Debian-LAN with mainserver acting as gateway.
Debian-LAN with dedicated gateway.
Two variants are available:
- The mainserver takes part in a network with a dedicated gateway. The mainserver's IP address differs from the gateway address.
- The mainserver with two network cards acts as a gateway to the external network.
The mainserver serves the central services to the LAN and the root file system for diskless machines. The clients mount their home directories via kerberized NFSv4.
By default the following IP addresses are used: Gateway: 10.0.0.1, mainserver: 10.0.0.10, workstations: 10.0.0.50...10.0.0.149, diskless clients 10.0.0.150...10.0.0.249. This can be modified in the config space class/SERVER_A.var.
- DNS and DHCP for the internal network.
- Kerberos KDC
- GOsa for user management
- ICINGA and Munin system monitoring
- Home directories distributed via NFSv4 (sec=krb5i by default) or SSHFS (optional for diskless clients)
- disk quota
- proxy (Squid), optimized for package caching
- local APT repository
- firewall (shorewall)
- system backup (/etc, home directories, FAI config space, LDAP, package selection and -configuration)
- simple machine with two network interfaces
- firewall (shorewall)
- desktop enviroment (Gnome by default)
- customized package selection
- same features as workstation (see below on how to activate)
- same features as workstation, off-line use possible
Details and Hints
First make sure you can ssh as root into the mainserver with the root password.
FAI nfsroot and diskless clients
The mainserver by default serves the root file system for diskless machines. After installation you need to install the FAI nfsroot (fai-setup) and the diskless' chroot by running:
The command will install the chroots for FAI and diskless machines. In addition, swaping over the network is activated and the PXE configuration prepared. Unknown machines and the disklessXX hosts will be booted as diskless clients. To update the chroots, use the same command.
The FAI classes DISKLESS_* work only on the mainserver, making the classes independent has not been done yet.
User and Machine Management
GOsa is used to manage users. Access GOsa with a browser https://<mainserver IP address>/gosa/ and log in as admin with the password as entered during installation. The user admin has unlimited sudo access on all machines.
To add a lists of users to GOsa, use the provided script add2gosa.
In addition, the script debian-lan is provided to manage users and groups in LDAP (using ldapscripts). The users created with debian-lan are not accessible within GOsa.
debian-lan also helps with adding machines to dhcpd.conf and copying the Kerberos keytabs to the machines (machine principals).
After installation of the mainserver (gateway version): Make sure your networks are connected to the right interfaces: Fixed IP address 10.0.0.1 to the internal network, DHCP to the outside world (internet/router).
To install a client machine, you have to add the hardware MAC address to /etc/dhcp/dhcpd.conf. This should be done with the command:
The command lists all (non-local and not yet known) MAC addresses found in the arp cache and prompts for skipping the address, adding it as workstation or as diskless machine.
So to (mass) add machines:
- switch on all machines you want to add and boot via PXE
- make sure no 'foreign' machines are in the network or note their hardware (MAC) address
- eventually wait a bit, until all unwanted entries have vanished from the ARP cache
run debian-lan add2dhcp and choose the machines' type
Distributing Kerberos keytabs to clients: During installation of a workstation, the kerberos keytab is sent to the machine and marked with a time stamp. In case you need to repeat this procedure manually, remove the timestamp from the keytab in /etc/root/installation/ (i.e. rename it). After that, use the command:
debian-lan key2machine workstationXX
on the mainserver to copy the Kerberos keytab to workstationXX. Diskless clients and roaming machines do not need this procedure to be activated.
Adding users: Adding users in GOsa should be straight forward (use the template prepared). Lists of users can be added with the provided script add2gosa.
If you prefer not to use GOsa, use:
debian-lan adduser <list of usernames separated by spaces>
debian-lan adduser <path to file>
to add users. The file is a simple text file containing on each line a single username and optionally the user's password separated by spaces. If you omit the password, debian-lan will create a random password and append it to the user's line in the file. Note that the users created with debian-lan are inaccessible within GOsa.
Removing users: Use the command deluser in the debian-lan script.
For more details take a look at the debian-lan script itself.
Manual LDAP Modifications
Use ldapvi -ZD 'cn=admin,dc=intern' and the password provided in /root/installation/LDAPadminPWD to modify LDAP entries. For example switch the automount option sec=krb5i to sec=krb5p.
A dedicated backup disk is recommended. Use a class *BAK* for that case. Take a look at class/50-host-classes and disk_config/*BAK* for details.
To use a RAID1 on the server, add the class RAID and replace LVM*_A with the corresponding RAIDLVM*_A class in class/50-host-classes.
Local APT repository
By default the mainserver includes a (signed) APT repository to distribute site-specific customized packages in your DebianLAN. For details look into /var/www/debian/create_archive.sh. This repository is added to the clients' sources.list on a FAI softupdate as soon as the publick key can be fetched. To disable this feature, remove the corresponding variables in class/SERVER_A.var and class/CLIENT_A.var.
Installation of roaming machines can be chosen from the PXE menu, when booting over the network. Users have a local home directory at /home/... where they can drop data for offline use or which they can synchronize with the Debian-LAN home directory.