
enterprise-ubuntu team mailing list archive

Re: Machine policies


We didn't...

We have some custom tools which force things like screensaver locks
and pam policies, and complain at the user if they are wrong.

Shared filesystems are a custom NFS server with a client binary for
authenticating to the server, rather than host-based access.

I'm not sure if it is the right solution, but it is what was
implemented for our ~6k Ubuntu users and ~40k Red Hat users (and many
more Windows users).

On 12 February 2013 12:26, Bolesław Tokarski
<boleslaw.tokarski@xxxxxxxxx> wrote:
> Hello,
>
> How do you solve the machine policies topic?
>
> I mean - how do you make sure that an Ubuntu machine in your environment runs
> according to some policies you specify? Microsoft defined this as a "Group
> Policy"; perhaps the more general term is "System Configuration Management".
>
> As we found no product that does this out of the box (not sure about
> Centrify, though, but we couldn't afford it), we glued together a number of
> components to do the job.
>
> Firstly, we took CFEngine (www.cfengine.com) as the policy "enforcement"
> tool. This is a configuration automation tool. A valid choice would be
> Puppet as well, though we found CFEngine to be more lightweight and to suit
> laptops better. We defined a set of policies or configuration elements,
> like domain joining, authentication, firewall, VPN, etc.
>
> Secondly, we used cfgen (http://dozzie.jarowit.net/trac/wiki/cfgen), a
> configuration template solution for flexibility.
>
> Thirdly, we used plaintext, YAML-structured files to hold variables used for
> templating. This part seems trivial, but we allowed inheritance between the
> files, so we created sets of variables depending on the country the machine
> originated from, the location the machine is in now (mostly for locating
> proxy servers and the nearest mirror), the Active Directory domain the machine
> belongs to, etc. We also provided a local override on the machines so the
> user can disable most policy enforcements (we preferred that over the user
> disabling the whole policy).
>
> Lastly, we decided to get all the possible information about a machine we
> could from Active Directory. We acquired:
> 1. The place in the directory structure (OU) where the machine object
> resides, that gave us the machine original location.
> 2. The IP subnet to AD "Sites and services" mapping, so we were able to tell
> by the machine's location where the machine is now.
> 3. The owner of the machine (managedBy property).
> 4. The groups a machine belongs to.
>
> Unfortunately, we could not get the native Group Policy properties of an
> object nor the ACLs of Active Directory objects. So, instead, we decided on
> a group naming convention. If a machine belongs to a group called
> "policy_certificate", it receives the variables and policies for the
> "certificate" set.
>
> I would be glad to learn how other people approached the topic and how they
> solved it. Perhaps there are tools out there that we missed?
>
> Cheers,
> Ballock
>
> --
> Mailing list: https://launchpad.net/~enterprise-ubuntu
> Post to     : enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~enterprise-ubuntu
> More help   : https://help.launchpad.net/ListHelp



-- 
Anton Piatek
email: anton@xxxxxxxxxxxx
blog/photos:            http://www.strangeparty.com
pgp: [74B1FA37]    (http://www.strangeparty.com/anton.asc)
fingerprint: 7401 96D3 E037 2F8F 5965  A358 4046 71FD 74B1 FA37

No trees were destroyed in the sending of this message, however, a
significant number of electrons were terribly inconvenienced.
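The layered variable model described in the quoted post (per-country, per-site and per-domain variable sets with inheritance, a local override that may disable most but not all enforcements, and the `policy_<name>` group-naming convention mapped onto AD facts such as the machine's OU, its subnet and its group memberships) is shown end to end in the following added Python example. It is not code from either poster, from CFEngine or from cfgen; the layer contents, the subnet-to-site table, the DN layout, the set of locked keys, the `policy_` regex and the function names are all constructed assumptions, and the YAML files are stood in for by already-parsed dicts so the script runs offline.

```python
"""Resolve the effective policy variables for one machine from layered variable
sets plus Active Directory facts (added example; the layers and tables below are
constructed sample data, not a real site's configuration)."""
import ipaddress
import re

# Constructed variable layers, shaped like the parsed content of per-layer YAML
# files. A layer may name a parent under "inherits"; its own "vars" override the
# parent's. In a deployment each entry would come from yaml.safe_load() on a file.
LAYERS = {
    "base": {"vars": {
        "screensaver_lock_minutes": 10, "firewall": "on", "vpn": "off",
        "proxy": None, "mirror": "archive.ubuntu.com"}},
    "country/pl": {"inherits": "base", "vars": {"mirror": "pl.archive.ubuntu.com"}},
    "site/warsaw": {"inherits": "country/pl",
                    "vars": {"proxy": "proxy.warsaw.example:3128"}},
    "site/krakow": {"inherits": "country/pl",
                    "vars": {"proxy": "proxy.krakow.example:3128"}},
    "domain/corp.example": {"vars": {"auth_realm": "CORP.EXAMPLE", "vpn": "on"}},
    "policy/certificate": {"vars": {"ca_bundle": "corp-root-ca.pem"}},
}

# Constructed subnet -> site table, standing in for AD "Sites and Services" data.
SITE_SUBNETS = {"10.1.0.0/16": "warsaw", "10.2.0.0/16": "krakow"}

# Assumption: the post says users may disable "most" enforcements via the local
# override, so a few keys are locked and cannot be overridden on the machine.
LOCKED_KEYS = {"auth_realm"}

# The group-naming convention: membership of "policy_X" selects the "policy/X" set.
POLICY_GROUP = re.compile(r"^policy_([a-z0-9_]+)$")


def resolve_layer(name, seen=None):
    """Merge a layer with its inheritance chain, parent values first.
    Raises ValueError on an inheritance cycle instead of recursing forever."""
    seen = seen or []
    if name in seen:
        raise ValueError("inheritance cycle: " + " -> ".join(seen + [name]))
    layer = LAYERS[name]
    merged = {}
    parent = layer.get("inherits")
    if parent:
        merged.update(resolve_layer(parent, seen + [name]))
    merged.update(layer.get("vars", {}))
    return merged


def policy_sets_from_groups(groups):
    """Turn AD group names matching the convention into variable-set names."""
    sets = []
    for group in groups:
        match = POLICY_GROUP.match(group.lower())
        if match:
            sets.append("policy/" + match.group(1))
    return sets


def site_from_ip(ip):
    """Map the machine's current address to a site; the longest matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SITE_SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def country_from_dn(dn):
    """Origin country from the machine object's OU path. Assumption: the outermost
    OU (the one just before the DC components) holds the country code. Splitting
    on commas is enough for the sample DNs here; real DNs may contain escaped commas."""
    ous = [part[3:] for part in dn.split(",") if part.upper().startswith("OU=")]
    return ous[-1].lower() if ous else None


def build_machine_vars(facts, local_override=None):
    """Merge in precedence order: base < country < site < domain < policy groups
    < local override, with locked keys in the override rejected and reported."""
    order = ["base"]
    country = country_from_dn(facts["dn"])
    if country and "country/" + country in LAYERS:
        order.append("country/" + country)
    site = site_from_ip(facts["ip"])
    if site and "site/" + site in LAYERS:
        order.append("site/" + site)
    if "domain/" + facts["domain"] in LAYERS:
        order.append("domain/" + facts["domain"])
    order += [s for s in policy_sets_from_groups(facts["groups"]) if s in LAYERS]
    merged = {}
    for name in order:
        merged.update(resolve_layer(name))
    rejected = []
    for key, value in (local_override or {}).items():
        if key in LOCKED_KEYS:
            rejected.append(key)
        else:
            merged[key] = value
    merged["_layers"] = order
    merged["_rejected_overrides"] = rejected
    return merged


if __name__ == "__main__":
    # Constructed facts for one laptop as they would be read from AD.
    sample_facts = {
        "dn": "CN=LAPTOP01,OU=Workstations,OU=PL,DC=corp,DC=example",
        "ip": "10.1.20.5", "domain": "corp.example",
        "groups": ["Domain Computers", "policy_certificate"],
    }
    for key, value in build_machine_vars(sample_facts, {"firewall": "off"}).items():
        print(f"{key} = {value}")
```

The override handling is the part worth copying: rather than letting the user disable the whole policy, the script applies the override key by key and records which keys were refused, so the enforcement tool can both honour the user's choice and report the attempt.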

