Improving the User Experience for Desktop Sysadmins – Sabayon

Submitted by Seth 2005-02-18 Gnome 52 Comments

Sabayon is GNOME’s first major design targeted at improving the user experience for people who administer GNOME systems, and hopefully the start of an initiative toward designing for this important group of users.

2005-02-18 9:43 am
This is/will be the same for GNOME as Kiosktool is for KDE?

2005-02-18 10:10 am
Gnome (well, the linux desktop in general) needs a solution on a par or better than Group Policy in Active Directory. This Sabayon effort appears to be the start of such a system, and when the appropriate part of netscape LDAP becomes open source, hopefully a more client/server policy based model will be possible. Working with Group Policy Objects in a windows domain is invaluable to system lockdown and user control. The linux desktop will be “there” for *serious* corporates when there is a similar solution on GNU/linux. Currently, it cannot provide a drop-in replacement for a well managed XP based corporate desktop. I have been waiting for an announcement like this, and will be immediately pledging support to the project. This will be a significant boost to the improvement of Gnome, and of the viability of it as a corporate platform.

2005-02-18 10:15 am
Active dir approach isn’t really effective on a unix like system. You already have a good concept of user and of file configuration location.
All you may like is a finer way to propagate changes different from cp and diff (that would work quite fine IF the gconf xml files are human indented). Please stop looking at the half baked M$ copycat from 20 years ago and directly look at it and see how it could be improved and not perverted…

2005-02-18 10:29 am
Can I realistically specify, at domain level, that a group of users cannot open a terminal, change the look n feel of their desktop, restrict access to certain apps etc. Until this is possible on a corporate wide scale, without chmod and login scripts being involved, gnu/linux is not a viable alternative to a GPO managed domain.

2005-02-18 10:39 am
Another way (I do not like so much) is using PAM. Still I like the group/skelfile approach.

2005-02-18 10:42 am
> Until this is possible on a corporate wide scale, without chmod and login scripts being involved, gnu/linux is not a viable alternative to a GPO managed domain.

If you are handling something that requires a GPO, you are a system administrator. And as a system administrator, you are required to know the ins and outs of the systems that you administer… If you can’t handle chmod or login scripts, then you aren’t a UNIX system administrator and you shouldn’t be handling these servers. It’s harsh, but realistically, stick with Windows servers and let the UNIX/Linux admins do their jobs…we don’t step up to do yours (nor do we tend to want to do Windows administration)

2005-02-18 10:48 am
> If you can’t handle chmod or login scripts

While not wanting to rise to the bait, chmod and login scripts come quite naturally. I’ve been doing linux administration for quite some time. I just know that there is no alternative to GPOs in the linux world.

2005-02-18 10:49 am
Ouch…. Quite realistic and very true. Well spoken.

2005-02-18 11:06 am
> While not wanting to rise to the bait, chmod and login scripts come quite naturally. I’ve been doing linux administration for quite some time.
> I just know that there is no alternative to GPOs in the linux world.

There are many in the UNIX administration groups that believe that Group policies and Active Directory in general are a very broken and poor way to do large system user administration. It doesn’t translate well into the UNIX way of doing things, and Sabayon is a layer, just for GNOME…this doesn’t translate well into the use of different window managers, desktop environments, et al. The only real way of doing it is chmod/login scripts or a PAM like solution.

2005-02-18 11:23 am
I, for one, find netlogon scripts and specifying settings in a Windows domain server that should propagate registry settings for example to users that log into this domain much harder in deploying. It’s just insane! You have all these buttons and levers and stuff and it still doesn’t work. At least with UNIX you know where things go and there’s only one file responsible for one thing. Unlike Windows where you can spend hours navigating expanding consoles to find the same settings on different levels of different consoles. Guess I’m a terrible Windows admin…

2005-02-18 11:29 am
> Guess I’m a terrible Windows admin…

As am I. This is why I stated what I did earlier. I don’t do Windows administration well at all. I leave that for the trained MS people. I have been trained in the UNIX mentality. I think in UNIX methodology. The UNIX mentality doesn’t transfer well into the Windows world and the Windows mentality doesn’t transfer well into the UNIX world. As a side note, something that’s related to this story…I don’t think adopting windows concepts (gconf, active directory style setups, etc) is the right way to go about this. It’s adopting methods that just don’t mix well with the thought process that went into UNIX and Linux…and it’s bound to cause problems. Don’t copy Microsoft…

2005-02-18 12:24 pm
> The UNIX mentality doesn’t transfer well into the Windows world and the Windows mentality doesn’t transfer well into the UNIX world.
I agree with this. I’m not talking about a direct copy of GPO on linux systems. However, something equal to or superior in terms of administrative control should be developed. There is unfortunately only so much you can do “the unix way”, and “the MS way” can be very complicated and unnecessary. This should be an opportunity to be innovative and creative, resulting in a fd.o spec permitting linux policy based lock down. After all, it is essential to control both the machine and the user.

2005-02-18 12:28 pm
> Can I realistically specify, at domain level, that a group of users cannot open a terminal, change the look n feel of their desktop, restrict access to certain apps etc.

Easily. Asking this question, even rhetorically, shows that you are not as well informed as you could be.

> Until this is possible on a corporate wide scale, without chmod and login scripts being involved, gnu/linux is not a viable alternative to a GPO managed domain.

Gnu/linux is not just viable but good. Incidentally, why are you artificially saying that chmod, one of the basic Unix privilege tools, and login scripts cannot be used? Use the best tools for the job. Though anything a login script can do an admin script can usually do better. In any case it depends on the job but usually when I want to change privileges I just add/remove the appropriate users to/from the appropriate groups. Propagated via LDAP/PAM. If necessary I create new groups and/or exports/mounts to make the appropriate tools [in]visible/accessible. For more complex tasks I’ll parallel remote secure shell a script from my admin workstation to all or a group of user workstations to modify/fix things as appropriate. It helps that I manage workstation system file changes so that there are no unnecessary differences between workstations apart from logs and network config.
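
The group-based approach described in the comment above (granting or withdrawing access to a tool by changing group membership), as an added example that is not part of the original thread: a Python audit of which accounts can execute a group-restricted program. The account data, the `termusers` group and the `/usr/bin/gnome-terminal` target are constructed assumptions, and only classic mode bits are modelled (no ACLs, no SELinux).

```python
"""Audit which accounts can execute a group-restricted program.

Models classic Unix mode bits only (no ACLs, no SELinux) and assumes every
account can traverse the directories leading to the file.
"""
from dataclasses import dataclass

# Constructed sample data in passwd(5) / group(5) format, e.g. the output of
# `getent passwd` and `getent group` on a workstation using LDAP accounts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
termusers:x:2001:alice,bob
"""


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gids: frozenset  # primary gid plus supplementary gids


@dataclass(frozen=True)
class FileMeta:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # permission bits, e.g. 0o750


def load_accounts(passwd_text, group_text):
    """Combine passwd and group entries into Account objects."""
    members = {}  # user name -> set of supplementary gids
    for line in group_text.splitlines():
        if not line.strip():
            continue
        _name, _pw, gid, users = line.split(":")
        for user in filter(None, users.split(",")):
            members.setdefault(user, set()).add(int(gid))
    accounts = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid = line.split(":")[:4]
        gids = frozenset({int(gid)} | members.get(name, set()))
        accounts.append(Account(name, int(uid), gids))
    return accounts


def can_execute(acct, meta):
    """Apply the kernel's rule: exactly one permission class is consulted."""
    if acct.uid == 0:
        return bool(meta.mode & 0o111)      # root needs any execute bit
    if acct.uid == meta.owner_uid:
        return bool(meta.mode & 0o100)      # owner class wins, even if stricter
    if meta.group_gid in acct.gids:
        return bool(meta.mode & 0o010)
    return bool(meta.mode & 0o001)


def who_can_execute(accounts, meta):
    """Return the sorted names of all accounts allowed to run the file."""
    return sorted(a.name for a in accounts if can_execute(a, meta))


# Hypothetical target: a terminal emulator after
#   chgrp termusers /usr/bin/gnome-terminal; chmod 750 /usr/bin/gnome-terminal
TERMINAL = FileMeta("/usr/bin/gnome-terminal", owner_uid=0, group_gid=2001, mode=0o750)

if __name__ == "__main__":
    accounts = load_accounts(PASSWD, GROUP)
    print(TERMINAL.path, "->", who_can_execute(accounts, TERMINAL))
```

Running the audit before and after a group change shows exactly which accounts gained or lost access, which is the check to make after each membership change is propagated.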
2005-02-18 12:35 pm
“Don’t copy Microsoft…”

AD is a third left that’s been attached to the windows world… copied from NDS (novell or network whatever history you live)… Both are right… there can be the same solution with different logic paths… it’s open as long as both can work on their own logic path then that increased the Linux magnetic pull…. In a last note Yes copy Microsoft……. From this perspective… they enter a market and don’t move till everyone else starts to drop does not matter if they have a poor solution or product over the years it might take ten years or twenty but they stay till they become number one. SO copy Microsoft……. don’t let the open world crumble it’s good to look from every perspective and give a solution..

2005-02-18 12:36 pm
AD is a third LEG that’s been attached to the windows world

2005-02-18 1:02 pm
So how exactly /do/ you restrict GUI user privs (like items on the panel and whatnot) with chmod? You have to have tools like this to modify the preferences & settings systems of GUI desktop environments, which chmod and groups don’t do very well, since traditional Unix fashion would ignore people using GUI desktop environments. Realistically, the Linux world is never going to get a common preferences and settings system (which is somewhat unfortunate), so we’ll continue to need tools for each desktop environment, that are also /GUI/ tools. One of the things that Sabayon does _right_ is to have the administrator actually go through the setup process visually, so he/she knows exactly the effects of his/her actions, rather than just editing a text file somewhere.

2005-02-18 1:44 pm
chmod is too simple.. It is not without reason various ACL projects are (coming) to unix

2005-02-18 1:47 pm
“It is not without reason various ACL projects are (coming) to unix”

no. acl are a complete failure in unix and unix like systems.
what would be more sophisticated and viable is selinux like mac systems which have been shipping with fc3 and redhat el 4 by default. if you want better name space handling look into reiserfs 4. acl will never be widely deployed and used in unix systems. they are too restrictive

2005-02-18 1:49 pm
How is this any good when developers don’t agree on using a common API? KDE/Qt programs use their thing, Gnome uses GConf and so on. How can you centralize configuration (like you do with ActiveDirectory) when you have a lot of different systems? That’s not gonna make you more effective

2005-02-18 2:11 pm
“KDE/Qt programs use their thing, Gnome uses GConf and so on.”

see freedesktop.org newconf.

“That’s not gonna make you more effective”

it will

2005-02-18 2:12 pm
That title on the setting window illustrates to me the level of design maturity that goes into a project like this. This is why Linux will continue to remain a system primarily for geeks and hackers. :/

2005-02-18 2:17 pm
> This is why Linux will continue to remain a system primarily for geeks and hackers. :/

why. that is not true even today. so you are expecting a regression not going to happen. the design is a preliminary sample. if you don’t realise how software is developed please educate yourself. gnome is much more than linux itself for your information.

2005-02-18 2:55 pm
I do know how software is developed, and I don’t go throwing in silly window titles and error messages into the programs I write because it wastes time to go back and change it later.

2005-02-18 3:14 pm
Renaldo: This version is a beta version. I’m pretty sure that the window bar title and the error boxes will be changed in later, more stable, versions.

2005-02-18 3:17 pm
> I do know how software is developed, and I don’t go throwing in silly window titles and error messages into the programs I write because it wastes time to go back and change it later.
Dude, if they want to waste 2 minutes of their lives to fire up glade and change the window title for the final release, I don’t think the rest of the world will take notice and cry in despair. Now, if you have issues with linux, try at least to prove you have valid reasons. Microsoft will change the name for Longhorn, so I don’t think this makes a difference.

2005-02-18 3:29 pm
“I do know how software is developed, and I don’t go throwing in silly window titles and error messages into the programs I write because it wastes time to go back and change it later.”

come on man. that was his personal blog and it’s just an initial sketch. it’s supposed to be humorous. if you don’t get it never mind. but complaining about it and associating it with a hacker audience is profoundly silly. there might be other valid complaints and you are free to state them.

2005-02-18 3:50 pm
LOL at your stunning display of maturity. It’s a good thing that you saved that 30 seconds retitling your windows so you could spend it throwing a temper tantrum here.

2005-02-18 3:52 pm
It’s funny how people hide under the blankets of opinions. “It’s an opinion, so it doesn’t need to be factual, nor do I need to verify its credibility.”

2005-02-18 4:14 pm
In my project teachers with very little knowledge of linux or even windows administration will need to set up the desktop environments for their students. THIS looks like the visual tool that can make this task easier than it is with /etc/skel and chmod.

2005-02-18 4:17 pm
Took them quite long to target that particular area where KDE is leading since version 3.0 (2001) when their Kiosk framework was introduced. However I don’t want to know how messy everything looks by them not only covering GConf and GTK configurations but also the ones by Firefox and OpenOffice.org, that already smells like a maintenance nightmare from the get go.

2005-02-18 4:17 pm
ACLs have been used for a long time with Unix-like systems.
There are lots of large deployments of AFS (http://www-2.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs.html), especially at universities.

2005-02-18 4:37 pm
AFAICT, Sabayon isn’t about doing what the first few posters in this thread are talking about. It’s not about locking down applications and terminals, necessarily. It’s about configuring the desktop. It’s a GNOME project that deals with GNOME, it’s not intended to be an end-to-end solution. You should still use pam and other standard unix methods to deal with the underlying system.

2005-02-18 4:40 pm
yes, because proprietary software designers never put little jokes into software while it’s still in the development stage, do they? oh, wait. Microsoft put jokes and easter eggs into *released* software. Very elaborate ones too. Just go google some of the easter eggs in Office. Another one I noticed yesterday – in the Excel help file there’s an example macro to lower-case everything in a worksheet. The example was converting ‘E. E. Cummings’ to ‘e. e. cummings’. If you don’t understand that one…it’s a joke. Trust me. Quite a good one, actually.

2005-02-18 5:11 pm
<<If you are handling something that requires a GPO, you are a system administrator. And as a system administrator, you are required to know the ins and outs of the systems that you administer… If you can’t handle chmod or login scripts, then you aren’t a UNIX system administrator and you shouldn’t be handling these servers.>>

You still present no valid reason why these things should remain pointlessly obscure or obtuse. Not every small business that wants to switch to a linux/unix solution has the big bucks to hire a full time *nix sysadmin.

2005-02-18 5:14 pm
No one has mentioned that an incredibly easy way to lock down the desktop is to mount the opt directory depending on what the user requires. This provides a reliable way of locking a user desktop down.
MS LDAP, sorry MS AD gpo for desktop lockdown can be bypassed with relative ease (if you know how). I can’t say the same of Linux!

2005-02-18 5:49 pm
why not use wine to run active directory? man you guys over complicate things…

2005-02-18 6:51 pm
In addition, Cummings expressed ideas through new grammatical usage: he employed verbs as nouns, and other locutions as new linguistic creations (for example, “wherelings, whenlings / daughters of ifbut offspring of hopefear / sons of unless and children of almost / never shall guess”). He indulged in free play with punctuation and capitalization. Lowercase letters were the rule; capitals were used only for special emphasis; punctuation marks were omitted for ambiguous statement; others were introduced for jarring effects. His use of the lowercase letter “i” not only became a well-known means of self-reference in his work, but also reflected a role that he created for himself: he was the underling, the unnoticed dreamer, the downtrodden one, the child in the man; yet by asserting his individuality in this way, he thrust himself forward and established a memorable persona.

2005-02-18 7:44 pm
i can see the usefulness of this as it helps the admin to set up different default classes of desktop configs depending on what the user will be doing. setting up a secretary’s desktop? lock the shortcuts to the office apps so you don’t get silly calls when she somehow has moved them somewhere or dragged them off the bar and so on. and also helps setting up a fresh computer for this by saving the profile as a kind of template and then dumping it into the user folder as needed. still, you could do a basic user config for that class of users and then create a tar of the user folder, but that leaves out a bit of flexibility.
hmm, i wonder if these configs can be applied using a shell script as then one can create an interactive script where you define app access (by adding the user to groups) set up the desktop and all the rest by calling the script.

2005-02-18 7:57 pm
currently, unix admins know more about how the technologies in their network work than your average MCSE, in fact microsoft certification has become somewhat of a joke in the industry. they are a dime a dozen, and about half don’t know their ass from their elbows. (please… it’s not a flame, just my perception. there are many great windows admins out there, and i’m sure they would agree with my perception) the reason for this is that microsoft has lowered the bar to windows administration to the point where a trained ape can do it, so that’s what you get. anyone learning to be an admin who finds this stuff beyond them probably should consider another profession.

2005-02-18 9:31 pm
You still don’t explain very well *why* a lot of specialized training should be required. I mean, I don’t have to be an Acura certified mechanic to get in my car and drive it safely from point A to point B.

Don’t get me wrong. Where I work there are 3.5 *nix heads, but then again, there’s $100k + tied up in Sun hardware and other extremely specialized software that we ask to do some pretty complicated highly customized to our needs things. However, something as nuts and bolts as setting up account permissions, including desktop permissions shouldn’t have to be needlessly hard and complex as to require a specially trained IT person. That’s shooting a sparrow with a cannon. A small business person probably doesn’t have the money to have a dedicated IT person, nor does s/he have the time to take that sort of training, given the demands of business.

Or, on an itty bitty scale, at home there are 3 people who need regular time on my PowerMac: me, my husband, my dad.
Setting up the 4 accounts needed to handle all that took 3 minutes and no reading anything to learn how to do that. (And, Fast User Switching = greatest thing since sliced bread.)

Last year I provided the consuite computers at an informal convention attended by 300 people. Once again OS X made setting up the accounts and assigning privileges (including locking down the desktop and folders so things couldn’t be moved) incredibly easy. I didn’t have to know Jack about the nitty gritty details of chmod, chown, and all the flags. I just had to know what I did/did not want people to be able to do and clicked the little boxes appropriately and. It. Just. Worked. (And for once, at that con, the computers and the printer worked all the way through. Nothing got changed, moved or accidentally uninstalled.)

(Also, when I showed a friend of mine who loves Linux and is a Unix admin for a living how simple it was for me to set everything up, she goggled at it, because she knows I have no formal *nix training. [It took just a few more clicks of the mouse to give her a custom account where she could start exploring OS X. She ended up purchasing an iBook the week after the con.])

Please explain to me why this sort of ease and simplicity in setting up basic meat and potatoes accounts is a bad thing? (Should I have to need to know gear ratios and flywheel size to clutch and shift my car as I drive down the road?) — I’m trying to teach myself Ubuntu, and believe you me, one of the things I miss most is the OS X admin tools panel and right-click “get info”.

2005-02-18 10:14 pm
I think those who claim that “1337 admins don’t need this” don’t understand the importance of the project. Don’t you understand that this is what is needed to make “linux on the desktop” popular also with the big mass?
The reason Windows is so dominant is not because it’s such a great product, it’s because it’s reasonably easy to use even for those who can’t turn vim into a spaceship or crack the SHA-1 algorithm using 1 line of Perl. With tools like this, the old TCO argument “In enterprise environments Windows is easier to maintain and thus costs less” will no longer hold – MS will have to resort to other arguments in the future (which?) First Hula, now this…good times are coming the penguin desktop way.

2005-02-18 11:57 pm
I’ll say two things.

1) None of the posters in this thread appear to understand what the /etc/skel directory is and how it can be used in setting up defaults for accounts.

2) This is the Gnome world arriving at the party a day late and a dollar short. If they had one bit of common sense, they would extend the existing kiosktool to cover Gnome. Instead, they are now going to require people to make a completely binary choice as to what desktop to use because if you use one, you will not have the tools available to manage the others. In other words, it is a damn shame that you cannot change evolution settings in kiosk or kmail settings in Sabayon. Given that kiosk is here and works now, it shows arrogance beyond belief to thrust upon the user and admin community another tool, just because of the famous “not invented here” syndrome that seems to populate Gnome.

Same thing with Hula and everything they do. There is already egroupware, which works today. It has a beautiful web interface, a public open source XMLRPC API and work-in-progress plugins for Kontact and Outlook. Add one for evolution and you are done. But, no, they have to divide the community and come up with another useless groupware solution that won’t be ready in 2 or more years. In the meantime, we are losing mindshare and wasting the time of the admins and users that want to switch to Linux today. It is time to stop reinventing the wheel.
Build your app with whatever toolkit suits your whim, gtk or qt, but let’s work towards building common management tools for the desktop!

2005-02-19 1:23 am
Does kiosk have a separate backend? Can it handle Gnome-specific stuff, eg gconf? Maybe kiosk is too KDE specific, and that’s the reason why they chose to implement a separate framework. With your reasoning, why develop gedit when there’s kwrite? Why develop gtk when there’s qt? Etc. Competition is GOOD, remember that – in the end, the users will benefit from it as the better alternative (whatever that turns up to be) will be the one used.

2005-02-19 6:15 am
You are correct, but we aren’t talking about three user accounts. we are talking about Active Directory and LDAP, which are both technologies that would be pointless anywhere but a fairly large network. i can’t really think of a situation where that kind of thing would be used in the home. if a unix admin can’t deal with it, then you probably need a new admin.

2005-02-19 10:41 am
i know of a situation where this is useful on the home desktop, when you have kids in the house. i have seen more systems trashed from kids using their parent auto-login account to try out something a “friend” of theirs talked about (most likely giving flawed or less than needed info so that they would look more informed than the party listening in) than any other factor. yes a separate account helps but you may also want to lock down what the kid has access to on that account. lock down what he/she can do to the shortcuts and menus and never have to remake an accidentally deleted or otherwise removed icon again. i don’t have a problem with a simple to use desktop lockdown tool, at least nothing as visual as this. this is why i like linux, the desktop is a series of processes running at the users access, therefore the user can shape it as he likes without having to worry about admin level access.
to do some of the same stuff i can do simply in kde or gnome i have to use third party apps in windows that need admin access to intercept the explorer.

2005-02-19 10:42 am
> In my project teachers with very little knowledge of linux or even windows administration will need to set up the
> desktop environments for their students. THIS looks like the visual tool that can make this task easier than it is
> with /etc/skel and chmod.

Set them up with KDE and you can have that functionality today with “kiosktool”.

2005-02-19 4:23 pm
I think you missed the point here. This is an administrator tool, not a user tool. Yes, for the user it doesn’t matter how the things work, it is important that they do. For an administrator the flexibility is more important than the simplicity. I would feel uncomfortable if I don’t know what exactly happens when I click on buttons and checkboxes because I wouldn’t be able to estimate the implications for the system. For example: when I add a new user I want to know which files get changed, which permissions these files have and who owns these files. Because the next time the ITS runs and complains that some files changed I have to know if this is OK or the machine is owned. There is no way around knowing the nuts and bolts of your system if you want to administer it seriously. In your car analogy: you don’t have to be a mechanic to drive your car but you have to be a mechanic to maintain it.

2005-02-19 5:02 pm
I am really glad to hear about this new project. Funnily enough the way they are going about it appears to be almost exactly what I had in mind (i.e. open an Xnest, create a prototype desktop, save the configuration of the newly created layout, apply these layouts custom-tailored to specific groups). Up till now customizing the GNOME desktop for use in thinclient settings has been a real PITA.
As a sys admin for a thin-client (LTSP) environment I am really looking forward to this… Now if I pull out my pipe and start to imagine what I as a sys admin really want to have….

1) Thin clients running xorg (perhaps NX), busybox and dbus with
a) automatic hardware detection and
b) the ability to then store the detected hardware in the specific machine to the local machine image (so that the machine does not have to re-discover the hardware at each boot)
c) that dbus is then used to notify the LTSP server of the available hardware (local printers, floppies, USB devices, cd/dvd devices)
d) that in a thin client environment GNOME automagically utilizes the local devices completely transparent from the served desktop.

Ideally Rendezvous and dbus could be used together to create an auto-configuring presence system, where all network devices are self configuring with automatic hardware detection and configuration. When the user wishes to copy a file to their USB stick the application simply offers them a ‘USB-stick’ directory which is automatically resolved to the particular machine (IP-address) where the currently logged in user is working….. If and when this comes about, this coupled with the above mentioned project would radically change my work as sys admin, radical in the sense that my work would become much, much simpler…

2005-02-20 4:09 pm
> Took them quite long to target that particular area where
> KDE is leading since version 3.0 (2001) when their Kiosk
> framework was introduced.

Actually KDE 3.0 was introduced in April 2002, and the Gnome equivalent of the kiosk framework (default and mandatory settings in GConf) was introduced with Gnome 1.4 in April 2001.

2005-02-20 5:22 pm
> Actually KDE 3.0 was introduced in April 2002, and the
> Gnome equivalent of the kiosk framework (default and
> mandatory settings in GConf) was introduced with Gnome 1.4
> in April 2001.
No, the kiosk framework was introduced into the code in 2001, the first non-beta release of KDE 3.0 was indeed 2002. GNOME 1.4 afaik barely used GConf at all, it was only until 2.0 that GConf was actually used for the complete environment, which was however barely ported over at that point. And even at that point the big issue was that neither were the default and mandatory settings usable with all GNOME apps nor does the GNOME desktop do a good job of offering an actually unified desktop, which leads to the mess of Sabayon needing to care about to GConf unrelated GTK+, Firefox and OO.o configuration data. KDE had and has none of these issues as a desktop environment.

2005-02-20 6:31 pm
> No, the kiosk framework was introduced into the code in
> 2001, the first non-beta release of KDE 3.0 was indeed
> 2002.

The first draft of the Kiosk framework was in October 2001: http://lists.kde.org/?l=kde-kiosk&m=100317471429397&w=2

The first release (albeit very alpha) of GConf was September 1999: ftp://ftp.gnome.org/pub/GNOME/sources/GConf/0.1/

What was your point again? Oh, that’s right… you didn’t have one; you were just GNOME-bashing.

2005-02-21 3:56 pm
Eh, what’s your point in responding to something I didn’t even question to begin with? The only thing I was stating is that the kiosk framework was, due to the way KDE is setup as an environment, used and usable from the very beginning. It’s nice that GConf gets the prize for being the first to implement lockdown features (they should seriously make that GNOME innovation more visible). It’s just unfortunate that back then nearly no app made use of that configuration backend, and that didn’t change until GNOME 2.0 and, arguably, since Firefox and OO.o and diverse GTK apps are commonly mentioned as part of GNOME, not even today. This is a technical deficit, and I find it funny (but typical for the discussions on this site) that you want to summarize that as “GNOME-bashing”.