Microsoft Active Directory and SCCM
The administrative computing and network unit at my institution seems to want to force us to use Microsoft Active Directory and SCCM. The generalities that have been released to date are quoted below:

*Recommendation*

1. Work with the ITC's across the University to join all University owned PC's and Mac's to an organizational unit (OU) of the CSUSB AD Domain.
2. Provide training to all ITC's on Microsoft Active Directory and SCCM Administration

*Cost:* $25,000 Estimated

*Rationale:* With the availability of advanced tools to maintain and upgrade machines from a central console, Faculty and Staff will greatly benefit from patches and updates being done for them remotely and in an automated fashion. They will also be able to install campus licensed software themselves.

NB: ITC = Information Technology Consultant (a California State University staff position designation) -- a technician, typically with a BS in IT or a related field, who has hardware and software control over non-administrative-computing Faculty MS Windows or Mac OS X workstations.

End quote.

Does anyone on the list have to use these Microsoft proprietary systems with EL open systems -- both servers and workstations? If so, what are your experiences and how does one do the integration? Under no circumstances are we willing to share root passwords with the administrative unit. Replies off list are welcome.

Yasha Karant
Re: Microsoft Active Directory and SCCM
Well, you can easily join RHEL 6, RHEL 7 and clones to an AD domain if you have access to an administrative account on AD. Works with basic tools, no special tools or software needed. You can easily get groups and user authentication via PAM services. For advanced use, FreeIPA or Red Hat IPA and some complexity are required.

-- Eero
Re: Microsoft Active Directory and SCCM
When Fermilab deployed Kerberos 5 on all of our Unix and Linux, and simultaneously Windows 2000 on our Windows side, it was the intent that eventually everything would run off of the Windows Active Directory side. 14 years later that has never happened. There are others on this list that know in detail why that is.

There are some Microsoft services for Unix that in theory can do all the things you need to do to make the Windows domain controller serve as a master KDC for Linux machines.

I have never heard anyone use or try to use SCCM for Linux. It is certainly worth the money within the Windows domain though.

I've never heard of anyone hooking Macs into Active Directory.

Steve Timm

On Tue, 5 Aug 2014, Yasha Karant wrote:
The administrative computing and network unit at my institution seems to want to force us to use Microsoft Active Directory and SCCM. [...]

--
Steven C. Timm, Ph.D (630) 840-8525 t...@fnal.gov http://home.fnal.gov/~timm/
Fermilab Scientific Computing Division, Scientific Computing Services Quad.
Grid and Cloud Services Dept., Associate Dept. Head for Cloud Computing
Re: Microsoft Active Directory and SCCM
I've never heard of SCCM but the Microsoft AD thing is doable but difficult. The Unix extensions help but they don't automatically assign UID numbers or GID numbers to users, so people oftentimes use 3rd party software to do it for them. Kerberos integration is simple; all you need is the PAM Kerberos5 module, but if you want to be able to change passwords from a Linux host you will have to manually create and deploy keytabs. On the Kerberos level Microsoft is surprisingly compliant with the RFCs.

--
Sent from my HP Pre3

On Aug 5, 2014 10:12 AM, Steven Timm t...@fnal.gov wrote:
When Fermilab deployed Kerberos 5 on all of our Unix and Linux, and simultaneously Windows 2000 on our Windows side, it was the intent that eventually everything would run off of the Windows Active Directory side. [...]
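A keytab is the long-term key Paul mentions having to create and deploy by hand. Once it is on the host, the check a practitioner wants is what actually landed: which principal, which kvno, which enctypes (RC4 and DES entries on a freshly joined host are a finding), and whether a re-join left stale keys behind; the file itself must stay root-only, since anyone who reads it holds the host's credential. The parser below is an added example written for this edit, not code from the thread or from MIT krb5; it reads the MIT keytab file format (version 0x0502, big-endian, entries of principal, name type, timestamp, 8-bit kvno, key block and optional 32-bit kvno) and audits the entries. The sample keytab, the realm AD.EXAMPLE.EDU, the host sl6box.example.edu and the key bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List

# Kerberos enctype numbers from RFC 3961/3962 and the MIT krb5 headers.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
# DES and RC4 keys in a newly deployed keytab are a finding, not a feature.
WEAK_ENCTYPES = {1, 3, 23, 24}
NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str    # "service/fqdn@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted_octets(buf: bytes, off: int):
    """uint16 length followed by that many bytes (MIT 'counted_octet_string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab, file format 0x0502 (all integers big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted_octets(data, off + 2)
        comps = []
        for _ in range(ncomp):      # in 0x0502 the realm is NOT counted in ncomp
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno; overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same 0x0502 layout (used here to construct sample data)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xff)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)   # vno32 carries kvnos above 255
        out += struct.pack(">i", len(body)) + body
    return out


def audit_keytab(entries: List[KeytabEntry]) -> List[str]:
    """Findings a reviewer would raise: weak enctypes, mixed kvnos per principal."""
    findings, kvnos = [], {}
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append("%s: weak enctype %s" % (e.principal, ENCTYPES.get(e.enctype, e.enctype)))
        kvnos.setdefault(e.principal, set()).add(e.kvno)
    for principal, seen in kvnos.items():
        if len(seen) > 1:
            findings.append("%s: mixed kvno %s (stale keys left from a re-join?)"
                            % (principal, sorted(seen)))
    return findings


# Constructed sample: what a keytab for an AD-joined host might contain.
# Realm, hostname and key bytes are made up; real keys come from the KDC.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/sl6box.example.edu@AD.EXAMPLE.EDU", NT_PRINCIPAL, 1407254400, 3, 18, b"\x11" * 32),
    KeytabEntry("host/sl6box.example.edu@AD.EXAMPLE.EDU", NT_PRINCIPAL, 1407254400, 3, 17, b"\x22" * 16),
    KeytabEntry("host/sl6box.example.edu@AD.EXAMPLE.EDU", NT_PRINCIPAL, 1407254400, 3, 23, b"\x33" * 16),
    KeytabEntry("nfs/sl6box.example.edu@AD.EXAMPLE.EDU", NT_PRINCIPAL, 1407254400, 2, 18, b"\x44" * 32),
    KeytabEntry("nfs/sl6box.example.edu@AD.EXAMPLE.EDU", NT_PRINCIPAL, 1407340800, 3, 18, b"\x55" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d %s" % (e.principal, e.kvno, ENCTYPES.get(e.enctype, e.enctype)))
    for f in audit_keytab(parse_keytab(SAMPLE_KEYTAB)):
        print("FINDING:", f)
```

On a real host read /etc/krb5.keytab into parse_keytab() as root; the sample run reports the arcfour-hmac key on the host principal and the two kvnos on the nfs principal, which is exactly what a re-join followed by a partial keytab update looks like.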
Re: Microsoft Active Directory and SCCM
2014-08-05 20:29 GMT+03:00 Paul Robert Marino prmari...@gmail.com:
I've never heard of SCCM but the Microsoft AD thing is doable but difficult.

Doable, not difficult, as it requires only the authconfig command twice. man authconfig

-- Eero
Re: Microsoft Active Directory and SCCM
Well, if you read my post, the difficult part is setting the UID numbers and GID numbers in the AD server. Yes, the authconfig portion is the easy part.

On Tue, Aug 5, 2014 at 3:17 PM, Eero Volotinen eero.voloti...@iki.fi wrote:
Doable, not difficult, as it requires only the authconfig command twice. man authconfig
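Paul's UID/GID point is where a plain authconfig join usually hurts: AD carries no POSIX IDs unless someone populates the RFC2307 attributes (uidNumber/gidNumber, the "Unix extensions"), and if two units hand them out independently you get collisions on shared NFS. sssd, which SL 6 and 7 ship, can instead derive IDs algorithmically from the object SID (ldap_id_mapping = True), so every host computes the same UID without anyone writing into AD. The code below is an added example written for this edit, not sssd's own code: it models that scheme, hashing the domain SID with MurmurHash3 (x86, 32-bit, seed 0xdeadbeef) to pick a 200000-wide slice out of the default 200000..2000200000 range, as sssd's sss_idmap does, and adds RID to the slice base. The collision rule (take the next free slice), the per-object fallback from uidNumber to SID mapping (in sssd the choice is global via ldap_id_mapping), the domain SID and the LDAP attribute dicts are assumptions constructed for the example; bit-for-bit agreement with a particular sssd build is not claimed.

```python
import struct
from typing import Dict

MASK32 = 0xffffffff


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 (Austin Appleby's reference algorithm); sssd uses it
    to choose which ID slice a domain SID lands in."""
    c1, c2 = 0xcc9e2d51, 0x1b873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k = struct.unpack_from("<I", data, 4 * i)[0]
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xe6546b64) & MASK32
    tail = data[4 * nblocks:]                      # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)                                 # finalisation mix
    h ^= h >> 16
    h = (h * 0x85ebca6b) & MASK32
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & MASK32
    h ^= h >> 16
    return h


class SidIdMapper:
    """Algorithmic SID -> POSIX ID mapping modelled on sssd's ldap_id_mapping.
    Defaults are sssd's ldap_idmap_range_min / range_max / range_size."""

    def __init__(self, range_min=200000, range_max=2000200000, range_size=200000):
        self.range_min, self.range_size = range_min, range_size
        self.max_slices = (range_max - range_min) // range_size
        self.slices: Dict[int, str] = {}           # slice number -> domain SID

    def domain_base(self, domain_sid: str) -> int:
        """First POSIX ID of the slice owned by domain_sid, allocating it on first use."""
        for n, owner in self.slices.items():
            if owner == domain_sid:
                return self.range_min + n * self.range_size
        n = murmurhash3_x86_32(domain_sid.encode(), 0xdeadbeef) % self.max_slices
        while n in self.slices:                    # assumed collision rule: next free slice
            n = (n + 1) % self.max_slices
        self.slices[n] = domain_sid
        return self.range_min + n * self.range_size

    def sid_to_id(self, sid: str) -> int:
        domain_sid, _, rid = sid.rpartition("-")   # RID is the last sub-authority
        rid = int(rid)
        if rid >= self.range_size:                 # object cannot be mapped into one slice
            raise ValueError("RID %d outside slice of size %d" % (rid, self.range_size))
        return self.domain_base(domain_sid) + rid


def posix_uid(attrs: Dict[str, str], mapper: SidIdMapper) -> int:
    """Use a uidNumber set in AD (RFC2307 / 'Unix extensions') when present,
    otherwise derive the UID from objectSid."""
    if attrs.get("uidNumber"):
        return int(attrs["uidNumber"])
    return mapper.sid_to_id(attrs["objectSid"])


# Constructed directory entries: one user whose RFC2307 attributes were filled
# in by hand, one without. The domain SID is made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = {
    "ykarant": {"objectSid": DOMAIN_SID + "-1105", "uidNumber": "5001", "gidNumber": "5000"},
    "sltest":  {"objectSid": DOMAIN_SID + "-1106"},
}

if __name__ == "__main__":
    m = SidIdMapper()
    for name, attrs in USERS.items():
        print(name, posix_uid(attrs, m))
```

Two things follow from the scheme that matter operationally: every host with the same range settings computes the same UID for a given SID, so nothing needs to be stored in AD; and changing ldap_idmap_range_* on one host after files have been written renumbers every mapped user on that host, so pick the range once and manage it centrally.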
RE: Microsoft Active Directory and SCCM
For integrating non-Windows OSes into Active Directory, we use software from Centrify. There are some issues that we've run into with Mac systems, but there really aren't that many COTS products in that space. The key is that it allows for application of Group Policies to the Mac systems.

As far as using SCCM to manage Linux systems, I still have nightmares about the System Center products from Microsoft. I have successfully used Dell's KACE kBox product to manage RH-family Linuxes and the integration is not difficult. All of that said, I'm much more a fan of using IBM's Tivoli products to manage systems - it does things right out of the box that Dell's product promised and never delivered.

--- A

Sent from my Windows Phone

From: Steven Timm t...@fnal.gov
Sent: 8/5/2014 10:12 AM
To: Yasha Karant ykar...@csusb.edu
Cc: scientific-linux-users@listserv.fnal.gov
Subject: Re: Microsoft Active Directory and SCCM

When Fermilab deployed Kerberos 5 on all of our Unix and Linux, and simultaneously Windows 2000 on our Windows side, it was the intent that eventually everything would run off of the Windows Active Directory side. [...]
Re: Microsoft Active Directory and SCCM
On Tue, Aug 5, 2014 at 3:17 PM, Eero Volotinen eero.voloti...@iki.fi wrote:
2014-08-05 20:29 GMT+03:00 Paul Robert Marino prmari...@gmail.com:
I've never heard of SCCM but the Microsoft AD thing is doable but difficult.

Doable, not difficult, as it requires only the authconfig command twice. man authconfig

authconfig is *extremely* limited. Any sophisticated *removal* of previous Kerberos configurations, for example, requires manual editing or managed redeployment of /etc/krb5.conf. And don't get me *started* on tuning the Linux password policies in /etc/pam.d if anyone runs authconfig to enable something else, like Kerberos or NIS or LDAP.

Not a full AD integration, but I've had good success with managing user accounts locally with puppet, cfengine, chef, etc. and using only the Kerberos service on the AD servers to keep centralized password management.

I've also worked with Centrify, which some others mentioned. It provides pretty well designed integration and management tools, but it is *bloody expensive* on a host by host licensing basis. If you're investing that kind of money, you're probably also using RHEL directly instead of a free rebuild, to get commercial support.