Advanced administration howto

In this chapter advanced administration tasks are described.

User Customisations with GOsa²

Create Users in Year Groups

In this example we want to create users in year groups, with common home directories for each group (home0/2024, home0/2026, etc). We want to create the users by csv import.

(as root on the main server)

mkdir /skole/tjener/home0/2024

(as first user in Gosa)

Main menu: goto 'Directory structure', click the 'Students' department. The 'Base' field should show '/Students'. From the drop box 'Actions' choose 'Create'/'Department'. Fill in values for Name (2024) and Description fields (students graduating in 2024), leave the Base field as is (should be '/Students'). Save it clicking 'Ok'. Now the new department (2024) should show up below /Students. Click it.

Choose 'Groups' from the main menu; 'Actions'/Create/Group. Enter group name (leave 'Base' as is, should be /Students/2024) and 'Ok' to save it.

Choose 'users' from the main menu. Change to 'Students' in the Base field. An Entry NewStudent should show up, click it. This is the 'students' template, not a real user. As you'll have to create such a template (to be able to use csv import for your structure) based on this one, notice all entries showing up in the Generic and POSIX tabs, maybe take screenshots to have information ready for the new template.

Now change to /Students/2024 in the Base field; choose Create/Template and start to fill in your desired values, first the Generic tab (add your new 2024 group under Group Membership, too), then add the POSIX account.

Choose your new template when doing csv import; testing it with a few users is recommended.

Other User Customisations

Creating folders in the home directories of all users

With this script the administrator can create a folder in each user's home directory and set access permissions and ownership.

In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.

 for home in $(ls $home_path); do
    if [ ! -d "$home_path/$home/$shared_folder" ]; then
        mkdir $home_path/$home/$shared_folder
        chmod $permissions $home_path/$home/$shared_folder
        chown $user:$group $home_path/$home/$shared_folder
        echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
 echo "$created_dir folders have been created"

Use a dedicated storage server

Take these steps to set up a dedicated storage server for user home directories and possibly other data.

Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP thin client or LTSP server.

Restrict SSH login access

There are several ways to restrict SSH login, some are listed here.

Setup without LTSP clients

If no LTSP clients are used a simple solution is to create a new group (say sshusers) and to add a line to the machine's /etc/ssh/sshd_config file. Only members of the sshusers group will then be allowed to ssh into the machine from everywhere.

Managing this case with GOsa is quite simple:

Setup with LTSP clients

The default LTSP diskless client setup doesn't use SSH connections. Update the SquashFS image on the related LTSP server after the SSH setup has been changed is enough.

X2Go thin clients are using SSH connections to the related LTSP server. So a different approach using PAM is needed.

+ : alice jane bob john : ALL
+ : ALL :
- : ALL : ALL

If only dedicated LTSP servers are used, the network could be dropped to disable internal SSH login access. Note: someone connecting his box to the dedicated LTSP client network(s) will gain SSH access to the LTSP server(s) as well.

A note for more complex setups

If X2Go clients were attached to the backbone network, things would be even more complicated and maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with appropriate PAM configuration would allow to disable internal SSH login.