action #46718
open
Create a setup-script for invis-sub-server
Added by flacco over 5 years ago.
Updated about 3 years ago.
Description
Major steps to realize with this Script:
- Establish an openVPN connection to the main invis-server
- Join the Domain as a "Read Only Domain Controller" (RODC)
- Setup sssd
- Setup local samba shares
- realize (owncloud based) data synchronization between sub and main-server
Some of these steps are already realized inside the joininvis-script from the invisAD-client package.
Joining the domain as an RODC (https://de.wikipedia.org/wiki/Read_Only_Domain_Controller) instead of a simple member server seems to be the better way. In a productive environment at one of our customers I tried to realize a subsidiary server as a simple member server. Nearly every time the VPN connection broke, caused by a not very stable internet connection, I had to rejoin the domain with the sub-server to give the sub-users access to their local samba shares.
Related issues
1 (1 open — 0 closed)
As in invisAD-setup, this script here has to switch from networkmanager to wicked.
- Status changed from Feedback to In Progress
- % Done changed from 0 to 10
The setup script is based on sine2 and is called subsine.
- Related to action #38303: Create a rpm package with basic directories, config files and dependencies added
subsine module "check" works for now.
Next step is module "quest". The module has to ask for the following information:
- Internet-FQDN from the master invis-server
- Path to the vpn client certificate (p12 file) (?)
- Password for p12 file
- AD-Domain
- Internet-FQDN from the sub-server
- DNS Forwarders
From the invisAD-setup we keep the following questions:
- admin contact
- clean transfer (only needed, if we realize a transfer-share)
- SMTP SASL information
- monitoring system
We also keep the randomized creation of SSH and HTTPS ports.
subsine modules and running order - first draft:
- check
- quest
- sysprep
- vpn (establish a vpn connection during setup. If this fails subsine has to break)
- samba (join domain as a rodc)
- dns (from sine2 with ad backend)
- mailserver (postfix should be able to send mails via the organisations smarthost)
- fileserver
- firewall (from sine2 - reduced)
- monitoring (from sine2)
Questions about VPN-connection:
Should we realize a bridged Network-2-Network (N2N) connection, or does a simple routed Client-2-Network (C2N) connection fit our needs?
I added an openvpn configuration file as a first draft for a C2N connection to the package.
The file contains two placeholders:
Attribute: "remote" - Placeholder: remote-fqdn
Attribute: "pkcs12" - Placeholder: invis-server.p12
The file contains the askpass directive, which means that we have to place a password file for the p12 file in /etc/openvpn/keys.
- % Done changed from 10 to 30
There are some "subsine" modules ready:
- check
- quest
- sysprep
- nameserver
- openvpn
The first productive test shows that acting as a router and DHCP server seems to be a good idea. In my first test case, the internet provider is unitymedia and it is a business contract with one static IP address. In this case the router (FritzBox) acts only as default gateway, not as DHCP server. In this case the invis-sub-server needs two NICs and the external one is statically configured to the static IP address from unitymedia.
This means we should use the network setup from invis-Server also for the invis-sub-server.
The DHCP server setup should be simple, with an ASCII-based configuration.
First step is to realize just a simple address-pool for the sub-servers subnet.
- Target version set to 1.0
Next steps to go:
- dhcp-Server module
- fileserver module
- firewall module