We didn't... We have some custom tools which force things like screensaver locks and pam policies, and complain at the user if they are wrong.
Shared filesystems are a custom NFS server with a client binary for authenticating to the server, rather than host-based access. I'm not sure if it is the right solution, but it is what was implemented for our ~6k Ubuntu users and ~40k Red Hat users (and many more Windows users).

On 12 February 2013 12:26, Bolesław Tokarski <boleslaw.tokar...@tieto.com> wrote:
> Hello,
>
> How do you solve the machine policies topic?
>
> I mean - how do you make sure that an Ubuntu machine in your environment runs
> according to some policies you specify? Microsoft defined this as a "Group
> Policy"; perhaps the more general term is "System Configuration Management".
>
> As we found no product that does this out of the box (not sure about
> Centrify, though, but we couldn't afford it), we glued together a number of
> components to do the job.
>
> Firstly, we took CFEngine (www.cfengine.com) as the policy "enforcement"
> tool. This is a configuration automation tool. A valid choice would be
> Puppet as well, though we found CFEngine to be more lightweight and to suit
> laptops better. We defined a set of policies or configuration elements,
> like domain joining, authentication, firewall, VPN, etc.
>
> Secondly, we used cfgen (http://dozzie.jarowit.net/trac/wiki/cfgen), a
> configuration template solution, for flexibility.
>
> Thirdly, we used plaintext, YAML-structured files to hold variables used for
> templating. This part seems trivial, but we allowed inheritance between the
> files, so we created sets of variables depending on the country the machine
> originated from, the location the machine is in now (mostly for locating
> proxy servers and the nearest mirror), the Active Directory domain the machine
> belongs to, etc. We also provided a local override on the machines so the
> user can disable most policy enforcements (we preferred that over the user
> disabling the whole policy).
>
> Lastly, we decided to get all the possible information about a machine we
> could from Active Directory. We acquired:
> 1. The place in the directory structure (OU) where the machine object
>    resides; that gave us the machine's original location.
> 2. The IP subnet to AD "Sites and services" mapping, so we were able to tell
>    by the machine's location where the machine is now.
> 3. The owner of the machine (managedBy property).
> 4. The groups a machine belongs to.
>
> Unfortunately, we could not get the native Group Policy properties of an
> object nor the ACLs of Active Directory objects. So, instead, we decided on
> a group naming convention. If a machine belongs to a group called
> "policy_certificate", it receives the variables and policies for the
> "certificate" set.
>
> I would be glad to learn how other people approached the topic and solved it.
> Perhaps there are tools out there that we missed?
>
> Cheers,
> Ballock
>
> --
> Mailing list: https://launchpad.net/~enterprise-ubuntu
> Post to : enterprise-ubuntu@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~enterprise-ubuntu
> More help : https://help.launchpad.net/ListHelp

--
Anton Piatek
email: an...@piatek.co.uk
blog/photos: http://www.strangeparty.com
pgp: [74B1FA37] (http://www.strangeparty.com/anton.asc)
fingerprint: 7401 96D3 E037 2F8F 5965 A358 4046 71FD 74B1 FA37

No trees were destroyed in the sending of this message, however, a significant number of electrons were terribly inconvenienced.
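The variable layering and group naming convention Bolesław describes (country from the machine's OU, current site from the AD subnet mapping, AD domain, then "policy_*" group membership, with a local override on top) can be modelled in a few lines. The following is an added example written for this page, not code from either poster or from cfgen/CFEngine. It assumes the YAML variable files have already been loaded into dicts (constructed inline here), that later layers override earlier ones with nested-dict merging, and, as a hardening assumption not stated in the thread, that a small set of enforcements is locked so the local override cannot switch them off.

```python
"""Resolve per-machine policy variables from layered sources.

Layer order (lowest to highest precedence):
  base -> country (machine OU) -> current site (AD subnet) -> AD domain
       -> "policy_*" group sets -> local user override
All data below is constructed for the example; real deployments would
load each layer with yaml.safe_load() from the templating files.
"""
from copy import deepcopy

POLICY_GROUP_PREFIX = "policy_"   # naming convention from the thread
LOCKED_ENFORCEMENTS = {"firewall"}  # assumption: local override may not disable these

# Constructed stand-ins for the YAML variable files.
LAYERS = {
    "base": {
        "mirror": "archive.ubuntu.com",
        "proxy": None,
        "enforce": {"screensaver": True, "firewall": True},
    },
    "country": {"PL": {"mirror": "pl.archive.ubuntu.com"}},
    "site": {"Wroclaw": {"proxy": "proxy.wroclaw.example.invalid:3128"}},
    "domain": {"CORP": {"auth": {"domain": "CORP", "krb5_realm": "CORP.EXAMPLE.INVALID"}}},
}
# Constructed policy sets selected by AD group name ("policy_certificate" -> "certificate").
POLICY_SETS = {
    "certificate": {"enforce": {"certificate": True}, "ca_bundle": "/etc/ssl/corp-ca.pem"},
    "vpn": {"enforce": {"vpn": True}, "vpn_gateway": "vpn.example.invalid"},
}
# Constructed facts gathered from Active Directory for one machine.
MACHINE = {
    "name": "lt-1234",
    "ou_country": "PL",          # from the OU the machine object sits in
    "site": "Wroclaw",           # from the AD Sites and Services subnet mapping
    "domain": "CORP",
    "groups": ["policy_certificate", "laptops", "policy_vpn"],
}
# Constructed local override: the user tries to disable two enforcements.
LOCAL_OVERRIDE = {"disable": ["screensaver", "firewall"]}


def deep_merge(base, override):
    """Return base updated by override; nested dicts are merged, not replaced."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def policy_sets_from_groups(groups):
    """Map AD group names carrying the policy_ prefix to policy set names."""
    return sorted(g[len(POLICY_GROUP_PREFIX):]
                  for g in groups if g.startswith(POLICY_GROUP_PREFIX))


def resolve(machine, layers, policy_sets, local_override, locked=LOCKED_ENFORCEMENTS):
    """Build the effective variable set for one machine.

    Returns (variables, ignored) where ignored lists override requests that
    were refused because the enforcement is locked.
    """
    variables = deepcopy(layers["base"])
    for layer, fact in (("country", "ou_country"), ("site", "site"), ("domain", "domain")):
        variables = deep_merge(variables, layers[layer].get(machine[fact], {}))
    for name in policy_sets_from_groups(machine["groups"]):
        variables = deep_merge(variables, policy_sets.get(name, {}))
    ignored = []
    for name in local_override.get("disable", []):
        if name in locked:
            ignored.append(name)          # refuse, but record it for reporting
        elif name in variables["enforce"]:
            variables["enforce"][name] = False
    return variables, ignored


if __name__ == "__main__":
    effective, refused = resolve(MACHINE, LAYERS, POLICY_SETS, LOCAL_OVERRIDE)
    print(effective)
    print("refused local overrides:", refused)
```

Recording refused overrides rather than silently dropping them gives the enforcement tool something to complain about to the user, in the spirit of the "complain at the user if they are wrong" approach in the reply above.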