On Thu, 29-04-2010 at 15:14 +0200, Petter Reinholdtsen wrote:
> [José L. Redrejo Rodríguez]
> > Hi, as I have had the same problems (in Spain, present and future deployments are being done using laptops in all the regions), I'll give you inline the solutions I'm using since the beginning of the current school year. Maybe some of them can be useful.
>
> Very useful indeed. :)
>
> >> * During installation, the user name of the owner / primary user of the laptop is requested and a local home directory is set up for the user, with uid and gid information fetched from the LDAP server. This allows the user to work also when offline. The central home directory can be available in a subdirectory on request, for example mounted via CIFS. It could be mounted automatically when a user logs in while on the Debian Edu network, and unmounted when the machine is taken away (network down, hibernate, etc), it can be set up to do automatic mounting on request (using autofs), or perhaps some GUI button on the desktop can be used to access it when needed. Perhaps it is enough to use the fish protocol in KDE?
> >>
> >
> > We're using pam mkhomedir, so the installation is the same for all the laptops, never mind the end user of it. Then, at the school, when the laptop is given to the teacher/student, he must log in at least once in the network, so LDAP credentials are fetched, his home is created on the disk and we're also using a script that assigns the login name of the user to the laptop hostname. This is useful to locate the laptops in the net later.
>
> Very good idea, but I did not quite like the fact that the home directory on the laptop ends up with a path indicating a location on a different machine. I got /skole/tjener/home0/<username> (tjener is the host where the directory is located).
> I would prefer it if the home directory ended up being /home/<username> on the laptop, to make it obvious from the path that it is not the remote location. No idea how to do that with mkhomedir. Would probably have to rewrite the fetched LDAP information to make that happen.

mmm, I got /home0/username, not the server info. Maybe the home information is different in our LDAP servers.

>
> > I've made a small development with two parts: a server announcement and an agent in the laptops. The NFS servers announce themselves using avahi to the net, and the mounting point of the shares. The client agent at the laptops detects that announcement and mounts the shares when available. So at the school they have access to the NFS servers and at home they don't.
>
> This sounds like something we could use in the official Debian Edu packages as well. What is the URL to the source?
>

http://desarrollo.educarex.es/linex/projects/linexcolegios2010/repository/show/zeroconf-services

The file ServicesConfig.py has a self-explanatory config file example to show how it works. All the code has comments in English, so it's not hard to follow it. There is a brief description of its targets at:
http://desarrollo.educarex.es/linex/projects/linexcolegios2010/wiki/Zeroconf
in perfect Spanish ;)

The application is intended to do more things from the servers to the clients: announce disk cloning, NFS shares, desktop icons and jclic libraries. Currently only NFS shares are implemented and used in production. Disk cloning is tested and works with lenny, but doesn't work in squeeze due to the new grub setup.

> > The home is at the laptop, the NFS dirs are only used for sharing files between students, classrooms or departments at the school.
>
> Right. That might be a challenge, as long as we use NFS and use IP based access lists.
>
> >> * File synchronisation with the central home directory is set up using a shared directory in both the local and the central home directory, using unison.
> >>
> >
> > this is not scalable when hundreds of users are logged in.
>
> What is the bottleneck?
>

With hundreds of users there are two bottlenecks: CPU consumption in the server when doing the rsync, and bandwidth to the server. It's very common at schools for classes to begin at the same time, so the students switch the computer on and off around the same time. That's a really big concurrency for the school network in our case.

> >> * For users that should have local root access to their laptop, sudo should be used to allow this to the local user.
> >>
> >
> > We have removed the root access for the users. Only root access via ssh from some special machines in the school is allowed. So, only a few people can access the laptops as root, and from very few machines.
>
> Probably a good idea. If all users can log in via ssh, they will get home directories created automatically, and that is not really the intention. Perhaps mkhomedir should be disabled after the first user is created?

We do have such an intention: currently not all the teachers have a laptop, in some departments there are two or three laptops for five or more teachers. Now any laptop can be shared by more than one teacher. Until we get a 1x1 setup, this is useful. Students and teachers don't use (most of them don't even know) ssh, and in the worst case we would end up having some empty home directories created on the laptops, which have much more spare disk space than needed. So for us, the benefits of being able to share the laptops are greater than the problems ssh access can cause in some cases.

>
> >> * It would be nice if user and group information from LDAP is cached on the client, but given that there are entries for the local user and primary group in /etc/, it should not be needed.
> >
> > we're caching them, pam_ccreds works perfectly with it.
>
> How are you caching the user and group info? Are you using nscd for this, and if that is the case, how did you change /etc/nscd.conf? I've reported <URL: http://bugs.debian.org/485282 > to try to have the defaults changed, but no luck for the last 2 years.
>

mmm, let me check it next week in a school. I don't remember how I did it, but I know it works :)

>
> > When laptops are used, there are more things involved. Wireless is important too, and using a network daemon is very important to allow the user to connect at home, or at any other place without problems. We're using wicd because it is very flexible and has some very useful hooks that allow us to masquerade the MACs, so the laptops have the same MAC address when connecting wirelessly or with a cable. We're also preparing a freeradius setup using the same LDAP scheme, for the wifi access at schools.
>
> Yeah. Should probably install that or network-manager or something to get that functionality.
>

wicd works for us better than network-manager because:

- the network connection is done before the user logs in, which is important if you use automount or just LDAP netgroups
- in Gnome, network manager is integrated with the gnome-keyring-manager store, which is very complicated for teachers to use.
- wicd has a very nice hooks system that allows us to do some things before or after getting a connection (maybe network-manager also has something similar, I've never checked it)

> > Also, puppet or cfengine or any other daemon depending on the network to be available at booting is affected when roaming profiles are used.
>
> Absolutely. We are not there, though. :(

Sure, and it's very different doing something for anyone in the world than doing it for a controlled environment. The latter is my case, so I can do some things that probably are not adequate for a general case.

Regards.
José L.
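The server-announcement / laptop-agent split José describes above, modelled as an added Python example (not the zeroconf-services project's own code): the `Announcement` record, the TXT keys `export` and `mountpoint`, the school network list and the mount root are all assumptions. The agent only returns the mount/umount commands it would run, so it works offline without Avahi, and it refuses records from outside the school prefixes or whose mountpoint escapes the mount root, since anything on the link can publish mDNS.

```python
import ipaddress
import posixpath
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Announcement:
    """One mDNS service record as the laptop agent would receive it from Avahi."""
    name: str       # service instance name, e.g. "dept-share"
    host: str       # server hostname published with the record
    address: str    # resolved server address
    txt: dict       # assumed TXT keys: 'export' (server path), 'mountpoint' (client path)


@dataclass
class ShareAgent:
    """Decides which mount/umount commands to run as announcements come and go."""
    school_nets: list                     # only trust servers inside these prefixes (assumed)
    mount_root: str = "/media/school"     # every client mountpoint must stay under here (assumed)
    mounted: dict = field(default_factory=dict)

    def _accept(self, ann):
        """Return the normalised mountpoint, or None for records the laptop must ignore:
        servers outside the school LAN, or mountpoints that escape mount_root."""
        addr = ipaddress.ip_address(ann.address)
        if not any(addr in ipaddress.ip_network(n) for n in self.school_nets):
            return None
        mp = posixpath.normpath(ann.txt.get("mountpoint", ""))
        export = ann.txt.get("export", "")
        if not mp.startswith(self.mount_root + "/") or not export.startswith("/"):
            return None
        return mp

    def on_add(self, ann):
        """Service appeared (laptop is at school): return the mount command or None."""
        mp = None if ann.name in self.mounted else self._accept(ann)
        if mp is None:
            return None
        self.mounted[ann.name] = mp
        return ["mount", "-t", "nfs", "-o", "soft,nosuid,nodev",
                f"{ann.host}:{ann.txt['export']}", mp]

    def on_remove(self, name):
        """Service vanished (laptop left the school): return a lazy umount or None."""
        mp = self.mounted.pop(name, None)
        return ["umount", "-l", mp] if mp else None
```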