Samba - or to be precise MS AD is not just about files. On Linux it's limited to files and that's exactly the problem I'm talking about. On Mac it's at least able to share certificates and some basic settings now - still not ideal though.
Actually with modern clouds like OneDrive it's not about files at all, I haven't seen network drives being used for a decade. It's about privileges to various resources available within the corporate network and about what you can't do with your work computer, and about having the computer auto-configure to play with all the resources on the corporate network.
It's about setting detailed access level based on AD groups - including user applications, not just networked drives or whatever. Permissions to CRM/ERP systems, document management systems etc. Detailed as much as "this user can only see contracts and invoices assigned to the London branch".
I open my computer and I immediately see the printer that's nearest to me as the first printer in the list. Access to it is authenticated and authorized (with no additional password prompts). I can simply choose a document from SharePoint and send it right there, walk over there and slap my chip card on it and have it printed. It's part of my system's print queue but if I switch computers in the meantime I can still work with the queue item there.
I scan a document and it goes directly to my OneDrive which is automatically connected to whatever computer I sit at as soon as I log in, regardless of me using a random terminal that's been sitting in whatever office I'm visiting.
I'm unable to break anything because there is no root to login to, nobody ever uses sudo on the computer, nobody ever needs admin privileges on it (harder to do with devs but common for all other professions). If an app needs to be added the computer is remotely reimaged from an image with the app added (this requires a one-setting change by the admin, nothing else). No user settings or files go missing in the process.
Corporate VPN, firewall, proxy servers, wifi network, wired network - all of it requires auth. The system takes my user certificate and just works with it all by itself. Nothing is available without auth, nothing is unencrypted.
Building this kind of system with Microsoft products is as easy as installing a few apps on the corporate server machine. I literally learned how to do it when I was 12 and couldn't speak English yet.
Building it with Linux - well I am pretty skilled with Linux admin (as much as you'd expect someone who used it as their primary system for 15 years and hosts their own websites etc) but I can't even imagine where to begin.
Using puppeteer to connect to individual machines and turn options there - that's crazy. Enterprise Windows is fully declarative. And using separate systems to manage Windows/Mac and Linux - that's crazy. Apple is doing what it can to support MS AD - if Linux wants to be a special case, it's going to remain a special case.
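The group-based authorization the comment above describes ("this user can only see contracts and invoices assigned to the London branch") comes down to two things an application has to get right: expanding the user's AD group membership transitively (memberOf holds direct membership only) and denying by default. The block below is an added example, not the commenter's code and not any particular product's implementation; the group DNs, policy table and documents are constructed for illustration.

```python
from collections import deque

# Constructed directory snapshot: group DN -> DNs of the groups it belongs to.
# AD's memberOf attribute lists DIRECT membership only, so nested groups must
# be expanded (or the computed tokenGroups attribute read) before any decision;
# a check on direct membership alone misses inherited rights.
GROUP_PARENTS = {
    "cn=finance-london,ou=groups,dc=corp,dc=example": {
        "cn=finance-all,ou=groups,dc=corp,dc=example",
    },
    "cn=finance-all,ou=groups,dc=corp,dc=example": {
        "cn=staff,ou=groups,dc=corp,dc=example",
    },
    # A membership cycle, which AD permits; a naive recursive walk never ends.
    "cn=loop-a,ou=groups,dc=corp,dc=example": {"cn=loop-b,ou=groups,dc=corp,dc=example"},
    "cn=loop-b,ou=groups,dc=corp,dc=example": {"cn=loop-a,ou=groups,dc=corp,dc=example"},
}

# Policy: (group DN, document types it may read, branches it may read them in).
# "*" means every branch. Anything not listed is denied.
POLICY = [
    ("cn=finance-london,ou=groups,dc=corp,dc=example", {"contract", "invoice"}, {"London"}),
    ("cn=finance-all,ou=groups,dc=corp,dc=example", {"budget"}, {"*"}),
    ("cn=staff,ou=groups,dc=corp,dc=example", {"handbook"}, {"*"}),
]

# Constructed documents, as a document-management system might hold them.
DOCUMENTS = [
    {"id": 1, "type": "contract", "branch": "London"},
    {"id": 2, "type": "contract", "branch": "Paris"},
    {"id": 3, "type": "invoice", "branch": "Paris"},
    {"id": 4, "type": "invoice", "branch": "London"},
    {"id": 5, "type": "budget", "branch": "HQ"},
    {"id": 6, "type": "handbook", "branch": "HQ"},
]


def norm_dn(dn):
    """DNs compare case-insensitively in AD; normalise before any lookup."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand_groups(direct_member_of, group_parents=GROUP_PARENTS):
    """Transitive closure of group membership; the visited set handles cycles."""
    effective = set()
    queue = deque(norm_dn(g) for g in direct_member_of)
    while queue:
        g = queue.popleft()
        if g in effective:
            continue
        effective.add(g)
        queue.extend(norm_dn(p) for p in group_parents.get(g, ()))
    return effective


def can_read(direct_member_of, doc_type, branch, policy=POLICY, expand=True):
    """Deny by default: allow only if an effective group covers type and branch.

    expand=False evaluates direct membership only, to show what goes wrong.
    """
    groups = expand_groups(direct_member_of) if expand else {norm_dn(g) for g in direct_member_of}
    for group_dn, types, branches in policy:
        if norm_dn(group_dn) in groups and doc_type in types and ("*" in branches or branch in branches):
            return True
    return False


def visible_document_ids(direct_member_of, documents=DOCUMENTS, expand=True):
    """IDs of the documents this user may read, in listing order."""
    return [d["id"] for d in documents if can_read(direct_member_of, d["type"], d["branch"], expand=expand)]


if __name__ == "__main__":
    # memberOf values as a directory returns them: mixed case, direct membership only.
    london_clerk = ["CN=Finance-London,OU=Groups,DC=corp,DC=example"]
    print("london clerk, nested groups:", visible_document_ids(london_clerk))  # [1, 4, 5, 6]
    print("london clerk, direct only:", visible_document_ids(london_clerk, expand=False))  # [1, 4]
```

The London clerk sees London contracts and invoices through the direct group, and the all-branch budget and handbook only through the nested parents; the `expand=False` run shows the rights that silently vanish when an application checks memberOf without expansion. DN normalisation matters for the same reason: a policy keyed on `CN=Finance-London` must match the `cn=finance-london` a different tool returns.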
Unix systems were doing all of this 30 years ago. (I can almost feel all the old Sun Microsystems employees rolling their eyes.) It's literally why NFS and NIS (replaced by LDAP before Active Directory released) existed. But Unix != Linux, the popular parts of the Linux ecosystem don't cater to this, and the trajectory continues to diverge.