

How to centralize administration of multiple Unix machines (and others)?
September 9, 2009 11:45 AM   Subscribe

I'm curious as to what are the current "best practices" when it comes to centralized administration of a network of Unix (primarily Linux, but not necessarily so) machines? Essentially, what is the equivalent of Active Directory for a network with one or more Unix hosts? The immediate answer I come up with would be something like OpenLDAP plus PAM but what I'm looking for is the suite of tools (GUI and CLI apps) for managing the directory, deploying software, centralizing sign-on and security, managing printers, etc. In a perfect world, I would like to centralize administration of Windows, Unix, and OS X machines via a single directory service, though I imagine such a solution would be expensive and/or cumbersome if it even existed. Or is this something Samba 4 will do?
posted by Imhotep is Invisible to Computers & Internet (5 answers total) 5 users marked this as a favorite
 
We use HP Opsware for this ourselves, but you can do what you're talking about with a combination of Kerberos, LDAP and SCOM.
posted by iamabot at 12:01 PM on September 9, 2009


There is an entire class of enterprise software built for this purpose, but I guess it would depend on what "expensive" means to you and how many computers you need to manage. I work for one of these companies, but our software is designed for 10,000 and more endpoints. If you want more info, my contact info's in my profile.
posted by meowzilla at 12:08 PM on September 9, 2009


Open Directory would give you GUI tools for management of an LDAP/Kerberos environment.
posted by Blazecock Pileon at 3:54 PM on September 9, 2009


I am not a sysadmin, but I regularly send angry e-mails to one.

NIS for authentication and NFS for file sharing is really easy to set up, so a lot of places use it. The combo is very insecure though -- an evil user with root access on one machine can read everyone's files.

Kerberos lets you do single-sign-on, and is semi-interoperable with Active Directory. It can use LDAP as the back end.

OpenAFS does distributed file sharing with Kerberos authentication. It has clients for Windows, Linux and Mac, and can do some neat stuff that isn't built into the native file sharing systems. Very good on paper but I haven't used it.

CUPS is the standard print server. Unless your network is huge, just set up one CUPS server to handle all the printing. I think print authorization is usually done by writing scripts that sit inside CUPS.

Sharing software is the easy part -- just make a shared directory for each Unix platform, and put the software there. You can write a script to add the programs to the user's path. Most commercial Unix programs use flexlm to handle licensing, so you might need to set up a licensing server as well.
posted by miyabo at 5:37 PM on September 9, 2009


Active Directory provides a lot of stuff that's in separate components in UNIX. For example, DNS and Kerberos5, and plenty more. The advantage is that with separate components you can select the custom parts you need.

DNS: well, duh. Bind's the popular one here.

Directory Services: LDAP. I saw an LDAP viewer based on Eclipse if you need a GUI.

Single Sign-on: this is Kerb5 and maybe LDAP. If you want Windows workstations to auth, you absolutely must support kerb5. pGina is crap.

Configuration management: cfengine is the oldest I know of, predating AD by at least 5 years. There's also puppet and chef. You describe the target state and these tools try to achieve it. There's also etckeeper if you want to log changes to /etc.

Deploying software: you've got package managers and repos to handle updates. Scaling further up, tools like puppet, cfengine and chef can serve similar purposes to GPOs.

Managing printers: I have no clue. I'm amazed my HP printer scanner works on Ubuntu, and I won't jinx this by pushing it.

On the subject of unified administration, we can't even get Linux distributions to agree on a package format.
posted by pwnguin at 8:24 PM on September 9, 2009
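As an added illustration of the configuration-management point in the answer above (you describe the target state and the tool converges the host to it), here is a small Puppet manifest that is not from this thread. It assumes a Debian-style host where the Kerberos client lives in the krb5-user and libpam-krb5 packages; the realm and KDC names are placeholders.

```puppet
# Added example, not from the thread: the target state of one Unix host
# that should authenticate against a central Kerberos realm.
# Package and path names assume a Debian/Ubuntu-style system.
$realm = 'EXAMPLE.ORG'      # placeholder realm name
$kdc   = 'kdc.example.org'  # placeholder KDC hostname

# Target state 1: the Kerberos client tools are present.
# Puppet installs the package only if it is missing.
package { 'krb5-user':
  ensure => installed,
}

# Target state 2: /etc/krb5.conf points at the central realm.
# The file is rewritten only when its content differs from this
# description, so repeated runs make no further changes (and an
# etckeeper commit shows exactly when it last changed).
file { '/etc/krb5.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  content => "[libdefaults]\n    default_realm = ${realm}\n\n[realms]\n    ${realm} = {\n        kdc = ${kdc}\n        admin_server = ${kdc}\n    }\n",
  require => Package['krb5-user'],
}

# Target state 3: PAM can do Kerberos authentication. On Debian the
# package's own post-install hook registers its PAM profile, so no
# hand edits to /etc/pam.d are described here.
package { 'libpam-krb5':
  ensure  => installed,
  require => File['/etc/krb5.conf'],
}
```

Applying the same manifest to every host is what gives you the GPO-like effect mentioned above: the desired state is written once and each machine is converged to it on every run.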

