September 2007


Back in Sydney after visiting Port Douglas (dove the Great Barrier Reef and visited Daintree Rainforest National Park), and Uluru and Kata Tjuta National Park.  That makes 3 UNESCO (United Nations Education, Science, and Cultural Organization) World Heritage sites in 3 days. With the Greater Blue Mountains area near Sydney and the Sydney Opera House tomorrow, that’ll be 5 in just this vacation. I’ve only visited 3 in the US so far (Yellowstone, Statue of Liberty, and Redwood National Park).

Back in another week!

Today is my last day on the job before starting a 2 week long vacation to Australia, visiting Sydney, Port Douglas, and Uluru. I’ve been asked several times if I got a GSM phone to be able to take calls there in case something went horribly wrong at the office, and as a follow-up, if Sprint has service out there (when they hear I’m not taking a GSM phone).

I make it a point in my work to make sure someone else can effectively back me up on all aspects of my work.  There are some people I’ve worked with who seem to think that if they are indispensable, then the company can’t fire them.  However, it also means, to me, that they can’t be promoted, can’t go on vacation, and can’t even have an evening at home with family.  So, when I design things, or fix something that broke, or make changes to make something work better, I make sure to include as many team members as I can, so that I can do things like take my wife out, and not be tied to my phone, worried that it may ring, even when I’m not officially on-call.

To that end, I spent a lot of time over the past few weeks giving a lot of history to the newer members of our team, so that they understand the decision-making process that led us to the system state we’re at now. Why do we have to reboot Terminal Servers every weekend? Because of a memory leak in Windows 2000 that our application and settings trigger fast enough to require it. Not just “which servers do we have to have up 24/7”, but why those servers, and not others, even if they’re in the same priority group. This has been tremendously helpful to them in their day-to-day work, evidenced by the lower volume of questions they’re asking other members of the team.

So, after all this work, how are things set? Does everyone in the team have the exact same skillset at the same level as me? No, because we’re different people. Will it maybe take them a few minutes more to solve <insert particular problem here>? Maybe, because I may be the most knowledgeable person on that application, but that doesn’t mean that they can’t fix it quickly. So I spent half of the day today reiterating those facts to people who are worried that the company will fail if I’m not here (it surely won’t – I’m not that important).

Now, then, off to vacation – I’ll write a blurb about it in 2 weeks, then a few days later about how busy I am catching up!

I just finished evaluating an excellent piece of software for Windows/Linux hybrid shops: Centrify Corporation’s DirectControl Suite. This is a fantastically well executed integration suite which allows administrators to bring their GNU/Linux and Unix boxes into the Windows Active Directory domain. This brings centralized control of UID/GID (like NIS), the mutual authentication of Kerberos, and centralized Group Policy control to Linux/Unix.

First off, I’d like to mention that the software installs first on a Windows “console” system. That install has the option of extending the schema, but it is not required (the extensions allow administrators to use the Centrify Profile tab for users and computers without installing the Centrify Console locally). All required pieces work with the standard out-of-the-box Windows 2003 AD schema. The view extensions are well worth it, though, if you can get them approved by your AD administrative team.

I installed this on a Debian Etch system and a Red Hat Enterprise Linux 4 box.  They ship RPM and DEB installers, so installation is a snap, and shows up in your package manager.  Restarting the systems was not required, but a few systems may not pick up the new PAM settings without at least a reload (OpenSSH did fine).

One of the best parts of this software, however, is in their updated version of OpenSSH to support Windows Kerberos tickets for authentication of users. Single sign-on to any Linux box from Linux or Windows (customized PuTTY for the same reason) without having to copy RSA keys across your network every time you build a box. Now my Oracle admins can log into the 10g databases seamlessly (yes, they support Oracle authenticating through AD as well).

Of course, no solution that integrates into AD would be complete without support for Group Policy. As a huge user of Group Policy (I have 8 GPOs on my home domain), this is key for me. The thing that makes it so spectacular is that they just install new ADM files to your console system. That’s it – no new trees needed, just new ADM files with settings specific to Linux like “SuDoers entries” and “SSH settings”. Just like GPO on Windows, they’re applied every 90 ± 30 minutes, and when you remove the system from the policy, the settings get pulled. For the Sudoers settings, they are appended to the end of the existing file. Also, many of your security settings for Windows boxes are read directly by the Centrify systems as well, including password expiration notices, lockout policy handling, etc.

There are so many other little features that show how well thought-out the system is.  The client can be configured to cache logons similar to Windows, so you can control your Linux laptops, and still enable the users to log in when they’re on the road. There are several scripts and other tools to help “suck” the users out of /etc/passwd and NIS into AD, to help keep your UIDs in check if you’re installing the client into existing servers.

And that’s just the operating system.  JBoss, WebSphere, Apache and other applications and middleware can be AD-enabled, and anything that uses PAM is automatically AD-enabled, giving you the ability to set up true single sign-on everywhere in your network, if you so choose.

Needless to say, we purchased it, and I’ll be integrating this into all my deployments from this point forward.