Don’t get me wrong, I used to be a Linux fanboy.
But after Admining in both the Linux and Windows world, I have to say: There’s a reason Microsoft has a dominant market position in business.
AD is fucking awesome. And I don’t understand why Linux is so…finicky out of the box. There just isn’t a unified, default, out-of-the-box solution where you can click a button to create a domain controller and have everything in your domain tied together, from user rights on all clients, to file shares, to mailboxes.
This should be the strong point of Unix-likes, considering their history, but it just isn’t.
On AD, you authenticate once when you log into your PC (which even works without contact to the authentication server). And then all the resources you’re allowed to use are available to you. All the admin has to do for new users is assign them to the right groups in a GUI or with a script, and everything is taken care of.
On Linux, that just isn’t the case (unless the domain is managed by AD, which integrates Linux clients well too). Linux is stuck in a time where your client was nothing more than a keyboard attached to a network device that connects you directly to the server.
And authentication is a mess out of the box. A password prompt should have the purpose of checking whether the correct person is sitting in front of the keyboard to do things. On Linux, you log into your client when you boot it. But by default, every time you want to access system resources which you are already allowed to use, you need to authenticate again – from within the user account that’s already authenticated. It makes no sense.
And don’t even get me started on how awesome GPOs are compared to the methods you have to manage Linux clients.
The Linux equivalent to AD is LDAP. Which, I agree, is a lot more finicky than AD. But Linux isn’t meant to be a domain controller any more than Windows is supposed to be.
LDAP isn’t only a lot more finicky but also offers only a small subset of AD’s features.
LDAP is a protocol, AD is a product. It’s not really a fair comparison. AD even uses LDAP in some cases.
There’s a reason Microsoft has a dominant market position in business.
Same way Intel got to where it was. By bribing OEMs to sell their stuff with their hardware.
It doesn’t make sense against Linux, which is ‘free’. -How is Microsoft going to afford to ‘bribe’ over that? -They have professional devs to pay.
What has happened is that shops tried to sell computers with Linux pre-installed, but found the cost of returns and support prohibitive. Linux users also will change distros, or opt for a cheaper Windows computer to install on.
There are still computers sold with Linux -The prices suck.
FreeIPA, Univention, Zentyal are alternatives to Microsoft Active Directory.
There are a bunch of other tools around Kerberos, LDAP and so on.
Microsoft provides a unified package that does everything and is configurable by GUI.
Authenticating again for privileged operations is a security feature, even if it’s annoying. macOS makes this less painful by usually supporting biometric authentication for these cases.