Create a setup-script for invis-sub-server
Major steps to realize with this Script:
- Establish an openVPN connection to the main invis-server
- Join the Domain as a "Read Only Domain Controller" (RODC)
- Setup sssd
- Setup local samba shares
- realize (owncloud based) data synchronization between sub and main-server
Some of these steps are already realized inside the joininvis-script from the invisAD-client package.
Joining the domain as a rodc (https://de.wikipedia.org/wiki/Read_Only_Domain_Controller) instead of a simple member server seems to be the better way. In a productive environment at one of our custumers I tried to realize a subsidiary server as a simple member-server. Nearly every time the vpn-connection caused by a not very stable internet-connection, I had to rejoin the domain with the sub-server to give the sub-users access to their local samba-shares.
#1 Updated by flacco over 2 years ago
Infos about using samba as a rdoc: https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC
#5 Updated by flacco over 2 years ago
subsine module "check" works for now.
Next step is module "quest". The module has to ask for the following informations:
- Internet-FQDN from the master invis-server
- Path to the vpn client certificate (p12 file) (?)
- Password for p12 file
- Internet-FQDN from the sub-server
- DNS Forwarders
From the invisAD-setup we keep the following questions:
- admin contact
- clean transfer (only needed, if we realize a transfer-share)
- SMTP SASL informations
- monitoring system
We also keep the randomized creation of SSH and HTTPs Ports
#6 Updated by flacco over 2 years ago
subsine modules and running order - first draft:
- vpn (establish a vpn connection during setup. If this fails subsine has to break)
- samba (join domain as a rodc)
- dns (from sine2 with ad backend)
- mailserver (postfix should be able to send mails via the organisations smarthost)
- firewall (from sine2 - reduced)
- monitoring (from sine2)
#7 Updated by flacco over 2 years ago
Questions about VPN-connection:
Should we realize a bridged Network-2-Network (N2N) connection or fits a simple routed Client-2-Network (C2N) our needs?
I added a openvpn configuration file as a first draft for a C2N connection to the package.
The file contains two placeholders:
Attribute: "remote" - Placeholder: remote-fqdn
Attribute: "pkcs12" - Placeholder: invis-server.p12
The file contains the askpass-directive, means that we have to place a passwordfile for the p12-file in /etc/openvpn/keys.
#9 Updated by flacco almost 2 years ago
The first productive test shows, that acting as a router an dhcp-server seems to be a good idea. In my first testcase, the internet provider is unitymedia and it is a business contract with one static ip-address. In this case the router (FritzBox) acts only as default gateway, no dhcp-server. In this case the the invis-sub-server needs two NICs and the external one is statically configured to the static ip-address from unitymedia.
This meens, we should use the network-setup from invis-Server also for the invis-sub-server.