Linux Business

Linux Desktop Deployment Postmortems? 371

duffbeer703 asks: "My employer runs a lot of desktop and laptop computers -- something in the neighborhood of 40,000 PCs. Currently they are all Windows 2000 & XP managed by Active Directory and other big, complicated enterprise management tools, all of which can support Linux in one form or another. I'm looking for ways of making Linux (and maybe Unix or even Apple desktops) an option as we replace or add PCs. The problem is, most of the resources that you find online about deploying Linux focus on server environments, and the articles that I do find about desktop Linux focus on standalone developer workstations, the IBM conversion to Linux (which doesn't seem to have happened) or things like LTSP, that won't integrate well with our infrastructure. Is anyone out there successfully using Linux for regular users? How did it go, and how did your IT and user communities adapt to the new kid on the block?"
  • Ubuntu? (Score:5, Informative)

    by abscondment ( 672321 ) on Thursday December 01, 2005 @01:11PM (#14158095) Homepage

    This article [slashdot.org] was posted a little while ago about a user who used Ubuntu in a completely MS environment without his boss noticing for a few months. (linked article [madpenguin.org] from the story)

    My experience with it is that it's one of the most mature Desktop distributions, coming complete with most of the tools one would need to perform most jobs. Easy install, and you can use Synaptic/apt-get for upgrades and additional installation since it's Debian based. You should check it out [ubuntulinux.org].

  • Not here, either (Score:2, Informative)

    by NineNine ( 235196 ) on Thursday December 01, 2005 @01:14PM (#14158123)
    Just so that nobody thinks that nobody is reading this thread... No Linux deployments at my company. I don't think that we'll look at Linux again for at least a few more years. None of our important apps work on Linux, and we have no Linux expertise in our small company.
  • Guitar Strings (Score:5, Informative)

    by jag7720 ( 685739 ) on Thursday December 01, 2005 @01:16PM (#14158145) Homepage
    Take a look at the Ernie Ball guitar string company. They made the switch several years ago. It is only 300 +/- people but they did it because they got hit with being out of compliance with M$.

    Read Rockin' on without Microsoft [com.com]
  • by saskboy ( 600063 ) on Thursday December 01, 2005 @01:20PM (#14158196) Homepage Journal
    I'm glad to see that at least an AC picked up on the obvious sarcasm, even if the moderator didn't.
  • WTF (Score:2, Informative)

    by drownie ( 901913 ) on Thursday December 01, 2005 @01:24PM (#14158237)
    You know I read your rant/article about gnome some time ago, posting it into random stories as comment doesn't make it any better ... http://linuxtoday.com/news_story.php3?ltsn=2005-11-04-018-26-OP-SS-NV-0089 [linuxtoday.com]
  • by Sycraft-fu ( 314770 ) on Thursday December 01, 2005 @01:36PM (#14158351)
    If it's all Windows centric including backend and management, it'll be tough to add. Here we are a hybrid Windows/Solaris and are adding Linux. The way we do it is LDAP on Solaris for the backend. Sun has a product that syncs the AD to LDAP, and we are currently working with the Linux systems to get them all working. They use LDAP just fine, but we are having difficulty with our automounts and other such things.

    If you want to do it in your environment, the thing to look for would be a way to sync Linux with the AD. I don't have any experience in this area so I'm afraid I can't help, but Samba might be a place to start. I understand it works in Windows 2000 domains now. At any rate what you want is to design a solution such that the existing management tools will work more or less seamlessly with the Linux workstations. That means they need to get their account information from the AD, map the Windows file shares (Linux does that fine now), use the Windows printers (CUPS has no problem with that) and so on.

    You will probably need a Linux server that's the go-between and you might have to do some custom development work. However, I'm sure it's doable. Remember though, to sell it you need to make your solution work with the existing one. If you demand a bunch of changes, you'll just get shut down. However if you make it integrate nice, it's much easier to push as an alternative. Ultimately a more platform-neutral back end would probably be good, but with infrastructure that large, you can't start there because the cost will be enough to make everyone say no.

    Probably what you should do is just get permission to start experimenting. Get a Linux desktop and server up and running under your control and then start investigating what it's going to take to get some integration going on. Worst case, it doesn't work out, and you get some Linux experience out of it.
  • Re:Ubuntu? (Score:1, Informative)

    by Anonymous Coward on Thursday December 01, 2005 @01:36PM (#14158352)
    Finally the Ubuntu zealots came for me, and everyone was so sick of offtopic zealotry that no one spoke up at all.

    The post you replied to was many times more:

    • interesting
    • insightful
    • helpful
    • on-topic
    • generally worthwhile

    than your post was.

    The original poster was merely pointing out that Ubuntu is an excellent desktop distribution, which jibes with everything I've heard about it (I've not yet done an install). How does that constitute "zealotry" exactly?

  • Re:Not One (Score:3, Informative)

    by Lumpy ( 12016 ) on Thursday December 01, 2005 @01:36PM (#14158354) Homepage
    most small businesses freak when they see a real accounting package. Peachtree and Quickbooks are NOT real accounting packages but toy packages for the business owner that does not know accounting.

    Real systems like Champion Controller and Sage and Cougar Mountain or even Excalibur.

    Those that are still using the toy packages the likes of Quickbooks really do not want powerful, they want braindead and to pay a service fee to get the hard stuff done.

    but that is the difference between buying a $395-$595 toy at compusa or staples and a $1500-$6000 accounting suite from a professional.
  • kick it up a notch (Score:3, Informative)

    by __aaitqo8496 ( 231556 ) on Thursday December 01, 2005 @01:37PM (#14158361) Journal
    okay, i really hate the subject line (and emeril's show) but here goes:

    i work in a very small environment... say roughly 25 employees and at least that many desktops with about 20 servers. i've been pushing to move away from being a microsoft shop. luckily, the guy before me was also very pro-Best Solution (note i didn't say pro-linux or anti-microsoft) and set up a number of linux servers.

    i have taken hold and attempted to push the idea of a linux desktop solution for people that don't need windows (i.e. sales people). i actually set up a second box for myself before deploying a test box for a sales person. being a ubuntu user for 3 releases now, i chose it for its polish, shine, and my comfort level. my experiences have been mostly good. anytime anyone needs a package, i just grab it from apt-get (or find a repo first if need be). i can take care of the whole box via ssh and never have to bother the user. it works GREAT except for a few small problems in a windows network:

    1. setting up active directory authentication is a PAIN. it's not hard, but time-consuming and requires a lot of manual tweaking (see my request for an automated tool [ubuntuforums.org])
    2. evolution-exchange connector is horribly in need of work. the basics work, but it's not fast or efficient - or stable. it gets the job done, albeit not eloquently
    3. (i believe the following is a problem with nautilus, but idk) when accessing a shared windows folder, authentication gives a prompt for credentials, but it doesn't matter what you put here. the second prompt for credentials is the important one. in fact, you cannot get the first box to go away unless you click cancel
    4. sudo & AD groups. for the life of me i can't figure out how to get sudo to recognize %domain\linuxadmins as a valid group. `groups` shows me as being part of it, but it's almost as if sudo doesn't like the slash. i've tried escaping it, and tried it without the domain to no avail. ideally, i'd like to set up a group to allow certain users to perform updates when ubuntu notifies them stuff is in need of updating.

    my gripes aren't HUGE, but they're annoying to me. of course i haven't touched on management needed for a 20,000 pc environment (pushed software & updates), so ymmv
  • by CoderBob ( 858156 ) on Thursday December 01, 2005 @01:40PM (#14158401)
    http://www.infoworld.com/articles/hn/xml/02/11/27/021127hnerniball.html?s=IDGNS [infoworld.com]

    News story from the event. The article is light on the details, and at one point refers to "pirated copies" while at another refers to "more installations than licenses".

    Having seen both many a time in a corporate environment, this is not always a company decision- users are to blame on occasion as well.

    The reason for the shift matters, but the fact that they shifted successfully says a lot, especially to smaller organizations that might not be able to afford enough licenses. If those style shops start switching over to avoid being out of compliance, things could start to get real interesting.

  • by request only (Score:2, Informative)

    by LodCrappo ( 705968 ) on Thursday December 01, 2005 @01:44PM (#14158437)
    I work as a consultant for smaller companies. Although I use linux on my desktops and am quite happy with it, I wouldn't recommend any of my clients try to deploy it on the desktops for normal users unless there is some very compelling reason to do so. I've yet to come across such a situation, but I guess cost, performance and/or security might be reasons in some cases.

    On the other hand I do have some clients where certain individuals have requested linux, and allowing them to run it has not caused any problems other than the obvious compatibility issues that may apply. These individuals are linux savvy and can generally deal with their own problems. Management does not want to spend extra money to support a second platform, and they understand this.

    I guess the point I'm trying to make is that if you are considering rolling out some linux or even apple desktops, I would be careful to only migrate people that really want them and understand the consequences (and are able to deal with their own problems for the most part). Otherwise you're going to be incurring extra costs that probably outweigh any licensing money you save. That usually doesn't go over well and will generate a negative attitude from management towards linux.

    As for workstation management tools, there are solutions from Redhat and Novell and probably others, and IBM has some tools too. I don't have much experience with any of them, but again it is probably an extra cost and what would the point be? What is the boss going to like about this whole idea? Sometimes I think linux fans push too hard or don't fully evaluate the situation and actually reduce the opportunities they might have to use linux where it would really be a great solution.

  • by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Thursday December 01, 2005 @01:59PM (#14158619) Homepage Journal
    First, be patient. I don't think the IBM migration is as dead as it appears. Most of the commercial migrations I have seen take 2-3 years to accomplish assuming that a fair amount of resources are thrown at the problem. If you want a smoother transition, I would suggest planning for 4-5 years. This timeframe should allow you to rewrite all your in-house applications to support Linux if necessary.

    The first step is to identify those workstations that have the simplest requirements and/or the users who are most interested in switching. Start there and migrate a few stations at a time. Don't be afraid to rollback to Windows for a while when you need to. Try to use Wine and other technologies to make the transition easier. I think that this is still where IBM is.

    The second step is to do an analysis of what has/has not worked in this step and then look for the next group of workstations to migrate. Wash, rinse, repeat until you run out of shampoo.

    Once you have a fairly established set of Linux workstations, I would suggest investing in infrastructure. Look at things like OpenAFS, X11 application servers, and the like. For desktops you can create a computing network that looks conceptually sort of like a SAN and is very easy to maintain (read up on Project Athena). This requires more care with laptops because of mobility requirements, but if you are careful about which applications you put on the laptop and which ones you run over the network, you should have few issues.

    Hint: You can put an X server on the Windows systems to give them access to your X11 app servers, and therefore not immediately require everyone to run Linux to gain access to certain applications.
  • by Anonymous Coward on Thursday December 01, 2005 @02:00PM (#14158636)
    This from a friend who worked there at the time...

    Ernie Ball was out of compliance by less than 2% with their MS licences. They were on a quarterly purchase program, where they would purchase any out of compliance licenses, and made allocations in the budget beforehand to do so. The "Disgruntled Employee" called in the midpoint of the quarter to rat them out.

    Even when Ernie Ball offered to make good the license quantity immediately, the BSA declined and chose to make an example of them. Following the local newspaper headlines about EB getting "busted", the BSA sent letters out to every local business "reminding" them of the dangers of being out of compliance.

    Sterling Ball chose to switch his entire operation to Open Source at that point (minus the few CAD Systems that needed MS OS to run the CAD Software) to prove that an operation didn't need MS to work and work well.

    And from what I hear, it was and still is a great success. My friend has gone on to do fun and exciting things with EB and their FOSS Computer Systems.
  • by CrazedWalrus ( 901897 ) on Thursday December 01, 2005 @02:29PM (#14158951) Journal
    I'm sure it can be done, perhaps by remotely mounting common application and /home folders to a central server. But I've never seen any Howto's or even descriptions of anyone having done this in the enterprise before. Not to say it hasn't been done, just that no one's written how it's done (that I've been able to find).

    Why is it that people think Desktop Linux and Server Linux are different animals when it comes to enterprise setups? Enterprises have been doing rapid deployment, diskless (or minimally local), network boot unix installs for ages.

    HOW should linux desktops be set up in an enterprise? Exactly the same way as the *ix servers! Any enterprise unix admin worth their salt already has this worked out. The only difference is which applications get installed.

    Need that latest patch deployed to all 1.7 bazillion desktops? Update the filesystem that the desktops are booting to and update all of them at once. Messing with symbolic links makes it easy to swing a link back to the old version and reboot the workstations if something goes bad.

    Mounting remote filesystems allows users to write their files directly to the network, where it will be backed up according to firm policy. Mounting the system filesystems ensures that every machine is running the latest and greatest. Deploy your apps in OpenAFS, and you can control access to apps via ACL groups.
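
Added example (editor's, not part of the comment above): the "swing the link back" rollback the comment describes, as a small Python tool. It assumes one directory per system image next to a `current` symlink that the workstations mount or boot from; the layout, the release names and the `previous` bookkeeping file are made up for the example. The point it adds to the prose is that the switch should be a rename(2) of a freshly made link over the old one, so a client resolving the path never sees a missing link in between.

```python
# Added example, not code from the post above: versioned system images
# selected by a symlink, with an atomic switch and a rollback.
# Assumed layout (made up for the example):
#   <root>/image-2005-10/   <root>/image-2005-12/   <root>/current -> image-...
import os
import tempfile

def current_release(root):
    """Name of the release 'current' points at, or None if not yet set."""
    link = os.path.join(root, "current")
    return os.readlink(link) if os.path.islink(link) else None

def activate(root, release):
    """Point root/current at root/<release>.  The new link is created under a
    temporary name and rename(2)d over the old one, so a client resolving the
    path sees either the old tree or the new one, never a missing link.
    The outgoing target is recorded so rollback() can swing back to it."""
    if not os.path.isdir(os.path.join(root, release)):
        raise FileNotFoundError(release)
    prev = current_release(root)
    tmp = os.path.join(root, ".current.%d" % os.getpid())
    os.symlink(release, tmp)  # relative target: still valid if root is remounted elsewhere
    os.replace(tmp, os.path.join(root, "current"))  # replaces the link, not the target dir
    if prev is not None:
        with open(os.path.join(root, "previous"), "w") as fh:
            fh.write(prev)
    return prev

def rollback(root):
    """Swing 'current' back to the release recorded by the last activate()."""
    path = os.path.join(root, "previous")
    if not os.path.exists(path):
        raise RuntimeError("nothing to roll back to")
    with open(path) as fh:
        return activate(root, fh.read().strip())

def demo():
    """Walk through an upgrade and a rollback on a throwaway tree; returns the
    sequence of 'current' targets observed."""
    root = tempfile.mkdtemp()
    for rel in ("image-2005-10", "image-2005-12"):
        os.makedirs(os.path.join(root, rel, "etc"))
    seen = [current_release(root)]
    activate(root, "image-2005-10")
    seen.append(current_release(root))
    activate(root, "image-2005-12")  # the patched tree goes live here
    seen.append(current_release(root))
    rollback(root)                   # something broke: swing back, reboot clients
    seen.append(current_release(root))
    return seen

if __name__ == "__main__":
    print(demo())
```

The relative symlink target matters when the same tree is exported over NFS or AFS under a different mount point on the clients; an absolute target would only be valid on the server.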

  • by awkScooby ( 741257 ) on Thursday December 01, 2005 @03:35PM (#14159732)
    1. Make sure you investigate Microsoft licensing issues. In our environment, we would have to purchase a CAL for every Linux, OS X and other *NIX system that wanted to play in the Active Directory. Just because you technically can do something doesn't mean you're legally allowed to do it. Microsoft licensing is extremely complex.

    2. Decide on a method for authentication. I suggest using Kerberos 5, since that's what Active Directory uses. You must make a choice -- use Active Directory as your KDC, or use MIT or Heimdal as your KDC with a trust between it and the Active Directory. Due to licensing, and technical reasons, we use an MIT KDC, with a 1 way trust (AD trusts the MIT KDC, the MIT KDC doesn't trust AD). The technical reasons boil down to:

    • Microsoft only supports DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC encryption types. Lots of existing Kerberos clients don't support RC4-HMAC, which leaves DES. Yuk.
    • Microsoft's Kerberos adds a PAC field to the ticket, which can make for very large kerberos tickets. Lots of existing Kerberos clients have problems with this.

    Note that you could choose to have Windows systems authenticate against the AD or authenticate against the MIT Kerberos realm, and have non-Windows systems use an MIT KDC.

    3. Redirect passwd file lookups to LDAP. You already have an LDAP server -- Active Directory. You'll need to add the LDAP schema defined in RFC 2307, and will need to add the posixAccount auxiliary class to all of your users. Part of that process involves putting the passwd file information like uid, gid, gecos, homeDirectory, and shell information in the appropriate attributes.

    Again, due to licensing issues, and the fact that we already had an enterprise LDAP directory, we chose to not use Active Directory for this purpose. But, it certainly can be done.

    4. On the linux desktop systems, use pam_krb5 to redirect authentication to kerberos, and configure nsswitch.conf and ldap.conf to redirect passwd file lookups to LDAP. On RedHat systems, you can do it all from authconfig, although I think it's helpful to know the files involved.

    5. I like pam_access for restricting who is allowed to log in on a given workstation. pam_access can restrict to members of groups, and those groups can be posixGroup objects in LDAP/Active Directory.

    I think it's helpful to have home directories on a central server. We use OpenAFS. I don't know if it's possible to have a user's home directory on a Microsoft share or not. If not, you'll probably still be in the business of creating home directories on desktops. Microsoft has some NFS thing for Windows. I haven't used it, so I'll refrain from commenting, other than to remind you to research potential licensing issues.

    A lot of this will work across a number of platforms. I have it working on Linux and OS X.

    Beyond the stuff above, for managing lots of Linux desktops there are lots of options, but they're probably all roll your own type things. If you have a few standard configurations, you could use rsync. Or have them all point to a central YUM repository, or... Well, there are tons of ways. I can't give you a postmortem on that, because we don't have lots of Linux desktops in our environment yet. Centralized management doesn't make sense for the few that we have.

    Summary: pam_krb5 + pam_access + nsswitch + central filesystem == HAPPY

    Read up on kerberos. There's a fair amount to get your head around. If you can explain why kerberos authentication is better than "ldap authentication" you should be in pretty good shape.
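
Added example (editor's, not part of awkScooby's comment): the posixAccount-to-passwd mapping and the pam_access restriction described above, modelled in plain Python so the directory data and the access rules can be checked offline before they go into nsswitch.conf and /etc/security/access.conf. It is not nss_ldap or pam_access, only a readable model of what they do. The LDIF export, the access.conf, and every name and UID in them are constructed; group membership is passed in as a set where the real pam_access resolves it through NSS (which is how the posixGroup objects in the directory come into play).

```python
# Added example (editor's, not from the post): a plain-Python model of the two
# mappings described above, so directory data and access rules can be checked
# offline before touching nsswitch.conf or /etc/security/access.conf.
# (1) nss_ldap's job: RFC 2307 posixAccount attributes -> passwd(5) lines.
# (2) pam_access's job: walk access.conf top to bottom, first match wins.
# The LDIF, the rules and every name below are constructed for the example.

# Constructed LDIF export; bob lacks uidNumber on purpose (not a Unix account).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
objectClass: posixAccount
uidNumber: 10001
gidNumber: 5000
gecos: Alice Example
homeDirectory: /afs/example.com/home/alice
loginShell: /bin/bash

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
objectClass: posixAccount
gidNumber: 5000
homeDirectory: /afs/example.com/home/bob
"""

REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # RFC 2307 MUST

def parse_ldif(text):
    """Minimal LDIF reader (no folded lines, no base64): one dict per entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def passwd_line(entry):
    """passwd(5) line for a posixAccount entry, or None if it is unusable.
    An absent loginShell becomes the empty field (login(1) then uses /bin/sh);
    a colon in gecos would inject extra fields into the line, so reject it."""
    if "posixAccount" not in entry.get("objectClass", []):
        return None
    if any(a not in entry for a in REQUIRED):
        return None
    gecos = entry.get("gecos", [""])[0]
    if ":" in gecos:
        return None
    return "%s:x:%s:%s:%s:%s:%s" % (
        entry["uid"][0], entry["uidNumber"][0], entry["gidNumber"][0],
        gecos, entry["homeDirectory"][0], entry.get("loginShell", [""])[0])

# Constructed access.conf in pam_access(8) syntax: "permission : users : origins".
# "(name)" is a group; LOCAL matches any origin (tty or host) without a ".".
SAMPLE_ACCESS_CONF = """\
+ : root (linuxadmins) : ALL
+ : ALL : LOCAL
- : ALL : ALL
"""

def parse_access_conf(text):
    """List of (allow, user_items, origin_items) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _user_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user

def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin
    return item == origin

def access_allowed(rules, user, groups, origin):
    """First matching rule decides; pam_access permits when nothing matches."""
    for allow, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
                any(_origin_matches(o, origin) for o in origins):
            return allow
    return True
```

Two things worth carrying over from the model to the real files: an entry that is missing a MUST attribute simply does not exist as a Unix user, which is a quiet failure mode when the posixAccount class is added to 40,000 objects by script, and the final `- : ALL : ALL` line is what makes the workstation restriction real, because pam_access grants access when no rule matches.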

  • by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Thursday December 01, 2005 @04:47PM (#14160444) Homepage Journal
    First, if you set it up properly, there is no reason that upgrading your system should be harder on Linux than on Windows. There are great tools like Yum, apt-get, etc that can be scheduled, and you can push out configuration files via scp and shell scripts if you like.

    Secondly, you have far less work interruption from updates on Linux than with Windows. With tools like apt-get or yum you could indeed upgrade the distro without taking it down for the upgrade or booting the user off his/her applications (depending on the work, the user might notice a performance hit though). This is part of the bit about investing in infrastructure. With the right work, you can make Linux *far* easier to manage than Windows on the desktop (yes, I know what a GPO is). Secondly... with the right infrastructure of AFS, LDAP (or Hesiod), Kerberos, and X11, you can have something that requires very little work to maintain.
  • by weaselprince ( 933254 ) on Thursday December 01, 2005 @05:18PM (#14160805)
    Background: I work (indirectly) for a FTSE100 company in the UK. Last year I architected and deployed approximately 100 Linux desktops to a group of highly technical users, migrating them away from Sun Solaris. I've worked with most flavours of *nix over the last 10 years so regard myself as a reasonably experienced systems administrator. Of course that's all relative :)

    The technical stuff: Users were running on ageing Sun hardware with relatively low performance (Blade 1000s, Ultra 60s). The applications they run are technical applications for which ports exist for both Solaris and Linux. The new hardware is high-end HP workstations with more memory and processors than you can shake a stick at, combined with Nvidia FX3000/3400/3450 GFX cards. OS is RedHat 3.0. That was forced upon us by the key application which is only supported on that distribution.

    Rationale behind the move: Move to Linux because the applications run faster. That's it.

    So what worked well?

    The major factor in the success of this rollout was the relatively low degree of change in terms of what was presented to the users. The applications they use were simply ports of the Solaris versions. Nothing new to learn. The only difference is that they work a whole bunch faster. Instantly the user base is won over and there's buy-in.

    Another, seemingly small, item was the look of the login screen and the desktop environment on first login. First impressions do matter, and getting this right turned out to be very good PR. As the desktops were deployed, users would crowd round the first of the new systems in their areas and "kick its tyres". People were genuinely interested in what they were seeing, and a buzz spread round quickly. On our feedback forms many commented on how much they liked the new, tricked out, environment. In reality little had changed in terms of usability and people weren't frustrated that they couldn't find their favourite application (or analog, where none existed)

    There was a relatively low impact for the support team too. Accustomed to Sun's jumpstart, kickstart is an intuitive and easy mechanism for deploying to a large number of identical desktops very easily. Power on, press F12, and the whole thing is automated from that point onwards.

    What didn't work well?

    The desktop environment was customised from the standard Redhat KDE login so that the right click menu displays a cascaded list of technical applications. Non-essential stuff was removed. Working out how the KDE menuing system hangs together wasted 2 days of my time. Redhat support were useless and I had to use a combination of strace and the source to prove definitively how it works. My major gripe with this whole process was the total lack of adequate documentation. If you're coming from a commercial Unix vendor's platform you'll be accustomed to good quality documentation that gives you all you need to deploy in a couple of hours. Just compare the CDE guides on docs.sun.com [sun.com] to the KDE manuals on www.kde.org [kde.org] and you will see what I mean. This is a fundamental weakness in the OSS world that must improve before large organisations will consider widescale deployments.

    What else?

    There was no desire or justification to migrate the backend office applications to the Linux desktop. Don't go there - it's a hiding to nothing. If the rest of your enterprise is using MS Office and Exchange there is no sense in trying to fudge things with OpenOffice or Evolution or their ilk. If you do, you *will* have problems. Some things just don't work, and the support team don't want to spend the rest of eternity trying to figure out why a particularly obtuse Word document with some recondite macro is refusing to display in OpenOffice. So how do those users get their standard office tools? Citrix. It just works. Leave the pain of MS support to the masochists and get on with your day job.

  • by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Thursday December 01, 2005 @05:40PM (#14161044) Homepage Journal
    Can you even get support for a 5 year old version of Linux?

    I cannot find any information on how long RHEL versions are supported with Red Hat's support engineers. However, they maintain update support for (and expect you to be using it for up to) seven years, so I would assume that the answer to your question is probably "yes."
  • by Victor Tramp ( 5336 ) <info@ross1 5 4 . n et> on Thursday December 01, 2005 @09:17PM (#14162577) Homepage
    I'll be surprised if anyone reads this, or even believes it, but..

    It's been my job professionally for about 5 years to manage Linux on the desktop for a biomedical company who designs their own ASICs and PCBs on Mentor Graphics..

    First I migrated them away from HP-UX as Mentor Graphics ported more and more of their tools to Linux.. It was more cost effective to get brand new Dell machines running redhat [which gets replaced, because Dell's redhat install is crappy] for US$1800 than refurbed old PA-RISC workstations at US$5000+ a box.

    Basically, I'm using:

    Distro: Debian
    GUI Xfree86 or Xorg [depending on which box]
    Desktop Env: KDE [muggles love KDE]
    Mail: Evolution and MS Outlook [a la crossover office, what a lifesaver!]
    Web: Mozilla or Firefox [both are installed]
    Office suite: OpenOffice 2.0 and MS Office 2000 [a la crossover office], planner, & MS Project
    Music: amaroK or xmms, or whatever they want

    The home directories, and proprietary Mentor software are all NFS automounted [it's fine, really], so the only data on the drives is the os and application data.. i lose a drive, no big deal, when the drive's replaced, i reinstall stock debian..

    However, I -have- used apt-move [and apt-proxy] to make my own distro of debian in-house for building workstations.. it's a lot more convenient to install the netinst CD and be done, reboot the machine, point the sources.list at the internal repository, load aptitude, and just hit + on the top levels [which essentially loads everything in the repo.], and bam. Installation would probably be more efficient if i used something like Fully Automatic Install (FAI), but i haven't been smart enough to figure out how to get it installed.. It's only good for installs tho.. I maintain the separate repo for upgrades.. That and it keeps people from installing things willy-nilly from the net if the only repos the workstations have is an internal server with a subset.

    User accounts are all managed via LDAP, tied in with the corporate ADS directory, one login to auth them all!

    box configuration management is all handled by Cfengine2 -- all hail the University of Oslo! Cfengine has made it possible for me to manage all the boxes at once, no matter what the hardware discrepancies.. i can do the work of 4 people, by myself. that and, the configuration repairs itself if discrepancies show up on the workstations for some reason..

    Let's see, that's software centralization, user data centralization, user auth centralization, and workstation configuration centralization.. for 30+ boxes across two buildings, for engineers and managers, for almost 5 years.. There may be better ways to design a network of workstations, but the support model I've implemented has really worked out for me..

    Once a "normal" user gets used to the idea that the computer will do whatever they want it to do, even though it's not windows, the questions about how to do things taper off after a while as they get used to the new system..

    It's sad really. I've been doing the Linux desktop professionally longer than anyone i've ever even heard of. I know for a fact the Linux desktop is completely viable, but nobody seems to believe it. Non-technical and technical people alike all seem to have their doubts and never get up the energy to actually explore it.. Heh..

    anyway, good luck
