups. for the life of me i can't figure out how to get sudo to recognize %domain\linuxadmins as a valid group. `groups` shows me as being part of it, but it's almost as if sudo doesn't like the slash. i've tried escaping it, and tried it without the domain to no avail. ideally, i'd like to set up a group to allow certain users to perform updates when ubuntu notifies them stuff is in need of updating.
my gripes aren't HUGE, but they're annoying to me. of course i haven't touched on management needed for a 20,000 pc environment (pushed software & updates), so ymmv
News story from the event. The article is light on the details, and at one point refers to "pirated copies" while at another refers to "more installations than licenses".
Having seen both many a time in a corporate environment, this is not always a company decision- users are to blame on occasion as well.
The reason for the shift matters, but the fact that they shifted successfully says a lot, especially to smaller organizations that might not be able to afford enough licenses. If those style shops start switching over to avoid being out of compliance, things could start to get real interesting.
On the other hand I do have some clients where certain individuals have requested linux, and allowing them to run it has not caused any problems other than the obvious compatibility issues that may apply. These individuals are linux savvy and can generally deal with their own problems. Management does not want to spend extra money to support a second platform, and they understand this.
I guess the point I'm trying to make is that if you are considering rolling out some linux or even apple desktops, I would be careful to only migrate people that really want them and understand the consequences (and are able to deal with their own problems for the most part). Otherwise you're going to be incurring extra costs that probably outweigh any licensing money you save. That usually doesn't go over well and will generate a negative attitude from management towards linux.
As for workstation management tools, there are solutions from Redhat and Novell and probably others, and IBM has some tools too. I don't have much experience with any of them, but again it is probably an extra cost and what would the point be? What is the boss going to like about this whole idea? Sometimes I think linux fans push too hard or don't fully evaluate the situation and actually reduce the opportunities they might have to use linux where it would really be a great solution.
-Lod
Right tool for the right job. For many small companies (mine is around $1 mil/year), an expensive accounting package isn't worth the price. My $400 copy of Quickbooks does everything that I need it to do right now. Do you have a good business reason that I need a mid-range accounting package right now?
Not if you live on a continent full of "criminals" with success stories.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
For a Gnome based desktop, Sabayon appears to be about the best thing I've found yet that allows you to create "profiles" for different users.
I don't think it's anywhere as good as what I've heard group policy to be, but it's a start in the right direction. I've found it to be quite buggy and it took me a couple of days to get the desktop _as_I_wanted_it_.
(See http://www.codepoets.co.uk/sabayon_creating_linux_desktop_profiles which may be of some use as feedback/info)
DG
The Ginger Dog
Especially in a company with that many desktops. When talking about a migration to Linux in a large environment like that means a bunch of things:
1. What do you do with ANY of the custom apps used on the desktop. Most large companies have at least a few apps their internal developers built for them, and I'll bet they weren't built with cross-platform use in mind. Sure, it may work for now in WINE, but what about when it throws a weird error? What about when a new feature is needed? Recoding the app isn't really an option for most places.
2. Time to fire and rehire your desktop support staff! And any IT group that is directly tied to desktop products, cause you're doing a complete 180 degree switch on them. You can argue that anyone worth paying should already know Linux, but the reality is a lot of people in IT are tied to MS, because that's what their company has bet the farm on. You would probably have to either rehire or retrain most of the desktop support group.
3. Your options are RedHat, or SuSE. A company that big is only going to switch if they can buy Linux from a vendor with the chops to support a large organization. Mom & Pop Linux Support Inc isn't going to be taken seriously since they may be in business today, but might not be tomorrow. Business wants a large company backing a product so they have someone to go back to when something goes really wrong.
4. Retraining Costs. Sure, there's adjustment when moving users from Windows Version X to Windows Version Y, but generally the user experience remains fairly consistent. Moving to Linux, unless you reskin it to look exactly like Windows and hide away anything that would hint that it wasn't Windows is going to require significant user retraining. Then there's all the new apps that they'll have to learn to use. You'll lose a LOT of time and money here.
5. What's the real benefit? Yeah, Microsoft is evil, vendor lock-in, security vulnerabilities blah blah blah and so on. But honestly, does Linux provide a real business value? Does it save money in the long run? Does it make the work easier to do? Don't answer these questions as techno-geeks who are already biased, look at it from a semi-objective standpoint.
I don't think you can make an effective case to begin the switch-over of 40,000 desktops to linux, even in much of a phased approach. Best you can probably hope for are a few pockets of Linux users within IT. The average user would probably never even get whiff of its existence.
First, be patient. I don't think the IBM migration is as dead as it appears. Most of the commercial migrations I have seen take 2-3 years to accomplish assuming that a fair amount of resources are thrown at the problem. If you want a smoother transition, I would suggest planning for 4-5 years. This timeframe should allow you to rewrite all your inhouse applications to support Linux if necessary
The first step is to identify those workstations that have the simplest requirements and/or the users who are most interested in switching. Start there and migrate a few stations at a time. Don't be afraid to rollback to Windows for a while when you need to. Try to use Wine and other technologies to make the transition easier. I think that this is still where IBM is.
The second step is to do an analysis of what has/has not worked in this step and then look for the next group of workstations to migrate. Wash, rinse, repeat until you run out of shampoo.
Once you have a fairly established set of Linux workstations, I would suggest investing in infrastructure. Look at things like OpenAFS, X11 application servers, and the like. For desktops you can create a computing network that looks conceptually sort of like a SAN and is very easy to maintain (read up on Project Athena). This requires more care with laptops because of mobility requirements, but if you are careful about which applications you put on the laptop and which ones you run over the network, you should have few issues.
Hint: You can put an X server on the Windows systems to give them access to your X11 app servers, and therefore not immediately require everyone to run Linux to gain access to certain applications.
LedgerSMB: Open source Accounting/ERP
If you want to integrate Mac OS X computers into your existing Windows server infrastructure, be sure to check out http://macwindows.com/
This site is dedicated to enabling Mac OS X computers to coexist in the enterprise environment.
A year or two ago, I orchestrated an enterprise upgrade from Win 9x desktops with Banyan servers to WinXP with Win2K servers.
You would not believe how scared and panicky the users got. During the physical migration, users were given 4 hours of training on the changes from Win9X to WinXP. Then immediately went back to their desk to a newly converted workstation. It hardly helped at all. The shape of the MS Office icons changed, we got dozens of calls from users who said we had "taken away" MS Office. One department had their shared drive change from the P to the Q drive letter. Even after telling them verbally three times in class, and following it up with email, we still got dozens of calls from users who said their documents had been "deleted". We even got calls from people complaining that their spyware was missing! And some of them were PhD's.
Humans in general are dumb, easily panicked sheep. They fear and loathe change as if it were physically painful. They don't like Windows - in fact it is one of the favorite topics of water-cooler derision. But they would rather run their nuts through a clothes-wringer than have their toolbar move to the top of their screen.
Linux enthusiasts are generally highly intelligent malcontents. People who desire frequent chaotic change because it soothes the agony of their ADHD induced boredom. They love having to follow up the latest installation of Fedora by trying to figure out where to download a multi-media player from because *someone* got pissy with the old player's authors and left it out of the distro. Tweaking /etc/inittab to customize the services running at a particular run level is a diverting amusement rather than an odious burden. ;-)
And Linux enthusiasts suffer from a terrible conceit, believing that the rest of the world "wants" to be like them, but just doesn't know how. So if they can make the Linux desktop look 75% the same as windows, then they can lure the sheep in for a closer look. The implicit assumption being that once a sheep gets a good look at the "freedom" offered by vi and shell scripting, they'll have an epiphany and never want to go back to a point-and-click GUI.
Here's a clue for all the cult-of-linux followers out there. Most people HATE change. Flexibility is spelled c-o-n-f-u-s-i-o-n. Powerful tools are d-a-n-g-e-r-o-u-s. Configuration options are a t-a-r-p-i-t.
Memorize this commandment:
EASE OF USE is ***all*** that matters!
Until conversion to Linux represents LESS change for the average user to deal with than an upgrade to the next version of Windows, 90+ percent of the population won't touch it.
Or, you could go for an even lower common denominator, and develop XXX-windows with built-in pr0n. After all, it was x-rated content that created the market for VCRs and cable TV
"Sic Semper Path of Least Resistance"
I'm sure it can be done, perhaps by remotely mounting common application and /home folders to a central server. But I've never seen any Howto's or even descriptions of anyone having done this in the enterprise before. Not to say it hasn't been done, just that no one's written how it's done (that I've been able to find).
Why is it that people think Desktop Linux and Server Linux are different animals when it comes to enterprise setups? Enterprises have been doing rapid deployment, diskless (or minimally local), network boot unix installs for ages.
HOW should linux desktops be set up in an enterprise? Exactly the same way as the *ix servers! Any enterprise unix admin worth their salt already has this worked out. The only difference is which applications get installed.
Need that latest patch deployed to all 1.7 bazillion desktops? Update the filesystem that the desktops are booting to and update all of them at once. Messing with symbolic links makes it easy to swing a link back to the old version and reboot the workstations if something goes bad.
Mounting remote filesystems allows users to write their files directly to the network, where it will be backed up according to firm policy. Mounting the system filesystems ensures that every machine is running the latest and greatest. Deploy your apps in OpenAFS, and you can control access to apps via ACL groups.
duffbeer703 asks: "My employer runs a lot of desktop and laptop computers -- something in the neighborhood of 40,000 PCs
Wow, I didn't realize the Springfield Nuclear Power Plant employed so many people.
Beauty is in the eye of the beerholder.
I think the key is to make the transition process as smooth as possible.
One department at a time is a good strategy, but I'd go even further:
Your users are going to have to learn to use a lot of new software and they won't be happy with that. If all those changes happen all at once, there will be a perception that Linux is hard and complicated. And it will fail.
I'd replace one application at a time for as long as I can. Internet explorer would be the first (replaced by firefox), then maybe Outlook (by Thunderbird), and then I'd go with MS-Office (one component at a time, replaced by OpenOffice2).
The idea is to make them learn while they are using their "comfortable Windows environment". That way they will be able to go back to their old software (for a while) if something doesn't work as expected or if they are in a rush.
And make sure some of the IT staff make the changes before everyone else, so they can offer some support.
Anyway, I wish you good luck !
...A mistake was made and a disgruntled employee noticed and reported it to the BSA.
Even nicer was the fact that the same former employee was responsible for keeping the licensing info.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
2. Decide on a method for authentication. I suggest using Kerberos 5, since that's what Active Directory uses. You must make a choice -- use Active Directory as your KDC, or use MIT or Heimdal as your KDC with a trust between it and the Active Directory. Due to licensing, and technical reasons, we use an MIT KDC, with a 1 way trust (AD trusts the MIT KDC, the MIT KDC doesn't trust AD). The technical reasons boil down to:
Note that you could choose to have Windows systems authenticate against the AD or authenticate against the MIT Kerberos realm, and have non-Windows systems use an MIT KDC.
2. Redirect passwd file lookups to LDAP. You already have an LDAP server -- Active Directory. You'll need to add the LDAP schema defined in RFC 2307, and will need to add the posixAccount auxiliary class to all of your users. Part of that process involves putting the passwd file information like uid, gid, gecos, homeDirectory, and shell information in the appropriate attributes.
Again, due to licensing issues, and the fact that we already had an enterprise LDAP directory, we chose to not use Active Directory for this purpose. But, it certainly can be done.
3. On the linux desktop systems, use pam_krb5 to redirect authentication to kerberos, and configure nsswitch.conf and ldap.conf to redirect passwd file lookups to LDAP. On RedHat systems, you can do it all from authconfig, although I think it's helpful to know the files involved.
4. I like pam_access for restricting who is allowed to log in on a given workstation. pam_access can restrict to members of groups, and those groups can be posixGroup objects in LDAP/Active Directory.
I think it's helpful to have home directories on a central server. We use OpenAFS. I don't know if it's possible to have a user's home directory on a Microsoft share or not. If not, you'll probably still be in the business of creating home directories on desktops. Microsoft has some NFS thing for Windows. I haven't used it, so I'll refrain from commenting, other than to remind you to research potential licensing issues.
A lot of this will work across a number of platforms. I have it working on Linux and OS X.
Beyond the stuff above, for managing lots of Linux desktops there are lots of options, but they're probably all roll your own type things. If you have a few standard configurations, you could use rsync. Or have them all point to a central YUM repository, or... Well, there are tons of ways. I can't give you a postmortem on that, because we don't have lots of Linux desktops in our environment yet. Centralized management doesn't make sense for the few that we have.
Summary: pam_krb5 + pam_access + nsswitch + central filesystem == HAPPY
Read up on Kerberos. There's a fair amount to get your head around. If you can explain why Kerberos authentication is better than "ldap authentication" you should be in pretty good shape.
-AT
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
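A check for the client-side pieces named in steps 3 and 4 of the comment above, as an added example that is not part of the original post: it inspects nsswitch.conf, one PAM service file and access.conf under a given root and reports what is missing. The function names, the `desktop-users` group and the sample file contents are constructed assumptions; `system-auth` is the Red Hat service file name and differs on other distributions.

```shell
#!/bin/sh
# Added example. Paths follow the Red Hat layout; sample contents are constructed.

# audit_login_stack ROOT [PAM_SERVICE]: print findings, return their count.
audit_login_stack() {
    root=$1; svc=${2:-system-auth}; findings=0
    nss="$root/etc/nsswitch.conf"
    pam="$root/etc/pam.d/$svc"
    acl="$root/etc/security/access.conf"
    miss() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Step 3a: passwd and group lookups must list ldap as a source.
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$nss" 2>/dev/null ||
            miss "nsswitch.conf: '$db' does not consult ldap"
    done
    # Step 3b: authentication must go through pam_krb5 (commented lines are ignored).
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_krb5\.so' "$pam" 2>/dev/null ||
        miss "$svc: no active auth line for pam_krb5.so"
    # Step 4: pam_access must sit in the account stack...
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_access\.so' "$pam" 2>/dev/null ||
        miss "$svc: pam_access.so is not in the account stack"
    # ...and access.conf needs a deny rule: when no rule matches, pam_access grants access.
    grep -Eq '^[[:space:]]*-[[:space:]]*:' "$acl" 2>/dev/null ||
        miss "access.conf: no deny rule, so nobody is restricted"
    return "$findings"
}

# write_sample ROOT: constructed files for a workstation limited to one LDAP group.
write_sample() {
    mkdir -p "$1/etc/pam.d" "$1/etc/security"
    printf '%s\n' 'passwd: files ldap' 'group:  files ldap' 'shadow: files' \
        > "$1/etc/nsswitch.conf"
    printf '%s\n' \
        'auth     sufficient pam_unix.so' \
        'auth     required   pam_krb5.so use_first_pass' \
        'account  required   pam_access.so' > "$1/etc/pam.d/system-auth"
    printf '%s\n' '+ : root : LOCAL' '+ : (desktop-users) : ALL' '- : ALL : ALL' \
        > "$1/etc/security/access.conf"
}
```

Run `audit_login_stack /` on a workstation, or point it at an unpacked image root before deployment; a return value of 0 means all four checks passed.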
Pop Quiz: Name a place where you can ask a question of a couple hundred thousand UNIX, Linux, Windows, and other IT/IS pros all in one place, many of whom may have experience relevant to your company's situation. In addition, this place cannot charge a fee for their services, and the answers must be diverse and rapid.
...
I don't know about you, but the only place that comes to mind is Slashdot. Vendors and consulting firms often have a bias to whatever products/services they feel they can offer at greatest advantage to themselves, and not necessarily to your best interest. With all that in mind, I think Slashdot is a pretty good place to start, like bouncing an idea off of a skilled friend except on a much larger scale. That's not to say they shouldn't do their own homework from that point onward, but a company doesn't often get to the point of having 40,000 workstations by sheer guesswork.
-AT
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
The technical stuff: Users were running on ageing Sun hardware with relatively low performance (Blade 1000s, Ultra 60s). The applications they run are technical applications for which ports exist for both Solaris and Linux. The new hardware is high-end HP workstations with more memory and processors than you can shake a stick at, combined with Nvidia FX3000/3400/3450 GFX cards. OS is RedHat 3.0. That was forced upon us by the key application which is only supported on that distribution.
Rationale behind the move: Move to Linux because the applications run faster. That's it.
So what worked well?
The major factor in the success of this rollout was the relatively low degree of change in terms of what was presented to the users. The applications they use were simply ports of the Solaris versions. Nothing new to learn. The only difference is that they work a whole bunch faster. Instantly the user base is won over and there's buy-in.
Another, seemingly small, item was the look of the login screen and the desktop environment on first login. First impressions do matter, and getting this right turned out to be very good PR. As the desktops were deployed, users would crowd round the first of the new systems in their areas and "kick its tyres". People were genuinely interested in what they were seeing, and a buzz spread round quickly. On our feedback forms many commented on how much they liked the new, tricked out, environment. In reality little had changed in terms of usability and people weren't frustrated that they couldn't find their favourite application (or analog, where none existed).
There was a relatively low impact for the support team too. Accustomed to Sun's jumpstart, kickstart is an intuitive and easy mechanism for deploying to a large number of identical desktops very easily. Power on, press F12, and the whole thing is automated from that point onwards.
What didn't work well?
The desktop environment was customised from the standard Redhat KDE login so that the right click menu displays a cascaded list of technical applications. Non-essential stuff was removed. Working out how the KDE menuing system hangs together wasted 2 days of my time. Redhat support were useless and I had to use a combination of strace and the source to prove definitively how it works. My major gripe with this whole process was the total lack of adequate documentation. If you're coming from a commercial Unix vendor's platform you'll be accustomed to good quality documentation that gives you all you need to deploy in a couple of hours. Just compare the CDE guides on docs.sun.com to the KDE manuals on www.kde.org and you will see what I mean. This is a fundamental weakness in the OSS world that must improve before large organisations will consider widescale deployments.
What else?
There was no desire or justification to migrate the backend office applications to the Linux desktop. Don't go there - it's a hiding to nothing. If the rest of your enterprise is using MS Office and Exchange there is no sense in trying to fudge things with OpenOffice or Evolution or their ilk. If you do, you *will* have problems. Some things just don't work, and the support team don't want to spend the rest of eternity trying to figure out why a particularly obtuse Word document with some recondite macro is refusing to display in OpenOffice. So how do those users get their standard office tools? Citrix. It just works. Leave the pain of MS support to the masochists and get on with your day job.
I work for Ernie Ball's IT department and was here 5 years ago when the shit hit the fan. The rockin' on article describes it all very well. The truth is, we downloaded the BSA tools and they DIDN'T WORK. I had proof that I had downloaded them a couple of weeks before the armed guards came storming in. It didn't matter to them. We have been completely M$ free since then and have had no problems at all.
When I've put my systems live, I normally stand in front of a large banner with the words "Mission Accomplished", before spending a few years fixing a broken system that was poorly designed and planned for.
I'll be surprised if anyone reads this, or even believes it, but..
It's been my job professionally for about 5 years to manage Linux on the desktop for a biomedical company who designs their own ASICs and PCBs on Mentor Graphics..
First I migrated them away from HP-UX as Mentor Graphics ported more and more of their tools to Linux.. It was more cost effective to get brand new Dell machines running redhat [which gets replaced, because Dell's redhat install is crappy] for US$1800 than refurbed old PA-RISC workstations at US$5000+ a box.
Basically, I'm using:
Distro: Debian
GUI: XFree86 or Xorg [depending on which box]
Desktop Env: KDE [muggles love KDE]
Mail: Evolution and MS Outlook [a la crossover office, what a lifesaver!]
Web: Mozilla or Firefox [both are installed]
Office suite: OpenOffice 2.0 and MS Office 2000 [a la crossover office], planner, & MS Project
Music: amaroK or xmms, or whatever they want
The home directories, and proprietary Mentor software are all NFS automounted [it's fine, really], so the only data on the drives is the os and application data.. i lose a drive, no big deal, when the drive's replaced, i reinstall stock debian..
However, I -have- used apt-move [and apt-proxy] to make my own distro of debian in-house for building workstations.. it's a lot more convenient to install the netinst CD and be done, reboot the machine, point the sources.list at the internal repository, load aptitude, and just hit + on the top levels [which essentially loads everything in the repo.], and bam. Installation would probably be more efficient if i used something like Fully Automatic Install (FAI), but i haven't been smart enough to figure out how to get it installed.. It's only good for installs tho.. I maintain the separate repo for upgrades.. That and it keeps people from installing things willy-nilly from the net if the only repos the workstations have is an internal server with a subset.
User accounts are all managed via LDAP, tied in with the corporate ADS directory, one login to auth them all!
box configuration management is all handled by Cfengine2 -- all hail the university of oslo! Cfengine has made it possible for me to manage all the boxes at once, no matter what the hardware discrepancies.. i can do the work of 4 people, by myself. that and, the configuration repairs itself if discrepancies show up on the workstations for some reason..
Let's see, that's software centralization, user data centralization, user auth centralization, and workstation configuration centralization.. for 30+ boxes across two buildings, for engineers and managers, for almost 5 years.. There may be better ways to design a network of workstations, but the support model I've implemented has really worked out for me..
Once a "normal" user gets used to the idea that the computer will do whatever they want it to do, even though it's not windows, the questions about how to do things taper off after a while as they get used to the new system..
It's sad really. I've been doing the Linux desktop professionally longer than anyone i've ever even heard of. I know for a fact the Linux desktop is completely viable, but nobody seems to believe it. Non-technical and technical people alike all seem to have their doubts and never get up the energy to actually explore it.. Heh..
anyway, good luck
US$0.02++
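The comment above relies on workstations having only the internal repository in their sources.list. As an added example that is not part of the original post, this check lists any one-line `deb`/`deb-src` entry whose host is not the internal mirror; the function names and the `apt.corp.example` host are constructed placeholders.

```shell
#!/bin/sh
# Added example. apt.corp.example is a placeholder for the in-house repository host.

# foreign_apt_sources ALLOWED_HOST FILE...: print entries that point at another
# host and return how many were found (0 = only the internal mirror is used).
foreign_apt_sources() {
    allowed=$1; shift
    awk -v allowed="$allowed" '
        { sub(/#.*/, "") }                          # drop comments
        $1 != "deb" && $1 != "deb-src" { next }     # blank or not a source entry
        {
            i = 2
            if ($i ~ /^\[/) {                       # skip "[ option=value ... ]"
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i
            if (uri ~ /^(file|cdrom|copy):/) next   # local media, no network host
            host = tolower(uri)
            sub("^[a-z+]+://", "", host)            # strip scheme
            sub("^[^/@]*@", "", host)               # strip user:password@
            sub("[/:].*", "", host)                 # strip port and path
            if (host != tolower(allowed)) { print FILENAME ": " uri; n++ }
        }
        END { exit n + 0 }' "$@"
}

# write_sample_sources FILE: constructed sources.list with one stray entry.
write_sample_sources() {
    cat > "$1" <<'EOF'
# internal mirror built with apt-move
deb http://apt.corp.example/debian stable main
deb-src http://apt.corp.example/debian stable main
deb [arch=i386] http://apt.corp.example:9999/local stable contrib
#deb http://ftp.debian.org/debian stable main
deb http://ftp.debian.org/debian unstable main
deb cdrom:[Debian GNU/Linux netinst]/ stable main
EOF
}
```

Pass `/etc/apt/sources.list` and any files under `/etc/apt/sources.list.d/` as the FILE arguments; a configuration management run can use the non-zero return to flag the workstation.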