Manual for Debian Edu 12 Codename bookworm

Debian Edu Installer Logo

This is the manual for the Debian Edu 12 (bookworm) release.

The source at is a wiki and updated frequently.

Updated translations are available online.

About Debian Edu and Skolelinux

Debian Edu aka Skolelinux is a Linux distribution based on Debian providing an out-of-the box environment of a completely configured school network. It implements a client-server approach. Servers and clients are pieces of software that interact with one another. Servers provide information required by clients to function. When a server is installed on one machine and its client on a different machine, the machines themselves are referred to as the server and the client, by extension of the concept.

The chapters about hardware and network requirements and about the architecture contain basic system design details.

After installation of a main server, all services needed for a school network are set up and the system is ready to be used. Only users and machines need to be added via GOsa², a comfortable Web-UI, or any other LDAP editor. A netbooting environment using PXE/iPXE has also been prepared, so after initial installation of the main server from CD, Blu-ray disc or USB flash drive all other machines can be installed via the network, this includes "roaming workstations" (ones that can be taken away from the school network, usually laptops or netbooks). Also, machines can be booted via PXE/iPXE as diskless workstations or thin clients.

Several educational applications like GeoGebra, Kalzium, KGeography, GNU Solfege and Scratch are included in the default desktop environment setup, which can be extended easily and almost endlessly via the Debian universe.

Some history and why two names

Debian Edu / Skolelinux is a Linux distribution created by the Debian Edu project. As a Debian Pure Blend distribution it is an official Debian subproject.

What this means for your school is that Skolelinux is a version of Debian providing an out-of-the box environment of a completely configured school-network.

The Skolelinux project in Norway was founded on July 2nd 2001 and about the same time Raphaël Hertzog started Debian-Edu in France. Since 2003 both projects are united, but both names stayed. "Skole" and (Debian-)"Education" are just two well understood terms in these regions.

Today the system is in use in several countries around the world.




This section of the document describes the network architecture and services provided by a Skolelinux installation.

The Debian Edu network topology

The figure is a sketch of the assumed network topology. The default setup of a Skolelinux network assumes that there is one (and only one) main server, while allowing the inclusion of both normal workstations and LTSP servers (with associated thin clients and/or diskless workstations). The number of workstations can be as large or small as you want (starting from none to a lot). The same goes for the LTSP servers, each of which is on a separate network so that the traffic between the clients and the LTSP server doesn't affect the rest of the network services. LTSP is explained in detail in the related HowTo chapter.

The reason that there can only be one main server in each school network is that the main server provides DHCP, and there can be only one machine doing so in each network. It is possible to move services from the main server to other machines by setting up the service on another machine, and subsequently updating the DNS configuration, pointing the DNS alias for that service to the right computer.

In order to simplify the standard setup of Skolelinux, the Internet connection runs over a separate router, also called gateway. See the Internet router chapter for details how to set up such a gateway if it is not possible to configure an existing one as needed.

The default network setup

DHCP on the main server serves the network, providing a PXE boot menu where you can choose whether to install a new server/workstation, boot a thin client or a diskless workstation, run memtest, or boot from the local hard disk.

This is designed to be modified; for details, see the related HowTo chapter.

DHCP on the LTSP servers only serves a dedicated network on the second interface ( and are preconfigured options) and should seldom need to be changed.

The configuration of all subnets is stored in LDAP.

Main server

A Skolelinux network needs one main server (hostname "tjener" which is Norwegian and means "server") which per default has the IP address and is installed by selecting the Main Server profile. It's possible (but not required) to also select and install the LTSP Server and Workstation profiles in addition to the Main Server profile.

Services running on the main server

With the exception of the control of the thin clients, all services are initially set up on one central computer (the main server). For performance reasons, the LTSP server(s) should be separate (though it is possible to install both the Main Server and LTSP Server profiles on the same machine). All services are allocated a dedicated DNS-name and are offered exclusively over IPv4. The allocated DNS name makes it easy to move individual services from the main server to a different machine, by simply stopping the service on the main server, and changing the DNS configuration to point to the new location of the service (which should be set up on that machine first, of course).

To ensure security all connections where passwords are transmitted over the network are encrypted, so no passwords are sent over the network as plain text.

Below is a table of the services that are set up by default in a Skolelinux network and the DNS name of each service. If possible all configuration files will refer to the service by name (without the domain name) thus making it easy for schools to change either their domain (if they have an own DNS domain) or the IP addresses they use.

Table of services

Service description

Common name

DNS service name

Centralised Logging



Domain Name Service



Automatic Network Configuration of Machines



Clock Synchronisation



Home Directories via Network File System



Electronic Post Office

IMAP (Dovecot)


Directory Service



User Administration



Web Server



Central Backup

sl-backup, slbackup-php


Web Cache

Proxy (Squid)





Secure Remote Login



Automatic Configuration



LTSP Server/s



Machine and Service Surveillance with Error Reporting, plus Status and History on the Web. Error Reporting by email

Munin, Icinga and Sitesummary


Personal files for each user are stored in their home directories, which are made available by the server. Home directories are accessible from all machines, giving users access to the same files regardless of which machine they are using. The server is operating system agnostic, offering access via NFS for Unix clients and via SMB2/SMB3 for other clients.

By default email is set up for local delivery (i.e. within the school) only, though email delivery to the wider Internet may be set up if the school has a permanent Internet connection. Clients are set up to deliver mail to the server (using 'smarthost'), and users can access their personal mail through IMAP.

All services are accessible using the same username and password, thanks to the central user database for authentication and authorisation.

To increase performance on frequently accessed sites a web proxy that caches files locally (Squid) is used. In conjunction with blocking web-traffic in the router this also enables control of Internet access on individual machines.

Network configuration on the clients is done automatically using DHCP. All types of clients can be connected to the private subnet and will get according IP addresses; LTSP clients should be connected to the corresponding LTSP server via the separate subnet (this is to ensure that the network traffic of the LTSP clients doesn't interfere with the rest of the network services).

Centralised logging is set up so that all machines send their syslog messages to the server. The syslog service is set up so that it only accepts incoming messages from the local network.

By default the DNS server is set up with a domain for internal use only (*.intern), until a real ("external") DNS domain can be set up. The DNS server is set up as caching DNS server so that all machines on the network can use it as the main DNS Server.

Pupils and teachers have the ability to publish websites. The web server provides mechanisms for authenticating users, and for limiting access to individual pages and subdirectories to certain users and groups. Users will have the ability to create dynamic web pages, as the web server will be programmable on the server side.

Information on users and machines can be changed in one central location, and is made accessible to all computers on the network automatically. To achieve this a centralised directory server is set up. The directory will have information on users, user groups, machines and groups of machines. To avoid user confusion there won't be any difference between file groups and network groups. This implies that groups of machines which are to form network groups will use the same namespace as user groups.

Administration of services and users will mainly be via the web, and follow established standards, functioning well in the web browsers which are part of Skolelinux. The delegation of certain tasks to individual users or user groups will be made possible by the administration systems.

In order to avoid certain problems with NFS, and to make it simpler to debug problems, the different machines need synchronised clocks. To achieve this the Skolelinux server is set up as a local Network Time Protocol (NTP) server, and all workstations and clients are set up to synchronise with the server. The server itself should synchronise its clock via NTP against machines on the Internet, thus ensuring the whole network has the correct time.

Printers are connected where convenient, either directly onto the main network, or connected to a server, workstation or LTSP server. Access to printers can be controlled for individual users according to the groups they belong to; this will be achieved by using quota and access control for printers.

LTSP server(s)

A Skolelinux network can have many LTSP servers, which are installed by selecting the LTSP Server profile.

The LTSP servers are set up to receive syslog from thin clients and workstations, and forward these messages to the central syslog recipient.

Please note:

  • LTSP diskless workstations are using the programs installed on the server.
  • The client root filesystem is provided using NFS. After each modification to the LTSP server the related image has to be re-generated; run debian-edu-ltsp-install --diskless_workstation yes on the LTSP server.

Thin clients

A thin client setup enables ordinary PCs to function as (X-)terminals. This means that the machine boots directly from the server using PXE without using the local client hard drive. The thin client setup now uses X2Go, because LTSP has dropped support.

Thin clients are a good way to still make use of very old (mostly 32-bit) machines as they effectively run all programs on the LTSP server. This works as follows: the service uses DHCP and TFTP to connect to the network and boot from the network. Next, the file system is mounted from the LTSP server using NFS, and finally the X2Go client is started.

Diskless workstations

A diskless workstation runs all software on the PC without a locally installed operating system. This means that client machines boot via PXE without running software installed on a local hard drive.

Diskless workstations are an excellent way of using powerful hardware with the same low maintenance cost as with thin clients. Software is administered and maintained on the server with no need for local installed software on the clients. Home directories and system settings are stored on the server too.

Networked clients

The term "networked clients" is used in this manual to refer to both thin clients and diskless workstations, as well as computers running macOS or Windows.


All the Linux machines that are installed with the Skolelinux installer will be administrable from a central computer, most likely the server. It will be possible to log in to all machines via SSH, and thereby have full access to the machines. As root one needs to run kinit first to get a Kerberos TGT.

All user information is kept in an LDAP directory. Updates of user accounts are made against this database, which is used by the clients for user authentication.


Currently there are two kinds of installation media images: netinst and BD. Both images can also be booted from USB sticks.

The aim is to be able to install a server from any type of medium once, and install all other clients over the network by booting from the network.

Only the netinstall image needs access to the Internet during installation.

The installation should not ask any questions, with the exception of desired language, location, keyboard layout and machine profile (Main Server, Workstation, LTSP Server, …). All other configuration will be set up automatically with reasonable values, to be changed from a central location by the system administrator subsequent to the installation.

File system access configuration

Each Skolelinux user account is assigned a section of the file system on the file server. This section (home directory) contains the user's configuration files, documents, email and web pages. Some of the files should be set to have read access for other users on the system, some should be readable by everyone on the Internet, and some should not be accessible for reading by anyone but the user.

To ensure that all disks that are used for user directories or shared directories can be uniquely named across all the computers in the installation, they can be mounted as /skole/host/directory/. Initially, one directory is created on the file server, /skole/tjener/home0/, in which all the user accounts are created. More directories may then be created when needed to accommodate particular user groups or particular patterns of usage.

To enable shared access to files under the normal UNIX permissions system, users need to be in supplementary shared groups (such as "students") as well as the personal primary group that they're in by default. If users have an appropriate umask to make newly created items group-accessible (002 or 007), and if the directories they're working in are setgid to ensure the files inherit the correct group-ownership, the result is controlled file sharing between the members of a group.

The initial access settings for newly created files are a matter of policy. The Debian default umask is 022 (which would not allow group-access as described above), but Debian Edu uses a default of 002 - meaning that files are created with read access for everybody, which can later be removed by explicit user action. This can alternatively be changed (by editing /etc/pam.d/common-session) to a umask of 007 - meaning read access is initially blocked, necessitating user action to make them accessible. The first approach encourages knowledge sharing, and makes the system more transparent, whereas the second method decreases the risk of unwanted spreading of sensitive information. The problem with the first solution is that it is not apparent to the users that the material they create will be accessible to all other users. They can only detect this by inspecting other users' directories and seeing that their files are readable. The problem with the second solution is that few people are likely to make their files accessible, even if they do not contain sensitive information and the content would be helpful to inquisitive users who want to learn how others have solved particular problems (typically configuration issues).



There are different ways of setting up a Skolelinux solution. It can be installed on just one standalone PC, or as a region-wide solution at many schools operated centrally. This flexibility makes a huge difference to the configuration of network components, servers and client machines.

Hardware requirements

The purpose of the different profiles is explained in the network architecture chapter.

(!) If LTSP is intended to be used, take a look at the LTSP Hardware Requirements wiki page.

  • The computers running Debian Edu / Skolelinux must have either 32 bit (Debian architecture 'i386', oldest supported processors are 686 class ones) or 64 bit (Debian architecture 'amd64') x86 processors.
  • Thin clients with only 256 MiB RAM and 400 MHz are possible, though more RAM and faster processors are recommended.
  • For workstations, diskless workstations and standalone systems, 1500 MHz and 1024 MiB RAM are the absolute minimum requirements. For running modern webbrowsers and LibreOffice at least 2048 MiB RAM is recommended.

  • The minimum disk space requirements depend on the profile which is installed:
    • combined main server + LTSP server + workstation (if a GUI on the server is desired): 60 GiB (plus additional space for user accounts).
    • LTSP server: 40 GiB.
    • workstation or standalone: 30 GiB.
    • minimal networked machine installation: 4 GiB.
  • LTSP servers need two network cards when using the default network architecture:
    • eth0 is connected to the main network (,
    • eth1 is used for serving LTSP clients.
  • Laptops are movable workstations, so they have the same requirements as workstations.

Hardware known to work

A list of tested hardware is provided at . This list is not nearly complete. is an effort to document how to install, configure and use Debian on some specific hardware, allowing potential buyers to know if that hardware is supported and existing owners to know how get the best out of that hardware.

Requirements for network setup

Default Setup

When using the default network architecture, these rules apply:

  • You need exactly one main server.
  • You can have hundreds of workstations on the main network.
  • You can have a lot of LTSP servers on the main network; two different subnets are preconfigured (DNS, DHCP) in LDAP, more can be added.
  • You can have hundreds of thin clients and/or diskless workstations on each LTSP server network.
  • You can have hundreds of other machines which will have dynamic IP addresses assigned.
  • For access to the Internet you need a router/gateway (see below).

Internet router

A router/gateway, connected to the Internet on the external interface and running on the IP address with netmask on the internal interface, is needed to connect to the Internet.

The router should not run a DHCP server, it can run a DNS server, though this is not needed and will not be used.

In case you do not already have a router or your existing router cannot be set up accordingly, any machine which fulfills the requirements for a minimal Debian installation and which has at least two network interfaces can be turned into a gateway between the existing network and the Debian Edu one. See installation documentation for a simple way to install and set up a Debian machine using debian-edu-router-config.

If you need something for an embedded router or accesspoint we recommend using OpenWRT, though of course you can also use the original firmware. Using the original firmware is easier; using OpenWRT gives you more choices and control. Check the OpenWRT webpages for a list of supported hardware.

It is possible to use a different network setup (there is a documented procedure to do this), but if you are not forced to do this by an existing network infrastructure, we recommend against doing so and recommend you stay with the default network architecture.


Installation and download options

Where to find additional information

We recommend that you read or at least take a look at the release notes for Debian Bookworm before you start installing a system for production use. There is more information about the Debian Bookworm release available in its installation manual.

Please give Debian Edu/Skolelinux a try, it should just work.
It is recommended, though, to read the chapters about hardware and network requirements and about the architecture before starting to install a main server.

Be sure to also read the getting started chapter of this manual, as it explains how to log in for the first time.

Download the installation media for Debian Edu 12 Codename bookworm

amd64 or i386

amd64 and i386 are the names of two Debian architectures for x86 CPUs, both are or have been build by AMD, Intel and other manufacturers. amd64 is a 64-bit architecture and i386 is a 32-bit architecture. New installations today should be done using amd64. i386 should only be used for very old hardware.

netinst iso images for amd64 or i386

The netinst iso image can be used for installation from CD/DVD and USB flash drives and is available for two Debian architectures: amd64 or i386. As the name implies, Internet access is required for the installation.

Once Bookworm has been released these images will be available for download from:

BD iso images for amd64 or i386

These ISO image are approximately 7.5 GB large and can be used for installation of amd64 or i386 machines, also without access to the Internet. Like the netinst image it can be used on USB flash drives or disk media of sufficient size.

Once Bookworm has been released these images will be available for download from:

Verification of downloaded image files

Detailed instructions for verifying and using these images are part of the Debian-CD FAQ.


Sources are available from the Debian archive at the usual locations, several media are linked on

Installing Debian Edu

When you do a Debian Edu installation, you have a few options to choose from. Don't be afraid; there aren't many. We have done a good job of hiding the complexity of Debian during the installation and beyond. However, Debian Edu is Debian, and if you want there are more than 59,000 packages to choose from and a billion configuration options. For the majority of our users, our defaults should be fine. Please note: if LTSP is intended to be used, choose a lightweight desktop environment.

Main server installation scenarios

  1. Typical school or home network with Internet access through a router providing DHCP:
    • Installation of a main server is possible, but after reboot there will be no Internet access (due to primary network interface IP
    • See the Internet router chapter for details how to set up a gateway if it is not possible to configure an existing one as needed.

    • Connect all components like shown in the architecture chapter.

    • The main server should have Internet connection once booted the first time in the correct environment.
  2. Typical school or institution network, similar to the one above, but with proxy use required.
    • Add 'debian-edu-expert' to the kernel command line; see further below for details how this is done.
    • Some additional questions must be answered, the proxy server related one included.
  3. Network with router/gateway IP (which does not provide a DHCP server) and Internet access:
    • As soon as the automatic network configuration fails (due to missing DHCP), choose manual network configuration.
      • Enter as host IP
      • Enter as gateway IP
      • Enter as nameserver IP unless you know better
    • The main server should just work after the first boot.
  4. Offline (no Internet connection):
    • Use the BD ISO image.
    • Make sure all (real/virtual) network cables are unplugged.
    • Choose 'Do not configure the network at this time' (after DHCP failed to configure the network and you pressed 'Continue').
    • Update the system once bootet the first time in the correct environment with Internet access.

Desktop environments

Several desktop environments are available:

  • Xfce has a slightly bigger footprint than LXDE but a very good language support (106 languages).
  • KDE and GNOME both have good language support, but too big a footprint for both older computers and for LTSP clients.
  • Cinnamon is a lighter alternative to GNOME.
  • MATE is lighter than the three above, but is missing good language support for several countries.
  • LXDE has the smallest footprint and supports 35 languages.
  • LXQt is a lightweight desktop environment (language support similar to LXDE) with a more modern look and feel (based on Qt just like KDE).

Debian Edu as an international project has chosen to use Xfce as the default desktop environment; see below how to set a different one.

Modular installation

  • When installing a system with profile Workstation included, a lot of education related programs are installed. To install only the basic profile, remove the desktop=xxxx kernel command line param before starting the installation; see further below for details how this is done. This allows one to install a site specific system and could be used to speed up test installations.

  • Please note: If you want to install a desktop environment afterwards, don't use the Debian Edu meta-packages like e.g. education-desktop-xfce because these would pull in all education related programs; rather install e.g. task-xfce-desktop instead. One or more of the new school level related meta-packages education-preschool, education-primaryschool, education-secondaryschool, education-highschool could be installed to match the use case.

  • For details about Debian Edu meta-packages, see the Debian Edu packages overview page.

Installation types and options

Installer boot menu on 64-bit Hardware - BIOS mode

64-bit Installer boot menu (BIOS mode)

Graphical install uses the GTK installer where you can use the mouse.
Install uses text mode.
Advanced options > gives a sub menu with more detailed options to choose.
Help gives some hints on using the installer; see screenshot below.

64-bit Installer advanced options screen 1

Back.. brings back to the main menu.
Graphical expert install gives access to all available questions, mouse usable.
Graphical rescue mode makes this install medium become a rescue disk for emergency tasks.
Graphical automated install needs a preseed file.
Expert install gives access to all available questions in text mode.
Rescue mode text mode; makes this install medium become a rescue disk for emergency tasks.
Automated install text mode; needs a preseed file.
/!\ Do not use Graphical expert install or Expert install, use debian-edu-expert instead as an additional kernel parameter in exceptional cases.

Help screen

Installer help screen

This Help screen is self explaining and enables the <F>-keys on the keyboard for getting more detailed help on the topics described.

Installer boot menu on 64-bit Hardware - UEFI mode

64-bit Installer boot menu (UEFI mode)

Add or change boot parameters for installations

In both cases, boot options can be edited by pressing the TAB or E key in the boot menu; the screenshots show the command line for Graphical install.

Edit command line options (BIOS mode)

Edit command line options (UEFI mode)

  • You can use an existing HTTP proxy service on the network to speed up the installation of the Main Server profile from CD. Add e.g. mirror/http/proxy= as an additional boot parameter.

  • If you have already installed the Main Server profile on a machine, further installations should be done via PXE, as this will automatically use the proxy of the main server.

  • To install the GNOME desktop environment instead of the default Xfce desktop environment, replace xfce with gnome in the desktop=xfce parameter.

  • To install the LXDE desktop environment instead, use desktop=lxde.

  • To install the LXQt desktop environment instead, use desktop=lxqt.

  • To install the KDE Plasma desktop environment instead, use desktop=kde.

  • To install the Cinnamon desktop environment instead, use desktop=cinnamon.

  • And to install the MATE desktop environment instead, use desktop=mate.

The installation process

Remember the system requirements and make sure you have at least two network cards (NICs) if you plan on setting up an LTSP server.

  • Choose a language (for the installation and the installed system).
  • Choose a location which normally should be the location where you live.
  • Choose a keyboard keymap (the country's default is usually fine).
  • Choose profile(s) from the following list:
    • Main Server

      • This is the main server (tjener) for your school providing all services pre-configured to work out of the box. You must install only one main server per school! This profile does not include a graphical user interface. If you want a graphical user interface, then select Workstation or LTSP Server in addition to this one.
    • Workstation

      • A computer booting from its local hard drive, and running all software and devices locally like an ordinary computer, except that user logins are authenticated by the main server, where the users' files and desktop profile are stored.
    • Roaming workstation

      • Same as workstation but capable of authentication using cached credentials, meaning it can be used outside the school network. The users' files and profiles are stored on the local disk. For single user notebooks and laptops this profile should be selected and not 'Workstation' or 'Standalone' as suggested in earlier releases.
    • LTSP Server

      • A thin client (and diskless workstation) server, is called an LTSP server. Clients without hard drives boot and run software from this server. This computer needs two network interfaces, a lot of memory, and ideally more than one processor or core. See the chapter about networked clients for more information on this subject. Choosing this profile also enables the workstation profile (even if it is not selected) - an LTSP server can always be used as a workstation, too.

    • Standalone

      • An ordinary computer that can function without a main server (that is, it doesn't need to be on the network). Includes laptops.
    • Minimal

      • This profile will install the base packages and configure the machine to integrate into the Debian Edu network, but without any services and applications. It is useful as a platform for single services manually moved out from the main server.
        In case ordinary users should be able to use such a system, it needs to be added using GOsa² (similar to a workstation) and the libpam-krb5 package needs to be installed.

    The Main Server, Workstation and LTSP Server profiles are preselected. These profiles can be installed on one machine together if you want to install a so called combined main server. This means the main server will be an LTSP server and also be used as a workstation. This is the default choice, since we assume most people will want it. Please note that you must have 2 network cards installed in a machine which is going to be installed as a combined main server or as an LTSP server to become useful after the installation.

  • Say "yes" or "no" to automatic partitioning. Be aware that saying "yes" will destroy all data on the hard drives! Saying "no" on the other hand will require more work - you will need to make sure that the required partitions are created and are big enough.
  • Please say "yes" to submitting information to to allow us to know which packages are popular and should be kept for future releases. Although you don't have to, it is a simple way for you to help. :)

  • Wait. If the selected profiles include LTSP Server then the installer will spend quite some time at the end, "Finishing the installation - Running debian-edu-profile-udeb...".
  • After giving the root password, you will be asked to create a normal user account "for non-administrative tasks". For Debian Edu this account is very important: it is the account you will use to manage the Skolelinux network.

    /!\ The password for this user must have a length of at least 5 characters and must differ from the username - otherwise login will not be possible (even though a shorter password and also a password matching the username will be accepted by the installer).

  • Wait again in case of a combined main server after rebooting the system. It will spend quite some time generating the SquashFS image for diskless workstations.

  • In case of a separate LTSP server, the diskless workstation and/or thin client setup needs some manual steps. For details, see the Network clients HowTo chapter.

Installing a gateway using debian-edu-router

The debian-edu-router-config package simplifies the the setup of a gateway for a Debian Edu network through an interactive configuration process where the necessary information is obtained through a series of dialogues.

In order to make use of it, perform a minimal Debian installation. Be sure to use the regular Debian installer and not the Debian Edu installer since Debian Edu installations are not supported by debian-edu-router-config.

Install the debian-edu-router-config package using

DEBIAN_FRONTEND=noninteractive apt install -y -q debian-edu-router-config

Error messages regarding the configuration are expected and can be ignored for now.

For the configuration process following the installation of debian-edu-router-config, physical access to the computer is required.

The network interfaces may already be connected to the corresponding networks but do not have to be. However it is necessary to be aware which interface will be connected to which network. In order to obtain more information about the network hardware

lshw -class network

can be used.

Remove the configuration of the two network interfaces to be used from /etc/network/interfaces or files in /etc/network/interfaces.d/ and un-configure the two interfaces using

ip addr flush <interface>

The actual configuration process is started with

dpkg-reconfigure --force uif debian-edu-router-config

Selecting the uif configuration method

Confirmation for setting up uif

When asked about the uif firewall configuration method choose "debian-edu-router". Confirm that you want to set up the firewall for Debian Edu Router.

Allowing ping in uif

Allowing traceroute in uif

Decide whether you want to respond to ping and traceroute. If unsure answer with yes as it can be useful for diagnosing network issues.

Enabling IP packet forwarding

Confirm that you want to enable IP packet forwarding.

Selecting the network setup method

Next, assign networks to the network interfaces in your router, choose one of the offered options depending on whether your network interfaces are already connected or not.

Selecting the uplink interface

Select the interface which is connected to the upstream network.

Selecting internal networks

Select an internal network, in case you are unsure and simply want a single internal network select "Education" here.

Enabling use of VLANs

Select whether VLANs should be used for internal networks, if you are unsure select no here.

Selecting supported IP versions

Select "IPv4" here.

Selecting networks which require a static IP address

Select "Uplink" if your upstream network requires a static IP address and, if you followed the above suggestion on internal networks, "Education".

Setting a static IP address for the internal network

Set as the static IP address for the internal network "Education" if you followed the above suggestion on internal networks.

Enabling NAT for networks

Enable NAT for the internal network.

Enabling internet access for networks

Enable internet access for internal networks.

Setting up reverse NAT

If you want to expose any internal services to the internet you can configure them using the described syntax. Note that SSH access to the gateway can be configured using the following dialog.

Enabling SSH access for networks

Decide from which networks you want to allow SSH access to the gateway.

Enabling DHCP for networks

Do not enable DHCP for the internal networks, it will be offered by the Debian Edu main server.

Configuring the SSH port

Configure the SSH port, this should be 22 if the configuration has not been changed.

Connect the network interfaces if you have not already done so and reboot the machine. Now, when you logging in as a root you should see Debian Edu Router Menu.

SSH main menu SSH configuration

If SSH access has been enabled the gateway can be reconfigured remotely via the menu offered when logging in as root. Pressing c in the main menu switches to the configuration menu from which all or parts of the configuration can be changed using the same dialogue system which was used for the initial configuration.

Notes on some characteristics

A note on notebooks

Most likely you will want to use the 'Roaming workstation' profile (see above). Be aware that all data is stored locally (so take some extra care over backups) and login credentials are cached (so after a password change, logins may require your old password if you have not connected your laptop to the network and logged in with the new password).

A note on USB flash drive / Blu-ray disc image installs

After you install from the USB flash drive / Blu-ray disc image, /etc/apt/sources.list will only contain sources from that image. If you have an Internet connection, we strongly suggest adding the following lines to it so that available security updates can be installed:

deb bookworm main 
deb bookworm-security main 

A note on CD installs

A netinst installation (which is the type of installation our CD provides) will fetch some packages from the CD and the rest from the net. The amount of packages fetched from the net varies from profile to profile but stays below a gigabyte (unless you choose to install all possible desktop environments). Once you have installed the main server (whether a pure main server or combi-server does not matter), further installation will use its proxy to avoid downloading the same package several times from the net.

Installation using USB flash drives instead of CD / Blu-ray discs

It is possible to directly copy a CD/BD ISO image to USB flash drives (also known as "USB sticks") and boot from them. Simply execute a command like this, just adapting the file and device name to your needs:

sudo dd if=debian-edu-amd64-XXX.iso of=/dev/sdX bs=1M

To determine the value of X, run this command before and after the USB device has been inserted:

lsblk -p

Please note that copying will take quite some time.

Depending on which image you choose, the USB flash drive will behave just like a CD or Blu-ray disc.

Installation and booting over the network via PXE

For this installation method it is required that you have a running main server. When clients boot via the network, an iPXE menu with installer and boot selection options is displayed. If PXE installation fails with an error message claiming a XXX.bin file is missing, then most probably the client's network card requires nonfree firmware. In this case the Debian Installer's initrd must be modified. This can be achieved by executing the command:


on the server.

This is how the iPXE menu looks with the Main Server profile only:

The iPXE menu without LTSP entries

This is how the iPXE menu looks with the LTSP Server profile:

The iPXE menu with LTSP entries

This setup also allows diskless workstations and thin clients to be booted on the main network. Unlike workstations and separate LTSP servers, diskless workstations don't have to be added to LDAP with GOsa².

More information about network clients can be found in the Network clients HowTo chapter.

Modifying PXE installations

The PXE installation uses a debian-installer preseed file, which can be modified to ask for more packages to install.

A line like the following needs to be added to tjener:/etc/debian-edu/www/debian-edu-install.dat

d-i    pkgsel/include string my-extra-package(s)

The PXE installation uses the preseeding file /etc/debian-edu/www/debian-edu-install.dat. This file can be changed to adjust the preseeding used during installation, to avoid more questions when installing over the net. Another way to achieve this is to provide extra settings in /etc/debian-edu/pxeinstall.conf and /etc/debian-edu/www/debian-edu-install.dat.local and to run /usr/sbin/debian-edu-pxeinstall to update the generated files.

Further information can be found in the manual of the Debian Installer.

To disable or change the use of the proxy when installing via PXE, the lines containing mirror/http/proxy, mirror/ftp/proxy and preseed/early_command in tjener:/etc/debian-edu/www/debian-edu-install.dat  need to be changed. To disable the use of a proxy when installing, put '#' in front of the first two lines, and remove the "export http_proxy="http://webcache:3128"; " part from the last one.

Some settings can not be preseeded because they are needed before the preseeding file is downloaded. Language, keyboard layout and desktop environment are examples of such settings. If you want to change the default settings, edit the iPXE menu file /srv/tftp/ltsp/ltsp.ipxe on the main server.

Custom images

Creating custom CDs, DVDs or Blu-ray discs can be quite easy since we use the Debian Installer, which has a modular design and other nice features. Preseeding allows you to define answers to the questions normally asked.

So all you need to do is to create a preseeding file with your answers (this is described in the appendix of the Debian Installer manual) and remaster the CD/DVD.

Screenshot tour

The text mode and the graphical installation are functionally identical - only the appearance is different. The graphical mode offers the opportunity to use a mouse, and of course looks much nicer and more modern. Unless the hardware has trouble with the graphical mode, there is no reason not to use it.

So here is a screenshot tour through a graphical 64-bit Main Server + Workstation + LTSP Server installation (in BIOS mode) and how it looks at the first boot of the main server and a PXE boot on the LTSP client network (thin client session screen - and login screen after the session on the right has been clicked).

64-bit Installer boot menu (BIOS mode)

Select a language

Select your location

Configure the keyboard

Detect network hardware

Configure network manually

Configure IP address

Configure gateway

Configure nameserver

Choose Debian Edu profile

Use the automatic partitioning tool: no

Use the automatic partitioning tool: yes

Participate in the package usage survey: no

Participate in the package usage survey: yes

Set password for the root user

Set full name for the first user

Set user name for the first user

Set password for the first user

Installation complete

Lightdm Login screen

Xfce Desktop showing Browser window

Xfce Desktop screen

Thin-Client-Welcome screen

Thin-Client-Login screen


Getting started

Minimum steps to get started

During installation of the main server a first user account was created. In the following text this account will be referenced as "first user". This account is special, as the home directory permission is set to 700 (so chmod o+x ~ is needed to make personal web pages accessible), and the first user can use sudo to become root.

See the information about Debian Edu specific file system access configuration before adding users; adjust to your site's policy if needed.

After the installation, the first things you need to do as first user are:

  1. Log into the server.
  2. Add users with GOsa².
  3. Add workstations with GOsa².

Adding users and workstations is described in detail below, so please read this chapter completely. It covers how to perform these minimum steps correctly as well as other stuff that everybody will probably need to do.

There is additional information available elsewhere in this manual: the New features in Bookworm chapter should be read by everyone who is familiar with previous releases. And for those upgrading from a previous release, make sure to read the Upgrades chapter.

/!\ If generic DNS traffic is blocked out of your network and you need to use some specific DNS server to look up internet hosts, you need to tell the DNS server to use this server as its "forwarder". Update /etc/bind/named.conf.options and specify the IP address of the DNS server to use.

The HowTo chapter covers more tips and tricks and some frequently asked questions.

Services running on the main server

There are several services running on the main server which can be managed via a web management interface. We'll describe each service below.

Introduction to GOsa²

GOsa² is a web based management tool that helps to manage some important parts of your Debian Edu setup. With GOsa² you can manage (add, modify, or delete) these main groups:

  • User Administration
  • Group Administration
  • NIS Netgroup Administration
  • Machine Administration
  • DNS Administration
  • DHCP Administration

For GOsa² access you need the Skolelinux main server and a (client) system with a web browser installed which can be the main server itself if it was installed as a so called combined server (Main Server + LTSP Server + Workstation profiles).

If you (probably accidentally) installed a pure Main Server profile and don't have a client with a web-browser handy, it's easy to install a minimal desktop on the main server using this command sequence in a (non-graphical) shell as the user you created during the main server's installation (first user):

  $ sudo apt update
  $ sudo apt install task-desktop-xfce lightdm education-menus
  $ sudo service lightdm start

From a web browser use the URL https://www/gosa for GOsa² access, and log in as the first user.

  • If you are using a new Debian Edu Bookworm machine, the site certificate will be known by the browser.
  • Otherwise, you will get an error message about the SSL certificate being wrong. If you know you are alone on your network, just tell the browser to accept it and ignore that.

GOsa² Login plus Overview

GOsa² overview page after login as the first  user

After logging in to GOsa² you will see the overview page of GOsa².

Next, you can choose a task in the menu or click any of the task icons on the overview page. For navigation, we recommend using the menu on the left side of the screen, as it will stay visible there on all administration pages offered by GOsa².

In Debian Edu, account, group, and system information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations, the LTSP servers and other machines on the network. With LDAP, account information about students, teachers, etc. only needs to be entered once. After information has been provided in LDAP, the information will be available to all systems on the whole Skolelinux network.

GOsa² is an administration tool that uses LDAP to store its information and provide a hierarchical department structure. To each "department" you can add user accounts, groups, systems, netgroups, etc. Depending on the structure of your institution, you can use the department structure in GOsa²/LDAP to transfer your organisational structure into the LDAP data tree of the Debian Edu main server.

A default Debian Edu main server installation currently provides two "departments": Teachers and Students, plus the base level of the LDAP tree. Student accounts are intended to be added to the "Students" department, teachers to the "Teachers" department; systems (servers, workstations, printers etc.) are currently added to the base level. Find your own scheme for customising this structure. (You can find an example how to create users in year groups, with common home directories for each group in the HowTo/AdvancedAdministration chapter of this manual.)

Depending on the task that you want to work on (manage users, manage groups, manage systems, etc.) GOsa² presents you with a different view on the selected department (or the base level).

User Management with GOsa²

First, click on "Users" in the left navigation menu. The right side of the screen will change to show a table with department folders for "Students" and "Teachers" and the account of the GOsa² Administrator (the first created user). Above this table you can see a field called Base that allows you to navigate through your tree structure (move your mouse over that area and a drop-down menu will appear) and to select a base folder for your intended operations (e.g. adding a new user).

Adding users

Next to that tree navigation item you can see the "Actions" menu. Move your mouse over this item and a submenu appears on screen; choose "Create" here, and then "User". You will be guided by the user creation wizard.

  • The most important thing to add is the template (newstudent or newteacher) and the full name of your user (see image).
  • As you follow the wizard, you will see that GOsa² generates a username automatically based on the real name. It automatically chooses a username that doesn't exist yet, so multiple users with the same full name are not a problem. Note that GOsa² can generate invalid usernames if the full name contains non-ASCII characters.
  • If you don't like the generated username you can select another username offered in the drop-down box, but you do not have a free choice here in the wizard. (If you want to be able to edit the proposed username, open /etc/gosa/gosa.conf with an editor and add allowUIDProposalModification="true" as an additional option to the "location definition".)

  • When the wizard has finished, you are presented with the GOsa² screen for your new user object. Use the tabs at the top to check the completed fields.

After you have created the user (no need to customise fields the wizard has left empty for now), click on the "Ok" button in the bottom-right corner.

As the last step GOsa² will ask for a password for the new user. Type that in twice and then click "Set password" in the bottom-right corner. /!\ Some characters may not be allowed as part of the password.

If all went well, you can now see the new user in the user list table. You should now be able to log in with that username on any Skolelinux machine within your network.

Search, modify and delete users


To modify or delete a user, use GOsa² to browse the list of users on your system. On the middle of the screen you may open the "Filter" box, a search tool provided by GOsa². If you don't know the exact location of your user account in your tree, change to the base level of the GOsa²/LDAP tree and search there with the option marked "Search in subtrees".

When using the "Filter" box, results will immediately appear in the middle of the text in the table list view. Every line represents a user account and the items farthest to the right on each line are little icons that provide actions for you: edit user, lock account, set password and remove user.

A new page will show up where you can directly modify information about the user, change the password of the user and modify the list of groups the user belongs to.

Editing user data

Set passwords

The students can change their own passwords by logging into GOsa² with their own usernames. To ease the access of GOsa², an entry called Gosa is provided in the desktop's System (or System settings) menu. A logged-in student will be presented with a very minimal version of GOsa² that only allows access to the student's own account data sheet and to the set-password dialog.

Teachers logged in under their own usernames have special privileges in GOsa². They are shown a more privileged view of GOsa², and can change the passwords for all student accounts. This may be very handy during class.

To administratively set a new password for a user

  1. search for the user to be modified, as explained above
  2. click on the key symbol at the end of the line that the username is shown in
  3. on the page subsequently presented you can set a new password chosen by yourself

Set user password

Be aware of security implications due to easy to guess passwords!

Advanced user management

It is possible to mass-create users with GOsa² by using a CSV file, which can be created with any good spreadsheet software (for example localc). At least, entries for the following fields have to be provided: uid, last name (sn), first name (givenName) and password. Make sure that there are no duplicate entries in the uid field. Please note that the check for duplicates must include already existing uid entries in LDAP (which could be obtained by executing getent passwd | grep tjener/home | cut -d":" -f1 on the command line).

These are the format guidelines for such a CSV file (GOsa² is quite intolerant about them):

  • Use "," as field separator
  • Do not use quotes
  • The CSV file must not contain a header line (of the sort that normally contains the column names)

  • The order of the fields is not relevant, and can be defined in GOsa² during the mass import

The mass import steps are:

  1. click the "LDAP Manager" link in the navigation menu on the left
  2. click the "Import" tab in the screen on the right
  3. browse your local disk and select a CSV file with the list of users to be imported
  4. choose an available user template that should be applied during mass import (such as NewTeacher or NewStudent)

  5. click the "Import" button in the bottom-right corner

It's a good idea to do some tests first, preferably using a CSV file with a few fictional users, which can be deleted later.

Same applies to the password management module, which allows one to reset a lot of passwords using a CSV file or to re-generate new passwords for users belonging to a special LDAP subtree.

Reset passwords

Adding users from the command line

User accounts can also be added from the command line using the ldap-createuser-krb5 tool, see the documentation in the Administration HowTo

Group Management with GOsa²

create group

create group

The management of groups is very similar to the management of users.

You can enter a name and a description per group. Make sure that you choose the right level in the LDAP tree when creating a new group.

Adding users to a newly created group takes you back to the user list, where you most probably would like to use the filter box to find users. Check the LDAP tree level, too.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

Machine Management with GOsa²

Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is usually "intern"). For a fuller description of the Debian Edu architecture see the architecture chapter of this manual.

Diskless workstations and thin clients work out-of-the-box in case of a combined main server.

Workstations with disks (including separate LTSP servers) have to be added with GOsa². Behind the scenes, both a machine specific Kerberos Principal (sort of account) and a related keytab file (containing a key used as password) are generated; the keytab file needs to be present on the workstation to be able to mount users' home directories. Once the added system has been rebooted, log into it as root and run /usr/share/debian-edu-config/tools/copy-host-keytab.

To create Principal and keytab file for a system already configured with GOsa², log in on the main server as root and run

/usr/share/debian-edu-config/tools/gosa-modify-host <hostname> <IP>

Please note: host keytab creation is possible for systems of type workstations, servers and terminals but not for those of type netdevices. See the Network clients HowTo chapter for NFS configuration options.

To add a machine, use the GOsa² main menu, systems, add. The name of the machine is expected to be a valid unqualified hostname, do not add the domain name here. You can use an IP address/hostname from the preconfigured address space Currently there are only two predefined fixed addresses: (tjener) and (gateway). The addresses from to (roughly or 4000 hosts) are reserved for DHCP and are assigned dynamically.

To assign a host with the MAC address 52:54:00:12:34:10 a static IP address in GOsa² you have to enter the MAC address, the hostname and the IP; alternatively you might click the Propose ip button which will show the first free fixed address in, most probably something like if you add the first machine this way. It may be better to first think about your network: for example you could use 10.0.0.x with x>10 and x<50 for servers, and x>100 for workstations. Don't forget to activate the just added system. With the exception of the main server all systems will then have a matching icon.

If the machines have booted as thin clients/diskless workstations or have been installed using any of the networked profiles, the sitesummary2ldapdhcp script can be used to automatically add machines to GOsa². For simple machines it will work out of the box, for machines with more than one mac address the actually used one has to be chosen, sitesummary2ldapdhcp -h shows usage information. Please note, that the IP addresses shown after usage of sitesummary2ldapdhcp belong to the dynamic IP range. These systems can then be modified to suit your network: rename each new system, activate DHCP and DNS, add it to netgroups (see screenshot below for recommended netgroups), reboot the system afterwards. The following screenshots show how this looks in practice:

root@tjener:~# sitesummary2ldapdhcp -a -i ether-22:11:33:44:55:ff
info: Create GOsa machine for am-2211334455ff.intern [] id ether-22:11:33:44:55:ff.
Enter password if you want to activate these changes, and ^c to abort.
Connecting to LDAP as cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
enter password: ********

GOsa² systems listing

Host details

Modify host

Add netgroup

A cronjob updating DNS runs every hour; su -c ldap2bind can be used to trigger the update manually.

Search and delete machines

Searching for and deleting machines is quite similar to searching for and deleting users, so that information is not repeated here.

Modify existing machines / Netgroup management

After adding a machine to the LDAP tree using GOsa², you can modify its properties using the search functionality and clicking on the machine name (as you would with users).

The format of these system entries is similar to the one you already know from modifying user entries, but the fields mean different things in this context.

For example, adding a machine to a NetGroup does not modify the file access or command execution permissions for that machine or the users logged in to that machine; instead it restricts the services that machine can use on your main server.

The default installation provides the NetGroups

  • all-hosts
  • cups-queue-autoflush-hosts
  • cups-queue-autoreenable-hosts
  • fsautoresize-hosts
  • ltsp-server-hosts
  • netblock-hosts
  • printer-hosts
  • server-hosts
  • shutdown-at-night-hosts
  • shutdown-at-night-wakeup-hosts-blacklist
  • workstation-hosts

Currently the NetGroup functionality is used for:

  • Resizing partitions (fsautoresize-hosts)

    • Debian Edu machines in this group will automatically resize LVM partitions that run out of space.
  • Shutdown machines at night (shutdown-at-night-hosts and shutdown-at-night-wakeup-hosts-blacklist)

    • Debian Edu machines in this group will automatically shut down at night to save energy.
  • Managing printers (cups-queue-autoflush-hosts and cups-queue-autoreenable-hosts)

    • Debian Edu machines in these groups will automatically flush all print queues every night, and re-enable any disabled print queue every hour.
  • Blocking Internet access (netblock-hosts)

    • Debian Edu machines in this group will be allowed to connect to machines only on the local network. Combined with web proxy restrictions this might be used during exams.

Printer Management

For centralized printer management point your web browser to https://www.intern:631. This is the normal CUPS management interface where you can add/delete/modify your printers and can clean up the printing queue. By default only the first user is allowed but this can be changed by adding users to the GOsa² printer-admins group.

Use printers attached to workstations

The package p910nd is installed by default on a system with the Workstation profile.

  • Edit /etc/default/p910nd like this (USB printer):

    • P910ND_OPTS="-f /dev/usb/lp0"
    • P910ND_START=1
  • Configure the printer using the web interface https://www.intern:631; choose network printer type AppSocket/HP JetDirect (for all printers regardless of brand or model) and set socket://<workstation ip>:9100 as connection URI.

Network printers

It is recommended to disable all self-advertising features in the used network printers. Instead, assign a fixed IP address with GOsa² and configure them as AppSocket/HP JetDirect network printers.

Clock synchronisation

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will be synchronised with an external source by default. This can cause machines to keep the external Internet connection open if it is created when used.

/!\ If you use dialup or ISDN and pay per minute, you want to change this default setting.

To disable synchronisation with an external clock, the file /etc/ntp.conf on the main server needs to be modified. Add comment ("#") marks in front of the server entries. After this, the NTP server needs to be restarted by running service ntp restart as root. To test if a machine is using the external clock sources, run ntpq -c lpeer.

Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.



Updating the software

This section explains how to use apt full-upgrade.

Using apt is really simply. To update a system you need to execute two commands on the command line as root: apt update (which updates the lists of available packages) and apt full-upgrade (which upgrades the packages for which an upgrade is available).

It is also a good idea to upgrade using the C locale to get English output which in cases of problems is more likely to produce results in search engines.

LC_ALL=C apt full-upgrade -y

After upgrading the debian-edu-config package, changed Cfengine configuration files might be available. Run ls -ltr /etc/cfengine3/debian-edu/ to check if this is the case. To apply the changes, run LC_ALL=C cf-agent -D installation.

It is important to run debian-edu-ltsp-install --diskless_workstation yes after LTSP server upgrades to keep the SquashFS image for diskless clients in sync.

After a point release upgrade of a system with Main Server or LTSP Server profile, debian-edu-pxeinstall needs to be run to update the PXE installation environment.

It is also a good idea to install cron-apt and apt-listchanges and configure them to send mail to an address you are reading.

cron-apt will notify you once a day via email about any packages that can be upgraded. It does not install these upgrades, but does download them (usually in the night), so you don't have to wait for the download when you do apt full-upgrade.

Automatic installation of updates can be done easily if desired, it just needs the unattended-upgrades package to be installed and configured as described on

apt-listchanges can send new changelog entries to you via email, or alternatively display them in the terminal when running apt.

Keep yourself informed about security updates

Running cron-apt as described above is a good way to learn when security updates are available for installed packages. Another way to stay informed about security updates is to subscribe to the Debian security-announce mailinglist, which has the benefit of also telling you what the security update is about. The downside (compared to cron-apt) is that it also includes information about updates for packages which aren't installed.

Backup Management

For backup management point your browser to https://www/slbackup-php. Please note that you need to access this site via SSL, since you have to enter the root password there. If you try to access this site without using SSL it will fail.
/!\ Note: the site will only work if you temporarily allow SSH root login on the backup server, which is the main server (tjener.intern) by default.

By default, backups of /skole/tjener/home0, /etc/, /root/.svk and LDAP are stored in the /skole/backup/ directory which is managed as separate partition by LVM. If you only want to have spare copies of things (in case you delete them) this setup should be fine for you.

/!\ Be aware that this backup scheme doesn't protect you from failing hard drives.

If you want to back up your data to an external server, a tape device or another hard drive you'll have to modify the existing configuration a bit.

If you want to restore a complete folder, your best option is to use the command-line:

$ sudo rdiff-backup -r <date>  \
   /skole/backup/tjener/skole/tjener/home0/user \

This will leave the content from /skole/tjener/home0/user for <date> in the folder /skole/tjener/home0/user_<date>

If you want to restore a single file, then you should be able to select the file (and the version) from the web interface, and download only that file.

If you want to get rid of older backups, choose "Maintenance" in the menu on the backup page and select the oldest snapshot to keep:

slbackup-php Maintenance

Server Monitoring


The Munin trend reporting system is available from https://www/munin/. It provides system status measurement graphs on a daily, weekly, monthly and yearly basis, and provides the system administrator with help when looking for bottlenecks and the source of system problems.

The list of machines being monitored using Munin is generated automatically, based on the list of hosts reporting to sitesummary. All hosts with the package munin-node installed are registered for Munin monitoring. It will normally take one day from a machine being installed until Munin monitoring starts, because of the order the cron jobs are executed. To speed up the process, run sitesummary-update-munin as root on the sitesummary server (normally the main server). This will update the /etc/munin/munin.conf file.

The set of measurements being collected is automatically generated on each machine using the munin-node-configure program which probes the plugins available from /usr/share/munin/plugins/ and symlinks the relevant ones to /etc/munin/plugins/.

Information about Munin is available from


Icinga system and service monitoring is available from https://www/icingaweb2/. The set of machines and services being monitored is automatically generated using information collected by the sitesummary system. The machines with the profile Main-server and LTSP-server receive full monitoring, while workstations and thin clients receive simple monitoring. To enable full monitoring on a workstation, install the nagios-nrpe-server package on the workstation.

By default Icinga does not send email. This can be changed by replacing notify-by-nothing with host-notify-by-email and notify-by-email in the file /etc/icinga/sitesummary-template-contacts.cfg.

The Icinga configuration file used is /etc/icinga/sitesummary.cfg. The sitesummary cron job generates /var/lib/sitesummary/icinga-generated.cfg with the list of hosts and services to monitor.

Extra Icinga checks can be put in the file /var/lib/sitesummary/ to get them included in the generated file.

Information about Icinga is available from or in the icinga-doc package.

Common Icinga warnings and how to handle them

Here are instructions on how to handle the most common Icinga warnings.

DISK CRITICAL - free space: /usr 309 MB (5% inode=47%):

The partition (/usr/ in the example) is too full. There are in general two ways to handle this: (1) remove some files or (2) increase the size of the partition. If the partition is /var/, purging the APT cache by calling apt clean might remove some files. If there is more room available in the LVM volume group, running the program debian-edu-fsautoresize to extend the partitions might help. To run this program automatically every hour, the host in question can be added to the fsautoresize-hosts netgroup.

APT CRITICAL: 13 packages available for upgrade (13 critical updates).

New package are available for upgrades. The critical ones are normally security fixes. To upgrade, run apt upgrade && apt full-upgrade as root in a terminal or log in via SSH to do the same.

If you do not want to manually upgrade packages and trust Debian to do a good job with new versions, you can configure unattended-upgrades to automatically upgrade all new packages every night. This will not upgrade the LTSP chroots.

WARNING - Reboot required : running kernel = 2.6.32-37.81.0, installed kernel = 2.6.32-38.83.0

The running kernel is older than the newest installed kernel, and a reboot is required to activate the newest installed kernel. This is normally fairly urgent, as new kernels normally show up in Debian Edu to fix security issues.

WARNING: CUPS queue size - 61

The printer queues in CUPS have a lot of jobs pending. This is most likely because of a unavailable printer. Disabled print queues are enabled every hour on hosts that are member of the cups-queue-autoreenable-hosts netgroup, so for such hosts no manual action should be required. The print queues are emptied every night on hosts that are member of the cups-queue-autoflush-hosts netgroup. If a host have a lot of jobs in their queue, consider adding this host to one or both of these netgroups.


Sitesummary is used to collect information from each computer and submit it to the central server. The information collected is available in /var/lib/sitesummary/entries/. Scripts in /usr/lib/sitesummary/ are available to generate reports.

A simple report from Sitesummary without any details is available from https://www/sitesummary/.

Some documentation on Sitesummary is available from

More information about Debian Edu customisations

More information about Debian Edu customisations useful for system administrators can be found in the Administration Howto chapter and in the Advanced administration Howto chapter



/!\ Before reading this upgrade guide, please note that live updates to your production servers are carried out at your own risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Please read this chapter and the New features in Bookworm chapter of this manual completely before attempting to upgrade.

General notes on upgrading

Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunately a bit more complicated as we modify configuration files in ways we shouldn't. However we have documented the needed steps below. (See Debian bug 311188 for more information how Debian Edu should modify configuration files.)

In general, upgrading the servers is more difficult than the workstations and the main server is the most difficult to upgrade.

If you want to be sure that after the upgrade everything works as before, you should test the upgrade on a test system or systems configured the same way as your production machines. There you can test the upgrade without risk and see if everything works as it should.

Make sure to also read the information about the current Debian Stable release in its installation manual.

It may also be wise to wait a bit and keep running Oldstable for a few weeks longer, so that others can test the upgrade and document any problems they experience. The Oldstable release of Debian Edu will receive continued support for some time after the next Stable release, but when Debian ceases support for Oldstable, Debian Edu will necessarily do the same.

Upgrades from Debian Edu Bullseye

/!\ Be prepared: make sure you have tested the upgrade from Bullseye in a test environment or have backups ready to be able to go back.

Please note that the following recipe applies to a default Debian Edu main server installation (desktop=xfce, profiles Main Server, Workstation, LTSP Server). (For a general overview concerning Bullseye to Bookworm upgrade, see:

Don't use X, use a virtual console, log in as root.

If apt finishes with an error, try to fix it and/or run apt -f install and then apt -y full-upgrade once again.

Upgrading the main server

  • Start by making sure the current system is up-to-date:

apt update
apt full-upgrade
  • Prepare and start the upgrade to Bookworm:

sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
export LC_ALL=C
apt update
apt upgrade --without-new-pkgs
apt full-upgrade
  • apt-list-changes: be prepared for a lot of NEWS to read; press <return> to scroll down, <q> to leave the pager. All information will be mailed to root so that you can read it again (using mailx or mutt).

  • Read all debconf information carefully, choose 'keep the local version currently installed' unless stated differently below; in most cases hitting return will be fine.
    • restart services: Choose yes.
    • Samba server and utilities: Choose 'keep the local version currently installed'.
    • openssh-server: Choose 'keep the local version currently installed'.
  • Apply and adjust configuration:

cf-agent -v -D installation
  • Check if the upgraded system works:

Reboot; log in as first user and test

  • if the GOsa² gui is working,
  • if one is able to connect LTSP clients and workstations,
  • if one can add/remove a netgroup membership of a system,
  • if one can send and receive internal email,
  • if one can manage printers,
  • and if other site specific things are working.

Upgrading a workstation

Do all the basic things like on the main server and without doing the things not needed.

Upgrades from older Debian Edu / Skolelinux installations (before Bullseye)

To upgrade from any older release, you will need to upgrade to the Bullseye based Debian Edu release first, before you can follow the instructions provided above. Instructions are given in the Manual for Debian Edu Bullseye about how to upgrade to Bullseye from the previous release, Buster.




HowTos for general administration

The Getting Started and Maintenance chapters describe how to get started with Debian Edu and how to do the basic maintenance work. The howtos in this chapter have some more "advanced" tips and tricks.

Configuration history: tracking /etc/ using the Git version control system

Using etckeeper, all files in /etc/ are tracked using Git as a version control system.

This makes it possible to see when a file is added, changed and removed, as well as what was changed if the file is a text file. The git repository is stored in /etc/.git/.

Every hour, any changes are automatically recorded, allowing configuration history to be extracted and reviewed.

To look at the history, the command etckeeper vcs log is used. To check the differences between two points in time, a command like etckeeper vcs diff  can be used.

See the output of man etckeeper for more information.

List of useful commands:

etckeeper vcs log
etckeeper vcs status
etckeeper vcs diff
etckeeper vcs add .
etckeeper vcs commit -a
man etckeeper

Usage examples

On a freshly installed system, try this to see all changes done since the system was installed:

etckeeper vcs log

See which files are currently not tracked and which are not up-to-date:

etckeeper vcs status

To manually commit a file, because you don't want to wait up to an hour:

etckeeper vcs commit -a /etc/resolv.conf

Resizing Partitions

In Debian Edu, all partitions other than the /boot/ partition are on logical LVM volumes. With Linux kernels since version 2.6.10, it is possible to extend partitions while they are mounted. Shrinking partitions still needs to happen while the partition is unmounted.

It is a good idea to avoid creating very large partitions (over, say, 20GiB), because of the time it takes to run fsck on them or to restore them from backup if the need arises. It is better, if possible, to create several smaller partitions than one very large one.

The helper script debian-edu-fsautoresize is provided to make it easier to extend full partitions. When invoked, it reads the configuration from /usr/share/debian-edu-config/fsautoresizetab, /site/etc/fsautoresizetab and /etc/fsautoresizetab. It then proposes to extend partitions with too little free space, according to the rules provided in these files. If run with no arguments, it will only show the commands needed to extend the file system. The argument -n is needed to actually execute these commands to extend the file systems.

The script is executed automatically every hour on every client listed in the fsautoresize-hosts netgroup.

When the partition used by the Squid proxy is resized, the value for cache size in etc/squid/squid.conf needs to be updated as well. The helper script /usr/share/debian-edu-config/tools/squid-update-cachedir is provided to do this automatically, checking the current partition size of /var/spool/squid/ and configuring Squid to use 80% of this as its cache size.

Logical Volume Management

Logical Volume Management (LVM) enables resizing the partitions while they are mounted and in use. You can learn more about LVM from the LVM HowTo.

To extend a logical volume manually you simply tell the lvextend command how large you want it to grow to. For example, to extend home0 to 30GiB you use the following commands:

lvextend -L30G /dev/vg_system/skole+tjener+home0
resize2fs /dev/vg_system/skole+tjener+home0

To extend home0 by additional 30GiB, you insert a '+' (-L+30G).

Using ldapvi

ldapvi is a tool to edit the LDAP database with a normal text editor on the commandline.

The following needs to be executed:

ldapvi -ZD '(cn=admin)'

Note: ldapvi will use whatever is the default editor. By executing export EDITOR=vim in the shell prompt one can configure the environment to get a vi clone as editor.

/!\ Warning: ldapvi is a very powerful tool. Be careful and don't mess up the LDAP database, same warning applies for JXplorer.

Kerberized NFS

Using Kerberos for NFS to mount home directories is a security feature. Workstations and LTSP clients won't work without Kerberos. The levels krb5, krb5i and krb5p are supported (krb5 means Kerberos authentication, i stands for integrity check and p for privacy, i.e. encryption); the load on both server and workstation increases with the security level, krb5i is a good choice and has been chosen as default.

How to change the default

Main server

  • login as root
  • run ldapvi -ZD '(cn=admin)', search for sec=krb5i and replace it with sec=krb5 or sec=krb5p.

  • edit /etc/exports.d/edu.exports and adjust these entries accordingly:

/srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/home0  gss/krb5i(rw,sync,no_subtree_check)
  • run exportfs -r.


This tool allows to set the default printer depending on location, machine, or group membership. For more information, see /usr/share/doc/standardskriver/

The configuration file /etc/standardskriver.cfg has to be provided by the admin, see /usr/share/doc/standardskriver/examples/standardskriver.cfg as an example.

JXplorer, an LDAP GUI

If you prefer a GUI to work with the LDAP database, check out the jxplorer package, which is installed by default. To get write access connect like this:

host: ldap.intern
port: 636
Security level: ssl + user + password
User dn: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no

ldap-createuser-krb5, a command-line tool for adding users

ldap-createuser-krb is a small command line tool to create user accounts, it is invoked as follows:

ldap-createuser-krb5 [-u uid] [-g gid] [-G group[,group]...] [-d department] <username> <gecos>

All arguments except the username and GECOS field are optional, the latter usually should contain the full name of the user. Unless specified the tool will pick the next free UID and GID automatically and not assign any additional groups to the user. If no department is given, it will pick the first gosaDepartment from LDAP which is likely skole and for regular users usually not what you want, so you should pick an appropriate value for the user, e.g. Teachers or Students. After entering and confirming the password and entering the LDAP administrator password, ldap-createuser-krb5 will create the user account in LDAP, set the Kerberos password, create the home directory, and add a corresponding Samba user. The following screenshot shows an example invocation to create a user account named harhir for a teacher whose full name is "Harry Hirsch":

root@tjener:~# ldap-createuser-krb5 -d Teachers harhir "Harry Hirsch"
new user password: 
confirm password: 

dn: uid=harhir,ou=people,ou=Teachers,dc=skole,dc=skolelinux,dc=no
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
sn: Harry Hirsch
givenName: Harry Hirsch
uid: harhir
cn: Harry Hirsch
userPassword: {CRYPT}$y$j9T$TWnq55O1rvyLhjF.$oVf.t.RXC1v/4Y8FhV0umno629mo7bP7/YJyig6HET6
homeDirectory: /skole/tjener/home0/harhir
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1004
gecos: Harry Hirsch
shadowLastChange: 19641
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,dc=no
krbPrincipalName: harhir@INTERN

ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
add objectClass:
add sn:
        Harry Hirsch
add givenName:
        Harry Hirsch
add uid:
add cn:
        Harry Hirsch
add userPassword:
add homeDirectory:
add loginShell:
add uidNumber:
add gidNumber:
add gecos:
        Harry Hirsch
add shadowLastChange:
add shadowMin:
add shadowMax:
add shadowWarning:
add krbPwdPolicyReference:
add krbPrincipalName:
adding new entry "uid=harhir,ou=people,ou=Teachers,dc=skole,dc=skolelinux,dc=no"
modify complete

Authenticating as principal root/admin@INTERN with password.
kadmin.local:  change_password harhir@INTERN
Enter password for principal "harhir@INTERN": 
Re-enter password for principal "harhir@INTERN": 
Password for "harhir@INTERN" changed.
kadmin.local:  lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
Added user harhir.

Using stable-updates

While you can use stable-updates directly, you don't have to: stable-updates are pushed into the stable suite regularly when stable point releases are done, which roughly happens every two months.

Using backports to install newer software

You are running Debian Edu because you prefer the stability of Debian Edu. It runs great; there is just one problem: sometimes software is a little bit more outdated than you like. This is where steps in.

Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu. We recommend you to pick out individual backports which fit your needs, and not to use all backports available there.

Using backports is simple:

echo "deb bookworm-backports main" > /etc/apt/sources.list.d/bookworm-backports.sources.list
apt update

After which one can install backported packages easily, the following command will install a backported version of tuxtype:

apt install tuxtype/bookworm-backports

Backports are automatically updated (if available) just like other packages. Like the normal archive, backports has three sections: main, contrib and non-free.

Upgrading with a CD or similar image

If you want to upgrade from one version to another (for example from Bookworm 12.1 to 12.2) but you do not have Internet connectivity, only physical media, follow these steps:

Insert the CD / DVD / Blu-ray disc / USB flash drive and use the apt-cdrom command:

apt-cdrom add

To quote the apt-cdrom(8) man page:

  • apt-cdrom is used to add a new CD-ROM to APTs list of available sources. apt-cdrom takes care of determining the structure of the disc as well as correcting for several possible mis-burns and verifying the index files.
  • It is necessary to use apt-cdrom to add CDs to the APT system, it cannot be done by hand. Furthermore each disk in a multi-CD set must be inserted and scanned separately to account for possible mis-burns.

Then run these two commands to upgrade the system:

apt update
apt full-upgrade

Automatic cleanup of leftover processes

killer is a perl script that gets rid of background jobs. Background jobs are defined as processes that belong to users who are not currently logged into the machine. It's run by cron job once an hour.

Automatic installation of security upgrades

unattended-upgrades is a Debian package which will install security (and other) upgrades automatically. If installed, the package is preconfigured to install security upgrades. The logs are available in /var/log/unattended-upgrades/; also, there are always /var/log/dpkg.log and /var/log/apt/.

Automatic shutdown of machines during the night

It is possible to save energy and money by automatically turning client machines off at night and back on in the morning. The package shutdown-at-night will try to turn off the machine every hour on the hour from 16:00 in the afternoon, but will not turn it off if it seems to have users. It will try to tell the BIOS to turn on the machine around 07:00 in the morning, and the main server will try to turn on machines from 06:30 by sending Wake-on-LAN packets. These times can be changed in the crontabs of individual machines.

Some considerations should be kept in mind when setting this up:

  • The clients should not be shut down when someone is using them. This is ensured by checking the output from who, and as a special case, checking for the SSH connection command to work with X2Go thin clients.

  • To avoid blowing electrical fuses, it is a good idea to make sure all clients do not start at the same time.
  • There are two different methods available to wake up clients. One uses a BIOS feature and requires a working and correct hardware clock, as well as a motherboard and BIOS version supported by nvram-wakeup; the other requires clients to have support for Wake-on-LAN, and the server to know about all the clients that need to be woken up.

How to set up shutdown-at-night

On clients that should turn off at night, touch /etc/shutdown-at-night/shutdown-at-night, or add the hostname (that is, the output from 'uname -n' on the client) to the netgroup "shutdown-at-night-hosts". Adding hosts to the netgroup in LDAP can be done using the GOsa² web tool. The clients might need to have Wake-on-LAN configured in the BIOS. It is also important that the switches and routers used between the Wake-on-LAN server and the clients will pass the WOL packets to the clients even if the clients are turned off. Some switches fail to pass on packets to clients that are missing in the ARP table on the switch, and this blocks the WOL packets.

To enable Wake-on-LAN on the server, add the clients to /etc/shutdown-at-night/clients, with one line per client, IP address first, followed by MAC address (ethernet address), separated by a space; or create a script /etc/shutdown-at-night/clients-generator to generate the list of clients on the fly.

Here is an example /etc/shutdown-at-night/clients-generator for use with sitesummary:

  export PATH
  sitesummary-nodes -w

An alternative if the netgroup is used to activate shutdown-at-night on clients is this script using the netgroup tool from the ng-utils package:

  export PATH
  netgroup -h shutdown-at-night-hosts

Access Debian Edu servers located behind a firewall

To access machines behind a firewall from the Internet, consider installing the package autossh. It can be used to set up an SSH tunnel to a machine on the Internet that you have access to. From that machine, you can access the server behind the firewall via the SSH tunnel.

Installing additional service machines for spreading the load from the main server

In the default installation, all services are running on the main server, hostname tjener. To simplify moving some to another machine, there is a minimal installation profile available. Installing with this profile will lead to a machine, which is part of the Debian Edu network, but which doesn't have any services running (yet).

These are the required steps to setup a machine dedicated to some services:

  • choose the Minimal profile during installation

  • install the packages for the service
  • configure the service
  • disable the service on the main server
  • update DNS (via LDAP/GOsa²) on the main server

HowTos from

FIXME: The HowTos from are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)


Advanced administration howto

In this chapter advanced administration tasks are described.

User Customisations with GOsa²

Create Users in Year Groups

In this example we want to create users in year groups, with common home directories for each group (home0/2024, home0/2026, etc). We want to create the users by csv import.

(as root on the main server)

  • Make the necessary year group directories

mkdir /skole/tjener/home0/2024

(as first user in Gosa)

  • Department

Main menu: goto 'Directory structure', click the 'Students' department. The 'Base' field should show '/Students'. From the drop box 'Actions' choose 'Create'/'Department'. Fill in values for Name (2024) and Description fields (students graduating in 2024), leave the Base field as is (should be '/Students'). Save it clicking 'Ok'. Now the new department (2024) should show up below /Students. Click it.

  • Group

Choose 'Groups' from the main menu; 'Actions'/Create/Group. Enter group name (leave 'Base' as is, should be /Students/2024) and 'Ok' to save it.

  • Template

Choose 'users' from the main menu. Change to 'Students' in the Base field. An Entry NewStudent should show up, click it. This is the 'students' template, not a real user. As you'll have to create such a template (to be able to use csv import for your structure) based on this one, notice all entries showing up in the Generic and POSIX tabs, maybe take screenshots to have information ready for the new template.

Now change to /Students/2024 in the Base field; choose Create/Template and start to fill in your desired values, first the Generic tab (add your new 2024 group under Group Membership, too), then add the POSIX account.

  • Import users

Choose your new template when doing csv import; testing it with a few users is recommended.

Other User Customisations

Creating folders in the home directories of all users

With this script the administrator can create a folder in each user's home directory and set access permissions and ownership.

In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.

 for home in $(ls $home_path); do
    if [ ! -d "$home_path/$home/$shared_folder" ]; then
        mkdir $home_path/$home/$shared_folder
        chmod $permissions $home_path/$home/$shared_folder
        chown $user:$group $home_path/$home/$shared_folder
        echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
 echo "$created_dir folders have been created"

Use a dedicated storage server

Take these steps to set up a dedicated storage server for user home directories and possibly other data.

  • Add a new system of type server using GOsa² as outlined in the Getting started chapter of this manual.

    • This example uses 'nas-server.intern' as the server name. Once 'nas-server.intern' is configured, check if the NFS export points on the new storage server are exported to the relevant subnets or machines:
          root@tjener:~# showmount -e nas-server
          Export list for nas-server:
      Here everything on the backbone network is granted access to the /storage export. (This could be restricted to netgroup membership or single IP addresses to limit NFS access like it is done in the tjener:/etc/exports file.)
  • Add automount information about 'nas-server.intern' in LDAP to allow all clients to automatically mount the new export on request.
    • This can't be done using GOsa², because a module for automount is missing. Instead, use ldapvi and add the required LDAP objects using an editor.

      ldapvi --ldap-conf -ZD '(cn=admin)' -b ou=automount,dc=skole,dc=skolelinux,dc=no

      When the editor shows up, add the following LDAP objects at the bottom of the document. (The "/&" part in the last LDAP object is a wild card matching everything 'nas-server.intern' exports, removing the need to list individual mount points in LDAP.)

          add cn=nas-server,ou=auto.skole,ou=automount,dc=skole,dc=skolelinux,dc=no
          objectClass: automount
          cn: nas-server
          automountInformation: -fstype=autofs --timeout=60 ldap:ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
          add ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
          objectClass: top
          objectClass: automountMap
          ou: auto.nas-server
          add cn=/,ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
          objectClass: automount
          cn: /
          automountInformation: -fstype=nfs,tcp,rsize=32768,wsize=32768,rw,intr,hard,nodev,nosuid,noatime nas-server.intern:/&
  • Add the relevant entries in tjener.intern:/etc/fstab, because tjener.intern does not use automount to avoid mounting loops:
    • Create the mount point directories using mkdir, edit '/etc/fstab' as adequate and run mount -a to mount the new resources.

Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP thin client or LTSP server.

Restrict SSH login access

There are several ways to restrict SSH login, some are listed here.

Setup without LTSP clients

If no LTSP clients are used a simple solution is to create a new group (say sshusers) and to add a line to the machine's /etc/ssh/sshd_config file. Only members of the sshusers group will then be allowed to ssh into the machine from everywhere.

Managing this case with GOsa is quite simple:

  • Create a group sshusers on the base level (where already other system management related groups like gosa-admins show up).

  • Add users to the new group sshusers.

  • Add AllowGroups sshusers to /etc/ssh/sshd_config.

  • Execute service ssh restart.

Setup with LTSP clients

The default LTSP diskless client setup doesn't use SSH connections. Update the SquashFS image on the related LTSP server after the SSH setup has been changed is enough.

X2Go thin clients are using SSH connections to the related LTSP server. So a different approach using PAM is needed.

  • Enable in the LTSP server's /etc/pam.d/sshd file.
  • Configure /etc/security/access.conf to allow connections for (sample) users alice, jane, bob and john from everywhere and for all other users only from the internal networks by adding these lines:

+ : alice jane bob john : ALL
+ : ALL :
- : ALL : ALL

If only dedicated LTSP servers are used, the network could be dropped to disable internal SSH login access. Note: someone connecting his box to the dedicated LTSP client network(s) will gain SSH access to the LTSP server(s) as well.

A note for more complex setups

If X2Go clients were attached to the backbone network, things would be even more complicated and maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with appropriate PAM configuration would allow to disable internal SSH login.


HowTos for the desktop

Set up a multi-language desktop environment

To support multiple languages these steps need to be done:

  • Run dpkg-reconfigure locales (as root) and choose the languages (UTF-8 variants).

  • Run these commands as root to install the related packages:
    •    apt update

Users will then be able to choose the language via the LightDM display manager before logging in; this applies to Xfce, LXDE and LXQt. GNOME and KDE both come with their own internal region and language configuration tools, use these. MATE uses the Arctica greeter on top of LightDM whithout a language chooser. Run apt purge arctica-greeter to get the stock LightDM greeter.

Playing DVDs

libdvdcss is needed for playing most commercial DVDs. For legal reasons it's not included in Debian (Edu). If you are legally allowed to use it, you can build your own local packages using the libdvd-pkg Debian package; make sure contrib is enabled in /etc/apt/sources.list.

apt update
apt install libdvd-pkg

Answer the debconf questions, then run dpkg-reconfigure libdvd-pkg.

Handwriting fonts

The package fonts-linex (which is installed by default) installs the font "Abecedario" which is a nice handwriting font for kids. The font has several forms to be used with kids: dotted, and with lines.


HowTos for networked clients

Introduction to thin clients and diskless workstations

One generic term for both thin clients and diskless workstations is LTSP client.

(!) Starting with Bullseye, LTSP is quite different from the previous versions. This concerns both setup and maintenance.

  • As one main difference, the SquashFS image for diskless workstations is now generated from the LTSP server file system by default. This happens on a combined server at first boot, taking some time.
  • Thin clients are no longer part of LTSP. Debian Edu uses X2Go to still support thin client usage.

  • In case of a separate or an additional LTSP server, required information for setting up the LTSP client environment isn't complete at installation time. Setup can be done once the system has been added with GOsa².

For information about LTSP in general, see the LTSP homepage. On systems with LTSP server profile, man ltsp provides more information.

Please note that the ltsp tool from LTSP has to be used carefully. For example, ltsp image / would fail to generate the SquashFS image in case of Debian machines (these have a separate /boot partition by default), ltsp ipxe would fail to generate the iPXE menu correctly (due to Debian Edu's thin client support), and ltsp initrd would mess up LTSP client boot completely.

The debian-edu-ltsp-install tool is a wrapper script for ltsp image, ltsp initrd and ltsp ipxe. It is used to setup and configure diskless workstation and thin client support (both 64-Bit and 32-Bit PC). See man debian-edu-ltsp-install or the script content to see how it works. All configuration is contained in the script itself (HERE documents) to facilitate site specific adjustments.

Examples how to use the wrapper script debian-edu-ltsp-install:

  • debian-edu-ltsp-install --diskless_workstation yes updates the diskless workstation SquashFS image (server filesystem).

  • debian-edu-ltsp-install --diskless_workstation yes --thin_type bare creates diskless workstation and 64-bit thin client support.

  • debian-edu-ltsp-install --arch i386 --thin_type bare creates additional 32-bit thin client support (chroot and SquashFS image).

Besides bare (smallest thin client system), also display and desktop are available options. The display type offers a shutdown button, the desktop type runs Firefox ESR in kiosk mode on the client itself (more local RAM and CPU power required, but server load reduced).

The debian-edu-ltsp-ipxe tool is a wrapper script for ltsp ipxe. It makes sure that the /srv/tftp/ltsp/ltsp.ipxe file is Debian Edu specific. The command needs to be run after iPXE menu related items (like menu timeout or default boot settings) in the /etc/ltsp/ltsp.conf [server] section have been modified.

The debian-edu-ltsp-initrd tool is a wrapper script for ltsp initrd. It makes sure that a use case specific initrd (/srv/tftp/ltsp/ltsp.img) is generated and then moved to the use case related directory. The command needs to be run after the /etc/ltsp/ltsp.conf [clients] section has been modified.

The debian-edu-ltsp-chroot tool is a replacement for the ltsp-chroot tool shipped with LTSP5. It is used to execute commands in a specified LTSP chroot (like e.g. install, upgrade and remove packages).

Diskless workstation

A diskless workstation runs all software locally. The client machines boot directly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but runs on the diskless workstations. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing older (but powerful) hardware with the same low maintenance costs as with thin clients.

Unlike workstations diskless workstations run without any need to add them with GOsa².

Thin client

A thin client setup enables an ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots via PXE without using a local client hard drive and that the LTSP server needs to be a powerful machine.

Debian Edu still supports the use of thin clients to enable the use of very old hardware.

(!) Since Thin clients use X2Go, users should disable compositing to avoid display artefacts. In the default case (Xfce desktop environment): Settings -> Window Manager Tweaks -> Compositor.

LTSP client firmware

LTSP client boot will fail if the client's network interface requires a non-free firmware. A PXE installation can be used for troubleshooting problems with netbooting a machine; if the Debian Installer complains about a missing XXX.bin file then non-free firmware has to be added to the LTSP server's initrd.

Proceed like this on the LTSP server:

  • First get information about firmware packages, run:

apt update && apt search ^firmware-
  • Decide which package has to be installed for the network interface(s), most probably this will be firmware-linux, run:

apt -y -q install firmware-linux
  • Update the SquashFS image for diskless workstations, run:

debian-edu-ltsp-install --diskless_workstation yes
  • In case X2Go thin clients are used, run:

/usr/share/debian-edu-config/tools/ltsp-addfirmware -h
  • and proceed according to the usage information.

    Then update the SquashFS image; e.g. for the /srv/ltsp/x2go-bare-amd64 chroot, run:

ltsp image x2go-bare-amd64

LTSP client type selection

Each LTSP server has two ethernet interfaces: one configured in the main subnet (which is shared with the main server), and another forming a local subnet (a separate subnet for each LTSP server).

In both cases diskless workstation or thin client can be chosen from the iPXE menu. After waiting for 5 seconds, the machine will boot as diskless workstation.

The default iPXE boot menu item and it's default timeout can both be configured in /etc/ltsp/ltsp.conf. A timeout value of -1 is used to hide the menu. Run debian-edu-ltsp-ipxe for the changes to take effect.

Use a different LTSP client network is the default LTSP client network if a machine is installed using the LTSP profile. If lots of LTSP clients are used or if different LTSP servers should serve both i386 and amd64 chroot environments the second preconfigured network could be used as well. Edit the file /etc/network/interfaces and adjust the eth1 settings accordingly. Use ldapvi or any other LDAP editor to inspect DNS and DHCP configuration.

Add LTSP chroot to support 32-bit-PC clients

To create chroot and SquashFS image, run:

debian-edu-ltsp-install --arch i386 --thin_type bare

See man debian-edu-ltsp-install for details about thin client types.

LTSP client configuration

Run man ltsp.conf to have a look at available configuration options. Or read it online:

Add configuration items to the /etc/ltsp/ltsp.conf [clients] section. For the changes to take effect, run:


Sound with LTSP clients

LTSP thin clients use networked audio to pass audio from the server to the clients.

LTSP diskless workstations handle audio locally.

Access to USB drives and CD-ROMs/DVDs

When users insert a USB drive or DVD / CD-ROM into a Diskless Workstation, a corresponding icon appears on the desktop, allowing access to the content as on a workstation.

When users insert a USB drive into an X2Go thin client of type bare (default combined server installation), the media is mounted as soon as the existing folder icon on the Xfce desktop is double-clicked. Depending on the media content it might take some time until the content shows up in the file manager.

A warning about removable media on LTSP servers

When inserted into an LTSP server, USB drives and other removable media cause the related folder icon to appear on LTSP thin client desktops. Remote users can access the files.

Use printers attached to LTSP clients

  • Attach the printer to the LTSP client machine (both USB and parallel port are supported).
  • Configure the LTSP client with GOsa² to use a fixed IP address.
  • Configure the printer using the web interface https://www.intern:631 on the main server; choose network printer type AppSocket/HP JetDirect (for all printers regardless of brand or model) and set socket://<LTSP client ip>:9100 as connection URI.

Modifying the PXE setup

PXE stands for Preboot eXecution Environment. Debian Edu now uses the iPXE implementation for easier LTSP integration.

Configuring the PXE menu

The iPXE menu item concerning system installations is generated using the script debian-edu-pxeinstall. It allows some settings to be overridden using the file /etc/debian-edu/pxeinstall.conf with replacement values.

Configuring the PXE installation

The PXE installation will inherit the language, keyboard layout and mirror settings from the settings used when installing the main server, and the other questions will be asked during installation (profile, popcon participation, partitioning and root password). To avoid these questions, the file /etc/debian-edu/www/debian-edu-install.dat can be modified to provide preselected answers to debconf values. Some examples of available debconf values are already commented in /etc/debian-edu/www/debian-edu-install.dat. Your changes will be lost as soon as debian-edu-pxeinstall is used to recreate the PXE-installation environment. To append debconf values to /etc/debian-edu/www/debian-edu-install.dat during recreation with debian-edu-pxeinstall, add the file /etc/debian-edu/www/debian-edu-install.dat.local with your additional debconf values.

More information about modifying PXE installations can be found in the Installation chapter.

Adding a custom repository for PXE installations

For adding a custom repository add something like this to /etc/debian-edu/www/debian-edu-install.dat.local:

d-i     apt-setup/local1/repository string stable main contrib non-free
d-i     apt-setup/local1/comment string         Example Software Repository
d-i     apt-setup/local1/source boolean         true
d-i     apt-setup/local1/key    string

and then run /usr/sbin/debian-edu-pxeinstall once.

Changing network settings

The debian-edu-config package comes with a tool which helps in changing the network from to something else. Have a look at /usr/share/debian-edu-config/tools/subnet-change. It is intended for use just after installation on the main server, to update LDAP and other files that need to be edited to change the subnet.

/!\ Note that changing to one of the subnets already used elsewhere in Debian Edu will not work. and are already set up as LTSP client networks. Changing to these subnets will require manual editing of configuration files to remove duplicate entries.

There is no easy way to change the DNS domain name. Changing it would require changes to both the LDAP structure and several files in the main server file system. There is also no easy way to change the host and DNS name of the main server (tjener.intern). To do so would also require changes to LDAP and files in the main server and client file system. In both cases the Kerberos setup would have to be changed, too.

Remote Desktop

Choosing the LTSP server profile or the combined server profile also installs the xrdp and x2goserver packages.


Xrdp uses the Remote Desktop Protocol to present a graphical login to a remote client. Microsoft Windows users can connect to the LTSP server running xrdp without installing additional software - they simply start a Remote Desktop Connection on their Windows machine and connect.

Additionally, xrdp can connect to a VNC server or another RDP server.

Xrdp comes without sound support; to compile (or re-compile) the required modules this script could be used. Please note: The caller needs to be root or a member of the sudo group. Also, /etc/apt/sources.list must contain a valid deb-src line.

 set -e
  if [[ $UID -ne 0 ]] ; then  
     if ! groups | egrep -q sudo ; then
         echo "ERROR: You need to be root or a sudo group member."
         exit 1
 if ! egrep -q  ^deb-src /etc/apt/sources.list ; then
     echo "ERROR: Make sure /etc/apt/sources.list contains a deb-src line."
     exit 1
 TMP=$(mktemp -d)
 PULSE_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' pulseaudio)"
 XRDP_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' xrdp)"
 sudo apt -q update
 sudo apt -q install dpkg-dev
 cd $TMP
 apt -q source pulseaudio xrdp
 sudo apt -q build-dep pulseaudio xrdp
 cd $TMP/xrdp-$XRDP_UPSTREAM_VERSION/sesman/chansrv/pulse/
 sed -i 's/^PULSE/#PULSE/' Makefile
 sed -i "/#PULSE_DIR/a \
 sudo cp *.so /usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/
 sudo chmod 644 /usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/module-xrdp*
 sudo service xrdp restart


X2Go enables you to access a graphical desktop on the LTSP server over both low bandwidth and high bandwidth connections from a PC running Linux, Windows or macOS. Additional software is needed on the client side, see the X2Go wiki for more information.

Please note that the killer package should best be removed on the LTSP server if X2Go is used, see 890517.

Available Remote Desktop clients

  • freerdp-x11 is installed by default and is capable of RDP and VNC.

    • RDP - the easiest way to access Windows terminal server. An alternative client package is rdesktop.

    • VNC client (Virtual Network Computer) gives access to Skolelinux remotely. An alternative client package is xvncviewer.

  • x2goclient is a graphical client for the X2Go system (not installed by default). You can use it to connect to running sessions and start new ones.

Wireless clients

The freeRADIUS server could be used to provide secure network connections. For this to work, install the freeradius and winbind packages on the main server and run /usr/share/debian-edu-config/tools/setup-freeradius-server to generate a basic, site specific configuration. This way, both EAP-TTLS/PAP and PEAP-MSCHAPV2 methods are enabled. All configuration is contained in the script itself to facilitate site specific adjustments. See the freeRADIUS homepage for details.

Additional configuration is needed to

  • enable/disable access points via a shared secret (/etc/freeradius/3.0/clients.conf).

  • allow/deny wireless access using LDAP groups (/etc/freeradius/3.0/users).
  • combine access points into dedicated groups (/etc/freeradius/3.0/huntgroups)

(!) End user devices need to be configured properly, these devices need to be PIN protected for the use of EAP (802.1x) methods. Users should also be educated to install the freeradius CA certificate on their devices to be sure to connect to the right server. This way their password can't be catched in case of a malicious server. The site specific certificate is available on the internal network.

Please note that configuring end user devices will be a real challenge due to the variety of devices. For Windows devices an installer script could be created, for Apple devices a mobileconfig file. In both cases the freeRADIUS CA certificate can be integrated, but OS specific tools are needed to create the scripts.

Authorize Windows machine with Debian Edu credentials using pGina LDAP plugin

Adding pGina user in Debian Edu

To have an ability to use pGina (or any else 3rd party auth-service-application) you should have a special user account used in search inside of LDAP.

Add a special user, eg pguser with password pwd.777, on https://www/gosa website.

Install pGina fork

Download and install pGina as usual software. Take an attention that LDAP plugin persists in pGina plugin folder:

C:\Program Files\pGina.fork\Plugins\pGina.Plugin.Ldap.dll

Configure pGina

Considering to Debian Edu settings the connection to LDAP uses SSL by port 636.

So necessary settings in a pGina LDAP plugin are below
(these are stored in HKEY_LOCAL_MACHINE\SOFTWARE\pGina3.fork\Plugins\0f52390b-c781-43ae-bd62-553c77fa4cf7).

LDAP Plugin main section

  • LDAP Host(s): (or any else with "space" as a separator)

  • LDAP Port: 636 (for SSL connection)

  • Timeout: 10
  • Use SSL: YES (tick checkbox)

  • Start TLS: NO (don't tick checkbox)

  • Validate Server Certificate: NO (don't tick checkbox)

  • Search DN: uid=pguser,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no

    • ("pguser" is a user to authenticate in LDAP to search users in a login session)
  • Search Password: pwd.777 (this is the "pguser" password)

Authentication block

Bind Tab:

  • Allow Empty Passwords: NO

  • Search for DN: YES (tick checkbox)

  • Search Filter: (&(uid=%u)(objectClass=person))

Authorization block

  • Default: Allow

  • Deny when LDAP authentication fails: YES (tick checkbox)

  • Allow when server is unreachable: NO (don't tick checkbox, optional)

Plugin Selection

  • LDAP: Authentication [v], Authorization [v], Gateway[v], Change Password [_]
  • Local Machine: Authentication [v], Gateway [v] (tick only two checkboxes)

Plugin Order

  • Authentication: LDAP, Local Machine
  • Gateway: LDAP, Local Machine



Samba in Debian Edu

Samba is now configured as standalone server with modern SMB2/SMB3 support and usershares enabled, see /etc/samba/smb-debian-edu.conf on the main server. This way non-admin users are enabled to provide shares.

For site specific changes, copy /usr/share/debian-edu-config/ to the /etc/samba directory. The settings in will override those contained in smb-debian-edu.conf.

Please note:

  • By default, home directories are read only. This can be changed in /etc/samba/

  • Samba passwords are stored using smbpasswd and are updated in case a password is changed using GOsa².

  • To temporarily disable a user's Samba account, run smbpasswd -d <username>, smbpasswd -e <username> will re-enable it.

  • Running chown root:teachers /var/lib/samba/usershares on the main server will disable usershares for 'students'.

Accessing files via Samba

Connections to a user's home directory and to additional site specific shares (if configured) are possible for devices running Linux, Android, macOS, iOS, iPadOS, Chrome OS or Windows. For example, Android based devices require a file manager with SMB2/SMB3 support, also known as LAN access. X-plore or Total Commander with LAN plugin might be a good choice.

Use \\tjener\<username> or smb://tjener/<username> to access the home directory.


HowTos for teaching and learning

All Debian packages mentioned in this section can be installed by running apt install <package> (as root).

Teaching Programming

stable/education-development is a meta package depending on a lot of programming tools. Please note that almost 2 GiB of disk space is needed if this package is installed. For more details (maybe to install only a few packages), see the Debian Edu Development packages page.

Monitoring pupils

/!\ Warning: make sure you know the status of the laws about monitoring and restricting computer users' activities in your jurisdiction.

Some schools use control tools like Epoptes or Veyon to supervise their students. See also: Epoptes Homepage and Veyon Homepage.

Restricting pupils' network access

Some schools use Squidguard or e2guardian to restrict Internet access.


HowTos for users

Changing passwords

Every user should change her or his password by using GOsa². To do so, just use a browser and go to https://www/gosa/.

Using GOsa² to change the password ensures that passwords for Kerberos (krbPrincipalKey), LDAP (userPassword) and Samba are the same.

Changing passwords using PAM is working also at the GDM login prompt, but this will only update the Kerberos password, and not the Samba and GOsa² (LDAP) password. So after you changed your password at the login prompt, you really should also change it using GOsa².

Running standalone Java applications

Standalone Java applications are supported out of the box by the OpenJDK Java runtime.

Using email

All users can send and receive mails within the internal network; certificates are provided to allow TLS secured connections. To allow mail outside the internal network, the administrator needs to configure the mailserver exim4 to suit the local situation, starting with dpkg-reconfigure exim4-config.

Every user who wants to use Thunderbird needs to configure it as follows. For a user with username jdoe the internal email address is jdoe@postoffice.intern.


  • Start Thunderbird
  • Click 'Skip this and use my existing email'
  • Enter your email address
  • Don't enter your password as Kerberos single sign on will be used
  • Click 'Continue'
  • For both IMAP and SMTP the settings should be 'STARTTLS' and 'Kerberos/GSSAPI'; adjust if not detected automatically
  • Click 'Done'



Contribute online

Most of the time, the developer mailing list is our main medium for communication, though we also have #debian-edu on and even, sometimes, real gatherings, where we meet each other in person.

A good way to learn what is happening in the development of Debian Edu is to subscribe to the commit mailinglist.

Report bugs

Debian Edu uses the Debian Bug Tracking System (BTS). View existing bug reports and feature requests or create new ones. Please report all bugs against the package debian-edu-config. Take a look at How To Report Bugs for more information on bug reporting in Debian Edu.

Documentation writers and translators

This document needs your help! First and foremost, it is not finished yet: if you read it, you will notice various FIXMEs within the text. If you happen to know (a bit of) what needs to be explained there, please consider sharing your knowledge with us.

The source of the text is a wiki and can be edited with a simple webbrowser. Just go to and you can contribute easily. Note: a user account is needed to edit the pages; you may need to create a wiki user account first.

Another very good way to contribute and to help users is by translating software and documentation. Information on how to translate this document can be found in the translations chapter of this book. Please consider helping the translation effort of this book!



Volunteer based support

in English

  • - support mailing list

  • #debian-edu on - IRC channel, mostly development related; do not expect real time support even though it frequently happens.

in Norwegian

  • #skolelinux on - IRC channel to support Norwegian users

in German

in French

Professional support

Lists of companies providing professional support are available from


New features in Debian Edu Bookworm

New features for Debian Edu 12 Bookworm

Installation changes

  • New version of Debian Installer from Debian bookworm, see its installation manual for more details,

    • including information on non-free-firmware, which is a new section in addition to the well known main, contrib and non-free sections.

  • New artwork based on the Emerald theme, the default artwork for Debian 12 bookworm.

Software updates

  • Everything which is new in Debian 12 bookworm, eg:
    • Linux kernel 6.1
    • Desktop environments KDE Plasma 5.27, GNOME 43, Xfce 4.18, LXDE 11, MATE 1.26
    • LibreOffice 7.4

    • GOsa² 2.8
    • Educational toolbox GCompris 3.1
    • Music creator Rosegarden 22.12
    • LTSP 23.01
    • Debian Bookworm includes more than 64000 packages available for installation.

Documentation and translation updates

  • During installation the profile choice page is available in 29 languages, of which 22 are fully translated.
  • The Debian Edu Bookworm Manual is translated to Simplified Chinese, Danish, Dutch, French, German, Italian, Japanese, Norwegian (Bokmål), Brazilian Portuguese, European Portuguese, Spanish, Romanian and Ukrainian.

Known issues


Copyright and authors

This document is written and copyrighted by Holger Levsen (2007-2024), Petter Reinholdtsen (2001, 2002, 2003, 2004, 2007, 2008, 2009, 2010, 2012, 2014), Daniel Heß (2007), Patrick Winnertz (2007), Knut Yrvin (2007), Ralf Gesellensetter (2007), Ronny Aasen (2007), Morten Werner Forsbring (2007), Bjarne Nielsen (2007, 2008), Nigel Barker (2007), José L. Redrejo Rodríguez (2007), John Bildoy (2007), Joakim Seeberg (2008), Jürgen Leibner (2009, 2010, 2011, 2012, 2014), Oded Naveh (2009), Philipp Hübner (2009, 2010), Andreas Mundt (2010), Olivier Vitrat (2010, 2012), Vagrant Cascadian (2010), Mike Gabriel (2011), Justin B Rye (2012), David Prévot (2012), Wolfgang Schweer (2012-2024), Bernhard Hammes (2012), Joe Hansen (2015), Serhii Horichenko (2022) and Guido Berhörster (2023) and is released under the GPL2 or any later version. Enjoy!

If you add content to it, please only do so if you are the author. You need to release it under the same conditions! Then add your name here and release it under the "GPL v2 or any later version" licence.


Translations of this document

There is an online overview of packaged translations, updated frequently.

HowTo translate this document

Translate using PO files

As in many free software projects, translations of this document are kept in PO files. More information about the process can be found in /usr/share/doc/debian-edu-doc/README.debian-edu-bookworm-manual-translations.

Translate online using a web browser

Most language teams have decided to translate via Weblate. See for more information.

Please report any problems.


Appendix A - The GNU General Public License

Manual for Debian Edu 12 Codename Bookworm

Copyright (C) 2007-2021 Holger Levsen < > and others, see the Copyright for the full list of copyright owners.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

  • a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

  • a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.






Appendix B - Features in older releases

New features for Debian Edu 11 Codename Bullseye released 2021-08-14

Installation changes

  • New version of Debian Installer from Debian bullseye, see its installation manual for more details.

  • New artwork based on the Homeworld theme, the default artwork for Debian 11 (bullseye).

  • The Debian Installer doesn't support LTSP chroot setup anymore. In case of a combined server installation ('Main server' + 'LTSP server' profiles), setting up thin client support (now using X2Go) happens at the end of the installation. Generating the SquashFS image for diskless client support (from the server's file system) is done at first boot.
    For separate LTSP servers, both steps have to be done via a tool after first boot inside the internal network when enough information is available from the main server.

Software updates

  • Everything which is new in Debian 11 Bullseye, eg:
    • Linux kernel 5.10
    • Desktop environments KDE Plasma 5.20, GNOME 3.38, Xfce 4.16, LXDE 11, MATE 1.24
    • LibreOffice 7.0

    • Educational toolbox GCompris 1.0
    • Music creator Rosegarden 20.12
    • LTSP 21.01
    • Debian Bullseye includes more than 59000 packages available for installation.

Documentation and translation updates

  • During installation the profile choice page is available in 29 languages, of which 22 are fully translated.
  • The Debian Edu Bullseye Manual is fully translated to Dutch, French, German, Italian, Japanese, Norwegian Bokmål, Portuguese (Portugal) and Simplified Chinese.

    • Partly translated versions exist for Danish and Spanish.

Other changes compared to the previous release

  • Improved TLS/SSL support on the internal network. On clients, the root certificate for the Debian Edu-CA is located inside the certificate bundle for the whole system.
  • New LTSP, re-written from scratch, dropping thin client support. Thin clients are now supported using X2Go.

  • Netboot is provided using iPXE instead of PXELINUX to be compliant with LTSP.
  • The /srv/tftp directory is now used as netboot base instead of /var/lib/tftpboot.

  • After a point release upgrade of a system with Main Server or LTSP Server profile, debian-edu-pxeinstall needs to be run to update the PXE installation environment.

  • DuckDuckGo is used as default search provider for both Firefox ESR and Chromium.

  • Chromium uses the internal website instead of Google as default startpage.
  • On diskless workstations, the Kerberos TGT is available after login automatically.
  • New tool added to set up freeRADIUS with support for both EAP-TTLS/PAP and PEAP-MSCHAPV2 methods.
  • Samba is configured as 'standalone server' with support for SMB2/SMB3; domain joining is gone.
  • The GOsa² web interface doesn't show Samba related entries because Samba account data are no longer stored in LDAP.
  • Debian Installer's graphical mode is used for PXE installations (instead of text mode).
  • Central CUPS print server ipp.intern, users belonging to the printer-admins group are allowed to administrate CUPS.
  • Icinga administration via the web interface is restricted to the first user.

Historic information about older releases

The following Debian Edu releases were made further in the past:

  • Debian Edu 10+edu0 Codename Buster released 2019-07-06.
  • Debian Edu 9+edu0 Codename Stretch released 2017-06-17.
  • Debian Edu 8+edu0 Codename Jessie released 2016-07-02.
  • Debian Edu 7.1+edu0 Codename Wheezy released 2013-09-28.
  • Debian Edu 6.0.7+r1 Codename "Squeeze", released 2013-03-03.
  • Debian Edu 6.0.4+r0 Codename "Squeeze", released 2012-03-11.
  • Debian Edu 5.0.6+edu1 Codename "Lenny", released 2010-10-05.
  • Debian Edu 5.0.4+edu0 Codename "Lenny", released 2010-02-08.
  • Debian Edu "3.0r1 Terra", released 2007-12-05.
  • Debian Edu "3.0r0 Terra" released 2007-07-22. Based on Debian 4.0 Etch released 2007-04-08.
  • Debian Edu 2.0, released 2006-03-14. Based on Debian 3.1 Sarge released 2005-06-06.
  • Debian Edu "1.0 Venus" release 2004-06-20. Based on Debian 3.0 Woody released 2002-07-19.

A complete and detailed overview about older releases is contained in Appendix C of the Jessie manual; or see the related release manuals on the release manuals page.