Differences between revisions 6 and 7
Revision 6 as of 2011-03-05 13:14:17
Size: 15906
Comment:
Revision 7 as of 2011-03-05 13:20:38
Size: 15891
Comment:
Deletions are marked like this. Additions are marked like this.
Line 11: Line 11:
 * add workstations to host netgroups (for exporting home-directories via NFS)
* thin clients don't need to be added, only workstations. And workstations no matter if with disk or diskless.
 * add workstations to host netgroups (for exporting home-directories via NFS. Here we use a workaround in the moment -- AndreasSchockenhoff <<DateTime(2011-03-05T13:20:38Z)>>)
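Review bot: the replacement bullet on the last line of this hunk drops the guidance that thin clients do not need to be added while workstations, with disk or diskless, do, and puts an unexplained "workaround" in its place. Keep the thin-client sentence as its own bullet and say what the workaround is (or link to it), so that readers setting up the NFS export of home directories know which hosts to add and how. The inline signature and DateTime macro would sit better in the revision comment, which is empty for both revisions.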

Getting started

Minimum steps to get started

This chapter describes the first steps you need to do after the installation to get started. The minimum you need to do is:

  • add users
  • add workstations to host netgroups (for exporting home-directories via NFS. Here we use a workaround at the moment -- AndreasSchockenhoff 2011-03-05 13:20:38)

This is described below; please read this chapter completely. It covers how to do these minimum steps correctly, as well as other things that probably everybody will need to do.

The following HowTo chapter covers more tips and tricks and some frequently asked questions.

FIXME: add an english squeeze screenshot here.

At the moment -- AndreasSchockenhoff 2011-03-05 13:14:17 there is no specific Debian Edu desktop on squeeze, no special icons ... So we must wait until this is fixed for screenshots.

Debian Edu desktop

Services running on the main server

There are several services running on the main server which can be managed via a web management interface. We'll describe each service here.

Webbrowser based management, using GOsa2

FIXME: gosa needs to be documented properly here, following the structure of the existing lwat instructions. _Then_ the lwat text should be deleted.

As a first tip, log in with the username super-admin, using the root password.

GOsa is a web based management tool that will help you manage some important parts of your Debian Edu setup. You can manage these four main groups (add, modify, delete):

  • User Administration
  • Group Administration
  • Machine Administration
  • DNS Administration
  • DHCP Administration

To access GOsa, point your web browser to https://www/gosa.

  • In case you are not using a new Debian Edu Squeeze machine, you will get an error message about the SSL certificate. Just tell your browser to accept and ignore that.

  • In case you are using a new Debian Edu Squeeze machine, the override rule will already be in place and you won't be bothered.

Web based management, using lwat

Lwat is a web based management tool that will help you manage some important parts of your Debian Edu setup. You can manage these four main groups (add, modify, delete):

  • User Administration
  • Group Administration
  • Automount Informations
  • Machine Administration
  • DNS Administration

To access lwat, point your web browser to https://www/lwat.

  • In case you are not using a new Debian Edu Squeeze machine, you will get an error message about the SSL certificate. Just tell your browser to accept and ignore that.

  • In case you are using a new Debian Edu Squeeze machine, the override rule will already be in place and you won't be bothered.

You will then see the login page of LWAT. If you visit this site the first time after installation, the login name there is: admin and the password is the password you entered during the installation for the root account.

[ATTACH]

After login you can choose a task in the menu.

User Management with lwat

In Debian Edu, account information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations and thin client servers on the network. In this way, data about students, pupils, teachers, etc. needs to be entered only once. After that it is available to all systems on the network.

To get the work done efficiently, lwat will assist you in entering your users' data into the LDAP directory.

You can add users, group them in usergroups (for example to refer the members of a class more easily), update them and remove them again. By pointing the mouse onto the menu entries "Users" or "Groups" you can choose the action: Add any, or search for existing users or groups to modify or delete them.

Adding users

To add users you only have to choose "Add" in the "Users" section of the menu. After choosing this entry you will see a form where you can enter the data of the user you want to add. The most important thing to add is the full name of your user (see image). As you type, you will see that lwat generates a user name automatically, based on the real name. It automatically chooses a user name that doesn't exist yet, so multiple users with the same full name are not a problem. If you don't like the generated user name, you can change it in the corresponding field. Second, you need to choose the role of your account, which is used by lwat to determine the privileges the user has for system administration. Currently lwat knows the following roles:

role     | granted privileges
Students | Login and use the system
Teachers | Same as Students
jrAdmins | Same as Teachers, but can also change other users' passwords (except for the Admins' ones)
Admins   | Admins have ultimate privileges. They can add/modify/delete users/groups/machines/automounts and let Windows systems join the Skolelinux domain

After choosing a suitable role you can hit the "Save" button and the user is added. Do not hit the enter key, or your progress will be lost. This is to avoid security problems with PHP.

[ATTACH]

If all went well, you will see a short notice at the end of the page with the data added to the LDAP directory (the form also gets reset):

Added user: Demo User
username: demuse
password: somethingsecret

Warning: It might take several minutes until the newly added user's home directory is created. Until that is done, he won't be able to log in on any server, workstation or thin client.

You may miss an option to set a password: it has been set automatically. The user can change his own password by clicking on the key icon on his desktop or by browsing directly to http://www/lwat/chguserpw.php.

You can also set another password by modifying the user added (see below).

Search and delete users

To modify or delete a user you need to first find her using the search menu entry. You will find the form shown in the screenshot where you can enter either the real name or the user name of the user. The results will show up below. On the left of every result line there is a checkbox you can use to delete or disable one or more users with the two buttons below. If you want to modify a user, just click on it, all names found are links to the modify page.

[ATTACH]

A new page will show up where you can modify information directly belonging to the user, change the password of the user and modify the list of groups the user belongs to.

[ATTACH]

Set passwords

To set a new password for a user

  • search for the user to be modified as explained above, and click on the username once found.
  • click on the button New password

  • on the following page, you can set a new randomly generated password.
  • note that by default it is not possible to set a self-chosen password, as the corresponding field is not writable

[ATTACH]

To allow setting self-chosen passwords you need to edit /etc/lwat/config.php on the tjener:

  • Execute nano /etc/lwat/config.php

  • Change $allowPwSet = false ; to $allowPwSet = true ;

  • Press CTRL+X
  • Press Y
  • Press Enter

You can now set any password you like, as long as it is at least 5 characters long. Beware of the security implications of easy-to-guess passwords!

Advanced user management

It is possible to mass-create users with lwat by using a .csv file, which can be created with any good spreadsheet software (for example oocalc).

The import script expects a file formatted with all data for one user on one row, with the fields separated by semicolons. The minimum information needed is the full name of the user. If fullname is not given, the script expects to have both firstname and lastname. The maximum information it expects is "User template; Fullname; Username; Password; Additional group membership".

If a password column is missing, an easy to remember, pronounceable password will be created.

If users are put into groups, these groups have to exist, so you need to create them manually (with lwat, see below) before importing the users.

It's a good idea to do some tests first, best with a .csv file with a few fictional users, which can be deleted later.
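A pre-import check for the five-column layout described above, written as an added example (it is not part of lwat). The function names and the sample rows are constructed, and the check assumes no header row, one group per row, and that the minimum length of 5 this page gives for self-chosen passwords should also hold for imported ones.

```shell
# Added example (not part of lwat): pre-import check for a user CSV.
# Assumes the five-column layout quoted above, no header row, one group per row:
#   User template; Fullname; Username; Password; Additional group membership
# usage: check_lwat_csv FILE|- "existing groups"   (exit status 1 if a row is flagged)
check_lwat_csv() {
    awk -F';' -v known="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
    BEGIN { n = split(known, g, " "); for (i = 1; i <= n; i++) exists[g[i]] = 1 }
    /^[ \t\r]*$/ { next }                      # skip blank lines
    {
        if (NF != 5) { bad("expected 5 fields, found " NF); next }
        full = trim($2); user = trim($3); pw = trim($4); grp = trim($5)
        if (full == "") bad("Fullname is empty")
        if (user != "") {
            if (user in seen) bad("username " user " already used on line " seen[user])
            else seen[user] = NR
        }
        # An empty password field is not flagged (assumption: one is generated);
        # a supplied password is held to the minimum length of 5.
        if (pw != "" && length(pw) < 5) bad("password shorter than 5 characters")
        # Groups have to exist before the import.
        if (grp != "" && !(grp in exists)) bad("group " grp " does not exist yet")
    }
    END { exit (errors > 0) }
    ' "$1"
}

# Constructed sample rows (fictional users).
sample_csv() {
cat <<'EOF'
2009;Demo User;demuse;;2009
2009;Anna Test;anntes;abc;2009
2009;;nobody;longenough;students
2009;Demo Other;demuse;s3cret-pw;2010
EOF
}

# The second argument lists the groups already created with lwat.
sample_csv | check_lwat_csv - "students 2009" || true
```

Every flagged row is reported with its line number, so the file can be corrected before any account is created.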

Group Management with lwat

The management of groups is very similar to the management of users. You can enter a name and a description per group. When searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

Group Management on the command line

Here's how:

# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
                 comment="DESCRIPTION OF NEW GROUP"

This is explained in more detail in the HowTo/NetworkClients chapter of this manual.

Advanced group management

Using lwat it's easy to put users in a specific group (for example named after the year they enter or finish school) and to create all their home directories in a dedicated directory.

To achieve that, add a stanza like the following to the file /etc/lwat/admin.ini:

[2009]
ou = "ou=People,%base%"
objectClass = top posixAccount shadowAccount imapUser sambaSamAccount
homeDirectory = /skole/tjener/home0/2009/%username%
groups = none students 2009
loginShell = /bin/bash
mailMessageStore = /var/lib/maildirs/%username%

To make this work, the 2009 group has to be created before adding the users.

The above stanza simply adds them on top of home0. If you want them somewhere else, using another automount, use lwat to add that automount and change the homeDirectory string in admin.ini correspondingly.

Machine Management with lwat

With the machine management you can basically manage all IP based devices in your Debian Edu network. Every machine added to the LDAP directory using lwat has a hostname, an IP-address, a MAC-address and a domain name which usually is "intern". For a more verbose description about the Debian Edu architecture see the architecture chapter of this manual.

If you add a machine, you can use an ip/hostname from the preconfigured address space. The following ip ranges are predefined:

First address | Last address | hostname
10.0.2.10     | 10.0.2.29    | ltspserverxx
10.0.2.30     | 10.0.2.49    | printerxx
10.0.2.50     | 10.0.2.99    | staticxx

The addresses from 10.0.2.100 till 10.0.2.255 and 10.0.3.0 till 10.0.3.243 are reserved for dhcp and are assigned dynamically.

To assign a host with the MAC-address 52:54:00:12:34:10 a static IP-address you only have to enter the MAC-address and the hostname static00, the remaining fields will be filled automatically according to the predefined configuration:

[ATTACH]

Search and delete machines

Searching for and deleting machines is quite similar to searching and deleting users, so that information is not repeated here.

Modify existing machines / Netgroup management

After adding a machine to the ldap tree using lwat, you can modify its properties using the search functionality and clicking on the machine (as you would with users).

[ATTACH]

The form behind these machine links is similar to the one you already know from modifying user entries, but the information means different things in this context.

For example, adding a machine to a NetGroup does not modify the permissions that machine or the users logged into that machine have on accessing files or programs on the server. But it restricts the services that machine can use on your main-server.

The default installation provides the NetGroups

  • printer-hosts
  • workstation-hosts
  • ltsp-server-hosts
  • server-hosts
  • shutdown-at-night-hosts
  • fs-autoresize-hosts

Currently the NetGroup functionality is used for

  • NFS.
    • The home directories are exported by the main-server to be mounted by the workstations and the ltsp-servers. For security reasons, only hosts within the workstation-hosts, ltsp-server-hosts and server-hosts NetGroups can mount the exported NFS shares. So it is rather important to remember to configure these kinds of machines properly in the LDAP tree using lwat, and to configure them to use the static IPs from LDAP. Warning: Remember to configure workstations and ldap-servers properly with lwat, or your users won't be able to access their home directories.

  • fs-autoresize
    • Debian Edu machines in this group will automatically resize LVM partitions that run out of space
  • shutdown at night
    • Debian Edu machines in this group will automatically shut down at night to save energy
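A way to check which of the three NetGroups allowed to mount the home directories list a given host, written as an added example (not part of Debian Edu or lwat). `getent netgroup` is the standard glibc lookup; the function names, the LOOKUP variable and the sample host entries are constructed for illustration.

```shell
# Added example: report which NFS-relevant NetGroups contain a host.
# NetGroups that this page says may mount the exported home directories.
NFS_NETGROUPS="workstation-hosts ltsp-server-hosts server-hosts"

# Print the host field of every (host,user,domain) triple read on stdin.
netgroup_hosts() {
    tr -s ' \t' '\n\n' | sed -n 's/^(\([^,]*\),.*$/\1/p'
}

# usage: which_nfs_netgroups HOST   -> prints each NetGroup that lists HOST
# The match is exact: a host registered under another name is not found,
# which is the same mismatch that leaves it unable to mount.
# LOOKUP (hypothetical knob) replaces the lookup command; default is getent.
which_nfs_netgroups() {
    for ng in $NFS_NETGROUPS; do
        if ${LOOKUP:-getent netgroup} "$ng" | netgroup_hosts | grep -qxF -- "$1"; then
            echo "$ng"
        fi
    done
}

# Constructed stand-in for `getent netgroup NAME` (host entries are made up).
sample_getent() {
    case "$1" in
        workstation-hosts) echo "workstation-hosts     (static00.intern,-,-) (static01.intern,-,-)" ;;
        ltsp-server-hosts) echo "ltsp-server-hosts     (ltspserver00.intern,-,-)" ;;
        server-hosts)      echo "server-hosts          (tjener.intern,-,-)" ;;
    esac
}

# Demo on the constructed data; unset LOOKUP to query the real directory.
LOOKUP=sample_getent
for h in static00.intern static07.intern; do
    groups=$(which_nfs_netgroups "$h")
    echo "$h: ${groups:-not in any NFS NetGroup, home directories will not mount}"
done
```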

Another important part of the machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you have to add the Windows host to the ldap tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the HowTo/NetworkClients chapter of this manual.

More lwat documentation

The full documentation for lwat can be found at /usr/share/doc/lwat/ on the main server or online.

Printer Management

For Printer Management, point your web browser to https://www:631. This is the normal cups management site where you can add/delete/modify your printers and clean up the printing queue. Changes that require logging in as root need SSL encryption.

Clock synchronization

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will not be synchronized with an external source by default, to make sure the machines do not keep external network connections active all the time. This was configured like this after a school discovered their ISDN network was up all the time, giving them a nasty extra phone bill.

To enable synchronization with an external clock, the file /etc/ntp.conf on the main-server needs to be modified. The comments in front of the server entries need to be removed. After this, the ntp server needs to be restarted by running /etc/init.d/ntp restart as root. To test if the server is using the external clock sources, run ntpq -c lpeer.

Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.
