| ▲ | pjc50 2 hours ago |
| > Linux still doesn't have anywhere near as nice and cohesive as Group Policy, Active Directory etc. |
| Isn't it about time someone developed one? The foundations are there; you can imagine an organization deploying laptops with, say, Ansible, and not giving users root on them. LDAP sort of matches the old capabilities of AD, but not completely. There's even a "SAMBA as fake domain controller" mode. Ironically what it needs is a product or service which organizations can pay to take the problem off their hands. But then people get stuck in never paying for anything in the open source world. |
|
| ▲ | xorcist an hour ago | parent | next [-] |
| > Isn't it about time someone developed one? |
| Honest question: Why? If you want a Windows-like environment, run Windows. I get this all the time when people ask about a Linux equivalent for something, and aren't really satisfied when it doesn't work or look the same. Linux isn't a clone of Windows. Linux comes from an older heritage, and has a unique culture. You are in for a hard time if you want to use Linux like you would use Windows. That's a suboptimal experience, at best. That said, of course Linux should be easy to manage. But Windows is from a single corporate entity, of course their management tools will be different. It used to be unix admins that laughed about people using Windows as servers. The culture around Linux is one of scriptability where even the user interface, the basic shell, is one where every command is inherently a script. That's why management on Linux looks like Ansible and OpenSSH, not like Remote Desktop and Group Policies. You could write something like Group Policies for Linux of course, but it wouldn't be a complete solution so people would just continue using Ansible, OpenSSH, and the respective package managers. |
| |
| ▲ | pjc50 an hour ago | parent | next [-] |
| > If you want a Windows-like environment, run Windows. |
| One of these questions where we, those doing the discourse, need to pick apart what the word "you" refers to here. In this context, it is national governments, who have started to fear that there may come a day when they are not allowed to or able to or safe to run Windows. That gives rise to the question, "how can we get a system that minimizes the disruption of migrating away to Windows?" Ultimately it's not about specifically wanting AD or GP as technologies, either, but the things they enable: seamless single-sign-on across an organization, and management of software security and updates across a fleet of desktops. (possibly the thing that fills this hole is simply a fleet of consultants which go around explaining things to CIOs!) |
| ▲ | ethbr1 an hour ago | parent | prev [-] |
| What's the Linux version of AD and group policies? (honestly curious; linux sysadmin at scale not my day job) |
| ▲ | xorcist an hour ago | parent | next [-] |
| I don't know. What's the Windows equivalent of dpkg (from 1993) and ssh (from 1995)? Still nothing, three decades later. Not because Microsoft engineers couldn't do it, of course, but because they didn't want to. It doesn't fit the Windows model. They did recently adopt SSH, but that was because they want to use Windows in cloud-like environments, where expectations are set by Linux-style tools. By the time Windows got to the point where it even could be centrally managed in any reasonable fashion, Linux environments were routinely run an order of magnitude larger still. There is a reason why the whole cloud runs Linux. Anything else is a rounding error. That's because Linux is inherently so much less work to manage at scale. If something like Group Policies would somehow be accepted by the Linux community, that could only be a step backwards. A well run Ansible or Puppet or similar environment works on a completely different scale. |
| ▲ | fainpul 43 minutes ago | parent | next [-] |
| > What's the Windows equivalent of dpkg (from 1993) and ssh (from 1995)? |
| PowerShell PackageManagement [1] and Remoting [2] |
| [1] https://learn.microsoft.com/en-us/powershell/module/microsof... |
| [2] https://learn.microsoft.com/en-us/powershell/module/microsof... |
| ▲ | xorcist 18 minutes ago | parent [-] |
| They are not exactly equivalents, but that's not the point. I try to expand on this answer in the sibling comment. What's important to notice however, is that the oldest of these are from 2009. At no time in the intervening 15 years (!) did someone say "Windows is unusable for desktops because it is not manageable". |
| |
| ▲ | kklimonda an hour ago | parent | prev | next [-] |
| Isn't WinRM/PowerShell/RDP equivalent of SSH, and dpdk/apt-get is basically .msi with group policies for installation? This has been there for decades probably? Group Policies also allow you to enforce things like browser configuration (proxy, homepage, search engine etc.) wallpapers, screen locks etc. Can this be done on Linux? Honestly, I have no idea - I think gnome with gsettings/dconf can do that, but can KDE? |
| ▲ | xorcist 25 minutes ago | parent [-] |
| The point I want to convey is that while there are tools like MSI on Windows, many years after Linux had dpkg, it's not the same thing. On Linux the package manager rules the filesystem and keeps a complete database of which package owns which file. There are no exceptions, not on the parts of the filesystem where the package manager rules. Even the operating system itself and all patches are handled by the package manager. That's first and foremost a cultural difference, not a technical. Sure, there's nothing to prevent a Linux vendor to write "install scripts" that copy files willy-nilly across the file system, and many vendors have done this but always with disastrous results and since Linux people hate it, those products are either repackaged or stored in a separate directory far away from other files. This means installing software at scale (any number of systems), or the question how to cleanly uninstall software is not a question you should ever ask in a Linux environment. The questions you should ask are different in a Linux environment. That is why the tools look different. Tools like gsettings are culturally alien to the unix world. Instead, home directories are seeded with dotfiles. And dotfiles are kept in version control. Yes, that means that unix people can't answer the question how to lock the proxy settings so the user is unable to change them. Instead, should a sensitive system require it, they would instead manage by policy and disallow any traffic outside said proxy. |
| |
| ▲ | ethbr1 22 minutes ago | parent | prev [-] |
| I wasn't curious about those things. I was asking about AD+GPO, because I was interested. |
| |
| ▲ | kklimonda an hour ago | parent | prev | next [-] |
| Linux version of AD is FreeIPA, with group policies translating to dconf - at least that was the way "enterprise" linux vendors (like RH or Canonical) were moving towards. Now, how well is dconf integrated with all the software you want to run is another thing (it was done by GNOME, and ignored by KDE), and whether this is still the way they are all moving is yet another question but the infrastructure was being built. |
| ▲ | pastage an hour ago | parent | prev [-] |
| The concept does not really exist; it is a Windows thing. You could call Puppet or other config managements group policies, but Linux is not a monolith so it is more organic. |
|
|
|
| ▲ | mbreese an hour ago | parent | prev | next [-] |
| Well AD is just a really opinionated LDAP/Kerberos setup, so you’d think that there would be something that Linux could do. But when you’re talking about enterprise management of thousands of devices, you need some kind of consistent security policy management. That requires running OS software that accepts remote policy management, which is a very specialized configuration and not just “vanilla Linux”. You can get really far with LDAP, but I’ve only used it for remote accounts, file shares, and sudoer config. I’m sure there are more policy configurations that would be possible with a more advanced tool. I suspect the RHEL world has something to offer here, but I’d love to see a more general and commonly supported solution developed. It would make Linux more of an option for enterprise managed endpoints. But, I agree with you - for an enterprise customer, this really needs to be some kind of paid/supported product. I wouldn’t want the French government to rely on some scripts that worked on my small cluster. |
| |
| ▲ | pjc50 an hour ago | parent [-] |
| > That requires running OS software that accepts remote policy management |
| Every Linux system that supports SSH potentially "accepts" remote management! The challenge is just putting it into a framework. |
| ▲ | unbrice an hour ago | parent [-] |
| The gaps: Pull VS Push, Imperative vs Declarative and Discovery being hard. |
|
|
|
| ▲ | everdrive an hour ago | parent | prev [-] |
| Group policy is an annoying pain. Yes, there aren't many better options out there, but it's not as if group policy is _good_. |