LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Group Policy: Windows vs Linux (http://www.linuxquestions.org/questions/linux-server-73/group-policy-windows-vs-linux-825661/)

ellakano 08-11-2010 06:41 PM

Group Policy: Windows vs Linux
 
Background info: I'm soon to be making a jump from doing mostly desktop admin (mostly "on the side") to being hired to plan, build and be sysadmin to a small company network for my friend's business (for whom I've been doing work for hire on his websites for a while now). I'll be learning much as I go along (he's well aware of this): I've dabbled somewhat with Ubuntu server on my own but I've never implemented networking more complex than an average home network (router, cable modem, switch for upstairs, Windows networking and DHCP).

We expect to have 6-20 workstations (the 20 being what we expect to grow to), an internal SAN and some other miscellaneous boxes for special functions. The general attitude between us is a preference for *nix servers and a decision will have to be made whether to go with Win 7 or OS X Macs for the desktops (my bias is towards Windows but I ought to give it a fair comparison.) For both security and my sanity, I'm pretty sure we're going to need some form of centralized policy management: Active Directory on Windows and I-have-no-idea-what for OSX/Unix (for the sake of argument let's focus on the fact that it's UNIX under the hood and should respond to Linux server controls - I know OSX Sever exists and that people I know have panned it and that's it.)

Question 1: If we go the Windows route, do we absolutely need Windows Server inside the network just to run Active Directory's group policy?

I have looked at other threads on the subject, and read a bit about OpenLDAP and Samba: it seems they aren't drop in replacements but they don't talk about Samba 4 which boasts some group policy features.

Question 2: If we go with the Macs, what's the equivalent on the UNIX side - not in terms of "protocol compatible with Windows" but in administrative functionality? I'm looking for a basic summary and terms/links that I can read through and search on to find out more.

custangro 08-11-2010 07:13 PM

Quote:

Originally Posted by ellakano (Post 4063525)
Background info: I'm soon to be making a jump from doing mostly desktop admin (mostly "on the side") to being hired to plan, build and be sysadmin to a small company network for my friend's business (for whom I've been doing work for hire on his websites for a while now). I'll be learning much as I go along (he's well aware of this): I've dabbled somewhat with Ubuntu server on my own but I've never implemented networking more complex than an average home network (router, cable modem, switch for upstairs, Windows networking and DHCP).

We expect to have 6-20 workstations (the 20 being what we expect to grow to), an internal SAN and some other miscellaneous boxes for special functions. The general attitude between us is a preference for *nix servers and a decision will have to be made whether to go with Win 7 or OS X Macs for the desktops (my bias is towards Windows but I ought to give it a fair comparison.) For both security and my sanity, I'm pretty sure we're going to need some form of centralized policy management: Active Directory on Windows and I-have-no-idea-what for OSX/Unix (for the sake of argument let's focus on the fact that it's UNIX under the hood and should respond to Linux server controls - I know OSX Sever exists and that people I know have panned it and that's it.)

Question 1: If we go the Windows route, do we absolutely need Windows Server inside the network just to run Active Directory's group policy?

I have looked at other threads on the subject, and read a bit about OpenLDAP and Samba: it seems they aren't drop in replacements but they don't talk about Samba 4 which boasts some group policy features.

Question 2: If we go with the Macs, what's the equivalent on the UNIX side - not in terms of "protocol compatible with Windows" but in administrative functionality? I'm looking for a basic summary and terms/links that I can read through and search on to find out more.

If you want group policy functionality use Active Directory with centrify direct

http://www.centrify.com/default.asp

With centrify direct you can "control" Windows/Mac/Linux/Unix clients...

You can also take a look at FreeIPA

http://freeipa.org/page/Main_Page

-C

ellakano 08-11-2010 09:23 PM

To make sure I understand, both of those are intended to integrate Mac or *NIX clients with an existing Windows Server AD implimentation, right?

linuxlover.chaitanya 08-12-2010 12:59 AM

Centrify is used to use Linux and OSX in windows active directory as clients. Where freeIPA is a complete identity management. I suspect that SAMBA in current form is complete replacement for windows active directory server. It will also depend on how much control you want to have over your clients. Is just the authentication? Or you are looking into more of granular control?
If you have worked a bit on Ubuntu server, then I will suggest you also take a look at Turnkey Linux project PDC: http://www.turnkeylinux.org/domain-controller

ellakano 08-12-2010 07:28 AM

For the sake of argument, I mean the more granular settings/permissions control part that AD would provide. Whether we end up actually using it I guess is still a question. If it were just the authentication, Samba or OpenLDAP would be sufficient.

linuxlover.chaitanya 08-12-2010 08:03 AM

Yes. You are just looking at authentication and authorization on files, then Samba can do the job for you. Granular control as in, preventing users from changing the proxy settings for IE and setting those from GPO and like.

ellakano 08-12-2010 08:20 AM

Yes, that. And by the same token, if we don't go with Windows at all, how to do that sort of thing sanely on Mac/Linux - I presume most of it is handled in the *nix permission system.

jamrock 08-12-2010 08:33 AM

Perhaps you will find these links interesting. I got them from the Samba mailing list.

Please note that NT 4.0 policies write to the workstation's registry. The Active Directory policies reside in memory so they disappear once the workstation is turned off.

You need to test your policies properly before putting them into production since they write to the registry. You should also create policies for reversing them.

http://wiki.samba.org/index.php/Impl...ies_with_Samba

http://www.novell.com/coolsolutions/tools/15478.html

http://www.pcc-services.com/custom_poledit.html

http://wpkg.org/WPKG_overview

Samba 4 should provide a smoother solution. However, the developers have not published a date for completion of that project.

linuxlover.chaitanya 08-13-2010 12:10 AM

Quote:

Originally Posted by ellakano (Post 4064114)
Yes, that. And by the same token, if we don't go with Windows at all, how to do that sort of thing sanely on Mac/Linux - I presume most of it is handled in the *nix permission system.

Just for Linux clients, you will not even require Samba. OpenLDAP will be sufficient for authentication.


All times are GMT -5. The time now is 10:50 PM.