[debian-lan-devel] Debian-LAN: installing a complete network environment

Nico Kadel-Garcia nkadel at gmail.com
Sat Oct 5 14:22:08 UTC 2013


Agreed about reducing the lists.

And I'll wish you luck with it. Since you're working from some sort of
existing installed base of an older project, and not re-inventing the
wheel, it sounds more sensible than I thought. Kerberizing an existing
deployment toolkit is, fortunately, relatively easy, but the tremendous
list of interlinked components you're describing is *hard*. Can I also
encourage you and the project users to pick one name and stick with it?
"Debian-LAN" is not quite the same as "DebianLAN", which is what the
webpage calls it. It's confusing. And it's the kind of small, early, easily
corrected confusion which will come back to *haunt you* for the next 10
years.

If what you're focusing on is Kerberized account and host management (which
is what I thought you meant by "Kerberized network setup"), then I'd say
don't bother, just use Samba, it's already integrated and supports other
related features such as filesystem access control, which is intimately
tied to robust authentication and account management and host
authentication. Don't re-invent the wheel. Especially beware mucking with
the /etc/krb5.conf and /etc/pam.d settings with anything other than the
"authconfig" command line tool, despite the temptations. And as soon as
you have a mixed environment of Windows and Linux boxes, you're going to
have to go there *anyway*, so why not start with it from scratch and save a
lot of headache down the road trying to integrate a Debian customized
account management to integrate with a much broader tested, much more
capable system?

If you need network based host building from scratch, then I've tested and
gotten good reports about "cobbler", for both Red Hat and Debian based
systems. It's been a few years since I tried a Debian system with it, but
it was working well for mixed environments. And mixed environments are
pretty critical in my worlds of "people want to use what they're familiar
with". It's also known to work with source controlled configuration
management systems, like chef and puppet and cfengine. I've no idea if your
toolkit does that.

FreeIPA, I'm afraid, has some upstream development problems. They're
slowed, profoundly, by their insistence on having developers and QA
personnel scattered in groups of one or two around the globe, which can
really fragment development. Features that have only just been activated
last month, such as supporting multiple domains from a trusted Active
Directory Forest, are pretty critical features which Samba resolved *years*
ago. So I haven't personally seen anything yet with FreeIPA to impress me,
but it's been a few years.

If you want to see if your systems are *really* flexible and capable, try
deploying virtualization servers with multiple VLANs on their network
ports and pair-bonded connections. I'll bring popcorn to watch if you can
get that working.....