Differences between revisions 2 and 6 (spanning 4 versions)
Revision 2 as of 2017-02-19 11:45:46
Size: 9737
Editor: ?WolfgangSchweer
Comment: various typo fixes / other improvements; thanks victory.
Revision 6 as of 2018-01-25 11:32:39
Size: 10313
Editor: HolgerLevsen
Comment: add CategoryPermalink
Deletions are marked like this. Additions are marked like this.
Line 158: Line 158:
Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP client or LTSP server.   * Enable access in case diskless workstations are used. This is a special case, because sshfs is used instead of NFS and automount:

    Create the mount point directories in the LTSP diskless client's root (default {{{/opt/ltsp/i386/}}}) as well.<<BR>>
    Add a line containing 'LOCAL_APPS_EXTRAMOUNTS=/storage' to {{{/opt/ltsp/i386/etc/lts.conf}}} (example).<<BR>>
    Create a link in each user's home dir like 'ln -s /storage Storage' to help users find the resources.
    
Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP thin client or LTSP server, and visiting ~/Storage in case an LTSP diskless client is used.
Line 173: Line 179:
 * Create a group {{{sshusers}}} on the root level (where already other system management related groups like {{{gosa-admins}}} show up).  * Create a group {{{sshusers}}} on the base level (where already other system management related groups like {{{gosa-admins}}} show up).
Line 190: Line 196:
If only dedicated LTSP servers are used, the 10.0.0.0/8 network could be dropped to disable internal ssh login access. Note: someone pluging in his box into the dedicated LTSP client network(s) will gain ssh access to the LTSP server(s) as well. If only dedicated LTSP servers are used, the 10.0.0.0/8 network could be dropped to disable internal ssh login access. Note: someone connecting his box to the dedicated LTSP client network(s) will gain ssh access to the LTSP server(s) as well.
Line 196: Line 202:
maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with apropriate PAM configuration would allow to disable internal ssh login. maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with appropriate PAM configuration would allow to disable internal ssh login.

CategoryPermalink

Advanced administration howto

In this chapter advanced administration tasks are described.

User Customisations with GOsa²

Create Users in Year Groups

In this example we want to create users in year groups, with common home directories for each group (home0/2014, home0/2015, etc). We want to create the users by csv import.

(as root on the main server)

  • Make the necessary year group directories

mkdir /skole/tjener/home0/2014

(as superuser in Gosa)

  • Department

Main menu: goto 'Directory structure', click the 'Students' department. The 'Base' field should show '/Students'. From the drop box 'Actions' choose 'Create'/'Department'. Fill in values for Name (2014) and Description fields (students graduating in 2014), leave the Base field as is (should be '/Students'). Save it clicking 'Ok'. Now the new department (2014) should show up below /Students. Click it.

  • Group

Choose 'Groups' from the main menu; 'Actions'/Create/Group. Enter group name (leave 'Base' as is, should be /Students/2014) and click the check box left of 'Samba group'. 'Ok' to save it.

  • Template

Choose 'users' from the main menu. Change to 'Students' in the Base field. An Entry NewStudent should show up, click it. This is the 'students' template, not a real user. As you'll have to create such a template (to be able to use csv import for your structure) based on this one, notice all entries showing up in the Generic, POSIX and Samba tabs, maybe take screenshots to have information ready for the new template.

Now change to /Students/2014 in the Base field; choose Create/Template and start to fill in your desired values, first the Generic tab (add your new 2014 group under Group Membership, too), then add POSIX and Samba account.

  • Import users

Choose your new template when doing csv import; testing it with a few users is recommended.

Other User Customisations

Creating folders in the home directories of all users

With this script the administrator can create a folder in each user's home directory and set access permissions and ownership.

In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.

 #!/bin/bash
 home_path="/skole/tjener/home0"
 shared_folder="assignments"
 permissions="2770"
 created_dir=0
 for home in $(ls $home_path); do
    if [ ! -d "$home_path/$home/$shared_folder" ]; then
        mkdir $home_path/$home/$shared_folder
        chmod $permissions $home_path/$home/$shared_folder
        #set the right owner and group
        #"username" = "group name" = "folder name"
        user=$home
        group=teachers
        chown $user:$group $home_path/$home/$shared_folder
        ((created_dir+=1))
    else
        echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
    fi
 done
 echo "$created_dir folders have been created"

Easy access to USB drives and CD-ROMs/DVDs

When users insert a USB drive or a DVD / CD-ROM into a (diskless) workstation, a popup window appears asking what to do with it, just like in any other normal installation.

When users insert a USB drive or a DVD / CD-ROM into a thin client there is only a notify-window showing up for a few seconds. The media is automatically mounted and it is possible to access it browsing to the /media/$user folder. This is quite difficult for many non experienced users.

It is possible to have the default KDE "Plasma" file manager Dolphin showing up if KDE "Plasma" (or LDXE, if installed in parallel to KDE "Plasma") is in use as desktop environment. To configure this, simply execute /usr/share/debian-edu-config/ltspfs-mounter-kde enable on the terminal server. (When using GNOME, device icons will be placed on the desktop allowing easy access).

In addition the following script could be used to create the symlink "media" for all users in their home folder for easy access to USB drives, CD-ROM / DVD or whatever media is connected to the thin client. This might come in handy if users want to edit files directly on their plugged in media.

 #!/bin/bash
 home_path="/skole/tjener/home0"
 shared_folder="media"
 permissions="775"
 created_dir=0;
 for home in $(ls $home_path); do
    if [ ! -d "$home_path/$home/$shared_folder" ]; then
        ln -s /media/$home $home_path/$home/$shared_folder
        ((created_dir+=1))
    else
        echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
    fi
 done
 echo "$created_dir folders has been created"

A warning about removable media on LTSP servers

/!\ Warning: When inserted into an LTSP server USB drives and other removable media cause popup messages on remote LTSP clients.

If remote users acknowledge the popup or use pmount from the console, they can even mount the removable devices and access the files.

Use a dedicated storage server

Take these steps to set up a dedicated storage server for user home directories and possibly other data.

  • Add a new system of type server using GOsa² as outlined in the Getting started chapter of this manual.

    • This example uses 'nas-server.intern' as the server name. Once 'nas-server.intern' is configured, check if the NFS export points on the new storage server are exported to the relevant subnets or machines:
          root@tjener:~# showmount -e nas-server
          Export list for nas-server:
          /storage         10.0.0.0/8
          root@tjener:~#
      Here everything on the backbone network is granted access to the /storage export. (This could be restricted to netgroup membership or single IP addresses to limit NFS access like it is done in the tjener:/etc/exports file.)
  • Add automount information about 'nas-server.intern' in LDAP to allow all clients to automatically mount the new export on request.
    • This can't be done using GOsa², because a module for automount is missing. Instead, use ldapvi and add the required LDAP objects using an editor.

      ldapvi --ldap-conf -ZD '(cn=admin)' -b ou=automount,dc=skole,dc=skolelinux,dc=no

      When the editor shows up, add the following LDAP objects at the bottom of the document. (The "/&" part in the last LDAP object is a wild card matching everything 'nas-server.intern' exports, removing the need to list individual mount points in LDAP.)

          add cn=nas-server,ou=auto.skole,ou=automount,dc=skole,dc=skolelinux,dc=no
          objectClass: automount
          cn: nas-server
          automountInformation: -fstype=autofs --timeout=60 ldap:ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
      
          add ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
          objectClass: top
          objectClass: automountMap
          ou: auto.nas-server
      
          add cn=/,ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
          objectClass: automount
          cn: /
          automountInformation: -fstype=nfs,tcp,rsize=32768,wsize=32768,rw,intr,hard,nodev,nosuid,noatime nas-server.intern:/&
  • Add the relevant entries in tjener.intern:/etc/fstab, because tjener.intern does not use automount to avoid mounting loops:
    • Create the mount point directories using mkdir, edit '/etc/fstab' as adequate and run mount -a to mount the new resources.

  • Enable access in case diskless workstations are used. This is a special case, because sshfs is used instead of NFS and automount:
    • Create the mount point directories in the LTSP diskless client's root (default /opt/ltsp/i386/) as well.
      Add a line containing 'LOCAL_APPS_EXTRAMOUNTS=/storage' to /opt/ltsp/i386/etc/lts.conf (example).
      Create a link in each user's home dir like 'ln -s /storage Storage' to help users find the resources.

Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP thin client or LTSP server, and visiting ~/Storage in case an LTSP diskless client is used.

Restrict ssh login access

There are several ways to restrict ssh login, some are listed here.

Setup without LTSP clients

If no LTSP clients are used a simple solution is to create a new group (say sshusers) and to add a line to the machine's /etc/ssh/sshd_config file. Only members of the sshusers group will then be allowed to ssh into the machine from everywhere.

Managing this case with GOsa is quite simple:

  • Create a group sshusers on the base level (where already other system management related groups like gosa-admins show up).

  • Add users to the new group sshusers.

  • Add AllowGroups sshusers to /etc/ssh/sshd_config.

  • Execute service ssh restart.

Setup with LTSP clients

The default LTSP client setup uses ssh connections to the LTSP server. So a different approach using PAM is needed.

  • Enable pam_access.so in the LTSP server's /etc/pam.d/sshd file.
  • Configure /etc/security/access.conf to allow connections for (sample) users alice, jane, bob and john from everywhere and for all other users only from the internal networks by adding these lines:

+ : alice jane bob john : ALL
+ : ALL : 10.0.0.0/8 192.168.0.0/24 192.168.1.0/24
- : ALL : ALL
#

If only dedicated LTSP servers are used, the 10.0.0.0/8 network could be dropped to disable internal ssh login access. Note: someone connecting his box to the dedicated LTSP client network(s) will gain ssh access to the LTSP server(s) as well.

A note for more complex setups

If LTSP clients were attached to the backbone network 10.0.0.0/8 (combi server or LTSP cluster setup) things would be even more complicated and maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with appropriate PAM configuration would allow to disable internal ssh login.

CategoryPermalink