Honest question: Why? If you want a Windows-like environment, run Windows.
I get this all the time when people ask about a Linux equivalent for something, and aren't really satisfied when it doesn't work or look the same. Linux isn't a clone of Windows. Linux comes from an older heritage, and has a unique culture. You are in for a hard time if you want to use Linux like you would use Windows. That's a suboptimal experience, at best.
That said, of course Linux should be easy to manage. But Windows is from a single corporate entity, of course their management tools will be different. It used to be unix admins that laughed about people using Windows as servers. The culture around Linux is one of scriptability where even the user interface, the basic shell, is one where every command is inherently a script. That's why management on Linux looks like Ansible and OpenSSH, not like Remote Desktop and Group Policies.
You could write something like Group Policies for Linux of course, but it wouldn't be a complete solution so people would just continue using Ansible, OpenSSH, and the respective package managers.
> If you want a Windows-like environment, run Windows.
One of these questions where we, those doing the discourse, need to pick apart what the word "you" refers to here.
In this context, it is national governments, who have started to fear that there may come a day when they are not allowed to or able to or safe to run Windows. That gives rise to the question, "how can we get a system that minimizes the disruption of migrating away to Windows?"
Ultimately it's not about specifically wanting AD or GP as technologies, either, but the things they enable: seamless single-sign-on across an organization, and management of software security and updates across a fleet of desktops.
(possibly the thing that fills this hole is simply a fleet of consultants which go around explaining things to CIOs!)
Right, I see where you are coming from, I still want to make the stronger argument that we should not strive to re-work Linux in Windows' image. Most such initiatives, like gconf/dconf, have severely degraded the desktop experience.
I have some experience at places where Linux is run on desktops at scale, but they all have in common that these are engineers for whom Linux is the better experience to begin with. It's not like that for administrative staff and management. And as much as I'd like to tell people to use Prezi instead of Powerpoint, and Markdown instead of Word, sometimes Libre Office is the best answer.
We have to be practical. Still, I feel that too often it is engineering that has to use tools intended for administrative people. Once in a while, the other way around may not be that bad.
For a modern workplace, where smartphone and cloud based applications rule, the traditional Windows tools like AD and GP can only do so much. You also need MDM tools, and something like SAML. If you are looking for an out-of-the-box tool that can manage both Linux and Windows clients, Red Hat has FreeIPA. It's not AD, but it goes beyond that capability.
Because it works really well for a corporate environment where you require central management for your devices. Yes, the environments of Linux and Windows are different as you said, and unfortunately that means one will generally be better than the other within certain contexts. The corporate workstation use case is a gigantic one that Windows is currently dominating in, and this is terrible for Linux adoption because it means to get a job at a place that uses Windows you are incentivized to use it yourself so you can learn it. It also means that schools (which are often run like businesses internally) are way more likely to use it, so new students that are just learning how to use a computer are coming up on Windows.
Linux is indeed very different from Windows and that's fine, that isn't a problem at all and it has plenty of upsides. What should be clear is that this particular use case is a remarkable downside for Linux, and the mass adoption of Windows in the majority of businesses should make that self evident. Realistically Linux can and absolutely is used in business contexts in the same way as Windows (hence why France is going ahead with it), but it isn't as optimized for it as Windows is, when it totally could be. Macs have had some robust management platforms made for them that I've found pretty similar to AD for example. If someone developed a straight out AD clone for Linux that functioned more or less the same on the front-end it would be huge for Linux adoption in my opinion. Hopefully that answers your question.
I don't know. What's the Windows equivalent of dpkg (from 1993) and ssh (from 1995)?
Still nothing, three decades later. Not because Microsoft engineers couldn't do it, of course, but because they didn't want to. It doesn't fit the Windows model. They did recently adopt SSH, but that was because they want to use Windows in cloud-like environments, where expectations are set by Linux-style tools.
By the time Windows got to the point where it even could be centrally managed in any reasonable fashion, Linux environments were routinely run an order of magnitude larger still.
There is a reason why the whole cloud runs Linux. Anything else is a rounding error. That's because Linux is inherently so much less work to manage at scale.
If something like Group Policies would somehow be accepted by the Linux community, that could only be a step backwards. A well run Ansible or Puppet or similar environment works on a completely different scale.
They are not exactly equivalents, but that's not the point. I try to expand on this answer in the sibling comment.
What's important to notice however, is that the oldest of these are from 2009. At no time in the intervening 15 years (!) did someone say "Windows is unusable for desktops because it is not manageable".
Isn't WinRM/PowerShell/RDP the equivalent of SSH, and dpkg/apt-get is basically .msi with group policies for installation? This has been there for decades probably?
Group Policies also allow you to enforce things like browser configuration (proxy, homepage, search engine etc.) wallpapers, screen locks etc.
Can this be done on Linux? Honestly, I have no idea - I think gnome with gsettings/dconf can do that, but can KDE?
The point I want to convey is that while there are tools like MSI on Windows, many years after Linux had dpkg, it's not the same thing. On Linux the package manager rules the filesystem and keeps a complete database of which package owns which file. There are no exceptions, not on the parts of the filesystem where the package manager rules. Even the operating system itself and all patches are handled by the package manager.
That's first and foremost a cultural difference, not a technical. Sure, there's nothing to prevent a Linux vendor to write "install scripts" that copy files willy-nilly across the file system, and many vendors have done this but always with disastrous results and since Linux people hate it, those products are either repackaged or stored in a separate directory far away from other files.
This means installing software at scale (any number of systems), or the question how to cleanly uninstall software is not a question you should ever ask in a Linux environment. The questions you should ask are different in a Linux environment. That is why the tools look different.
Tools like gsettings are culturally alien to the unix world. Instead, home directories are seeded with dotfiles. And dotfiles are kept in version control. Yes, that means that unix people can't answer the question how to lock the proxy settings so the user is unable to change them. Instead, should a sensitive system require it, they would instead manage by policy and disallow any traffic outside said proxy.
I mean, Linux package managers are so great that we have at least 2 different ways of delivering software (especially GUI software) to Linux distributions that depend on "app images". To me that shows that none of those approaches are solving 100% of problems that you encounter in the wild.
> This means installing software at scale (any number of systems), or the question how to cleanly uninstall software is not a question you should ever ask in a Linux environment.
And yet this is a problem that so many third-party vendors who try to support multiple Linux distributions have been struggling for years.
> Tools like gsettings are culturally alien to the unix world.
Sure, Linux and UNIX are coming from different roots, but "cultural" means nothing in large organizations, where computers are basically tools not that far from printers, projectors, even hammers. A way to do someone's job. I may hate locked systems, but then I don't have to support users who cannot find their trash bin on the desktop anymore.
You can seed dotfiles for all users, but you can't really enforce that user cannot for example move his taskbar from bottom to the top of the screen without policy enforcement. gsettings/dconf may be culturally alien to this world, but it is (or at least was) solving an actual problem. A problem we may not care about, but some companies do.
Now, I think there is an interesting discussion here to be had - given this latest push from Windows to Linux, as a way of distancing Europe from US, would adding features that bridge this policy enforcement gap between Linux and Windows be desirable?
15-20 years ago I was going to say yes, but back then I cared so much more about Linux as Windows alternative for office use. Today I actually prefer Linux Wild West and how hard it is to lock it into any sort of MDM.
> To me that shows that none of those approaches are solving 100% of problems that you encounter in the wild.
The problem is a self-enforced one by developers. They chase the newest updates instead of focusing on stability. And bundling security and feature changes. And they want to push those updates instead of people pulling it in.
> And yet this is a problem that so many third-party vendors who try to support multiple Linux distributions have been struggling for years?
Are those complaints done in good faith? Most repos allow for custom repositories. And writing a build script is not that difficult. If Calibre, VLC, Firefox, and Blender can be everywhere, so can those applications.
> A problem we may not care about, but some companies do.
Firefox has /usr/lib/firefox/distribution/policies.json which lets the sysadmin lock down what users can do with the browser. Example: If you wanted to block all extensions except for a whitelist, you could control that via that file.
There's a bazillion tools that let you manage files like that across thousands of servers/desktops but the hot one right now in enterprises is Ansible (which would make it trivial to push out an update to such a configuration).
Chrome has a similar file: /etc/opt/chrome/policies/managed/lockdown.json
"Ah yes, but what stops the user from downloading the portable version of a browser and using that?"
You can mount all user directories with +noexec. Also, Apparmor lets you control which applications can make network connections if you want to get really fine-grained.
Other applications have similar policy files. For example, Visual Studio Code has /etc/code/policy.json which—for example—would let your company lock down which extensions are allowed to be used/installed.
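An added example, not part of the original comment: one way an admin could check that a deployed Firefox `policies.json` really implements the "block everything except an allowlist" lockdown described above. The sample policy and the extension ID are constructed; `ExtensionSettings` and `installation_mode` are Firefox's enterprise policy keys.

```python
import json
import os
import stat

# Constructed sample of /usr/lib/firefox/distribution/policies.json:
# default-deny for extensions plus one allowlisted ID (placeholder, not a real add-on).
SAMPLE_POLICY = """
{
  "policies": {
    "ExtensionSettings": {
      "*": {"installation_mode": "blocked",
            "blocked_install_message": "Ask IT to approve this add-on."},
      "approved-addon@example.invalid": {"installation_mode": "allowed"}
    }
  }
}
"""

# installation_mode values that let an extension run.
PERMISSIVE_MODES = {"allowed", "force_installed", "normal_installed"}


def audit_extension_policy(policy_text):
    """Return (allowlist, findings) for the text of a policies.json file."""
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # A file that does not parse cannot enforce anything.
        return [], [f"policy file is not valid JSON: {exc}"]

    policies = doc.get("policies") if isinstance(doc, dict) else None
    settings = policies.get("ExtensionSettings") if isinstance(policies, dict) else None
    if not isinstance(settings, dict):
        return [], ["no ExtensionSettings policy: extensions are unrestricted"]

    findings = []
    default = settings.get("*")
    if not isinstance(default, dict) or default.get("installation_mode") != "blocked":
        findings.append('default rule "*" is not "blocked": allowlist is not enforced')

    allowlist = sorted(
        ext_id for ext_id, rule in settings.items()
        if ext_id != "*" and isinstance(rule, dict)
        and rule.get("installation_mode") in PERMISSIVE_MODES
    )
    return allowlist, findings


def audit_file_mode(st_mode, st_uid):
    """A policy file that users can edit is a suggestion, not a policy."""
    findings = []
    if st_uid != 0:
        findings.append("policy file is not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("policy file is group- or world-writable")
    return findings


if __name__ == "__main__":
    path = "/usr/lib/firefox/distribution/policies.json"
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        st = os.stat(path)
        problems = audit_file_mode(st.st_mode, st.st_uid)
    else:
        text, problems = SAMPLE_POLICY, []  # fall back to the constructed sample
    allowed, policy_problems = audit_extension_policy(text)
    print("allowlisted extensions:", allowed)
    for finding in problems + policy_problems:
        print("FINDING:", finding)
```

Run from the same configuration-management job that deploys the file, this catches a policy that was pushed but does not actually default-deny.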
> Group Policies also allow you to enforce things like browser configuration (proxy, homepage, search engine etc.) wallpapers, screen locks etc.
Unix has always been about treating users like adults. The administration tools are more about the whole system and the hardware. You can always provide default or sample config, or prevent anything in HOME from being executed, but enforcing wallpapers is silly. But you can still do it by patching the software.
Linux version of AD is FreeIPA, with group policies translating to dconf - at least that was the way "enterprise" linux vendors (like RH or Canonical) were moving towards.
Now, how well is dconf integrated with all the software you want to run is another thing (it was done by GNOME, and ignored by KDE), and whether this is still the way they are all moving is yet another question but the infrastructure was being built.
On a Linux desktop you can lock down waaaaay TF more stuff than Group Policy allows. The only difference is you need a sysadmin that knows what they're doing. You can't just point and click a button that prevents users from connecting USB devices. Instead, you use a combination of groups, udev rules, and systemd-logind. There's also ways to do it with PAM if you want.
The most popular way to control user desktops that I've seen is to have your user login via LDAP (just like AD), optionally with Kerberos and then have their permissions to various things controlled via those groups. For example, if you were building a "desktop policy" for Linux users across your organization, you'd probably make a .deb or .rpm that installs some udev rules that grant or deny access to various things based on which groups the users are in.
Of course, you can also control things down at the user level. You could put a script in /etc/profile.d/ that does whatever you want when the user logs in. You can even make it dependent on how they login (detect remote SSH session or local login).
There's also dconf and KDE's Kiosk mode if you really want to lock shit down to annoy TF out of your users (haha).
Once you've got your Linux desktops setup the way you want (which is usually just a matter of making your_company_desktop.deb or .rpm) to customize things/permissions, you have so much power to do things you can't do on Windows. The fine-grain control in Linux is unreal: You can give a specific user access to run and do very, very specific things as root (Windows Administrator equivalent) without much effort at all.
Linux also lets you lock down the hardware in ways Windows doesn't support. For example, you can chattr +i to make certain devices/files immutable. You could compile a custom kernel that doesn't even have USB mass storage support. What's more secure than that? Haha.
BTW: You can also make all USB mass storage devices read-only with a simple udev rule. You can even add exceptions for special things!
The concept does not really exist it is a Windows thing. You could call Puppet or other config managements group policies, but Linux is not a monolith so it is more organic.
AD is LDAP+Kerberos, which has existed in the Unix/Linux world long before Microsoft bastardized it. So pick any of half a dozen LDAP server implementations and any of 3 or 4 Kerberos implementations and use those. If you want point-and-click/drool interfaces, use FreeIPA. If you really want it to look like AD, use Samba 4. Even Windows boxes will hardly know the difference.
Group policies don't exist and won't ever exist on Linux. Group policies are LDAP entries that are copied on system boot and user login into their respective parts of the local registry. Software may then read, interpret and use those registry entries. On Linux that wouldn't work for numerous reasons. First, on a multiuser system rebooting to apply configuration changes is not viable. On Windows that's apparently fine because it's single-user anyways, and reboots are an accepted fact of life. Also, to apply a system policy that is intended to limit what a user could do, asking the user's software nicely via registry entries is stupid and insecure. Lots of software won't even read the registry and have group policies that it will obey. Want to get around an Internet Explorer Group policy? Use Chrome or Firefox!
So what you do instead on Linux is: If it's just configuration, just copy it over, using the usual text configuration formats that are common on Linux. There are lots of tools to do this, starting from simple hack jobs like using scp to full configuration management systems like ansible or puppet. The "group" part is handled by those systems as part of their function, you can easily group/subgroup/discover/inventory/parameterize. If it's policy, so you want to restrict what a user can do, you use the higher-privileged layers of the system to put in actual restrictions, not just "group policy" suggestions. You can configure the user's home directory to be mounted noexec, so software execution after an unauthorized installation is impossible. You can put them in containers, namespaces, limit their resources and system access using cgroups, filesystem permissions, and more fine-grained permission systems like SELinux. If you are so inclined, you can forbid the user from opening files starting with the letter 'f', using eBPF syscall filters (this will of course break everything, but I needed a stupid example ;). All those can also be configured with your configuration management system of choice.
Just as a comparison: Our Windows team needs 3h just to re-image a laptop, just for Windows. After that, all the software needs to be reinstalled, all the data copied over. Then, after 2 days and 10 reboots or something, it will have picked up all the policies, updates and things and maybe be usable. Our Linux installation takes 45 minutes. Including all the software that was previously assigned to this system, including all the settings. It will be fully updated, configured and usable after the first reboot.
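An added example, not part of the thread: both this comment and the earlier one about mounting user directories `noexec` rely on the option being set on the mount that actually covers a path. The sketch below checks that from `/proc/mounts`-format text; the sample mount table and the helper names are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/mounts format:
# device, mountpoint, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
//fileserver/share /home/shared\\040docs cifs rw,relatime 0 0
"""


def unescape_field(field):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) in file order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        mounts.append((unescape_field(parts[1]), set(parts[3].split(","))))
    return mounts


def governing_mount(path, mounts):
    """Mount covering path: longest mountpoint prefix, later entries win ties."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        mp = mountpoint.rstrip("/") or "/"
        covers = mp == "/" or path == mp or path.startswith(mp + "/")
        if covers and (best is None or len(mp) >= len(best[0])):
            best = (mp, opts)
    return best


def writable_exec_paths(paths, mounts):
    """Return the given user-writable paths whose covering mount lacks noexec."""
    exposed = []
    for p in paths:
        hit = governing_mount(p, mounts)
        if hit is None or "noexec" not in hit[1]:
            exposed.append(p)
    return exposed


if __name__ == "__main__":
    try:
        with open("/proc/mounts", encoding="utf-8") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_MOUNTS  # fall back to the constructed sample
    user_writable = ["/home", "/tmp", "/var/tmp", "/dev/shm"]
    for p in writable_exec_paths(user_writable, parse_mounts(table)):
        print("FINDING: executables can run from", p)
```

The sample shows why checking only `/home` is not enough: a share mounted beneath it and the world-writable temp directories each carry their own options.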
That link goes to the Greece financial crisis which, according to the Wikipedia page, started in 2009. Varoufakis was elected minister of finance in early 2015 and resigned only half a year later. From the outside, it seems impossible that his half year ministerial tenure could have caused a crisis half a decade earlier. At the time, Greece had already defaulted twice on their loans and were about to do it a third time.
This may sound reasonable but isn't at all how newspapers are run. You can absolutely buy an ad in the New York Times criticizing the New York Times. Within reason of course, as you said they are private entities allowed to take on any customers they want, but in general newspapers hold journalistic integrity as an ideal and will allow most things as long as they aren't defamatory, unethical or downright illegal.
The ad sellers and the journalists are normally separate and will not interfere much with one another's work. It also helps that they never say no to money. I don't know about the New York Times specifically but similar things have happened many times in other newspapers, and there is such a thing as a paid editorial. Those are usually clearly marked as such, but it's basically the same thing.
(However, there may be other reasons why you might want to go with a competitor instead, and not pay the newspaper you hate $100k.)
The problem is that Europe does not spend enough on US weaponry. Building nukes domestically does not help with that.
NATO was explicitly built to keep Europe in line. That worked to the benefit of everyone, until national security interests and land expansion put a stop to it.
> If your money goes up in value, you have a huge incentive to stockpile it and not buy pizza
A lot hinges on this being true, but being deflationary is not unique to gold. It is also true for a lot of other things, including stocks. Yet we think it is good that regular people spend their earnings on stock, and it is generally considered to be one of the things which made American economy uniquely strong. So much so that other countries seek to mimic it.
The argument should cut both ways: A strong stock market which is deflationary should lead to economic stagnation. Why buy a pizza today when you can buy S&P500 and buy two pizzas tomorrow?
Reality seems to disagree here. People buy what they need and want, today, and whether the rest is stored in fiat currency, stocks, or gold seems to matter very little for economic productivity.
> Yet we think it is good that regular people spend their earnings on stock, and it is generally considered to be one of the things which made American economy uniquely strong
I...don't think you know what stocks actually are. Your argument doesn't make sense because stocks are the literal exact opposite of a deflationary good lol.
Companies issue stock to raise money. If you buy stock from a company, you're giving them that money in exchange for a small stake in ownership.
It gets more complicated with stock markets and all the other stuff, but the heart of it is taking money that would normally sit for decades doing nothing and giving it to those who can use it right now.
> Reality seems to disagree here.
It only does if you don't know how things work and don't want to learn lol
There is certainly some misunderstanding here, and I am unsure about where it is. Perhaps another example could have been more clear.
When you "buy the S&P500" you do not buy stock from companies. No S&P ETF takes part in private placements or IPOs. They buy "used" shares on the open market, with the single intention of selling it on the open market to someone else.
When you buy the S&P, at no point do you give money to any of the S&P companies (except perhaps a small fee to the ETF issuer, most of which are public companies, but let's not split hairs about that).
There are of course other methods of buying the S&P500, such as tracker certificates, but they only add layers of indirection to the above, they do not change the fundamental facts about it.
> you don't know how things work and don't want to learn
> the entire modern tech industry would not exist without ZIRP
The problem with zero interest rate is that it doesn't incentivize better ideas. Why would you work to increase productivity if capital has no cost?
The period 2016-2021 was one where interest rates were the lowest, sometimes even negative, and you saw companies hiring endlessly, and acquiring competitors with no intention of doing anything with their products.
It is very hard to compete on talent and good ideas in such an environment when all your competitors are burning through loaned and venture capital (which itself is also largely loaned at some point).
> Buying stocks hoping that it would appreciate doesn’t work when there is no economic growth
Why? If you and I earn $100 per year, every year, that means there is no economic growth. We spend half of it on food, clothes, and other necessities and buy stocks with the other half, stocks will go up in value.
A non-growing economy has aspects of a zero-sum game. Speculation can still occur, and can continue unbounded. Stocks, gold, bitcoin, have historically all been deflationary.
> Bitcoin, where users would need to migrate their coins to a quantum-resistant scheme
Is that so? I always thought that the design choice that only hashes of the public keys were public was a pretty clever way to make the whole scheme quantum-proof. What did I miss?