I'm looking into building a more unified user and workstation management system and I thought it would be a good idea to ask others how they have solved the apparent issues.
I would use LDAP for user management and have the home directories mounted over NFS to the workstations, which is quite straightforward and which would also result in "roaming profiles".
But what would be a sort of best practice for managing the workstations? Management would in this case include updating, installing and removing packages, updating configuration files, dist-upgrades and so on. Preparing new workstations (semi-)automatically might also be of use.
I'm building everything on Debian and I'd like to do it "the Debian way". Please tell us about your experiences, even if they'd be with other distributions.
//DGnome
-
You might be interested in using puppet or cfengine for managing your configurations.
There's also expect to automate administrative tasks against many workstations.
From Maxwell -
I'm managing ~70 servers with cfengine2.
I would suggest you let cfengine do the whole configuration management.
You can also have a look at cron-apt for automatic installation of updates.
From ThorstenS -
Try and keep as many of the customizations as you can inside a "my-company-customizations" .deb, which you keep on an internal repository linked from sources.list. Then, you can make a policy change in one place (a newer version of the package) and then just apt-get update your machines.
Config files are a special case - dpkg isn't great at keeping track of them if they are provided by two different packages (see this debian-devel thread). If you can't add an override config file without disturbing the packaged ones (and many Debian-packaged utils let you drop files in a conf.d directory), then consider cfengine/puppet as Maxwell suggests.
From crb -
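The approach in the answer above, as an added example that is not part of the original thread: a script that stages a `my-company-customizations` package containing only a conf.d drop-in and builds it with `dpkg-deb`. The version, maintainer address, drop-in file name and the apt setting it carries are assumptions for illustration.

```shell
#!/bin/sh
# Added example: stage a policy package that ships only a conf.d drop-in.
# The package name comes from the post; version, maintainer and the apt
# setting are assumptions.
PKG=my-company-customizations
DROPIN=/etc/apt/apt.conf.d/90company

stage_package() {   # $1 = staging directory, $2 = package version
    root=$1 version=$2
    # Debian version strings must start with a digit.
    case $version in
        [0-9]*) ;;
        *) echo "invalid version: $version" >&2; return 1 ;;
    esac
    mkdir -p "$root/DEBIAN" "$root$(dirname "$DROPIN")" || return 1
    chmod 0755 "$root/DEBIAN"
    cat > "$root/DEBIAN/control" <<EOF
Package: $PKG
Version: $version
Section: admin
Priority: optional
Architecture: all
Maintainer: IT Operations <it-ops@example.com>
Description: Site policy for company workstations
 Ships drop-in configuration only. A policy change is released as a
 new version of this package.
EOF
    # The drop-in sits beside the files apt's own package provides, so
    # no file is ever owned by two packages.
    cat > "$root$DROPIN" <<EOF
APT::Install-Recommends "false";
EOF
    chmod 0644 "$root$DROPIN"
    # dpkg-deb does not detect conffiles by itself; list them explicitly
    # so dpkg handles local edits on upgrade instead of overwriting them.
    echo "$DROPIN" > "$root/DEBIAN/conffiles"
}

build_package() {   # $1 = staging directory, $2 = output directory
    command -v dpkg-deb >/dev/null 2>&1 || { echo "dpkg-deb not found" >&2; return 1; }
    dpkg-deb --build --root-owner-group "$1" "$2"
}

# Run as: sh build-policy.sh <version> <output-dir>
if [ "$#" -eq 2 ]; then
    stage=$(mktemp -d) && stage_package "$stage" "$1" && build_package "$stage" "$2"
fi
```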
As far as user management goes, you'd want to look at doing LDAP authentication. NFS is a good solution for home directories. One small problem with NFS is that it becomes a single point of failure; if the NFS server dies, then all your workstations become completely useless. Any process that accesses a file on the NFS server will block until the NFS server returns.
As far as managing the workstations, we use Puppet, which is incredibly useful. It allows you to describe in a declarative way how you want your workstations to look and it reconfigures them to make sure they look the right way. You can create files, install packages, create users etc, and build up constructs to make higher level tasks. We have started trialling using Puppet to do security updates. We're a little wary of automatically upgrading everything, because we don't want to restart important services, and we don't want to do everything by hand. More experience will show if this is a suitable approach.
wazoox : LDAP user management is of course to be combined with krb5 for user/password management.
Avery Payne : @wazoox, +1 for kerberos authentication. @David Pashley, +1 for a nice, thorough description of a functional setup.
pjc50 : Why not use NIS? Installing and maintaining it is pretty simple, compared to LDAP and/or krb5.
David Pashley : It's not as flexible. It can't store as much information. It can't be used for interoperating with other operating systems. It can't be replicated as well as LDAP. LDAP allows you to split your administration. They're just the few I can think of off the top of my head.
From David Pashley