Project

General

Profile

action #46718

Create a setup-script for invis-sub-server

Added by flacco over 2 years ago. Updated 11 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
2019-01-26
Due date:
% Done:

30%

Estimated time:

Description

Major steps to realize with this Script:

  1. Establish an openVPN connection to the main invis-server
  2. Join the Domain as a "Read Only Domain Controller" (RODC)
  3. Setup sssd
  4. Setup local samba shares
  5. realize (owncloud based) data synchronization between sub and main-server

Some of these steps are already realized inside the joininvis-script from the invisAD-client package.

Joining the domain as a rodc (https://de.wikipedia.org/wiki/Read_Only_Domain_Controller) instead of a simple member server seems to be the better way. In a productive environment at one of our custumers I tried to realize a subsidiary server as a simple member-server. Nearly every time the vpn-connection caused by a not very stable internet-connection, I had to rejoin the domain with the sub-server to give the sub-users access to their local samba-shares.


Related issues

Related to invis-sub-setup - action #38303: Create a rpm package with basic directories, config files and dependenciesIn Progress2018-07-07

History

#1 Updated by flacco over 2 years ago

#2 Updated by flacco over 2 years ago

As in invisAD-setup, this script here has to switch from networkmanager to wicked.

#3 Updated by flacco over 2 years ago

  • Status changed from Feedback to In Progress
  • % Done changed from 0 to 10

The setup-Script is based on sine2 and called subsine

#4 Updated by flacco over 2 years ago

  • Related to action #38303: Create a rpm package with basic directories, config files and dependencies added

#5 Updated by flacco over 2 years ago

subsine module "check" works for now.

Next step is module "quest". The module has to ask for the following informations:

  1. Internet-FQDN from the master invis-server
  2. Path to the vpn client certificate (p12 file) (?)
  3. Password for p12 file
  4. AD-Domain
  5. Internet-FQDN from the sub-server
  6. DNS Forwarders

From the invisAD-setup we keep the following questions:

  1. admin contact
  2. clean transfer (only needed, if we realize a transfer-share)
  3. SMTP SASL informations
  4. monitoring system

We also keep the randomized creation of SSH and HTTPs Ports

#6 Updated by flacco over 2 years ago

subsine modules and running order - first draft:

  1. check
  2. quest
  3. sysprep
  4. vpn (establish a vpn connection during setup. If this fails subsine has to break)
  5. samba (join domain as a rodc)
  6. dns (from sine2 with ad backend)
  7. mailserver (postfix should be able to send mails via the organisations smarthost)
  8. fileserver
  9. firewall (from sine2 - reduced)
  10. monitoring (from sine2)

#7 Updated by flacco over 2 years ago

Questions about VPN-connection:

Should we realize a bridged Network-2-Network (N2N) connection or fits a simple routed Client-2-Network (C2N) our needs?

I added a openvpn configuration file as a first draft for a C2N connection to the package.

The file contains two placeholders:

Attribute: "remote" - Placeholder: remote-fqdn
Attribute: "pkcs12" - Placeholder: invis-server.p12

The file contains the askpass-directive, means that we have to place a passwordfile for the p12-file in /etc/openvpn/keys.

#8 Updated by flacco almost 2 years ago

  • % Done changed from 10 to 30

There are some "subsine" modules ready:

  1. check
  2. quest
  3. sysprep
  4. nameserver
  5. openvpn

#9 Updated by flacco almost 2 years ago

The first productive test shows, that acting as a router an dhcp-server seems to be a good idea. In my first testcase, the internet provider is unitymedia and it is a business contract with one static ip-address. In this case the router (FritzBox) acts only as default gateway, no dhcp-server. In this case the the invis-sub-server needs two NICs and the external one is statically configured to the static ip-address from unitymedia.

This meens, we should use the network-setup from invis-Server also for the invis-sub-server.

#10 Updated by flacco almost 2 years ago

the dhcp-server setup should be simple, with a ascii-based configuration.

First step is to realize just a simple address-pool for the sub-servers subnet.

#11 Updated by flacco over 1 year ago

  • Target version set to 1.0

#12 Updated by flacco 11 days ago

Next steps to go:

  1. dhcp-Server module
  2. fileserver module
  3. firewall module

Also available in: Atom PDF