I just want...
to be able to manage Win clients via GPO from Samba servers. Easily. Tidily.
Is that too much to ask? <sob>
Oh, and a WSUS-equiv'd be nice, too...
I was raised in the Red Hat world of Linux, starting with Red Hat 2, moving to Mandrake, and returning to Red Hat once more. Since then I have been using it through every iteration and have dabbled in Debian and Gentoo based distributions as well. Each camp has evangelical believers, but I tend to stick with Red Hat not because …
I would be perfectly comfortable running a four or five PC network on Samba 4 as it sits now. I would not run a ten PC network on it, or anything with mission critical requirements. But simply: it's stable so long as once you get it running, you leave it the hell alone.
So it's a relative thing. If you are wanting "free GPO management" for a small network, it’s actually probably “good enough.” If you are trying to run anything much bigger than your home network or a “Ma & Pa” shop off of it, then I would have to point you elsewhere.
Actually, for SMEs, Novell’s stuff is, I think, cheaper /seat than Microsoft’s, so might be the natural compromise point.
And it's great. If you happen to know a fair amount about Unix to begin with. Puppet isn't for a junior admin, or someone new to Unix. If you have a guy with a Windows network who must now suddenly support a series of Unix systems, puppet is dense and terrifying. If the admin responsible for the Unix boxen is fresh out of school, I'm not letting him anywhere NEAR the puppet server.
For me, who has been using Unix in one form or another for at least two decades, Puppet is great. I can think of at least fifteen other sysadmins I have drinks with on a regular basis that would be openly weeping after trying to use it, because they are neither any good at scripting, nor do they really know that much about the underlying operating systems.
Every time they try to use Linux, they are handed a different distro, which hides its files in a different place and they end up confused. Puppet can help with some of that, but it still relies on the admins having a fair amount of knowledge to start off with.
I look at puppet as a grown-up admin’s systems management tool. Great if you already know what you are doing, and are simply looking to save some time. Group Policy on the other hand is like IT training wheels. Eventually you have to take them off, but (most) people need them for a little while at least.
To me, Windows has always been needlessly complex. Why would you want Unix to be the same? The beauty of everything being a file is that there is only one way to edit settings for everything. This makes version control very easy as you can just copy the old file and save it somewhere with a date. You need to roll back, no problem... To learn how to change settings all you need to know how to do is edit files and usually restart or HUP a service; with Windows you need to know how to change files, edit registry keys, run commands and sometimes I am pretty sure you can only do things by sitting at the machine itself. Then there is the registry hell. Find the key that controls what items are started when the system boots... Oh, that is in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, that makes a lot of sense, I would have looked there. With Unix if I don't know where something is, I can usually do a find on the filesystem.
All that is really needed is something that keeps the files the same on every system in an automated fashion. Something like Red Hat Network/Spacewalk works well. Someone mentioned puppet. It isn't like Group Policy, but it can do so much more and it really is no different than just editing files from the local console, but now on a global level. The beauty of Unix is that the inner workings are simple (at the expense sometimes of the outer layer); the last thing I want is some abstraction layer that I no longer understand.
Indeed, I also think AD is powerful but too complex, and I also think Linux should try to offer similar functionality with less complexity (Plan 9 did nice things in this field). The problem is... there's no such software. And the several GPO alternatives we have are not standardized across the Linux distros. And we need a standard, because often software needs to be modified to be GPO-able, and configuration files have different formats, etc. There's a lot of work to be done in this field, to be fair.
We use Symantec's Control Compliance Suite Standards Manager which covers both standards (patches, OS levels, etc.) and controls easily in an automated fashion. They cover all our platforms and we can simply run the tool to evaluation -> actions on the 8+ different platform versions (mult UNI* and Win*) so we can address variations between environments.
Routinely we don't use the GUI for anything other than reporting as we have scripts that work easily with what they've got OOTB. Our management is now having us upgrade / add in their Policy Manager as we have to do more checks and controls for Audit on things like our credit card transactions with PCI, and some ISO controls that the company is controlled in. We've had a few hiccups over the years, but we've done well overall.......