I'm also curious on this.. Is LDAP, Kerberos, NIS or any other system recommended?
A lot of different opinions 'out there' :-)
---
stoffell

I've rolled out a krb5/openLDAP/NFSv3-over-IPSEC implementation for a moderate-sized group. I used debian sarge servers (with backports) on the server side, and Ubuntu LTS (6.06) on the client side.

There were hiccups along the way, of course, but the system seems to function pretty well. If i got to do it again right now, i'd try to use NFSv4 and ditch the IPSEC business. Host-to-host encryption never did sit right with me anyway, because the real encryption layers you want are user-to-service (and vice versa). But alas, NFSv4 was even more in its infancy at the start of that project. Things move fast these days.

I think Novell would be upset at your suggestion of there being no integrated solution like NDS for GNU/Linux. Not least you haven't called it eDirectory, so the marketing department have failed big time, and you don't know it supports SuSE ;)

Redhat do a directory service, which is not so different to a roll your own OpenLDAP and Kerberos in terms of software, but the value add is in pre-written policies, schemas, and documented deployment steps.

It is definitely the case that this is an area of weakness because there aren't many large GNU/Linux desktop deployments in the style of Microsoft ADS. Typically client policies are managed by software installation, and config file synchronization, which isn't so different from how large GNU/Linux server farms are deployed.

Everyone I've met who have done big deployments are almost to a man thin client fans. Unlike Microsoft Windows, that was never designed for thin client, X and Unix were both designed with this in mind, and unless you have keen processing, or multimedia requirements, this is almost certainly the best way to meet traditional business desktop computing requirements and can vastly reduce the scale and complexity of deployment. If you have say 1 desktop server to 60 users, suddenly how do I manage the systems for 120 users, becomes how do I manage 2 servers, and suddenly OpenLDAP begins to look like it might be overkill. It is perfectly reasonable to run desktop Office apps for 60 users simultaneously on a low end x86 server hardware these days, you have to stick a lot of memory in, but it works really well. Indeed if they are mostly non-power users you can probably get 120 users on a server costing only 50 USD per user. This is becoming more of an issue as people expect sophisticated multimedia apps as standard desktop stuff.

Similarly fully automated install is pretty straight forward on modern hardware, so they places that didn't go "thin client", went with identical client machines, which can be remotely reimaged when the standard image is updated. Reinstalling the OS for simple updates seems like overkill, but it does keep things simple, and if the OS is largely "thin" or "thinnish", it doesn't really take long or require a lot of bandwidth to reinstall a few hundred desktops.

I would use LDAP for user/password share and NFS (or some other net file system) for sharing files. For installation/configuration I would use FAI/cfengine.
And "big" server is good for fast deployment to ordinary users.

It is much better to install software automaticly than to have a "golden computer" to make images from and distribute. Images doesn't scale as good as automatic installation.