Slashdot Mirror
German Foreign Ministry Migrates Desktops To OSS
ruphus13 writes "Here's another example of 'German Engineering' — The Foreign Ministry in Germany is migrating all of its 11,000 desktops to GNU/Linux and other open source applications. According to the article, 'this has drastically reduced maintenance costs in comparison with other ministries. "The Foreign Ministry is running desktops in many far away and some very difficult locations. Yet we spend only one thousand euro per desktop per year. That is far lower than other ministries, that on average spend more than 3000 euro per desktop per year ... Open Source desktops are far cheaper to maintain than proprietary desktop configurations," says Rolf Schuster, a diplomat at the German Embassy in Madrid and the former head of IT at the Foreign Ministry ... "The embassies in Japan and Korea have completely switched over, the embassy in Madrid has been exclusively using GNU/Linux since October last year", Schuster added, calling the migration a success.' The Guardian has additional coverage of the move."
I certainly hope more countries follow this lead.
Dear Sir,
The chronometer in your time machine appears to be off by a few decades.
You apparently landed in the early 21st century, instead of the mid 20th.
I'm afraid a time machine repair shop won't be available for another 200 years. But hey, we have cable TV!
The 'additional coverage' is from Sunday June 22 2003...
Just now Microsoft made a statement to the press...
"OSS is not cheaper to maintain for the following reasons"
1. Employees will waste that extra time they get not waiting for reboots instead of using it for texting & other 'social' activities.
2. We pay people to stick their fingers in their ears and say "La La LA MS is cheaper La La Laaaaa".
3. Any money left will encourage your employees to steal it.
4. Steve Balmer needs it to develop sweat-proof chairs.
5. Windows 7 wont have any of the existing lock-in as previous versions of Windows. It'll all be new kinds of lock-in.
6. ???
7. Profit (for us not you)
Yeah. Did you read The Guardian article (actually The Observer)? It's dated June 22nd. Of 2003. Two Thousand And THREE.
Managing software installs, at least in Red Hat, is just a matter of setting up a local Red Hat Satellite repository. In Fedora, there is also Cobbler, which lets you spin a Fedora installer with customized software packages.
As for logins, there are a variety of mechanisms. You can go with old school NIS, or even just use Samba, which can be especially useful during migration when you will probably have a heterogeneous environment (assuming the migration is away from Windows). Also, there is autofs, which can automatically mount a network mapped home directory when a user logs in...
Palm trees and 8
According to the article, the migration is already well underway. From the 11.000 desktops, 4.000 already are migrated to Open Source and about half of the embassies are on Open Source Software now. That explains where they get their maintenance cost numbers from, good to see that the cost savings seem to be real and backed by their own data instead of being estimates :)
They also started the switch a long time ago, according to article, the infrastructure switch started in 2001 and the decision for the destop migration was done in 2004, so I think they have some solid experience with handling Open Source now, which I think is good.
Well, at least Germany had the balls to stand up to Microsoft and actually go with the GNU/Linux solutions vs most other countries and corporations that just do this to get a discount from Microsoft. Here's a good quote from the article:
The conversation between Ude and Ballmer was confidential, but anyone who knows the Microsoft CEO can guess how it went. Let us say negotiation is not his forte. Ballmer is no more designed for the art of persuasion than the Abrams tank is for delivering meals on wheels.
Life was hell, then I discovered Linux...
Interesting. Does that mean that there are still reasonable people in the world? Even in politics?
From TFA: The Foreign Ministry in 2001 began migrating its back-end IT systems to Open Source in order to provide all embassies and consulates with Internet access and email. "Our strategy was to use as far as possible Open Standards and Open Source. Reduction of costs was the main reason for this decision." Upon completion of this project, the ministry decided in 2004 to also migrate the desktops.
It's 2008, 7 years since they started the migration, I think they're sticking to it.
http://marriedmansexlife.com/
> List price for Satellite server is $13,500 (USD) annually.
That system sounded too nice to be true at first.
Though I asked for OSS alternatives, let me rephrase, are there any FREE OSS alternatives for this task?
Is the only alternative to write shell script to ssh into every machine and do the install?
There are no atheists when recovering from tape backup.
They know what GNU is, or at least use it by name. That's really the biggest story here.
Wasn't that Mussolini?
Mussolini made them run on thyme...
I wank in the shower.
From the Guardian article:
(emphasis mine)
And this is why, ladies and gentlemen, we won't be seeing this in many countries outside Germany. They have a politician who knows what he's talking about, and doesn't pander to the whims of industrial lobbyists.
I'm going to transform myself into a mighty hawk. Either that or I'll just go and work at Dixons, haven't decided yet.
All Linuxes come with package upgrade services that run. You simply point them at a local repository and the machines will self update on whatever frequency you want as part of your standard image.
puppet http://reductivelabs.com/projects/puppet/
The real story would be if they got the Interior Ministry to convert. In Europe, that (and the Agriculture Ministry) is usually where the deadbeats end up.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
at least for some distros (primarily redhat heritage, also some suse capabilities) there's http://dag.wieers.com/home-made/mrepo/
there's also http://www.redhat.com/spacewalk/, the recently opensourced satellite spinoff - but it still requires oracle as a backend, so screw that ;)
Rich
This is a joke, right?
Where the fuck do you think Microsoft stole Kerberos and LDAP for their AD from?! We've been using the stuff AD is made of years before it was even a wet dream in Microsoft's diseased minds.
As to automated installs, every damn Linux distro has a package management system capable of being remotely scripted, and designed for mirroring via localized caches!
What a dork.
Why not laptops as well?
This Sig is removed due to factual inaccuracy
Self-updating is not problem, apt-cron etc will handle that.
The problem is, I have new software which I need to deploy to 4000 machines overnight.
Do I really have to reimage 4000 machines to achieve that goal?
What about user files on those desktop machines? Reimaging would wipe them clear. (ok, home directory on separate partition/on network would fix this)
Having something automatically installed/uninstalled on machines centrally deployed is the problem here.
There are no atheists when recovering from tape backup.
This sounds like what I was after, Thanks for the link.
There are no atheists when recovering from tape backup.
Yeah. Did you read The Guardian article (actually The Observer)? It's dated June 22nd. Of 2003. Two Thousand And THREE.
Holy Shit, Bazman!
Yes, because governments never make bad decisions, then hide them with false data/reports.
So are you saying they didn't really start migrating in 2001 or that they aren't really still using F/OSS now? Or did you just want to say something and couldn't come up with anything sensible?
http://marriedmansexlife.com/
Is the only alternative to write shell script to ssh into every machine and do the install?
Back in the day, I had a text file with the names of all of our machines. for name in `cat machinlist.txt`; do ssh $name yum install -y software; done
You don't even need a script.
Don't bother pointing out all the problems with that, I know. But it does work (once you fix the syntax errors).
I know microsoft ripped kerberos and ldap to ad and crippled them while doing so.
Since this has been done years on unix systems, care to link a howto / etc documentation on deploying such system?
No, I don't mean guides explaining how to install kerberos and ldap.
I haven't been able to find guide on deploying active directory-like system with free software which would offer group policy features. When I already have groups deployed in LDAP, why do I need to script installers instead just defining policy to install software to that group?
There are no atheists when recovering from tape backup.
I'm sure there has to be a way. Clustering suites, say Sun's Grid Engine, or ROCKS http://www.rocksclusters.org/wordpress/ have utilities for pushing applications off to their nodes, you might be able to use that functionality in your environment. Also, not sure it is possible, but could you use kickstart (PXE) but rather than having commands to format the harddrive and install you just have to post install bit which you'd want to rcp the app over, run the installer and clean up for example. It would require a reboot but I think it should work.
Das Jahr des Linux Desktop-Computer.
This space up for sale.
At least the debian / ubuntu system easily support this, using meta packages.
you have an empty package, leys say blah-desktop-graphics that all employees working with graphics have installed. You want to install graphics program Foobar. You add Foobar to your local repository, and release a new version of the metapackage that depends on Foobar. So package manages sees "oh, new version of blah-desktop-graphics. Great, lets grab that. Hm, for that I need Foobar too, so lets grab that one, and install it."
Exactly how apt deals with new dependencies under updates can be configured, from ignore, to ask, to install automatically. Since you're deploying a default image, and have already pointed that image to your internal update server, it would just be a small additional step to set that option correctly. As a bonus you have 100% control over what gets pushed to your machines.
It's The Golden Rule: "He who has the gold makes the rules."
Handful of servers is easy to handle but how are logins and home directories handled in environment this scale?
Use LDAP to integrate RHEL clients (and other distros too) with OpenLDAP, MS Active Directory, Fedora Directory Server, or Sun Java System Directory Server. Any one of those accomplishes a central identification and authentication repository. LDAP-based directory servers can handle millions of entries in a distributed (i.e. global) environment.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Active Directory -> openLDAP & kerberos
WSUS -> cfengine or something similar
The tinker toys are all in the box...
When I already have groups deployed in LDAP, why do I need to script installers instead just defining policy to install software to that group?
Because of the Unix philosophy: do one thing and do it well. LDAP isn't a software installation system. Even AD's software installation pales in comparison to real software installation systems built for windows; AD can't even install an EXE file without scripting _and_ mandatory reboots (or encapsulating into an MSI).
Cluster SSH can be a good way. I never used it, though.
Seems like a simple script to login to each machine and run "yum update" would solve that issue.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Getting the latest version of Samba is the easiest way, if all you want to do is replicate the functionality of AD. In the past I have replicated an NT4 domain using Samba and LDAP, back before they had AD functionality, it was remarkably easy and the Windows clients couldn't tell it wasn't an NT server.
I'm not exactly sure what you do with GPOs, so I don't even know if it would make sense in a Linux context. There are a plethora of ways to install software on your Linux workstations. Trying do apply the Windows installation method to Linux will only lead to disappointment, but if you use the Linux methods you will find them quite capable.
http://www.mhall119.com
I wonder if this has anything to do with the (then, 2001, when this started) german Foreign Minister (Secretary of State) Joschka Fischer being a member of the Green Party.
The german Green Party has a tradition of rather sane maxims regarding IT. In late 1998 Germany elected a Social Democrat / Green Party coalition and 2001 seems like a reasonable date for the implementation of descisions made shortly after 1998.
This, of course, is pure conjecture, i'd be grateful if anyone from Germany had any background information on the reasons for the switch.
sig? Oh, that sig...
That is because of fundamental differences in the entire philosophy of Linux/FOSS vs. that of Microsoft. Microsoft aims to provide cookie-cutter, one-size-fits-all "solutions" whereby some doofus MSCE can read "AD for Dummies" and then click his way through system administration. It works, to a degree, in homogeneous environments which do not deviate in any way from "Microsoft Approved" designs.
Linux on the other hand is built around small, specialized components out of which a competent admin is supposed to construct a solution tailored to a specific environment. And the glue which links all of these components, which can be combined in a very large number of ways, is scripting.
That is why one cannot be a competent Linux admin without being also competent with a number of scripting languages. That is the price, but it is also the advantage as more demanding the deployment parameters grow, the more such approach becomes superior over the one-size-fits-all method.
So in effect you are asking for Linux to abandon all of its advantages and become "like Windows" just because you are too lazy to learn how to deploy it properly. And by this I do not mean reading some idiotic 20-step "how to" which cannot cover even a fraction of the possible configurations. By "learning" I mean understanding all the fundamentals of the system operation, learning all the involved scripting languages and being able to modify all the essential system scripts with thorough understanding of all the involved components.
And that is why such "how tos" are of a very limited use. There are "shortcuts", some of which were already pointed out to you - such as Samba, but they are intended for simplified scenarios whereby the scope of possible configurations is very narrow.
Once any serious sized Linux deployment is considered, a huge number of possible scenarios exists, beginning with basic considerations such as if to run the client systems via network mounted root file systems (in which case no home directory "roaming" exists) or if to deploy terminal servers or X-terminals etc and so on, all of which have impact on how users are authenticated and how their resources are allocated on the network, not to mention that LDAP and Kerberos are amongst many other ways of maintaining centralized user information. No "how to" guide is going to cover all of these complexities.
It's 2008, 7 years since they started the migration, I think they're sticking to it.
Those are 5 words to remember.
It's never as easy as "dump Windows and install Foo".
I haven't been able to find guide on deploying active directory-like system with free software which would offer group policy features. When I already have groups deployed in LDAP, why do I need to script installers instead just defining policy to install software to that group
First, quit thinking like Microsoft, their methods are ass backwards and overly complex. Look at a script as a hyper intelligent policy where you are in total control and not bound by the options presented to you.
So what you're saying is that LInux isn't viable for small/medium sized businesses.
You make whatever you have to deploy a package and have the machines update with your new package. Updating is install/uninstall you just change dependencies on some virtual package
Well, stick with the custom repository, add your apps to it, and make sure that your update scripts also support retrieving a list of mandatory packages that need to be installed, so that anything new gets installed at the same time as any updates.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
What i always found amusing about windows policies, is that they're implemented in userland and trivially easy to bypass...
As an example, the one that prevents you from using cmd.exe
Take a copy of cmd.exe and run it up in a debugger, you will notice it checks a registry key to see if it's allowed to run, and displays an error if it's not. Well, hexedit the binary and break the check (just rename the key so it wont find it) and run the modified cmd.exe on a machine with a group policy that doesn't allow it... Running cmd.exe will get around the userland restrictions in explorer.exe that prevent you seeing certain drives too.
Now how stupid is this? Surely a more sensible approach is a kernel level check?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Only if small and medium businesses are restricted to hiring learning-impaired boneheads for all of their IT needs. A competent Linux admin can keep a far larger number of small businesses operational because as a reward for all the effort he spent learning how to do it he gets to automate and make reliable a far larger number of diverse systems then a Windows admin can, not to mention that his task is in the long run far less labour intensive (although there is a steep learning curve and up-front investment in good configurations and scripts).
I know this for a fact because I make a good living doing just that, having replaced a veritable horde of MSCEs over the years.
While i do fully agree with you, "replacing windows" is a simplified scenario and the scope of configurations is very narrow because as you pointed out, windows configurations do not deviate from "microsoft approved" designs...
So what people really need, are simple ways to migrate from windows to linux and achieve equivalent functionality. Yes, this will lose many of the benefits of linux, but it's a start. Once linux deployment is far more widespread, more people will be motivated to learn it and companies will see the benefits of using more highly skilled staff to set things up properly.
One step at a time...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I'd have them netboot over PXE and then there's just the morning spike to deal with. Department boot servers would deal with that.
The three terminals in my office boot PXE & I know that booting 64k blue gene nodes into Plan9 is possible. This lies somewhere between the two.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Unfortunately there is no way to do it. That is by trying to migrate the "functionality" of Windows to Linux one essentially has to ... emulate all of the Microsoft "technologies", which destroys bulk of the advantages of Linux. Efforts in doing so invariably result in sad, crippled, barely compatible, unwieldy "solutions" which do not conform to even the most basic of the best practices of the Linux world, and which serve only as an aid to Microsoft's marketing drones in pointing out that Linux cannot even hope to match Microsoft in all the Microsoft's most drooling of idiocies.
Examples of these include things such as Mono, various mis-guided "Exchange replacements", "universal" Windows/Linux "management solutions", etc and so on.
The hard truth is that there is no practical way to "easily" migrate from Windows to Linux (or to anywhere else for that matter). And that is so by Microsoft's design. Your only viable option is to re-design the system from scratch to take full advantage of your new platform.
"If it's good enough for Nazis, it's good enough for me. Hey everyone: let's all be like Nazis! Make Hitler proud!"
Be careful what you ask for. They gassed retards instead of modding them down.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
It'd be "rechner", not "komputor". The word "desktop" in the non-computer sense translates to "Schreibtisch" (lit. "writing table", same as in danish).
I don't know which words Germans use to distinguish between desktop/laptop/workstation systems and servers/clusters/phones/*, though.
"Jahr des Linux an die Schreibtisch Rechner" =~ Year of Linux on the desktop computer. Not sure.
This snipped caught my attention:
...construct a solution tailored to a specific environment...
The thing is, I'm a systems integrator, and as a part of my consulting job I have worked on small and large projects at something like 100 different companies and organisations of all sorts. Do you know what I discovered?
Companies all have the same needs when it comes to IT.
They all have the same need for home directories, application deployment, patching, security, backup, and the like. They all run the same kind of applications for the same reasons. It doesn't change as much as people think from company to company. So why should I have to reinvent the wheel every time? Why shouldn't I use a pre-packaged solution which does exactly what everyone needs? Isn't that a huge waste of time and money?
Notice that the Munich project ran over budget.
This is why Microsoft is so hugely successful. They realised that people don't want to "do it themselves" unless it's a hobby.
linux nerds think software should be more complex so sysadmin salaries are higher, reason #128 nobody listens to them
The truth is that the complexity of Windows and Linux is really not the important issue; the important issue is what happens when you reach some point not covered by the existing system. When that happens on Windows, you have to contract Microsoft to fix Windows for you in most cases, because they don't give the code to just any asshole. With Linux, that is precisely the case... Asshole.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Digg it!
Jorge was explaining how to handle my new role ...
"So when the updates come in, Karl looks at them and if they look sticky he applies them to the VM and runs the unit tests. As we update applications from our upstream providers, we test them against the same VMs. Our in-house developers write to the same VMs, and when they implement new features or use new libraries, they have to include unit tests to test the interfaces to validate that they work in the required ways. Each night the system builder builds a new VM from the latest updates. All you need to do is check the unit tests reports and make sure Karl knows right away if something goes wrong - just put the error report in the trouble ticket. The trouble ticket system will also notify the advocate teams for the specific package that fails. Usually it doesn't and we push the patch a few minutes after it comes in."
I wanted be mindful of security: "But Jorge" I said, "what if a horrid exploit happens overnight?"
"We're partnered with five other trusted NOCs that give us 24 hour coverage. We share unit tests so that if a patch has to be included any hour of the day, it's morning somewhere. We don't even come in anymore.
We used to have to come in on weekends too, but this new system doesn't have exploits as often so it's been a couple years since that happened."
Thinking to show I was interested in the long term, I asked "What do you do when you get new hardware?"
"It's weird. Once upon a time, the virtual machines were there to simulate the physical machines. Now it works out that the new hardware is just physical hardware to implement the virtual machine. We get samples, build the image from the VM and run the unit tests on them. If we can't make our software pass the tests, or we can't get our required upstream packages validated, we don't buy the hardware. If the vendor won't sell us hardware that works, we get a new vendor. If somebody wants to advocate some special hardware, they're responsible for maintaining the software for it, maintaining the fixes, and of course pushing them back upstream so that everybody can have them. The desktops sync to the user accounts on the server continuously so if they remote into their desktop from the road or from a thin client, they get the whole deal with all their preferences, email, files, desktop items and shortcuts intact.
Once a quarter we get together and compare the pots and pans of new hardware. That gets pretty lively. Wait 'til I show you my USB device collection. Did you know they made oscilloscopes?
Anyway, You wouldn't believe the system we had before. It was horrid. Applications didn't even come with the source code."
"What was it?"
"At the end, the very worst one was called Vista. They probably didn't even mention that one in school, it came and went so fast. When it was clear that this was as good as that software vendor was ever going to get, we had no choice but to change. I fought it at first but now I'm glad. The new system is, well, rational. I don't know how we survived before.
Now let me show you the cafeteria. We have our own Starbucks..."
Help stamp out iliturcy.
No, that's not even close to what I'm saying. Let me say it another way since you seem to be having difficulty.
âoeIt's entirely possible the move to FOSS (in this instance) was a bad decision for one or more technical and/or financial reasons, but if you put out a glowing report then nobody knows otherwise. Problem solved.â
Oh, you're just being offtopic then. I was answering the OP who was wondering if they would stick to in, they have. Whether that is a good or bad idea is irrelevant to the point answered, which is whether they stuck with it or not. I tend to expect a logical flow of conversation, that's why I didn't understand you.
http://marriedmansexlife.com/
Well, that figures - if you've got 200 MCSE drones hanging about looking after your systems, it's going to take a bit of work to convince them to learn new skills that don't depend on clicking here, there and everywhere.
Still, it looks like they've got it all up and running now, and at least some of the original drones must have blossomed into real admins along the way.
One swallow does not a fellatrix make
Troll? Oh for Pete's sake I wasn't serious...
Mods are retards. Should all be gassed.
I hate printers.
Is the only alternative to write shell script to ssh into every machine and do the install?
What's the problem? Such a script can be written in five minutes.
or something similar
I can recommend Puppet.
Yep. Absolutely true.
One of the main difference between the Windows admins at work, and me, the Linux/Unix admin, is that when any big changes need to be done in off-hours, is that the Windows admins run around at work pointing and clicking and re-checking settings at night or on the weekend, while I just SSH into work and fire of the script I wrote and tested during work hours.
If the script takes longer sometimes because it has to change a lot of machines or a lot of data, I just keep an eye on it while watching TV or do games, or have some friends over.
In *nix, once you have figured out how to do something, you basically know everything you need to know to script and automate it.
In Windows, it is a huge additional step to figure that out and implement it, and it's not even possible all the time.
So on *nix you need to spend a lot more time learning stuff, but you spend a lot less time doing repetitive boring stuff.
For example, one Windows admin spend about six ours on a weekend at work to change the EmployeeID in AD to a new numbering scheme. Now I'm PRETTY shure that could have been scripted some way, even in Windows, but he rather did it by hand than try to figure out how to script it. Weird people. ;-P
Bullshit. Every industry has its own unique requirements. Hospitality has its roaming staff, manufacturing has its CNC machinery, medical services have their wireless data entry and patient data access, etc and so on. And then each business has its own unique way of doing things, otherwise they cease to be competitive. You keep forgetting that the role of IT is to adapt to the business it serves! But instead, the Microsoft way is for business to adapt to IT! No wonder that Microsoft systems "integrators" soon come to the conclusion that all businesses are the same! That is because you forced them to become so!
Who says that businesses have to do it themselves? That is what competent Linux systems integrators are for. None of my customers would have the expertise, or the desire, to dabble in any of it themselves as their business is not IT but manufacturing, hospitality, service, etc and so on. You are telling me that my career as a Linux integrator did not happen. Who am I going to believe, you or my own lying eyes, eh?
cmd.exe is particularly stupid because it allows batch invocation, and practically noone on Windows forbids the creation of foo.bat.
Finally! A year of moderation! Ready for 2019?
On windows environment you use active directory and sus.
How do you centrally manage software installs and permissions on thousands of machines with oss? Handful of servers is easy to handle but how are logins and home directories handled in environment this scale?
If you're using Ubuntu, use landscape.
RedHat has a tool too--I'm not sure what it's called, I haven't RH or Centos in years.
There are lots of directory solutions too. AD is essentially LDAP with a few MS extensions. Most linux boxen now-a-days can hook into AD. On the flip-side, you can use plain 'ol LDAP if you have no Windows machines.
You can run apt-mirror on debian-like distros. You mirror all the updates locally on a machine and have all the others download from it.
There's even been talk recently of a bittorrent-like download system where you can download from neighbors on the network that have already downloaded the patch you need.
There's no place like
Self-updating is not problem, apt-cron etc will handle that.
The problem is, I have new software which I need to deploy to 4000 machines overnight. Do I really have to reimage 4000 machines to achieve that goal?
Re-imaging is not a solution--because like you said, it would wipe all the files on the machines and remove the customization, etc...
The same would happen with windows.
In a Microsoft environment, the easiest way (and cheapest way I've found) is to get an MSI package. Deploy it with group policy.
Use a similar packaging system in debian-like distros. Create a deb. Add it to the software repository for users to download--or use something like 'cssh' to issue the command 'apt-get install mypackage' on a bazillion machines.
I suppose if you wanted it more automated, you could create a virtual package (in the same vein as ubuntu-desktop or whatever) and just update the package to include your new package. Then the nightly apt-cron jobs would update the systems.
I have yet to find a free tool, operating system, and/or packaging format that makes deploying software to a ton of machines easy.
Although since I don't have too many linux desktops to manage, it's not worth too much of my time to go searching...
There's no place like
As a bonus you have 100% control over what gets pushed to your machines.
I am not a debian packager...can you use meta-packages to force removal of an existing installed package? Lets say you update blah-desktop-graphics to install GIMP and then later you want to have it removed and install something different, can you push out a removal of GIMP?
There's no place like
I am working with Apple's integration of LDAP, OpenDirectory and since it's pure LDAP and Kerberos it integrates nicely. It allows for you to define groups that have access or not to certain programs, to set up desktop environments uniformly etc. It's also much cheaper (even if you include the hardware).
Both Novell and Red Hat have similar solutions and there are plenty of guidelines out there to have LDAP do whatever you want. I find myself that enforcing stuff through Group Policies are too difficult to maintain and have an overview about (especially when you start getting exceptions) resulting in every year having to review all of them and re-apply them to much dismay of the users.
For software updates and the like there are other channels than Group Policy, GP makes a big mess out of the whole thing by stuffing everything in LDAP. I find it much more convenient to have specialized software integrated with LDAP handle specialized stuff (like apt-get or yum)
Custom electronics and digital signage for your business: www.evcircuits.com
"I am not a debian packager...can you use meta-packages to force removal of an existing installed package? Lets say you update"
Short answer: yes.
Long answer: have a look at the "conflicts" tag.
Well... There are always incompetent and stupid people. Windows admins tend to have more such colleagues, since of the steep learning curve. There are a lot of really smart Windows admins, just as there are a lot of talented engineers at MS.
The answer above is a bad cop-out.
It is frankly a poor excuse to invoke flexibility as the reason to abandon simplicity. Something that is flexible should by extension be configurable in a simple way that will fit many common cases.
A system administrator, even a competent one, is faced with an uphill struggle when faced with the diabolic combination of kerberos/LDAP.
The way this should work should be to get a basic install by means of a package install which works in simple, defined ways.Once this is done, the system administrator can configure things as needed, but for the time being he could show something that is up and running in a short time.
We are short changing ourselves against the Windows based competition by erecting a high barrier of entry to a replacement to Windows AD.
IANAL but write like a drunk one.
MS thrives in lock in, which by extension means lowly paid Systems Administrators.
We are putting ourselves in a competitive disadvantage by failing to understand that the high earning Linux SA is not seen sympathetically by HR people and managers trying to optimize depleting budgets.
We know a Linux/UNIX SA is more cost effective in the long run because the technology he is experienced in is more cost efficient, but the cost of entry to a position (high salaries combined with the perception that Linux is more difficult) is something that should not be dismissed lightly.
The comment above in the thread is very insightful: by being too complex, Linux fails to entice its natural constituencies: small and medium businesses.
IANAL but write like a drunk one.
If you present the non extensible AD solution against the extensible one in Linux, but the appearance is that AD gets up and running faster and in a simpler way in comparison to Kerberos/LDAP complexity, the decision making people will move to AD, past that point is moot point if Linux would be most extensible, since it was dropped at the start. That is the point of vendor lock in, to sell you something inferior that you can't drop easily any more.
To give Linux a better chance in small and medium environments we would need a solution with kerberos/LDAP generic enough to be perceived as equally simple as AD, at that point lock in would be challenged and what you talk about
would have some applicability.
IANAL but write like a drunk one.