[ale] large scale system management

Brian Mathis brian.mathis+ale at betteradmin.com
Wed Nov 16 23:26:17 EST 2011


On Wed, Nov 16, 2011 at 9:22 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> Prior quote from another thread:
>
>>Actually I have done such comparisons, and Windows wins in areas like
>>user authentication (Active Directory) and remote configuration
>>management (Group Policy).  I have performed audits on both Linux and
>>Windows servers, and Windows provides a unified way to access all
>>configuration data (WMI), while Linux uses a giant pile of
>>non-standard text files.  If you think that's easy to grep through
>>across multiple distro versions and different software packages, you
>>are sorely mistaken.
>
> OK. I have a few issues with large scale system management and the above
> quote.
>
> First, AD for user authentication is not that big of a deal compared to LDAP
> for Linux systems. Either can work for both. GUI tools exist for both but
> CLI is almost not an option for Windows so large scale _scripted_ processes
> are much harder. Yes, it can be done in Windows using .NET and specialty
> perl/python modules tools but the coding structure is quite arcane and
> convoluted to the point of being painful. I won't even mention the
> inconsistencies between various releases.


Everyone always brings up LDAP in response to Active Directory.  Yes,
AD uses LDAP, but it also uses Kerberos, DNS, and NTP to coordinate
everything.  This is *not* the same thing as LDAP, which, WHILE STILL
VERY GOOD, doesn't provide everything.  The very important feature
missing from LDAP is full integration of both Linux and Windows
clients into the same structure.  Single password is very important.
If you use LDAP, you are looking at 2 passwords and separate parallel
management structures for each (You will never get away from having
Windows clients around, no matter how hard you wish).

The FreeIPA project sounds really good and seems to be going towards
the idea of integrating things like AD does, and I hear it can even
replicate from AD controllers.


> WMI on the front cover looks like the cat's meow of configuration data tools
> until you start trying to access it across multiple platforms. So an office
> with a pile of XP Pro desktops, some win2k3 servers, a few win2k8 servers
> and a growing set of win7 desktops ALL provide different sets of data, and
> use different methods to access their WMI stuff. Imagine the fun of multiple
> Windows domains with multiple types of Windows systems in each domain.


I have done such a thing across different kinds of Windows, and
dealing with the small variations between flavors is still much easier
to handle than trying to figure out a specific data point on a bunch
of Linux servers that might all be running different kinds of syslog
daemons, for example.  And then doing it again for 100 other things
your auditors want to see.


> Then the line of "Linux uses a giant pile of non-standard text files" made
> me laugh out loud! Text files are the standard until someone puts things
> into a closed, binary format so they can sell you the tools to manage your
> own systems.


I know, right?!  Made me laugh too.  It's just so funny that people
think "text file" is some sort of standard thing!  I mean you have
some that are XML, others that are INI style, then you have apache
style, bash style, vim style, getpwent style, termcap, sendmail, and a
custom style for every other program that may or may not match any of
those other ones (or worse, might closely match but be just different
enough to break your general purpose parser) depending on how the
programmer felt that day (or whatever they were smoking that night).
It's just hilarious that anyone would think that "text" is some sort
of standard!

Hmm... or maybe I'm misreading what you meant...


> The multiple distros part is also laughable in light of the multiple
> versions of Windows in a typical business LAN. Harsh reality is most places
> use ONE distro in their setup and the only changes are between versions.


Not sure how that's "harsh reality", but the real fact is that most
are not using a single distro.  Maybe some company with heroically
tight controls does, but otherwise there is always some department
somewhere with a guy who thinks it will be a good idea to set up Ubuntu
or Fedora, and before you know it every 6 months a new server is built
with the shiny new release of that distro.

If you think that's a lark, just remember how Linux got a foothold in
companies in the first place... sysadmins who got tired of their NT4
file servers crashing secretly replaced them with Linux/Samba servers.
If you think that type of "ingenuity" has stopped, think again.


> As a RedHat specialist for a while and a fully recovered former Windows
> admin, there is NOTHING the Windows world offers that can't be done better,
> slicker, cheaper, faster and more technically "correct" with a decent RedHat
> setup.


...except run all of that business-critical Windows software, and
support almost all consumer peripherals on the planet...


> 1. Fedora for the desktops that can be updated often, RedHat workstation for
> those that should be very stable.
> 2. Project 389 for LDAP
> 3. Dogtag for SSL certificate management
> 4. NFSv4 for shared storage
> 5. SELinux for hardened access rights
> 6. Satellite/Spacewalk for system package and configuration management
>
> This basic setup will work for access and management from LAN to WAN. Add in
> IPSWAN for VPN segments with user and office certs managed by Dogtag and
> it's everything and more than Windows offers.


Before the pile-on continues, I want to make it clear that I am a
Centrist who's just discussing different systems, and that both have
pros and cons.  Anyone perceiving this to be "Linux people vs. Windows
people" is simply arguing against a figment of their own imagination.

Technology is a tool, not an ideology.  When all you have is a hammer,
everything is a nail.  There's more than one way to skin a cat.  Yadda
yadda yadda...


❧ Brian Mathis
