Solaris Spit & Polish

An interesting discussion has been taking place on the OpenSolaris SysAdmin Community list, and I sense it will lead us toward some important changes in Solaris. Essentially it all comes down to the lack of spit and polish. What has always been something we perhaps ignored or downplayed has become far more starkly contrasted by truly easy to use yet complex things such as ZFS or SMF.

The clearest examples are technologies that currently are essentially useless without custom scripting. Such examples include LDAP, Extended Accounting, and BSM Auditing.

LDAP is one that’s really concerned me. Almost any Solaris environment would benefit greatly from an LDAP/Kerberos implementation, for ease of management and increased security… but frankly, just dropping in a directory server and authenticating to it isn’t so straightforward. Populating and maintaining the DIT is complex, commonly requiring custom scripts and possibly a 3rd party LDAP browser. While the aging idsconfig script is supposed to jumpstart your experience, it’s not perfect and is tailored to Sun DSEE. In the community we commonly see people scratching their heads wondering if other directory servers, such as OpenLDAP, even work with Solaris and how to get started.

Microsoft hit a home run with ActiveDirectory, and it pains me in the same way that NetApp kicked Sun’s ass at building NFS servers. Sun is a systems company and the leading provider of directory/identity management products, but if you want to use them in conjunction with Solaris you’ve got a lot of custom work to do. As far as Kerberos, most of the use continues to be in academic environments, which means that the best means to secure NFS in a corporate environment just isn’t used.

Sun is very good at engineering the big things, but I’ve noticed that when it comes to connecting all the dots they tend to turn toward the path of acquisition. A need arises for a management app or something, they find a decent software company doing it, acquire them, and then slowly let the thing rot. I mean, how many people still use Sun Management Center or N1 Provisioning Server? (Or ever did, for that matter.)

A lot of focus has gone into the GNU-ification of Solaris and improving the desktop experience with Indiana… I mean OpenSolaris… but at some point we’ve got to get back around to focusing on what Solaris does best, being the enterprise class server operating system we know and love.

This is especially important in the face of Cloud Computing. The cloud needs solid server operating systems, and Solaris leads the pack. If we’ve proved one thing with Solaris 10, it’s that making Solaris more like Linux doesn’t have nearly the impact we hoped it would, but making the complex very simple and straightforward (ZFS, DTrace, SMF, FMA, …) is dramatic.

Monitoring, management, and infrastructure are what we need. Easy, quick, and powerful. We have the technology underneath; we just need to bring it all together.

What say you?

64 Responses to “Solaris Spit & Polish”

  1. Mark Glossop says:

    Absolutely agree – personally, I’m very at home with the command line, but sometimes you do turn around after doing a repetitive task for the umpteenth time [even if you've scripted some of the process] and say “y’know, I really wish there was a GUI tool to [insert fiddly task here]”. The examples you give of ZFS, SMF and DTrace are in fact perfect for illustrating this point.

    [I'd think about helping develop this sort of thing myself, but I think I've become a "journeyman" in too many development environments already. If there were more compelling reasons for _developing_ on/for OpenSolaris, I might reconsider that idea, but I don't think that's going to be more than a wish for some time yet.]

  2. I doubt anyone could disagree with that analysis. Recent Solaris changes have delivered awesome new tools (ZFS and zones spring to mind), but some basic and extremely important parts of the OS have been neglected: patching/upgrading, for instance, which is a necessity for just about every sysadmin, still is a real pain. LiveUpgrade, which is supposed to make that process easier, is a perfect example of what you describe: an unfinished implementation of an excellent idea.

  3. Anders Blomgren says:

    Funny that you mention AD and Kerberos. A decent connection to AD from Solaris requires Kerberos and the last time I tried (basic Solaris 10) I couldn’t even use the small parts actually included from lack of headers and limitations in the builtin Kerberos libraries.
    It comes with Samba but with kerberos disabled? Most people I know don’t run NT4 anymore. Thank god for 3rd party packages.

  4. Rainer says:

    Ben, check-out FreeIPA: http://freeipa.org/page/Main_Page

    Unfortunately, it requires either Fedora for the free version or costs 7k USD and comes with RHEL then…
    But Solaris as a client is supported and the setup of the server is very simple.

  5. hvm says:

    Completely agreed. Let’s hope the message gets through.

  6. Mike Kirk says:

    Hi Ben! What’s your thoughts on the new xVM Suite (i.e. xVM Ops Center just hit 2.0). A step in the right direction? Or another set of tools that will die on the vine?

  7. You couldn’t be more right in regards to LDAP. We use Sun’s LDAP server (Directory Server), but I use Softerra’s LDAP Administrator product to manage the entries rather than any of the built-in tools.

  8. And as for xVM Ops Center, unless I’m wrong it doesn’t seem to be freely available or downloadable. This is rather strange for Sun, who had been moving towards a “Software’s free, support costs money” model.

    At the same time, VMWare will give anybody who asks a 30-day trial license for vCenter and VMWare ESX.

  9. Totally agreed. In Solaris’ defense, however, the linux competition isn’t exactly leading the charge. That kind of integration is pretty hard and needs investments on the scale that large corporation can make. Fishworks is a pretty good example of such a thing, so perhaps there is some hope that if they make an LDAP server appliance they’ll make it easier to connect solaris clients to it. One can dream.

  10. Zack says:

    If you want to see a slick and easy LDAP/Kerberos implementation, check out OS X Server. Creating an entire setup comes down to:

    1. Configuring DNS
    2. Telling the server to become an Open Directory Master

    This can be done in either the GUI or CLI, takes 5 minutes to set up, and doesn’t require dynamic DNS or other AD specific changes to your network. Replicas of the master are just as quick and easy to set up.

    The lack of this sort of functionality is the thing that kills alternate OS’s on the desktop, and one of the reasons Apple may succeed in businesses where say desktop Linux has failed.

  11. SRS says:

    Couldn’t agree with you more, Ben. If you’ve dealt with it enough, LDAP and Kerberos aren’t so bad. But that’s coming from someone who has done everything from the ground up and scripted around the shortcomings. If you’re dealing with it for the first time it would be beneficial to have a better guide along with polished tools. All the examples you pointed out would definitely be prime targets on my list for some spit and polish.

    @Anders: Run into the same fun with Samba. The Solaris provided package has Kerberos compiled in last I checked. Kerberos headers are now included (see /usr/include/kerberosv5) at least as of 05/08 release, maybe earlier? It’s all still a little crufty, but with a little work it will integrate with AD.

  12. Tom says:

    I had a small environment with a few users (6 Solaris, 2 Windows, 10 users) that required account lockouts, expirations.

    NIS can’t do it. NIS+ is too.. yuck & deprecated. I took the LDAP class & decided it was overkill.

    Luckily, Solaris 10 does the account stuff in /etc/shadow. So I went with local /etc and would login with users to run passwd on all the systems. Over the last 3 years, I think it’s been less work then LDAP would have been.

    I’m not sure LDAP would’ve worked for the Windows systems w/o lots of work.

    FWIW, I run NIS for automount, DNS for IP. And Samba for the PCs to get to /home/username

  13. Mika says:

    I’m missing something like cfengine, puppet, bcfg2 …to be integrated into Solaris.

    xVM Ops Center seems ok for what it does. but it covers only the start and the end of a server lifecycle. When all between is the most interesting part.

  14. Wayne Abbott says:

    Your commentary is spot on. I’ve been at Sun for 10+ years in the field and I’ve said this a million times. We have great technology, but my running joke has been “non-Jedi need not apply”. While the joke is a little harsh, since this is not true across the board, all too often we think getting into the red zone is the same thing as taking it across the goal line. All we have to do is look at history and who has gotten their technology into the hands of a mass of people and you quickly see we have unnecessarily handcuffed ourselves. Our lack of attention to that last 5-10% of details has hurt the adoption of some truly superior technologies. I have looked at the string of acquisitions over the years or other investments and shook my head – not because these moves didn’t have some merit but because they in my mind don’t have a priority over getting our house straight.

    When the bar to use a technology is too high I don’t care how good it is – its impact on the industry will be severely limited unless it’s so superior, differentiated, or low cost/free that people will put up with the pain to achieve certain goals. Microsoft has proved that making things at least reasonably accessible has grown their market share in the data center in spite of having many technologies not regarded as best in class. That said, there is clear evidence this is changing at Sun (Amber Road, xVM GUI, ZFS, Time Slider, OpenDS, etc.) but if it were up to me I would have reduced the number of bets we have made (no, I don’t have a list of things I would have killed, but if I was being paid to do so believe me I would have a list), staffed projects appropriately (a big source of this problem), and put down edicts long ago that if you don’t have a CLI, GUI, and BUI that a non-Jedi can use, your product doesn’t ship – no exceptions. Apple more often than not has stuck to this standard and Sun should aspire to have the same ideal.

  15. Eric says:

    Huzzah! and +1

  16. Alan Pae says:

    >I mean, how many people still use Sun Management Center or N1 Provisioning Server? (Or ever did for that matter.)

    SMC is a great product it was the cost that kept it from being used. That has changed.

    You are right about LDAP not being an integral part of a single/multi server install.

    alan

  17. One could easily argue that “making Solaris more like Linux doesn’t have nearly the impact we hoped it would” is due to the fact that Solaris has barely made any progress in this regard. :(

  18. +1. I’ve so far focussed on Belenix on the destop, and we’ve been working during what little time we have on hand to improve the Belenix usage experience.

    But now that I’ve started to deploy Solaris at work, I’m starting to understand your concerns better.

    I’m myself a migrant from the Linux/GNUworld, but I fully empathize with each statement you’ve made.

  19. kayjay says:

    Interesting thread, here’s my 2 cents.

    * OpenLDAP is very easy to set up, build and populate for UNIX authentication and name service information, and with modern Linux distributions you can configure them to use the directory easily with authconfig (RHEL). But you do have to get your LDAP fundamentals down pat first; it’s not one of those things you can “just set up” without doing some research first. The O’Reilly OpenLDAP book is a great start, although another edition would be more than welcome.

    * Solaris struggles because it’s got a clunky interface and from memory expects some unique schema extensions, which make interfacing it to anything except Sun’s LDAP server painful. We have found it much easier to cast this all aside and implement PADL’s PAM framework and take it from there.

    * You do have to give it to Microsoft, AD is good. On top of this, interfacing Linux (and Sun with PADL’s libraries) has never been easier.

    1) Add the NIS schema to AD
    2) Follow the Linux <--> AD documentation that comes with PADL’s PAM framework after deciding if you want to use SASL or simple binding.
    3) Done.

    What Sun needs to do is have someone grab this by the horns and bring it up to date (Spit + Polish like you say). Maybe use the PADL libraries as standard, and if you want more advanced features that require schema mods, have it as an add on.

    my 2 cents…

    ./kayjay
    (Looking forward to seeing the end of NIS)

  20. Joshua M. Clulow says:

    Solaris doesn’t strictly *need* any “unique schema extensions” for LDAP naming and PAM. Ripping out the current system LDAP libraries and replacing them with PADL really isn’t necessary.

    Better documentation about getting LDAP running on Solaris (with either profile objects in the directory or direct file configuration, with TLS/SSL certs, etc) is probably what’s *really* needed here. The tools are largely there except for, perhaps, an idsconfig replacement with additional non-DSEE support.

  21. damntech says:

    When it comes to money makin’, something to keep in mind is: can the sales people sell it? They can sell Sun Rays, they can sell T-series and X-series servers, they can sell xVM and I am sure they can sell the new Amber Road based storage devices. Closing the loop and making a complete product makes it easier for a sales person to present. Does Sun have sales agents that are versed in selling LDAP? I would guess not… The product doesn’t look shiny or compelling on the showroom floor.

  22. BSDer says:

    OpenLDAP is solid technology and would benefit from the high quality polish and integration you talk about. Kerberos and OpenLDAP just should not be as hard as they are to set up. The bare minimum is that they should be no more difficult than a LAMP stack … For sure BSD projects, Apple and Linux would help spread and popularize any halfway decent alternative to Active Directory (which is only popular IMHO because of ubiquitous SMB/CIFS/NetBEUI and very tight bolted-on integration with XP/Vista Server).

    I’m not sure how amenable the OpenLDAP project is to being “improved” to meet product requirements in the way Apache, MySQL and others have been. I mention it because it is well known. *All* LDAP projects need work if they are going to make /etc/passwd go away. It seems whenever possible unix admins avoid LDAP. Compared to LDAP approaches using OpenLDAP, native Sun LDAP, (even MS-AD in a multi-platform environment), or Apache’s project, the utter *ease* of setting up a Kerberos server for authentication *without* directory services is stunning. For 100s, even 1000s of users we still use NIS (!!) for propagating user info and Kerberos for passwords. Sure, NIS is really true legacy technology (it’s the *definition* of “legacy”) and you miss out on all the authorization, management goodies and other user info you can include in LDAP, but adding an NIS user and telling the network their password is in Kerberos (and never propagating passwd files) is so relaxing it’s tempting (and easier) to stay isolated in a parallel UNIX universe. If we want to play nice with all the other hardware/software out there that is not going to work.

    Would that LDAP solutions were as simple as traditional UNIX tools … then the scalability would look like a bonus. Right now it just seems like a lot of work so we get “!LDAP unless numberof.users > $somevalue” and $somevalue really depends on how long you think you’ll be the admin of the system.

  23. nacho says:

    I’d have to agree, setting up a simple Windows domain requires just a few clicks, and adding a computer to it a few more. And AD does not only handle user authentication, it does quite a bit more than that; for example you can enforce the encryption of a given directory in each and every one of the computers of the organization, configure a proxy server for everyone, etc.
    Solaris NEEDS that to succeed as a workstation in the enterprise. Real integration with Windows users would be a huge plus too.
    Apple got it right and made it easy for everyone.

  24. Nick says:

    Thoroughly agree on the LDAP front.

    At least in Europe we have payment card industry (PCI) standards looming to boost security and consumer confidence, and my research on how to implement a Solaris LDAP master with RBAC has left me bewildered.

    We are still struggling to come up with a good solution – and due to PCI standards we absolutely need one.

    I don’t profess to be an LDAP expert but surely it’s possible to make this work on Sun so I don’t have to be?

  25. Kerminator says:

    How about starting with reasonable settings and blueprints? GUI tools can come afterwards, but start documenting basic stuff and making some reasonable default *.conf for some basic usage scenarios. Or create some nice Sun Solaris blueprints that provide a valid starting point. Personally, several Sun blueprints about zones and security turned me to looking into Solaris. And in the end we built a nice Solaris webserver with zones. Everyone was happy, including management, admins, and the web team.

    Consider Samba and smb.conf for example. Lots and lots of stuff in smb.conf (check man smb.conf on any recent Linux distro) and no obvious good defaults to start with. Yes, setting up a basic share in Samba is not that hard. But try to create an OpenLDAP+Samba+Kerberos system. Now you enter a world of pain, trial and hate. Most of the stuff is ancient, contains old and nasty stuff. For example, google “Vista and Samba”: most of the resulting answers suggest that you should turn off NTLMv2.

    Or OpenLDAP.. No good starting points on how to design a small directory structure and set up a basic ACL. Unless you read several books, surf and test several setups. Then check how Microsoft AD setup is done. Simple, effective and super easy, good documentation on technical and general setups. Or compare documentation between Sun Directory Server, Fedora/Redhat Directory Server and OpenLDAP. Which of those has good documents and good examples? Not for a developer but for a sysadmin who has to build, set up and admin the end product for the next 2-4 years.

  26. David Brodbeck says:

    Amen.

    A big reason I’m still using NIS on my Linux boxes is it’s always looked like way too much work to learn and set up LDAP. NIS is mostly turn-key, but LDAP seems to require lots of poking and prodding using commands with obscure and complex syntax, and there are few clear guides to how to do it. Maybe I’m just not as smart as I like to think I am, but I find it hard to get my head around.

  27. Wrex says:

    Ben,

    I whole-heartedly agree. I’ve been trying to give SunMC 4.0 a chance, due to the new containers module (zones) that is supposed to be available (Through the clunky web interface) but it’s been an utter failure. Not only that, the zfs module is now broken, since upgrading to the latest patch cluster. Sun can’t even seem to get their heads together to correct the issues, after numerous calls and sessions, trying to address it.

    It’s not that I mind the command line (Hell, I prefer it) but I have Jr. admins who could benefit from the interfaces, not to mention that Management would like a pretty interface to look at, when I am trying to describe something to them or show them something (command line seems to make them run, lol).

    Another convenience would be when VPNing in and trying to work with the Management Center. The Java console is nothing but un-spectacular, in performance, through VPN.

    -W
