[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Bullseye/GettingStarted" by WolfgangSchweer

Debian Wiki wiki at debian.org
Mon Jan 18 20:45:03 GMT 2021


Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.

The "DebianEdu/Documentation/Bullseye/GettingStarted" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/GettingStarted?action=diff&rev1=8&rev2=9

Comment:
update after major changes 

  == Minimum steps to get started ==
  
  
- During installation of the main server a first user account was created. In the following text this account will be referenced as "first user". This account is special, as there's no Samba account (can be added via GOsa²), the home directory permission is set to 700 (so {{{chmod o+x ~}}} is needed to make personal web pages accessible), and the first user can use {{{sudo}}} to become root.
+ During installation of the main server a first user account was created. In the following text this account will be referenced as "first user". This account is special, as the home directory permission is set to 700 (so {{{chmod o+x ~}}} is needed to make personal web pages accessible), and the first user can use {{{sudo}}} to become root.
  
  See the information about Debian Edu specific   [[../Architecture#File_system_access_configuration|file system access configuration]] before adding users; adjust to your site's policy if needed.
   
  After the installation, the first things you need to do as first user are:
  
-  1. Log into the server. 
+  1. Log into the server.
   1. Add users with GOsa².
-  1. Add workstations with GOsa² - thin-client and diskless workstation can be used directly without this step.
+  1. Add workstations with GOsa².
  
  Adding users and workstations is described in detail below, so please read this chapter completely. It covers how to perform these minimum steps correctly as well as other stuff that everybody will probably need to do.
  
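Review bot: Step 3 of the minimum-steps list now reads "Add workstations with GOsa²." with no exception, yet the Machine Management text changed further down still says diskless workstations and thin clients work out-of-the-box in case of a combined main server. Consider keeping a short qualifier on step 3, or a pointer to the Machine Management section, so that someone reading only this list does not conclude every client must be registered before it can be used.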
@@ -26, +26 @@

  /!\ If generic DNS traffic is blocked out of your network and you need to use some specific DNS server to look up internet hosts, you need to tell the DNS server to use this server as its "forwarder".  Update /etc/bind/named.conf.options and specify the IP address of the DNS server to use.
  
  The [[../HowTo|HowTo]] chapter covers more tips and tricks and some frequently asked questions.
- 
- {{attachment:27-Tjener-Xfce_Desktop.png|Debian Edu Xfce desktop|width=600}}
  
  === Services running on the main server ===
  
@@ -39, +37 @@

  
   * User Administration
   * Group Administration
-  * NIS Netgroup Administrator
+  * NIS Netgroup Administration
   * Machine Administration
   * DNS Administration
   * DHCP Administration
@@ -69, +67 @@

  
  Next, you can choose a task in the menu or click any of the task icons on the overview page. For navigation, we recommend using the menu on the left side of the screen, as it will stay visible there on all administration pages offered by GOsa².
  
- In Debian Edu, account, group, and system information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations, the LTSP servers and the Windows machines on the network. With LDAP, account information about students, teachers, etc. only needs to be entered once. After information has been provided in LDAP, the information will be available to all systems on the whole Skolelinux network.
+ In Debian Edu, account, group, and system information is stored in an LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations, the LTSP servers and other machines on the network. With LDAP, account information about students, teachers, etc. only needs to be entered once. After information has been provided in LDAP, the information will be available to all systems on the whole Skolelinux network.
  
  GOsa² is an administration tool that uses LDAP to store its information and provide a hierarchical department structure. To each "department" you can add user accounts, groups, systems, netgroups, etc. Depending on the structure of your institution, you can use the department structure in GOsa²/LDAP to transfer your organisational structure into the LDAP data tree of the Debian Edu main server.
  
- A default Debian Edu main server installation currently provides two "departments": Teachers and Students, plus the base level of the LDAP tree. Student accounts are intended to be added to the "Students" department, teachers to the "Teachers" department; systems (servers, Skolelinux workstations, Windows machines, printers etc.) are currently added to the base level. Find your own scheme for customising this structure. (You can find an example how to create users in year groups, with common home directories for each group in the [[../HowTo/AdvancedAdministration#Create_Users_in_Year_Groups|HowTo/AdvancedAdministration]] chapter of this manual.)
+ A default Debian Edu main server installation currently provides two "departments": Teachers and Students, plus the base level of the LDAP tree. Student accounts are intended to be added to the "Students" department, teachers to the "Teachers" department; systems (servers, workstations, printers etc.) are currently added to the base level. Find your own scheme for customising this structure. (You can find an example how to create users in year groups, with common home directories for each group in the [[../HowTo/AdvancedAdministration#Create_Users_in_Year_Groups|HowTo/AdvancedAdministration]] chapter of this manual.)
  
  Depending on the task that you want to work on (manage users, manage groups, manage systems, etc.) GOsa² presents you with a different view on the selected department (or the base level). 
  
@@ -160, +158 @@

  
  You can enter a name and a description per group. Make sure that you choose the right level in the LDAP tree when creating a new group. 
  
- By default, the appropriate Samba group isn't created. If you forgot to check the Samba group option during group creation, you can modify the group later on.
- 
  Adding users to a newly created group takes you back to the user list, where you most probably would like to use the filter box to find users. Check the LDAP tree level, too.
  
  The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.
  
+ == Machine Management with GOsa² ==
  
- === Group Management on the command line ===
+ Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is usually "intern"). For a fuller description of the Debian Edu architecture see the [[../Architecture|architecture]] chapter of this manual.
  
+ Diskless workstations and thin clients work out-of-the-box in case of a ''combined main server''.
+ 
+ Workstations with disks (including separate LTSP servers) '''have to''' be added with GOsa². Behind the scenes, both a machine specific Kerberos Principal (sort of ''account'') and a related keytab file (containing a key used as ''password'') are generated; the keytab file needs to be present on the workstation to be able to mount users' home directories. Once the added system has been rebooted, log into it as root and run {{{/usr/share/debian-edu-config/tools/copy-host-keytab}}}.
+ 
+ To create Principal and keytab file for a system ''already configured with GOsa²'', log in on the main server as root and run
  {{{
+ /usr/share/debian-edu-config/tools/gosa-modify-host <hostname> <IP>
- # List existing group mapping between UNIX and Windows groups.
- net groupmap list
-  
- # Add your new or otherwise missing groups:
- net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
-                  comment="DESCRIPTION OF NEW GROUP"
  }}}
+ '''Please note:''' host keytab creation is possible for systems of type ''workstations'', ''servers'' and ''terminals'' but not for those of type ''netdevices''.
+ See the [[DebianEdu/Documentation/Bullseye/HowTo/NetworkClients|Network clients HowTo]] chapter for NFS configuration options.
- 
- == Machine Management with GOsa² ==
- 
- Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is usually "intern"). For a fuller description of the Debian Edu architecture see the [[../Architecture|architecture]] chapter of this manual.
- 
- Diskless workstations and thin-clients work out-of-the-box when connected to the main network. Only workstations with disks '''have to''' be added with GOsa², but all '''can'''.
  
  To add a machine, use the GOsa² main menu, systems, add. You can use an IP address/hostname from the preconfigured address space 10.0.0.0/8. Currently there are only two predefined fixed addresses: 10.0.2.2 (tjener) and 10.0.0.1 (gateway). The addresses from 10.0.16.20 to 10.0.31.254 (roughly 10.0.16.0/20 or 4000 hosts) are reserved for DHCP and are assigned dynamically.
  
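Review bot: The added NFS pointer uses an absolute page name, [[DebianEdu/Documentation/Bullseye/HowTo/NetworkClients|Network clients HowTo]], while the other links in this diff are relative ([[../Architecture|architecture]], [[../HowTo|HowTo]]); a relative [[../HowTo/NetworkClients|...]] would stay correct when the page is copied for the next release. The "Please note" line and the "See the ..." line also sit directly after the closing }}} with no blank line between them, so they will probably run together as one paragraph. Since the text says the keytab holds a key used as a password and must be present on the workstation, it would help to say in the copy-host-keytab sentence where the file is fetched from.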
@@ -225, +218 @@

  For example, adding a machine to a {{{NetGroup}}} does not modify the file access or command execution permissions for that machine or the users logged in to that machine; instead it restricts the services that machine can use on your main-server.
  
  The default installation provides the {{{NetGroups}}}
- 
+  * all-hosts
   * cups-queue-autoflush-hosts
   * cups-queue-autoreenable-hosts
   * fsautoresize-hosts
@@ -235, +228 @@

   * server-hosts
   * shutdown-at-night-hosts
   * shutdown-at-night-wakeup-hosts-blacklist
-  * winstation-hosts
   * workstation-hosts
  
- Currently the {{{NetGroup}}} functionality is used for
+ Currently the {{{NetGroup}}} functionality is used for:
-  * NFS.
-   The home directories are exported by the main-server to be mounted by the workstations and the LTSP servers. For security reasons, only hosts within the workstation-hosts, ltsp-server-hosts and server-hosts {{{NetGroups}}} can mount the exported NFS shares. So it is rather important to remember to configure these kinds of machines properly in the LDAP tree using GOsa² and to configure them to use static IP addresses from LDAP.
  
+  * '''Resizing partitions''' (fsautoresize-hosts)
-   /!\ Remember to configure workstations and LTSP servers properly with GOsa², or your users won't be able to access their home directories. Diskless workstations and thin clients don't use NFS, so they don't need to be configured.
-  * fs-autoresize
    Debian Edu machines in this group will automatically resize LVM partitions that run out of space.
-  * shutdown at night
+  * '''Shutdown machines at night''' (shutdown-at-night-hosts an shutdown-at-night-wakeup-hosts-blacklist)
    Debian Edu machines in this group will automatically shut down at night to save energy.
-  * CUPS (cups-queue-autoflush-hosts and cups-queue-autoreenable-hosts)
+  * '''Managing printers''' (cups-queue-autoflush-hosts and cups-queue-autoreenable-hosts)
    Debian Edu machines in these groups will automatically flush all print queues every night, and re-enable any disabled print queue every hour.
-  * netblock-hosts
+  * '''Blocking Internet access''' (netblock-hosts)
    Debian Edu machines in this group will be allowed to connect to machines only on the local network.  Combined with web proxy restrictions this might be used during exams.
  
- Another important part of machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you need to add the Windows host to the LDAP tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the [[../HowTo/NetworkClients#Connecting_Windows_machines_to_the_network|HowTo/NetworkClients]] chapter of this manual.
- 
  = Printer Management =
  
- For Printer Management point your web browser to https://www:631. This is the normal CUPS management interface where you can add/delete/modify your printers and can clean up the printing queue. By default only root is allowed but this can be changed: Open /etc/cups/cups-files.conf with an editor and add one or more valid group names matching your site policy to the line containing {{{SystemGroup lpadmin}}}. Existing GOsa² groups that might be used are {{{gosa-admins}}} and {{{printer-admins}}} (both with the first user as member), {{{teachers}}} and {{{jradmins}}} (no members after installation).
+ For centralized printer management point your web browser to https://www.intern:631. This is the normal CUPS management interface where you can add/delete/modify your printers and can clean up the printing queue. By default only the first user is allowed but this can be changed by adding users to the GOsa² {{{printer-admins}}} group.
  
  == Use printers attached to workstations ==
  
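Review bot: With the NFS bullet removed, the "used for" list no longer explains workstation-hosts or server-hosts, which are still listed as default NetGroups, and the newly added all-hosts gets no description either. The removed text stated that only hosts in certain NetGroups can mount the exported home directories; since the Machine Management section now ties mounting home directories to the host keytab, a one-line replacement saying so would keep the access restriction documented in this place. There is also a typo in the added line "shutdown-at-night-hosts an shutdown-at-night-wakeup-hosts-blacklist": "an" should be "and".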
@@ -265, +252 @@

    * P910ND_OPTS="-f /dev/usb/lp0" 
    * P910ND_START=1
   *  Configure the printer using the web interface {{{https://www.intern:631}}}; choose network printer type {{{AppSocket/HP JetDirect}}} (for all printers regardless of brand or model) and set {{{socket://<workstation ip>:9100}}} as connection URI.
-  
+ 
+ == Network printers ==
+ 
+ It is recommended to disable all self-advertising features in the used network printers. Instead, assign a fixed IP address with GOsa² and configure them as {{{AppSocket/HP JetDirect}}} network printers.
+ 
  = Clock synchronisation =
  
  The default configuration in Debian Edu is to keep the clocks on all machines
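Review bot: The new "Network printers" paragraph recommends disabling all self-advertising features but gives no reason; add a clause saying what goes wrong when they are left enabled, so admins can weigh the recommendation. "in the used network printers" reads awkwardly, and "on network printers" would do. A link to the Machine Management section would also help for the "assign a fixed IP address with GOsa²" step.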
@@ -275, +266 @@

  /!\ If you use dialup or ISDN and pay per minute, you want to change this default setting.
  
  To disable synchronisation with an external clock, the file /etc/ntp.conf on
- the main-server and all clients and LTSP chroots need to be modified.  Add comment ("#") marks in front of the
+ the main server needs to be modified. Add comment ("#") marks in front of the
- {{{server}}} entries.  After this, the NTP server needs to be
+ {{{server}}} entries. After this, the NTP server needs to be
- restarted by running {{{/etc/init.d/ntp restart}}} as root.  To test if a machine is using the external clock sources, run {{{ntpq -c lpeer}}}.
+ restarted by running {{{service ntp restart}}} as root. To test if a machine is using the external clock sources, run {{{ntpq -c lpeer}}}.
  
  = Extending full partitions =
  


