How I got Involved, and What They Had
When I knocked on this company's door two years ago looking
for a metal-working shop a few doors down, they had Windows
95 machines and a Windows NT File Server that nobody had the
password to, files everywhere, no Internet Access, no web site:
basically they were living in the Dark Ages of the early 1990s,
where the computers were glorified calculators.
The users' attitude was, and to some extent still is, that
each machine was (is) "owned" by the person using it, and
therefore in order to access the machine you have to give your
username and password to your colleague in order for them to
use your machine. They were (are) afraid of the server, and,
incredibly, despite having a network and a file server, still
pass files around between members of staff on floppy disks (!!).
Migrating to Linux
The decision to install Linux on the Desktop stemmed from
a "Because I Can" attitude and also because I had heard of
CrossOver Office from a friend. Without the possibility to
migrate the users via Microsoft Office I simply could not
take the risk of making two distinct and radical operational
changes. With CrossOver Office I can at least say "hey, you're
running Word and Excel, what more do you want?" but more on
I have had two servers plus a shop floor machine running
at this company for eighteen months now. One server is
the email (Exim4, Cyrus21, SpamAssassin, SA-Exim) server,
firewall (hand-built rules), Internet Proxy (Squid, Frox);
the other is the File Server (Samba, NFS), Login Server (Samba,
NIS), Sales/Ordering and Web Server (Custom), and Print Server
(lprng). Other than a complete reinstall of both these machines
after they were both rootkitted last year - by a rootkit that
ISN'T on chkrootkit's detection list - these two machines,
both approximately Pentium III 400s with 128MB RAM and 20GB
drives, have been very reliable.
So why am I putting an office full of incredibly stupid and
bigoted users onto Linux? Why am I putting up with the hate
phone calls and having to hunt the warehouse for a machine
that I was taking away for the weekend for a Linux install,
which one of the users had hidden so that when I left he could
put it back on the network?
There are several reasons. The first is because it is convenient
to me. The second is cost of licensing. The third is easy roll-out.
The fourth is policy enforcement.
By introducing NIS and Samba onto the File and Print
Server, I can remotely log in, add a new user account, then
ssh tunnel X-windows back over to my machine at home
(edit my x-windows config to allow TCP connections;
ssh -v -R 6001:127.0.0.1:6000 gavinpc;
run an xterm and, from in that xterm, run any programs that need
configuring, such as kmail and mozilla). Over an ADSL connection,
it's a little slow - but I can live with it, especially as the
site is 90 minutes' drive away.
This is compared to having to maintain several different machines:
some Windows 95, some Windows 2000 where the Administrator Password
has been forgotten. Each time a new member of staff joins, or even
if someone wants to use someone else's computer, it's a nightmare.
I have to configure the Mozilla settings PER COMPUTER, PER PERSON,
and on some of the machines, that's not even an option without
a reinstall of Windows (yes I know about the Linux boot floppy
which can edit the SAM database). Yes, I also know about how
to set up Samba as an NT Domain Controller and then have the
machines join the domain, and No, Windows 95 and Windows 2000
profiles are NOT compatible, so it still wouldn't solve the problem.
Plus, I would have to ask them to pay for Terminal Server Licenses
in order for me to Remote Desktop login. Plus, I would have to work
out how to ssh tunnel that because I wouldn't trust it. Plus, I
would have to deal with my own psychological sickness of remotely
managing a Windows Machine on my Linux laptop, and that's NOT a
prospect I fancy greatly.
In other words, I know full well what the options are for Windows
Setup and Administration, and I'd rather learn how to replace that
same functionality with Linux Software and tools rather than face
dealing with my own resentment and guilt at having forced a company to fork
out money and then STILL have to learn how to work the Microsoft
tools, knowing FULL well that if it didn't work, the chances of
fixing it myself are ZERO, and the chances of _microsoft_ fixing it
are very very slim.
By contrast, problems reported with Debian's "reportbug"
actually stand a chance of being fixed within a couple of
months, as long as you ask politely and provide the Debian
Maintainer with a really useful report.
As an aside which may be of interest, I did investigate
using WinBind instead of NIS. WinBind provides pam_winbind
and libnss_winbind which give you, amazingly, a much better
"Unified Login" than anything else that is available for Unix.
The trouble is that since its initial development in 2000,
it hasn't progressed or been properly integrated into Samba.
What should have been a trivial setup (especially for someone
who used to work on Samba for nearly 10 to 12 hours a day for
four years) turned into a really frustrating two-day reminder of
why I gave up working on Samba - not least because Winbind (in
Samba 3.0) is actually incompatible with the implementation
of the NT Domain protocol in Samba 3.0!
In the end, I made one final search on the Internet for NIS and
one more apt-cache search nis, and found, after about my tenth
attempt to locate it over the past two years, that yes, you
CAN do apt-get install nis (duh). Two hours later, I had an operational
remote login and, despite the security risks (which, frustratingly,
Winbind would alleviate) I have a working and centrally manageable
Cost of Ownership
Every desktop I roll out is one less license fee to worry about. The cost
of desktop machines is being kept artificially high by Windows being
pre-installed, and I object very strongly to that. Also, Microsoft Office
costs a staggering FIVE HUNDRED POUNDS in PC-World. I can buy three
NEW machines for the same cost of two Microsoft Office Licenses.
Roll-out is easy. What I've done is to partition the drive into five:
hda2 is /, hda1 is /boot, hda3 is swap, hda4 is an extended partition
containing hda5 which is /usr and hda6 which is /var. The root
partition I make 512MB; the boot partition 40MB; the /usr
partition is 1400MB; the /var partition is 512MB... and if
you add that all up there's approx 200MB left on a 4.3GB
drive for a small emergency /home partition or extra swap partition,
if needed. Ridiculously, I can't even get less than 40GB drives
these days, so literally 90% of the drive is wasted. MS-Office and
CrossOver Office (see later) ended up on the Server, via NFS -
an Install Once, Access Many implementation.
Then, on one of the machines on which I performed the first
install, I tar'd up each of the partitions (uncompressed),
and then booted from David Kimdon's excellent 2.4.18-bf2.4
Debian Network Install, repartitioned each new machine and then
untarred the partitions. The two things that got me - several
times - were that /dev doesn't tar up: I have to do a cp -a /dev/*
into the new root partition. This Is Really Annoying To Forget.
Other things to remember, if you too are going to follow
this path, are to do an apt-get clean to remove as much
from the /var partition as you can. The size of boot.tar is about
10MB; root.tar is 80MB; usr.tar is 1GB; var.tar is 100MB.
Compressed, these are definitely small enough to fit onto a CD but
I cannot be bothered: the number of machines doesn't fully justify
On reboot, I then run lilo, edit /etc/hostname, edit
/etc/network/interfaces (no, I haven't set up DHCP), edit
/etc/hosts (no, I'm not using the full capabilities of NIS or
DNS :) to change the name of the machine and its IP address,
and then take it down to the customer's site for some test
logins and for installation of the user's local DeskJet Printer
(CUPS foomatic-gui: the only thing to remember is to make the
queue name the same on all machines for all users even if the
printer manufacturer or model is different, otherwise users
move from machine to machine and find that the printer doesn't
work because the queue name is different).
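The per-clone step above (populated /dev, hostname, static interfaces, hosts), as an added example rather than the article's own procedure: the functions work on the new root mounted at the path given as their first argument, the Debian file locations are the ones the article names, and the hostname and addresses are constructed placeholders. It also strips the cloned machine's SSH host keys, which the article does not mention but which a partition-level clone carries over to every desktop.

```sh
#!/bin/sh
# Post-clone customisation for a Debian desktop restored from the boot/root/usr/var
# tarballs. Added example, not the article's own script. Every function takes the
# mounted new root (e.g. /mnt/newroot) as its first argument so it can be run from
# the install system before the first boot.

# tar does not carry /dev across, so device nodes must be copied in
# (cp -a /dev/* "$root/dev/") before the clone will boot. Refuse to go on otherwise.
check_dev_populated() {
    root=$1
    if [ ! -e "$root/dev/null" ] || [ ! -e "$root/dev/console" ]; then
        echo "ERROR: $root/dev is empty; run: cp -a /dev/* $root/dev/" >&2
        return 1
    fi
}

# Give the clone its own identity: /etc/hostname, a static /etc/network/interfaces
# (the article uses no DHCP) and an /etc/hosts entry for itself.
customise_clone() {
    root=$1 host=$2 ip=$3 gw=$4
    netmask=${5:-255.255.255.0}

    printf '%s\n' "$host" > "$root/etc/hostname"

    cat > "$root/etc/network/interfaces" <<EOF
# static addressing for $host (no DHCP on this network)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address $ip
    netmask $netmask
    gateway $gw
EOF

    # Rebuild /etc/hosts rather than editing the cloned copy, so the source
    # machine's name and address do not survive on the clone.
    {
        echo "127.0.0.1 localhost"
        echo "$ip $host"
    } > "$root/etc/hosts"
}

# A partition-level clone also copies the source machine's SSH host keys, so every
# desktop would present the same identity and one leaked key would cover them all.
# Remove them; on Debian, 'dpkg-reconfigure openssh-server' on the clone regenerates
# missing host keys. Prints the number of key files removed.
strip_clone_identity() {
    root=$1
    n=0
    for f in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] || continue
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Read the identity back for a final check before the box goes to site.
clone_summary() {
    root=$1
    printf 'hostname: %s\n' "$(cat "$root/etc/hostname")"
    awk '/^ *address/ {print "address:  " $2}' "$root/etc/network/interfaces"
}

# Usage (constructed values; run from the install system with the new root mounted):
#   check_dev_populated /mnt/newroot && \
#     customise_clone /mnt/newroot desk05 192.168.1.55 192.168.1.1
#   strip_clone_identity /mnt/newroot; clone_summary /mnt/newroot
```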
Now, yes I have heard of FAI (Fully Automatic Install) and yes I have heard
of Knoppix and Morphix (Live CD Linux) - but only recently. If
this was an Office of twenty members of staff, I'd seriously
investigate setting up an FAI server (which the company could
likely pay for) and I would seriously investigate setting up a
Module for Morphix to do CrossOver Office, and to do various
other customisations. I would then be able to order machines
with more memory and NO HARD DRIVE. But, I am stuck with 128mb
RAM, 4.3gbyte drives in most cases, and to be honest, only
seven machines? Not worth the extra effort.
The final reason for installing Linux on the Desktop is easy
policy enforcement. These users are genuinely... well... stupid.
I tell them till I am blue in the face not to give out their
passwords. I tell them to ring me when a new member of staff
joins. Nobody knows the Administrator password for the Reception
PC, so what do they do? In order for the new receptionist to do some
work, they give her someone else's username and password.
They put files on the local drive when I tell them that I am going
to be wiping the machine over the next few months. So they put
files on floppy disk instead, rather than put them on the server.
I tell them that floppy disks and Windows 95 machines I am in no
way going to back up, and this makes no difference (well, they
get two floppies instead of one).
Now that is all fine and dandy, and quite amusing from a techie
point of view, but in light of the UK Data Protection Act, it's
not in the least bit funny. If one of those Windows 95 machines
with no password protection gets pinched from Reception by either
a thief walking in off the street, or by one of the minimum wage
part-time members of staff (some of whom cannot read or write),
then any customer details that get made public can result
in the Directors - and Managers - being PERSONALLY prosecuted.
In all, this helps determine my strategy for setup and machine purchasing.
Firstly, the servers are locked in the Director's office.
Secondly, the Linux Desktop machines have an NFS mounted home
directory, so that EVEN if they save files on the "Desktop", they
are in fact plonking them on the server. Thirdly, I have started
ordering machines without a floppy drive. I don't know of a way
to get Windows to do the equivalent of an NFS mounted home directory,
and I have heard of nightmare management issues by Lehman Brothers
in enforcing a ban, by NT Security Descriptors, on write access to
the C drive (the problem they then ran into was that Stupid-Applications
required write access to C:\windows\system...)
OpenOffice vs CrossOver Office
... which brings me neatly onto installing CrossOver Office and
Microsoft Office. Stupidly, I installed MS-Office over an NFS
partition, which is something to behold: at a write speed of 20
KILOBYTES per second, you can expect the install to take overnight.
But, once achieved, I have banned write access by ordinary users
to the entire fake_windows directory. This did initially cause
some problems with the Normal.dot template (which didn't exist)
on Word, so I reactivated access to that file, created one, and
then deactivated write access again: problem solved.
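The write-lockdown described above, as an added example rather than the article's own commands: it makes a shared install tree read-only for ordinary users, re-opens a single file (the Normal.dot case) while it is created, and then checks that nothing in the tree is left group- or world-writable. The directory and file names are constructed.

```sh
#!/bin/sh
# Lock down a shared, NFS-exported application tree (the article's fake_windows
# directory) so ordinary users can read and run it but not modify it.
# Added example; run it on the NFS server itself, not on a client, since a client's
# root is normally squashed and cannot change modes on the export.

# Directories and executables become 755, everything else 644. Ownership is left as
# installed (an admin account); only the mode bits are touched here.
lock_shared_tree() {
    tree=$1
    find "$tree" -type d -exec chmod 755 {} +
    find "$tree" -type f -perm -u+x -exec chmod 755 {} +
    find "$tree" -type f ! -perm -u+x -exec chmod 644 {} +
}

# Temporarily allow one file to be written (Word wanted to create Normal.dot on first
# run): create it if absent, open it for writing, and print the path so it can be
# relocked once the application has filled it in.
open_one_file() {
    f=$1
    [ -e "$f" ] || : > "$f"
    chmod 666 "$f"
    echo "$f"
}

relock_file() {
    chmod 644 "$1"
}

# Verification after locking or relocking: list everything still writable by group
# or others on stderr and fail if there is anything, so a forgotten exception shows up.
check_tree_locked() {
    tree=$1
    leftovers=$(find "$tree" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$leftovers" ]; then
        printf 'still writable:\n%s\n' "$leftovers" >&2
        return 1
    fi
}

# Usage (constructed path):
#   lock_shared_tree /srv/fake_windows && check_tree_locked /srv/fake_windows
#   f=$(open_one_file "/srv/fake_windows/Program Files/Templates/Normal.dot")
#   ... let Word create the template ...
#   relock_file "$f" && check_tree_locked /srv/fake_windows
```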
As mentioned once before, the reason why I have kept the users on
MS-Office is to make my task of convincing them to use Linux a lot
easier. Plus, they use Mail-Merge and I sure as hell ain't gonna
get involved in 1) OpenOffice "oh you have to do file save-as and
save it as a word document" 2) explaining or supporting OpenOffice
mail-merge 3) explaining to some users why the document looks
different and why they can't do black backgrounds and borders
Not least of all is that on a 128 mbyte of RAM and only a Pentium
III 300 machine it takes five seconds to load a Word Document
on CrossOver Office, and a full MINUTE to load OpenOffice. Now,
I know full well that OO QuickStart cuts that time down to a
couple of seconds, but it's at the expense of boot-up time.
All of these reasons lead me to believe that I would be genuinely
stupid to make these people swallow two bitter pills at once,
especially when one of them would permanently disrupt the day-to-day
operation of the company (OpenOffice).
The decision on which desktop to use was quite tricky. I have put
60 and 70-year-olds on Fvwm2 only to find that they were perfectly capable
of finding the Games menu all by themselves. I have put Fvwm2 onto
Compaq Armadas with only 16mbyte of RAM (it takes well over 5 minutes
from switch on to actual typing on "ted" - the only editor small enough
to fit onto a 1Gbyte hard drive and still leave the machine operational).
So my first experiment was to place one particularly low IQ member of
staff (don't laugh: she is a GREAT telesales worker, is a genuine
and friendly but not very bright individual) on Fvwm2. The other reason
for doing this was because KDE and Gnome came up on the screen with
Fonts reduced to single pixels! I still, to this day, have not
managed to track that one down but I have a vague suspicion that it
was to do with there being only 128MB of RAM and me forgetting to
add any swap space.
I also placed Wings Display Manager (wdm) on the machine in
a desperate attempt to get rid of this font problem (xdm is
_too_ basic). Plus, KDM and GDM are too complicated, and they
also force a dependency on their respective environments. Both
KDM and GDM suffered from this weird font issue: wdm didn't.
When it came to cloning the machine for another member of staff,
they complained bitterly about the lack of desktop. I enabled KDE
for them and that complaint stopped (and the fonts were okay,
bizarrely enough). I don't know why I picked KDE 3.2.2, but Gnome
just didn't seem to cut it. KDE I find painful and over-busy,
and it is very difficult to find configuration tools and then
even more difficult to use them. I keep looking on the menus
for "Email Settings", only to find that it's actually called
"Configure Kmail". Only recently did I actually find out how to
add a printer - not for lack of looking. I use foomatic-gui
instead, even though it depends on Gnome for some bizarre reason,
simply because it's REALLY straightforward. Big Stupid Buttons
With Really Obvious Words like "Add Printer".
Under KDE, It took ages to work out how to put CD-ROM and Server
links onto the desktop: you have to left-click drag-and-drop
(I was expecting right) and then a little menu comes up "copy or
link". Under Gnome's Oroborus Desktop, you just right-click and
select "Drives" from the context menu, or select "Link" to create
I should have installed them on Gnome, because Gnome, by being
slightly behind in functionality, is actually easier to use.
But KDE 3.2.2 is a lot faster (snappier) than Gnome 2.6, and on these
older machines, mostly Pentium 300s, it makes a difference.
I can't really explain it, but I have put my dad's machine on
Gnome, and his 55-year-old former business partner on Gnome, but
I wouldn't put an Office full of people on Gnome.
Let's recap. I have a bunch of windows-users who think they each
own the company machines they use. I have nightmares about how
much it would cost this little company to have Windows do all of
the things I am doing for them, and how much they would have to
pay an MCSE certified person to do it for them. I can sit at home
and wait for phone calls. I can remotely log in and sort things out.
I have hand-held some of the members of staff through the process
of clicking on their desktop in order to access the Server and to
work with Excel and Word. I have shown them that printing works.
I've stopped them from saving stuff on machines that aren't locked
There are things that I could have done differently: there are things that I could have done better. If I had thought in advance about what I wanted to achieve, and had the hindsight of some of my own experiences, I would have done things differently. But instead, I have experimented, and found what works reasonably well - for me - having got there by a roundabout route.
What would make my life easier?
Well, Winbind working correctly, for a start. Samba being as
easy to configure and set up as a Windows NT Domain Controller
is, and a Winbind-enabled system being as easy to configure
as a Windows NT Workstation (on installation of Winbind I
was never asked to type in the Domain name nor asked for the
Administrator username and password, which is all that is
required for an NT workstation to join an NT domain).
I must investigate OpenOffice alternatives, or at least it would
be great if OpenOffice could actually be a viable alternative.
an 80 mbyte download, and all the implications for developers thereof,
and it still isn't good enough (makes you wonder why we have commercial
software products, doesn't it?) I must try my CorelOffice stuff
out on them, and also that port of Office to Linux by a German
company, plus there's also a Chinese company that's done an Office
Suite written in Java...
Debian running SE/Linux would alleviate some of my fears about the
servers, and then consequently the entire network, being rootkitted.
Yes I know Redhat do Fedora Core (by way of employing Russell), but I don't
like Redhat (the management, the funding, the IPO nor the Package Manager).
Yes I know about Gentoo (Hardened by default), but the prospect of
downloading everything as source code I can't entirely justify _quite_
just yet :)
KDE having easier-to-look-at configuration options, and having more
intuitive use of the Right Mouse Button (it's the one on the right :)
for context-sensitive options such as, on the Desktop, pulling up
a menu that includes "Mount Drive e.g. CD or Floppy on Desktop"
and "Create Link" rather than having to run the file manager.
Gnome and KDE having cross-application support so I can expect to
install Evolution or any other application under any desktop, or
I can build myself my own Desktop Manager from the BEST of both
environments. I expect to be able to install a Gnome Desktop
running Oroborus and to have KDE's Kmail and its better applications,
and to have KAddressBook... or vice-versa. I expect to replace
Kmail and KAddressBook with Evolution, or vice-versa, and for the
configuration setup involved to be ZERO WORK, a confident no-brainer
Linux on its own isn't quite ready for the Desktop for Businesses:
in key areas, it simply doesn't stack up. That won't stop me from
throwing this company in at the deep end and seeing if the staff don't
quit in disgust, but I'm definitely NOT prepared to cut the dependency
on commercial software completely.
I can't tell you what the best direction to go from here is: all I can
really say is that the "Not Invented Here" syndrome of stubborn
developers that keeps Linux away from the ordinary Business User has
got to go.
Linux on its own isn't quite ready for the Desktop for Businesses: in key areas, it simply doesn't stack up. That won't stop me from throwing this company in at the deep end and seeing if the staff don't quit in disgust, but I'm definitely NOT prepared to cut the dependency on commercial software completely.
You've just given advantages of the distributions using the Linux kernel... why windows doesn't stack up...
- With Linux Don't need to purchase a lot of expensive software
- Easier rollout with Linux
- Greater flexibility in policy enforcement options...
With Windows, it's a nightmare
- Better remote management (costly and complicated in windows)
- With Linux you were able to run CrossOver-office well on your very low-end 128Mb ram Pentium III 300 machines (try doing that with Office XP on Windows XP Home!).
- The fact that you have setup systems using Linux desktops, and
the people can actually work in them...
Windows... as you said, lost passwords to servers, and ...
Blue Screen of death, anyone?
Not least of all is that on a 128 mbyte of RAM and only a Pentium III 300 machine it takes five seconds to load a Word Document on CrossOver Office, and a full MINUTE to load OpenOffice.
What you need is better hardware, say Athlon >= 800 Mhz, >= 256 Mb of RAM if you're using a bloated desktop like KDE. And OpenOffice should run more than acceptably. As for the difficulties for MS Word users, those are migration issues that don't indicate anything about the merits of OpenOffice or the Linux desktop.
[As if CrossOver made it a non-Linux desktop (bleah)]
The reduction in boot time from Windows 9x to Linux should make
the increase for OO quickstart more than manageable.. many
Linux distributions are starting more services than needed and
not launching them in parallel. If you didn't make changes already,
you can probably reduce the time to boot significantly.
Whether a Desktop is good or not needs to be evaluated based not on migration but on first use (IE: for users that don't have expectations that they got from years of using Windows and MS Word), and you can't really expect miracles out of the box with Linux (yet),
especially out of Debian or Gentoo: the person setting up the machines will need to do extra work, writing scripts/conf files, tailoring menus/preferences/resources/etc.
People had to learn how to use Windows and Word fully/efficiently, they will need to learn some things through training, support, and experience in order to fully and efficiently use OpenOffice or KDE or Gnome or Linux too.
The expectation that everything will be exactly the same as a person's already used to from a different OS, is, well, unreasonable, IMO.
Samba? Why this if you're moving to Linux...
NFS and NIS/PAM/LDAP/Kerberos/whatever.. you have a lot of choices other than Samba for both authentication and file shares. With all the Windows Machines moved to Linux, there's no reason to bother with the headache of running Samba / Winbind as a domain controller... targeted at an OS you aren't using :)
Time for a little offtopic rant...
The users' attitude was, and to some extent still is, that each machine was (is) "owned" by the person using it ...
So when an employee has a certain office, or a desk, don't you say that's (Such and such)'s office, or that's (Such and such)'s desk?
While an employee's not the legal and ultimate owner/controller of their work computer systems.. the setup of the space or their computer can have a profound effect on how they do their work... in a very real sense, it is theirs, in this sense that they have very good reason to be concerned and be notified about other people mucking around with it, or changes that others have suggested to be made to the equipment, etc, etc.
Certainly it's not yours either [eg]
Esp. Without someone around to help maintain their systems, it's only
natural... it's a thing they put work into/part of their work space.
It's rather sensible that other people need to get a password (like a BIOS password) from the primary user to muck around with the working configuration of the machine they have to use on a daily basis.. of course if the person's replaced, or some supervisor needs to get at their work-related docs, the contingency always needs to be prepared
for, so it can be handled swiftly. :)
There's something bad to be said about "enforcing policies" technologically. It's a bad idea.. it limits flexibility.
Get a bunch of machines without floppy drives... then suddenly users may find they could use floppies for some other perfectly legitimate reason: like exchanging files; moving some documents from a laptop to their workstation, or whatever, there are lots of things floppy drives can be used for.
Users should be involved directly in making policies.. should understand why they are there, and explicitly what kind of special efforts they need to make to ensure things go smoothly.
Going around them and simply silently stripping capabilities out of their systems is not very nice.
As for people giving out their passwords... You might ditch password authentication? Get something like the RSA tokens where authentication
is based on something the person has (token) and something they know (Pin#)... or use biometric ID.
Forget it though, they can always have another employee login and turn
the console over (EG)
More appropriately provide people on site with instructions on how to manage the user accounts: adding and deleting users should not ever involve making phone calls to the person who set up the network originally. There are definitely graphical tools like linuxconf
(for instance) available for that. People on location should know
how to handle routine things.
[No wonder people would hide their boxes, sounds as if you made it hard for them to administer their own machines. And dropped a bunch of notions on their heads that they could easily view as quite bureaucratic/irrelevant... truly individual usernames, passwords, but they have to call you from afar (kind of like asking your greatness) just to let the new person in...]
Yes, individual usernames/passwords are commonplace now, especially on the internet.. But just because users aren't familiar with all the nuances of computers that geeks are does not mean they are stupid blind sheep or don't deserve every bit of consideration that anyone else does.
in some ways i am quite lucky, in that the requirements of this particular company are simple: they are still using excel to do invoices, they do mail merges to send out letters for prospective business, and they have a mixture of staff who _have_ worked at large corporations with full-time windows admin staff, one person who knows how to upgrade Outlook and know what voodoo invocation to do when it then crashes on adding a new contact, and some staff who phone me up whenever their HP deskjet has a paper jam and automatically disables its own print queue.
that they haven't objected and over-ruled my endeavours to convert the entire office from fully windows to fully linux is leaving me slightly confused and bewildered, rather than impressed with myself.
the person who hid his old machine was an early victim: i had cloned the machine that had fvwm on it (that my really nice telesales lady was quite happy with but mr machine-hider wasn't). when i explained to him that he was getting a nice pretty desktop and yes, if you click on the XLS document it just works, he capitulated and then grudgingly told me where the hidden machine was.
hm, having a script to allow users to be added. to be honest, i so don't trust these staff to not screw things up that it hadn't even occurred to me to have a pretty program that does the work. and being even MORE honest, i sincerely believe that even if i DID provide them with such a script, unless i was there to hit them with a Big Stick they STILL wouldn't actually use it!
on the flip side, however, it would make my job easier, and also for other companies with more computer literate staff, such a tool would likely also prove invaluable.
No wonder people would hide their boxes, sounds as if you made it hard for them to administer their own machines.
dude, i thought it was fairly obvious from what i described: until i came along there WAS no administration of machines! the only thing protecting them from not having their computers destroyed by viruses was that they didn't even have any internet connectivity - AT ALL!
i've had to deal with the lack of anti-virus software and other safety measures by restricting internet access, by insisting that they use mozilla and mozilla mail, banning outlook and internet explorer, etc. what i REALLY want is to move off of windows-dependence and risks altogether, but that's not going to happen until things like openoffice or alternatives work properly and save by default to word documents.
but seriously, the problems faced are caused by users administering their own machines - some of whom have now left, taking the administrative password with them, having made copies of hundreds of files onto their local machine, editing some of those files and then NOT COPYING THEM BACK TO THE SERVER (meanwhile other users continue to edit the same documents on the server and other files in the same subdirectory as the one copied).
i mean, it's a complete nightmare: there are several thousand documents, with about three copies of around five to seven hundred of those, because someone "didn't trust the server". that's what leaving users to "administer their own machines" results in, in this case, and it's why i am enforcing some of the decisions that i am, drastic as they may seem.
the employees at this company use the computers they have, at work, to do administrative tasks (typewriting, effectively) and then they go home. they _certainly_ aren't paid enough to afford laptops, and only about three of the eight full-time staff have their own home computer.
i've repeated several times that files should be copied via the network, and remain on the network server, and each time i come in i find 1) a new member of staff using someone else's password 2) they don't know what they are doing 3) checking the machines i find files all over the remaining windows machines or on floppy disks. there's only so much repeating i can take until i have to decide to take capabilities away from them in order to enforce policies that, ultimately, reduce the risk of data loss etc.
i know this all sounds like really drastic, but not all companies contain technically savvy employees with a corporate infrastructure to whom the responsibility for enforcing and drumming in IT policy can be pushed. anyway, this is all background material to the goal of getting these people moved over to Linux, and it's been a bit touch-and-go so far, and that's what i really wanted people to know.