Getting started

Minimum steps to get started

This chapter describes the first steps to take after the installation.

The minimum you need to do is:

  1. Log into the server as user "localadmin" (which has the same password as the "root" account) - with the root account you cannot log in graphically. As localadmin you can use sudo to become root.

  2. add users with GOsa²
  3. add workstations with GOsa²

Adding users and workstations is described below; please read this chapter completely. It covers how to do these minimum steps correctly, as well as other tasks that probably everybody will need to do.

The following HowTo chapter covers more tips and tricks and some frequently asked questions.

FIXME: add an english squeeze screenshot here.

Debian Edu desktop

Services running on the main server

There are several services running on the main server which can be managed via a web management interface. We'll describe each service below.

Web browser based management, using GOsa2

FIXME: gosa needs to be documented properly here, following the structure of the existing lwat instructions. _Then_ the lwat text should be deleted.

For GOsa² access you need the Skolelinux main server and a client system with a web browser installed.

Alternatively, as user localadmin you can install a minimal desktop on the main server using this command sequence in a (non-graphical) shell:

  $ sudo apt-get update
  $ sudo apt-get install gnome-session gnome-terminal iceweasel xorg
  # after installation, start a graphical session for user localadmin
  $ startx

From a web browser, use the URL https://www/gosa for GOsa² access and log in with the username super-admin and the main server's root password.

Introduction to GOsa²

GOsa² is a web-based management tool that will help you manage some important parts of your Debian Edu setup. You can manage these four main groups (add, modify, delete):

To access GOsa² point your web browser to https://www/gosa.

For general information on GOsa², have a look at https://oss.gonicus.de/labs/gosa/wiki/documentation. GOsa² has lately been forked as the new directory administration tool FusionDirectory. The FusionDirectory documentation is (intended to be) far better than the GOsa² documentation; everything you read about FD 1.0 also applies to GOsa² 2.6, the version in Debian squeeze.

GOsa² Login plus Overview

After logging in to GOsa² as super-admin you will see the overview page of GOsa².

GOsa² overview page after login as super-admin

Next, you can choose a task in the menu or click any of the task icons on the overview page. For navigation, we recommend using the menu on the left side of the screen, as it stays visible on all administration pages offered by GOsa².

In Debian Edu, account, group and system information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations, the thin client servers and the Windows machines on the network. With LDAP, account information about students, pupils, teachers, etc. needs to be entered only once. After information has been provided in LDAP, it will be available to all systems on the whole Skolelinux network.

GOsa² is an administration tool that uses LDAP to store its information. GOsa² (via LDAP) provides a tree-like department structure. To each »department« you can add user accounts, groups, systems, netgroups, etc. Depending on the structure of your institution, you can use the department structure in GOsa²/LDAP to transfer your organizational structure into the LDAP data tree of the Debian Edu main server.

A default Debian Edu main server installation currently provides two »departments«: Teachers and Students, plus the base level of the LDAP tree. Student accounts are intended to be added to the »Students« department, teachers to the »Teachers« department, systems (servers, Skolelinux workstations, Windows machines, etc.) are currently added to the base level. Find your own way of customizing this structure.

Depending on the task that you want to work on (manage users, manage groups, manage systems, etc.) GOsa² presents you with a different view on the selected department (or the base level).

User Management with GOsa²

First, click on »Users« in the left navigation menu. The right part of the screen changes and shows a table with department folders for »Students« and »Teachers« and the account of the GOsa² Super-Administrator (super-admin). Above this table you can see a field called Base that allows you to navigate through your tree structure (move your mouse over that area and a drop-down menu will appear) and select a base folder for your intended operations (e.g. adding a new user).

Adding users

Next to that tree navigation item you can see the »Actions« menu. Move your mouse over this item and a submenu appears on screen; choose »Create« here, and then »User«. You will be guided by the user creation wizard. Follow the steps of the wizard.

After you have created the user (no need to customize fields the wizard has left empty for now), click on the »Ok« button in the bottom-right corner.

As the last step GOsa² will ask for a password for the new user. Type that in twice and then click »Set password« in the bottom-right corner.

If all went well, you can now see the new user in the user list table. You should now be able to log in with that user name on any Skolelinux machine within your network.

It might take some minutes until the newly added user's home directory is created. Until that is done, the user won't be able to log in on any server, workstation or thin client.

Search, modify and delete users

To modify or delete a user, use GOsa² to browse the users on your system. On the very left of the screen, you find the »Filter« box, a search tool provided by GOsa². If you don't know the exact location of your user account in your tree, change to the base level of the GOsa²/LDAP tree and search there with the option marked: [x] Search in subtrees.

When using the »Filter« box, results will immediately appear in the middle of the screen in the table list view. Every line represents a user account, and the rightmost items in each line are little icons that provide actions for you: edit, lock, set password, browse home (not supported in Skolelinux), export and delete.

FIXME: image for the Filter Box

A new page will show up where you can modify information directly belonging to the user, change the password of the user and modify the list of groups the user belongs to.

FIXME: image for Editing a User

Set passwords

The students can change their own passwords by logging into GOsa² with their own user names. A logged in student will be presented with a very minimal version of GOsa² that only allows access to the student's own account data sheet and to the set-password-dialog.

Teachers have special privileges in GOsa². They can change the password for all student accounts. This may be very handy during class. Let the teacher log in with his/her username and then a more privileged view of GOsa² is shown to the teacher.

To administratively set a new password for a user

  1. search for the user to be modified as explained above
  2. click on the key symbol at the end of the line that the user name is shown in
  3. on the following page, you can set a new self-chosen password

FIXME: add GOsa² password dialog image here

Beware of security implications due to easy to guess passwords!

Advanced user management

It is possible to mass-create users with GOsa² by using a .csv file, which can be created with any good spreadsheet software (for example oocalc).

These are the format guidelines for such a CSV file (GOsa² is quite intolerant about them):

The mass import steps are:

  1. click the »LDAP Manager« link in the navigation menu on the left
  2. click the »Import« tab in the screen on the right
  3. browse your local disk and select a CSV file with the list of users to be imported
  4. choose an available user template that shall be applied during mass import (NewTeacher, NewStudent)

  5. click the Import button in the bottom-right corner

It's a good idea to do some tests first, best with a .csv file with a few fictional users, which can be deleted later.

Group Management with lwat

The management of groups is very similar to the management of users. You can enter a name and a description per group. When searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

Group Management on the command line

Here's how:

# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
                 comment="DESCRIPTION OF NEW GROUP"

This is explained in more detail in the HowTo/NetworkClients chapter of this manual.

Advanced group management

Using lwat it's easy to put users in a specific group (for example named after the year they enter or finish school) and to create all their home directories in a dedicated directory.

To achieve that, add a stanza like the following to the file /etc/lwat/admin.ini:

[2009]
ou = "ou=People,%base%"
objectClass = top posixAccount shadowAccount imapUser sambaSamAccount
homeDirectory = /skole/tjener/home0/2009/%username%
groups = none students 2009
loginShell = /bin/bash
mailMessageStore = /var/lib/maildirs/%username%

To make this work, the 2009 group has to be created before adding the users.

The above stanza simply adds them on top of home0. If you want them somewhere else, using another automount, then use lwat to add that automount, and change the homeDirectory string in admin.ini correspondingly.

Machine Management with lwat

With the machine management you can basically manage all IP based devices in your Debian Edu network. Every machine added to the LDAP directory using lwat has a hostname, an IP address, a MAC address and a domain name, which usually is "intern". For a more detailed description of the Debian Edu architecture see the architecture chapter of this manual.

If you add a machine, you can use an IP address/hostname from the preconfigured address space. The following IP ranges are predefined:

  First address   Last address   hostname
  10.0.2.10       10.0.2.29      ltspserverxx
  10.0.2.30       10.0.2.49      printerxx
  10.0.2.50       10.0.2.99      staticxx

The addresses from 10.0.2.100 to 10.0.2.255 and from 10.0.3.0 to 10.0.3.243 are reserved for DHCP and are assigned dynamically.

To assign a static IP address to a host with the MAC address 52:54:00:12:34:10, you only have to enter the MAC address and the hostname static00; the remaining fields will be filled in automatically according to the predefined configuration.
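A planned list of hosts can be checked against these ranges before anything is entered. The following is an added example, not part of the original manual or of lwat: it classifies each address against the table and the DHCP pools and flags IP or MAC addresses that are used twice. The host list is constructed (only static00 and its MAC address appear in the text) and the function names are hypothetical.

```python
import ipaddress

# From the text: static ranges (first, last, hostname prefix) and the DHCP pools.
STATIC_RANGES = [
    ("10.0.2.10", "10.0.2.29", "ltspserver"),
    ("10.0.2.30", "10.0.2.49", "printer"),
    ("10.0.2.50", "10.0.2.99", "static"),
]
DHCP_RANGES = [("10.0.2.100", "10.0.2.255"), ("10.0.3.0", "10.0.3.243")]

def _between(ip, first, last):
    return ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last)

def classify(address):
    """Return a static range's hostname prefix, "dhcp", or None."""
    ip = ipaddress.ip_address(address)
    for first, last, prefix in STATIC_RANGES:
        if _between(ip, first, last):
            return prefix
    if any(_between(ip, first, last) for first, last in DHCP_RANGES):
        return "dhcp"
    return None

def check_plan(hosts):
    """hosts: (hostname, ip, mac) tuples. Return a list of problem strings."""
    problems, seen = [], {}
    for name, ip, mac in hosts:
        kind = classify(ip)
        if kind == "dhcp":
            problems.append(f"{name}: {ip} is inside the DHCP pool")
        elif kind is None:
            problems.append(f"{name}: {ip} is outside the predefined ranges")
        elif not name.startswith(kind):
            problems.append(f"{name}: {ip} is predefined as {kind}xx")
        for key in (ip, mac.lower()):  # an IP or MAC may be assigned only once
            if key in seen:
                problems.append(f"{name}: {key} already used by {seen[key]}")
            seen.setdefault(key, name)
    return problems

# Constructed plan; only static00 and its MAC address come from the text.
SAMPLE = [
    ("static00", "10.0.2.50", "52:54:00:12:34:10"),
    ("printer01", "10.0.2.120", "52:54:00:12:34:11"),
    ("lab-pc", "10.0.2.31", "52:54:00:12:34:12"),
    ("static01", "10.0.2.51", "52:54:00:12:34:10"),
]
if __name__ == "__main__":
    print("\n".join(check_plan(SAMPLE)))
```
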

Search and delete machines

Searching for and deleting machines is quite similar to searching and deleting users, so that information is not repeated here.

Modify existing machines / Netgroup management

After adding a machine to the LDAP tree using lwat, you can modify its properties using the search functionality and clicking on the machine (as you would with users).


The form behind these machine links is in one way similar to the one you already know from modifying user entries, but the information means different things in this context.

For example, adding a machine to a NetGroup does not modify the permissions that machine or the users logged into that machine have on accessing files or programs on the server. But it restricts the services that machine can use on your main-server.

The default installation provides the NetGroups

Currently the NetGroup functionality is used for

Another important part of the machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you have to add the Windows host to the LDAP tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the HowTo/NetworkClients chapter of this manual.

More lwat documentation

The full documentation for lwat can be found at /usr/share/doc/lwat/ on the main server or online.

Printer Management

For printer management, point your web browser to https://www:631. This is the normal CUPS management site, where you can add, delete and modify your printers and clean up the print queue. Changes that require logging in as root need SSL encryption.

Clock synchronization

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. By default the clocks are not synchronized with an external source, so that the machines do not keep external network connections active all the time. It was configured this way after a school discovered their ISDN network was up all the time, giving them a nasty extra phone bill.

To enable synchronization with an external clock, the file /etc/ntp.conf on the main server needs to be modified: the comment characters in front of the server entries need to be removed. After this, the NTP server needs to be restarted by running /etc/init.d/ntp restart as root. To test whether the server is using the external clock sources, run ntpq -c lpeer.
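Reading the ntpq -c lpeer output: the peer the daemon is synchronised to is marked with * in the first column, and a reach value of 0 means the source has not answered any recent poll. The following added example (not from the original manual) parses the peer table and reports whether the system peer is an external source; the sample output is constructed and the function names are hypothetical.

```python
# Tally codes ntpq prints in the first column of each peer line.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         " ": "rejected", "#": "backup", "o": "PPS peer", ".": "excess"}

def parse_peers(output):
    """Parse `ntpq -c lpeer` text into one dict per peer line."""
    peers, in_body = [], False
    for line in output.splitlines():
        if line.startswith("="):  # separator under the column header
            in_body = True
            continue
        fields = line[1:].split()
        if not in_body or len(fields) < 10:
            continue  # header, blank or incomplete line
        peers.append({
            "status": TALLY.get(line[0], "unknown"),
            "remote": fields[0],
            "refid": fields[1],
            "reach": int(fields[6], 8),  # octal bitmap of the last 8 polls
        })
    return peers

def external_sync(output):
    """Return the remote ntpd is synchronised to, or None.
    A system peer with refid .LOCL. is the local clock, not an external source."""
    for peer in parse_peers(output):
        if peer["status"] == "system peer" and peer["refid"] != ".LOCL.":
            return peer["remote"]
    return None

def unreachable(output):
    """Remotes that answered none of the last 8 polls (reach == 0)."""
    return [p["remote"] for p in parse_peers(output) if p["reach"] == 0]

# Constructed output (not captured from a Debian Edu server).
HEADER = "     remote           refid      st t when poll reach   delay   offset  jitter"
SAMPLE = "\n".join([
    HEADER,
    "=" * 78,
    "*LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.001",
    " ntp1.example.or .INIT.          16 u    -   64    0    0.000    0.000   0.000",
])

if __name__ == "__main__":
    print("external source:", external_sync(SAMPLE))
    print("unreachable:", unreachable(SAMPLE))
```
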

Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.
