Getting started

Minimum steps to get started

FIXME: the change from documenting lwat to GOsa2 still needs to be completed

During installation of the main server a first user account was created. In the following text this account will be referenced as "first user".

After the installation, the first things you need to do as first user are:

  1. Log into the server. With the root account you cannot log in graphically; as the first created user you can use sudo to become root.
  2. Add users with GOsa²
  3. Add workstations with GOsa²

Adding users and workstations is described in detail below, so please read this chapter completely. It covers how to perform these minimum steps correctly, as well as other things that everybody will probably need to do.

The HowTo chapter covers more tips and tricks and some frequently asked questions.

FIXME: add an updated english squeeze screenshot here.

Debian Edu desktop

Services running on the main server

There are several services running on the main server which can be managed via a web management interface. We'll describe each service below.

Introduction to GOsa²

GOsa² is a web based management tool that can help you manage some important parts of your Debian Edu setup. You can manage (add, modify, or delete) these main groups:

For GOsa² access you need the Skolelinux main server and a (client) system with a web browser installed. If that's not available, see HowTo/Administration.

From a web browser use the URL https://www/gosa for GOsa² access, and log in as the first user.

For general information on GOsa² have a look at: https://oss.gonicus.de/labs/gosa/wiki/documentation.

GOsa² Login plus Overview

GOsa² overview page after login as the first user

After logging in to GOsa² you will see the overview page of GOsa².

Next, you can choose a task in the menu or click any of the task icons on the overview page. For navigation, we recommend using the menu on the left side of the screen, as it will stay visible there on all administration pages offered by GOsa².

In Debian Edu, account, group, and system information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations, the thin client servers and the Windows machines on the network. With LDAP, account information about students, pupils, teachers, etc. only needs to be entered once. After information has been provided in LDAP, the information will be available to all systems on the whole Skolelinux network.

GOsa² is an administration tool that uses LDAP to store its information and provide a hierarchical department structure. To each "department" you can add user accounts, groups, systems, netgroups, etc. Depending on the structure of your institution, you can use the department structure in GOsa²/LDAP to transfer your organizational structure into the LDAP data tree of the Debian Edu main server.

A default Debian Edu main server installation currently provides two "departments": Teachers and Students, plus the base level of the LDAP tree. Student accounts are intended to be added to the "Students" department, teachers to the "Teachers" department; systems (servers, Skolelinux workstations, Windows machines, etc.) are currently added to the base level. Find your own scheme for customizing this structure.

Depending on the task that you want to work on (manage users, manage groups, manage systems, etc.) GOsa² presents you with a different view on the selected department (or the base level).

User Management with GOsa²

First, click on "Users" in the left navigation menu. The right side of the screen will change to show a table with department folders for "Students" and "Teachers" and the account of the GOsa² Super-Administrator. Above this table you can see a field called Base that allows you to navigate through your tree structure (move your mouse over that area and a drop-down menu will appear) and to select a base folder for your intended operations (e.g. adding a new user).

Adding users

Next to that tree navigation item you can see the "Actions" menu. Move your mouse over this item and a submenu appears on screen; choose "Create" here, and then "User". You will be guided by the user creation wizard.

After you have created the user (no need to customize fields the wizard has left empty for now), click on the "Ok" button in the bottom-right corner.

As the last step GOsa² will ask for a password for the new user. Type that in twice and then click "Set password" in the bottom-right corner.

If all went well, you can now see the new user in the user list table. You should now be able to log in with that username on any Skolelinux machine within your network.

Search, modify and delete users

To modify or delete a user, use GOsa² to browse the list of users on your system. On the very left of the screen you will find the "Filter" box, a search tool provided by GOsa². If you don't know the exact location of your user account in your tree, change to the base level of the GOsa²/LDAP tree and search there with the option marked "[x] Search in subtrees".

When using the "Filter" box, results will immediately appear in the middle of the text in the table list view. Every line represents a user account and the items farthest to the right on each line are little icons that provide actions for you: edit, lock, set password, browse home (not supported in Skolelinux), export and delete.

FIXME: image for the Filter Box

A new page will show up where you can directly modify information about the user, change the password of the user and modify the list of groups the user belongs to.

FIXME: image for Editing a User

Set passwords

The students can change their own passwords by logging into GOsa² with their own usernames. A logged-in student will be presented with a very minimal version of GOsa² that only allows access to the student's own account data sheet and to the set-password dialog.

Teachers logged in under their own usernames have special privileges in GOsa². They are shown a more privileged view of GOsa², and can change the passwords for all student accounts. This may be very handy during class.

To administratively set a new password for a user

  1. search for the user to be modified, as explained above
  2. click on the key symbol at the end of the line that the username is shown in
  3. on the page subsequently presented you can set a new password chosen by yourself

FIXME: add GOsa² password dialog image here

Beware of security implications due to easy to guess passwords!

Advanced user management

It is possible to mass-create users with GOsa² by using a .csv file, which can be created with any good spreadsheet software (for example oocalc).

These are the format guidelines for such a CSV file (GOsa² is quite intolerant about them):

The mass import steps are:

  1. click the "LDAP Manager" link in the navigation menu on the left
  2. click the "Import" tab in the screen on the right
  3. browse your local disk and select a CSV file with the list of users to be imported
  4. choose an available user template that should be applied during mass import (such as NewTeacher or NewStudent)
  5. click the "Import" button in the bottom-right corner

It's a good idea to do some tests first, preferably using a .csv file with a few fictional users, which can be deleted later.

Group Management with lwat [FIXME: obsolete?]

The management of groups is very similar to the management of users. You can enter a name and a description per group. When searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

Group Management on the command line

# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
                 comment="DESCRIPTION OF NEW GROUP"

This is explained in more detail in the HowTo/NetworkClients chapter of this manual.

Advanced group management [FIXME: obsolete?]

Using lwat it's easy to put users in a specific group (for example named after the year they enter or finish school) and to create all their home directories in a dedicated directory.

To achieve this, add a stanza like the following to the file /etc/lwat/admin.ini:

[2009]
ou = "ou=People,%base%"
objectClass = top posixAccount shadowAccount imapUser sambaSamAccount
homeDirectory = /skole/tjener/home0/2009/%username%
groups = none students 2009
loginShell = /bin/bash
mailMessageStore = /var/lib/maildirs/%username%

To make this work, the 2009 group has to be created before adding the users.

The above stanza simply adds them on top of home0. If you want them somewhere else, using another automount, then you should use lwat to add that automount, and change the homeDirectory string in admin.ini correspondingly.

Machine Management with GOsa²

FIXME: this chapter, which is yet to be written, needs to include information about the cron job that updates DNS every hour and about running "su -c ldap2bind - bind" to trigger the update manually.

FIXME: this section needs to mention the sitesummary2ldapdhcp script, which automatically adds machines to GOsa² if the machines have booted as thin clients or diskless workstations, or have been installed using any of the networked profiles.

Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is usually "intern"). For a fuller description of the Debian Edu architecture see the architecture chapter of this manual.

When you add a machine, you can use an IP address/hostname from the preconfigured address space. The following IP address ranges are predefined:

First address   Last address   hostname
10.0.2.10       10.0.2.29      ltspserverxx
10.0.2.30       10.0.2.49      printerxx
10.0.2.50       10.0.2.99      staticxx

The addresses from 10.0.16.20 to 10.0.31.254 (roughly 10.0.16.0/20 or 4000 hosts) are reserved for DHCP and are assigned dynamically.
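
The address plan above can be checked mechanically before entries are made in GOsa². The following Python sketch is an added example, not part of the Debian Edu tools; the function names, the sample inventory and the reading of "xx" as a numeric suffix are assumptions.

```python
import ipaddress

# Address plan from the table above: (first, last, hostname prefix).
STATIC_RANGES = [
    ("10.0.2.10", "10.0.2.29", "ltspserver"),
    ("10.0.2.30", "10.0.2.49", "printer"),
    ("10.0.2.50", "10.0.2.99", "static"),
]
DHCP_RANGE = ("10.0.16.20", "10.0.31.254")  # dynamic pool stated in the text

def _in_range(ip, first, last):
    return ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last)

def classify(address):
    """Return the hostname prefix of the matching range, 'dhcp', or None."""
    ip = ipaddress.ip_address(address)
    for first, last, prefix in STATIC_RANGES:
        if _in_range(ip, first, last):
            return prefix
    return "dhcp" if _in_range(ip, *DHCP_RANGE) else None

def audit(entries):
    """Check (hostname, address) pairs against the plan; return findings."""
    findings, seen = [], {}
    for hostname, address in entries:
        slot = classify(address)
        if slot is None:
            findings.append((hostname, address, "outside the predefined ranges"))
        elif slot == "dhcp":
            findings.append((hostname, address, "inside the range reserved for DHCP"))
        elif not (hostname.startswith(slot) and hostname[len(slot):].isdigit()):
            # Assumption: the "xx" in the table stands for a numeric suffix.
            findings.append((hostname, address, f"name does not match {slot}xx"))
        if address in seen:
            findings.append((hostname, address, f"same address as {seen[address]}"))
        seen.setdefault(address, hostname)
    return findings

# Constructed sample inventory, not data from a real network.
SAMPLE = [
    ("static00", "10.0.2.50"),
    ("printer02", "10.0.2.60"),  # printer name in the staticxx range
    ("lab-pc", "10.0.16.40"),    # fixed entry in the DHCP pool
    ("static01", "10.0.2.50"),   # address already used by static00
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Run on the sample, it reports the misnamed printer, the fixed entry that falls in the DHCP pool, and the address used twice.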

To assign a host with the MAC address 52:54:00:12:34:10 a static IP address you only have to enter the MAC address and the hostname static00; the remaining fields will be filled automatically according to the predefined configuration:

Search and delete machines

Searching for and deleting machines is quite similar to searching for and deleting users, so that information is not repeated here.

Modify existing machines / Netgroup management

After adding a machine to the LDAP tree using GOsa², you can modify its properties using the search functionality and clicking on the machine (as you would with users).

The format of these machine links is similar to the one you already know from modifying user entries, but the fields mean different things in this context.

For example, adding a machine to a NetGroup does not modify the file access or command execution permissions for that machine or the users logged in to that machine; instead it restricts the services that machine can use on your main-server.

The default installation provides the NetGroups

Currently the NetGroup functionality is used for

Another important part of machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you need to add the Windows host to the LDAP tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the HowTo/NetworkClients chapter of this manual.

Printer Management

For printer management, point your web browser to https://www:631. This is the normal CUPS management interface where you can add, delete and modify your printers and clean up the printing queue. Changes that require a root login need SSL encryption.

Clock synchronization

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will be synchronized with an external source by default. If the external Internet connection is established on demand, this can cause machines to keep it open.

/!\ If you use dialup or ISDN and pay per minute, you want to change this default setting.

To disable synchronization with an external clock, the file /etc/ntp.conf on the main-server and on all clients and LTSP chroots needs to be modified. Add comment marks ("#") in front of the server entries. After this, the NTP server needs to be restarted by running /etc/init.d/ntp restart as root. To test if a machine is using the external clock sources, run ntpq -c lpeer.

Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.
