Comparison of Salt vs AD



  • I'm trying to clarify this statement from this post

    By @scottalanmiller "I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD."

    https://mangolassi.it/topic/13786/how-to-patch-wannacry-using-saltstack-ad-alternative/3

    Please correct me if I am wrong, but I want to clarify if I am understanding this correctly.

We all know that AD is a collective, server/client, authentication system. Client computers connected to an AD system have to communicate with an AD server in order to authenticate users for resources.

    Salt syncs local users to each other in a mesh-network so that all users are still capable of accessing all of the computers with the same credentials without having to authenticate to a central server.

    Is this correct or am I reading too much into this?


  • Service Provider

    @NerdyDad said in Comparison of Salt vs AD:

We all know that AD is a collective, server/client, authentication system. Client computers connected to an AD system have to communicate with an AD server in order to authenticate users for resources.

    Salt syncs local users to each other in a mesh-network so that all users are still capable of accessing all of the computers with the same credentials without having to authenticate to a central server.

    Correct. AD does central authentication where each machine reaches out to a central database. Salt will take local users and push them to each machine. Central vs. distributed. Salt can also be used to automate the management of other things. Salt is just a generic management tool, but because it is so powerful and ubiquitous, it can do things that previously seemed too complex or hard to do and can make them almost trivially easy. Which fundamentally changes many assumptions.



  • @scottalanmiller said in Comparison of Salt vs AD:

    @NerdyDad said in Comparison of Salt vs AD:

We all know that AD is a collective, server/client, authentication system. Client computers connected to an AD system have to communicate with an AD server in order to authenticate users for resources.

    Salt syncs local users to each other in a mesh-network so that all users are still capable of accessing all of the computers with the same credentials without having to authenticate to a central server.

    Correct. AD does central authentication where each machine reaches out to a central database. Salt will take local users and push them to each machine. Central vs. distributed. Salt can also be used to automate the management of other things. Salt is just a generic management tool, but because it is so powerful and ubiquitous, it can do things that previously seemed too complex or hard to do and can make them almost trivially easy. Which fundamentally changes many assumptions.

    Perfect. That makes total sense now. Thanks,



  • Active Directory is just a centralized authentication and object database... it isn't much more than that.

    The good stuff (in this aspect), is Group Policy. The main part of Group Policy, administrative templates, is (basically) just an easy categorized and searchable GUI way of centrally controlling the registry of multiple Windows clients.

    There are a ton of other Group Policy extensions as well, like all those included in Group Policy Preferences for example. So for fine-tuning and centrally controlling all settings and such of Windows machines (clients and servers), and other objects, Group Policy is really a very convenient way of doing it.

    I would think Salt compares to SCCM (it is just a configuration manager after all).

    I'd use Salt in place of Group Policy and other configuration managers. But if you already have AD/Group Policy and System Center, there's really no need, unless you also have a lot of Linux (or other) based OSs.



  • @Tim_G said in Comparison of Salt vs AD:

    Active Directory is just a centralized authentication and object database... it isn't much more than that.

    The good stuff (in this aspect), is Group Policy. The main part of Group Policy, administrative templates, is (basically) just an easy categorized and searchable GUI way of centrally controlling the registry of multiple Windows clients.

    There are a ton of other Group Policy extensions as well, like all those included in Group Policy Preferences for example. So for fine-tuning and centrally controlling all settings and such of Windows machines (clients and servers), and other objects, Group Policy is really a very convenient way of doing it.

    I would think Salt compares to SCCM (it is just a configuration manager after all).

    I'd use Salt in place of Group Policy and other configuration managers. But if you already have AD/Group Policy and System Center, there's really no need, unless you also have a lot of Linux (or other) based OSs.

While I totally agree with what you are saying in a Windows environment, I was asking out of curiosity in a Fedora environment. I am trying to branch out of Windows and begin to pursue skills on the other side, if you will.



  • @NerdyDad said in Comparison of Salt vs AD:

    @Tim_G said in Comparison of Salt vs AD:

    Active Directory is just a centralized authentication and object database... it isn't much more than that.

    The good stuff (in this aspect), is Group Policy. The main part of Group Policy, administrative templates, is (basically) just an easy categorized and searchable GUI way of centrally controlling the registry of multiple Windows clients.

    There are a ton of other Group Policy extensions as well, like all those included in Group Policy Preferences for example. So for fine-tuning and centrally controlling all settings and such of Windows machines (clients and servers), and other objects, Group Policy is really a very convenient way of doing it.

    I would think Salt compares to SCCM (it is just a configuration manager after all).

    I'd use Salt in place of Group Policy and other configuration managers. But if you already have AD/Group Policy and System Center, there's really no need, unless you also have a lot of Linux (or other) based OSs.

While I totally agree with what you are saying in a Windows environment, I was asking out of curiosity in a Fedora environment. I am trying to branch out of Windows and begin to pursue skills on the other side, if you will.

    Ah, the dark side...



  • Service Provider

    @NerdyDad said in Comparison of Salt vs AD:

While I totally agree with what you are saying in a Windows environment, I was asking out of curiosity in a Fedora environment. I am trying to branch out of Windows and begin to pursue skills on the other side, if you will.

    Oh, local accounts are even more simple and powerful there. So Salt's ability to be used for central authentication is quite strong.



  • @scottalanmiller said in Comparison of Salt vs AD:

    @NerdyDad said in Comparison of Salt vs AD:

While I totally agree with what you are saying in a Windows environment, I was asking out of curiosity in a Fedora environment. I am trying to branch out of Windows and begin to pursue skills on the other side, if you will.

    Oh, local accounts are even more simple and powerful there. So Salt's ability to be used for central authentication is quite strong.

    Seems to be way more powerful to manage systems located anywhere from anywhere, with nothing more than a simple internet connection at either end.


  • Service Provider

    @Tim_G said in Comparison of Salt vs AD:

    @scottalanmiller said in Comparison of Salt vs AD:

    @NerdyDad said in Comparison of Salt vs AD:

While I totally agree with what you are saying in a Windows environment, I was asking out of curiosity in a Fedora environment. I am trying to branch out of Windows and begin to pursue skills on the other side, if you will.

    Oh, local accounts are even more simple and powerful there. So Salt's ability to be used for central authentication is quite strong.

    Seems to be way more powerful to manage systems located anywhere from anywhere, with nothing more than a simple internet connection at either end.

    Yeah, managing Linux from Salt is like a dream :)



Managing computers as long as they have an Internet connection (I am thinking of our various sales folk and account managers who work from home)... I need to learn about Salt.



  • @NerdyDad

While I agree with what you said technically, Salt can be so powerful, in my opinion, that it can do everything I want from AD (but it needs prior planning and proper machine naming; also, the first step of configuring the Salt minion on every machine can be daunting, yeah, on every machine).

I think what you're referencing about AD is the authorization part; well, for me, I can create users and also Windows groups remotely using the Salt native module, then, using this with a NAS, I can provide access, or I can run a script for selected users to mount the share on startup of their machines.

    In summary it can do everything AD does in my perspective, but you just need to plan ahead and keep things simpler.

    Also check this module, where you can configure the local group policy for windows clients.
    https://docs.saltstack.com/en/latest/ref/states/all/salt.states.win_lgpo.html
It is just one of many native modules with which you can do many things. Want to check free space on all of your client machines? This can be done with a one-liner:
    salt '*' status.diskusage

Thus Salt extends the already known, stable reporting tools that Windows natively has, but wraps them in the SSH-feel environment that I love.

    I think next step for us in my organization is using SaltStack + Urbackup . Will keep you posted about how this goes.

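An added example, not taken from the thread or from the SaltStack project, of what "take local users and push them to each machine" and "create users and Windows groups remotely" look like as a Salt state. One pillar file holds the account definitions; one state file renders them for Fedora and for Windows minions by checking the `kernel` grain. Everything here is constructed: the user names, the groups, the file paths, and the placeholder password values, which you must replace with a real crypt(3) hash for Linux and a pillar-encrypted secret for Windows.

```yaml
# ---- /srv/pillar/users.sls  (constructed example; replace every placeholder) ----
users:
  jdoe:
    fullname: Jane Doe
    # Linux: a pre-hashed crypt(3) string, generated once offline (e.g. `openssl passwd -6`).
    # The hash, never the cleartext, is what ends up in /etc/shadow on every minion.
    password_hash: '$6$REPLACE_WITH_REAL_HASH'
    # Windows: user.present needs the cleartext password, so keep this pillar encrypted
    # (GPG renderer) and scope it in the pillar top.sls so only Windows minions receive it.
    win_password: 'REPLACE_WITH_SECRET'
    groups_linux: [wheel]
    groups_windows: [Administrators]
  jsmith:
    fullname: John Smith
    password_hash: '$6$REPLACE_WITH_REAL_HASH'
    win_password: 'REPLACE_WITH_SECRET'
    groups_linux: []
    groups_windows: [Users]

# Accounts that must not exist on any machine (offboarded staff).
absent_users:
  - olduser

# ---- /srv/salt/users.sls  (constructed example) ----
{%- set users = pillar.get('users', {}) %}
{%- set is_windows = grains['kernel'] == 'Windows' %}

{% for name, u in users.items() %}
user_{{ name }}:
  user.present:
    - name: {{ name }}
    - fullname: {{ u.fullname }}
{%- if is_windows %}
    - password: {{ u.win_password }}
    - groups: {{ u.groups_windows }}
{%- else %}
    # Already hashed; Salt writes it as-is, so the cleartext never leaves the admin workstation.
    - password: {{ u.password_hash }}
    - shell: /bin/bash
    - groups: {{ u.groups_linux }}
    - remove_groups: False     # do not strip group memberships added by other states
{%- endif %}
{% endfor %}

{% for name in pillar.get('absent_users', []) %}
remove_{{ name }}:
  user.absent:
    - name: {{ name }}
    - purge: True              # also delete the home directory / profile
{% endfor %}
```

Dry-run it first with `salt '*' state.apply users test=True`, then apply for real with `salt '*' state.apply users`. Once applied, each machine authenticates those users locally with no server in the path, which is the "distributed" side of the comparison. The caveat that goes with it: there is no central revocation as there is with AD, so an account you mark absent stays usable on a machine that is offline until that machine next applies the state. Running the state on the minion `schedule` (or a regular highstate) keeps that window short.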


  • @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @NerdyDad

While I agree with what you said technically, Salt can be so powerful, in my opinion, that it can do everything I want from AD (but it needs prior planning and proper machine naming; also, the first step of configuring the Salt minion on every machine can be daunting, yeah, on every machine).

I think what you're referencing about AD is the authorization part; well, for me, I can create users and also Windows groups remotely using the Salt native module, then, using this with a NAS, I can provide access, or I can run a script for selected users to mount the share on startup of their machines.

    In summary it can do everything AD does in my perspective, but you just need to plan ahead and keep things simpler.

    Also check this module, where you can configure the local group policy for windows clients.

    I think next step for us in my organization is using SaltStack + Urbackup . Will keep you posted about how this goes.

    I wonder how much of this could be automated via tools like PDQ Deploy? ... or just make sure your DNS servers have an entry for your Salt server.


  • Service Provider

    @dafyre said in Comparison of Salt vs AD:

    I wonder how much of this could be automated via tools like PDQ Deploy? ... or just make sure your DNS servers have an entry for your Salt server.

    not nearly so much and not nearly so well.



  • @dafyre

The Windows installer of the Salt minion asks you for:

    Salt Master Hostname or IP address
    Minion Name

    And you can install it silently with:

    Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

Sadly I can't trust my users to run the installer and do the steps. I ASKED THEM TO PLACE THE 3-letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for the minion name.

    Now I have to do them all manually
    90 MACHINES

    GONA GO KILL MORE PPL IN DBD


  • Service Provider

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @dafyre

The Windows installer of the Salt minion asks you for:

    Salt Master Hostname or IP address
    Minion Name

    And you can install it silently with:

    Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

Sadly I can't trust my users to run the installer and do the steps. I ASKED THEM TO PLACE THE 3-letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for the minion name.

    Now I have to do them all manually
    90 MACHINES

Use PowerShell or GPO.

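An added example, not from the thread or from SaltStack, of what "use PowerShell or GPO" looks like in practice: a script that PDQ Deploy, a GPO startup script or Invoke-Command runs as an administrator on each Windows machine, so that nobody has to type a minion name. It uses only the installer switches shown above (/S, /master=, /minion-name=). The share path, the expected-hash placeholder, the DNS name `salt` for the master, and the choice to build the minion id from the hostname plus the BIOS serial are all assumptions.

```powershell
# Silent Salt-Minion deployment (added example; not part of the original thread).
# Run as SYSTEM or a local administrator on the target machine.
param(
    # Assumed share; point this at wherever you stage the installer.
    [string]$Installer      = '\\fileserver\deploy\Salt-Minion-2016.11.5-AMD64-Setup.exe',
    # Placeholder: fill in the SHA-256 you recorded when you downloaded the installer.
    [string]$ExpectedSha256 = 'REPLACE_WITH_SHA256_OF_INSTALLER',
    # 'salt' is the DNS name the thread suggests; it must resolve on your internal DNS.
    [string]$Master         = 'salt'
)
$ErrorActionPreference = 'Stop'

# 1. Never execute a binary pulled from a share without checking it first.
#    (-ne is case-insensitive in PowerShell, so hex case does not matter.)
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Installer hash mismatch for $Installer (got $actual)"
}

# 2. Build a deterministic minion id from the machine itself, not from user input.
#    Hostname alone collides when a machine is re-imaged with a stale key on the master,
#    so the BIOS serial is appended (assumption: your hardware reports one).
$serial   = ((Get-CimInstance -ClassName Win32_BIOS).SerialNumber -replace '[^A-Za-z0-9]', '')
$minionId = ('{0}-{1}' -f $env:COMPUTERNAME, $serial).ToLower()

# 3. Fail early if the master name does not resolve; otherwise the service just sits retrying.
$null = Resolve-DnsName -Name $Master -Type A

# 4. Silent install with the switches from the thread.
$installArgs = @('/S', "/master=$Master", "/minion-name=$minionId")
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}

# 5. Make sure the service is up, and emit the id so the deployment log tells you
#    which key to expect on the master.
Start-Service -Name 'salt-minion'
Write-Output "salt-minion installed; minion id = $minionId"
```

On the master the new key shows up under that id in `salt-key -L`. Accept it per machine with `salt-key -a <id>` after comparing `salt-key -f <id>` on the master with `salt-call --local key.finger` run on the machine; the minion key is the machine's identity to Salt, so accepting everything blindly with `salt-key -A` lets any host that can reach port 4505/4506 and guess a plausible id receive your pillar and states.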


  • @scottalanmiller said in Comparison of Salt vs AD:

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @dafyre

The Windows installer of the Salt minion asks you for:

    Salt Master Hostname or IP address
    Minion Name

    And you can install it silently with:

    Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

Sadly I can't trust my users to run the installer and do the steps. I ASKED THEM TO PLACE THE 3-letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for the minion name.

    Now I have to do them all manually
    90 MACHINES

Use PowerShell or GPO.

Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.



  • @msff-amman-Itofficer said in Comparison of Salt vs AD:

    Now I have to do them all manually
    90 MACHINES

    GONA GO KILL MORE PPL IN DBD

Don't do this.... The first rule of IT is to automate when possible. I suggest PDQ as well.



  • @dafyre said in Comparison of Salt vs AD:

    @scottalanmiller said in Comparison of Salt vs AD:

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @dafyre

The Windows installer of the Salt minion asks you for:

    Salt Master Hostname or IP address
    Minion Name

    And you can install it silently with:

    Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

Sadly I can't trust my users to run the installer and do the steps. I ASKED THEM TO PLACE THE 3-letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for the minion name.

    Now I have to do them all manually
    90 MACHINES

Use PowerShell or GPO.

Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.

    @dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.


  • Service Provider

    @Romo said in Comparison of Salt vs AD:

    @dafyre said in Comparison of Salt vs AD:

    @scottalanmiller said in Comparison of Salt vs AD:

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @dafyre

The Windows installer of the Salt minion asks you for:

    Salt Master Hostname or IP address
    Minion Name

    And you can install it silently with:

    Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

Sadly I can't trust my users to run the installer and do the steps. I ASKED THEM TO PLACE THE 3-letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for the minion name.

    Now I have to do them all manually
    90 MACHINES

Use PowerShell or GPO.

Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.

    @dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.

    I use Chocolatey.



  • @NerdyDad said in Comparison of Salt vs AD:

    I'm trying to clarify this statement from this post

    By @scottalanmiller "I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD."

    https://mangolassi.it/topic/13786/how-to-patch-wannacry-using-saltstack-ad-alternative/3

    Please correct me if I am wrong, but I want to clarify if I am understanding this correctly.

We all know that AD is a collective, server/client, authentication system. Client computers connected to an AD system have to communicate with an AD server in order to authenticate users for resources.

    Salt syncs local users to each other in a mesh-network so that all users are still capable of accessing all of the computers with the same credentials without having to authenticate to a central server.

    Is this correct or am I reading too much into this?

A stricter analogue of AD authentication on Linux is Kerberos (on which AD is based). Using Salt is more of a hack which, considering the apparent possibility of firing events in Salt, seems a feasible one anyway.



  • @scottalanmiller said in Comparison of Salt vs AD:

    @Romo said in Comparison of Salt vs AD:

    @dafyre said in Comparison of Salt vs AD:

    @scottalanmiller said in Comparison of Salt vs AD:

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @dafyre

The Windows installer of the Salt minion asks you for:

    Salt Master Hostname or IP address
    Minion Name

    And you can install it silently with:

    Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

Sadly I can't trust my users to run the installer and do the steps. I ASKED THEM TO PLACE THE 3-letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for the minion name.

    Now I have to do them all manually
    90 MACHINES

Use PowerShell or GPO.

Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.

    @dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.

    I use Chocolatey.

    I actually deployed the salt-minions to upgrade powershell and deploy chocolatey =).



  • @Romo @aaronstuder @dafyre

This PDQ Deploy you guys have been mentioning, does it require an agent on the Windows clients, or does it just rely on Active Directory to work?



  • @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @Romo @aaronstuder @dafyre

This PDQ Deploy you guys have been mentioning, does it require an agent on the Windows clients, or does it just rely on Active Directory to work?

    No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.


  • Service Provider

    @NerdyDad said in Comparison of Salt vs AD:

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @Romo @aaronstuder @dafyre

This PDQ Deploy you guys have been mentioning, does it require an agent on the Windows clients, or does it just rely on Active Directory to work?

    No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.

    Same as with PowerShell.



  • @NerdyDad

    Interesting, thanks.



  • @scottalanmiller said in Comparison of Salt vs AD:

    @NerdyDad said in Comparison of Salt vs AD:

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @Romo @aaronstuder @dafyre

This PDQ Deploy you guys have been mentioning, does it require an agent on the Windows clients, or does it just rely on Active Directory to work?

    No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.

    Same as with PowerShell.

    Does PowerShell require some sort of remote access to be enabled?

    Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?



  • @Dashrender said in Comparison of Salt vs AD:

    Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?

    • UDP 137
    • UDP 138
    • UDP 445
    • TCP 139
    • TCP 445
    • TCP 6336

  • Service Provider

    @wirestyle22 said in Comparison of Salt vs AD:

    @Dashrender said in Comparison of Salt vs AD:

    Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?

    • UDP 137
    • UDP 138
    • UDP 445
    • TCP 139
    • TCP 445
    • TCP 6336

    Man that's a lot.


  • Service Provider

    @Dashrender said in Comparison of Salt vs AD:

    @scottalanmiller said in Comparison of Salt vs AD:

    @NerdyDad said in Comparison of Salt vs AD:

    @msff-amman-Itofficer said in Comparison of Salt vs AD:

    @Romo @aaronstuder @dafyre

This PDQ Deploy you guys have been mentioning, does it require an agent on the Windows clients, or does it just rely on Active Directory to work?

    No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.

    Same as with PowerShell.

    Does PowerShell require some sort of remote access to be enabled?

    Yes, but it is enabled by default. Just don't turn it off.



  • @scottalanmiller said in Comparison of Salt vs AD:

    @wirestyle22 said in Comparison of Salt vs AD:

    @Dashrender said in Comparison of Salt vs AD:

    Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?

    • UDP 137
    • UDP 138
    • UDP 445
    • TCP 139
    • TCP 445
    • TCP 6336

    Man that's a lot.

    Could be easily done as part of an image, logon batch.

