Revision 1 as of 2018-01-25 11:10:55
copied+derived from https://wiki.debian.org/DebianEdu/Documentation/Stretch
add caveat concerning file system permissions
Change in this revision (line 10): "See the information about Debian Edu specific file system access configuration before adding users." became "See the information about Debian Edu specific file system access configuration before adding users; adjust to your site's policy if needed."
Minimum steps to get started
During installation of the main server a first user account was created. In the following text this account will be referenced as "first user". This account is special, as there's no Samba account (can be added via GOsa²), the home directory permission is set to 700 (so chmod o+x ~ is needed to make personal web pages accessible), and the first user can use sudo to become root.
See the information about Debian Edu specific file system access configuration before adding users; adjust to your site's policy if needed.
After the installation, the first things you need to do as first user are:
- Log into the server - with the root account you cannot log in graphically.
- Add users with GOsa²
- Add workstations with GOsa² - thin-client and diskless workstation can be used directly without this step.
Adding users and workstations is described in detail below, so please read this chapter completely. It covers how to perform these minimum steps correctly as well as other stuff that everybody will probably need to do.
There is additional information available elsewhere in this manual: the New features in Buster chapter should be read by everyone who is familiar with previous releases. And for those upgrading from a previous release, make sure to read the Upgrades chapter.
If generic DNS traffic is blocked out of your network and you need to use some specific DNS server to look up internet hosts, you need to tell the DNS server to use this server as its "forwarder". Update /etc/bind/named.conf.options and specify the IP address of the DNS server to use.
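As an added example (not part of the Debian Edu manual or the BIND package), the script below sets the forwarders block in a named.conf.options file: it validates the forwarder addresses, replaces an already active forwarders block or inserts a new one just before the closing "};" of the options block, and keeps a backup. It assumes the Debian layout with a single top-level options block; the path /etc/bind/named.conf.options is only the argument you would pass on the main server, and the demo works on a constructed copy in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the Debian Edu manual: set BIND's "forwarders" in a
# named.conf.options file. Addresses are validated, an existing active forwarders block is
# replaced (running it twice does not duplicate the block) or a new one is inserted before
# the closing "};" of the options block, and a backup is kept in FILE.bak.
# Assumption: the file has one top-level "options { ... };" block, as in the Debian default.

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit !ok }'
}

# forwarders_block ADDR...: print the block in the indentation style of the Debian file.
forwarders_block() {
    printf '\tforwarders {\n'
    for a in "$@"; do printf '\t\t%s;\n' "$a"; done
    printf '\t};\n'
}

# set_forwarders FILE ADDR...: rewrite FILE so its forwarders are exactly ADDR...
set_forwarders() {
    file=$1; shift
    for a in "$@"; do
        is_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    block=$(forwarders_block "$@")
    cp "$file" "$file.bak" || return 1
    awk -v block="$block" '
        # an active (uncommented) forwarders block is replaced by the new one
        /^[[:space:]]*forwarders[[:space:]]*[{]/ {
            print block; done = 1
            if ($0 !~ /[}];/) skip = 1   # multi-line block: drop its lines up to "};"
            next
        }
        skip { if ($0 ~ /[}];/) skip = 0; next }
        # otherwise the new block goes right before the line closing the options block
        /^[}];/ && !done { print block; done = 1 }
        { print }
    ' "$file.bak" > "$file"
}

# active_forwarders FILE: print the addresses of the active forwarders block, one per line.
active_forwarders() {
    awk '/^[[:space:]]*forwarders[[:space:]]*[{]/ { inb = 1; next }
         inb && /[}];/ { inb = 0 }
         inb { gsub(/[[:space:];]/, ""); if ($0 != "") print }' "$1"
}

# demo: constructed sample resembling the Debian default file, with its commented-out
# placeholder block; after two runs exactly one forwarder (192.0.2.53) must be active.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/named.conf.options" <<'EOF'
options {
	directory "/var/cache/bind";

	// forwarders {
	// 	0.0.0.0;
	// };

	dnssec-validation auto;
	listen-on-v6 { any; };
};
EOF
    set_forwarders "$tmp/named.conf.options" 192.0.2.53 198.51.100.53 || return 1
    set_forwarders "$tmp/named.conf.options" 192.0.2.53 || return 1   # replaces, no duplicate
    result=$(active_forwarders "$tmp/named.conf.options" | tr '\n' ' ')
    rm -rf "$tmp"
    [ "$result" = "192.0.2.53 " ]
}

if demo; then echo "forwarders block written and replaced as expected"; else echo "demo FAILED" >&2; fi
```

After editing the real file, check it with named-checkconf and reload BIND; the forwarder addresses in the demo are documentation ranges, not real resolvers.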
The HowTo chapter covers more tips and tricks and some frequently asked questions.
Services running on the main server
There are several services running on the main server which can be managed via a web management interface. We'll describe each service below.
Introduction to GOsa²
GOsa² is a web based management tool that helps to manage some important parts of your Debian Edu setup. With GOsa² you can manage (add, modify, or delete) these main groups:
- User Administration
- Group Administration
- NIS Netgroup Administrator
- Machine Administration
- DNS Administration
- DHCP Administration
For GOsa² access you need the Skolelinux main server and a (client) system with a web browser installed; this can be the main server itself if it was installed as a so-called combined server (Main Server + LTSP Server + Workstation profiles). If none of the above is available, see: Installing a graphical environment on the main-server to use GOsa².
From a web browser use the URL https://www/gosa for GOsa² access, and log in as the first user.
- If you are using a new Debian Edu Buster machine, the site certificate will be known by the browser.
- Otherwise, you will get an error message about the SSL certificate being wrong. If you know you are alone on your network, just tell the browser to accept it and ignore that.
For general information on GOsa² have a look at: https://oss.gonicus.de/labs/gosa/wiki/documentation.
GOsa² Login plus Overview
After logging in to GOsa² you will see the overview page of GOsa².
Next, you can choose a task in the menu or click any of the task icons on the overview page. For navigation, we recommend using the menu on the left side of the screen, as it will stay visible there on all administration pages offered by GOsa².
In Debian Edu, account, group, and system information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations, the LTSP servers and the Windows machines on the network. With LDAP, account information about students, teachers, etc. only needs to be entered once. After information has been provided in LDAP, the information will be available to all systems on the whole Skolelinux network.
GOsa² is an administration tool that uses LDAP to store its information and provide a hierarchical department structure. To each "department" you can add user accounts, groups, systems, netgroups, etc. Depending on the structure of your institution, you can use the department structure in GOsa²/LDAP to transfer your organisational structure into the LDAP data tree of the Debian Edu main server.
A default Debian Edu main server installation currently provides two "departments": Teachers and Students, plus the base level of the LDAP tree. Student accounts are intended to be added to the "Students" department, teachers to the "Teachers" department; systems (servers, Skolelinux workstations, Windows machines, printers etc.) are currently added to the base level. Find your own scheme for customising this structure. (You can find an example of how to create users in year groups, with common home directories for each group, in the HowTo/AdvancedAdministration chapter of this manual.)
Depending on the task that you want to work on (manage users, manage groups, manage systems, etc.) GOsa² presents you with a different view on the selected department (or the base level).
User Management with GOsa²
First, click on "Users" in the left navigation menu. The right side of the screen will change to show a table with department folders for "Students" and "Teachers" and the account of the GOsa² Super-Administrator (the first created user). Above this table you can see a field called Base that allows you to navigate through your tree structure (move your mouse over that area and a drop-down menu will appear) and to select a base folder for your intended operations (e.g. adding a new user).
Next to that tree navigation item you can see the "Actions" menu. Move your mouse over this item and a submenu appears on screen; choose "Create" here, and then "User". You will be guided by the user creation wizard.
- The most important thing to add is the template (newstudent or newteacher) and the full name of your user (see image).
- As you follow the wizard, you will see that GOsa² generates a username automatically based on the real name. It automatically chooses a username that doesn't exist yet, so multiple users with the same full name are not a problem. Note that GOsa² can generate invalid usernames if the full name contains non-ASCII characters.
If you don't like the generated username you can select another username offered in the drop-down box, but you do not have a free choice here in the wizard. (If you want to be able to edit the proposed username, open /etc/gosa/gosa.conf with an editor and add allowUIDProposalModification="true" as an additional option to the "location definition".)
- When the wizard has finished, you are presented with the GOsa² screen for your new user object. Use the tabs at the top to check the completed fields.
After you have created the user (no need to customise fields the wizard has left empty for now), click on the "Ok" button in the bottom-right corner.
As the last step GOsa² will ask for a password for the new user. Type that in twice and then click "Set password" in the bottom-right corner. Some characters may not be allowed as part of the password.
If all went well, you can now see the new user in the user list table. You should now be able to log in with that username on any Skolelinux machine within your network.
Search, modify and delete users
To modify or delete a user, use GOsa² to browse the list of users on your system. On the middle of the screen you may open the "Filter" box, a search tool provided by GOsa². If you don't know the exact location of your user account in your tree, change to the base level of the GOsa²/LDAP tree and search there with the option marked "Search in subtrees".
When using the "Filter" box, results will immediately appear in the table list view in the middle of the screen. Every line represents a user account, and the items farthest to the right on each line are little icons that provide actions for you: cut entry, copy entry, edit user, lock account, set password, take snapshot (not usable) and remove user.
A new page will show up where you can directly modify information about the user, change the password of the user and modify the list of groups the user belongs to.
The students can change their own passwords by logging into GOsa² with their own usernames. To ease access to GOsa², an entry called Gosa is provided in the desktop's System (or System settings) menu. A logged-in student will be presented with a very minimal version of GOsa² that only allows access to the student's own account data sheet and to the set-password dialog.
Teachers logged in under their own usernames have special privileges in GOsa². They are shown a more privileged view of GOsa², and can change the passwords for all student accounts. This may be very handy during class.
To administratively set a new password for a user
- search for the user to be modified, as explained above
- click on the key symbol at the end of the line that the username is shown in
- on the page subsequently presented you can set a new password chosen by yourself
Beware of the security implications of easy-to-guess passwords!
Advanced user management
It is possible to mass-create users with GOsa² by using a CSV file, which can be created with any good spreadsheet software (for example localc). At a minimum, entries for the following fields have to be provided: uid, last name (sn), first name (givenName) and password. Make sure that there are no duplicate entries in the uid field. Please note that the check for duplicates must include already existing uid entries in LDAP (which can be obtained by executing getent passwd | grep tjener/home | cut -d":" -f1 on the command line).
These are the format guidelines for such a CSV file (GOsa² is quite intolerant about them):
- Use "," as field separator
- Do not use quotes
- The CSV file must not contain a header line (of the sort that normally contains the column names)
- The order of the fields is not relevant, and can be defined in GOsa² during the mass import
The mass import steps are:
- click the "LDAP Manager" link in the navigation menu on the left
- click the "Import" tab in the screen on the right
- browse your local disk and select a CSV file with the list of users to be imported
- choose an available user template that should be applied during mass import (such as NewTeacher or NewStudent)
- click the "Import" button in the bottom-right corner
It's a good idea to do some tests first, preferably using a CSV file with a few fictional users, which can be deleted later.
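The following script is an added example, not part of the Debian Edu manual or of GOsa²: it runs the format rules above against a CSV file before you hand it to the importer, so a rejected import (or a silently mangled one) is caught on the command line first. It checks for quote characters, a header line, inconsistent field counts, empty uids, duplicate uids within the file, and uids that already exist in LDAP, listing those with the same getent command the text gives. It assumes you tell it which column holds the uid (GOsa² maps the columns at import time, so the order in the file is free); the sample users in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of the Debian Edu manual): pre-flight checks for a GOsa² mass-import
# CSV file. Assumption: the caller passes the column number that holds the uid.

# existing_uids OUTFILE: write the uids of accounts that already exist, one per line.
# This is the manual's own command; on a host that is not a Debian Edu main server it yields nothing.
existing_uids() {
    getent passwd | grep tjener/home | cut -d: -f1 > "$1" || true
}

# check_csv CSVFILE EXISTINGFILE UIDCOL: print each problem to stderr,
# return 0 when the file is clean and 1 otherwise.
check_csv() {
    csv=$1 existing=$2 uidcol=$3
    problems=0

    # No quotes at all: GOsa² does not treat them as field delimiters.
    quoted=$(grep -c '"' "$csv" || true)
    if [ "$quoted" -gt 0 ]; then
        echo "$csv: $quoted line(s) contain quote characters" >&2
        problems=$((problems + 1))
    fi

    # No header line: a first line whose uid column is literally "uid" is a header.
    if [ "$(head -n 1 "$csv" | cut -d, -f"$uidcol")" = "uid" ]; then
        echo "$csv: the first line looks like a header line" >&2
        problems=$((problems + 1))
    fi

    # "," is the separator, so every line must have the same number of fields,
    # and the uid field must not be empty.
    badlines=$(awk -F, -v col="$uidcol" 'NR == 1 { nf = NF }
                                         NF != nf || $col == "" { print NR }' "$csv" | tr '\n' ' ')
    if [ -n "$badlines" ]; then
        echo "$csv: line(s) $badlines have a wrong field count or an empty uid" >&2
        problems=$((problems + 1))
    fi

    # No duplicate uids within the file.
    dups=$(cut -d, -f"$uidcol" "$csv" | sort | uniq -d | tr '\n' ' ')
    if [ -n "$dups" ]; then
        echo "$csv: duplicate uid(s): $dups" >&2
        problems=$((problems + 1))
    fi

    # No uid that already exists in LDAP (the duplicate check must include those too).
    clash=$(cut -d, -f"$uidcol" "$csv" | sort -u | grep -Fxf "$existing" | tr '\n' ' ' || true)
    if [ -n "$clash" ]; then
        echo "$csv: uid(s) already exist in LDAP: $clash" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# demo: constructed sample data (fictional users); a clean file must pass, a broken one must fail.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' alice bob > "$tmp/existing"      # stands in for existing_uids output
    cat > "$tmp/good.csv" <<EOF
carol,Example,Carol,Pw-example-1
dave,Example,Dave,Pw-example-2
EOF
    # header line, a quoted field, a duplicated uid and a uid that already exists
    cat > "$tmp/bad.csv" <<EOF
uid,sn,givenName,password
carol,"Example",Carol,Pw-example-1
carol,Example,Carol,Pw-example-1
alice,Example,Alice,Pw-example-3
EOF
    if check_csv "$tmp/good.csv" "$tmp/existing" 1; then good_rc=0; else good_rc=1; fi
    if check_csv "$tmp/bad.csv" "$tmp/existing" 1 2>/dev/null; then bad_rc=0; else bad_rc=1; fi
    rm -rf "$tmp"
    [ "$good_rc" -eq 0 ] && [ "$bad_rc" -eq 1 ]
}

if demo; then echo "CSV checks behave as expected"; else echo "CSV checks FAILED" >&2; fi
```

On the main server you would run existing_uids /tmp/existing and then check_csv users.csv /tmp/existing 1 (with 1 replaced by the uid column of your file) before opening the Import tab.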
Group Management with GOsa²
The management of groups is very similar to the management of users.
You can enter a name and a description per group. Make sure that you choose the right level in the LDAP tree when creating a new group.
By default, the appropriate Samba group isn't created. If you forgot to check the Samba group option during group creation, you can modify the group later on.
Adding users to a newly created group takes you back to the user list, where you most probably would like to use the filter box to find users. Check the LDAP tree level, too.
The groups entered in the group management are also regular Unix groups, so you can use them for file permissions too.
Group Management on the command line
# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP" \
    comment="DESCRIPTION OF NEW GROUP"
Machine Management with GOsa²
Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is usually "intern"). For a fuller description of the Debian Edu architecture see the architecture chapter of this manual.
Diskless workstations and thin-clients work out-of-the-box when connected to the main network. Only workstations with disks have to be added with GOsa², but all can.
To add a machine, use the GOsa² main menu, systems, add. You can use an IP address/hostname from the preconfigured address space 10.0.0.0/8. Currently there are only two predefined fixed addresses: 10.0.2.2 (tjener) and 10.0.0.1 (gateway). The addresses from 10.0.16.20 to 10.0.31.254 (roughly 10.0.16.0/20 or 4000 hosts) are reserved for DHCP and are assigned dynamically.
To assign a host with the MAC address 52:54:00:12:34:10 a static IP address in GOsa² you have to enter the MAC address, the hostname and the IP; alternatively you might click the Propose ip button which will show the first free fixed address in 10.0.0.0/8, most probably something like 10.0.0.2 if you add the first machine this way. It may be better to first think about your network: for example you could use 10.0.0.x with x>10 and x<50 for servers, and x>100 for workstations. Don't forget to activate the just added system. With the exception of the main server all systems will then have a matching icon.
If the machines have booted as thin clients/diskless workstations or have been installed using any of the networked profiles, the sitesummary2ldapdhcp script can be used to automatically add machines to GOsa². For simple machines it will work out of the box; for machines with more than one MAC address the one actually in use has to be chosen (sitesummary2ldapdhcp -h shows usage information). Please note that the IP addresses shown after using sitesummary2ldapdhcp belong to the dynamic IP range. These systems can then be modified to suit your network: rename each new system, activate DHCP and DNS, add it to netgroups if needed, and reboot the system afterwards. The following screenshots show how this looks in practice:
root@tjener:~# sitesummary2ldapdhcp -a -i ether-00:04:76:d3:28:b7 -t workstations
info: Create GOsa machine for auto-mac-00-04-76-d3-28-b7.intern [10.0.16.21] id ether-00:04:76:d3:28:b7.
Enter password if you want to activate these changes, and ^c to abort.
Connecting to LDAP as cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
enter password:
A cronjob updating DNS runs every hour; su -c ldap2bind can be used to trigger the update manually.
Search and delete machines
Searching for and deleting machines is quite similar to searching for and deleting users, so that information is not repeated here.
Modify existing machines / Netgroup management
After adding a machine to the LDAP tree using GOsa², you can modify its properties using the search functionality and clicking on the machine name (as you would with users).
The format of these system entries is similar to the one you already know from modifying user entries, but the fields mean different things in this context.
For example, adding a machine to a NetGroup does not modify the file access or command execution permissions for that machine or the users logged in to that machine; instead it restricts the services that machine can use on your main-server.
The default installation provides the NetGroups
Currently the NetGroup functionality is used for:
- NFS
  - The home directories are exported by the main-server to be mounted by the workstations and the LTSP servers. For security reasons, only hosts within the workstation-hosts, ltsp-server-hosts and server-hosts NetGroups can mount the exported NFS shares. So it is rather important to remember to configure these kinds of machines properly in the LDAP tree using GOsa² and to configure them to use static IP addresses from LDAP.
  - Remember to configure workstations and LTSP servers properly with GOsa², or your users won't be able to access their home directories. Diskless workstations and thin clients don't use NFS, so they don't need to be configured.
- Automatic resizing of full partitions
  - Debian Edu machines in this group will automatically resize LVM partitions that run out of space.
- Shutdown at night
  - Debian Edu machines in this group will automatically shut down at night to save energy.
- CUPS (cups-queue-autoflush-hosts and cups-queue-autoreenable-hosts)
  - Debian Edu machines in these groups will automatically flush all print queues every night, and re-enable any disabled print queue every hour.
- Restricting machines to the local network
  - Debian Edu machines in this group will be allowed to connect to machines only on the local network. Combined with web proxy restrictions this might be used during exams.
Another important part of machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you need to add the Windows host to the LDAP tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the HowTo/NetworkClients chapter of this manual.
For Printer Management point your web browser to https://www:631 and accept the self-signed certificate. This is the normal CUPS management interface where you can add/delete/modify your printers and can clean up the printing queue. By default only root is allowed but this can be changed: Open /etc/cups/cups-files.conf with an editor and add one or more valid group names matching your site policy to the line containing SystemGroup lpadmin. Existing GOsa² groups that might be used are gosa-admins and printer-admins (both with the first user as member), teachers and jradmins (no members after installation).
The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will be synchronised with an external source by default. If the external Internet connection is established on demand, this can cause machines to keep it open.
If you use dialup or ISDN and pay per minute, you want to change this default setting.
To disable synchronisation with an external clock, the file /etc/ntp.conf on the main-server, on all clients and in all LTSP chroots needs to be modified. Add comment ("#") marks in front of the server entries. After this, the NTP server needs to be restarted by running /etc/init.d/ntp restart as root. To test whether a machine is using the external clock sources, run ntpq -c lpeer.
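As an added example (not from the Debian Edu manual or the ntp package), the script below does the commenting-out step for one ntp.conf file. It is idempotent, so running it a second time on a file that was already edited changes nothing, it keeps a backup, and it takes an optional regular expression naming the sources that should stay active (a client, for instance, can keep following the main server while the external pools are disabled). It assumes time sources are "server" or "pool" lines; the file path is an argument so the same function can be pointed at /etc/ntp.conf on the main server, on clients and inside LTSP chroots. Restarting ntp afterwards is left to the administrator, as the text describes, and the sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the Debian Edu manual: comment out external time sources in an
# ntp.conf file. Assumptions: sources are "server" or "pool" lines; KEEP_REGEX (optional)
# selects source names that must stay active; FILE.bak is written before editing.

# disable_external_sources FILE [KEEP_REGEX]: comment out every active server/pool line
# whose source name does not match KEEP_REGEX (all of them when no pattern is given).
disable_external_sources() {
    cp "$1" "$1.bak" || return 1
    # KEEP is handed over through the environment so awk does not reinterpret backslashes.
    KEEP="$2" awk 'BEGIN { keep = ENVIRON["KEEP"] }
        /^[[:space:]]*(server|pool)[[:space:]]/ && (keep == "" || $2 !~ keep) { print "#" $0; next }
        { print }' "$1.bak" > "$1"
}

# active_sources FILE: print the names of the time sources that are still active, one per line.
active_sources() {
    awk '/^[[:space:]]*(server|pool)[[:space:]]/ { print $2 }' "$1"
}

# demo: constructed sample ntp.conf; after the edit only the local source (tjener.intern) is left.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
server 0.example-ntp.test iburst
# server old.example.test
server tjener.intern
EOF
    disable_external_sources "$f" '[.]intern$' || return 1
    disable_external_sources "$f" '[.]intern$' || return 1   # second run must change nothing
    left=$(active_sources "$f" | tr '\n' ' ')
    commented=$(grep -c '^#pool' "$f")
    rm -f "$f" "$f.bak"
    [ "$left" = "tjener.intern " ] && [ "$commented" -eq 2 ]
}

if demo; then echo "only the local time source is left active"; else echo "demo FAILED" >&2; fi
```

Running active_sources on the edited file is a quick way to see what ntpq -c lpeer will report after the restart.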
Extending full partitions
Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.