Hi Frenklin, On Sa 22 Mär 2014 14:56:43 CET, Franklin Weng wrote:
4. Then we found that, it might be the time problem. At first installing, the time on the main server was 8 hours faster than normal time. When importing the user, I manually set the time back to normal. It may cause the time in the LDAP database become "future", hence the whole LDAP system was unusable. 5. I then manually set the time to one day fast (to make the LDAP time "normal"). It worked. I could login successfully.
Was that login on another client on the Debian Edu network that failed or user/admin login on TJENER?
The time critical service is the KDC (Kerberos) daemon. If a client differs in time by more than five minutes, Kerberos will deny login.
6. Then I changed the IP subnet. The reason was that, the ip 10.0.2.2/8 at eth0 would conflict with the IP (10.160.0.0/16) at eth1, which was controlled by the "upstream" unit. I mean, originally the computers in this computer classroom would get 10.160.0.0/16 from upstream DHCP server=.. At the main server I installed the second NIC and connected it to the upstream. If I didn't change the subnet it would not be able to access the internet.
1. I know that the system may have troubles if the timestamp of some files are at the future, but I really have no idea why. This caused the whole LDAP system unusable.
I am actually not sure, if LDAP is that time sensitive. Make sure to clearly differentiate between LDAP and Kerberos here. And: the clocks should go right in the first place. This is a presumption that we have to make.
2. I didn't assign ldap ip when running subnet_change. After subnet change the LDAP was unusable unless I explicitly assign the ldap ip in /etc/hosts. Would anyone know why?
Everything in the Debian Edu setup is based on a properly working DNS. If DNS is broken, then you are lost and have to fix DNS first.
The DNS information is stored in LDAP again, so maybe we a have cat and tail issue here (LDAP becomes inaccessible, BIND configuration is not updated anymore, DNS fails to work, LDAP won't become accessible unless BIND gets fixed before which obtains its fixes from LDAP...)
3. The performance was not as good as our last test. We wondered if it was because of the quality of the LAN. One of the client could boot and logged into the system, but when operating (for example, browsing web pages or using some software) it disconnected with the main server, hence had problems writing configs back to home folder.
Urgh... that is strange. Maybe DNS problems, as well. I noticed earlier, that Debian Edu systems behave weirdly, if upstream (internet) DNS is unavailable. Not sure why.
4. When clicking the menu icon, it would sometimes show the menu very slowly, maybe after 5 or more seconds. Also when I pointed the mouse to a category, it would sometimes show the second layer menu very slowly. Was it because the home folder was remotely mounted? Is there any way to improve this?
This happens, because on first menu clicks the .desktop files are read from disk/NFS. Next time, menus are obtained from the diskless client's RAM cache. You could try to read-ahead the .desktop files somehow.
5. Another question is that, how can I assign the group when importing mass users into LDAP? We'd like to split users into different (POSIX) groups to easily control the permissions of folders. However we didn't find out how.
Create one user template per your-special-group in GOsa². Then mass import users and select different templates at the beginning of the mass import procedure.
Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment:
pgppLEGzWjB6x.pgp
Description: Digitale PGP-Signatur