Idea for a spec

Scot McSweeney-Roberts ubuntu-server at mcsweeney-roberts.co.uk
Mon May 22 16:41:32 UTC 2006


Etienne Goyer wrote:

>Whoa!  I must really have expressed myself wrong; this has absolutely nothing
>to do with FAI.  But the network in a box + domain controller is much
>closer to what I have in mind.  I'll try another shot at explaining it.
>

I think it was the bit about clients setting themselves up off a master
server that led me to think of FAI (and for reasons I'll outline
below, I think it could still come into play).

>However, I do not think junior admins, or those inexperienced with Linux
>coming from other platforms, have the skills to do a good and efficient
>job of setting up these infrastructure services.
>

My only concern here would be that even if you make it easy to install
all those infrastructure services, the junior admins are going to be
biting off more than they can chew (i.e., once they want to move beyond
defaults or if something goes wrong, they'll be lost). I don't mean this
as a reason not to do it, just that there should be good documentation
and perhaps even some warnings as well as sensible defaults and magic
scripts.

>More concretely, it would involve (on the "master" side) :
>
>- Setting up an LDAP directory, mostly for user authentication and NSS
>- Setting up a DNS zone for the domain
>- Generate a root CA, and a certificate for the master
>- Generate an ssh authentication key pair
>- Setting up a monitoring system
> ... etc
>

I think a "domain controller" default install (à la the LAMP install) is
a good idea. Not sure about the monitoring side of things being placed
on the domain controller though (you might want monitoring done on a
separate system, then again you might not).


>When a "client" is added to the "domain", it would involve :
>
>- Adding the client in the domain's DNS zone
>- Generate a certificate for this client, and send it to the client
>- Make PAM and NSS on the client use the LDAP directory
>- Install root's ssh public key in the client's authorized_keys file
>- Install on the client any agent required by the monitoring service
> ... and so on
>

When is the client added to the domain? I can think of a couple of cases:

Clients added at build time - here you might want to use something like
FAI to set up clients with appropriate boot scripts, assuming you have
some form of default local build. It really comes down to how you build
your clients.

Clients added ad hoc - the main reason I can see why clients would be
added ad hoc to a domain is that they're from an external source and
need access to resources (i.e., an external consultant wants to hook his
laptop into the network to print something out). This opens up all sorts
of entertaining issues, on both sides. Do you really want any old
machine hooked into the network? Does the consultant really want to give
his client's IT department root access to his laptop?

In either case, what about Dynamic DNS and Zeroconf? That would at least
add the client into DNS and let it get basic services.

As an aside - does Ubuntu's "lack of root" feature impact any of this?
Installing root's ssh public key won't be of much use if root's not
turned on.

>In other words, I would like to achieve a level of integration
>comparable to what other platforms provide.
>
>Recently, I have been giving a lot of Linux training to Windows admins.
>While they struggle to configure BIND and learn its backward zone file
>syntax, they never miss the opportunity to point out that this is being
>taken care of when using an Active Directory.  It's even worse when it
>comes to user authentication.  They are vaguely aware that Active
>Directory is based on LDAP and Kerberos, but they do not care as it
>"just works" out of the box.  To achieve similar results on Linux, they
>would have to learn a whole lot of LDAP concepts, how to build a DIT,
>probably some LDIF syntax, and the intricacies of the LDAP daemon they
>would use.  That's just too much for most of them, and the reason why
>they will continue to run their infrastructure on Windows.
>

I don't think default setups would help much, because once they want to
step out of the defaults, they're going to be right back to figuring out
how things work. I think what you really want is an "easy" to use front
end to all of the domain admin functions.


cheers

Scot
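The client-join list quoted above ("Adding the client in the domain's DNS zone") and the Dynamic DNS suggestion in the reply both come down to the same records. As an added illustration that is not part of this thread or of any Ubuntu tooling, the script below shows what the master would emit for one client: the static BIND forward A record and its matching PTR, and the equivalent nsupdate(8) batch for a dynamically updated zone. The zone name (example.org), the site network (192.0.2.0/24) and the master address are constructed placeholders; the `prereq` lines are there so a join cannot silently overwrite a record that some other client already owns.

```python
import ipaddress
import re
from typing import Tuple

# Constructed placeholders (RFC 2606 name, RFC 5737 addresses), not values from the thread.
ZONE = "example.org."
SITE_NET = ipaddress.ip_network("192.0.2.0/24")
MASTER = "192.0.2.1"        # the "master" that also runs the authoritative name server
TTL = 3600

# One host label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_hostname(label: str) -> str:
    """Lower-case and validate the client's host label before it reaches the zone."""
    label = label.lower()
    if not _LABEL.match(label):
        raise ValueError(f"invalid host label: {label!r}")
    return label


def validate_address(addr: str) -> str:
    """Only hand out records for addresses inside the site network."""
    ip = ipaddress.ip_address(addr)
    if ip not in SITE_NET:
        raise ValueError(f"{addr} is outside {SITE_NET}")
    return str(ip)


def fqdn(label: str) -> str:
    """client1 -> client1.example.org. (absolute name, trailing dot)."""
    return f"{validate_hostname(label)}.{ZONE}"


def reverse_name(addr: str) -> str:
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa. (owner name of the PTR record)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone(net: ipaddress.IPv4Network = SITE_NET) -> str:
    """The in-addr.arpa zone holding the PTRs of an octet-aligned (/8, /16, /24) network."""
    if net.prefixlen % 8:
        raise ValueError("only octet-aligned reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def zone_records(label: str, addr: str) -> Tuple[str, str]:
    """Static BIND zone-file lines: the forward A record and the matching PTR."""
    name, ip = fqdn(label), validate_address(addr)
    forward = f"{name} {TTL} IN A {ip}"
    reverse = f"{reverse_name(ip)} {TTL} IN PTR {name}"
    return forward, reverse


def nsupdate_batch(label: str, addr: str) -> str:
    """Dynamic DNS alternative: an nsupdate(8) script the master feeds to its own server.

    'prereq nxdomain' / 'prereq nxrrset' make the server refuse the update when the
    name or PTR already exists, so a join cannot hijack another client's record.
    """
    name, ip = fqdn(label), validate_address(addr)
    ptr = reverse_name(ip)
    lines = [
        f"server {MASTER}",
        f"zone {ZONE}",
        f"prereq nxdomain {name}",
        f"update add {name} {TTL} IN A {ip}",
        "send",
        f"zone {reverse_zone()}",
        f"prereq nxrrset {ptr} PTR",
        f"update add {ptr} {TTL} IN PTR {name}",
        "send",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fwd, rev = zone_records("client1", "192.0.2.10")
    print(fwd)
    print(rev)
    print(nsupdate_batch("client1", "192.0.2.10"), end="")
```

In practice the batch would be piped into `nsupdate -k <tsig-key-file>` so that only the holder of the zone's TSIG key (the master) can add records; a client that can update the zone on its own can just as easily take over someone else's name.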
