  1. #1
    Steven

    Karoshi Linux

    Hi all, just been looking at Karoshi for schools. Looks great etc. as an alternative to a Windows domain controller. Only thing I can see it lacks is the ability to lock down the Windows clients?

    Anyone know of a linux alternative to group policy?

  2. #2

    nephilim

    mmmm... Not in such a direct way. By the sounds of it, you have an Active Directory Domain with some Linux or UNIX servers or workstations.


    There is a lot you can do with Active Directory in Linux, even have accounts in Active Directory log into Linux (though I do this now and I don't much care for it for different security reasons which I am in the process of proving).


    GPO in Windows is a set of objects based around Windows API and domain archetype. For a GPO to work in Windows, a machine account would first have to be created for that Linux machine, but the much more difficult task is that a GPO would have to be written for a Linux OS, which I have never seen before.

    You have a few options, and the best approach, in my opinion, is NIS.

    With NIS, you can create a machine database from an NIS metafile with whatever information you want in it, and query it with the ypcat command. This you can use to set your execution scope in your NIS domain.

    If we aren't talking about a lot of machines though, another option is to set up a .rhosts file on each Linux machine and give yourself a trusted host that you can execute commands as root. Then, set up some cron jobs for the various things you want to perform.

    Oh yeah, if you do NIS, you will still need the trusted host. NIS just makes it easier to administer multiple machines, and gives you the ability of network logins. Make your NIS server that trusted host.

    Here is the deal though, even in a Microsoft world, you couldn't just "do GPO" without configuring machines to be on a domain. Same thing applies to Linux.

    If you want a Linux domain, I would run NIS. Run DNS on the same box.

    Set up your .rhosts file to point to your NIS server (think of this as your domain controller where you are going to enforce policy from). You can use rcp (remote copy) to deploy these files.

    For initial deployment, you have a ton of options.

    If you use Red Hat, you have Kickstart, which allows you to do unattended installs of an OS. You also have traditional methods such as Ghost or True Image, even G4L (Ghost for Linux).

    There are other things too, like Sun's UCE product, which is more like Microsoft SMS for Linux, but that costs money.

    If you have an unstructured environment already, it is going to take some extra steps in the beginning to get centralised.

    There is also Centrify Group Policy for UNIX, Linux and Mac.
    This allows you to centrally configure the policies that the DirectControl Agent uses to enforce authentication and authorization to that system.
    Apply consistent updates to the sudoers file, defining privileged commands that specific users can execute.
    Efficiently control crontab files, firewall settings, screensaver password lock, and other properties.

    It's an AD integration / GPO module for Linux. Comes at a cost though... and it's not cheap.
    Last edited by nephilim; 5th July 2011 at 11:39 PM.
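
Added example, not part of nephilim's post or the source it was taken from: a Python audit of root's .rhosts file, which the trusted-host setup described above depends on, listing every entry that trusts more than the single NIS server. The host names, the sample file and the `audit_rhosts` / `perm_problems` helpers are constructed for illustration.

```python
import stat

# Constructed sample of root's .rhosts; host names are placeholders.
SAMPLE = """\
# managed copy pushed from the NIS server
nis1.example.lan
nis1.example.lan backup
+ +
+@labs
oldbox.example.lan
-retired.example.lan
"""

def parse_rhosts(text):
    """Yield (lineno, host, user); user is None when the field is omitted."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        yield lineno, fields[0], fields[1] if len(fields) > 1 else None

def audit_rhosts(text, trusted_host, account="root"):
    """Return (lineno, reason) for each entry that trusts more than trusted_host."""
    findings = []
    for lineno, host, user in parse_rhosts(text):
        if host.startswith("-"):
            continue  # deny entry: grants nothing
        if host == "+":
            findings.append((lineno, "any host is trusted"))
        elif host.startswith("+@"):
            findings.append((lineno, f"trust follows netgroup {host[2:]}"))
        elif host.lower() != trusted_host.lower():
            findings.append((lineno, f"unexpected trusted host {host}"))
        if user == "+":
            findings.append((lineno, f"any remote user may act as {account}"))
        elif user and not user.startswith("-") and user != account:
            findings.append((lineno, f"remote user {user} may act as {account}"))
    return findings

def perm_problems(mode, file_uid, account_uid):
    """Ownership/mode conditions under which glibc's ruserok() rejects the file."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if file_uid not in (0, account_uid):
        problems.append("owned by another user")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    return problems
```

Run `audit_rhosts` over the copy deployed to each machine and `perm_problems` over its `os.stat()` result; an empty list from both means the file trusts only the named server.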

  3. #3

    SimpleSi

    Short answer is no, and since it costs very little for a Windows Server licence/client CALs it's just not worth any pain.

    Simon

  4. #4
    RingOfFlame

    Quote Originally Posted by nephilim View Post
    mmmm... Not in such a direct way. By the sounds of it, you have an Active Directory Domain with some Linux or UNIX servers or workstations.


    There is a lot you can do with Active Directory in Linux, even have accounts in Active Directory log into Linux (though I do this now and I don't much care for it for different security reasons which I am in the process of proving).


    GPO in Windows is a set of objects based around Windows API and domain archetype. For a GPO to work in Windows, a machine account would first have to be created for that Linux machine, but the much more difficult task is that a GPO would have to be written for a Linux OS, which I have never seen before.

    You have a few options, and the best approach, in my opinion, is NIS.

    With NIS, you can create a machine database from an NIS metafile with whatever information you want in it, and query it with the ypcat command. This you can use to set your execution scope in your NIS domain.

    If we aren't talking about a lot of machines though, another option is to set up a .rhosts file on each Linux machine and give yourself a trusted host that you can execute commands as root. Then, set up some cron jobs for the various things you want to perform.

    Oh yeah, if you do NIS, you will still need the trusted host. NIS just makes it easier to administer multiple machines, and gives you the ability of network logins. Make your NIS server that trusted host.

    Here is the deal though, even in a Microsoft world, you couldn't just "do GPO" without configuring machines to be on a domain. Same thing applies to Linux.

    If you want a Linux domain, I would run NIS. Run DNS on the same box.

    Set up your .rhosts file to point to your NIS server (think of this as your domain controller where you are going to enforce policy from). You can use rcp (remote copy) to deploy these files.

    For initial deployment, you have a ton of options.

    If you use Red Hat, you have Kickstart, which allows you to do unattended installs of an OS. You also have traditional methods such as Ghost or True Image, even G4L (Ghost for Linux).

    There are other things too, like Sun's UCE product, which is more like Microsoft SMS for Linux, but that costs money.

    If you have an unstructured environment already, it is going to take some extra steps in the beginning to get centralised.

    There is also Centrify Group Policy for UNIX, Linux and Mac.
    This allows you to centrally configure the policies that the DirectControl Agent uses to enforce authentication and authorization to that system.
    Apply consistent updates to the sudoers file, defining privileged commands that specific users can execute.
    Efficiently control crontab files, firewall settings, screensaver password lock, and other properties.

    It's an AD integration / GPO module for Linux. Comes at a cost though... and it's not cheap.
    Copy & Paste FAIL! It might be nice to let others know your source rather than palming it off as your own advice.

    Ubuntu Forums - View Single Post - Group Policy in Linux?
    Last edited by RingOfFlame; 5th July 2011 at 11:48 PM.

  5. #5

    nephilim

    I never said it was mine and quote tags don't work on the mobile version of the site.

  6. #6

    dhicks

    Quote Originally Posted by Steven View Post
    Anyone know of a linux alternative to group policy?
    No - if you want an Active Directory / Group Policy server, that's what Windows is for. I don't think logging on and running a bunch of local applications on a workstation is the best model of computing, therefore I don't think it's worth spending any time trying to get Linux to catch up to Windows in this regard. If you want a Linux workstation, try a minimal GUI that can just run a web browser, Chrome style. If you need to maintain compatibility with some Windows applications, use remote desktop to connect to a Windows TS / RDS server.

  7. #7

    SimpleSi

    I never said it was mine and quote tags don't work on the mobile version of the site.
    Re ROF - see previous advice

    Si

  8. #8
    linuxgirlie

    The system uses KiXtart to lock down users' desktops, with a choice of mandatory or roaming profiles. What type of lockdown would you like?
