
Re: Thoughts on roaming laptop setup for Debian Edu

On Wed, 28-04-2010 at 20:43 +0200, Petter Reinholdtsen wrote:
> For some years now, I have wondered how we should handle laptops in
> Debian Edu. The Debian Edu infrastructure is mostly designed to handle
> stationary computers, and less suited for computers that come and go.
> Now I finally believe I have a sensible idea on how to adjust Debian
> Edu for laptops, by introducing a new profile for them, for example
> called Roaming Workstations. Here are my thoughts on this. The setup
> would consist of the following:

Hi, as I have had the same problems (in Spain, present and future
deployments are being done using laptops in all the regions), I'll give
you, inline, the solutions I have been using since the beginning of the
current school year. Maybe some of them can be useful.

>   * During installation, the user name of the owner / primary user of
>     the laptop is requested and a local home directory is set up for
>     the user, with uid and gid information fetched from the LDAP
>     server. This allows the user to work also when offline. The central
>     home directory can be available in a subdirectory on request, for
>     example mounted via CIFS. It could be mounted automatically when a
>     user logs in while on the Debian Edu network, and unmounted when
>     the machine is taken away (network down, hibernate, etc), it can
>     be set up to do automatic mounting on request (using autofs), or
>     perhaps some GUI button on the desktop can be used to access it
>     when needed. Perhaps it is enough to use the fish protocol in KDE?

We're using pam_mkhomedir, so the installation is the same for all the
laptops, never mind the end user of it. Then, at the school, when the
laptop is given to the teacher/student, he must log in at least once on
the network, so the LDAP credentials are fetched, his home is created on
the disk, and we're also using a script that assigns the user's login
name to the laptop as its hostname. This is useful for locating the
laptops on the network later.

>   * Password checking is set up to use LDAP or Kerberos authentication
>     when the machine is on the Debian Edu network, and to cache the
>     password for offline checking when the machine is unable to reach the
>     LDAP or Kerberos server. This can be done using libpam-ccreds or
>     the Fedora developed System Security Services Daemon packages.

I've made a small development with two parts: a server announcement and
an agent on the laptops. The NFS servers announce themselves on the
network using avahi, together with the mount points of the shares. The
client agent on the laptops detects that announcement and mounts the
shares when available. So at the school they have access to the NFS
servers and at home they don't.

The home is on the laptop; the NFS directories are only used for sharing
files between students, classrooms or departments at the school.

>   * File synchronisation with the central home directory is set up
>     using a shared directory in both the local and the central home
>     directory, using unison.

This is not scalable when hundreds of users are logged in.

>   * Printing should be set up to print to all printers broadcasting
>     their existence on the local network, and should then work out of
>     the box with CUPS. For sites needing accurate printer quotas, some
>     system with Kerberos authentication or printing via ssh could be
>     implemented.
>   * For users that should have local root access to their laptop, sudo
>     should be used to allow this to the local user.

We have removed root access for the users. Only root access via ssh
from some special machines in the school is allowed. So only a few
people can access the laptops as root, and only from a very few machines.

>   * It would be nice if user and group information from LDAP is cached
>     on the client, but given that there are entries for the local user
>     and primary group in /etc/, it should not be needed.

We're caching them; pam_ccreds works perfectly with it.

> I believe all the pieces to implement this are in Debian/testing at
> the moment. If we work quickly, we should be able to get this ready in
> time for the Squeeze release to freeze. Some of the pieces need
> tweaking, like libpam-ccreds should get support for pam-auth-update
> (#566718) and nslcd (or perhaps debian-edu-config) should get some
> integration code to stop its daemon when the LDAP server is
> unavailable to avoid long timeouts when disconnected from the net. If
> we get Kerberos enabled, we need to make sure we avoid long timeouts
> there too.

When laptops are used, there are more things involved. Wireless is
important too, and using a network daemon is very important to allow
the user to connect at home, or at any other place, without problems.
We're using wicd because it is very flexible and has some very useful
hooks that allow us to masquerade the MACs, so the laptops have the same
MAC address whether they connect wirelessly or by cable.
We're also preparing a freeradius setup using the same LDAP schema, for
the wifi access at schools.

Also, puppet or cfengine or any other daemon that depends on the network
being available at boot is affected when roaming profiles are used.

José L.
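The mkhomedir and pam_ccreds setup José describes above turns on a PAM ordering that is easy to get wrong: the cached credential must only be consulted when the LDAP server is unreachable, and an explicit LDAP failure must invalidate the cache, or a password changed or disabled centrally keeps working on the laptop. The fragment below is an added illustration of that ordering in Debian's common-auth/common-session layout; it is not the configuration from the thread, and the module options (nullok_secure, skel, umask) are assumptions for a typical Debian laptop.

```text
# /etc/pam.d/common-auth (added example, not the poster's configuration)
# Order: local accounts first; then LDAP. If LDAP is unreachable, fall
# through to the cached credential; on LDAP success, refresh the cache;
# on an explicit LDAP failure, invalidate the cache and fail.
auth    sufficient                                      pam_unix.so nullok_secure
auth    [authinfo_unavail=ignore success=1 default=2]   pam_ldap.so use_first_pass
auth    [default=done]                                  pam_ccreds.so action=validate use_first_pass
auth    [default=done]                                  pam_ccreds.so action=store
auth    [default=bad]                                   pam_ccreds.so action=update

# /etc/pam.d/common-session: create the local home on the first (networked)
# login, as the poster describes, instead of at install time.
session required    pam_unix.so
session required    pam_mkhomedir.so skel=/etc/skel umask=0022
```

Two checks worth making on a laptop built this way: log in once on the school network, then unplug and log in again to confirm the cached path works; and change the user's LDAP password, log in once online with the new one, and confirm the old password is rejected offline. The cache holds password hashes in a root-owned database under /var/cache, so a laptop without disk encryption hands those hashes to whoever steals it.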
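The avahi-based server announcement and laptop agent José describes above is easy to sketch, and the one thing a practitioner should add to it is a check on who is announcing: mDNS is unauthenticated, so a laptop at home or on a cafe network will happily hear a rogue _nfs._tcp announcement. The script below is an added example, not the poster's agent. It parses the parsable output of `avahi-browse -rtp _nfs._tcp` (a constructed sample is embedded), keeps only resolved records whose TXT record carries a `path=` entry and whose address lies in the school range, and turns them into mount plans. The service type, the `path=` TXT key and the 10.0.0.0/8 school range are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal roaming-laptop agent that
# turns avahi NFS announcements into mount plans, dropping announcers that
# are not on the school network.

# Constructed sample of `avahi-browse -rtp _nfs._tcp` output. '+' lines are
# bare discoveries; '=' lines are resolved: host, address, port, TXT record.
# The _nfs._tcp type and the "path=" TXT key are assumed conventions.
SAMPLE_BROWSE='+;wlan0;IPv4;srv1-shared;_nfs._tcp;local
=;wlan0;IPv4;rogue;_nfs._tcp;local;rogue.local;203.0.113.9;2049;"path=/export/shared"
=;wlan0;IPv4;srv3-nopath;_nfs._tcp;local;srv3.local;10.0.5.3;2049;"txtvers=1"
=;wlan0;IPv4;srv1-shared;_nfs._tcp;local;srv1.local;10.0.5.1;2049;"path=/export/shared"
=;wlan0;IPv4;srv2-dept;_nfs._tcp;local;srv2.local;10.0.5.2;2049;"txtvers=1" "path=/export/dept"'

# txt_path TXT: print the value of the "path=" key from an avahi TXT field
# (space-separated, double-quoted key=value items; paths with spaces are
# not supported). Prints nothing when the key is absent.
txt_path() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^"path=\(.*\)"$/\1/p' | head -n 1
}

# plan_mounts PREFIX: read avahi-browse -p lines on stdin and print one
# "ADDR:PATH MOUNTPOINT" line per usable share. Records whose address does
# not start with PREFIX are dropped, so a rogue announcer on a home or cafe
# network cannot get a share mounted. Mount point is /net/<service name>.
plan_mounts() {
    prefix=$1
    while IFS=';' read -r kind iface proto name stype domain host addr port txt; do
        [ "$kind" = "=" ] || continue                 # skip unresolved '+'/'-' lines
        case "$addr" in "$prefix"*) ;; *) continue ;; esac
        path=$(txt_path "$txt")
        [ -n "$path" ] || continue                    # announcement without a path
        printf '%s:%s /net/%s\n' "$addr" "$path" "$name"
    done
}

# mount_planned: apply a plan from stdin on a real laptop. Not executed in
# this dry run; needs root, nfs-common and the school network. Mounted
# targets are skipped so the agent can be re-run on every network change.
mount_planned() {
    while read -r src mp; do
        mkdir -p "$mp"
        mountpoint -q "$mp" || mount -t nfs -o soft,nosuid,nodev "$src" "$mp"
    done
}

# Dry run against the constructed sample. A real agent would instead run:
#   avahi-browse -rtp _nfs._tcp | plan_mounts 10.0. | mount_planned
printf '%s\n' "$SAMPLE_BROWSE" | plan_mounts 10.0.
```

The address filter is a cheap check, not authentication: on the school LAN anyone who can send multicast can still announce a share. Using Kerberos-secured NFS (sec=krb5) or at least restricting the agent to interfaces authenticated by the freeradius/802.1X setup José mentions closes that gap; nosuid and nodev keep a mounted share from carrying setuid binaries or device nodes onto the laptop.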

