Etienne Goyer wrote:

> Whoa! I must really have expressed myself wrong; this has absolutely nothing to do with FAI. But the network in a box + domain controller is much closer to what I have in mind. I'll try another shot at explaining it.

I think it was the bit about clients setting themselves up off a master server that led me to think of FAI (and for reasons I'll outline below, I think it could still come into play).

> However, I do not think junior admins, or those inexperienced with Linux coming from other platforms, have the skills to do a good and efficient job of setting up these infrastructure services.

My only concern here would be that even if you make it easy to install all those infrastructure services, the junior admins are going to be biting off more than they can chew (i.e., once they want to move beyond defaults or if something goes wrong, they'll be lost). I don't mean this as a reason not to do it, just that there should be good documentation and perhaps even some warnings, as well as sensible defaults and magic scripts.

> More concretely, it would involve (on the "master" side):
> - Setting up an LDAP directory, mostly for user authentication and NSS
> - Setting up a DNS zone for the domain
> - Generating a root CA, and a certificate for the master
> - Generating an ssh authentication key pair
> - Setting up a monitoring system
> ... etc.

I think a "domain controller" default install (à la the LAMP install) is a good idea. Not sure about the monitoring side of things being placed on the domain controller though (you might want monitoring done on a separate system, then again you might not).

> When a "client" is added to the "domain", it would involve:
> - Adding the client in the domain's DNS zone
> - Generating a certificate for this client, and sending it to the client
> - Making PAM and NSS on the client use the LDAP directory
> - Installing root's ssh public key in the client's authorized_keys file
> - Installing on the client any agent required by the monitoring service
> ... and so on.

When is the client added to the domain? I can think of a couple of cases:

- Clients added at build time: here you might want to use something like FAI to set up clients with appropriate boot scripts, assuming you have some form of default local build. It really comes down to how you build your clients.
- Clients added ad hoc: the main reason I can see why clients would be added ad hoc into a domain is that they're from an external source and need access to resources (i.e., an external consultant wants to hook his laptop into the network to print something out). This opens up all sorts of entertaining issues, on both sides. Do you really want any old machine hooked into the network? Does the consultant really want to give his client's IT department root access to his laptop?

In either case, what about Dynamic DNS and Zeroconf? That would at least add the client into DNS and let it get basic services.

As an aside: does Ubuntu's "lack" of root figure impact any of this? Installing root's ssh public key won't be of much use if root's not turned on.

> In other words, I would like to achieve a level of integration comparable to what other platforms provide. Recently, I have been giving a lot of Linux training to Windows admins. While they struggle to configure BIND and learn its backward zone file syntax, they never miss the opportunity to point out that this is being taken care of when using Active Directory. It's even worse when it comes to user authentication. They are vaguely aware that Active Directory is based on LDAP and Kerberos, but they do not care as it "just works" out of the box. To achieve similar results on Linux, they would have to learn a whole lot of LDAP concepts, how to build a DIT, probably some LDIF syntax, and the intricacies of the LDAP daemon they would use. That's just too much for most of them, and the reason why they will continue to run their infrastructure on Windows.

I don't think default setups would help much, because once they want to step out of the defaults, they're going to be right back to figuring out how things work. I think what you really want is an "easy" to use front end to all of the domain admin functions.

cheers
Scot

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
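The root CA and per-client certificate steps discussed in the thread, as an added shell example that is not from the list posting or from any Ubuntu tooling; the domain name, hostnames and temporary paths are assumed, and the "rogue" self-signed certificate stands in for the "any old machine" case raised above:

```shell
#!/bin/sh
# Added example, not from the thread. Minimal "domain" CA and client
# enrollment with openssl; DOMAIN and WORK are assumed/constructed values.
set -eu
DOMAIN=example.internal
WORK=$(mktemp -d)

# Master side: generate the domain root CA once (key stays on the master).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$DOMAIN Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client join: the client keeps its private key and sends only a CSR;
# the master issues a certificate for the client's FQDN and returns it.
enroll_client() {
  host=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host.$DOMAIN" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/$host.crt" 2>/dev/null
}

# A machine that shows up with its own self-signed certificate instead of
# one issued by the domain CA (constructed for the negative check).
make_rogue() {
  host=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$host.$DOMAIN" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.crt" 2>/dev/null
}

# Check used by domain services: trust a client cert only if it chains
# to the domain CA. Returns 0 on success, non-zero otherwise.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Stand-alone run: one enrolled client, one rogue machine.
make_ca
enroll_client ws01
make_rogue laptop
verify_client ws01 && echo "ws01: trusted"
verify_client laptop || echo "laptop: rejected (not issued by domain CA)"
```

The same `verify_client` check is what a TLS-enabled LDAP or monitoring service performs when the client presents its certificate, so a host that was never enrolled gets no further than the handshake.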
