Old 06-15-2022, 12:15 AM   #1
Martin.
LQ Newbie
 
Registered: Jun 2022
Posts: 4

Rep: Reputation: 0
Trying linux in big corporation, any best practices (more info in messagebody)


Hey everyone, this is my first post here.

So we have a rather large corporation, around 5000 employees. I have been a Linux user (home user) for a few years, and now I have finally gotten a meeting with the higher-ups to try out Linux in our offices.

Our company is strictly based on Microsoft: O365, MS AD, MS Windows (a few Linux servers) and so on.

My questions are:
Are there any best practices for incorporating a few Linux OS:s into a MS based environment?
Is it possible to manage the Linux OS:s and Users with MS software that's already in place?
Is there anything obvious that I need to think about when adding a Linux OS to the corporation?

I'm sure that the initial test will only be a few machines with Linux Desktop on them, maybe 3 - 4.

Even though I run Linux at home, I am by no means an expert, and the other people who are going to try this out are even more inexperienced than me.

So, do you guys have any thoughts on how I can do this with as few problems as possible?

Thanks in advance,

Regards,
Martin
 
Old 06-15-2022, 04:05 AM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,924

Rep: Reputation: 7319
I wouldn't use MS software to manage Linux.
You will need to create a group (of people) to manage, maintain, and support it.
Linux hosts can be connected to AD and have office apps, so they can handle docs, slides, mail, whatever you wish.
 
Old 06-15-2022, 08:30 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,328
Blog Entries: 3

Rep: Reputation: 3726
Quote:
Originally Posted by pan64 View Post
You will need to create a group (of people) to manage, maintain, support it.
Indeed. The presence of microsoft products is more a staffing problem and less a technical problem. So you will need to hire in people for that, and human nature is such that the embedded microsoft resellers entrenched there will see that as a threat. In my experience microsoft resellers cannot be retooled to work with actual IT for a variety of reasons. At the top of the list, but by no means the only reason, is that microsoftianism is spread by word of mouth, an oral tradition, while IT is primarily a written activity. The word-of-mouth transmission allows them better leverage to be gatekeepers and bottlenecks as well as to check for loyalty to their cause.

Also, beware the sunk cost fallacy in regards to the pre-existing microsoft products. Nothing economic or technical would prevent staff from having both LibreOffice (or Calligra) alongside legacy productivity software, on systems that support both. Yet there will be a lot of pushback about it.

That aside, computers are about data. So, addressing the file and data formats would be one of the places to start. Many are nonetheless distracted by programs rather than the file formats which the programs manipulate. If multiple programs were to fully support the same file formats, the programs could be used interchangeably and companies could then select the programs for reasons other than vendor lock-in. Therefore, M$ has fought open standards hammer and tongs for decades and their programs manage open file formats (such as the OpenDocument Format or for that matter HTML) very, very poorly on purpose in order to raise exit barriers.

tldr; focus on open data standards and formats early on
 
Old 06-15-2022, 10:41 PM   #4
Martin.
LQ Newbie
 
Registered: Jun 2022
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks a lot for the replies!

I was thinking of suggesting at the meeting next week that maybe we should use a distro with an immutable filesystem (Fedora Silverblue?) for security reasons. Any thoughts?

/M
 
Old 06-16-2022, 01:50 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,328
Blog Entries: 3

Rep: Reputation: 3726
What aspects of an "immutable" file system are you interested in and what problem are you trying to solve with it?

I would also ask what characteristics are most important to you for the desktop and how will these systems be used? And what are the evaluation criteria?

The choice of distro depends on a lot of factors about goals and usage. On the desktop, a generic short list would include Linux Mint and Manjaro. One of the main strengths of GNU/Linux is how well it can be customized. A distro is only a set of defaults. From there you can basically take any distro and then add, remove, or re-configure it to look or act like any other. Some are freaked out and frightened by the range of choices, but the flexibility is a real strength. You buy clothes and shoes and other items so that they fit you and enable a given task, why not also the computer software?

Though, if you aim to pay outside companies for a desktop support contract then obviously that would limit you to desktop oriented distros with prominent companies backing them, such as how Canonical sells support contracts for Ubuntu. GNU/Linux deployments scale quite well so a few people could manage all 5000. Though if you have the hardware in use over five years and have staggered replacement, that'll be around 1000 new machines per year. Maintenance and, to a certain extent, setup can be orchestrated with Chef, Puppet, Ansible, Terraform, SaltStack, or other tools including even simple, custom shell scripts.

Most distros have live images which can boot and run just fine without actually installing anything. They are great for testing the defaults and getting a feel for what's out there and what can be customized. The desktop environment is probably the most visible component which can be swapped out or customized. Be sure that your tests take a look at KDE Plasma, XFCE4, Cinnamon, and MATE. See also: https://linux.oneandoneis2.org/LNW.htm

(By the way, with GNU/Linux on the server side you could base file sharing services on OpenZFS RAIDZ2 with snapshots, even to the legacy desktops. While not a substitute for a proper backup discipline, the snapshots take very few resources and would make recovery from a Windows-based ransomware incident rather quick, once the desktops are cleaned up since they would enable rolling back to the last-known-good copies of files.)
 
Old 06-16-2022, 03:32 AM   #6
Martin.
LQ Newbie
 
Registered: Jun 2022
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
What aspects of an "immutable" file system are you interested in and what problem are you trying to solve with it?
The problem was, like, that we do not want our users to be able to modify the root filesystem.
And if they somehow manage to blow up their OS, I'm thinking that maybe OSTree would be a good choice?

I think the main issue they/we will be wondering about and discussing will be how to manage what specific users can do on the desktops. Our Windows machines are quite locked down, and they need to apply for local admin rights if they want to do anything that requires it.

//Martin
 
Old 06-16-2022, 04:13 AM   #7
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,924

Rep: Reputation: 7319
Simply don't give root access to the users. You need to manage your hosts remotely (= install/upgrade/config/whatever).
 
Old 06-22-2022, 03:59 PM   #8
rich_c
Member
 
Registered: Apr 2008
Location: UK
Distribution: PeppermintOS
Posts: 387
Blog Entries: 74

Rep: Reputation: 81
I was involved in a similar PoC a few years back that, sadly, didn't get past PoC. These days I'm on the Mac team for my sins.

From our perspective, the main lesson learned (at the time) is that if we were to go ahead we would engage Red Hat, who supply our Linux server OS needs.

On the + side, you're in a reasonably good place in terms of MS. You can install Edge and Teams even. Also, www.office.com gives you a cut down but usable O365.

The other thing we ended up trying to get going was an innersource community around our solution. This might be worth looking at, as you may find there are other people in the organisation who have Linux chops and maybe even use it already in a corporate setting. I'm thinking infosec types...

Good Luck!
 
Old 06-22-2022, 04:01 PM   #9
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,996

Rep: Reputation: 3628
Might think about paying Red Hat or SUSE.
 
Old 06-23-2022, 12:08 AM   #10
Martin.
LQ Newbie
 
Registered: Jun 2022
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks a lot for all the replies, now I have something to say in the meeting today.

//M
 
Old 01-07-2023, 06:59 AM   #11
henca
Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 977

Rep: Reputation: 666
Quote:
Originally Posted by Martin. View Post
Are there any best practices for incorporating a few Linux OS:s into a MS based environment?
Is it possible to manage the Linux OS:s and Users with MS software that's already in place?
Is there anything obvious that I need to think about when adding a Linux OS to the corporation?

I'm sure that the initial test will only be a few machines with Linux Desktop on them, maybe 3 - 4.

Even though I run Linux at home, I am by no means an expert, and the other people who are going to try this out are even more inexperienced than me.
I am aware that I found this thread far too late, but maybe I can still share some piece of advice that might be useful for others...

From my point of view, at home you usually have a PC, a Personal Computer. At work, you have workstations and servers.

A Personal Computer is usually used and administered by a single person. A typical uptime for a PC is counted in hours or days.

A workstation might have multiple users logged in simultaneously, both at different consoles and logged in from the network with something like ssh. Those users usually do not have administrative (root) privileges. With Linux, the man with full root privileges will not only be able to administer the software on the machine, but also all the files of every user, as root can become any user. A typical uptime for a workstation is counted in weeks or months; rebooting such a machine might affect multiple users.

A server does not have many users logged in but provides some kind of service to machines in the network. That service might be the home directories for all users, a web server, or some kind of database. Again, many users will be affected if a server goes down, so these machines usually have redundant power supplies, redundant disks (RAID) and UPS to continue running during power outages. A typical uptime for a server is counted in months or years.

In a corporate environment you will need some people responsible to maintain the environment. You might become one of these people.

The three most important things for system administrators are:

1) backup
2) backup
3) backup

After a hardware crash you will need to quickly bring a new system up again from scratch. You will also need to be able to restore data from users' home directories and project data. What if the entire house burns down? Did you store the backups together with the data that you have lost? A good page about backup strategies is http://www.taobackup.com/index.html . RAID is not a substitute for backups; the most common reason to restore a backup is that someone comes and says something like "I accidentally erased/overwrote..."

As an administrator of several machines you will sooner or later want to have shared files on some kind of file server or NAS. This is going to mean trouble unless all those machines have the same point of view on users and their numeric uid. On only a few machines, you can manually make sure that /etc/passwd looks the same on all machines, but you will soon want some kind of domain service like NIS or LDAP. You might be able to connect the machines to an Active Directory server, but that will require both skills and assistance from the maintainers of the Active Directory server.

The users of the machines will need to say what software they want. However, it is the administrator(s) of the machines that will need to select the distribution. The administrators will then have to make routines for installation and maintenance (including security patches) of machines. With an easy workflow to install a machine from scratch, that workflow might work as a backup plan for local installations. Good advice is to try to automate as much as possible of the installation; manually following a long checklist during the installation of a machine is labour intensive. If you feel tempted to use some kind of disk cloning software for backing up local installations you are probably doing something wrong. Those disk image clones might be useful as backups in the short term, but in a few years you will find that they do not work on newer hardware or that you have no idea of what they contain when you want to upgrade to a newer version of the distribution.

regards Henrik
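
The numeric uid mismatch described in the post above can be checked before any shared file server is rolled out. The following is an added example, not part of any post in this thread: it compares /etc/passwd contents gathered from several machines and reports accounts whose uid differs between hosts, and uids that belong to different people on different hosts. The host names and passwd entries are constructed sample data, and the 1000 cut-off for regular accounts is an assumption that matches common distro defaults.

```python
from collections import defaultdict

# Constructed sample data: /etc/passwd contents collected from three hosts.
SAMPLE = {
    "ws01": "root:x:0:0:root:/root:/bin/bash\n"
            "nobody:x:65534:65534:nobody:/:/usr/sbin/nologin\n"
            "anna:x:1000:1000::/home/anna:/bin/bash\n"
            "bjorn:x:1001:1001::/home/bjorn:/bin/bash\n",
    "ws02": "anna:x:1000:1000::/home/anna:/bin/bash\n"
            "carl:x:1001:1001::/home/carl:/bin/bash\n"
            "bjorn:x:1002:1002::/home/bjorn:/bin/bash\n",
    "ws03": "anna:x:1000:1000::/home/anna:/bin/bash\n"
            "carl:x:1003:1003::/home/carl:/bin/bash\n",
}

def parse_passwd(text, min_uid=1000):
    """Return {name: uid} for regular accounts; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, blank or truncated line
        uid = int(fields[2])
        if uid >= min_uid and uid != 65534:  # skip system accounts and nobody
            users[fields[0]] = uid
    return users

def find_conflicts(passwd_by_host):
    """Return (name -> {uid: hosts}, uid -> {name: hosts}) for inconsistent entries."""
    by_name = defaultdict(lambda: defaultdict(list))
    by_uid = defaultdict(lambda: defaultdict(list))
    for host, text in sorted(passwd_by_host.items()):
        for name, uid in parse_passwd(text).items():
            by_name[name][uid].append(host)
            by_uid[uid][name].append(host)
    # Same login, different uid: the user cannot reach their own shared files.
    names = {n: dict(u) for n, u in by_name.items() if len(u) > 1}
    # Same uid, different login: a server that identifies owners by numeric
    # uid treats these two people as one and the same owner.
    uids = {u: dict(n) for u, n in by_uid.items() if len(n) > 1}
    return names, uids

if __name__ == "__main__":
    names, uids = find_conflicts(SAMPLE)
    for name, seen in names.items():
        print(f"login {name!r} has different uids: {seen}")
    for uid, seen in uids.items():
        print(f"uid {uid} is shared by different logins: {seen}")
```

The second kind of finding is the one to fix first: in the sample, carl on ws02 would own every shared file that bjorn created from ws01.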
 
  

