Manual for Debian Edu 5.0.6+edu1 Codename "Lenny"

This is the (still incomplete) manual for the Debian Edu Lenny 5.0.6+edu1 release.

This document was put into the debian-edu-doc package on $DEBIAN_EDU_DOC_BUILDDATE.

The version at is a wiki and updated frequently.

Translations are part of the debian-edu-doc package, which can be installed on a webserver.

About Debian Edu and Skolelinux

Skolelinux is a Linux distribution made by the Debian Edu project. As a Debian Pure Blends distribution it is a official Debian subproject.

What this means for your school is that Skolelinux is a version of Debian providing an out-of-the box environment of a completely configured school-network.

In Norway, where Skolelinux was started, the main target group initially were schools serving the 6-16 years age bracket. Today the system is in use in several countries around the world, with most installations in Norway, Spain, Germany and France.



This section of the document describes the network architecture and services provided by a Skolelinux installation.



(The debian-edu-doc source package contains this image as a dia file.)

The figure is a sketch of the assumed network topology. The default setup of a Skolelinux network assumes that there is one (and only one) main-server, while allowing the inclusion of both normal workstations and thin-client-servers (with associated thin-clients). The number of workstations can be as large or small as you want (starting from none to a lot). The same goes for the thin-client servers, each of which is on a separate network so that the traffic between the thin-clients and the thin-client server doesn't affect the rest of the network services.

The reason that there can only be one main server in each school network is that the main server provides DHCP, and there can be only one machine doing so in each network. It is possible to move services from the main server to other machines by setting up the service on another machine, and subsequently updating the DNS-configuration, pointing the DNS alias for that service to the right computer.

In order to simplify the standard setup of Skolelinux, the Internet connection runs over a separate router. It is possible to set up Debian with both a modem and an ISDN connection, however no attempt is made to make such a setup work out of the box for Skolelinux (the setup needed to adjust the default situation to this should be documented separately).

Main server (tjener)

A Skolelinux network needs one main server (also called "tjener" which is Norwegian and means "server") which per default has the IP address and is installed by selecting the main server profile. It's possible (but not requiered) to also select and install the thin-client-server and workstation profiles in addition to the main server profile.

Services running on the main server

With the exception of the control of the thin-clients, all services are initially set up on one central computer (the main server). For performance reasons, the thin-client-server should be a separate machine (though it is possible to install both the main server and thin-client server profiles on the same machine). All services are allocated a dedicated DNS-name and are offered exclusively over IPv4. The allocated DNS name makes it easy to move individual services from the main-server to a different machine, by simply stopping the service on the main-server, and changing the DNS configuration to point to the new location of the service (which should be setup on that machine first of course).

To ensure security all connections where passwords are transmitted over the network are encrypted, so no passwords are send over the network as plain text.

Below is a list of the services that are set up by default in a Skolelinux network, with the DNS name of each service given in square brackets. If possible all configuration files will refer to the service by name (without the domain name) thus making it easy for schools to change either their domain (if they have an own DNS domain) or the IP addresses they use.

  • Centralized Logging [syslog]
  • DNS (PowerDNS) [domain]
  • Automatic Network Configuration of Machines (DHCP) [bootps]
  • Clock Synchronization (NTP) [ntp]
  • Home Directories via Network File System (SMB/NFS) [homes]
  • Electronic Post Office [postoffice]
  • Directory Service (OpenLDAP) [ldap]
  • User Administration (lwat)
  • Web Server (Apache/PHP) [www]
  • Central Backup (sl-backup, slbackup-php) [backup]
  • Web Cache / Proxy (Squid) [webcache]
  • Printing (CUPS) [ipp]
  • Remote Login (OpenSSH) [ssh]
  • Automatic Configuration [cfengine]
  • Thin Client Server/s (LTSP) [ltspserver\#]
  • Machine and Service Surveillance with Error Reporting, plus Status and History on the Web. Error Reporting by E-mail (munin,nagios and site-summary)

Each user stores his personal files in his home folder which is made available by the server. Home folders are accessible from all machines, giving users access to the same files regardless of which machine they are using. The server is operating system agnostic in offering access using NFS for Unix Clients, SMB for Windows and Macintosh clients.

By default e-mail is set up for local delivery (i.e. within the school) only, though e-mail delivery to the wider Internet may be set up if the school has a fixed Internet-connection. Mailing lists are set up based on the user database, giving each class their own mailing list. Clients are set up to deliver mail to the server (using 'smarthost'), and users can access their personal mail through either POP3 or IMAP.

All services are accessible using the same username and password, thanks to the central user database for authentication and authorization.

To increase performance on frequently accessed sites a web proxy that caches files locally (Squid) is used. In conjunction with blocking web-traffic in the router this also enables control of Internet access on individual machines.

Network configuration on the clients is done automatically using DHCP. Normal clients are allocated IP addresses in the private subnet, while thin clients are connected to the corresponding thin-client-server via the seperate subnet (this to ensure that the network traffic of the thin clients doesn't interfere with the rest of the network services).

Centralized logging is set up so that all machines send their syslog messages to the server. The syslog service is set up so that it only accepts incoming messages from the local network.

By default the DNS server is set up with a domain for internal use only (*.intern), until a real ("external") DNS domain can be set up. The DNS server is set up as caching DNS server so that all machines on the network can use it as the main DNS Server.

Pupils and teachers have the possibility to publish websites. The web server provides mechanisms for authenticating users, and for limiting access to individual pages and subdiretories to certain users and groups. Users will have the possibility to create dynamic web pages, as the web server will be programmable on the server side.

Information on users and machines can be changed in one central location, and is made accessible to all computers on the network automatically. To achieve this a centralized directory server is set up. The directory will have information on users, user groups, machines, and groups of machines. To avoid user confusion there won't be any difference between file groups, mailing lists, and network groups. This implies that groups of machines which have to be network groups, have the same namespace as user groups and mailing lists.

Administration of services and users will by and large be via web, and follow established standards, functioning well in the web browsers which are part of Skolelinux. The delegation of certain tasks to individual users or user groups will be made possible by the administration systems.

In order to avoid certain problems with NFS, and to make it simpler to debug problems, time needs to be synchronized on the different machines. To achieve this the Skolelinux server is set up as a local Network Time Protocol (NTP) server, and all workstations and clients are set up to synchronize their clock with the server. The server itself should synchronize its clock via NTP against machines on the Internet, thus ensuring the whole network has the correct time.

Printers are connected where convenient, either directly onto the network, or connected to a server, workstation or thin-client-server. Access to printers can be controlled for individual users according to the groups they belong to, this will be achieved by using quota and access control for printers.

LTSP server(s) (Thin client server(s))

A Skolelinux network can have many LTSP servers (also called thin client servers), which are installed by selecting the LTSP server profile.

The thin client servers are set up to receive syslog from the thin clients, and forward these messages to the central syslog recipient.

Thin clients

A thin client setup enables a ordinary PC to function as an (X-)terminal. This means that this machine boots from a diskette or directly from the server using network-PROM (or PXE) without using the local client hard drive. The thin client setup used is that of the Linux Terminal Server Project (LTSP).

Thin clients are a good way to make use of older, weaker machines as they effectively run all programs on the LTSP-Server. This works as follows: The service uses DHCP and TFTP to connect to the network and boot from the network. Next, the file system is mounted via NFS from the LTSP-server, and finally X11 is started. The display manager (LDM) connects to the LTSP-Server via SSH with X-forwarding. That way all data is encrypted on the network. For very old thin clients which are to slow for the encryption this can be set to the behaviour from former versions: use direct X connection via XDMCP.

Diskless workstations

For diskless workstations the terms "stateless workstations", "lowfat clients" or "half-thick clients" are also used. For the sake of clarity this manual sticks to the term "diskless workstations".

A diskless workstation runs all software on the PC without a locally installed operating system. This means that client machines boot direcly from the servers hard drive without running software installed on a local hard drive.

Diskless workstations are an exellent way of reusing newer hardware with the same low maintanence cost as with thin clients. Software is administered and maintained on the server with no need for local installed software on the clients. Home directories and system settings are stored on the server too.

Diskless workstations were introduced as part of the Linux Terminal Server Project (LTSP) with version 5.0.

Networked clients

The term "networked clients" is used in this manual to refer to both thin clients and diskless workstations as well as computers running MacOS or Windows.


All the linux machines that are installed by means of a Skolelinux CD or DVD will be administrable from a central computer, most likely the server. It will be possible to login to all machines by ssh, and thereby have full access to the machines

We use cfengine to edit configuration files. These files are updated from the server to the clients. In order to change the client configuration, it suffices to edit the server configuration and let the automatation distribute the changes.

All user information is kept in an LDAP directory. Updates of user accounts are made against this database and is used by the clients for user authentication.


Installation is possible either from a CD or DVD.

The aim is to be able to install a server from CD/DVD, and install clients over the network by booting all other machines from the network. The DVD installation works without access to the Internet.

The installation should not ask any questions, with the exception of desired language (e.g. Norwegian Bokmal, Nynorsk, Sami) and machine profile (server, workstation, thin client server). All other configuration will be set up automatically with reasonable values, to be changed from a centrally location by the system administrator subsequent to the installation.

File system access configuration

Each Skolelinux user account is assigned a section of the file system on the file server. This section (home directory) contains the user's configuration files, documents, email and web pages. Some of the files should be set to have read access for other users on the system, some should be readable by everyone on the internet, and some should not be accessible for reading by anyone but the user.

To ensure that all disks that are used for user directories or shared directories can be uniquely named across all the computers in the installation, they can be mounted as /skole/host/directory/. Initially, one directory is created on the file server, /skole/tjener/home0/, in which all the user accounts are created. More directories may then be created when needed, to accomodate particular user groups or particular patterns of usage.

To enable shared file access control using the file groups, each user must be assigned a primary group with no other members. The name of this private group should be identical to the username. (More info on private groups is available from Redhat.) This allows for all new files created by the user to be set with full access for the file's group. Together with set-gid bit on directories and inheritance of rights, this enables controlled file sharing between the members of a file group. Therefore, the users' umask should be 00X. (If all users initially should be able to read newly created files, then X=2. If only the relevant group should be given initial read access then X=7.)

The initial access settings for newly created files is a matter of policy. They may either be set to give read access to everybody, which can later be removed by explicit user action, or they may be initially blocked, necessitating user action to make them accessible. The first approach encourages knowledge sharing, and makes the system more transparent, whereas the second method decreases the risk of unwanted spreading of sensitive information. The problem with the first solution is that it is not apparent to the users that the material they create will be accessible to all other users. This is detectable only upon inspection of other users' directories, where one can see that the files are readable. The problem with the second solution is that few people are likely to make their files accessible, even if they do not contain sensitive information and the content would be helpful to inquisitive users who want to learn how others have solved particular problems (typically configuration issues).

Suggestion: The files are initially set to be readable by all, but particular directories are created in which the content is initially blocked. This will simplify deciding whether the file should be made readable or not. Concretely, umask should be set to 002, and ~/ created with privileges 0775, ~/priv/ given 0750,and ~/pub/ given 0775. Files that should not be readable by others should be put in ~/priv/, whereas public files will be put in ~/pub/. Other files will initially be accessible, but may be blocked as needed.

ssh requires that the home directory can only be written to by the owner, thus the maximum access privilege for ~/ is 755.

  • - access to home directories (*~/.)? - home directories - shared directories?

random notes

These are random notes concerning things which should be included in this document.

  • Centralized user database with grouping and the ability to control which groups have access to which machines.
  • Grouping of machines and ability to control access to network services for these groups (access blocking to Internet via squid)
  • Should consider using a DNS name from RFC 2606.

This chapter was initially copied and pasted from ( at that time it was Copyright © 2001, 2002, 2003, 2004 Petter Reinholdtsen < >, released under the GPL) and has since then beed edited.



New in Debian 5.0.7

  • Debian 5.0.7 is a maintainance release not adding any new features, just bugfixes which can be installed by upgrading from 5.0.6. Therefore there are no Debian Edu installation images based on 5.0.7.

New in Debian Edu 5.0.6+edu1 Codename "Lenny" released 2010-10-05

  • Everything that is new in Debian 5.0.5 and 5.0.6, which includes support for some new hardware. 5.0.5 and 5.0.6 are maintainance releases and generally don't add new features.

  • several bugfixes, including fixes for Skolelinux bugs #1436, #1427, #1441, #1413, #1450 and Debian bugs #585966, #585772, #585968, #586035 and #585966 plus several which were not filed.
  • Merge new web pages from Squeeze. The text is the same, but it provides new translation for zh, compete translations for all included langauges (de es fr it nb nl ru zh), and a rename of the .no page to .nb to reflect the langauge used.
  • debian-edu-install: Slovak translation added, updates to German, Basque, Italian, Bokmal, Vietnamese and Chinese translations.
  • debian-edu-doc: improvements to Italian, Bokmal and German translations as well as overall content and layout.
  • sitesummary: various improvements, most notably several nagios checks where added to monitor system health.
  • shutdown-at-night: fix #1435 (did not work with the LDAP host groups populated by lwat)

New features in Debian Edu 5.0.4+edu0 Codename "Lenny" released 2010-02-08

  • Everything that is new in Debian 5.0.4, see the following paragraph for details.

  • More than 80 applications relevant for education are included based on user feedback and user statistics (through Debian Edu popularity contest). The full list of packages are listed in the task overview page.

  • Improved student desktop with educational software shortcuts to GCompris, Kalzium, KGeography, KMplot, KStars, Stopmotion and OpenOffice Write and Impress.

  • Dynamic desktop icons and menu options that adjust based on user group.
  • Gnome added as a supported desktop, see the Installation chapter to learn how to install with GNOME instead of KDE as desktop.

  • Support for more than 50 languages.
  • Improved system for user administration and machine identification.
  • Improved diskless and thin client setup.
  • New startup menu letting users choose diskless workstation, thin client or workstation.
  • A diskless workstation option is installed but not activated by default on all servers with the thin-client-server profile.
  • Main-server is set up as a PXE server for booting thin clients and diskless workstations and for installing to clients' hard or flash drives.
  • The configuration for DNS and DHCP is stored in LDAP and can be edited using lwat. The DNS server has been switched from bind9 to power-dns.

  • LDAP server for directory services (NSS) are now located using a SRV record in DNS instead of hardcoding the 'ldap' DNS name. LDAP server for password checks (PAM) is still using the hardcoded 'ldap' DNS name.
  • Multi arch (amd64/i386/powerpc) net installer CD.
    • (Most) Packages are downloaded from over the Internet.
  • Multi arch (amd64/i386) installer DVD capable of installing without network.
  • PulseAudio is provided in addition to ALSA and OSS for sound on workstations and diskless workstations machines.

  • The Barebone profile has been renamed to Minimal, to better reflect what it is.

  • The Nagios3 configuration is now automatically created by sitesummary.
  • The per-user file ~/.xsession-errors is now truncated automatically when the user logs in to avoid filling up the home directory partition with a log that grows indefinitely. The user can disable this by creating ~/.xsession-errors-enable. The system administrator can configure the system to redirect the file to /dev/null by editing /etc/X11/Xsession.d/05debian-edu-truncate-xerrorlog.

  • To ease installation of Debian Edu on hardware needing non-free firmware, the CD and DVD include the following firmware packages: firmware-bnx2, firmware-bnx2x, firmware-ipw2x00, firmware-iwlwifi, firmware-qlogic and firmware-ralink.

New features in Debian 5.0.4 upon which Debian Edu 5.0.4+edu0 is based

  • New Linux kernel 2.6.26 supports more hardware
  • With this release, Debian GNU/Linux updates from X.Org 7.1 to X.Org 7.3 (which includes support of newer hardware) and now includes the desktop environments KDE 3.5.10 and GNOME 2.22. Updates of other desktop applications include Iceweasel (version 3.0.6, which is the unbranded Firefox web browser), Icedove (version, which is the unbranded Thunderbird mail client) as well as upgrades to Evolution 2.22.3, 2.4.1, and Pidgin 2.4.3 (formerly known as Gaim).

  • Installation from CD/DVD from within Windows
  • Switched from sysklogd to rsyslog as the syslog collector.
  • For more information see the page New in Lenny on

New features in the "3.0r1 Terra" release 2007-12-05

  • Much improved documentation with updated translations to German, Norwegian Bokmal and Italian
  • Includes more than 40 bug fixes, improvements and security updates that came to our attentention after the 3.0r0 release

New features in the "3.0r0 Terra" release 2007-07-22

  • Based on Debian 4.0 Etch released 2007-04-08.
  • Graphical installer with mouse support
  • Boot splash with usplash
  • LSB 3.1 compatible
  • Linux kernel version 2.6.18
    • Support for SATA controllers and hard disks
  • version 7.1.
  • KDE desktop environment version 3.5.5
  • version 2.0.

  • LTSP5 (version 0.99debian12)
  • Automatic tracking of installed machines using Sitesummary.
  • Automatic configuration of munin using data from Sitesummary.
  • Automatic version control of configuration files in /etc/ using svk.
  • File systems sizes can be extended while the file system is mounted.
    • Support automatically extending file system based on predefined rules.
  • Local Device Support on thin clients.
  • New processor architectures: amd64 (fully supported) and powerpc (experimental support, installation media only boots on the newworld subarchitecture)
  • Multi-architecture DVD for i386, amd64 and powerpc
  • Regression: the CD-install requires Internet access during installation. Previous versions could be installed from one CD without Internet access.
  • Regression: webmin is now removed from Debian because of problems supporting it. We've added a new web based user administration tool named lwat, which doesn't has the same functionality as wlus, the old user administration tool. But wlus requires webmin.

  • Regression: swi-prolog is not part of etch, but was part of sarge. The HowTo teach and learn Chapter describes how to install swi-prolog on etch.

Features in 2.0 release 2006-03-14

  • Based on Debian 3.1 Sarge released 2005-06-06.
  • Linux kernel version 2.6.8.
  • XFree86 version 4.3.
  • KDE version 3.3.
  • 1.1.

Features in "1.0 Venus" release 2004-06-20

  • Based on Debian 3.0 Woody released 2002-07-19.
  • Linux kernel version 2.4.26.
  • XFree86 version 4.1.
  • KDE version 2.2.

More information on older releases

More information on the older releases can be found at



There are different ways of setting up a Skolelinux solution. It can be installed on just one standalone PC or a regional wide solution at many schools operated centrally. This variety of configurations makes a huge difference on how things are set up regarding network components, servers and client machines.

Hardware requirements

The purpose of the different profiles is explained in the network architecture chapter.

  • The computers running Debian Edu / Skolelinux must have either i386, amd64 or powerpc processors.
    • On powerpc, the installation media will only boot on machines of the newworld sub-architecture, which are the systems from Apple with a translucent case.
  • Thin client servers need two network cards when using the default network architecture:
    • eth0 is connected to the main network (,
    • eth1 is used for serving the thin-clients ( .
    • Consider 2 GB RAM for 30 clients and 4 GB RAM for 50-60 clients.
  • Disk space requirements depend on profiles used, but any disk larger than 10 GiB will be sufficient for a workstation or standalone installation, 15 Gib for a thin-client server and at least 30 GiB on the main server. As usual with disk space on a main-server: the bigger the better.
  • Thin clients can run on as low as 64 MiB RAM and 133 MHz processor, though 128 MiB RAM and somewhat faster processors are recommended.
    • For running Iceweasel/Firefox and, 128 MiB RAM is a minimum requirement.

  • For workstations, diskless workstations and standalone PCs 800 MHz, 256 MiB RAM are minimum requirements, though 512 or 1024 MiB RAM will perform considerable better. Just a faster CPU will speed things up.
    • Swapping over the network is automatically enabled, the swap size is 32 MiB, if you need more you can tune this by editing /etc/ltsp/nbdswapd.conf on tjener to set the SIZE variable. Please tune up the swap size either locally on the pc or on the server.

      • If your diskless workstations have harddrives, it is recommended to use them for swap as it is a lot faster than network swapping.
    • On workstations with little RAM the spell checker can cause to hang if the swap space is too small. Then the system administrator has to disable the spell checker on or students have to kill, resulting in loss of work. Enabling at least 512 MiB swap on a 256 MiB RAM workstation solves this, and the spell checker runs smoothly.

  • Laptops have the same requirements as for workstations since they are just movable workstations.

Hardware known to work

A list of tested hardware is provided from . This list is not nearly complete :) is an effort to document how to install, configure and use Debian on some specific hardware. Therefore potential buyers would know if that hardware is supported and owner would know how get the best out of that hardware.

An excellent database about hardware supported by Debian is online at

Requirements for a network setup

Default Setup

When using the default network architecture, these rules apply:

  • you need exactly one main server, the tjener
  • you can have up to 50 (diskless) workstations on the main network
  • you can have up to 20 ltspservers on the main network
    • you can have hundreds of thin clients and/or diskless workstations on each ltspserver network
  • you can have hundreds of other machines which will have dynamic IP addresses assigned
  • for having access to the internet you need a router/gateway (see below)

Internet router

A router/gateway, connected to the internet on the external interface and running on the IP address with netmask on the internal interface, is needed to connect to the internet.

The router should not run a DHCP server, it can run a DNS server, though this is not needed and will not be used. (If the router runs a DHCP server you must disable the DHCP server on the main server and you will loose some features and certain documented procedures will work differently. So better disable the DHCP server on the router.)

If you are looking for a i386 based solution (so that you can reuse an old PC), we recommend IPCop or floppyfw.

If you need something for an embedded router or accesspoint we recommend using OpenWRT, though of course you can also use the original firmware. Using the original firmware is easier, using OpenWRT gives you more choices and control. Check the OpenWRT webpages for a list of supported hardware.

It is possible to use a different network setup, this is the documented procedure to do this. If you are not forced to do this by an existing network infrastructure, we recommend against doing so and recommend you stay with the default network architecture.



Where to find additional information

We recommend that you read or at least take a look at the release notes for Debian Lenny before you start installing a system for production use. If you just want to give Debian Edu/Skolelinux a try, you don't have to though, it should just work. :-)

Even more information about the Debian Lenny release is available in its installation manual.

Download the installation media for Debian Edu 5.0.6+edu1 Codename "Lenny"

DVDs for i386, amd64 and powerpc

The multiarch DVD ISO image is 4.4 GiB large and can be used for installation of amd64 and i386 machines. To download it, use any of these methods:



The netinstall CD, which can be used for installation of i386, amd64 and powerpc machines, is available via



The powerpc port has not been tested as much as the other architectures, though it should work just fine and has been reported to work. Still, we consider the port an experimental release of Debian Edu, which we might not be able to support as the other archs.

The Sources are available via



Request a CD/DVD by mail

For those without a fast internet connection, we offer to send you a CD or DVD for the cost of the CD or DVD and shipping. Just send an email to and we will discuss the payment details (for shipping and media) :) Remember to include the address you want the CD or DVD to be sent to in the email.

Installing Debian Edu

The installation process

When you do a Debian Edu installation, you have a few options to choose. Don't be afraid; there aren't many. We have done a good job hiding the complexity of Debian during the installation and beyond. However, Debian Edu is Debian, and if you want there are more than 15000 packages to choose from and a billion configuration options. For the majority of our users, our defaults should be fine.

  • Select type of installation
    • Install is the default text mode installation on i386 and amd64.

    • 64 bit install does an amd64 text-mode install.

    • Select Graphical install to have the GTK installer where you can use the mouse.

    • Select 64 bit graphical install to have the amd64 GTK installer where you can use the mouse.

    • The debian-edu-expert boot-option adds the minimal profile to the profile options, and switches to manual partitioning.

    • Further notes:
      • On i386/amd64 boot-options can be edited by pressing the tabulator-key in the boot menu.

      • The powerpc installer does neither support the graphical installation nor the boot menu that i386 and amd64 have.
      • On powerpc, enter install debian-edu-expert at the yaboot prompt to enter expert mode.

      • If you want to boot the amd64 text mode with the multiarch DVD it would be amd64-install.

      • Likewise you can choose amd64-expertgui to get the GUI version on amd64.

      • If you want to boot the i386 mode with the multiarch DVD on an amd64 machine you need to manually select install (text mode) or expertgui (graphical mode).

      • The multiarch DVD defaults to use amd64-installgui on x86 64-bits machines, and installgui on x86 32-bits machines.
      • If you have already installed the mainserver profile on a machine, you can use its http proxy service to speed up the following installations from CD. Add d-i mirror/http/proxy string as additional boot-option.

      • to install the GNOME desktop instead of the KDE desktop, add desktop=gnome to the kernel boot params.

  • Choose a language (for the installation and the installed system)
  • Choose a time-zone
  • Choose a keyboard keymap (usually the countrys default is fine)
  • Choose a profile:

    • Main-Server
      • This is the main server (tjener) for your school providing the following services: file, print, intranet, proxy, DNS, DHCP, LDAP, backup, nagios, sitesummary, and munin. All services are pre-configured to work out of the box. You must only install one main server per school! This profile does not include a graphical user interface. If you want a graphical user interface, then select Workstation or Thin-Client-Server in addition to this one.
    • Workstation
      • A computer booting from its local hard drive, and running all software and devices locally like an ordinary computer, but the user login is authenticated by the main server, where the user's files and desktop profile are stored.
    • Thin-Client-Server
      • Thin client (and diskless workstation) server, also called LTSP server. Clients without hard drives boot and run software from this server. This computer needs two network cards, a lot of memory, and ideally more than one processor or core. See the chapter about networked clients for more information on this subject. Chosing this profile also enables the workstation profile (even if it is not selected), a thin client server can always be used as a workstation, too.

    • Standalone
      • An ordinary computer that can function without a main server, ie. doesn't need to be on the network. Includes laptops.
    • Minimal
      • This profile is only available when using the 'debian-edu-expert' boot option. It will install the base packages and configure the machine to integrate into the Debian Edu network, but without any services and applications. It is useful as a platform for single services manually moved out from the main-server.
    The first 3 profiles can all be installed on the same machine. That means the main server can be a thin client server and also used as a workstation.
  • Say yes or no to automatic partitioning
    • Be aware that saying yes will destroy all data on the harddrives! Saying no on the other hand will require more work and one will need to make sure that the required partitions are created and are big enough.
  • Please say yes to submit information to to allow us to know which packages are popular and should be kept for future releases. Though you don't have to, it is a simple way for you to help. :)

  • Wait
    • if thin client server is among the selected profiles, then the installer will spent quite some time at the end, "Finishing the installation - Running debian-edu-profile-udeb..."
  • Be happy

A note on manual partitioning

As a general advice: if you choose manual paritioning and your system fails to boot, try automatic partitioning first.

If you decide to do manual partitioning for the main-server, you should consider this:

  • Make sure the directory /skole/tjener/home0 exists, usually you will also be mounting a partition there. If you don't create that directory you will only be able to login as root. The reason is that the user creation system require this directory to exist to be able to create users home directories, and without a users home directory the user can not log in.

  • If /var/spool/squid is on a seperate partition, 3GiB free space is a good recommendation. Squids cache size will be set to 80% of the partition size.

  • /boot should have its own partition.

A note on notebooks

In principal it makes sense either to install notebooks with the workstation or with the standalone profile. Keep in mind that the workstation profile uses LDAP for the user accounts and NFS for the home directories, so those workstations will only work while in the network where they can access the server. If you plan to use your laptop at home or on the road, then choose the standalone profile.

It is possible to reconfigure workstations to cache authentication information and sync the home directories to local disk (and resync to the server when in the network) with unison, but there is currently no howto available for this.

A note on DVD installs

If you install from a DVD, /etc/apt/sources.list it will only contain sources from the DVD afterwards. If you have an internet connection we strongly suggest adding the following lines to it so that available (security) updates can be installed:

deb lenny main 
deb lenny/updates main 
deb lenny local

A note on CD installs

The netinst installation (which is the type of installation our CD provides) will fetch some packages from the CD and the rest from the net. The amount of packages fetched from the net varies from profile to profile:

  • Main server: 8 of 115 MiB downloaded.
  • Main server and Thin client server: 618 of 1082 MiB downloaded.
  • Main server and Workstation: 618 of 1081 MiB downloaded.
  • Thin client server: 618 of 1052 MiB downloaded.
  • Workstation: 618 of 1051 MiB downloaded.
  • Standalone: 618 of 1020 MiB downloaded.
  • Minimal: 12 of 83 MiB downloaded.

A note on some RAID controllers

When using a USB drive to add missing firmware during install, with some RAID-controllers GRUB is installed to the USB drive. So a reboot after installation results in a GRUB-error. A workaround for this problem is to remove the USB drive after the firmware is loaded, and preferably before partitioning starts.

More information is available in Debian-Edu bug #1395 and Debian bug 516280.

A note on thin-client-server installations

First of all, this profile name is confusing due to historic reasons: the profile actually installs a LTSP server environment for thin-clients and for workstations. So for the next release of Debian Edu the name of this profile will be changed.

By providing the kernel argument edu-skip-ltsp-make-client it is possible to skip the step which converts the LTSP chroot from a thin-client chroot into a combined thin-client/diskless workstation chroot.

This is useful in certain situations, e.g. if one wants a pure thin client chroot or if there is already a diskless chroot on another server, which can be rsynced. For these situations skipping this step will cut down the installation time considerably.

Except for the longer installation time there is no harm creating combined chroots always and this is why this is done by default.

Custom CD/DVDs

Creating custom CDs or DVDs is possibly quite easy since we use the debian installer, which has a modular design and other nice features. Preseeding allows you to define answers to the questions normally asked.

So all you need to do is to create a preseeding file with your answers (this is described in the appendix of the debian installer manual) and remaster the CD/DVD.

Installation over the network (PXE) and booting diskless clients

For this installation method it is required that you have a running main server. When clients boot via the main network, a new PXE menu with installer and boot selection options is displayed.

This is how the PXE menu looks like with the Main-Server profile only:


This is how the PXE menu looks like with the Main-Server and Thin-Client-Server profile:


This setup also allows to boot diskless workstations and thin clients on the main network. Diskless workstations must be added with LWAT just like normal workstations or thin client servers.

More information about network clients can be found in the Network clients HowTo chapter.

Modifying PXE installations

The PXE installation is using a debian-installer preseed file, and this file can be modified to ask for more packages to install.

A line like the following needs to be added to tjener:/etc/debian-edu/www/debian-edu-install.dat

d-i    pkgsel/include string my-extra-package(s)

The PXE installation uses the files /var/lib/tftpboot/debian-edu/install.cfg and the preseeding file in /etc/debian-edu/www/debian-edu-install.dat. These files can be changed to adjust the preseeding used during installation, i.e. to avoid more questions when installing over the net. Another possibility to achieve the same is to provide extra settings in /etc/debian-edu/pxeinstall.conf and /etc/debian-edu/www/debian-edu-install.dat.local and to run /usr/sbin/debian-edu-pxeinstall to update the generated files.

Further information can be found in the manual of the Debian Installer.

To disable or change the use of the proxy when installing via PXE, the lines containing mirror/http/proxy, mirror/ftp/proxy and preseed/early_command in tjener:/etc/debian-edu/www/debian-edu-install.dat  need to be changed. To disable the use of a proxy when installing, put '#' in front of the first two lines, and remove the "export xhttp_proxy="http://webcache:3128"; " part from the last one.

Some settings can not be preseeded because they are needed before the preseeding file is downloaded. These are configured in the pxelinux based boot arguments available from /var/lib/tftproot/debian-edu/install.cfg. Language, keyboard layout and desktop are examples of such settings.

Screenshot tour

The text mode and the graphical installation are identical, only the appearance is different. The graphical mode offers you the opportunity to use a mouse. Of course the graphical mode looks much nicer and more modern. Unless the hardware has trouble with the graphical mode, there is no reason not to use it.

So here is a screenshot tour through a graphical Main-Server + Thin-Client-Server installation:

















Getting started

Minimum steps to get started

This chapter describes the first steps you need to do after the installation to get started. The minimum you need to do is:

  • add users
  • add workstations to host netgroups (for exporting home-directories via NFS)
    • thin clients don't need to be added, only workstations. And workstations no matter if with disk or diskless.

This is described below, please read this chapter completly. It covers how to do these minumum steps correctly as well as other stuff probably everybody will need to do.

The following HowTo chapter covers more tips and tricks and some frequently asked questions.

Debian Edu desktop

Services running on the main server

There are several services running on the main server which can be managed via a web management interface. We'll describe each service here.

Web based management, using lwat

Lwat is a web based management tool, that will help you manage some important parts of your Debian Edu setup. You can manage this four main groups (add, modify, delete):

  • User Administration
  • Group Administration
  • Automount Informations
  • Machine Administration
  • DNS Administration

To access lwat point your web browser to https://www/lwat.

  • In case you are not using a new Debian Edu Lenny machine, you will get an error message about the ssl certificate. Just tell your browser to accept and ignore that.

  • In case you are using a new Debian Edu Lenny machine, the override rule will be already in place and you can't be bothered.

You will then see the login page of LWAT. If you visit this site the first time after installation, the login name there is: admin and the password is the password you entered during the installation for the root account.


After login the you can choose a task in the menu.

User Management with lwat

In Debian Edu account information is stored in a LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations and thin client servers on the network. In this way data about students, pupils, teachers, etc. needs to be entered only once. After that it is available to all systems on the network.

To get the work done efficiently lwat will assist you on getting your user's data entered to the LDAP directory.

You can add users, group them in usergroups (for example to refer the members of a class more easily), update them and remove them again. By pointing the mouse onto the menu entries "Users" or "Groups" you can choose the action: Add any, or search for existing users or groups to modify or delete them.

Adding users

To add users you only have to choose "Add" in the "Users" section of the menu. After choosing this entry you will see a form where you can enter the data of the user you want to add. The most important thing to add is the full name of your user (see image). As you enter you will see, that lwat will generate a user name automatically based on the real name. It automatically chooses a user name that doesn't exist yet, so multiple users with the same full name are not a problem. If you don't like the generated user name you can change it in the corresponding field. Second you need to choose the role of your account, which is used by lwat to determine the privileges the user has for system administration. Currently lwat knows the following roles:


granted privileges


Login and use the system


Same as Students


Same as Teachers, but can also change other user's passwords (except for the Admins' ones)


Admins have ultimate privileges. They can add/modify/delete users/groups/machines/automounts and let windows systems join the Skolelinux domain

After choosing a suitable role you can hit the "Save" button and the user is added. Do not hit the enter key, or your progress will be lost. This is to avoid security problems with PHP.


If all went well, you will see a short notice at the end of page with the data added to the ldap directory (also the form gets reset):

Added user: Demo User
username: demuse
password: somethingsecret

/!\ It might take several minutes until the new added user's home directory is created. Until that is done he won't be able to log in on any server, workstation or thin client.

You may miss the option to set a password, that has been set automatically. The user can change is own password by clicking on the key icon on his desktop or directly browsing to http://www/lwat/chguserpw.php.

You can also set another password by modifying the user added (see below).

Search and delete users

To modify or delete a user you need to first find her using the search menu entry. You will find the form shown in the screenshot where you can enter either the real name or the user name of the user. The results will show up below. On the left of every result line there is a checkbox you can use to delete or disable one or more users with the two buttons below. If you want to modify a user, just click on it, all names found are links to the modify page.


A new page will show up where you can modify information directly belonging to the user, change the password of the user and modify the list of groups the user belongs to.


Set passwords

To set a new password for a user

  • search the user to be modified like explained above and click on the username once found.
  • click on the button New password

  • on the following page, you can set a new random generated password.
  • note that by default it is not possible to set a self-chosen password, as the corresponding field is not writable


To allow setting self-chosen passwords you need to edit /etc/lwat/config.php on the tjener:

  • Execute nano /etc/lwat/config.php

  • Change $allowPwSet = false ; to $allowPwSet = true ;

  • Press CTRL+X
  • Press Y
  • Press Enter

You can now set any password you like, as long as it is at least 5 digits long. Beware of security implications due to easy to guess passwords!

Advanced user management

It is possible to mass-create users with lwat by using a .csv file, which can be created with any good spreadsheet software (for example oocalc).

The import script expects a file formated with all data for one user on one row, with each field separated with a semicolon. The minimum information needed is the full name of the user. If fullname is not given, the script expects to have both firstname and lastname. The maximum information it expects is "User template; Fullname; Username; Password; Additional group membership".

If a password column is missing, an easy to remember, pronounceable password will be created.

If users are put into groups, these groups have to exist, so you need to create them manually (with lwat, see below) before importing the users.

It's a good idea to do some tests first, best with a .csv file with a few fictional users, which can be deleted later.

Group Management with lwat

The mangement of groups is very similar to the management of users. You can enter a name and a description per group. When searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

Group Management on the command line

Here's how:

# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
                 comment="DESCRIPTION OF NEW GROUP"

This is explained in more detail in the HowTo/NetworkClients chapter of this manual.

Advanced group management

Using lwat it's easy to put users in a specific group (for example named after the year they enter or finish school) and to create all their home directories in a dedicated directory.

To achieve that, add a stanza like the following to the file /etc/lwat/admin.ini:

ou = "ou=People,%base%"
objectClass = top posixAccount shadowAccount imapUser sambaSamAccount
homeDirectory = /skole/tjener/home0/2009/%username%
groups = none students 2009
loginShell = /bin/bash
mailMessageStore = /var/lib/maildirs/%username%

To make this work, the 2009 group has to be created before adding the users.

The above stanza simply adds them on top off home0. If you want them somewhere else, using another automount, then you use lwat to add that automount, and change the homeDirectory string in admini.ini correspondingly.

Machine Management with lwat

With the machine management you can basically manage all IP based devices in your Debian Edu network. Every machine added to the LDAP directory using lwat has a hostname, an IP-address, a MAC-address and a domain name which usually is "intern". For a more verbose description about the Debian Edu architecture see the architecture chapter of this manual.

If you add a machine, you can use an ip/hostname from the preconfigured address space. The following ip ranges are predefined:

First address

Last address





The addresses from till and till are reserved for dhcp and are assigned dynamically.

To assign a host with the MAC-address 52:54:00:12:34:10 a static IP-address you only have to enter the MAC-address and the hostname static00, the remaining fields will be filled automatically according to the predefined configuration:


Search and delete machines

Searching for and deleting machines is quite similar to searching and deleting users, so that information is not repeated here.

Modify existing machines / Netgroup management

After adding a machine to the ldap tree using lwat, you can modify its properties using the search functionality and clicking on the machine (as you would with users).


The form that is behind these machine links is in one way similar to the one you already know from modifying user entries, but in an other way the informations do mean different things in this context.

For example, adding a machine to a NetGroup does not modify the permissions that machine or the users logged into that machine have on accessing files or programs on the server. But it restricts the services that machine can use on your main-server.

The default installation provides the NetGroups

  • printer-hosts
  • workstation-hosts
  • ltsp-server-hosts
  • server-hosts
  • shutdown-at-night-hosts
  • fs-autoresize-hosts

Currently the NetGroup functionality is used for

  • NFS.
    • The home directories are exported by the main-server to be mounted by the workstations and the ltsp-servers. Because of security reasons only hosts within the workstation-hosts, ltsp-server-hosts and server-hosts NetGroups can mount the exported NFS shares. So it is rather important to remember to configure this kinds of machines properly in the ldap tree using lwat and configuring them to use the static IPs from ldap. /!\ Remember to configure workstations and ldap-servers properly with lwat, or your users won't be able to access their home directories.

  • fs-autoresize
    • debian edu machines in this group will automatically resize lvm partitions that run out of space
  • shutdown at night
    • debian edu machines in this group will automatically shutdown at night to save energy

Another important part of the machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you have to add the Windows host to the ldap tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the HowTo/NetworkClients chapter of this manual.

More lwat documentation

The full documentation for lwat can be found at /usr/share/doc/lwat/ on the main server or online.

Printer Managment

For Printer Management point your web browser to https://www:631 This is the normal cups management site where you can add/delete/modify your printers and can clean up the printing queue. Changes that require to login as root need ssl encryption.

If you connect the printer for the first time, we suggest to run printconf as root. FIXME: explain what to do when printconf does not accomplish anything.

Clock synchronization

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will not be synchronized with an external source by default, to make sure the machines to not use external network connections active all the time. This was configured like this after a school discovered their ISDN network was up all the time, giving them a nasty extra phone bill.

To enable synchronization with an external clock, the file /etc/ntp.conf on the main-server need to be modified. The comments in front of the server entries need to be removed. After this, the ntp server need to be restarted by running /etc/init.d/ntp restart as root. To test if the server is using the external clock sources, run ntpq -c lpeer.

Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.



Updating the software

This section explains how to use aptitude upgrade and kde-update-notifier.

Using aptitude is really simply. To update a system you need to execute two commands on the command line as root: aptitude update (updates the lists of available packages) and aptitude upgrade (upgrades the packages for which an upgrade is available).

Instead of using the command line you can also use kde-update-notifier. FIXME: Explain how to use kde-update-notifier, best with screenshots.

It is also a good idea to install cron-apt and apt-listchanges and configure them to send mail to an address you are reading.

cron-apt will notify you once a day via email, which packages need an update. It does not install these updates, but downloads them (usually in the night), so you don't have to wait for the download, when you do aptitude upgrade.

apt-listchanges can send new changelog entries to you.

Keep yourself informed about security updates

Running cron-apt as described above is a good way to learn that for an installed package a security update is available. Another way to get informed about security updates is to subscribe to the Debian security-announce mailinglist, which has the benefit of also informing what the security update is about. The downside (compared to cron-apt) is that it also includes information about updates for packages which aren't installed.

Backup Management

For the backup management point your browser to https://www/slbackup-php. Please note that you have to access this site via ssl, since you have to enter the root password there. If you try to access this site without using ssl it will fail.

Per default the tjener will backup /skole/tjener/home0, /etc/, /root/.svk and the ldap to /skole/backup which is in the lvm. If you only want to have things twice (if you delete something) this setup should be fine for you.

/!\ Be aware that this backup doesn't protect you from failing harddrives.

If you want to backup your data to an external server, a tape device or another harddrive you'll have to modify the existing configuration a bit.

If you want to restore a complete folder, your best option is to use the command-line:

$ sudo rdiff-backup -r <date>  \
   /skole/backup/tjener/skole/tjener/home0/user \

this will leave the content from /skole/tjener/home0/user from <date> in the folder /skole/tjener/home0/user_<date>

If you want to restore a single file, then you should be able to select the file (and the version) from the web-interface, and download only that file.

  • FIXME: continue description of slbackup-php usage, maybe with screenshots

Server Monitoring


Munin trend reporting system is available from https://www/munin/. It provides system status measurement graphis on a daily, weekly, monthly and yearly basis, and allow the system administrator help when looking for bottlenecks and the source of system problems.

The list of machines being monitored using munin is generated automatically based on the list of hosts reporting to sitesummary. All hosts with the package munin-node installed is registered for munin monitoring. It will normally take two days from a machine is installed until munin monitoring start, because of the order the cron jobs are executed. To speed up the process, run sitesummary-client as root on the freshly installed machine, and /etc/cron.daily/sitesummary as root on the sitesummary server (normally the main-server).

Information about the munin system is available from .


Nagios system and service monitoring is available from https://www/nagios3/. The set of machines and services being monitored is automatically generated using information collected by the sitesummary system. The machines with the profile Main-server and Thin-client-server receive full monitoring, while workstations and thin clients receive simple monitoring. To enable full monitoring on a workstation, install the nagios-nrpe-server package on the workstation.

The username is nagiosadmin and the password is undefined, you must set your own password before you can login and use nagios. For security reasons, avoid using the same password as root. To change the password you can run the following command as root:

htpasswd /etc/nagios3/htpasswd.users nagiosadmin

By default Nagios does not send email. This can be changed by replacing notify-by-nothing with host-notify-by-email and notify-by-email in the file /etc/nagios3/sitesummary-template-contacts.cfg.

The Nagios configuration file used is /etc/nagios3/sitesummary.cfg. The sitesummary cron job generate /var/lib/sitesummary/nagios-generated.cfg with the list of hosts and services to monitor.

Extra nagios checks can be put in the file /var/lib/sitesummary/ to get them included in the generated file.

Information about the nagios system is available from or in the nagios3-doc package.


Sitesummary is used to collect information from each computer and submit it to the central server. The information collected is available in /var/lib/sitesummary/entries/. Scripts in /usr/lib/sitesummary/ are available to generate reports.

A simple report from sitesummary without any details is available from https://www/sitesummary/.

Some documentation on sitesummary is available from

More information about Debian Edu customisations

More information about Debian Edu customisations useful for system administrators can be found in the Administration Howto chapter.



/!\ Before explaining how to upgrade, please note, that you do this update on your productive server on your own risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Please read this chapter completly before attempting to upgrade.

General notes on upgrading

Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunatly not yet true as we heavily modify configuration files in ways we shouldn't do. (See Debian bug 311188 for more information.) Upgrading is still possible but might requiere some work.

In general, upgrading the servers is more difficult than the workstations and the main-server is the most difficult to upgrade. The diskless machines are easy, as their chroot environment can be deleted and recreated, if you haven't modified it. If you have, the chroot is basically a workstation chroot anyway, so rather easy to upgrade.

If you want to be sure that after the upgrade everything works like before , you should test the upgrade on (a) test systems, which are configured the same way as your production machines. There you can test the upgrade without risk and see if everything works as it should.

Make sure to also read the information about the Debian lenny release from its installation manual.

Also it might be wise to wait a bit and keep running etch for some more weeks, so that others can test the upgrade, experience problems and document them here. Debian Edu etch will receive continued support for some time in the future, but when Debian ceases support for etch, Debian Edu will (have to) do that too. This is expected to happen on Febrary 16th, 2010.

Upgrades from Debian Edu etch

/!\ Be prepared: make sure you have tested the upgrade from Etch in a test environment or have backups ready to be able to go back.

The basic upgrade operation

  1. Edit /etc/apt/sources.list and replace all occurances of "etch" with "lenny".

  2. run apt-get update

  3. run apt-get upgrade

  4. run apt-get dist-upgrade

LDAP service needs to repaired

Upgrading the debian-edu-config package on tjener is likely to disrupt some services:

  1. slapd wouldn't start.
    It may keep running until next restart, then if it gives:

     tjener:~# invoke-rc.d slapd start
     Starting OpenLDAP: slapd - failed.
     The operation failed but no output was produced. For hints on what went
     wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
     try running the daemon in Debug mode like via "slapd -d 16383" (warning:
     this will create copious output).
     Below, you can find the command line options used by this script to
     run slapd. Do not forget to specify those options if you
     want to look to debugging output:
     slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf                     -4

    And searching /var/log/syslog yelds something like:
    tjener slapd[8894]: could not stat config file "/etc/ldap/schema/dnsdomain2.schema": No such file or directory (2)
    then as a temporary measure to get it running until DNS is sorted.

    1. Comment out the line include   /etc/ldap/schema/dnsdomain2.schema in /etc/ldap/slapd.conf.

    2. Run invoke-rc.d slapd start

Some new indexes have been added to openldap's configuration. in order to benefit from these you need to regenerate indexes:

  1. stop slapd.  invoke-rc.d slapd stop 

  2. check syslog or ps output that it have truly stopped.
  3. run  sudo -u openldap slapindex 

  4. start slapd with  invoke-rc.d slapd start 

DHCP service needs to repaired

  1. dhcp3-server wouldn't start.
    If starting dhcp3-server gives:

     tjener:~# invoke-rc.d dhcp3-server start
     dhcpd self-test failed. Please fix the config file.
     The error was:
     Internet Systems Consortium DHCP Server V3.1.1
     Copyright 2004-2008 Internet Systems Consortium.
     All rights reserved.
     For info, please visit
     /etc/dhcp3/dhcpd.conf line 2: semicolon expected.
     ldap-server "ldap"
     /etc/dhcp3/dhcpd.conf line 3: semicolon expected.
     ldap-port 389;
     /etc/dhcp3/dhcpd.conf line 4: semicolon expected.
     ldap-base-dn  "dc=skole,dc=skolelinux,dc=no"
     /etc/dhcp3/dhcpd.conf line 5: semicolon expected.
     ldap-dhcp-server-cn "dhcp"
     /etc/dhcp3/dhcpd.conf line 6: semicolon expected.
     ldap-method dynamic;
     Configuration file errors encountered -- exiting
     invoke-rc.d: initscript dhcp3-server, action "start" failed.

    Then installing dhcp3-server-ldap is needed install it. Use your favorite package management front-end or run:

     tjener:~# apt-get -q=2 update
     tjener:~# apt-get -q=2 install dhcp3-server-ldap

    If starting dhcp3-server gives:

     tjener:~# invoke-rc.d dhcp3-server start
     dhcpd self-test failed. Please fix the config file.
     The error was:
     Internet Systems Consortium DHCP Server V3.1.1
     Copyright 2004-2008 Internet Systems Consortium.
     All rights reserved.
     For info, please visit
     Connecting to LDAP server ldap:389
     Successfully logged into LDAP server ldap
     Cannot find host LDAP entry dhcp (&(objectClass=dhcpServer)(cn=dhcp))
     Configuration file errors encountered -- exiting
     invoke-rc.d: initscript dhcp3-server, action "start" failed.
    Then DHCP configuration needs loading into LDAP. Two ways to do it are:
    1. To load an existing configuration into the database:
      1. Locate the appropriate dhcp.conf, the last one should be in /etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old or get one from backups.

      2. Extract /usr/share/doc/dhcp3-server-ldap/

      3. Set /usr/share/doc/dhcp3-server-ldap/ executable.

      4. Run /usr/share/doc/dhcp3-server-ldap/, optionaly with --help first or read the comments in code.

      5. View and check the resulting ldif file. Though DHCP is likely to function fine with this file, to keep as close as possible to the default configuration it is probably best to keep the entries for the configured individual hosts and replace the general entries (i.e. dhcpService, dhcpSharedNetwork, dhcpSubnet, etc.) with those from etc/ldap/dhcp.ldif.

      6. Load the resulting ldif file to the LDAP database.
      7. Start dhcp3-server.

       tjener:~# cd /usr/share/doc/dhcp3-server-ldap/
       tjener:/usr/share/doc/dhcp3-server-ldap# gunzip
       tjener:/usr/share/doc/dhcp3-server-ldap# chmod 0744
       tjener:/usr/share/doc/dhcp3-server-ldap# ./ --server "dhcp" \
       >     --basedn "dc=skole,dc=skolelinux,dc=no" \
       >     --dhcpdn "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" \
       >     --conf "/etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old" --ldif "/etc/ldap/migrate-dhcp.ldif"
       Creating LDAP Configuration with the following options:
              Base DN: dc=skole,dc=skolelinux,dc=no
              DHCP DN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
              Server DN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
       tjener:/usr/share/doc/dhcp3-server-ldap# cd /etc/ldap/
       tjener:/etc/ldap# # At this point it's recommended to view migrate-dhcp.ldif side by side
       tjener:/etc/ldap# # with dhcp.ldif and make some manual adjustments, before running:
       tjener:/etc/ldap# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
       >                         -f /etc/ldap/migrate-dhcp.ldif
       Enter LDAP Password:
       adding new entry "cn=dhcp, dc=skole,dc=skolelinux,dc=no"
       tjener:/etc/ldap# invoke-rc.d dhcp3-server start
        * Starting DHCP server dhcpd3                                            [ ok ]
    2. To load The fresh configuration into the database:
      If there are only few configured host and adding them later to the configuration is no bother just run ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -f /etc/ldap/dhcp.ldif

  2. Squid wouldn't start.
    If starting Squid gives:

     tjener:~# invoke-rc.d squid start
     * Starting Squid HTTP proxy squid
     2009/08/23 00:20:56| ACL name 'localnet' not defined!
     FATAL: Bungled squid.conf line 2577: http_access allow localnet
     Squid Cache (Version 2.7.STABLE3): Terminated abnormally.
    It's complaint is self explanatory. Two options to overcome this are:
    1. To keep the old /etc/squid/squid.conf just comment-out or remove the offending line http_access allow localnet.

    2. To stay current copy the new squid.conf distributed in the squid package:
       tjener:~# cd /etc/squid/
       tjener:/etc/squid# mv squid.conf etch-squid.conf
       tjener:/etc/squid# cp /usr/share/doc/squid/examples/squid.conf squid.conf
      1. To have the default Debian Edu configuration run cfengine-debian-edu

      2. Any customized settings in the old configuration should be copied from the old file ( dropping lines acl schoolnet*, acl ltspnet*, http_access allow schoolnet and http_access allow ltspnet these were replaced by the acl localnet* and *access allow localnet lines).

User logins from Windows machines needs to repaired

  1. Users can't login from Windows machines.
    A change in Samba that has become apparent in Lenny (see 532859) prevents users login to Samba unless sambaPwdLastSet attribute is set other than zero in their LDAP entry.

    1. To add the 'sambaPwdLastSet' attribute for new users to be created in lwat make sure /etc/lwat/admin.ini contain the line 'sambaPwdLastSet = 1' for each group. See also: Debian Edu bug#1364.

    2. To find which users are affected try:
      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(|(!(sambaPwdLastSet=*))(sambaPwdLastSet=0)))' uid  | less
    3. To add the 'sambaPwdLastSet' attribute to users where it isn't set try:

      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(!(sambaPwdLastSet=*)))' dn | sed '/.\+/a\changetype: modify\nadd:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif
      ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
                  -f /etc/ldap/fixamba.ldif
    4. If users with 'sambaPwdLastSet = 0' were found and allowing them to login is desired, try:

      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(sambaPwdLastSet=0))' dn | sed '/.\+/a\changetype: modify\nreplace:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif
      ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
                 -f /etc/ldap/fixamba.ldif

      See also SambaLDAP.

DNS service needs to repaired

For lenny Debian Edu has switched to powerdns as nameserver. It's however possible to stay with bind9.


If you want to continue running bind, you must add the RFC 2782 entries in /etc/bind/debian-edu/db.intern:

_ldap._tcp                      IN      SRV     0 100 389 tjener
_syslog._udp                    IN      SRV     0 100 514 tjener


To switch to powerdns:

  1. install the packages pdns-server, pdns-recursor and pdns-backend-ldap.

     tjener:~# apt-get -q=2 update
     tjener:~# apt-get -q=2 install pdns-server pdns-recursor pdns-backend-ldap
  2. In /etc/ldap/slapd.conf:

    1. Uncomment the line include   /etc/ldap/schema/dnsdomain2.schema, if it was commented-out earlier (1.1).

    2. It's recommended to index associatedDomain, at the indices area add the lines:

       # PowerDNS index
       index associatedDomain         pres,eq,sub
  3. Restart slapd invoke-rc.d slapd restart.

  4. Load the DNS data into LDAP either using the default Debian Edu or the existing Bind9 configuration:
    1. To use the default Debian Edu configuration:
      1. Add the contents of /etc/ldap/dns_skole.ldif and /etc/ldap/dns_arpa.ldif using ldapadd.

         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                 -f '/etc/ldap/dns_skole.ldif'
         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                 -f '/etc/ldap/dns_arpa.ldif'
    2. To migrate Bind's configuration:

      1. There is a utility called zone2ldap provided in the PowerDNS distribution which convert zone files used by BIND to the ldif format, it is broken in Lenny (504061), fixed packages are available in Squeeze.
        To use the one from Etch:

        1. Download etch-i386-pdns-backend-ldap.

        2. Unpack it using dpkg or dpkg-deb and replace the faulty /usr/bin/zone2ldap:

           tjener:/tmp# dpkg-deb -x pdns-backend-ldap_2.9.20-8+etch1_i386.deb \
           >                     pdns-backend-ldap_2.9.20
           tjener:/tmp# cp pdns-backend-ldap_2.9.20/usr/bin/zone2ldap /usr/bin/zone2ldap
        3. Apparently PowerDNS in Lenny ( doesn't understand AFSDB records same for `zone2ldap', when reading an AFSDB record it will quit with an error message.
          To workaround this limitation comment-out (with ' ; ') AFSDB records in the named db.* files, grep -rl AFSDB /etc/bind/* will disclose them.

        4. At last the conversion can be executed:
           tjener:~# zone2ldap --basedn='ou=hosts,dc=skole,dc=skolelinux,dc=no' --layout=tree \
           >                   --named-conf='/etc/bind/debian-edu/named-bind9.conf' --resume \
           >               > /etc/ldap/skole-zone2ldap
      2. Before the data in the new ldif file can be added to the database the "basedn" must be created:
         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no'
         Enter LDAP Password:
         dn: ou=hosts,dc=skole,dc=skolelinux,dc=no
         objectClass: organizationalUnit
         objectClass: domainRelatedObject
         ou: hosts
         associatedDomain: intern
      3. The format of the ldif file created by zone2ldap is suitable for `ldapmodify':

         tjener:~# ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                    -f /etc/ldap/skole-zone2ldap
  5. Time to stop bind9 and start pdns and pdns-recursor:

     tjener:~# invoke-rc.d bind9 stop
     tjener:~# invoke-rc.d pdns start
     tjener:~# invoke-rc.d pdns-recursor start
  6. After testing the new PowerDNS setup Bind9 may be disabled/removed/purged.

Nagios setup has changed

Nagios2 is not available in lenny anymore, so nagios3 is now installed.

The nagios3 configuration will already be installed and functional, though the nagios2 configuration won't be functional anymore. If you changed the nagios2 configuration, your changes will be saved in .dpkg-old files, but the changes will not be applied to the nagios3 configuration. So these changes have to be redone manually.

Recreating an LTSP chroot

On the LTSP server(s) the LTSP chroot should be recreated. The new chroot will automatically support both thin-clients and diskless workstations.

Remove /opt/ltsp/i386 (or /opt/ltsp/amd64, depending on your setup. If you have enough diskspace, consider backing it up.

Recreate the chroot by running debian-edu-ltsp && ltsp-make-client as root.

Upgrades from older Debian Edu / Skolelinux installations (before etch)

To upgrade from any older release, you will need to upgrade to the etch based Debian Edu release first, before you can follow the instructions provided above. How to upgrade to etch is described in the Manual for Debian Edu etch.




HowTos for general administration

The Getting Started and DebianEdu/Documentation/Lenny/Maintainance chapters describe how to get started with Debian Edu and how to do the basic maintainance work. The howtos in this chapter have some more "advanced" tips and tricks.

Configuration history: tracking /etc/ using the svk version control system

With the introduction of the etcinsvk script in Debian Edu, all files in /etc/ are tracked using svk as a version control system.

This makes it possible to see when a file is added, changed and removed, as well as what was changed if the file is a text file. The svk repository is stored in ~root/.svk/. Every hour any changes are automatically recorded, allowing configuration history to be extracted and reviewed.

To look at the history, the command etcinsvk log is used. To check the differences between two points in time, a command like etcinsvk diff -r6:8 can be used. The numbers 6 and 8 here represent revision numbers, which can be found by using etcinsvk log. See below for some examples.

See the output of etcinsvk --help for verbose information.

List of useful commands:

etcinsvk diff
etcinsvk log
etcinsvk status
etcinsvk commit
etcinsvk ignore

Usage examples

In a freshly installed system try this to see all changes done since the system was installed:

etcinsvk diff -r6 | less

To see the list of changes done in /etc/, use this command:

etcinsvk log | less

Here check revision numbers by date and time. To see all changes done since revision N say:

etcinsvk diff -rN | less

To see the changes done to a specific file between specific revisions, specify the file and both revisions:

etcinsvk diff -r46 -r64 /etc/resolv.conf | less

To revert a change, use the diff command to look at the change, and edit the file to undo the change, or use a command like this to do it automatically:

( cd /etc && etcinsvk diff -r6 /etc/resolv.conf | patch -p0 -R )

To manually commit a file, because you don't want to wait up to an hour:

etcinsvk commit /etc/resolv.conf

If you don't want a specific file to be tracked in svk, you can tell to ignore it. But this is rarely useful :)

etcinsvk ignore /etc/path/to/file/to/be/ignored

For those who upgraded from Etch

debian-edu-etc-svk was moved to a separate package and renamed to etcinsvk for Lenny. Those used to using debian-edu-etc-svk should start to use etcinsvk instead.

Resizing Partitions

Most partitions in Debian Edu are logical LVM volumes. Only the /boot/ partition is not. With the Debian/Etch release of Debian Edu, it is possible to extend partitions while they are mounted. This is a feature of the Linux kernel since version 2.6.10. Shrinking partitions still need to happen while the partition is unmounted.

It is a good idea to avoid creating very large partitions, as large partitions will take a long time to restore from backup if the need should arise, and file system checks take a very long time for large partitions. A good limit can be 20 GiB. It is better, if possible, to create several smaller partitions than one very large one.

To make it easier to extend full partitions, the debian-edu-fsautoresize script is provided. When invoked, it reads the configuration from /usr/share/debian-edu-config/fsautoresizetab, /site/etc/fsautoresizetab and /etc/fsautoresizetab. It proposes to extend partitions with too little free space based on the rules provided in these files. Without any arguments, it will only show the commands needed to extend the file system. The argument -n is needed to actually execute this commands to extend the file systems.

The script is executed automatically every hour on every client listed in the fsautoresize-hosts netgroup.

When resizing the partition used by the Squid proxy, the cache size in etc/squid/squid.conf need to be updated as well. The helper script /usr/share/debian-edu-config/tools/squid-update-cachedir is provided to do this automatically, checking the current partition size of /var/spool/squid/ and configuring Squid to use 80% of this as its cache size.

Logical Volume Management

Logical Volume Management (LVM) enables resizing the partitions while they are mounted and in use. You can learn more about LVM in the LVM HowTo.

To extend a logical volume manually you simply tell the lvextend command how large you want it to grow to. For example, to extend home0 to 30GB you use the following commands:

lvextend -L30G /dev/vg_system/skole+tjener+home0
resize2fs /dev/vg_system/skole+tjener+home0

To extend home0 by 30G, you insert a '+' (-L+30G)

Using ldapvi

ldapvi is a tool to edit the LDAP database with a normal text editor on the commandline.

The following needs to be executed:

ldapvi --host ldap -ZZ --bind simple --tls allow -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no'

Then make your changes, safe and quit the editor. That's it!

Alternatively, to save key-strokes try:

ldapvi --ldap-conf -ZD '(cn=admin)'

Note: ldapvi will use whatever is the default editor. By executing export EDITOR=vim in the shell prompt one can configure the environment to get a vi clone as editor.

/!\ Warning: ldapvi is a very powerful tool. Be careful and don't mess up the LDAP database.

luma, an LDAP GUI

If you prefer a GUI to work with the LDAP database, check out the luma package.


What is debian-volatile?

Quoting from the webpage:

  • Some packages aim at fast moving targets, such as spam filtering and virus scanning, and even when using updated data patterns, they do not really work for the full time of a stable release. The main goal of volatile is allowing system administrators to update their systems in a nice, consistent way, without getting the drawbacks of using unstable, even without getting the drawbacks for the selected packages. So debian-volatile will only contain changes to stable programs that are necessary to keep them functional.

How to use volatile

Since the Lenny release, the volatile archive is enabled and used by default.

Using to install newer software

You are running Debian Edu, because you prefer the stability of Debian Edu. It runs great, there is just one problem: Sometimes software is a little bit more outdated as you like. This is where steps in.

Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu. We recommend you to pick out single backports which fits your needs, and not to use all backports available there.

Using is simple:

echo "deb lenny-backports main contrib non-free" >> /etc/apt/sources.list
apt-get update

Then you can either use aptitude -t lenny-backports install <packagename> to install or update packages once, or you can configure a package to be always installed from though /etc/apt/preferences.

The latter is described in the instructions on and has the advantage, that updates to backports are installed automatically when they are available. With the first variant you need to update manually.

Upgrading with a CD or DVD ROM

If you want to upgrade from one version to another (for example from Lenny 5.0.4 to 5.0.6) but you do not have Internet connectivity, only a physical media, follow these steps:

Insert the CD/DVD-ROM in the drive, mount it and use apt-cdrom command:

mount /cdrom
apt-cdrom add -m

Quoting from apt-cdrom(8) man page:

  • apt-cdrom is used to add a new CDROM to APTs list of available sources. apt-cdrom takes care of determining the structure of the disc as well as correcting for several possible mis-burns and verifying the index files.
  • It is necessary to use apt-cdrom to add CDs to the APT system, it cannot be done by hand. Furthermore each disk in a multi-cd set must be inserted and scanned separately to account for possible mis-burns.

Then run these two commands to upgrade the system:

apt-get update
apt-get upgrade


running standalone Java applications

Standalone Java applications are supported out of the box by the OpenJDK Java runtime.

running Java applications in the webbrowser

The version of the OpenJDK Java runtime available in Debian Edu Lenny does not support to run Java applications in the webbrowser, this will be fixed in the next release. On Lenny, the non-free (but freely available) Java from Sun needs to be installed.

To install Java from Sun you need to edit the /etc/apt/sources.list first to make sure it will install packages from non-free. There needs to be a line like this:

deb lenny main contrib non-free

Then do:

# apt-get update

Now you are ready to run this command:

# apt-get install sun-java6-plugin sun-java6-jre sun-java6-fonts

Creating folders in the home directories of all users

With this script the administrator can create a folder in each users home directory and set access permissions and ownership.

In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.

        for home in $(ls $home_path);do
          if [ ! -d "$home_path/$home/$shared_folder" ]; then
          mkdir $home_path/$home/$shared_folder
        chmod $permissions $home_path/$home/$shared_folder
  #set the right owner and group
  #"username" = "group name" = "folder name"
        chown $user:$group $home_path/$home/$shared_folder
    echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
echo "$created_dir folders has been created"

Easy access to USB drives and CDROMs/DVDs

When users insert a USB drive or DVD/CDROM into a (diskless) workstation, there is a popup windows asking what to do with it, just like in any other normal installation.

When users insert a USB drive or DVD/CDROM into a thin client there is no popup window like they are used to from their usual Desktop. Instead it is automatically mounted and they have to browse to the /media/$user folder to access it.. This is quite difficult for many non experienced users.

With the following script the symlink "Media" is created for all users in the home folder for easy access to USB drives, CDROMs or whatever media is connected to the thin client.

home_path="/skole/tjener/home0"; shared_folder="Media"; permissions="775"; created_dir=0;
for home in $(ls $home_path); do
  if [ ! -d "$home_path/$home/$shared_folder" ]; then
    ln -s /media/$home $home_path/$home/$shared_folder ((created_dir+=1))
    echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
echo "$created_dir folders has been created"

A warning about removable media on LTSP servers

/!\ Warning: When inserted into a LTSP server USB drives and other removable media cause popup messages on remote LTSP clients.

When a remote users acknowledges the popup or uses pmount from console, a remote user can even mount the removable devices and access the files.

This is being tracked as Debian Edu bug #1376.

Automatic cleanup of left-over processes

killer is is a perl script that gets rid of background jobs. Background jobs are defined as processes that belong to users who are not currently logged into the machine. It's run by cron job once an hour.

/!\ Due to 551753 (also documented as Debian Edu bug #1373) killer should not be installed on thin-client servers when long usernames are used!

To install it run the following command as root:

 apt-get install killer

Automatic shutdown of machines during the night

It is possible to save energy and money by turning off client machines at night, and turn them automatically on in the morning. The package will try to turn off the machine every hour on the hour from 16:00 in the afternoon, but not turn it off if the machine seems to have users. It will try to tell the bios to turn on the machine around 07:00 in the morning, and the main-server will try to turn on machines from 06:30 using wake-on-lan packages. These times can be changed in the crontabs of individual machines.

There are some considerations to make when doing this:

  • The clients should not be shut down when someone is using them. This is done by checking the output from who, and as a special case, checking for the LDM ssh connection command to work with LTSP thin clients.

  • To avoid breaking electrical fuses, it is a good idea to make sure all clients do not start at the same time.
  • There are two different methods available to wake up clients. One uses a BIOS feature and require a working and correct hardware clock, as well as a motherboard and BIOS version supported by nvram-wakeup, The other require a server with knowledge about all the clients to wake up and for all the clients to have support for wake-on-lan.

How to set up shutdown-at-night

On clients that should turn off at night, touch /etc/shutdown-at-night/shutdown-at-night, or add the hostname (ie the output from 'uname -n' on the client) to the netgroup "shutdown-at-night-hosts". Adding hosts to the netgroup in LDAP can be done using the lwat web tool. The clients might need to have wake-on-lan configured in the BIOS. It is also important that the switches and routers used between the wake-on-lan server and the clients will pass the WOL packages to the clients even if the clients are turned off. Some switches fail to pass on packages to clients that are missing in the ARP table on the switch, and this block the WOL packages.

To enable wake-on-lan on the server, add the clients to /etc/shutdown-at-night/clients, with one line per client, IP address first, and MAC address (ethernet address) next, with space between them, or create a script /etc/shutdown-at-night/clients-generator to generate the list of clients on the fly.

Here is an example /etc/shutdown-at-night/clients-generator for use with sitesummary:

  export PATH
  sitesummary-nodes -w

An alternative if the netgroup is used to activate shutdown-at-night on clients is this script using the netgroup tool from the ng-utils package:

  export PATH
  netgroup -h shutdown-at-night-hosts

/!\ This text was originally taken from this README.

Access to skolelinux server from outside a firewall

A boot script open-backdoor is provided in the debian-edu-config package to "break out" from behind a firewall. It is useful for system administrators responsible for several Debian Edu installations. It set up an SSH tunnel to another machine, allowing ssh login from the outside of the firewall.

To enable it, create a ssh key without a password, create a user on a remote host to use for ssh login, copy the public key into ~/.ssh/authorized_keys for the remote user used for and specify the login information in /etc/default/backdoor.

Content of /etc/default/backdoor should be similar to this:

FIXME: paragraph about access from outside need to be completed and tested.

Installing single service machines for spreading the load from main-server

FIXME: this is so generic its almost useless

  • install the minimal profile using the debian-edu-expert boot-option

  • install the packages for the service
  • configure the service
  • disable the service on main-server
  • update DNS on main-server

Configuring the PXE menu

The PXE configuration is generated using the debian-edu-pxeinstall script. It allow some settings to be overriden by adding a file /etc/debian-edu/pxeinstall.conf with replacement values.

Configuring the PXE installation

The PXE installation option is by default available to anyone able to PXE boot a machine. To password protect the PXE installation options, a file /var/lib/tftpboot/menupassword.cfg can be created with content similar to this:


The password hash should be replaced with a MD5 hash for the wanted password.

The PXE installation will inherit the language, keyboard layout and mirror settings from the settings used when installing the main-server, and the other questions will be asked during installation (profile, popcon participation, partitioning and root password). To avoid these questions, the file /etc/debian-edu/www/debian-edu-install.dat can be modified to provide preselected answers to debconf values. Some examples of available debconf values are already commented in /etc/debian-edu/www/debian-edu-install.dat. Your changes will be lost as soon as debian-edu-pxeinstall is used to recreate the PXE-installation environment. To append debconf values to /etc/debian-edu/www/debian-edu-install.dat during recreation with debian-edu-pxeinstall, add the file /etc/debian-edu/www/debian-edu-install.dat.local with your additional debconf values.

FIXME: Compare with DebianEdu/Documentation/Lenny/HowTo/NetworkClients and get rid of redundant information.

HowTos from

The HowTos from are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)


HowTos for the desktop

KDE Kiosk mode

Two default profiles are included:

debian_edu_pupils (enabled for members of the students file group)

  • customized set of icons appears on student desktops
  • makes sure that the programs behind the desktop icons also show up in the kde panel
  • adept is not started
  • makes sure that students cannot start another kde session
  • disables possibility to gain root access for students

debian_edu_root (enabled for the root user and members of the admins file group)

  • adds a desktop icon to connect to the local webserver on tjener to provide easy access to all the administration programs

Note:: modifications to the profiles can be done using kiosktool. However, unless you follow the step below, your changes will be overwritten by upgrades. FIXME: this is broken and a bug should be filed: kiosktool upgrades restore default desktop icons

If you want to modify the kiosk profiles, you can either copy the existing ones and modify them, or create new kiosk profiles in (for example) /etc/kde3/kioskprofiles/ and enable them in /etc/kde-user-profile. The kiosk tool will do this for you if you click "profile properties" and browse to a new folder.

Changing kioskmode on diskless workstations

After you have made changes to the kioskmode settings with kiosktool like described above, you will have to copy some files inside the chroot used by the diskless workstation.

Assuming the diskless workstations are running i386, the following commands must be executed on the workstation server(s):

export LTSPCHROOT=/opt/ltsp/i386/
cp -rv /etc/kde-profile/ $LTSPCHROOT/etc/
cp -v /etc/kderc $LTSPCHROOT/etc/
cp -v /etc/kde-user-profile $LTSPCHROOT/etc/

Else replace i386 with amd64 or powerpc as applicable.

Disabling kioskmode

If you don't want to use kioskmode, either just remove the file /etc/kderc. Or, if you just want to temporarily disable kioskmode, comment out all entries in there.

Modifying the kdm login screen

In Debian/Etch, the way to customize the kdm login screen was changed. Now, it is done by adding a file in /etc/default/kdm.d/ specifying variables to override the default.

Here is one example used to activate the theme in the desktop-base package:


See the code in /etc/init.d/kdm for information on how these variables are used.


The free software flash-player gnash is installed by default, but switching to Adobe Flash is an option. To install the (non-free) Adobe Flash Player web browser plugin, install the flashplugin-nonfree debian package from

There are three requirements to do so:

  • add entries to /etc/apt/sources.list as decribed in the general adminstration howtos

  • add the following lines to /etc/apt/preferences (the file probably does not exist, so you might have to create it):

Package: flashplugin-nonfree
Pin: release a=lenny-backports
Pin-priority: 999
  • as the flashplugin-nonfree package is only an installer-package (and does not contain the flashplugin itself, for legal reasons), it also requires a working internet connection as it will download the precompiled binary from Adobes website.

Sound with Flash on thin clients

Additionally to the flashplugin-nonfree package (see above) you just need to install the flashplugin-nonfree-extrasound package.

Playing DVDs

libdvdcss is needed for playing most commercial! DVDs. For legal reasons it's not included in Debian (Edu). If you are legally allowed to use it, you can use the packages from Add the multimedia repository (as described just below this paragraph) and install multimedia and dvd libraries:

apt-get install libdvdcss2 w32codecs

Using the multimedia repository

To use do the following:

# install the debian-keyring securily:
apt-get install debian-keyring
# fetch the deb-multimedia key insecurily:
gpg --keyserver --recv-keys 1F41B907
# check securily if the key is correct and add it to the keyring used by apt if it is:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 1F41B907 && gpg --export 1F41B907 | apt-key add -
# add repository to sources.list - please check the homepages for mirrors!
echo "deb lenny main" >> /etc/apt/sources.list
# update the list of available packages:
apt-get update

Handwriting fonts

The package ttf-linex (which is installed by default) installs the font "Abecedario" which is a nice handwriting font for kids. The font has several forms to be used with kids: dotted, and with lines.


HowTos for networked clients

Introduction to Thin clients and Diskless workstations

One generic term for both thin clients and diskless workstations is LTSP client. LTSP is the Linux Terminal Server Project.

Thin client

A thin client setup enables a ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots from a diskette or directly from the server using network-PROM (or PXE) without using a local client hard drive.

Diskless workstation

A diskless workstation runs all software locally. The client machines boot direcly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but it runs on the diskless workstation. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing newer hardware with the same low maintanence cost as with thin clients.

Machine type selection based on the network

Each LTSP server has two ethernet cards, one is configured in the subnet (which is shared with the main server) and another forming a local subnet (this subnet is a seperate subnet for each LTSP server).

Diskless workstations get IP addresses assigned in the private subnet, while thin clients are connected in the seperate subnet

Changing the PXE menu on an LTSP server

The PXE menu allows network booting of LTSP clients, the installer and other alternatives. The file /var/lib/tftpboot/pxelinux.cfg/default is used by default if no other file in that directory matches the client, and out of the box it is set to link to /var/lib/tftpboot/debian-edu/default-menu.cfg.

If one want all clients to boot as diskless workstations instead of getting the full PXE menu, this can be implemented by changing the symlink:

ln -s /var/lib/tftpboot/debian-edu/default-diskless.cfg /var/lib/tftpboot/pxelinux.cfg/default

If one want all clients to boot as thin clients instead, change the symlink like this:

ln -s /var/lib/tftpboot/debian-edu/default-thin.cfg /var/lib/tftpboot/pxelinux.cfg/default

See also the pxelinux documentation at .

If one wants clients on the 192.168.x.x interface of a thin client server to boot as diskless workstations instead of thin clients, edit


and add a '3' (no quotes) to the end of the line. There is no need to add these workstations in lwat, saving you some work and some "staticxx" IP addresses (see below).

Separate main- and LTSP servers

For performace and security considerations it might be desired to set up a seperate main server which doesn't act as LTSP server.

To have ltspserver00 serve diskless workstations on the main (10.0.x.x) network, when tjener is not a combined server, one needs to follow these steps:

  • copy the ltsp directory from /var/lib/tftpboot from ltspserver00 to the same directory on tjener.
  • copy /var/lib/tftpboot/debian-edu/default-diskless.cfg to the same directory on tjener.

  • edit /var/lib/tftpboot/debian-edu/default-diskless.cfg to use the IP address of ltspserver00, the following example uses (which is the default):

 DEFAULT ltsp/i386/vmlinuz initrd=ltsp/i386/initrd.img nfsroot= boot=nfs ro quiet 3
  • set the symlink in /var/lib/tftpboot/pxelinux.cfg on tjener to point to /var/lib/tftpboot/debian-edu/default-diskless.cfg.

How to extend the range of static IP addresses

Out of the box Debian Edu only has 50 static addresses available on the network. To extend this to 90 addresses, you can do the following.

  1. Download ext_static.ldif. The LDIF makes the following changes to the LDAP catalog:

    • It changes the dynamic DHCP range from to
    • It deletes the DNS records for dhcp370 ( to dhcp399 (
    • It adds DNS records for static50 ( to static90 (
  2. Apply the changes described in ext_static.ldif:

ldapmodify -x -Z -W -D cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no -f ext_static.ldif

When prompted, enter the LDAP admin password. You now have 40 extra static addresses, at the cost of 29 dynamic addresses.

LTSP in detail


To make special adaptations and configurations for specific thinclients, you can edit the file /opt/ltsp/i386/etc/lts.conf. Have a look at /opt/ltsp/i386/usr/share/doc/ltsp-client-core/examples/lts.conf to see some examples and see /usr/share/doc/ltsp-server/lts-parameters.txt.gz for all parameters you can specify.

The default values is defined under [default], to configure one client, specify which client using the client mac adress or ipadress like this [].

Example: To make the thinclient ltsp010 use 1280x1024 resolution, add something like this:

X_MODE_0 = 1280x1024
X_HORZSYNC = "60-70"

somewhere below the default settings.

Depending on what changes you make, it may be necessary to restart X on the client (by pressing alt+ctrl+backspace) or restart the client.

To use ipadresses in lts.conf you should add the client mac-address to your dhcp-server. Otherwise you should use the client mac-address directly in you lts.conf file.

Load balancing LTSP servers

Part 1

It is possible to set up the clients to connect to one of several servers for load balancing. This is done by providing /opt/ltsp/i386/usr/lib/ltsp/get_hosts as a script printing one or more servers for LDM to connect to. In addition to this, each ltsp chroot need to include the ssh host key for each of the servers.

First of all, you must choose one LTSP server to be the loadbalancing server. All the clients will PXE-boot from this server and load the Skolelinux image. After the image is loaded, LDM chooses which server to connect to by using the "get_hosts" script. How this is done you decide later on.

Now you have to move your clients from the network to the network. This is because when you use loadbalancing, the clients should have direct access to the server LDM chooses. If you leave your clients on the network, all of the clients traffic will go through that server before it reaches the chosen LDM server.

To get the clients working on the network, you have to edit /etc/dhcp3/dhcpd.conf on the main-server (tjener). Where it says:

/!\ FIXME: This need to be changed as DHCP configuration is in LDAP.

subnet netmask {

you have to add this under "range":

filename "/var/lib/tftpboot/ltsp/i386/pxelinux.0";
next-server xxx;
option root-path "/opt/ltsp/i386";
option log-servers ltspserver01;
use-host-decl-names on;

Next-server should be the IP-address or hostname of the server you chose to be the loadbalancing server. If you use hostname you must have a working DNS. Remember to restart the dhcp service.

Part 2

Now you have to make a "get_hosts" script that prints a server for LDM to connect to. The parameter LDM_SERVER overrides this script. In consequence, this parameter must not be defined if the get_hosts is going to be used. The get_hosts script writes on the standard output each server IP address or host names, in the random order.

Edit "/opt/ltsp/i386/etc/lts.conf" and add something like this:

MY_SERVER_LIST = "xxxx xxxx xxxx"

Replace xxxx with either the IP or hostname of the servers, list must be space separated. Then, put the following script in /opt/ltsp/i386/usr/lib/ltsp/get_hosts on the server you chose to be the loadbalancing server.

# Randomize the server list contained in MY_SERVER_LIST parameter
for i in $MY_SERVER_LIST; do
let "rank %= 100"
TMP_LIST=$(echo -e $TMP_LIST | sort)
for i in $TMP_LIST; do
SHUFFLED_LIST="$SHUFFLED_LIST $(echo $i | cut -d_ -f2)"

Part 3

Now that you've made the "get_hosts" script, it's time to make the ssh host key for the ltsp chroots. This can be done by making a file containing the content of /opt/ltsp/i386/etc/ssh/ssh_known_hosts from all the ltsp servers that will be loadbalanced. Save this file as /etc/ltsp/ssh_known_hosts.extra on all loadbalance servers. The last step is very important because ltsp-update-sshkeys runs every time a server is booted, and /etc/ltsp/ssh_known_hosts.extra is included if it exists.

/!\ If you save your new host file as /opt/ltsp/i386/etc/ssh/ssh_known_hosts, it will be erased when you reboot the server.

There is some obvious weaknesses with this setup. All clients get their image from the same server, this causes high loads on the server if many clients are booted at the same time. Also the clients require that server to always be available, without it they cannot boot or get a LDM server. Therefore this setup is very dependent on one server, which isn't very good.

Your clients should now be loadbalanced!

Sound with LTSP clients

LTSP thin clients supports three different audio systems for applications, ESD, PulseAudio and ALSA. ESD and PulseAudio support networked audio and are used to pass audio from the server to the clients. ALSA is configured to redirect its sound via PulseAudio. For selected applications only supporting the OSS audio system, a wrapper is created by /usr/sbin/debian-edu-ltsp-audiodivert to redirect their sound to PulseAudio. Run this script without arguments to get a list of applications with such redirection enabled.

LTSP diskless workstations handle audio locally and have none of the special setup needed for networked audio.

Upgrading the LTSP environment

It is useful to upgrade the LTSP environment with new packages fairly often, to make sure security fixes and improvements are made available. To upgrade, run these commands as user root on each LTSP server:

chroot /opt/ltsp/i386
mount -t proc proc /proc
aptitude update
aptitude upgrade
aptitude dist-upgrade
umount /proc

Installing additional software in the LTSP environment

To install additional software for LTSP client you must perform the installation inside the chroot of the LTSP server.

chroot /opt/ltsp/i386
## optionally, edit the sources.list:
#vim /etc/apt/sources.list
mount -t proc proc /proc
aptitude update
aptitude install $new_package
umount /proc

Slow login and security

Skolelinux has added several security features on the client network preventing unauthorised super user access, stopping password sniffing and other tricks which may be used on a local network. One such security measures is secure login using ssh wich is default with LDM. This can slow down some client machines which are older than 10 years, having as little as 160 MHz processor and 32 MB RAM. Even if not recomended, you can add the "True" value in ...


should be added to the server in the /opt/ltsp/i386/etc/lts.conf file.

/!\ Warning: Above protects initial login but all activities after that use unencrypted XDMCP. Passwords (except the initial one) will travel in cleartext over the network, as well as anything else.

Note: Since such 10 year old thin clients may also get trouble with running never versions of and Firefox/Iceweasel due to pixmap caching issues, you may consider running thin clients with at least 128 MB RAM, or upgrade to hardware, which will also give you the benefit of being able to use them as diskless workstations.

Replacing LDM with KDM

Skolelinux 3.0 is running LDM as a login manager. It uses a secure ssh tunnel to log in. When using KDM a switch to XDMCP is neccesary. XDMCP uses less CPU ressources on the clients and on the server.

/!\ Warning: XDMCP does not use encryption. Passwords will travel in cleartext over the network, as well as anything else.

/!\ Note: local devices with ltspfs will stop working without LDM.

To check if XDMCP is running, run this command from a workstation:

 X -query ltspserverXX

If you are on the thin client network, please run this command:

 X -query

The goal is to let your "real" thin client to contact the xdmcp-server on the net (given a standard Skolelinux configuration).

If by some reason xdmcp is accessible on your server which runs KDM , please add the following to /etc/kde3/kdm/Xaccess

 * # any host can get a login window

The star before the comment '#' is important, rest is a comment of course :)

Then turn on xdmcp in kdm with the command:

 sudo update-ini-file /etc/kde3/kdm/kdmrc Xdmcp Enable true

At the end please restart kdm by running:

 sudo invoke-rc.d kdm restart

(in courtesy of Finn-Arne Johansen)

Connecting Windows machines to the network / Windows integration

Joining the domain

For Windows clients the Windows domain "SKOLELINUX" is available to be joined. A special service called Samba, installed on the main-server tjener, enables Windows clients to store profiles and userdata and also authenticates the users during the login.

In order to make Windows clients join the domain some (few) steps are required:

1. Create a user with membership in the "admins" group (if not already existing)

  • In order to be able to join the "SKOLELINUX" domain a member of the admins group needs to authorize the process. If not yet existing, a user with that membership needs to be added (for more information see <link to lwat docu>). The user "root" will not work, because there is no password for root in Samba.

2. Configure the Windows client as static host

  • When joining a samba domain some special data is stored on the domain controller (tjener). This data is needed to recognize the Windows client later as being allowed to authenticate users. In order to enable Samba to store this data, Samba requires an static host configuration to be present. This could be added by using the LWAT web interface (see also <link to lwat>). When adding the static host configuration it is important to check the "Samba host" option, otherwise will lack the required data to be able to join the domain.

3. On the Windows client: Make sure the network and system configuration matches the data stored on tjener (hostname and ip configuration).

  • It's really important, that the Windows hosts have the same data, otherwise Samba will not find the host added in step 2.

4. Join the domain as usual using the user added in step 1.

  • Depending on the version and language of you Windows installation, you should find the configuration about the domain or workgroup of your system somewhere in the system properties. A freshly installed Windows system should belong to a default workgroup. You can join the domain by selecting "Domain" instead of "Workgroup" and entering SKOLELINUX as new domain. Pressing enter will then open a new window, where the login data of the user created in step 1. can be entered. After some time the Windows client opens a popup window with a welcome message. After the obligatory reboot the loginscreen offers a option to login into the domain.

Windows will sync the profile of domain users on every login and logout. Depending on how much data stored in the profile this could take some time. To minimize the time needed, one should deactivate things like local cache in browsers (you could use the squid proxycache installed on tjener instead) and save file into the H: volume instead of "Own files".

User groups in Windows

Groupmaps must also be added for any other user groups you add through lwat. If you want your user groups to be available in Windows, eg for netlogon scripts or other group dependant actions, you can add them using variations of the following command. Samba will function without these groupmaps, but Windows machines won't be group aware.

/usr/bin/net groupmap add unixgroup=students \
             type=domain ntgroup="students" \
             comment="All students in the school"

FIXME: should user groups in windows better be explained with lwat first, and then with an example for the command line?

If you want to check user groups on Windows, you need to download the tool IFMEMBER.EXE from Microsoft. Then you can use this for example in the logon script which resides on tjener in /etc/samba/netlogon/LOGON.BAT.

XP home

Users bringing in their XP home laptop can still connect to Tjener using their skolelinux credentials, provided the workgroup is set to SKOLELINUX. However, they may need to disable the windows firewall before Tjener will appear in Network Neighbourhood (or whatever its called now).

Managing roaming profiles

Roaming profiles contain user work environments, which include the desktop items and settings. Some examples of these environments are personal files, desktop icons and menus, screen colors, mouse settings, window size and position, application configurations and network and printer connections. Roaming profiles are available wherever the user logs on, provided the server is available.

Since the profile is copied from the server to the machine during logon, and copied back to the server during logout, a large profile can make windows login/logout painfully slow. There can be many reasons for a large profile, but the most common problems is that users save their files on the windows desktop or in the My Documents folder instead of in their homedir. Also some badly designed programs use the profile for scratch space, and other data.

The educational approach: One way to deal with to large profiles is to explain the situation for the users. Tell them not to store huge files on the desktop and if they fail to listen it's their own fault when login is slow.

Tweaking the profile: A different way to deal with the problem is to remove parts of the profile, and redirect other parts to regular file storage. This moves the work load from the users to the administrator, while adding complexity to the installation. There are at least three ways to edit the parts that are removed from the roaming profile.

Example smb.conf's for roaming profiles

Already delivered while installation, you can find an example smb.conf hopefully in your prefered language. You can find the config example files on your tjener under /usr/share/debian-edu-config/examples/. The source file is in English and is called smb-roaming-profiles-en.conf. If it is translated to German for example, it is named smb-roaming-profiles-de.conf. So if you search a file translated to your prefered language, look at the country code part in the filename. Inside the config file are a lot of explanations, so you should have a look at.

Using machine policies

Machine policies can be edited and copied to all the other computers.

  1. Pick a freshly installed Windows computer, and run gpedit.msc
  2. Under the selection User Configuration -> Administrative Templates -> System -> User Profiles -> Exclude directories in roaming profile, you can enter a semicolon separated string of directories to exclude from the profile, the directories are internationalized and must be written in your own language the way they are in the profile. Example of directories to exclude are

    • log
    • Locale settings
    • Temporary Internet Files
    • My Documents
    • Application Data
    • Temporary Internet Files
  3. Save your changes, and exit the editor.
  4. Copy c:\windows\system32\GroupPolicy to all other windows machines.

    • It's a good idea to copy it to your windows os deployment system to have it included at install time.

Using global policies

By using the legacy windows policy editor (poledit.exe), you can can create a Policy file (NTConfig.pol) file and put it in your netlogon share on tjener. This has the advantage of working almost instantly on all windows machines.

Since some time the policy editor standalone download has been removed from the Microsoft website, but it's still available as part of the ORK Tools.

With poledit.exe you can create .pol files. If you put such a file on tjener as /etc/samba/netlogon/NTLOGON.POL it will be read by the windows machine automatically and temporarily overwrite the registry, thus applying the changes.

To make sensible use of poledit.exe you also need to download appriate .adm files for your operating system and applications, otherwise you cannot define many settings in poledit.exe.

Be aware that the new group policy tools, gpedit.msc and gpmc.msc cannot create .pol files, they either only work for the local machine or need an active directory server.

If you understand german, is a very good website on this topic.

Editing Windows registry

You can edit the registry of the local computer, and copy this registry key to other computers

  1. Start the Registry Editor.
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  3. Use the menu Edit menu->New->String Value.

  4. Call it ExcludeProfileDirs

  5. Enter a semicolon sepatated string of paths to exclude. (same way as machine policy)

Now you can choose to export this registry key as a .reg file, Mark a selection, right click and select export. Save the file and you can double click it, or add it to a script to spread it to other machines.


Redirecting parts of profile

Sometimes just removing the directory from the profile is not enough. You may experience that users loose files because they mistakenly save things into my documents, when this is not saved in the profiles. Also you may want to redirect the directories some badly programed applications use to normal network shares.

Using machine policies

Everything under Using machine policies above applies. You edit using gpedit.msc and copy the Policy to all machines The redirection should be available under User Configuration -> Windows Settings->Folder Redirection Things that can be nice to redirect are Desktop or My Documents.

One thing to remember is that if you enable folder redirection, those folders are automatically added to the syncroniced folders list. If you do not want this, you should also disable that in following

  • User Configuration -> Administrative Templates -> Network -> Offline Files

  • Computer Configuration -> Administrative Templates -> Network -> Offline Files

Using global policies

FIXME explain how to use profiles from global policies for windows machines in the skolelinux network

Avoiding roaming profiles

Using a local policy

Using local policies you can disable roaming profile on individual machines. This is often wanted on special machines, for instance on dedicated machines, or machines that have lower then usual bandwith.

You can use the machine policy method describe above, the key is in

  • Administrative Templates -> system -> User Profiles -> Only allow local profiles

Using global policies

FIXME: describe roaming profile key for the global policy editor here

altering samba config

By editing the samba config you can disable roaming profiles for the entire network. Perhaps everyone have their own dedicated machine? and nobody else is allowed to touch it. To disable the roaming profiles for the entire network you can alter the smb.conf file on tjener and unset the logon path and logon home variables, and restart samba.

logon path = ""
logon home = ""

Remote Desktops with RDP, VNC, NX or Citrix

Some municipalities provide a remote desktop solution so that students and teachers can access Skolelinux from their home computer running Windows, Mac or Linux.

  • RDP - the easiest way to access Windows terminal server. Just install the rdesktop package.

  • VNC client (Virtual Network Computer) gives access to Skolelinux remotely. Just install the xvncviewer package.

  • NX graphical client gives students and teachers access to Skolelinux remotely on Windows, Mac or Linux PC. One municipality in Norway has provided NX support to all their students since 2005. They report that the solution is stable.
  • Citrix ICA client HowTo to access Windows terminal server from Skolelinux.

HowTos from

The HowTos from are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)


HowTos for teaching and learning


Run aptitude install moodle as root to install moodle.

Moodle is a course management system (CMS) - a free, Open Source software package designed using sound pedagogical principles, to help educators create effective online learning communities. You can download and use it on any computer you have handy (including webhosts), yet it can scale from a single-teacher site to a University with 200,000 students. Some schools in France use moodle to keep track of students' facilities and credit points.

There are moodle sites all over the world, mostly concentrated in Europe and North America. Check the site of an institution near you to get an idea about it. More information is available at the moodle project page, including documentation and support.

Monitoring pupils

Some schools use control tools like Controlaula or Italc to supervise their students.

Take a look at their wiki:

FIXME: explain how to install and use italc - 511387 explains this quite well actually.

apt-get install italc-client italc-master

/!\ Warning: monitoring humans might be unethical and illegal in your jurisdiction.

Restricting pupils network access

Some schools use squidguard or dansguardian to restrict internet access. FIXME: explain how to install and use squidguard and/or dansguardian

/!\ Warning: restricting access to information or freedom of speech might be unethical and illegal in your jurisdiction.

Installing swi-prolog

swi-prolog was available in sarge, but was not part of etch, but it was possible to install the sarge version on etch. Lenny again ships swi-prolog so installing is very easy. Just apt-get install swi-prolog and be done :-)

HowTos from

The HowTos from are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)


HowTos for users

Changing passwords

Every student should use the shorcut on their Desktop, which should point to something like https://ldap/lwat/chguserpw.php?username=$(id -un). (On Windows they have to manually put in their username.)

Using lwat to change their password, ensures that linux (userPassword) and samba (sabmaNTPassword and smbaLMPassword) passwords are the same.

Changing the sound volume

On local machines, which are workstations and LTSP servers, and diskless workstations, kmix works as usual. alsamixer can also be used to change the sound volume.

On thin clients, pavucontrol works, and so does alsamixer but kmix does not work at all.

Using email

Every user can send and receive mails within the internal network. The following paragraphs describe how to configure kmail for each user.

To be able to send and receive mails outside the internal network, the adminstrator needs to configure the mailserver exim4 according to the local situation, dpkg-reconfigure exim4-config is a good first step to do this.

Configuring KMail as a mail client

This needs to be done once by every user who wants to use email.

First, start KMail and skip the wizard ("Cancel"). Open the configuration-window and enter your identity (username and mail-address: username@postoffice.intern). Now move on to "Accounts" and there choose the "Sending"-tab. Add SMTP, host is "postoffice". default port 25. Do not forget to enter "postoffice.intern" as default domain and click "Apply". Send a mail to yourself (username@postoffice.intern) now to make sure your directory on the imap-server is created.

After that, add a new IMAP account under the "Receiving"-tab. Enter your username and password, the host is again "postoffice". Switch to the "Security"-tab and click on "Check What the Server Supports". Click "Continue" in the warning about the missing server certificate and accept that forever. Go back to the "General"-tab. Port should be 993 now. Click "Ok" and check if the mail to yourself is there. :)


Let us know you exist

There are Debian Edu users all over the world. A very easy form of contribution is to let us know you exist and use Debian Edu - this motivates us very much and therefore is already a valuable contribution. :-)

The Debian Edu projects provide a database of schools and users of the system to help the users find each other, and also to have an idea about where the users of the distribution are located. Please let us know about your installation, by registering in this database. To register your school, use this web form.

Contribute locally

Currently there are local teams in Norway, Germany, the region of Extremadura in Spain, Taiwan and France. "Isolated" contributors and users exist in Greece, the Netherlands, Japan and elsewhere.

The support chapter explains and links to localized ressources, as contribute and support are two sides of the same coin.

Contribute globally

Internationally we are organized in different teams working on different subjects.

The developer mailing list is most of the time our main medium for communication, though we have monthly meetings on IRC on #debian-edu on and less frequently even real gatherings, where we meet each other in person. New contributors should read our

A good way to learn what is happening in the development of Debian Edu is to subscribe to the commit mailinglist.

Documentation writers and translators

This document needs your help! First and foremost, it is not finished yet: If you read it, you will notice various FIXMEs within the text. If you happen to know (a bit of) what needs to be explained there, please consider sharing your knowledge with us.

The source of the text is a wiki and can be edited with a simple webbrowser. Just go to and you can contribute easily. Note: An user account is needed to edit the pages, you need to create a wiki user first.

Another very good way to contribute and to help users is by translating software and documentation. Information how to translate this document can be found in the translation chapter of this book. Please consider to help the translation effort of this book!



Volunteer based support

in English

in Norwegian

in German

in French

in Spanish

Professional support

Lists of companies providing professional support are available from


Copyright and authors

This document is written and copyrighted by Holger Levsen (2007, 2008, 2009, 2010), Petter Reinholdtsen (2007, 2008, 2009, 2010), Daniel Heß (2007), Patrick Winnertz (2007), Knut Yrvin (2007), Ralf Gesellensetter (2007), Ronny Aasen (2007), Morten Werner Forsbring (2007), Bjarne Nielsen (2007, 2008) Nigel Barker (2007), José L. Redrejo Rodríguez (2007), John Bildoy (2007), Joakim Seeberg (2008), Jürgen Leibner (2009), Oded Naveh (2009), Philipp Hübner (2009, 2010), Andreas Mundt (2010) and Olivier Vitrat (2010) and is released under the GPL2 or any later version. Enjoy!

If you add content to it, please only do so if you are the author. You need to release it under the same conditions! Then add your name here and release it under the GPL2 or later version.

Translation copyright and authors

The Spanish translation is copyrighted by José L. Redrejo Rodríguez (2007), Rafael Rivas (2009) and Norman Garcia (2010) and is released under the GPL2 or any later version.

The Bokmål translation is copyrighted by Petter Reinholdtsen (2007), Håvard Korsvoll (2007, 2008), Tore Skogly (2008), Ole-Anders Andreassen (2010) and Jan Roar Rød (2010) and is released under the GPL2 or any later version.

The German translation is copyrighted by Holger Levsen (2007), Patrick Winnertz (2007), Ralf Gesellensetter (2007, 2009), Roland F. Teichert (2007, 2008, 2009), Jürgen Leibner (2007), Ludger Sicking (2008), Kai Hatje (2008), Kurt Gramlich (2009), Franziska Teichert (2009), Philipp Hübner (2009) and Andreas Mundt (2009, 2010) and is released under the GPL2 or any later version.

The Italian translation is copyrighted by Claudio Carboncini (2007, 2008, 2009, 2010) and is released under the GPL2 or any later version.

The French translation is copyrighted by Christophe Masson (2008), Olivier Vitrat (2010) and the French l10n team (2009, 2010) and is released under the GPL2 or any later version.

The Traditional Chinese translation is copyrighted by Andrew Lee (李健秋) (2009) and is released under the GPL2 or any later version.


Translations of this document

Fully translated versions of this document to German and Italian are available. Incomplete translations for Norwegian Bokmål, French, Spanish and Chinese exist, take a look for your language here.

HowTo translate this document

As in many free software projects, translations of this document are kept in .po files. More information about the process can be found in /usr/share/doc/debian-edu-doc/README.debian-edu-lenny-manual-translations. The svn-repository (see below) contains this file too. Take a look there and at the language specific conventions if you want to help translating this document.

To commit your translations you need to be a member of the alioth project debian-edu. To translate, you just need to check out some files from from svn (which can be done anonymously) and create patches. Please file a bug against the debian-edu-doc package and attach the .po file to the bugreport. Find some instructions on how to submit bugs here.

You can checkout the debian-edu-doc source anonymously with the following command (you need to have the subversion package installed for this to work):

  • svn co svn://

Then edit the documentation/debian-edu-lenny/debian-edu-lenny-manual.$CC.po (where you replace $CC with your language code). There are many tools for translating available, we suggest to use kbabel.

Then you either commit the file directly to svn (if you have the rights to do so) or send the file to the bugreport.

To update your local copy of the repository use the following command inside the debian-edu-doc directory:

  • svn up

Read /usr/share/doc/debian-edu-doc/README.debian-edu-lenny-manual-translations to find information how to create a new .po file for your language if there is none yet, and how to update translations.

Basic information about Alioth (the host where our SVN repository is located) and SVN is available at

If you are new to SVN, look at the SVN book, it has a chapter on the basic workflow with SVN. Also you might want to look at he kdesvn package if you prefer a GUI client for SVN instead of using the commandline client.

Please report any problems.


Appendix A - The GNU Public License

Note to translators: there is no need to translate the GPL license text. 

Manual for Debian Edu 5.0.6+edu1 Codename "Lenny"

Copyright (C) 2007-2010 Holger Levsen < > and others, see the Copyright chapter for the full list of copyright owners.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

  • a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

  • a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.






Appendix B - about Debian Edu Live CD/DVDs

/!\ Debian Edu Live CD/DVDs for Lenny are not available at the moment.

Features of the Standalone image

  • Almost all packages from the Standalone profile
  • All packages from the laptop task
  • The KDE desktop profile for students/pupils.

Activating translations and regional support

To activate a specific translation, boot using locale=ll_CC.UTF-8 as a boot option, where ll_CC.UTF-8 is the locale name you want. To aciviate a given keyboard layout, use the keyb=KB option where KB is the wanted keyboard layout. More information on this feature is available from the live cd build script documentation. Here is a list of commonly used locale codes:

Language (Region)

Locale value

Keyboard layout

Norwegian Bokmål



Norwegian Nynorsk






French (France)



Greek (Greece)






Northern Sami (Norway)



A complete list of locale codes is available in /usr/share/i18n/SUPPORTED, but only the UTF-8 locales are supported by the live images. Not all locales have translations installed, though. The keyboard layout names can be found in /usr/share/keymaps/i386/.

Stuff to know

  • the password for the user is "user", root has no passwd set.

Known issues with the image

  • /!\ there are no lenny images yet :(


The image is 1.2 GiB and currently NOT available using FTP, HTTP or rsync from at cd-lenny-live/.