Weekly Edition
Return to the Press pageSponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
(Log in to post comments)
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 26, 2007 14:17 UTC (Mon) by muwlgr (guest, #35359) [Link]
Who cares about Flash/Java/filebrowsing ? Why force users to install this stuff by hand ???You have IT-admin for that, and there should be sshd running on every workstation. Drop a handful of icons on user's desktop and teach him/her how to use these business-related apps, while isolating him/her from other unrelated and probably harmful/wasteful activities.
What FL/OSS really lacks to reach enterprise usability, is Win.Domain or Active Directory replacement. I.e. commodity central directory and single-signon. LDAP+Kerberos ? Good, next, what about email client with KRB authentication forwarding (like Outlook to Exchange) ? What about screen locker with KRB credential refresh on unlock ? What about logon with cached credentials when your DC/KDC is unreachable ? Linux/FLOSS does not give an useful recipe for any of these q's.
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 26, 2007 21:04 UTC (Mon) by drag (subscriber, #31333) [Link]
Well for most stuff you have Kerberos PAM plugin, which takes care of all the tedious little authenitcation BS you have to put with in Linux (which there is a very good reason for putting up with). Stuff like screen locker, local logins, sudo, and anything else like that has nice integration.
But you have to BE VERY WEARY of using PAM for kerberos authentication for any network-based authentication.
The problem with PAM is that you have to send any passwords and such to that machine for it to be proccessed by PAM. Were as with kerberos it only works properly if you use your local cache'd credentials/tickets.
For example take FTP.
You can easily do two things for Kerberos integration. You can use a 'Kerbero'-ized FTP server OR you can use conventional FTP server and use PAM authentication.
With the kerberos FTP server you use your local cache'd ticket to the ticket granting service you obtained when you logged in originally (lasts 8 hours). You use that to get a encrypted ticket to the FTP service, then send that to ftp service. FTP service takes that and sends you back another certificate which you decrypt. Then that is authenitcation.
So the authentication goes both ways.. you authenticate to teh FTP server, the FTP server authenticates to you.
That way it totally removes any sort of network-based attack like DNS spoofing, or network sniffing or anything like that. If the FTP server is rooted they won't get your password since your password is NEVER transmited over the network. NOT ONCE at any time is any password EVER transmitted over the network with a proper kerberos-based domain. Encrypted or otherwise.
Now with PAM and convential FTP server you have to send your username and password in plain text over the FTP login protocol. The username and password get sent over the network and your FTP server takes that, runs it using PAM, which then re-does all the authentication stuff over kerberos local to that ftp server.
Needless to say that a improper kerberos domain is MUCH MUCH MUCH more dangerous then a traditional Unix environment with passwords everywere.
And many seperate passwords everywere is much safer then a proper kerberos domain since if your KDC is a central point of failure. If the KDC is rooted then your network has entirely been rooted and the attacker has instance access to any and all services or computers anywere on your network with any network account that they choose.
So whatever KDC server you plan on using it better damn well be a good one.
However Single Sign-on is nessicary (either through Kerberos or maybe a PKI) for a proper modern business desktop. It's may not be strictly nessicary, but it's expect functionality. Its a hard requirement in the minds of many administrators and business owners.
For name caching you have Nscd daemon, which is designed not so much for offline name caching, but for taking the load off of busy servers. But you want to disable that if ever your working on a server or workstation since it can cause havoc with troubleshooting network issues.
For small to medium sized Linux or Linux and Windows mixed networks probably the best solution I think would be SAMBA 4, which is currently in development preview release.
It supports proper Active Directory-based authentication, which depends on kerberos. Currently SAMBA uses the older NT4-style NT Lan manager protocol, which is vastly inferior to what is used in a proper AD place. So the integration between Samba/Kerberos/LDAP in one SAMBA product should make things much easier for small to medium sized networks.
90% of everybody uses Windows somewere and SAMBA is a requirement to support that, so I don't have any problem with using it for a proper domain controller either.
For bigger stuff it's just plain difficult for whatever your using. Probably Fedora directory services plus MIT kerberos (which you can use with samba right now, I beleive).
I'd kinda like to look at PKI-based solutions since everybody in Linux-land understands mostly how that works.
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 26, 2007 22:25 UTC (Mon) by muwlgr (guest, #35359) [Link]
You are right that PAM as a whole does not give a simple modular solution for Kerberos implementation&deployment. As we know, Kerberos is not just "one of" multiple auth.mechanisms. It wants to be "the" auth.mech. So applications-clients should be "kerberized" as well to support auth.cred.forwarding with optional fallback to traditional login/password. Not PAM, not even SASL are helpful in that. Only GSSAPI, with non-trivial application reworking, and today Kerberos is the only implemented underlying GSSAPI mechanism. I tried to deploy Kerberos "in pilot mode", so I think I had learned it to some degree.
Of course I look at Samba4 previews from time to time. Final Samba4 version would be good for Windows clients, but in most cases the final task is to get rid of Windows ! What adequate functionality is provided for Unix/Linux "workstations" logon ?
PKI with something like ssh passwordless logons - great, but much more client functionality still has to be developed on top of it.
BTW, we are digressing by misleading article title. See markhb note from Mar 26, 2007 17:25 UTC, I think he is right :>
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 26, 2007 23:12 UTC (Mon) by drag (subscriber, #31333) [Link]
Ya he is.
I don't know how true it is, but I read once about one of the main reasons Microsoft was able to trounce Novell for workgroups back when they released Windows 2000 and AD.
So Novell had directory system stuff locked down pretty well in a technical way AND they released it well in advance to Active Directory.
However adoption was slow because going from a flat file server system for workgroup computing to a directory system setup were you not only have C and D drive and such you have OU's and different positions in the directory system to take account of was to much for most people to handle. So most people were happy to stick with their existing Novell servers.
So resellers and such weren't making much money from Novell.
However here comes Windows 2000 and Active Directory, which is the bee's knees according to Microsoft and numerous articles and such.
So all of a sudden those same resellers and such are pushing Windows and Microsoft very hard because they are making huge commisions off of convincing people to drop a huge amount of money in changing their infrastructure from older Novell workgroup servers to the new Windows 2000-based solutions.
So if this story is true then this illistrates is one of those huge problems faced by Linux commercial distributions. The sales folk that are targetting businesses, governments, and educational institutions have a vested interest in convincing their customers to keep Windows, not because it's better, but because it's _more_expensive_. They make money from commisions, not by saving their customers money.
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 28, 2007 0:26 UTC (Wed) by wookey (subscriber, #5501) [Link]
"90% of everybody uses Windows somewere and SAMBA is a requirement to support that, so I don't have any problem with using it for a proper domain controller either."
I'm the other 10% and it seems to me that the functionality of 'general authentication' and 'accessing windows machines' should be separate/separable.
I do agree that 'normal users' can't cope with different passwords for different funcitons on their desktops. They want the same password to work whenever a dialog pops up asking for it. They have no understanding of the difference between the dialog to access the keyring on their machine and the one to access an ftp mount. Even user/root passwords are a problem, which is why the ubuntu 'sudo for everything' approach works well - you always use your password, not sometimes use yours and sometimes use roots.
I have never managed to understand LDAP or PAM, and have never tried to understand kerberos, so thanx for the above idiots guide to how some of this works in practice.
That's a good one
Posted Mar 26, 2007 14:47 UTC (Mon) by TRauMa (guest, #16483) [Link]
"The Linux File Manager is not as intuitive as Windows Explorer."
What is the "Linux File Manager"? How exactly is Windows Explorer "intuitive"?
And why do they talk about corporate deployments and Flash?
/me puzzled
That's a good one
Posted Mar 26, 2007 15:25 UTC (Mon) by superstoned (subscriber, #33164) [Link]
They clearly don't know much about linux, so they made beginner'smistakes - thus having wasted a lot of time with downloading and
installing flash and java by hand, instead of using the appropriate tools
from the distributions.
And linux filemanager, well... I wouldn't call explorer intuitive, ever.
But I could call it familiar, and I guess that's what they meant.
Still don't understand why they talk about 'the linux filemanager', as
Xandros uses KFM = pretty much explorere (their own filemanager),
Linspire has konqueror = explorer-on-steroids, and Novell and Red Hat
must have Nautilus = explorer-for-dummy's. So how can they speak
about 'the linux filemanager'?
That's a good one
Posted Apr 1, 2007 0:49 UTC (Sun) by dbreakey (guest, #1381) [Link]
Windows Explorer is "intuitive" in the same way that driving a car is "intuitive". Once you learn how, it doesn't take much effort, and anything else seems clunky and unusable, even if it demonstrably isn't.
"Familiar" I'd agree with; "relatively easy" I'd agree with. "Intuitive"? No, definitely not. "Intuitive" is an extremely subjective word, prone to reinterpretation again and again.
To pull up an example, compare Windows Explorer to something like Directory Opus (an astonishingly powerful file-manager that puts anything else I've ever used to shame):*
- To me, it's more "intuitive" than Windows Explorer because it facilitates the kinds of functions that I need from a file manager.
- Someone else, without my "power-user" requirements, might consider it less "intuitive" because it offers too much configurability.
Actually, that second point probably wouldn't be true simply because, for all of it's power and flexibility, the default DirOpus layout is extremely usable right out of the box, so to speak. However, that ruins the analogy.
* No, I am not employed by the company that makes it, but I am an enthusiastic supporter of it. For a power user, I think it is well worth the money they ask for it. Non-power users? Eh, probably not, but take a look at it anyway—you might be surprised.
I may have to use Windows on occasion, but that doesn't mean I have to use the standard toolset while I'm at it. I do wish they'd consider a Linux version, though…
That's a good one
Posted Apr 1, 2007 0:55 UTC (Sun) by dbreakey (guest, #1381) [Link]
Oh, before anyone points out the existence of worker as a viable Directory Opus clone, DirOpus hasn't used the fixed two-pane file manager presentation since version 5 for the Amiga…
The current release is designed to integrate tightly into Windows as an Explorer shell replacement.
That's a good one
Posted Mar 26, 2007 16:26 UTC (Mon) by k8to (subscriber, #15413) [Link]
Yeah, instead of surface-deep flawed evaluation, they went for slightly below surface-deep flawed evaluation. But it's a good trend. Maybe eventually these reviews might talk about features and differentiators that matter. Here's hoping.
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 26, 2007 16:06 UTC (Mon) by bk (guest, #25617) [Link]
The issue is that the mistaken assumptions this publication makes are likely to be similar to the experience of most Linux-naive Windows users trying a Linux distribution for the first time.
How can distributions make it more clear to users on the correct way to install proprietary browser plugins for instance (with the appropriate warnings about unsupported proprietary apps)? New users familiar with Windows will always assume that the way to install software is by going to a website and downloading an unsigned, unverifiable binary blob and then running it. We must anticipate this assumption and find ways to counter it.
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 26, 2007 16:44 UTC (Mon) by AJWM (subscriber, #15888) [Link]
How about a desktop icon labeled "find and install new software"? (Okay, that name is a bit long...) It would invoke whatever mechanism (apt-get, yast, etc) is appropriate to the distro.But the earlier posters make a valid point: anything the enterprise desktop user needs should be preinstalled in the image that the IT department rolls out.. In an enterprise environment further updates (and this may include custom packages not available from the distros) could be managed by something like LinuxCOE.
Bake-Off: 4 Linux Desktops Tackle The Enterprise (CRN)
Posted Mar 26, 2007 17:25 UTC (Mon) by markhb (guest, #1003) [Link]
One thing worth pointing out is the target audience for CRN, which stands for Computer Reseller News: computer retailers, especially smaller ones and the beige-box guys. So the POV of their articles tends not to revolve around the user experience, but more around "how can the reader make (more) money selling this stuff?" So points about installing Flash, etc. drive two issues: how much effort will the VAR have to expend configuring the install image for some particular contract, and how much will supporting Linux drive up support labor costs?
Is customization key?
Posted Mar 26, 2007 21:50 UTC (Mon) by drag (subscriber, #31333) [Link]
One of the things I noticed when visiting a HUGE hospital (Cleveland Clinic, which hosts one of the busiest and largest surgery wards in the world. 400 or so surgical operations planned to run on the day I visited) was how vastly easier it was for nurses to use the text-based terminals then it was for them to use the Windows GUI.
With the Windows GUI they had to hunt'n'peck around to find what they were looking for and frequently stuff just didn't work right and the applications they used frequently had ackward user interfaces and such. Keep in mind this is while they are walking around doing lots of multitasking. They use this stuff day in and day out.
Were in comparision the text-based (think ncurses) style interface was something they could use quickly and easily, relatively, while on the move.
My conclusion was that the difference was that the terminals had all the information and input areas they needed in one single interface rather then having to make them look for files and such. SO it was a interface that was created for what they needed to do specificly at hand.
And then I saw last week that one article that was taken down...
http://lwn.net/Articles/227037/
http://blogs.cio.com/more-hope-for-the-linux-desktop
http://72.14.203.104/search?q=cache:FriF2oBvLAoJ:blogs.ci...
Were they stated that one of the reasons why these large companies are looking at Linux is the fact that it can be customized to suite a specific task quite easily.
Like you have one distribution, but have a stripped down FVWM-based desktop with applications that launch on login from a server to a X terminal. OR you can have the full Gnome-based desktop for people who need it. Or you can have full screen custom application for quick data entry. Whatever works best for those people.
Something like that.
Is customization key?
Posted Mar 27, 2007 5:23 UTC (Tue) by nlucas (subscriber, #33793) [Link]
Yes, but you forgot to mention the use touchscreens are now having.
Nothing would beat the speed of work with the old text terminals (and DOS machines), but touchscreens are giving a new live to old programs, by being ported to a minimal linux system and a new graphics interface.
With touchscreens they can have an even easier user interface. Instead of learning to associate function keys to actions, they can just select the actions from the screen (and without having to move a mouse, many time standing and sideways, which makes it difficult).
And now they are pretty cheap, too.
Is customization key?
Posted Mar 27, 2007 15:02 UTC (Tue) by marduk (subscriber, #3831) [Link]
I've witnessed something similiar. When I worked for a major company in the U.S. healthcare industry in the 90s I was shocked that their main application was VT-based and in the "field" they all used DEC VT220s. I felt like I was taking a big step backwards. Yet the people who used them, most of which had little or no PC experience could navigate through the roll-and-scroll app so fast it was unbelievable.
The thing about the app was that everything they used was there and nothing else. Everything was key-stroke driven and repetetive; if you were using it long enough you could do it with your eyes closed.
The user interface of today is full of distractions. Don't get me wrong: I love distractions. But in the workplace it seems that they want just the opposite. I worked for a Windows shop for a while last year. This was pretty much my first (and hopefully last) Windows job. And in my experience a lot of time was spent actually "locking down" the desktop: making it so that users can't change wallpaper, fonts, install apps, burn cds, plug in USB keys, access web sites, etc.
Of course not many people want to go back to the roll-and-scroll days (though the health care company mentioned above still uses it, though they've migrated from VMS to Linux), wouldn't an alternative be a "web" terminal or perhaps some other kind of thin client? I always wonder why those never really took off.
Is customization key?
Posted Mar 27, 2007 11:09 UTC (Tue) by eru (subscriber, #2753) [Link]
One of the things I noticed when visiting a HUGE hospital (Cleveland Clinic, which hosts one of the busiest and largest surgery wards in the world. 400 or so surgical operations planned to run on the day I visited) was how vastly easier it was for nurses to use the text-based terminals then it was for them to use the Windows GUI.Heh, last time I peeked over the shoulder of a nurse handling reception, she was apparently using a Windows NT box - but doing everything via a terminal emulator window in the middle of the screen, running a text-based app (looked like it might have been accessing an IBM mainframe).