Marius, I concur with this type of setup, though my thinking is that having a single user account with multiple simultaneous logins isn't a very good idea since multiple things are happening at the same time, which might confuse the server/PAM/applications. I might be wrong, but it just seems like a bad design choice for your goal.
I would propose a "temporary" user of sorts that pulls from the "skel/template" you created, does a pam makehomedir or whatever it is, and removes it upon logout. This way, you have separate user accounts for each login, and changes can be wiped upon user logout. A colleague and I are in the planning stages for something like this that we want to incorporate into our new Ubuntu LTSP/Linux web config utility (don't ask about it yet, as it's in the very beginning stages, just started dev yesterday) which will give dynamic, temporary user accounts that aren't persistent, yet handle simultaneous logins in a sane way. Maybe we can provide better feedback once this portion of it is developed. In the meantime, I think your idea is great, and see many use cases for it - it shouldn't be shunned, it should be explored, developed and secured appropriately.

Cheers,
Jordan/Lns

Marius Flage wrote:
> Hi there
>
> I've asked this question a couple of times on the IRC channel and mostly
> just gotten "friendly abuse" for having such a bad design as to only use
> one user account. So instead I ask this question here, where I can
> properly outline the reason why only one user account and also explain
> the other design decisions.
>
> I'm the system administrator for a school with students aged 6 to 14.
> The computers in our network are mostly used for working in applications
> like OpenOffice.org and retrieving resources off the web. We have quite
> a few machines spread out throughout the school, and a couple of
> computer labs where we have some permanent installations. In these labs
> I've set up fat clients with Ubuntu Jaunty. For simplicity and ease of
> user management (the school has no permanent IT personnel to handle
> day-to-day maintenance), we only use one shared account for all students.
>
> The implication of this design is that we have to make sure that
> changes done by one of the students won't get replicated to the home
> directory.
> The way I've accomplished this is by using unionfs. Unionfs
> lets me combine two (or more?) directories into one (as outlined in [1]
> - the only change here is that I'm using a directory under /tmp instead
> of tmpfs). So upon login of a specific user pam mount creates a unionfs
> with the read-only home directory and a writable temporary directory,
> thus "fooling" the environment into believing it has a writable home
> directory - so that all applications work as expected. When logged off
> or rebooted the unionfs is unmounted and all changes gone.
>
> Since this configuration is individual to each computer, we have also
> set up one computer without this setup, so the teachers can log on and
> make any necessary changes to the /homem directory for the students
> (like changing the start page in firefox or setting a new default font
> and so on).
>
> We're quite happy with this setup and it works well for our needs. It
> also means we only have to maintain one user account and one home
> directory. We also effectively lock down the environment, giving every
> student exactly the same look-and-feel, which is crucial for the IT courses.
>
> That was the introduction, now for my question. I want to replicate this
> setup to work for LTSP clients. The building blocks for this setup are
> basically pam mount for the automatic mounting of file systems and
> volumes whenever a user logs on, and some place on the server to point
> the writable directory to. One user on IRC says that all the pam stuff
> happens server side, so I guess this would be a limiting factor here?
>
> Does anyone have any input here? Or maybe some other way to accomplish
> the same?
> And please don't let the "one user account" design be the
> focus of the responses ;)
>
> - Marius
>
> [1] http://www.debian-administration.org/articles/586

-- 
Jordan Erickson
Owner, Logical Networking Solutions
http://www.logicalnetworking.net
707-636-5678

_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
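
The per-login throwaway home proposed in the reply above (built from a template, wiped at logout), sketched as an added example; it is not code from either poster or from LTSP. `TEMPLATE_DIR`, `SESSION_ROOT` and both function names are assumptions, and hooking the functions into login and logout is left to the deployment.

```shell
#!/bin/sh
# Added example: one private, disposable home per login, copied from a
# read-only template. Paths and function names are assumptions.
TEMPLATE_DIR="${TEMPLATE_DIR:-/etc/skel-student}"
SESSION_ROOT="${SESSION_ROOT:-/tmp/sessions}"

# Create a home for one login and print its path.
session_open() {
    user="$1"
    # Reject empty names and anything that could escape SESSION_ROOT.
    case "$user" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    mkdir -p "$SESSION_ROOT" || return 1
    # mktemp gives each login its own directory, so simultaneous logins
    # of the same account never share writable state.
    home=$(mktemp -d "$SESSION_ROOT/$user.XXXXXX") || return 1
    # Copy template contents (dotfiles included); drop the home on failure.
    cp -a "$TEMPLATE_DIR/." "$home/" || { rm -rf -- "$home"; return 1; }
    # cp -a may carry over the template's directory mode; re-tighten it.
    chmod 700 "$home" || return 1
    printf '%s\n' "$home"
}

# Remove a session home at logout. Only a real directory that is a direct
# child of SESSION_ROOT is deleted; symlinks and other paths are refused.
session_close() {
    home="$1"
    [ -d "$home" ] && [ ! -L "$home" ] || return 1
    root=$(cd "$SESSION_ROOT" && pwd -P) || return 1
    real=$(cd "$home" && pwd -P) || return 1
    [ "$(dirname "$real")" = "$root" ] || return 1
    rm -rf -- "$real"
}
```
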