
enterprise-ubuntu team mailing list archive

Re: Machine policies

Thanks for beginning a very interesting thread!

We are planning a migration from NIS to Active Directory + Kerberos.

I run sssd as an evaluation project, and I really love it ... so far ;) - this is obviously the road ahead.

I have a question for those who have tried it: what is the best approach and practice for migrating users in the most transparent (for users) way possible?

All our (Linux) users have an AD account besides their entry in NIS, and usually a home directory
NFS-mounted from a Linux storage server.
Users can also access MS Windows storage.

Do you know any helpful migration tools?
I mean scripts for extracting data from NIS and putting it into AD's LDAP.

For joining computers to AD we use 'msktutil'.

Until now we have (for testing) a container 'LinuxComputers' in AD, where we put all the Linux machines when joining the domain.

We use FAI and Puppet for automated installation and configuration.
I cannot see why we should use AD's Group Policy for computers.

Licensing is also an interesting topic.

Kind regards/best regards

Longina Przybyszewska
Systems programmer, IT Service

Tel.    +45 6550 2359
Mobile  +45 6011 2359
Fax     +45 6550 2467
Email   longina@xxxxxx
Web     http://www.sdu.dk/ansat/longina
Address Campusvej 55, 5230 Odense M

SYDDANSK UNIVERSITET
_______________________________________________________________
Campusvej 55 * 5230 * Odense M * Tel. +45 6550 1000 * www.sdu.dk

-----Original Message-----
From: enterprise-ubuntu-bounces+longina=sdu.dk@xxxxxxxxxxxxxxxxxxx [mailto:enterprise-ubuntu-bounces+longina=sdu.dk@xxxxxxxxxxxxxxxxxxx] On Behalf Of Boleslaw Tokarski
Sent: 12 February 2013 13:27
To: enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx
Subject: [Enterprise-ubuntu] Machine policies

Hello,

How do you solve the machine policies topic?

I mean - how do you make sure that an Ubuntu machine in your environment runs according to some policies you specify? Microsoft defined this as "Group Policy"; perhaps the more general term is "System Configuration Management".

As we found no product that does this out of the box (not sure about Centrify, though, but we couldn't afford it), we glued together a number of components to do the job.

Firstly, we took CFEngine (www.cfengine.com) as the policy "enforcement" tool. This is a configuration automation tool. A valid choice would be Puppet as well, though we found CFEngine to be more lightweight and better suited to laptops. We defined a set of policies or configuration elements, like domain joining, authentication, firewall, VPN, etc.

Secondly, we used cfgen (http://dozzie.jarowit.net/trac/wiki/cfgen), a configuration template solution for flexibility.

Thirdly, we used plaintext, YAML-structured files to hold the variables used for templating. This part seems trivial, but we allowed inheritance between the files, so we created sets of variables depending on the country the machine originated from, the location the machine is in now (mostly for locating proxy servers and the nearest mirror), the Active Directory domain the machine belongs to, etc. We also provided a local override on the machines so the user can disable most policy enforcements (we preferred that over the user disabling the whole policy).

Lastly, we decided to get all the possible information about a machine we could from Active Directory. We acquired:
1. The place in the directory structure (OU) where the machine object resides, which gave us the machine's original location.
2. The IP subnet to AD "Sites and Services" mapping, so we were able to tell from the machine's address where the machine is now.
3. The owner of the machine (managedBy property).
4. The groups a machine belongs to.

Unfortunately, we could get neither the native Group Policy properties of an object nor the ACLs of Active Directory objects. So, instead, we decided on a group naming convention. If a machine belongs to a group called "policy_certificate", it receives the variables and policies for the "certificate" set.

I would be glad to learn how other people have approached and solved this topic. Perhaps there are tools out there that we missed?

Cheers,
Ballock

--
Mailing list: https://launchpad.net/~enterprise-ubuntu
Post to     : enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~enterprise-ubuntu
More help   : https://help.launchpad.net/ListHelp
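The scheme Boleslaw describes above (OU for the original location, the Sites and Services subnet table for the current location, managedBy for the owner, and "policy_<name>" groups selecting policy sets, all merged with layered variables and a local override) can be shown end to end in a small script. The following is an added example, not code from the original thread or from either poster's environment: the LDAP attribute values, the subnet table, the variable layers and the assumption that the top-level OU names the country of origin are all constructed for illustration; in a real deployment the attributes would come from an LDAP query for the computer object. One property of the naming convention worth keeping in mind is visible in the code: whoever can add a machine to any group whose name starts with "policy_" decides what the machine enforces, so write access to those groups deserves the same care as the policies themselves.

```python
"""Derive a machine's policy sets, location and variables from its Active
Directory attributes, using the 'policy_<name>' group-naming convention.
Added example, not code from the original thread; all LDAP values below are
constructed sample data, and the OU layout and variable layers are assumed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: attributes of one computer object, as LDAP would return them.
SAMPLE_COMPUTER = {
    "distinguishedName": "CN=LAP-0042,OU=Laptops,OU=Warsaw,OU=PL,DC=corp,DC=example",
    "managedBy": "CN=Jane Doe,OU=Users,OU=PL,DC=corp,DC=example",
    "memberOf": [
        "CN=policy_certificate,OU=Policies,DC=corp,DC=example",
        "CN=policy_vpn,OU=Policies,DC=corp,DC=example",
        "CN=Laptop Users,OU=Groups,DC=corp,DC=example",       # not a policy group
        "CN=Policy_Firewall,OU=Policies,DC=corp,DC=example",  # mixed case on purpose
    ],
}
# Constructed sample: AD "Sites and Services" subnet -> site table.
SAMPLE_SUBNETS = {"10.0.0.0/8": "Default-First-Site",
                  "10.20.0.0/16": "Warsaw", "10.20.5.0/24": "Warsaw-Lab"}
# Assumed variable layers (the post keeps these in YAML files with inheritance).
COUNTRY_VARS = {"PL": {"proxy": "proxy.pl.example:3128", "mirror": "pl.archive.ubuntu.com"}}
SITE_VARS = {"Warsaw-Lab": {"proxy": "proxy.lab.example:3128"}}

POLICY_GROUP_RE = re.compile(r"^policy_([a-z0-9]+)$", re.IGNORECASE)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs; commas escaped as '\\,' stay in values."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().upper(), val.replace("\\,", ",").strip()))
    return rdns


def ou_path(dn: str) -> List[str]:
    """OU chain from the domain root down to the object, e.g. ['PL', 'Warsaw', 'Laptops']."""
    return [v for t, v in reversed(parse_dn(dn)) if t == "OU"]


def policy_sets(member_of: List[str]) -> List[str]:
    """Names from groups following the 'policy_<name>' convention, lowercased and sorted.
    Every other group is ignored, so only membership in such a group grants a policy set."""
    found = set()
    for group_dn in member_of:
        cn = next((v for t, v in parse_dn(group_dn) if t == "CN"), "")
        m = POLICY_GROUP_RE.match(cn)
        if m:
            found.add(m.group(1).lower())
    return sorted(found)


def site_for_ip(ip: str, subnets: Dict[str, str]) -> str:
    """Longest-prefix match of the machine's current IP against the site table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else "unknown"


def merge_variables(*layers: Dict) -> Dict:
    """Apply layers in order; later layers win, nested dicts merge recursively."""
    result: Dict = {}
    for layer in layers:
        for key, value in layer.items():
            if isinstance(value, dict) and isinstance(result.get(key), dict):
                result[key] = merge_variables(result[key], value)
            else:
                result[key] = value
    return result


def machine_profile(computer: Dict, current_ip: str, local_override: Dict) -> Dict:
    """Everything the policy engine needs for one machine. Assumes the top-level OU
    is the country the machine originated from (the layout of the sample above)."""
    ous = ou_path(computer["distinguishedName"])
    country = ous[0] if ous else "unknown"
    site = site_for_ip(current_ip, SAMPLE_SUBNETS)
    policies = policy_sets(computer.get("memberOf", []))
    owner = next((v for t, v in parse_dn(computer.get("managedBy", "")) if t == "CN"), None)
    variables = merge_variables(
        COUNTRY_VARS.get(country, {}),
        SITE_VARS.get(site, {}),
        {"policies": {p: {"enabled": True} for p in policies}},
        local_override,  # the user's local opt-out, applied last so it wins
    )
    return {"country": country, "site": site, "owner": owner,
            "policies": policies, "variables": variables}


if __name__ == "__main__":
    override = {"policies": {"firewall": {"enabled": False}}}
    print(machine_profile(SAMPLE_COMPUTER, "10.20.5.17", override))
```

Run as-is, the script reports the sample laptop as originating from PL, currently in the Warsaw-Lab site (the /24 wins over the /16 and /8), owned by Jane Doe, and carrying the certificate, firewall and vpn policy sets, with the firewall policy disabled by the local override and the site-specific proxy replacing the country default. The case-insensitive match on the group name is a deliberate choice; if your directory treats "Policy_Firewall" and "policy_firewall" as different groups with different owners, make the regex case-sensitive instead.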