I made a very manual first run and got a working client. Lots of bugs to work out. I have a very specific need to have selinux running in enforcing mode on the clients. Yeah, that blew up in my face! Lots to do on that.
Biggest fail is using an installer initrd image. That will need to be replaced with a version that is more secured. The ftp root needs MUCH work. Another specific need for me is user authentication from ipa. That will probably not be super hard to "bake in" but will need some more research so I know where all the pieces need to be placed. I suspect each client will need an autoenroll process. The challenge there is there's no mechanism in ipa to store certs for multiple machines in the same file on a shared root filesystem. So a client will need a sequence of personality mounts on boot to get detailed content. That will require some scripting on the server end to manage and deploy that structure. The other part I'm not sure about is /dev/random pool depletion. It's essential to my security needs for encryption tokens (kerberos keys, ssl/tls communications of huge mounted filesystems) and multiple users each eat up randomness for each connection (yes, I also need encryption between thin clients and home server).
Applications: this was a generic yum group install "server with gui" chroot of centos 7 for the clients to run on. All the k12 stuff was not there but could be easily added.
Sorry, actual details are nonexistent here. My notes on this are at work and I'm just on my phone, slurping coffee on a Saturday morning. More, much more, later.
Hmm. I need to get the site loaded onto my server for data sharing. Probably not this weekend. Spent most of last weekend migrating to a new web server and have all of those normal weekend chores still to do.
Oh. Other than a pile of old laptops, a MacBook Pro and some ThinkPads, I'm looking to use these for clients:
Post by Lars Schade
have you been successful with your TC-setup under CentOS 7?
Do you care to share/document your experience? I would appreciate it!
K12OSN mailing list
For more info see <http://www.k12os.org>
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.