Differences between revisions 46 and 47
Revision 46 as of 2012-01-18 21:11:55
Size: 16732
Editor: WolfgangSchweer
Comment: add man page info
Revision 47 as of 2012-01-20 12:10:30
Size: 16682
Editor: WolfgangSchweer
Comment: adapt for beta3

Getting started

Minimum steps to get started

FIXME: the change from documenting lwat to GOsa2 still needs to be completed

After the installation, the first things you need to do are:

  1. Log into the server as the user you created during the main server's installation - with the root account you cannot log in graphically. As the first created user you can use sudo to become root.

  2. add users with GOsa² (you need to log in as the first created user)
  3. add workstations with GOsa²

Adding users and workstations is described in detail below, so please read this chapter completely. It covers how to perform these minimum steps correctly, as well as other tasks that everybody will probably need to do.

The HowTo chapter covers more tips and tricks and some frequently asked questions.

FIXME: add an updated english squeeze screenshot here.

Debian Edu desktop

Services running on the main server

There are several services running on the main server which can be managed via a web management interface. We'll describe each service below.

Introduction to GOsa²

GOsa² is a web based management tool that can help you manage some important parts of your Debian Edu setup. You can manage (add, modify, or delete) these main groups:

  • User Administration
  • Group Administration
  • NIS Netgroup Administrator
  • Machine Administration
  • DNS Administration
  • DHCP Administration

For GOsa² access you need the Skolelinux main server and a (client) system with a web browser installed. If that's not available, see HowTo/Administration.

From a web browser use the URL https://www/gosa for GOsa² access, and log in with the username super-admin and the main server's root password.

  • If you are using a new Debian Edu Squeeze machine, the site certificate will be known by the browser.
  • Otherwise, you will get an error message about the SSL certificate being wrong. If you know you are alone on your network, just tell the browser to accept it and ignore that.

For general information on GOsa² have a look at: https://oss.gonicus.de/labs/gosa/wiki/documentation.

GOsa² Login plus Overview

GOsa² overview page after login as super-admin

After logging in to GOsa² as super-admin you will see the overview page of GOsa².

Next, you can choose a task in the menu or click any of the task icons on the overview page. For navigation, we recommend using the menu on the left side of the screen, as it will stay visible there on all administration pages offered by GOsa².

In Debian Edu, account, group, and system information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations, the thin client servers and the Windows machines on the network. With LDAP, account information about students, pupils, teachers, etc. only needs to be entered once. After information has been provided in LDAP, the information will be available to all systems on the whole Skolelinux network.

GOsa² is an administration tool that uses LDAP to store its information and provide a hierarchical department structure. To each "department" you can add user accounts, groups, systems, netgroups, etc. Depending on the structure of your institution, you can use the department structure in GOsa²/LDAP to transfer your organizational structure into the LDAP data tree of the Debian Edu main server.

A default Debian Edu main server installation currently provides two "departments": Teachers and Students, plus the base level of the LDAP tree. Student accounts are intended to be added to the "Students" department, teachers to the "Teachers" department; systems (servers, Skolelinux workstations, Windows machines, etc.) are currently added to the base level. Find your own scheme for customizing this structure.

Depending on the task that you want to work on (manage users, manage groups, manage systems, etc.) GOsa² presents you with a different view on the selected department (or the base level).

User Management with GOsa²

First, click on "Users" in the left navigation menu. The right side of the screen will change to show a table with department folders for "Students" and "Teachers" and the account of the GOsa² Super-Administrator (super-admin). Above this table you can see a field called Base that allows you to navigate through your tree structure (move your mouse over that area and a drop-down menu will appear) and to select a base folder for your intended operations (e.g. adding a new user).

Adding users

Next to that tree navigation item you can see the "Actions" menu. Move your mouse over this item and a submenu appears on screen; choose "Create" here, and then "User". You will be guided by the user creation wizard.

  • The most important thing to add is the full name of your user (see image).
  • As you follow the wizard, you will see that GOsa² generates a username automatically based on the real name. It automatically chooses a username that doesn't exist yet, so multiple users with the same full name are not a problem.
  • If you don't like the generated username you can select another username offered in the drop-down box, but you do not have a free choice here in the wizard. (User ID generation can be customized in /etc/gosa/gosa.conf, see man 5 gosa.conf for details.)

  • When the wizard has finished, you are presented with the GOsa² screen for your new user object. Use the tabs at the top to check the completed fields.

After you have created the user (no need to customize fields the wizard has left empty for now), click on the "Ok" button in the bottom-right corner.

As the last step GOsa² will ask for a password for the new user. Type that in twice and then click "Set password" in the bottom-right corner.

If all went well, you can now see the new user in the user list table. You should now be able to log in with that username on any Skolelinux machine within your network.

/!\ It might take some minutes before the newly added user's home directory is created. Until that is done the user won't be able to log in on any server, workstation or thin client.

Search, modify and delete users

To modify or delete a user, use GOsa² to browse the list of users on your system. On the very left of the screen you will find the "Filter" box, a search tool provided by GOsa². If you don't know the exact location of your user account in your tree, change to the base level of the GOsa²/LDAP tree and search there with the option marked "[x] Search in subtrees".

When using the "Filter" box, matching entries immediately appear in the table list view in the middle of the screen. Every line represents a user account, and the items farthest to the right on each line are little icons that provide actions for you: edit, lock, set password, browse home (not supported in Skolelinux), export and delete.

FIXME: image for the Filter Box

A new page will show up where you can directly modify information about the user, change the password of the user and modify the list of groups the user belongs to.

FIXME: image for Editing a User

Set passwords

The students can change their own passwords by logging into GOsa² with their own usernames. A logged-in student will be presented with a very minimal version of GOsa² that only allows access to the student's own account data sheet and to the set-password dialog.

Teachers logged in under their own usernames have special privileges in GOsa². They are shown a more privileged view of GOsa², and can change the passwords for all student accounts. This may be very handy during class.

To administratively set a new password for a user

  1. search for the user to be modified, as explained above
  2. click on the key symbol at the end of the line that the username is shown in
  3. on the page subsequently presented you can set a new password chosen by yourself

FIXME: add GOsa² password dialog image here

Beware of security implications due to easy to guess passwords!

Advanced user management

It is possible to mass-create users with GOsa² by using a .csv file, which can be created with any good spreadsheet software (for example oocalc).

These are the format guidelines for such a CSV file (GOsa² is quite intolerant about them):

  • Use "," as field separator
  • Do not use quotes
  • The CSV file must not contain a header line (of the sort that normally contains the column names)

  • The order of the fields is not relevant, and can be defined in GOsa² during the mass import

The mass import steps are:

  1. click the "LDAP Manager" link in the navigation menu on the left
  2. click the "Import" tab in the screen on the right
  3. browse your local disk and select a CSV file with the list of users to be imported
  4. choose an available user template that should be applied during mass import (such as NewTeacher or NewStudent)

  5. click the "Import" button in the bottom-right corner

It's a good idea to do some tests first, preferably using a .csv file with a few fictional users, which can be deleted later.
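A small checker for the CSV rules listed above, added here as an example; it is not code from the Debian Edu manual or from GOsa². The fictional users are constructed sample data, and the set of column names used to recognise a header line is an assumption.

```python
"""Check a GOsa² mass-import CSV against the format rules given above:
"," as separator, no quotes, no header line, same field layout per line."""

# Words a spreadsheet typically writes into a header row (assumed set).
HEADER_WORDS = {"uid", "sn", "givenname", "surname", "name", "username",
                "password", "userpassword", "mail", "email"}


def check_import_csv(text):
    """Return a list of problems; an empty list means the file follows
    the rules GOsa² is intolerant about."""
    problems = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["file contains no user lines"]
    for no, ln in enumerate(lines, 1):
        # Rule: do not use quotes; GOsa² would keep them as part of the value.
        if '"' in ln:
            problems.append("line %d: quotes are not allowed" % no)
        # Rule: "," is the separator. A line without any comma but with ";"
        # or a tab was most likely exported with the wrong delimiter.
        if "," not in ln and (";" in ln or "\t" in ln):
            problems.append("line %d: use ',' as field separator" % no)
    # Rule: no header line. Heuristic: first line consists of column names.
    first = [f.strip().lower() for f in lines[0].split(",")]
    if all(f in HEADER_WORDS for f in first):
        problems.append("line 1: looks like a header line; remove it")
    # Every line needs the same number of fields, otherwise the field order
    # chosen in the import dialog is shifted for that user.
    widths = {len(ln.split(",")) for ln in lines}
    if len(widths) > 1:
        problems.append("lines have differing field counts: %s"
                        % sorted(widths))
    return problems


# Constructed sample: three fictional users as surname,given name,uid.
GOOD_CSV = "Testsson,Anna,anna01\nTestsson,Bo,bo01\nMuster,Chris,chris01\n"

# The same data as a spreadsheet exports it with unsuitable default settings.
BAD_CSV = 'sn,givenName,uid\n"Testsson";"Anna";"anna01"\n"Testsson";"Bo"\n'

if __name__ == "__main__":
    print("good file:", check_import_csv(GOOD_CSV) or "no problems")
    for p in check_import_csv(BAD_CSV):
        print("bad file:", p)
```

Run it against the test file with a few fictional users before the real import; the field order itself is still chosen in the GOsa² import dialog.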

Group Management with lwat [FIXME: obsolete?]

The management of groups is very similar to the management of users. You can enter a name and a description per group. When searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

Group Management on the command line

# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
                 comment="DESCRIPTION OF NEW GROUP"

This is explained in more detail in the HowTo/NetworkClients chapter of this manual.

Advanced group management [FIXME: obsolete?]

Using lwat it's easy to put users in a specific group (for example named after the year they enter or finish school) and to create all their home directories in a dedicated directory.

To achieve this, add a stanza like the following to the file /etc/lwat/admin.ini:

[2009]
ou = "ou=People,%base%"
objectClass = top posixAccount shadowAccount imapUser sambaSamAccount
homeDirectory = /skole/tjener/home0/2009/%username%
groups = none students 2009
loginShell = /bin/bash
mailMessageStore = /var/lib/maildirs/%username%

To make this work, the 2009 group has to be created before adding the users.

The above stanza simply adds them on top of home0. If you want them somewhere else, using another automount, then you should use lwat to add that automount, and change the homeDirectory string in admin.ini correspondingly.

Machine Management with GOsa²

FIXME: this yet to be written chapter needs to include the info about the cronjob updating dns running every hour and "su -c ldap2bind - bind" to trigger this manually

Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is usually "intern"). For a fuller description of the Debian Edu architecture see the architecture chapter of this manual.

When you add a machine, you can use an IP address/hostname from the preconfigured address space. The following IP address ranges are predefined:

  First address   Last address   hostname
  10.0.2.10       10.0.2.29      ltspserverxx
  10.0.2.30       10.0.2.49      printerxx
  10.0.2.50       10.0.2.99      staticxx

The addresses from 10.0.16.20 to 10.0.31.254 (roughly 10.0.16.0/20 or 4000 hosts) are reserved for DHCP and are assigned dynamically.

To assign a host with the MAC address 52:54:00:12:34:10 a static IP address you only have to enter the MAC address and the hostname static00; the remaining fields will be filled automatically according to the predefined configuration:
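The address derivation described here, written out as an added example (not code from the manual or from GOsa²). It assumes that numbering starts at 00 on the first address of each predefined range, so static00 is 10.0.2.50, and it also answers the reverse question of which pool an address belongs to, which goes beyond the single case shown above.

```python
"""Map Debian Edu hostnames such as static00 to their predefined static
address, and classify an address by the pool it falls into."""
import ipaddress
import re

# (hostname prefix, first address, last address) as listed in the table.
STATIC_RANGES = [
    ("ltspserver", "10.0.2.10", "10.0.2.29"),
    ("printer",    "10.0.2.30", "10.0.2.49"),
    ("static",     "10.0.2.50", "10.0.2.99"),
]
# Dynamically assigned (DHCP) addresses: 10.0.16.20 up to 10.0.31.254.
DHCP_FIRST = ipaddress.IPv4Address("10.0.16.20")
DHCP_LAST = ipaddress.IPv4Address("10.0.31.254")


def address_for(hostname):
    """Return the address for a hostname like 'static00', or None when the
    name matches no predefined range or its number would leave the range."""
    m = re.fullmatch(r"([a-z]+)(\d{2})", hostname.lower())
    if not m:
        return None
    prefix, index = m.group(1), int(m.group(2))
    for name, first, last in STATIC_RANGES:
        if name == prefix:
            addr = ipaddress.IPv4Address(first) + index   # assumed: xx=00 is first
            if addr > ipaddress.IPv4Address(last):
                return None     # e.g. static50 would spill into 10.0.2.100
            return str(addr)
    return None


def classify(ip):
    """Return 'ltspserver', 'printer', 'static', 'dhcp', or None for an
    address outside every predefined pool."""
    a = ipaddress.IPv4Address(ip)
    for name, first, last in STATIC_RANGES:
        if ipaddress.IPv4Address(first) <= a <= ipaddress.IPv4Address(last):
            return name
    if DHCP_FIRST <= a <= DHCP_LAST:
        return "dhcp"
    return None


if __name__ == "__main__":
    print("static00 ->", address_for("static00"))
    print("10.0.20.5 is in pool", classify("10.0.20.5"))
```

Because NFS exports are later restricted by NetGroup membership and static LDAP addresses, classify() is a quick way to confirm that a host you put into workstation-hosts or ltsp-server-hosts is not sitting on a DHCP address.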

Search and delete machines

Searching for and deleting machines is quite similar to searching for and deleting users, so that information is not repeated here.

Modify existing machines / Netgroup management

After adding a machine to the LDAP tree using GOsa², you can modify its properties using the search functionality and clicking on the machine (as you would with users).

The format of these machine links is similar to the one you already know from modifying user entries, but the fields mean different things in this context.

For example, adding a machine to a NetGroup does not modify the file access or command execution permissions for that machine or the users logged in to that machine; instead it restricts the services that machine can use on your main-server.

The default installation provides the NetGroups

  • printer-hosts
  • workstation-hosts
  • ltsp-server-hosts
  • server-hosts
  • shutdown-at-night-hosts
  • fs-autoresize-hosts

Currently the NetGroup functionality is used for

  • NFS.
    • The home directories are exported by the main-server to be mounted by the workstations and the LTSP servers. For security reasons, only hosts within the workstation-hosts, ltsp-server-hosts and server-hosts NetGroups can mount the exported NFS shares. So it is rather important to remember to configure these kinds of machines properly in the LDAP tree using GOsa² and to configure them to use static IP addresses from LDAP. /!\ Remember to configure workstations and LTSP servers properly with GOsa², or your users won't be able to access their home directories.

  • fs-autoresize
    • Debian Edu machines in this group will automatically resize LVM partitions that run out of space.
  • shutdown at night
    • Debian Edu machines in this group will automatically shut down at night to save energy.

Another important part of machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you need to add the Windows host to the LDAP tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the HowTo/NetworkClients chapter of this manual.

Printer Management

For Printer Management point your web browser to https://www:631. This is the normal CUPS management interface where you can add/delete/modify your printers and can clean up the printing queue. Changes that require a root login need SSL encryption.

Clock synchronization

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will not be synchronized with an external source by default, to make sure the machines do not need a permanently active external network connection. This default was chosen after a school discovered their ISDN network was up all the time, giving them a nasty extra phone bill.

To enable synchronization with an external clock, the file /etc/ntp.conf on the main-server needs to be modified. The comment ("#") marks in front of the server entries need to be removed. After this, the NTP server needs to be restarted by running /etc/init.d/ntp restart as root. To test if the server is using the external clock sources, run ntpq -c lpeer.

Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.
