Dies ist das (noch unvollständige ) Release Manual für das Debian Edu etch 3.0 Release.
This document was put into the debian-edu-doc package on 2007-12-04.
Die Version auf http://wiki.skolelinux.no/DebianEdu/Documentation/Etch ist ein Wiki und wird häufig aktualisiert.
Übersetzungen sind Teil des debian-edu-doc Pakets, das auf einem Webserver installiert sein kann .
Skolelinux ist vom Debian-edu Projekt die Custom Debian Distribution (CDD) in der Entwicklung. Dies bedeutet, dass Skolelinux eine Version von Debian mit einer vorkonfigurierten Umgebung ist, die ihnen ein komplett eingerichtetes Schulnetzwerk zur Verfügung stellt. In Norwegen, wo die Entwicklung von Skolelinux begann, ist die Hauptzielgruppe Schulen mit Schülern im Alter von 6 bis 16 Jahren.
Das System wird in einigen Ländern in der ganzen Welt benutzt, mit den meisten Benutzern in Norwegen, Deutschland und Frankreich.
Dieser Abschnitt erläutert die Netzwerktopologie und die Serverdienste einer Skolelinux-Installation.
(Das debian-edu-doc Quellpaket enthält dieses Bild als dia Datei.)
Die Abbildung ist eine Skizze der angenommenen Netzwerktopologie. Die Grundeinstellungen von Skolelinux gehen davon aus, dass es genau einen Hauptserver ('Tjener') gibt, während normale Arbeitsstationen und Terminalserver (mit ihren zugehörigen Thin-Client-Terminals) eingebunden werden können. Die Anzahl der Arbeitsstationen ist beliebig (zwischen 0 und 400). Gleiches gilt für Terminalserver, die ihre Thin-Clients jeweils auf einem separaten Netzwerksegment bedienen, so dass der Netzwerkverkehr zwischen den Thin-Clients und ihrem Terminalserver den Rest der Netzwerkdienste nicht stört.
Der Grund dafür, dass es nur einen Hauptserver in jedem Schulnetzwerk geben kann, ist dass der Hauptserver DHCP anbietet. Dies kann immer nur eine Maschine in einem Netzwerk machen. Es ist möglich, die Dienste des Hauptservers auf andere Maschinen auszulagern, indem man diese Dienste dort aufsetzt und die DNS-Konfiguration auf dem Hauptserver so abändert, dass der DNS-Alias für die geänderten Dienste auf die richtige Maschine zeigt.
Um die Standardinstallation von Skolelinux einfach zu halten, läuft die Internetverbindung über einen separaten Router. Es besteht die Möglichkeit, eine separate Maschine mit Debian zu installieren und sie als Router für Skolelinux mit der von ihnen bevorzugten Internet-Einwahlmethode zu konfigurieren (Die notwendige Einrichtung um die Standardsituation an die Gegebenheiten anzupassen, sollte separat dokumentiert werden).
With the exception of the control of the thin-clients, all services are initially set up on one central computer (the main server). For performance reasons, the thin-client-server should be a separate machine (though it is possible to install both the main server and thin-client server profiles on the same machine). All services are allocated a dedicated DNS-name and are offered exclusively over IPv4. The allocated DNS name makes it easy to move individual services from the main-server to a different machine, by simply stopping the service on the main-server, and changing the DNS configuration to point to the new location of the service (which should be setup on that machine first of course).
Aus Sicherheitsgründen werden Passwörter stets verschlüsselt übertragen , so dass keine Klartextpasswörter in das Netzwerk gelangen.
Unten ist eine Liste von Diensten, die standardmässig in einem Skolelinuxnetzwerk eingerichtet sind, mit dem DNS Namen jedes einzelnen Dienstes in rechteckigen Klammern. Wo es möglich ist, entspricht der DNS Name dem Dienstenamen in /etc/services ,sonst wurde die allgemeine Bezeichnung des Dienstes als DNS-Name verwendet. Alle Konfigurationsdateien verwenden möglichst den DNS Namen (ohne Domäne), um die Änderung von IP-Bereichen oder Domänennamen zu erleichtern.
Each user stores his personal files in his home folder which is made available by the server. Home folders are accessible from all machines, giving users access to the same files regardless of which machine they are using. The server is operating system agnostic in offering access using NFS for Unix Clients, SMB for Windows and Macintosh clients.
E-Mail ist nur zur lokalen Auslieferung vorkonfiguriert (z.B. innerhalb der Schule), aber die E-Mailzustellung kann, sofern die Schule einen festen Internetzugang hat, so konfiguriert werden, dass auch in das Internet E-Mail ausgeliefert werden können. Mailinglisten werden basierend auf der Benutzerdatenbank eingerichtet, so dass jede Klasse ihre eigene Mailingliste hat. Client PC's sind so konfiguriert, dass sie ihre E-Mails an den Server ('smarthost') senden. Benutzer können auf ihre E-Mails mit den Protokollen POP3 oder IMAP zugreifen.
All services are accessible using the same username and password, thanks to the central user database for authentication and authorization.
Um die Leistung bei häufig zugegriffenen Web-Sites zu steigern, wird ein lokaler proxy-server (squid) benutzt, der die angefragten Web-Seiten für den wiederholten Zugriff zwischenspeichert. In Verbindung mit der Sperrung des Netzwerkverkehrs in dem Router, ermöglicht dies ebenso die Kontrolle über den Internetzugriff einzelner Maschinen.
Die Netzwerkeinrichtung der Client-PC's erfolgt automatisch mit DHCP. Normale Client-PC's bekommen IP-Adressen aus dem privaten Subnetz 10.0.2.0/23 zugeteilt, während Thinclients über das dem zugehörigen Thinclient-Server entsprechende Subnetz 192.168.0.0/24 mit ihm verbunden sind (damit der Netzwerkverkehr der Thinclients nicht den Rest der Netzwerkdienste stören).
Zentrales Mitschreiben von Systemnachrichten ist so konfiguriert, dass alle Maschinen ihre syslog Meldungen zum Server übertragen. Der Syslogdienst akzeptiert nur eingehende Nachrichten aus dem lokalen Netzwerk.
Standardmäßig ist der DNS-Server mit einer domain nur für interne Benutzung konfiguriert (*.intern), bis eine richtige ("external") DNS domain konfiguriert werden kann. Der DNS-Server ist als ein zwischenspeichernder DNS-Server konfiguriert, so dass alle Maschinen des Netzwerks ihn als Haupt-DNS-Server benutzen können.
Schüler und Lehrer haben die Möglichkeit, Webseiten zu veröffentlichen. Der Webserver bietet Mechanismen zur Authentifizierung von Benutzern und Einschränkung des Zugriffs auf individuelle Seiten und Unterverzeichnisse für bestimmte Benutzer und Gruppen. Benutzer haben die Möglichkeit dynamische Webseiten zu erstellen, da der Server programmierbar ist.
Informationen über Benutzer und Maschinen können an zentraler Stelle geändert werden und sind automatisch für alle Maschinen zugreifbar. Um dies zu erreichen, ist ein zentralisierter Verzeichnisserver eingerichtet. Das Verzeichnis hält Informationen über Benutzer, Benutzergruppen, Maschinen und Maschinengruppen. Um eine Verwirrung des Benutzers zu vermeiden, wird kein Unterschied zwischen Datei Gruppen, Mailinglisten und Netzwerkgruppen gemacht. Dies impliziert, dass Gruppen von Maschinen, die Netzwerkgruppen sein müsen, den gleichen Namensraum wie Benutzergruppen und Mailinglisten haben.
Die Verwaltung von Diensten und Benutzern wird meistens und überwiegend web(-basiert) durchgeführt und folgt dabei etablierten Standards, die mit den in Skolelinux enthaltenen Webbrowsern gut funktionieren. Die Übertragung von bestimmten Aufgaben an individuelle Benutzer oder Benutzergruppen wird von dem Verwaltungssystem ermöglicht.
Um bestimmte Probleme mit NFS zu vermeiden und um die Fehlersuche zu vereinfachen, muss die Zeit der verschiedenen Maschinen im Netzwerk synchronisiert werden. Um dies zu gewährleisten, ist der Skolelinux Server als ein lokaler Netzwerk-Zeitprotokollserver (NTP) eingerichtet und alle Arbeitsstationen und Clients sind so eingerichtet, dass sie ihre Uhr mit der des Servers synchronisieren. Der Server selbst sollte sich mit NTP über das Internet gegen Zeitservern höherer Ordnung (Stratuum) synchronisieren, um sicherzustellen, dass das ganze Netzwerk die korrekte Zeit führt.
Drucker können entweder an das Netzwerk, an einen Server, eine Arbeitsstation oder einen Thin-Client-Server angeschlossen werden. Zugriff auf Drucker kann für bestimmte Benutzer entsprechend ihrer Gruppenzugehörigkeit kontrolliert werden. Dies wird durch die Benutzung von Mengenbegrenzungen und Zugriffskontrollisten für Drucker erreicht.
Eine Einrichtung als Thin-Client ermöglicht es einem gewöhnlichen Pc, als (X)Terminal zu funktionieren. Das heisst, dass diese Maschine von einer Diskette startet, oder unter Benutzung des Netzwerkkarten PROM direkt von dem Server , ohne die lokale Festplatte zu benutzen. Die benutzte Thin-Client Einrichtung, ist die des Linux Terminal Server Projekts (LTSP).
Thin Clients sind ein guter Weg, um ältere schwächere Maschinen zu benutzen, da sie alle Programme effektiv auf dem LTSP-Server ausführen. Dies funktioniert wie folgt: Der Dienst benutzt DHCP und TFTP um sich mit dem Netzwerk zu verbinden und davon zu starten. Als nächstes wird das Dateisystem per NFS vom LTSP-Server eingehängt und letztendlich X11 gestartet und mit dem selben LTSP-Server über XDMCP verbunden, damit sichergestellt ist, dass alle Programme auf dem LTSP-Server ausgeführt werden.
Der Thin Client Server ist eingerichtet um Systemmeldungen der Thin Clients zu empfangen und diese an den zentralen Systemmeldungsempfänger weiterzuleiten. (weitere Anmerkungen zur Identifikation von Thin Clients auf dem Hauptserver)
Alle Linux Maschinen die durch eine Skolelinux CD oder DVD installiert wurden, sind durch einen zenttalen Computer verwaltbar, üblicherweise dem Hauptserver. Es ist möglich, sich auf allen Maschinen mit ssh einzuloggen und somit vollen Zugriff auf die Maschinen zu haben.
Wir benutzen cfengine um Konfigurationsdateien zu editieren.Diese Dateien werden durch den Server auf den Clients auf Stand gehalten.
Alle Benutzerinformationen werden in einem LDAP-Verzeichnis gehalten. Aktualisierungen von Benutzerkonten werden in dieser Datenbank durchgeführt, die auch von den Clients zur Authentifizierung der Benutzer benutzt wird.
Die Installation ist entweder von CD oder von DVD möglich.
Das Ziel ist, in der Lage zu sein, einen Server von CD/DVD zu installieren und Clients über das Netzwerk zu installieren indem alle anderen Maschinen vom Netzwerk starten. Die DVD Installation arbeitet ohne Zugriff auf das Internet.
Die Installation sollte keine Fragen stellen, mit der Ausnahme der gewünschten Sprache (z.B. Norwegian Bokmal, Nynorsk, Sami, German, ...) und dem Maschinen Profil (Server, Arbeitsstation, Thin Client Server). Alle anderen Einstellungen werden automatisch mit vernünftigen Werten vorbelegt, um von dem Systemadministrator von einer zentraler Stelle nach der Installation geändert werden zu können.
Jedem Skolelinux Benutzerkonto ist ein Abschnitt des Dateisystems auf dem Server zugewiesen. Dieser Abschnitt (Benutzerverzeichnis) beinhaltet die Konfigurationsdateien, Dokumente, E-Mails und Webseiten des Benutzer. Einige der Dateien sollten mit Lesezugriff für andere Benutzer auf dem System ausgestattet sein, einige sollten lesbar für Jedermann im Internet und manche sollten für Keinen, außer dem Benutzer selbst, lesbar sein.
Um sicherzustellen, dass alle Festplatten, die für Benutzerverzeichnisse oder gemeinsame Verzeichnisse auf allen Computern in der Installation benutzt werden, einheitlich benannt werden können, sind sie als /skole/host/directory/ . Zunächst ist ein Verzeichnis auf dem Dateiserver erstellt, /skole/tjener/home0/ , in dem all die Benutzerverzeichnisse erstellt wurden. Mehr Verzeichnisse können dann erzeugt werden, wenn sie benötigt werden, um bestimmten Benutzergruppen oder bestimmte Muster der Nutzung unterzubringen.
Um die Kontrolle von geteiltem Dateizugriff unter Benutzung von Dateigruppen zu ermöglichen, jeder Benutzer muss einer primären Gruppe ohne anderen Mitgliedern zugeordnet sein. Der Name dieser privaten Gruppe sollte identisch mit dem Benutzernamen sein. (Mehr Info über private Gruppen ist von Redhat verfügbar.) Dies erlaubt für alle neuen von dem Benutzer erzeugten Dateien das Setzen des vollen Zugriffs für die Dateigruppe. Zusammen mit dem set-gid Bit auf Verzeichnissen und der Vererbung von Rechten, ermöglicht es kontrollierten gemeinsamen Dateizugriff zwischen den Mitgliedern einer Dateigruppe. Dazu sollte die umask 00X des Benutzer sein. (Falls alle Benutzer anfänglich in der Lage sein sollen, neue erstellte Dateien zu lesen, dann X=2. Falls nur der relevanten Gruppe anfänglicher Lesezugriff gegeben werden soll, dann ist X=7.)
Die anfängliche Einstellung der Zugriffsrechte für neu erstellte Dateien ist eine Sache der Politik. Sie können einerseits so eingestellt sein, dass jedem Lesezugriff gegeben wird, der später durch den Benutzer gezielt wieder entfernt werden kann, oder sie sind anfänglich gesperrt, mit der Notwendigkeit sie durch gezielten Benutzereingriff zugreifbar zu machen. Der erste Ansatz fördert das Teilen von Wissen und macht das System mehr transparent, wogegen die zweite Methode das Risiko von ungewünschter Verbreitung von empfindlichen Informationen senkt. Das Problem mit der ersten Lösung ist, dass es für die Benutzer nicht ersichtlich ist, dass das von ihnen erstellte Material durch alle anderen zugreifbar ist. Dies ist nur durch die Untersuchung der Benutzerverzeichnisse erkennbar, wo man sehen kann, dass die Dateien lesbar sind. Das Problem mit der zweiten Lösung besteht darin, dass wahrscheinlich wenig Leute ihre Dateien zugreifbar machen möchten, selbst wenn sie keine empfindlichen Informationen enthalten und der Inhalt hilfreich für neugierige Benutzer wäre, die lernen wollen, wie andere bestimmte Probleme gelöst haben (typischerweise Konfigurationsthemen).
Empfehlung: Die Dateien werden anfänglich auf lesbar für alle gesetzt, aber bestimmte Verzeichnisse werden erzeugt, in denen der Inhalt anfänglich gesperrt ist. Dies wird einfach entscheiden, ob die Datei lesbar gemacht werden soll, oder nicht. Konkret sollte umask auf 002 gesetzt werden und ~/ mit den Privilegien0775 erzeugt werden, ~/priv/ mit 0750 und ~/pub/ mit 0775. Dateien, die nicht lesbar für andere sein sollen, sollten in ~/priv/ gespeichert werden, wogegen öffentliche Dateien in ~/pub/ gespeichert werden. Andere Dateien werden anfänglich zugreifbar sein, können aber wie benötigt gesperrt werden.
ssh erfordert, dass das Heimatverzeichnis des Benutzers nur durch den Benutzer beschreibbar ist, somit ist das maximum an Zugriffsprivilegien 755 für ~/ .
Diese zufälligen Notizen betreffen Dinge, die in diesem Dokument enthalten sein sollten.
Dieses Kapitel wurde kopiert und eingefügt von http://developer.skolelinux.no/arkitektur/arkitektur.html.en ( zu diesem Zeitpunkt war es Copyright © 2001, 2002, 2003, 2004 Petter Reinholdtsen < pere@hungry.com >, released under the GPL) - Notiz an Übersetzer: es gibt bereits Übersetzungen für dieses Dokument, die Sie auch kopieren und einfügen können. Aber erhalten Sie jene Copyright Notizen ebenso.
OpenOffice.org Version 2.0.
Rückschritt: webmin ist jetzt aus Debian entfernt worden, wegen Problemen es zu unterstützen. Wir haben ein neues webbasiertes Benutzer Administrationswerkzeug namens lwat hinzugefügt, das nicht die gleichen Funktionen wie wlus hat, dem alten Benutzer Administrationswerkzeug. Aber wlus erfordert webmin .
Rückschritt: swi-prolog ist nicht Teil von etch, aber es war Teil von sarge. Das HowTo teach and learn Kapitel beschreibt wie swi-prolog auf etch installiert wird.
OpenOffice.org 1.1.
Mehr Informationen zu älteren Releases können auf http://developer.skolelinux.no/info/cdbygging/news.html gefunden werden..
Es gibt verschiedene Möglichkeiten eine Skolelinux Lösung einzurichten. Es kann einfach auf einem alleinstehendem PC, oder einer regionalen Lösung mit vielen Schulen installiert werden. Diese Vielfalt an Konfigurationen macht einen großen Unterschied aus, wie eingerichtet werden, Netzwerkkomponenten, Servern und Clients betreffend.
Für den Hauptserver (10.0.2.2): dies ist der einzige Computer im Netzwerk, auf dem das Haupt-Server -Profilinstalliert wird.
for diskless workstations (also known as LowFat clients) 256 MB RAM and 800 MHz or more is recommended minimum requirements. Swapping over the network is automatically enabled, the swap size is 32mb, if you need more you can tune this by editing /etc/ltsp/nbdswapd.conf on tjener to set the SIZE variable.
FIXME: add links to explainations of main-server and thinclient-server
A list of tested hardware is provided from http://wiki.debian.org/DebianEdu/Hardware/ .
A router/gateway, connected to the internet on the external interface and running on the IP address 10.0.2.1 on the internal interface. The router must not run a DHCP server, it can run a DNS server, though this is not needed and will not be used.
If you are looking for a i386 based solution, we recommend IPCop or floppyfw . If you need something for an embedded router we recommend OpenWRT , check here for supported hardware . If you are into BSD unix, pfsense and m0n0wall are good choices. Though since they are BSD based, we think they are better suited for more experienced administrators.
It's possible to use a different network setup, this is the documented procedure to do this. If you are not forced to do this by an existing network infrastructure, we recommend against doing so and recommend you stay with the default network architecture.
We recommend to read or at least take a look at the release notes for
Debian etch before you start installing a system for production
use. If you just want to give Debian Edu/Skolelinux a try, you don't have to
though, it should just work
Even more information about the Debian etch release is available in its installation manual.
Das für mehrere Architekturen geeignete DVD-ISO-Image ist 4,4 GiB groß. Um es herunterzuladen, nutze eine der beiden Methoden:
ftp://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-amd64-i386-powerpc-DVD-3.0r0.iso
http://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-amd64-i386-powerpc-DVD-3.0r0.iso
rsync ftp.skolelinux.org::skolelinux-cd/debian-edu-etch-amd64-i386-powerpc-DVD-3.0r0.iso
Oder, um eine Netzinstallation durchzuführen, kannst Du eine CD für die i386 und für die amd64 Architektur herunterladen.
ftp://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-i386-netinst-3.0r0.iso
http://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-i386-netinst-3.0r0.iso
rsync ftp.skolelinux.org::skolelinux-cd/debian-edu-etch-i386-netinst-3.0r0.iso
amd64
ftp://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-amd64-netinst-3.0r0.iso
http://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-amd64-netinst-3.0r0.iso
rsync ftp.skolelinux.org::skolelinux-cd/debian-edu-etch-amd64-netinst-3.0r0.iso
and powerpc (suited for the newworld sub-architecture)
ftp://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-powerpc-netinst-3.0r0.iso
http://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-powerpc-netinst-3.0r0.iso
rsync ftp.skolelinux.org::skolelinux-cd/debian-edu-etch-powerpc-netinst-3.0r0.iso
The powerpc port has not been tested as much as the other architectures, though it should work just fine and has been reported to work. Still, we consider the port an experimental release of Debian Edu, which we might not be able to support as the other archs.
Der Quellcode für dieses Release ist auf einem DVD-Image verfügbar
ftp://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-source-DVD-3.0r0.iso
http://ftp.skolelinux.org/skolelinux-cd/debian-edu-etch-source-DVD-3.0r0.iso
rsync ftp.skolelinux.org::skolelinux-cd/debian-edu-etch-source-DVD-3.0r0.iso
For those without a fast internet connection, we offer to send you a CD or
DVD for the cost of the CD or DVD and shipping. Just send an email to cd@skolelinux.no and we will discuss
the payment details (for shipping and media) Remember to include the address you want the CD or DVD
to be sent to in the email.
Die Installation mit der Netinstall CD nutzt einige Pakete von der CD und den Rest aus dem Netz. Die Menge der aus dem Netz zu ladenden Pakete hängt vom jeweiligen Installationsprofil ab.
The profiles are explained below.
When you do an Debian Edu installation you have a few options to choose. But don't be afraid, there aren't many. We have done a good job hiding the complexity of Debian during the installation and beyond. However, Debian Edu is Debian, and if you want there are more than 15000 packages to choose from and a billion configuration options. But for the majority of our users, our defaults should be fine.
Normal graphical installation is the default on i386 and amd64. The powerpc installer does not support graphical installation. Enter install at the boot prompt to do an i386 text-mode install.
The debian-edu-expert boot option adds the barebone profile to the profile options, and switches to manual partitioning. Enter installgui debian-edu-expert or install debian-edu-expert at the syslinux/yaboot prompt to enter expert mode.
If you want to boot the amd64 text mode with the multiarch DVD it would be amd64-install . Likewise you can choose amd64-expertgui to get the GUI version on amd64.
If you want to boot the i386 mode with the multiarch DVD on an amd64 machine you need to manually select install (text mode) or expertgui (graphical mode). The multiarch DVD defaults to use amd64-installgui on x86 64-bits machines, and installgui on x86 32-bits machines.
Choose a profile :
bitte sagen Sie Ja, um die Informationen an http://popcon.skolelinux.org/
zu übertragen - Sie müssen dies aber nicht
FIXME: this section needs a link to diskless workstation installation howto.
If you decide to do manual partitioning for the main-server, you need to make sure that the directory /skole/tjener/home0 exists, probably by mounting a partition there. If you don't create that directory you will only be able to login as root. The reason is that the user creation system require this directory to exist to be able to create users home directories, and without a users home directory the user can not log in.
In principal it makes sense to either install notebooks with the workstation or with the standalone profile. But keep in mind, that the workstation profile uses LDAP for the user accounts and NFS for the home directories, so those workstations will only work while in the network where they can access the server. If you plan to use your laptop at home or on the road, choose the standalone profile.
It is possible to reconfigure workstations to cache authentication information and sync the home directories to local disk (and resync to the server when in the network) with unison , but there is currently no howto available for this.
If you install from a DVD /etc/apt/sources.list will only contain sources from the DVD. If you have an internet connection we strongly suggest to add the following lines to it, so that available (security) updates can be installed:
deb http://ftp.debian.org/debian/ etch main deb http://security.debian.org/ etch/updates main deb http://ftp.skolelinux.org/skolelinux etch local
The KDM login screen was manually adjusted to reduce the resolution for this screen shot.
This chapter describes the first steps you need to do after the installation to get started. The minimum you need to do is:
This is described below.
The HowTo chapter describes more tips and tricks and frequently asked questions, while this chapter describes the stuff everybody needs to do.
There are several services running on the main server which can be managed via a web management interface. We'll describe each service here.
Lwat is a web based management tool, that will help you manage some important parts of your Debian Edu setup. You can manage this four main groups (add, modify, delete):
To access lwat point your webbrowser to https://www/lwat . You will get an error message, because of atleast 2 facts:
When you have neglected the warnings (or fixed them...), you will see the page below with the menu fixed to the left part and the varying main part on the right. First you'll see a login screen where you can login with your admin account. If you visit this site the first time after installation, the loginname there is:
admin
and the password is the password you entered during the installation for the root account.
After login the loginarea will disappear and you can choose a task in the menu.
In Debian Edu account informations are stored in a LDAP directory and get used from there not only from the main server itself, but also from the workstations and thinclient server in the network. This way the information about students, pupils, teachers, ... only need to be entered once and are then available on all systems of the network.
To get the work done efficiently lwat will assist you on getting your users data entered to the LDAP directory.
You can add users, group them in usergroups (for example to refer the members of a class more easily), update them and remove them again. The menu entries for this are the four topmost entries (in the two topmost groups).
To add users you only have to choose "Add" in the "Users" section of the menu. After choosing this entry you will see a form where you can enter the data of the user you want to add. The most important thing to add is the full name of your user (point one in the image). As you enter you will see, that lwat will generate a username automatically based on the realname. If you don't like the generated username you can change it later. Second you need to choose the role of your account, which is used by lwat to determine the privileges the user has for systemadministration. Currently lwat knows the following roles:
Table 1.
role |
granted privileges |
Students |
Login and use the system |
Teachers |
Same as Students |
jrAdmins |
Same as Teachers, but can also change other user passwords (besides the ones of Admins) |
Administratoren |
Admins have ultimate privileges. They can add/modify/delete users/groups/machines/automounts and let windows systems join the Skolelinux domain |
After choosing a suitable role you can hit the "Save" button and the user is added.
You may miss the option to set a password, that has been deactivated, but you can set a own password by modifying the user added.
If all went well, you will see a short notice at the end of page with the data added to the ldap directory (also the form gets reset):
Added user: Demo User username: demuse password: somethingsecret
To modify or delete a user you need to first find her using the search menu entry. You will find a form (searcharea in the screenshot) where you can enter either the realname or the username of the user. The results will show up below the form (marked as resultarea in the image). On the left of every result line there is a checkbox you can use to delete or disable on or more user with the two buttons below. If you want to modify a user, just click on it, all result lines are links to the modify page.
A new page will show up where you can modify information directly belonging to a user, change the password of the user and modify the list of groups the user belongs to.
The mangement of groups is very similarly to the management of users. You can enter a name and a description per group. When be searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.
The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.
With the machine management you can basically manage all IP based devices in your Debian Edu network. Every machine added to the LDAP directory using lwat has a Hostname, an IP-address, an MAC-address and a domain name which usually is "intern". For a more verbose description about the Debian Edu architecture see the architecture chapter of this manual.
If you add a machine, you can use an ip/hostname from the preconfigured address space. The following ip ranges are predefined:
Table 2.
First address |
Last address |
hostname |
10.0.2.10 |
10.0.2.29 |
ltspserverxx |
10.0.2.30 |
10.0.2.49 |
printerxx |
10.0.2.50 |
10.0.2.99 |
staticxx |
The addresses from 10.0.2.100 till 10.0.2.255 and 10.0.3.0 till 10.0.3.243 are reserved for dhcp and are assigned dynamically.
To assign a host with the MAC-address 00:40:05:AF:4E:C6 a static IP-address you only have to enter the MAC-address and the hostname static00, the remaining fields will be filled automatically according to the predefined configuration.
This will not configure the dhcp server. You need to
configure the host statically or edit the configuration of the dhcp server
by hand as shown directly below.
To assign a static ip address to a host which you added to the ldap tree via lwat, you need to edit /etc/dhcp3/dhcpd.conf and run /etc/init.d/dhcp3-server restart as root.
For our example above you would, after open /etc/dhcpd3/dhcpd.conf in your favourite editor, search for the configuration section of the host static00 . You should find something exactly like this:
host static00 { hardware ethernet 00:00:00:00:00:00; fixed-address static00; }
You need to replace the all-zero MAC-address with the correct one of your static host. For our example host it will look like this:
host static00 { hardware ethernet 00:40:05:AF:4E:C6; fixed-address static00; }
Don't forget to restart the dhcpd as described above
whenever you have changed the configuration.
The full documentation for lwat can be found at /usr/share/doc/lwat/ on the main server or online .
For Printer Management point your webbrowser to https://www:631 This is the normal cups management site where you can add/delete/modfiy your printers and can clean up the printing queue. For changes where you have to login as root with your root password, you will be forced to use ssl encryption.
If you connect the printer for the first time, we suggest to run printconf as root. FIXME: explain what to do when this does not accomplish anything.
The default configuraiton in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will not be synchronized with an external source by default, to make sure the machines to not use external network connections active all the time. This was configured like this after a school discovered their ISDN network was up all the time, giving them a nasty extra phone bill.
To enable synchronization with an external clock, the file /etc/ntp.conf on the main-server need to be modified. The comments in front of the server entries need to be removed. After this, the ntp server need to be restarted by running /etc/init.d/ntp restart as root. To test if the server is using the external clock sources, run ntpq -c lpeer .
Because of a bug in the automatic partition, some partitions might be too full after installation. To extend the full partitions, run debian-edu-fsautoresize -n as root. See the "Resize Partitions" HowTo in the administration howto chapter for more information.
This section explains how to use aptitude upgrade and kde-update-notifier.
Using aptitude is really simply. To update a system you need to execute two commands on the command line as root: aptitude update (updates the lists of available packages) and aptitude upgrade (upgrades the packages for which an upgrade is available).
Instead of using the command line you can also use kde-update-notifier. FIXME: Explain how, maybe with a screenshot.
It is also a good idea to install cron-apt and apt-listchanges and configure them to send mail to an address you are reading.
cron-apt will notify you once a day via email, which packages need an update. It does not install these updates, but downloads them (usually in the night), so you don't have to wait for the download, when you do aptitude upgrade .
apt-listchanges can send new changelog entries to you.
For the backup management point your browser to https://www/slbackup-php . Please note that you have to access this site via ssl, since you have to enter the root password there. If you try to access this site without using ssl it will fail.
Per default the tjener will backup /skole/tjener/home0 , /etc/ and the ldap to /skole/backup which is in the lvm. If you only want to have things twice (if you delete something) this setup should be fine for you.
/root/.svk will also be backed up if you install from etch-test today. (FIXME this, once it's in etch.)
Be aware that this backup doesn't protect you from
failing harddrives.
If you want to backup your data to an external server, a tape device or another harddrive you'll have to modify the existing configuration a bit. FIXME: I have to have a look on the webpage of slbackup-php to describe this further
Munin trend reporting system is available from https://www/munin/ . It provides system status measurement graphis on a daily, weekly, monthly and yearly basis, and allow the system administrator help when looking for bottlenecks and the source of system problems.
The list of machines being monitored using munin is generated automatically based on the list of hosts reporting to sitesummary. All hosts with the package munin-node installed is registered for munin monitoring. It will normally take two days from a machine is installed until munin monitoring start, because of the order the cron jobs are executed. To speed up the process, run /etc/cron.daily/sitesummary-client as root on the freshly installed machine, and /etc/cron.daily/sitesummary as root on the sitesummary server (normally the main-server).
Information about the munin system is available from http://munin.projects.linpro.no/ .
Nagios system and service monitoring is available from https://www/nagios2/ .
The username is nagiosadmin and the password is undefined, you must set your own password before you can login and use nagios. For security reasons, avoid using the samme password as root. To change the password you can run the following command as root:
htpasswd /etc/nagios2/htpasswd.users nagiosadmin
By default from Debian-Edu 3.0r1 Nagios does not send email. This can be changed by replacing notify-by-nothing with host-notify-by-email and notify-by-email in the file /etc/nagios2/debian-edu/contacts.cfg .
Information about the nagios system is available from http://www.nagios.org/ or in the nagios2-doc package.
A simple report from sitesummary is available from https://www/sitesummary/ .
Some documentation on sitesummary is available from http://wiki.debian.org/DebianEdu/HowTo/SiteSummary
Before explaining how to upgrade, please note, that you do this update on your productive server on your own risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Please read this chapter completly before attempting to upgrade.
More information about the Debian etch release is available in its installation manual.
If you want to be sure that after the upgrade everything works like before , you should test the upgrade on a test server, which is configured the same way as your production server. There you can test the upgrade without risk and see if everything works as it should.
Also it might be wise to wait a bit and keep running sarge for some more weeks, so that others can test the upgrade, experience problems and document them here. Debian Edu sarge will receive continued support for some time in the future, but when Debian ceases support for sarge , Debian Edu will (have to) do that too. This is expected to happen in April 2008.
Please read this chapter completly before you start upgrading your systems.
In case of problems you could also read the releasenotes for Debian etch . (Debian Edu/Skolelinux "2.0 Terra" installed a 2.6 kernel as default, but if you are running a 2.4 kernel, you should read the notes on upgrading from kernel 2.4 to 2.6 before you upgrade!)
The main problem upgrading from the sarge-based Release to Terra is that the Partition Scheme changed completly. The sarge-based Release has two volume Groups:
But the etch based release has only 1 Volume Group due to internal changes of the Installer.
The main problem is that the vg_system volumegroup is quite small since the data in this partition is mostly static. When trying the upgrade on a virtual machine with an 8GB harddrive, the upgrade failed since it was not possible to free more space on the vg_sytem. Please note that you should have about 1,5GB free space on /var and about 600MB free space on /usr. If this is not the case the upgrade will fail because of too little free space on the device.
If you have enough space in the vg_system volumegroup but not in the lv_var partition, you have to resize this partition:
1.) Umount the /var partition, you 'll have to umount the /var/spool/squid partition for this to work, too:
/etc/init.d/squid stop umount /var/spool/squid umount -fl /var
e2fsck -f /dev/vg_system/lv_data
lvextend -L +1GB /dev/vg_system/lv_data
resize2fs /dev/vg_system/lv_data
mount /var mount /var/spool/squid /etc/init.d/squid start
Now modify /etc/apt/sources.list to contain these lines
deb http://ftp.debian.org/debian etch main deb http://security.debian.org/ etch/updates main deb http://ftp.skolelinux.org/skolelinux etch local
And start the upgrade with:
aptitude update aptitude dist-upgrade
Here we can give you some hints, what you should answer to the debconf question during the upgrade. But please note: This upgrade HowTo is based on a very plain fresh installation of an mainserver + terminalserver.
Which questions exactly raise up in addition to the ones described here depends on what is additionally installed on your system. (Additionally to what is installed as default in the sarge based Debian Edu release). So if there are any questions which you don't know how to answer, don't hesitate to ask us at the mailinglist (debian-edu@lists.debian.org ) or at IRC (irc.oftc.net): #debian-edu.
* Configure nagios-common.
Here you have to enter a password for the nagiosadmin user.
* Configure console-data
* Configure openssh-server
* Configure systat
* Configure popularity-contest
* Configure libnss-ldap
Change the prompt to: ldaps://ldap/
Change the prompt to: dc=skole,dc=skolelinux,dc=no
* Upgrade glibc now. Answer "yes".
* Restart Services. Answer "yes".
These are the debconf questions you will see if you have no additional packages installed.
Now the upgrade process will start to upgrade the packages.
Please note: You will be asked several times if you want to keep your old modified version of a configfile or if you want to get the latest. The default is to keep your modified one. Unless you really have modified something, please always choose: "Install the latest one".
The upgrade will fail with this error message:
Errors were encountered while processing: mozilla-firefox-locale-it mozilla-firefox-locale-el E: Sub-process /usr/bin/dpkg returned an error code (1)
To fix this you have to edit these two files: /var/lib/dpkg/info/mozilla-firefox-locale-it.postrm and /var/lib/dpkg/info/mozilla-firefox-local-el.postrm and comment out in both the line containing: update-mozilla-firefox-chrome . Then restart the upgrade process with:
apt-get -f install
Now the upgrade continues:
* Several Modified configuration files (nagios)
Then the installation failes another time:
Errors were encountered while processing: slapd E: Sub-process /usr/bin/dpkg returned an error code (1)
In order to fix this, rename this directory: /var/backups/dc=skole,dc=skolelinux,dc=no-2.2.23-8.ldapdb and since openldap now runs as user openldap (instead of as root) the permissions of the configuration files have to be changed:
chown -R openldap:openldap /etc/ldap/ apt-get -f install
Then the installation should finish without an error. Since now many packages are not upgrades please restart the dist-upgrade process again with:
aptitude dist-upgrade
The next error raising up is this one:
Errors were encountered while processing: /var/cache/apt/archives/courier-authlib-ldap_0.58-4_i386.deb E: Sub-process /usr/bin/dpkg returned an error code (1)
Please remove the package: courier-ldap with
aptitude remove courier-ldap
and wait until it is finished.Then restart the dist-upgrade process again.
If you have only the default packages installed the upgrade process should now finish without raising more errors.
The only remaining upgrade issue is that the user of bind9 has changed, so you'll have to chown all bind-configuration files.
chown bind:root -R /etc/bind
See #386791 for more information.
There has been a change in how samba handles groupmaps between sarge and etch. Samba in sarge handled groupmaps internally, so a unix group was also a samba group. In etch samba keeps groupmap information in the LDAP database. Unfortunatly this issue was discovered too late for our LDAP admin tool "lwat" to be aware of the situation.
When you upgrade your LDAP from a sarge installation, you must make sure to create the Domain Admins account, neccessary for correct samba domain operation. Create the Domain Admins account with the command:
/usr/bin/net groupmap add rid=512 unixgroup=admins \ type=domain ntgroup="Domain Admins" \ comment="All system administrators in the school"
If you want your Windows computers to be aware of what groups users are in, you must create the groupmaps in LDAP manually, this is explained in more detail in the HowTo/NetworkClients chapter of this manual.
Upgrades from the woody based Debian Edu / Skolelinux installation are not supported. Upgrade to the sarge based version first, a howto can be found at http://wiki.debian.org/DebianEdu/HowTo/UpgradeFrom1.0 . Then upgrade to Terrra (etch-based Release).
HowTos for general administriation
HowTos for the desktop
HowTos for networked clients
HowTos for teaching and learning
The Getting Started and Maintainance chapters describe how to get started with Debian Edu and how to do the basic maintainance work. The howtos in this chapter are already "advanced" tipps and tricks.
With the introduction of the debian-edu-etc-svk script in Debian Edu, all files in /etc/ are tracked using svk as a version control system. This make it possible to see when a file added, changed and removed, as well as what was changed if the file is a text file. The svk repository is stored in ~root/.svk/ .
This feature is activated automatically in the Etch based version of Debian Edu, and all changes done during installation are registered. Changes in /etc/ are commited every hour.
List of useful commands:
debian-edu-etc-svk diff debian-edu-etc-svk log debian-edu-etc-svk status debian-edu-etc-svk commit debian-edu-etc-svk ignore
In a freshly installed system try this to see all changes done since the system was installed:
debian-edu-etc-svk diff -r6 | less
To see the list of changes done in /etc/, use this command:
debian-edu-etc-svk log | less
To see the changes done to a specific file, specify the file:
debian-edu-etc-svk diff -r6 /etc/resolv.conf | less
To revert a change, use the diff command to look at the change, and edit the file to undo the change, or use a command like this to do it automatically:
( cd /etc && debian-edu-etc-svk diff -r6 /etc/resolv.conf | patch -p1 -R )
To manually commit a file, because you don't want to wait up to an hour:
debian-edu-etc-svk commit /etc/resolv.conf
If you don't want a specific file to be tracked in svk, you can tell to
ignore it. But this is rarely useful
debian-edu-etc-svk ignore /etc/path/to/file/to/be/ignored
/etc in svk was introduced with the etch based release of Debian Edu. If you installed your system prior to this, you need to initialize svk once with the following command run as root:
debian-edu-etc-svk init
This adds all files in /etc to svk and also activates the hourly commit cronjob.
Most partitions in Debian Edu are logical LVM volumes. Only the /boot/ partition is not. With the Debian/Etch release of Debian Edu, it is possible to extend partitions while they are mounted. This is a feature of the Linux kernel since version 2.6.10. Shrinking partitions still need to happen while the partition is unmounted.
It is a good idea to avoid creating very large partitions, as large partitions will take a long time to restore from backup if the need should arise, and file system check take a very long time for large partitions. A good limit can be 20 GiB. It is better, if possible, to create several smaller partitions than one very large one.
To make it easier to extend full partitions, the debian-edu-fsautoresize script is provided. When invoked, it reads the configuration from /usr/share/debian-edu-config/fsautoresizetab , /site/etc/fsautoresizetab and /etc/fsautoresizetab , and based on the rules provided in these files propose to extend partitions with too little free space. Without any arguments, it will only write the commands needed to extend the file system, and the argument -n is needed to actually extend the file systems.
Logical Volumne Management (LVM) enables resizing the partitions while they are mounted and in use. You can learn more about LVM in the LVM HowTo .
Since volatile.debian.org is a relativly new service, introduced with Debian Etch, it's not enabled on default installations.
Quoting from the webpage:
Since the volatile archive key is included in the debian-archive-keyring package, which is installed by default, you do not have to add this key manually to roots keyring anymore. Just add the following line to /etc/apt/sources.list :
deb http://volatile.debian.org/debian-volatile etch/volatile main
And run aptitude update && aptitude upgrade .
You are running Debian Edu, because you prefer the stability of Debian Edu. It runs great, there is just one problem: sometimes software is a little bit more outdated as you like. This is where backports.org steps in.
Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever it is possible) on a stable Debian distribution like Debian Edu. We recommend you to pick out single backports which fits your needs, and not to use all backports available there. Please follow the instructions on http://www.backports.org to use these backports.
You will need to add the backports.org archive key to root's gpg keyring, so that apt can use this repository securily . This is done by running these commands as root:
# install the debian-keyring securily: aptitude install debian-keyring # fetch the backports.org key insecurily: gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 16BA136C # check securily if the key is correct and add it to root's keyring if it is: gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C && gpg --export 16BA136C | apt-key add - # update the list of available packages: aptitude update
Then you can either use aptitude -t etch-backports install <packagename> to install or update packages once, or you can configure a package to be always installed from backports.org though /etc/apt/preferences which is described in the instructions on backports.org .
The second variant has the advantage, that updates to backports are installed automatically when they are available. With the first variant you need to update manually.
The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)
Two default profiles are included:
debian_edu_pupils (enabled for members of the students file group)
debian_edu_root (enabled for the root user and members of the admins file group)
Note: : modifications to the profiles can be done using kiosktool . However, unless you follow the step below, your changes will be overwritten by upgrades.
If you want to modify the kiosk profiles, you can either copy the existing ones and modify them, or create new kiosk profiles in (for example) /etc/kde3/kioskprofiles/ and enable them in /etc/kde-user-profile . The kiosk tool will do this for you if you click "profile properties" and browse to a new folder.
If you don't want to use kioskmode, disable it in /etc/kderc or /etc/kde-user-profile . (FIXME: in which of the two?!)
In Debian/Etch, the way to customize the kdm login screen was changed. Now, it is done by adding a file in /etc/default/kdm.d/ specifying variables to override the default.
Here is one example used to activate the theme in the desktop-base package:
USETHEME="true" THEME="/usr/share/apps/kdm/themes/debian-moreblue"
See the code in /etc/init.d/kdm for information on how these variables are used.
To install the Adobe Flash Player web browser plugin, install the flashplugin-nonfree debian package. It requires a working Internet connection and will download the precompiled binary from Adobe.
version 9.0.31.0.1 of the package do not work in
Etch. This is expected to be fixed in the near future. [2007-11-30]
An alternative is to install flashplayer-mozilla from debian-multimedia. It work with both konqueror and firefox.
To install newer version of flash, download correct deb-package from ftp://ftp.skolelinux.no/debian/pool/contrib/f/flashplugin-nonfree/ and install with dpkg -i <package-name> as root.
Warning : The
software you install has no trust path. Software installed with
apt-get is cryptographically signed to
ensure a trust path.
E.g. to install flashplugin for i386 architecture as root. Download via webbrowser or with wget:
wget ftp://ftp.skolelinux.no/debian/pool/contrib/f/flashplugin-nonfree/flashplugin-nonfree_9.0.48.0.2_i386.deb
If you previously installed flashplayer-mozilla, you must remove this first:
apt-get remove flashplayer-mozilla
Then install:
dpkg -i flashplugin-nonfree_9.0.48.0.2_i386.deb
If sound doesn't sound properly in thin clients when browsing certain pages (as youtube.com), it can be solved installing a package in the thin clients server. To do it, login as root in the server:
Warning : The
software you install has no trust path. Software installed with
apt-get is cryptographically signed to
ensure a trust path.
wget http://pulseaudio.vdbonline.net/libflashsupport/libflashsupport_1.0~2219-1_i386.deb
Then:
dpkg -i libflashsupport_1.0~2219-1_i386.deb
After adding the multimedia repository:
apt-get install mozilla-mplayer mozilla-acroread acroread-plugins
libdvdcss is needed for playing most commercial !DVDs. For legal reasons it's not included in Debian (Edu). If you are legally allowed to use it, you can use the packages from debian-multimedia.org.
To use www.debian-multimedia.org visit the homepage and find a mirror, or just add
deb http://debian-multimedia.org etch main
to your sources list. Eventually install key package for multimedia (debian-multimedia-keyring).
Install multimedia and dvd libraries
apt-get install libdvdcss2 w32codecs
Instructions on how to enable diskless workstations / stateless workstations / lowfat clients / half-thick clients are available from http://wiki.debian.org/DebianEdu/HowTo/LtspDisklessWorkstation
To make special adaptations and configurations for specific thinclients, you can edit the file /opt/ltsp/i386/etc/lts.conf . Have a look at /opt/ltsp/i386/usr/share/doc/ltsp-client/examples/lts.conf to see examples and what parameters you can specify.
The default values is defined under [default] , to configure one client, specify which client using the client mac adress or ipadress like this [192.168.0.10] .
Example: To make the thinclient ltsp010 use 1280x1024 resolution, add something like this:
[192.168.0.10] X_MODE_0 = 1280x1024 X_HORZSYNC = "60-70" X_VERTREFRESH = "59-62"
somewhere below the default settings.
Depending on what changes you make, it may be necessary to restart X on the client (by pressing alt+ctrl+backspace) or restart the client.
To use ipadresses in lts.conf you should add the client mac-address to your dhcp-server. Otherwise you should use the client mac-address directly in you lts.conf file.
It is possible to set up the clients to connect to one of several servers for load balancing. One way is listing several servers using LDM_SERVER in lts.conf . Another is by providing /opt/ltsp/i386/usr/lib/ltsp/get_hosts as a script printing one or more servers to connect to. In addition to this, each ltsp chroot need to include the ssh host key for each of the servers.
This feature was new in ltsp version
0.99debian12+0.0.edu.etch.8 to be included in 3.0r1.
If the client has sound hardware support and alsa is used (currently, this is the default sound system in Debian), module snd-pcm-oss should be loaded by the client hardware to assure esd can find /dev/dsp. If it's not done automatically, this line:
MODULE_01 = "snd-pcm-oss"
should be added to the server in the /opt/ltsp/i386/etc/lts.conf file.
For Windows clients the Windows domain "SKOLELINUX" is available to be joined. A special service called Samba, installed on the main-server tjener, enables Windows clients to store profiles and userdata and also authenticates the users during the login.
In order to make Windows clients join the domain some (few) steps are required:
1. Create a user with membership in the "admins" group (if not already existing)
In order to be able to join the "SKOLELINUX" domain a member of the admins group needs to authorize the process. If not yet existing a user with that membership needs to be added (for more information see <link to lwat docu>). The user "root" will not work, because there is no password for root in Samba.
2. Configure the Windows client as static host
When joining a samba domain some special data is stored on the domain controller (tjener). This data is needed to recognize the Windows client later as being allowed to authenticate users. In order to enable Samba to store this data, Samba requires an static host configuration to be present. This could be added by using the LWAT web interface (see also <link to lwat>). When adding the static host configuration it is important to check the "Samba host" option, otherwise will lack the required data to be able to join the domain.
3. On the Windows client: Make sure the network and system configuration matches the data stored on tjener (hostname and ip configuration)
4. Join the domain as usual using the user added in step 1.
Windows will sync the profile of domain users on every login and logout. Depending on how much data stored in the profile this could take some time. To minimize the time needed, one should deactivate things like local cache in browsers (you could use the squid proxycache installed on tjener instead) and save file into the H: volume instead of "Own files".
Groupmaps must also be added for any other user groups you add through lwat . If you want your user groups to be available in Windows eg for netlogon scripts or other group dependant actions, you can add them using variations of the following command. Samba will function without these groupmaps, but Windows machines won't be group aware.
/usr/bin/net groupmap add unixgroup=students \ type=domain ntgroup="students" \ comment="All students in the school"
Users bringing in their XP home laptop can still connect to Tjener using their skolelinux credentials, provided the workgroup is set to SKOLELINUX. However, they may need to disable the windows firewall before Tjener will appear in Network Neighbourhood (or whatever its called now).
Roaming profiles contain user work environments, which include the desktop items and settings. Some examples of these environments are personal files, desktop icons, screen colors, mouse settings, window size and position, application configurations and network and printer connections. Roaming profiles are available wherever the user logs on, provided the server is available.
Since the profile is copied from the server to the machine during logon, and copied back to the server during logout. A large profile can make windows login/logout painfully slow. There can be many reasons for a large profile, but the most common problems is that users save their files on the windows desktop or in my documents instead of in their homedir. Also some badly designed programs use the profile for scratch space, and other data.
The educational approach One way to deal with to large profiles is to explain the situation for the users. tell them not to store huge files on the desktop and if they fail to listen it's their own fault when login is slow.
Tweaking the profile A different way to deal with the problem is to remove parts of the profile, and redirect other parts to regular file storage. This moves the work load from the users to the administrator, while adding the complexity of the installation. There are atlest three ways to edit the parts that are removed from the roaming profile.
you can edit the machines policy and copy it to all other computers.
under the selection User Configuration -> Administrative Templates -> System -> User Profiles -> Exclude directories in roaming profile, you can enter a semicolon separated string of directories to exclude from the profile, the directories are internationalize and must be written in your own language the way they are in the profile. Example of directories to exclude are
Copy c:\windows\system32\GroupPolicy to all other windows machines.
By using the windows policy editor (poledit.exe), you can can create a Policy file (NTConfig.pol) file and put it in your netlogon share on tjener. This would have the advantage of working almost instantly on all machines. But is unfortunatly not as easy as it sounds. And you can quite easily lock yourself out of your windows machines. If you have experience with this please elaborate here... FIXME
You can edit the registry of the local computer, and copy this registry key to other computers
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Use the menu Edit menu->New->String Value .
Call it ExcludeProfileDirs
Now you can choose to export this registry key as a .reg file, Mark a selection, right click and select export. Save the file and you can double click it, or add it to a script to spread it to other machines.
Sources:
Sometimes just removing the directory from the profile is not enough. You may experience that users loose files because they mistakenly save things into my documents, when this is not saved in the profiles. Also you may want to redirect the directories some badly programed applications use to normal network shares.
Everything under Using machine policies above applies. You edit using gpedit.msc and copy the Policy to all machines The redirection should be available under User Configuration -> Windows Settings->Folder Redirection Things that can be nice to redirect are Desktop or My Documents.
One thing to remember is that if you enable folder redirection, those folders are automatically added to the syncroniced folders list. If you do not want this, you should also disable that in following
User Configuration -> Administrative Templates -> Network -> Offline Files
Computer Configuration -> Administrative Templates -> Network -> Offline Files
Using local policies you can disable roaming profile on individual machines. This is often wanted on special machines, for instance on dedicated machines, or machines that have lower then usual bandwith.
You can use the machine policy method describe above, the key is in
Administrative Templates -> system -> User Profiles -> Only allow local profiles
By editing the samba config you can disable roaming profiles for the entire network. Perhaps everyone have their own dedicated machine? and nobody else is allowed to touch it. To disable the roaming profiles for the entire network you can alter the smb.conf file on tjener and unset the logon path and logon home variables, and restart samba.
logon path = "" logon home = ""
Some municipalities provide a remote desktop solution so that students and teachers can access Skolelinux from their home computer running Windows, Mac or Linux.
RDP - the easiest way to access Windows terminal server. Just install the rdesktop package.
VNC client (Virtual Network Computer) gives access to Skolelinux remotely. Just install the xvncviewer package.
Citrix ICA client HowTo to access Windows terminal server from Skolelinux.
The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)
Run aptitude install moodle as root to install moodle.
Some schools in France use moodle to keep track of students' facilities and credit points. FIXME: more examples, etc.
Some schools use control tools like Controlaula or Italc to supervise their students. FIXME: explain how to install and use it.
apt-get install italc
Warning : monitoring
humans might be unethical and illegal in your jurisdiction.
Some schools use squidguard or dansguardian to restrict internet access. FIXME: explain how to install and use it.
Warning :
restricting access to information or freedom of speech might be unethical
and illegal in your jurisdiction.
swi-prolog was available in sarge, but was not part of etch. But you can just install the version from sarge on a etch system.
Warning : The
software you install has no trust path. Software installed with
apt-get is cryptographically signed to
ensure a trust path.
# swi-prolog depends on libreadline4, also not in etch wget http://ftp.de.debian.org/debian/pool/main/r/readline4/libreadline4_4.3-11_i386.deb dpkg -i libreadline4_4.3-11_i386.deb wget http://ftp.de.debian.org/debian/pool/main/s/swi-prolog/swi-prolog_5.2.13-1_i386.deb dpkg -i swi-prolog_5.2.13-1_i386.deb
swi-prolog-doc is part of etch
The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)
http://wiki.debian.org/DebianEdu/HowTo/TeacherFirstStep - incomplete but interesting
There are Debian Edu users all over the world. A very easy form of
contribution is to let us know you exist and use Debian Edu - this motivates
us very much and therefore is already a valuable
contribution.
The Debian Edu projects provide a database of schools and users of the system to help the users find each other, and also to have an idea about where the users of the distribution are located. Please let us know about your installation, by registering in this database. To register your school, use this web form .
Currently there are local teams in Norway, Germany, France and in the region of Extremadura in Spain. "Isolated" contributors and users exist in Greece, the Netherlands, Japan and elsewhere.
The support chapter explains and links to localized ressources, as contribute and support are two sides of the same coin.
Internationally we are organized in different teams working on different subjects.
The developer mailing list is most of the time our main medium for communication, though we have monthly meetings on IRC on #debian-edu on irc.debian.org and less frequently even real gatherings, where we meet each other in person.
A good way to learn what is happening in the development of Debian Edu is to subscribe to the commit mailinglist .
This document needs your help! First and foremost, it is not finished yet: If you read it, you will notice various FIXMEs within the text. If you happen to know (a bit of) what needs to be explained there, please consider sharing your knowledge with us.
The source of the text is a wiki and can be edited with a simple webbrowser. Just go to http://wiki.skolelinux.no/DebianEdu/Documentation/Etch/ and you can contribute easily. Note: An user account is needed to edit the pages, you need to create a wiki user first.
1
Another very good way to contribute and to help users is by translating software and documentation. Information how to translate this document can be found in the translation chapter of this book. Please consider to help the translation effort of this book!
1 We use wiki.skolelinux.no because the version of moinmoin on wiki.debian.org does not support exporting the wiki as docbook . Once it is upgraded, we will move this document over.
https://init.linpro.no/mailman/skolelinux.no/listinfo/admin-discuss - support mailing list
#debian-edu on irc.debian.org - IRC channel, mostly development related, do
not expect real time support even though it frequently happens
https://init.linpro.no/mailman/skolelinux.no/listinfo/bruker - support mailing list
https://init.linpro.no/mailman/skolelinux.no/listinfo/linuxiskolen - mailinglist for the development member organisation in Norway (FRISK)
http://www.skolelinux.de/mailman/listinfo/user - support mailing list
http://wiki.skolelinux.de - wiki with lots of HowTos etc.
Lists of companies providing professional support are available from http://wiki.debian.org/DebianEdu/Help/ProfessionalHelp .
This document is written and copyrighted 2007 by Holger Levsen, Petter Reinholdtsen, Daniel Heß, Patrick Winnertz, Knut Yrvin, Ralf Gesellensetter, Ronny Aasen, Morten Werner Forsbring and José L. Redrejo Rodríguezis released under the GPL2 or any later version. Enjoy!
wenn Sie Inhalte hinzufügen, bitte nur, wenn Sie auch dessen Autor sind und beabsichtigen, es unter den gleichen Bedingungen zu lizensieren.! Dann fügen Sie hier Ihren Namen hinzu und lizensieren Sie es unter der GPL2 oder einer späteren Version.
The spanish translation is copyrighted 2007 by José L. Redrejo Rodríguez and is released under the GPL2 or any later version.
The norwegian Bokmål translation is copyrighted 2007 by Petter Reinholdtsen and Håvard Korsvoll and is released under the GPL2 or any later version.
The german translation is copyrighted 2007 by Holger Levsen, Patrick Winnertz, Ralf Gesellensetter, Roland F. Teichert and Jürgen Leibner and is released under the GPL2 or any later version.
The italian translation is copyrighted 2007 by Claudio Carboncini and is released under the GPL2 or any later version.
Fully translated versions of this document are not yet available. Incomplete translations for Norwegian Bokmål, Spanish and German exist.
Translations of this document are kept in .po files like in many free software projects, read usr/share/doc/debian-edu-doc/README.release-manual-translations for more information on this. Please read also read this, if you want to start/help translating this document.
To commit your translations you need to be a member of the alioth project debian-edu . To translate, you just need to check out some files from from svn (which can be done anonymously), create patches and send those to [debian-edu@lists.debian.org ].
You can checkout the debian-edu-doc source anonymously with the following command (you need to have the subversion package installed for this to work):
svn co svn://svn.debian.org/svn/debian-edu/trunk/src/debian-edu-doc
Then edit the documentation/release-manual/release-manual.$CC.po (where you replace $CC with your language code). There are many tools for translating available, we suggest to use kbabel .
Then you either commit the file directly to svn (if you have the rights to do so) or send the file to the mailinglist.
To update your local copy of the repository use the following command inside the debian-edu-doc directory:
svn up
Read /usr/share/doc/debian-edu-doc/README.release-manual-translations to find information how to create a new .po file for your language if there is none yet, and how to update translations.
Please report any problems.
Note to translators: there is no need to translate the GPL license text.
Copyright (C) 2007 Holger Levsen < holger@layer-acht.org > and others, see the Copyright chapter for the full list of copyright owners.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
To activate a specific translation, boot using locale=ll_CC.UTF-8 as a boot option, where ll_CC.UTF-8 is the locale name you want. To aciviate a given keyboard layout, use the keyb=KB option where KB is the wanted keyboard layout. More information on this feature is available from the live cd build script documentation . Here is a list of commonly used locale codes:
Table 3.
Language (Region) |
Locale value |
Keyboard layout |
Norwegian Bokmål |
nb_NO.UTF-8 |
no |
Norwegian Nynorsk |
nn_NO.UTF-8 |
no |
German |
de_DE.UTF-8 |
de |
French (France) |
fr_FR.UTF-8 |
fr |
Greek (Greece) |
el_GR.UTF-8 |
el |
Japanese |
ja_JP.UTF-8 |
jp |
Northern Sami (Norway) |
se_NO |
no(smi) |
A complete list of locale codes is available in /usr/share/i18n/SUPPORTED , but only the UTF-8 locales are supported by the live images. Not all locales have translations installed, though. The keyboard layout names can be found in /usr/share/keymaps/i386/.
The image is 1.2 GiB and available using FTP , HTTP or rsync from ftp.skolelinux.org at cd-etch-live/.