    Comparison of Salt vs AD

      scottalanmiller @NerdyDad

      @NerdyDad said in Comparison of Salt vs AD:

      While I totally agree with what you are saying in a Windows environment, I was asking out of curiosity in a Fedora environment. I am trying to branch out of Windows and begin to pursue skills on the other side, if you will.

      Oh, local accounts are even more simple and powerful there. So Salt's ability to be used for central authentication is quite strong.

        Obsolesce @scottalanmiller

        Seems to be way more powerful to manage systems located anywhere from anywhere, with nothing more than a simple internet connection at either end.

          scottalanmiller @Obsolesce

          Yeah, managing Linux from Salt is like a dream 🙂

            EddieJennings

            Managing computers as long as they have an Internet connection (am thinking our various sales folk and account managers who work from home). . . I need to learn about Salt.

              Emad R @NerdyDad

              @NerdyDad

              While I agree with what you said technically, Salt can be so powerful in my opinion and that it can do everything I want from AD (but it needs prior planning and proper machine naming, also the first step of configuring salt minion on every machine can be daunting, yeah on every machine).

              I think what you're referencing about AD is regarding authorization part, well for me I can create users also windows groups remotely using salt native module, then using this with a NAS I can provide access, or I can run script on selected user to mount the share on startup of their machines.

              In summary it can do everything AD does in my perspective, but you just need to plan ahead and keep things simpler.

              Also check this module, where you can configure the local group policy for windows clients.
              https://docs.saltstack.com/en/latest/ref/states/all/salt.states.win_lgpo.html
              It is just one of many native modules where you can do many things, want to check free space on all of your client machines, this can be done using 1 liner:
              salt '*' status.diskusage

              Thus salt expands the already known stable reporting tools that Windows natively has, but it wraps it in SSH feel environment that I love.

              I think next step for us in my organization is using SaltStack + Urbackup . Will keep you posted about how this goes.

                dafyre @Emad R

                I wonder how much of this could be automated via tools like PDQ Deploy? ... or just make sure your DNS servers have an entry for your Salt server.

                  scottalanmiller @dafyre

                  not nearly so much and not nearly so well.

                    Emad R @dafyre

                    @dafyre

                    The Windows installer of salt minion asks you for:

                    Salt Master Hostname or IP address
                    Minion Name

                    And you can install it silently with:

                    Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

                    Sadly I can't trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for minion name

                    Now I have to do them all manually
                    90 MACHINES

                    GONA GO KILL MORE PPL IN DBD

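One way to take the minion name out of the users' hands when pushing the silent install discussed above (an added example, not code from any poster in this thread): the script derives the name from the Windows computer name and refuses to enroll a machine that breaks the naming convention. The naming pattern, the `salt-minion` service name and the hash value are assumptions or placeholders; the installer file name and the `/S`, `/master=` and `/minion-name=` switches come from the post.

```powershell
#Requires -Version 4.0
# Added example, not from the thread. Run elevated on each Windows client
# (for instance pushed through GPO, PDQ Deploy or PowerShell remoting).
param(
    # Installer file name as given in the post; place it in the working directory.
    [string]$Installer = '.\Salt-Minion-2016.11.5-AMD64-Setup.exe',
    # Placeholder master name from the post; replace with your own.
    [string]$Master = 'yoursaltmaster',
    # HYPOTHETICAL naming convention: three letters, a dash, three digits.
    [string]$NamePattern = '^[a-z]{3}-[0-9]{3}$',
    # PLACEHOLDER: SHA-256 of the installer copy you vetted yourself.
    [string]$ExpectedSha256 = '<sha256-of-your-vetted-installer>'
)

$ErrorActionPreference = 'Stop'

function Get-MinionName {
    # Normalise the computer name and reject anything outside the convention,
    # so no free-text minion names ever reach the master.
    param([string]$ComputerName, [string]$Pattern)
    $name = $ComputerName.Trim().ToLowerInvariant()
    if ($name -cnotmatch $Pattern) {
        throw "Hostname '$name' does not match '$Pattern'. Rename the machine before enrolling it."
    }
    $name
}

# Skip machines that already run a minion, so the script is safe to re-push.
# 'salt-minion' is the assumed Windows service name.
if (Get-Service -Name 'salt-minion' -ErrorAction SilentlyContinue) {
    Write-Output 'salt-minion service already present; nothing to do.'
    return
}

# Refuse to run an installer that is not the one you vetted.
$actual = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Installer hash $actual does not match the expected value."
}

$minion = Get-MinionName -ComputerName $env:COMPUTERNAME -Pattern $NamePattern

# Same switches as the silent install command quoted in the post.
$installArgs = @('/S', "/master=$Master", "/minion-name=$minion")
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)."
}
Write-Output "Installed salt-minion '$minion' pointing at master '$Master'."
```
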
                      scottalanmiller @Emad R

                      Use PowerShell or GPO.

                        dafyre @scottalanmiller

                        Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.

                          Alex Sage @Emad R

                          @msff-amman-Itofficer said in Comparison of Salt vs AD:

                          Now I have to do them all manually
                          90 MACHINES

                          GONA GO KILL MORE PPL IN DBD

                          Don't do this.... The first rule of IT is to automate when possible. I suggest PDQ as well.

                            Romo @dafyre

                            @dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.

                              scottalanmiller @Romo

                              I use Chocolatey.

                                matteo nunziati @NerdyDad

                                @NerdyDad said in Comparison of Salt vs AD:

                                I'm trying to clarify this statement from this post

                                By @scottalanmiller "I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD."

                                https://mangolassi.it/topic/13786/how-to-patch-wannacry-using-saltstack-ad-alternative/3

                                Please correct me if I am wrong, but I want to clarify if I am understanding this correctly.

                                We all know that AD is a collective, server/client, authentication system. Client computers connected to an AD system have to communicate with an AD server in order to authenticate users for resources.

                                Salt syncs local users to each other in a mesh-network so that all users are still capable of accessing all of the computers with the same credentials without having to authenticate to a central server.

                                Is this correct or am I reading too much into this?

                                A stricter analogue of AD authentication in Linux is Kerberos (on which AD is based). Using Salt is more of a hack, which, considering the apparent possibility to fire events in Salt, seems anyway a feasible one.

                                  Romo @scottalanmiller

                                  I actually deployed the salt-minions to upgrade powershell and deploy chocolatey =).

                                    Emad R @Romo

                                    @Romo @aaronstuder @dafyre

                                    This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients? Or does it just rely on Active Directory to work?

                                      NerdyDad @Emad R

                                      No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.

                                        scottalanmiller @NerdyDad

                                        Same as with PowerShell.

                                          Emad R @NerdyDad

                                          @NerdyDad

                                          Interesting, thanks.

                                            Dashrender @scottalanmiller

                                            Does PowerShell require some sort of remote access to be enabled?

                                            Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
