Re: Thoughts on roaming laptop setup for Debian Edu
[José L. Redrejo Rodríguez]
> Hi, as I have had the same problems (in Spain, present and future
> deployments are being done using laptops in all the regions), I'll give
> you inline the solutions I'm using since the beginning of the present
> school year. Maybe some of them can be useful.
Very useful indeed. :)
>> * During installation, the user name of the owner / primary user of
>> the laptop is requested and a local home directory is set up for
>> the user, with uid and gid information fetched from the LDAP
>> server. This allows the user to work also when offline. The central
>> home directory can be available in a subdirectory on request, for
>> example mounted via CIFS. It could be mounted automatically when a
>> user logs in while on the Debian Edu network, and unmounted when
>> the machine is taken away (network down, hibernate, etc), it can
>> be set up to do automatic mounting on request (using autofs), or
>> perhaps some GUI button on the desktop can be used to access it
>> when needed. Perhaps it is enough to use the fish protocol in KDE?
> We're using pam mkhomedir, so the installation is the same for all
> the laptops, never mind the end user of it. Then, at the school,
> when the laptop is given to the teacher/student, he must log in at
> least once in the network, so the LDAP credentials are fetched, his home
> is created on the disk and we're also using a script that assigns
> the login name of the user to the laptop hostname. This is useful to
> locate the laptops in the net later.
Very good idea, but I did not quite like the fact that the home
directory on the laptop ends up with a path indicating a location on a
different machine. I got /skole/tjener/home0/<username> (tjener is
the host where the directory is located). I would prefer it if the
home directory ended up being /home/<username> on the laptop, to make
it obvious from the path that it is not the remote location. No idea
how to do that with mkhomedir. Would probably have to rewrite the
fetched LDAP information to make that happen.
> I've made a small development with two parts: a server announcement
> and an agent in the laptops. The nfs servers announce themselves
> using avahi to the net, and the mounting point of the shares. The
> client agent at the laptops detects that announcement and mounts the
> shares when available. So at the school they have access to the nfs
> servers and at home they don't.
This sounds like something we could use in the official Debian Edu
packages as well. What is the URL to the source?
> The home is at the laptop, the nfs dirs are only used for sharing
> files between students, classrooms or departments at the school.
Right. That might be a challenge, as long as we use NFS and use IP
based access lists.
>> * File synchronisation with the central home directory is set up
>> using a shared directory in both the local and the central home
>> directory, using unison.
> This is not scalable when hundreds of users are logged in.
What is the bottleneck?
>> * For users that should have local root access to their laptop, sudo
>> should be used to allow this to the local user.
> We have removed root access for the users. Only root access via
> ssh from some special machines in the school is allowed. So, only a
> few people can access the laptops as root, and from a very few
Probably a good idea. If all users can log in via ssh, they will get
home directories created automatically, and that is not really the
intention. Perhaps mkhomedir should be disabled after the first user
>> * It would be nice if user and group information from LDAP is cached
>> on the client, but given that there are entries for the local user
>> and primary group in /etc/, it should not be needed.
> we're caching them, pam_ccreds works perfectly with it.
How are you caching the user and group info? Are you using nscd for
this, and if that is the case, how did you change /etc/nscd.conf?
I've reported <URL: http://bugs.debian.org/485282 > to try to have the
defaults changed, but no luck for the last 2 years.
> When laptops are used, there are more things involved. Wireless is
> important too, and using a network daemon is very important to
> allow the user to connect at home, or at any other place without
> problems. We're using wicd because it is very flexible and has some
> very useful hooks that allow us to masquerade the MACs, so the laptops
> have the same MAC address when connecting wirelessly or with a cable.
> We're also preparing a freeradius setup using the same ldap scheme,
> for the wifi access at schools.
Yeah. Should probably install that or network-manager or something to
get that functionality.
> Also, puppet or cfengine or any other daemon depending on the
> network being available at boot is affected when roaming profiles
> are used.
Absolutely. We are not there, though. :(
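As an added example (not code from this thread, and not José's announcement/agent software, whose source is not on this page): the client side of the avahi-based scheme discussed above, in Python, run over constructed `avahi-browse -rtp _nfs._tcp` output. The trusted-host list, the mount root and the mount options are assumptions. The check a practitioner would want is the one a naive agent skips: mDNS announcements are unauthenticated, so any machine on the school wifi can announce itself as an NFS server, and the TXT record it announces is attacker-controlled. The agent therefore only acts on announcements from an allowlisted host and rejects export paths that could be used for traversal or to smuggle arguments into the mount command line.

```python
"""Roaming-laptop agent: turn avahi NFS announcements into safe mount commands.

Added example, not from the Debian Edu thread. Parses the parsable output of
`avahi-browse -rtp _nfs._tcp` and decides which shares to mount.
"""
import posixpath
import re
import shlex
from dataclasses import dataclass

# Constructed sample of `avahi-browse -rtp _nfs._tcp` output on a school LAN.
# "+" lines announce a service, "=" lines are the resolved records with
# host, address, port and TXT entries. The fourth record is a laptop posing
# as the home server; the fifth is a misconfigured export on a real server.
SAMPLE_AVAHI_OUTPUT = """\
+;wlan0;IPv4;tjener-nfs;_nfs._tcp;local
=;wlan0;IPv4;tjener-nfs;_nfs._tcp;local;tjener.local;10.0.2.2;2049;"path=/skole/tjener/home0"
=;wlan0;IPv4;classroom1;_nfs._tcp;local;fileserver.local;10.0.2.10;2049;"path=/srv/share/classroom1" "txtvers=1"
=;wlan0;IPv4;tjener-nfs;_nfs._tcp;local;laptop-mallory.local;10.0.2.99;2049;"path=/srv/share"
=;wlan0;IPv4;broken;_nfs._tcp;local;fileserver.local;10.0.2.10;2049;"path=/srv/share/../../etc"
"""

# Assumptions: the servers the school operates, where local mount points
# live, and the NFS options. "soft" keeps a vanished server from hanging the
# laptop; nosuid/nodev because the export is written to by other students.
TRUSTED_SERVERS = {"tjener.local", "fileserver.local"}
MOUNT_ROOT = "/mnt/net"
MOUNT_OPTS = "nosuid,nodev,soft"

# A plain absolute path: non-empty segments of a conservative character set.
_SAFE_EXPORT = re.compile(r"/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+")


@dataclass(frozen=True)
class NfsShare:
    name: str
    host: str
    address: str
    port: int
    export: str


def parse_avahi(output: str) -> list[NfsShare]:
    """Extract resolved _nfs._tcp records; the export path comes from TXT."""
    shares = []
    for line in output.splitlines():
        if not line.startswith("="):
            continue  # only resolved records carry host, port and TXT
        fields = line.split(";", 9)  # TXT is the last field and may hold ';'
        if len(fields) != 10:
            continue
        _, _iface, _proto, name, service, _domain, host, address, port, txt = fields
        if service != "_nfs._tcp":
            continue
        txt_items = dict(item.split("=", 1) for item in shlex.split(txt) if "=" in item)
        export = txt_items.get("path")
        if export is None:
            continue
        shares.append(NfsShare(name, host, address, int(port), export))
    return shares


def is_safe_export(export: str) -> bool:
    """Reject anything but a plain absolute path: '.'/'..' segments, empty
    segments, whitespace and shell metacharacters would otherwise reach the
    mount point or the mount command line."""
    if not _SAFE_EXPORT.fullmatch(export):
        return False
    return all(seg not in (".", "..") for seg in export.split("/")[1:])


def mount_plan(shares, trusted=TRUSTED_SERVERS):
    """Return (accepted, rejected): accepted is a list of (mountpoint, command),
    rejected a list of (host, reason) explaining every announcement skipped."""
    accepted, rejected = [], []
    for s in shares:
        if s.host not in trusted:
            rejected.append((s.host, "host not in allowlist"))
            continue
        if not is_safe_export(s.export):
            rejected.append((s.host, f"unsafe export path {s.export!r}"))
            continue
        short_host = s.host.removesuffix(".local")
        mountpoint = f"{MOUNT_ROOT}/{short_host}/{posixpath.basename(s.export)}"
        cmd = ["mount", "-t", "nfs", "-o", f"{MOUNT_OPTS},port={s.port}",
               f"{s.host}:{s.export}", mountpoint]
        accepted.append((mountpoint, shlex.join(cmd)))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = mount_plan(parse_avahi(SAMPLE_AVAHI_OUTPUT))
    for _mountpoint, command in accepted:
        print(command)
    for host, reason in rejected:
        print(f"skipped {host}: {reason}")
```

The allowlist only narrows the problem: a rogue laptop can also claim the trusted mDNS hostname, and as noted above the NFS servers trust client IP addresses in the same way. Neither side authenticates the other, so the agent should be seen as a convenience for choosing when to mount, not as access control; that still has to come from the export's access list or from an authenticated NFS flavour.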