Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ethbr1 3 hours ago

What's the Linux version of AD and group policies? (honestly curious; linux sysadmin at scale not my day job)

xorcist 2 hours ago | parent | next [-]

I don't know. What's the Windows equivalent of dpkg (from 1993) and ssh (from 1995)?

Still nothing, three decades later. Not because Microsoft engineers couldn't do it, of course, but becasue they didn't want to. It doesn't fit the Windows model. They did recently adopt SSH, but that was because they want to use Windows in cloud-like environments, where expectations are set by Linux-style tools.

By the time Windows got to the point where it even could be centrally managed in any reasonable fashion, Linux environments was routinely run an order of magnitude larger still.

There is a reason why the whole cloud runs Linux. Anything else is a rounding error. That's because Linux is inherently so much less work to manage at scale.

If something like Group Policies would somehow be accepted by the Linux community, that could only be a step backwards. A well run Ansible or Puppet or similar environment works on a completely different scale.

fainpul 2 hours ago | parent | next [-]

> What's the Windows equivalent of dpkg (from 1993) and ssh (from 1995)?

PowerShell PackageManagement [1] and Remoting [2]

[1] https://learn.microsoft.com/en-us/powershell/module/microsof...

[2] https://learn.microsoft.com/en-us/powershell/module/microsof...

xorcist 2 hours ago | parent [-]

They are not exactly equivalents, but that's not the point. I try to expand on this answer in the sibling comment.

What's important to notice however, is that the oldest of these are from 2009. At no time in the intervening 15 years (!) did someone say "Windows is unusable for desktops because it is not manageable".

kklimonda 2 hours ago | parent | prev | next [-]

Isn't WinRM/PowerShell/RDP equivalent of SSH, and dpdk/apt-get is basically .msi with group policies for installation? This has been there for decades probably?

Group Policies also allow you to enforce things like browser configuration (proxy, homepage, search engine etc.) wallpapers, screen locks etc.

Can this be done on Linux? Honestly, I have no idea - I think gnome with gsettings/dconf can do that, but can KDE?

xorcist 2 hours ago | parent [-]

That's the point I want to convey is that while there are tools like MSI on Windows, many years after Linux had dpkg, it's not the same thing. On Linux the package manager rules the filsystem and keeps a complete database of which package owns which file. There are no exceptions, not on the parts of the filesystem where the package manager rules. Even the operating system itself and all patches is handled by the package manager.

That's first and foremost a cultural difference, not a technical. Sure, there's nothing to prevent a Linux vendor to write "install scripts" that copy files willy-nilly across the file system, and many vendors have done this but always with disastrous results and since Linux people hate it, those products are either repackaged or stored in a separate directory far away from other files.

This means installing software at scale (any number of systems), or the question how to cleanly uninstall software it not a question you should ever ask in a Linux environment. The questions you should ask are different in a Linux environment. That is why the tools look different.

Tools like gsettings are culturally alien to the unix world. Instead, home directories are seeded with dotfiles. And dotfiles are kept in version control. Yes, that means that unix people can't answer the quesion how to lock the proxy settings so the user is unable to change them. Instead, should a sensitive system require it, they would instead manage by policy and disallow any traffic outside said proxy.

kklimonda an hour ago | parent [-]

I mean, Linux package managers are so great that we have at least 2 different ways of delivering software (especially GUI software) to Linux distributions that depends on "app images". To me that shows that none of those approaches are solving 100% of problems that you encounter in the wild.

> This means installing software at scale (any number of systems), or the question how to cleanly uninstall software it not a question you should ever ask in a Linux environment.

And yet this is a problem that so many third-party vendors who try to support multiple Linux distributions have been struggling for years.

> Tools like gsettings are culturally alien to the unix world.

Sure, Linux and UNIX are coming from different roots, but "cultural" means nothing in large organizations, where computers are basically tools not that far from printers, projectors, even hammers. A way to do someone's job. I may hate locked systems, but then I don't have to support users who cannot find their trash bin on the desktop anymore.

You can seed dotfiles for all users, but you can't really enforce that user cannot for example move his taskbar from bottom to the top of the screen without policy enforcement. gsettings/dconf may be culturally alien to this world, but it is (or at least was) solving an actual problem. A problem we may not care about, but some companies do.

Now, I think there is an interesting discussion here to be had - given this latest push from Windows to Linux, as a way of distancing Europe from US, would adding features that bridge this policy enforcement gap between Linux and Windows is desirable?

15-20 years ago I was going to say yes, but back then I cared so much more about Linux as Windows alternative for office use. Today I actually prefer Linux Wild West and how hard it is to lock it into any sort of MDM.

ethbr1 2 hours ago | parent | prev [-]

I wasn't curious about those things. I was asking about AD+GPO, because I was interested.

kklimonda 2 hours ago | parent | prev | next [-]

Lixnux version of AD is FreeIPA, with group policies translating to dconf - at least that was the way "enterprise" linux vendors (like RH or Canonical) were moving towards.

Now, how well is dconf integrated with all the software you want to run is another thing (it was done by GNOME, and ignored by KDE), and whether this is still the way they are all moving is yet another question but the infrastructure was being built.

pastage 2 hours ago | parent | prev | next [-]

The concept does not really exist it is a Windows thing. You could call Puppet or other config managements group policies, but Linux is not a monolith so it is more organic.

holowoodman 44 minutes ago | parent | prev [-]

AD is LDAP+Kerberos, which has existed in the Unix/Linux world long before Microsoft bastardized it. So pick any of half a dozen LDAP server implementations and any of 3 or 4 Kerberos implementations and use those. If you want point-and-click/drool interfaces, use FreeIPA. If you really want it to look like AD, use Samba 4. Even Windows boxes will hardly know the difference.

Group policies don't exist and won't ever exist on Linux. Group policies are LDAP entries that are copied on system boot and user login into their respective parts of the local registry. Software may then read, interpret and use those registry entries. On Linux that wouldn't work for numerous reasons. First, on a multiuser system rebooting to apply configuration changes is not viable. On windows that's apparently fine because its single-user anyways, and reboots are an accepted fact of life. Also, to apply a system policy that is intended to limit what a user could do, asking the user's software nicely via registry entries is stupid and insecure. Lots of software won't even read the registry and have group policies that it will obey. Want to get around an Internet Explorer Group policy? Use Chrome or Firefox!

So what you do instead on Linux is: If it's just configuration, just copy it over, using the usual text configuration formats that are common on Linux. There are lots of tools to do this, starting from simple hack jobs like using scp to full configuration management systems like ansible or puppet. The "group" part is handled by those systems as part of their function, you can easily group/subgroup/discover/inventory/parameterize. If it's policy, so you want to restrict what a user can do, you use the higher-privileged layers of the system to put in actual restrictions, not just "group policy" suggestions. You can configure the user's home directory to be mounted noexec, so software execution after an unauthorized installation is impossible. You can put them in containers, namespaces, limit their resources and system access using cgroups, filesystem permissions, and more fine-grained permission systems like SELinux. If you are so inclined, you can forbid the user from opening files starting with the letter 'f', using eBPF syscall filters (this will of course break everything, but I needed a stupid example ;). All those can also be configured with your configuration management system of choice.

Just as a comparison: Our windows team needs 3h just to re-image a laptop, just for windows. After that, all the software needs to be reinstalled, all the data copied over. Then, after 2 days and 10 reboots or something, it will have picked up all the policies, updates and things and maybe be usable. Our Linux installation takes 45 minutes. Including all the software that was previously assigned to this system, including all the settings. It will be fully updated, configured and usable after the first reboot.