Quote:
Originally Posted by takayama
Ok, so it can be set up so you easily can create a new user in one place and let it be able to ssh to the rest of the servers, through, the same goes for setting up a new server?
Yes. You use LDAP or AD for user accounts. You can either store user home directories on an NFS (NFSv4 recommended) server, or let them have separate home directories on each server. Or even a combination, if you like. I recommend using NFSv4, as I've found it most effective (benefit-to-cost ratio) in the long term. Note that you do not need to have a single NFSv4 server; you can set up a number of NFSv4 servers, and assign each user to a specific server. That needs some assistance from the LDAP schema, so do think it through and preferably try it out on a test setup first. (Even if it takes some work, knowing it works before rolling it out is very important, right?)
If you use DHCP to give each machine its host name and IP address, your workstations can all be identical. Whichever machine the user uses, they will always get the same (their own) desktop environment. Obviously, the workstations can be cloned, too; you can have a few spare hard drives pre-cloned, and when a problem occurs, just swap the hard drive. If you have time, you can investigate what the problem is; if not, just re-clone the hard drive. You can clone a Linux installation using basic command line tools; I've written some basic scripts to do partitioning etc. automatically, to clone a system to any disk, regardless of size.
It is possible to clone workstations remotely. I've designed some strategies, but none of them are actively used right now. Using package managers to install a system takes much longer than cloning, especially if you have a gigabit network to a server containing a cloneable image. Let me know if you want to know further details.
The servers can also be pretty much identical, except of course for the specific services each one provides. There is no need to run for example Apache on each server, is there?
(The configuration related to human users is identical on all servers: basically LDAP and PAM configuration, and possibly the helper scripts for SSH key regeneration and similar tasks the users may wish to do. It does make maintenance easier, especially if you have many servers.)
If you do not wish to use NFS for user home directories, then the first time a user logs in to a server, they will have to supply their password. Since you will be using LDAP or AD, the user will have a single username and a single password that work for all servers. If it is very important that users do not need to supply their usernames after that, you can write a couple of simple scripts to retrieve the ~user/.ssh/ files from some centralized storage at interactive SSH login, if the files do not exist yet. There are a couple of additional details to take care of, but basically it boils down to 1) users have to use their password for the first login on each server, and after regenerating their SSH keys, 2) having some centralized storage (SSH/SCP only is fine) for the per-user SSH keys, and 3) writing some helper scripts for these. Again, if you need further details on this, just let me know. However, I do believe using NFSv4 is much simpler.
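One way the "fetch ~user/.ssh/ at first login" helper described above could look, as an added example that is not the poster's script: it copies a user's key files from central storage only when they are missing, never overwrites keys the user has since regenerated, and enforces the permissions sshd requires. The store location, the fetch command and the file list are assumptions.

```shell
#!/bin/sh
# Hypothetical first-login helper (added example, not from the original post).
# Fetches missing ~/.ssh files from central storage and fixes permissions.

# Central key store and fetch command (assumed values). The default uses scp,
# matching the post's "SSH/SCP only is fine"; set FETCH="cp -p" and a local
# KEY_STORE to exercise the logic without a network.
KEY_STORE="${KEY_STORE:-keystore.example.internal:/srv/sshkeys}"
FETCH="${FETCH:-scp -q -p}"

# Files worth restoring; authorized_keys first so a restored login works
# even if a private-key copy fails.
KEY_FILES="authorized_keys id_ed25519 id_ed25519.pub"

# fetch_ssh_files HOME USER
# Returns 0 if ~/.ssh now holds at least one key file, 1 otherwise.
fetch_ssh_files() {
    home="$1"; who="$2"; dir="$home/.ssh"; got=0

    [ -d "$dir" ] || { mkdir -p "$dir" || return 1; }
    chmod 700 "$dir"

    for f in $KEY_FILES; do
        # Never clobber an existing file: once the user regenerated their
        # keys, the central copy is stale.
        if [ -e "$dir/$f" ]; then
            got=1
            continue
        fi
        # Copy to a temporary name so sshd/ssh never see a half-written key.
        if $FETCH "$KEY_STORE/$who/$f" "$dir/.$f.tmp" 2>/dev/null; then
            chmod 600 "$dir/.$f.tmp"
            mv "$dir/.$f.tmp" "$dir/$f" && got=1
        else
            rm -f "$dir/.$f.tmp"
        fi
    done

    # Public halves may be world-readable; everything else stays 0600.
    for f in $KEY_FILES; do
        [ -e "$dir/$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$dir/$f" ;;
            *)     chmod 600 "$dir/$f" ;;
        esac
    done
    [ "$got" -eq 1 ]
}
```

To run it at interactive SSH login, source the file from a profile script and call `[ -n "$SSH_CONNECTION" ] && fetch_ssh_files "$HOME" "$USER"`; the store itself must only be reachable by authenticated users, since it holds private keys.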