[debian-lan-devel] Installation report

Andreas B. Mundt andi.mundt at web.de
Fri May 3 06:19:48 UTC 2013


Hello Julien!

On Wed, May 01, 2013 at 11:25:10PM +0200, Julien Lambot wrote:
> Good evening,
>
> This is my first installation report of a production environment for
> debian-lan :)

That's great news!

> There was one major issue and a few minor ones.
>
> The only major one is network performance. This is not directly bound to
> debian-lan, but its architecture makes it highly network dependent.
> With a poor-man's network (100mb), old cables, old computers, the overall
> reactivity of the desktop is quickly impacted. There are high variations of
> reactivity and the cause is not yet identified. I can just say that it's
> not the server, which is nearly idle.
> Tomorrow, I will be able to check if it's better since the installation of
> some non-free network firmware. Some tcpdump might help locate the cause.

This is interesting, and we should definitely find out the reason for such
bad performance.  Can you give some more information about the setup,
i.e. how many workstations, diskless machines you have running?  Are
gateway and server on different machines or do you use the setup where
the mainserver acts as gateway?

> On the minor ones:
> - when I create the LOGUSER for fai, I'm requested to input Kerberos
> credentials, which I don't have. Seems that local users need to be created
> before debian-lan installation. Otherwise, these users need to be within
> ldap. I searched a bit but didn't find the best solution to apply.

Hm, indeed, creating a local user doesn't work as usual, just tested
it myself here.  You can create the account ignoring the kerberos
password and modify it later:

Create a password hash with "mkpasswd", and then use

usermod -p YnxZ6TRKNzBLs test

to update /etc/shadow.  But I agree, this is not perfect.  I guess PAM
is responsible for mixing in Kerberos ...

> - one failure with a disk-less client (not yet investigated)
> - one failure with a workstation where grub was not successfully installed
> (not yet investigated)
> - some packages need to be added for French environment (this will be
> included in a separate config file)

Oh yes, please add a class like FRENCH or the like ...

> - shorewall needs a bunch of rules to make the whole thing work. This will
> be posted too and included in a config file.

Very good idea to include shorewall!

> - Squid was bypassed. This might need a configuration change to support
> TPROXY and work along with shorewall. Testing tomorrow.
> - installation of flashplugin-nonfree needs a bypass for the proxy. This
> will be tested tomorrow following information from wiki.debian.org.
> - printing issues related to the network printer. Might need lsb-printing
> package to support the provided drivers.
> - adding samba machines, not yet ok. But disk and printer sharing is OK.
> - need a read-only user into ldap for some authentication needs like
> printer connection, authentication from windows (home edition) with
> pgina,...
> - added support for openvpn but this should be better integrated into ldap.
> - added fail2ban, just in case. I'll later improve the shorewall config.
> - I added a dirvish config for backups upon insertion of an external
> usb-hdd. If someone needs it, I will post.

That sounds pretty interesting, if you don't mind, please post it or
add it to the wiki.

> - badly need the educlient/eduroaming packages. This is my next target for
> the coming days.

There was/is a discussion about the roaming workstations on the
debian-edu list:
           https://lists.debian.org/debian-edu/2013/04/msg00192.html

Perhaps we can learn from them ...

> And, for my own education. I didn't test the password expiration yet.
> What should happen when a password is about to expire (provided the warning
> is enabled in Gosa) and is the user able to change it from its workstation
> or needs to connect onto Gosa?

I fear that this does not work.  All login passwords used are kept in the
Kerberos KDC, and the password in GOsa is only used to log into the
GOsa web page.  If a password is changed there, Kerberos is
synchronized by the gosa-sync script.  If you change a password with
kpasswd, the LDAP password used by GOsa is not modified, i.e. you have
to log into GOsa with the old one.  This is far from perfect, but
unfortunately that's the state of GOsa.

              http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698544

> All in all, this was quite a success!

Yes, I am pretty happy that things work for you, and you already added
quite some interesting stuff which might be interesting to include
"upstream".

Many thanks for reporting and keep us up to date!

Best regards,

     Andi
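The mkpasswd/usermod workaround above writes whatever hash you pass straight into /etc/shadow, so it is worth checking afterwards which crypt(3) scheme the stored field actually uses (the 13-character form shown in the mail is traditional DES crypt, which truncates passwords to 8 characters). The following audit script is an added example, not code from the thread or from debian-lan; the shadow lines it inspects are constructed sample data.

```python
"""Classify the password-hash scheme of /etc/shadow-style entries.

Added example (not from the debian-lan thread). Useful after a manual
`usermod -p <hash> <user>` to confirm the hash is a modern scheme and not
legacy DES crypt. SAMPLE_SHADOW below is constructed test data.
"""
import re

# Prefixes used by glibc crypt(3) / libxcrypt for the common schemes.
SCHEMES = {
    "$1$": "md5crypt (weak)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
}
# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> str:
    """Describe the second (password) field of a shadow entry."""
    if field == "":
        return "empty (no password required!)"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "DES crypt (legacy, 8-char password limit)"
    return "unknown"


def audit_shadow(text: str) -> dict:
    """Map user name -> hash classification for every shadow line."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and not line.startswith("#"):
            result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(text: str) -> list:
    """Sorted names whose stored hash is DES, md5crypt or empty."""
    return sorted(u for u, c in audit_shadow(text).items()
                  if c.startswith(("DES", "md5crypt", "empty")))


# Constructed sample; the `test` line uses the 13-char hash from the mail.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
test:YnxZ6TRKNzBLs:19000:0:99999:7:::
fai:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
andi:$y$j9T$saltsalt$hashhashhash:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, desc in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {desc}")
    print("weak:", weak_accounts(SAMPLE_SHADOW))
```

On a real system, run it as root over the contents of /etc/shadow and regenerate any flagged hash with `mkpasswd -m sha-512` before passing it to `usermod -p`.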
