[debian-lan-devel] seeking advice on how to handle a small existing network

Andreas B. Mundt andi.mundt at web.de
Thu Nov 12 17:48:41 GMT 2020


Hi Ross,

On Wed, Nov 11, 2020 at 01:16:51PM -0800, Ross Boylan wrote:
> I have a small network already running, including dhcp/dns/netbooting, NFS,
> and apt-cacher (I believe debian-lan moved away from apt-cacher a while
> ago).  I would like to add centralized identity management, i.e., Kerberos
> and LDAP.  Some more centralized management might help a bit too.  I'm
> inclined to keep home directories separate on separate machines, in part
> because I may have a mix of distributions and OS versions.
>
> Do you have any suggestions about how debian-lan can help?  I originally
> thought of it because I understand setting up the centralized management is
> a bit involved, and I thought it would provide a guide.  However,
> debian-lan seems more oriented to creating a network from scratch, which is
> not my case.
>
> One option would be to use the configuration scripts as guides to what I
> should do.
>
> Also, there is now a FAI way and an ansible way, and I'm wondering about
> which of those to pick.  It sounds as if ansible might be simpler, so maybe
> choose that?

Yes, I recommend using the ansible approach.  In Salsa[1], you'll find
ansible roles which are taken more or less from the FAI config space of
the Debian-LAN package.  I would start as follows:

  • First, add another machine to your network and provide there, one
    after the other:

  • A TFTP server to install clients (this is the slightly modified
    playbook for the 'installbox'; also take a look at the
    di-netboot-assistant package, which is used in that playbook).
    On your already existing DHCP server you need to only modify
    'next-server', to send PXE clients to the new TFTP machine.
    If you add some preseeding, new clients can be installed
    automatically already using your existing package cache.

(If your netbooting works fine already, skip the TFTP/netbooting stuff.
But preseeding and the following is needed.)

  • Then continue providing the ansible playbooks via a git repository
    on this new machine.  With ansible-pull being run at the end of the
    installation (modify the preseed file accordingly), you can customize
    all clients.

  • Finally, take a look at the roles 'kerberox.yml' and
    'kerberox-client.yml':  These roles provide the implementation of a
    LDAP/KDC as well as a corresponding client.  Managing users and
    machines is done with a simple, basic script so far[2].  After
    some customization taking your existing setup into account, this
    should already work for you.

With this approach, you should be able to step by step add the machinery
to your network without making modifications on the already working
infrastructure.  If the new stuff works fine, you can more and more move
to the new system (or finally add existing services to LDAP/Kerberos).

I hope these ideas give some guidance and you can make use of them.
Don't hesitate to ask if you run into problems or something is unclear.

Best Regards

  Andi



> P.S. Isn't there a way to filter the spam out of the list more
> effectively?  The noise comes close to drowning out the signal in the list
> archive.

Sorry, I do not know a solution here :-/


[1] https://salsa.debian.org/andi/debian-lan-ansible/
[2] https://salsa.debian.org/andi/debian-lan-ansible/-/blob/master/roles/ldap/templates/debian-lan.j2
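The preseed-plus-ansible-pull step Andi describes above, as an added example that is not part of the original message nor Debian-LAN project code: it generates the preseed lines that make a freshly installed client run ansible-pull against the playbook repository on the new machine. The repository URL, branch, playbook name and checkout directory are assumptions (placeholders) to be adjusted to your setup.

```shell
#!/bin/sh
# Added example, not Debian-LAN project code: emit the preseed fragment that
# installs ansible and git into the target and runs ansible-pull once from
# late_command, so every new client is customized at the end of installation.
# REPO_URL, BRANCH and PLAYBOOK below are assumed placeholders.
set -eu

REPO_URL="${REPO_URL:-http://mgmt.lan.example/debian-lan-ansible.git}"  # assumed
BRANCH="${BRANCH:-master}"                                               # assumed
PLAYBOOK="${PLAYBOOK:-local.yml}"                                        # assumed

# The ansible-pull invocation run inside the installed system: clone the
# repository to a fixed checkout directory and apply the playbook to localhost.
build_pull_cmd() {
    printf 'ansible-pull -U %s -C %s -d /var/lib/ansible/local -i localhost, %s' \
        "$1" "$2" "$3"
}

# Preseed lines: pkgsel/include pulls ansible and git into the target, and
# late_command runs ansible-pull via in-target.  Output is logged and a
# failure is tolerated (|| true) so a broken playbook still leaves a bootable
# client that can be re-pulled later.
preseed_fragment() {
    pull=$(build_pull_cmd "$1" "$2" "$3")
    cat <<EOF
d-i pkgsel/include string ansible git
d-i preseed/late_command string in-target sh -c '$pull >> /var/log/ansible-pull-first.log 2>&1 || true'
EOF
}

# On the existing DHCP server only 'next-server' needs to change, pointing
# PXE clients at the new TFTP machine; the rest of the config stays as is.
main() {
    preseed_fragment "$REPO_URL" "$BRANCH" "$PLAYBOOK"
}

main
```

Append the two emitted lines to the preseed file served to the clients; the repository itself must be reachable over plain HTTP or SSH from the installed system at late_command time.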