[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Thoughts on roaming laptop setup for Debian Edu

For some years now, I have wondered how we should handle laptops in
Debian Edu. The Debian Edu infrastructure is mostly designed to handle
stationary computers, and less suited for computers that come and go.

Now I finally believe I have an sensible idea on how to adjust Debian
Edu for laptops, by introducing a new profile for them, for example
called Roaming Workstations. Here are my thought on this. The setup
would consist of the following:

  * During installation, the user name of the owner / primary usre of
    the laptop is requested and a local home directory is set up for
    the user, with uid and gid information fetched from the LDAP
    server. This allow the user to work also when offline. The central
    home directory can be available in a subdirectory on request, for
    example mounted via CIFS. It could be mounted automatically when a
    user log in while on the Debian Edu network, and unmounted when
    the machine is taken away (network down, hibernate, etc), it can
    be set up to do automatic mounting on request (using autofs), or
    perhaps some GUI button on the desktop can be used to access it
    when needed. Perhaps it is enough to use the fish protocol in KDE?

  * Password checking is set up to use LDAP or Kerberos authentication
    when the machine is on the Debian Edu network, and to cache the
    password for offline checking when the machine unable to reach the
    LDAP or Kerberos server. This can be done using libpam-ccreds or
    the Fedora developed System Security Services Daemon packages.

  * File synchronisation with the central home directory is set up
    using a shared directory in both the local and the central home
    directory, using unison.

  * Printing should be set up to print to all printers broadcasting
    their existence on the local network, and should then work out of
    the box with CUPS. For sites needing accurate printer quotas, some
    system with Kerberos authentication or printing via ssh could be

  * For users that should have local root access to their laptop, sudo
    should be used to allow this to the local user.

  * It would be nice if user and group information from LDAP is cached
    on the client, but given that there are entries for the local user
    and primary group in /etc/, it should not be needed.

I believe all the pieces to implement this are in Debian/testing at
the moment. If we work quickly, we should be able to get this ready in
time for the Squeeze release to freeze. Some of the pieces need
tweaking, like libpam-ccreds should get support for pam-auth-update
(#566718) and nslcd (or perhaps debian-edu-config) should get some
integration code to stop its daemon when the LDAP server is
unavailable to avoid long timeouts when disconnected from the net. If
we get Kerberos enabled, we need to make sure we avoid long timeouts
there too.

Happy hacking,
Petter Reinholdtsen

Reply to: