[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Today's experiences installing skolelinux at a school



Hi Frenklin,

On  Sa 22 Mär 2014 14:56:43 CET, Franklin Weng wrote:

4. Then we found that, it might be the time problem.  At first installing,
the time on the main server was 8 hours faster than normal time.  When
importing the user, I manually set the time back to normal.  It may cause
the time in the LDAP database become "future", hence the whole LDAP system
was unusable.

5. I then manually set the time to one day fast (to make the LDAP time
"normal").  It worked.  I could login successfully.

Was that login on another client on the Debian Edu network that failed or user/admin login on TJENER?

The time critical service is the KDC (Kerberos) daemon. If a client differs in time by more than five minutes, Kerberos will deny login.

6. Then I changed the IP subnet.  The reason was that, the ip 10.0.2.2/8 at
eth0 would conflict with the IP (10.160.0.0/16) at eth1, which was
controlled by the "upstream" unit.  I mean, originally the computers in
this computer classroom would get 10.160.0.0/16 from upstream DHCP server=..
 At the main server I installed the second NIC and connected it to the
upstream.  If I didn't change the subnet it would not be able to access the
internet.

1. I know that the system may have troubles if the timestamp of some files
are at the future, but I really have no idea why.  This caused the whole
LDAP system unusable.

I am actually not sure, if LDAP is that time sensitive. Make sure to clearly differentiate between LDAP and Kerberos here. And: the clocks should go right in the first place. This is a presumption that we have to make.

2. I didn't assign ldap ip when running subnet_change.  After subnet change
the LDAP was unusable unless I explicitly assign the ldap ip in /etc/hosts.
 Would anyone know why?

Everything in the Debian Edu setup is based on a properly working DNS. If DNS is broken, then you are lost and have to fix DNS first.

The DNS information is stored in LDAP again, so maybe we a have cat and tail issue here (LDAP becomes inaccessible, BIND configuration is not updated anymore, DNS fails to work, LDAP won't become accessible unless BIND gets fixed before which obtains its fixes from LDAP...)

3. The performance was not as good as our last test.  We wondered if it was
because of the quality of the LAN.  One of the client could boot and logged
into the system, but when operating (for example, browsing web pages or
using some software) it disconnected with the main server, hence had
problems writing configs back to home folder.

Urgh... that is strange. Maybe DNS problems, as well. I noticed earlier, that Debian Edu systems behave weirdly, if upstream (internet) DNS is unavailable. Not sure why.

4. When clicking the menu icon, it would sometimes show the menu very
slowly, maybe after 5 or more seconds.  Also when I pointed the mouse to a
category, it would sometimes show the second layer menu very slowly.  Was
it because the home folder was remotely mounted?  Is there any way to
improve this?

This happens, because on first menu clicks the .desktop files are read from disk/NFS. Next time, menus are obtained from the diskless client's RAM cache. You could try to read-ahead the .desktop files somehow.

5. Another question is that, how can I assign the group when importing mass
users into LDAP?  We'd like to split users into different (POSIX) groups to
easily control the permissions of folders.  However we didn't find out how.

Create one user template per your-special-group in GOsa². Then mass import users and select different templates at the beginning of the mass import procedure.

Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Attachment: pgpFPveYwtdD7.pgp
Description: Digitale PGP-Signatur


Reply to: