Re: Thoughts on roaming laptop setup for Debian Edu

2012-01-27 Thread Petter Reinholdtsen

[Petter Reinholdtsen 2010-07-10]
  * The wicd package is installed (instead of network-manager).  Not
    sure if this is a good idea or not, but the report from Extremadura
    made me put it in there as a test.

Based on today's tests, I am starting to suspect it might be better to
use network-manager.

I installed a roaming workstation using PXE in a Debian Edu/Squeeze
network today, and the installation worked fairly well (partition size
issues - updated d-e-install with new sizes).  After installation, I can
log in with the first user, and a local home directory is created and
used after I log in for the second time.  I can disconnect the network
cable and still log in using cached credentials.  All good so far.

But, when I try to connect to the wireless networks around me, wicd does
not see anything.  I had to manually configure wicd to use wlan0 as the
wireless interface to be able to see the wireless networks.  And when I
try to select the non-encrypted network I want to use, I am unable to
get any IP address.

After removing the wicd package and installing the network-manager-kde
instead to get a KDE panel widget to control network-manager, I am able
to connect to the wireless network.

Anyone want to debug wicd in this setup, or should we just switch to
network-manager on Roaming Workstation profiles?  Possible advantages:

 - It will discover wireless interfaces without any configuration.

 - Roaming Workstation will use network manager the same way Standalone
   (and all other profiles?) do it now.

Possible problems:

 - Roaming Workstation will not work for new users because the network
   is not enabled at boot but only after first login, and thus no
   connection to LDAP and Kerberos can be made.

The problems I see might be because wicd and network-manager are
confusing each other.  I did not have much time to debug.
-- 
Happy hacking
Petter Reinholdtsen


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2flzkd92y2z@diskless.uio.no



Re: Thoughts on roaming laptop setup for Debian Edu

2012-01-27 Thread Giorgio Pioda
I also would argue that wicd is fairly less efficient
than network manager. I've tested it
recently on a fresh Wheezy-XFCE but at school I wasn't able to
connect and had to replace it with n-m.

Cheers

Giorgio

On Fri, Jan 27, 2012 at 12:18:12PM +0100, Petter Reinholdtsen wrote:
 
 [Petter Reinholdtsen 2010-07-10]
   * The wicd package is installed (instead of network-manager).  Not
     sure if this is a good idea or not, but the report from Extremadura
     made me put it in there as a test.
 
 Based on today's tests, I am starting to suspect it might be better to
 use network-manager.
 
 I installed a roaming workstation using PXE in a Debian Edu/Squeeze
 network today, and the installation worked fairly well (partition size
 issues - updated d-e-install with new sizes).  After installation, I can
 log in with the first user, and a local home directory is created and
 used after I log in for the second time.  I can disconnect the network
 cable and still log in using cached credentials.  All good so far.
 
 But, when I try to connect to the wireless networks around me, wicd does
 not see anything.  I had to manually configure wicd to use wlan0 as the
 wireless interface to be able to see the wireless networks.  And when I
 try to select the non-encrypted network I want to use, I am unable to
 get any IP address.
 
 After removing the wicd package and installing the network-manager-kde
 instead to get a KDE panel widget to control network-manager, I am able
 to connect to the wireless network.
 
 Anyone want to debug wicd in this setup, or should we just switch to
 network-manager on Roaming Workstation profiles?  Possible advantages:
 
  - It will discover wireless interfaces without any configuration.
 
  - Roaming Workstation will use network manager the same way Standalone
(and all other profiles?) do it now.
 
 Possible problems:
 
  - Roaming Workstation will not work for new users because the network
is not enabled at boot but only after first login, and thus no
connection to LDAP and Kerberos can be made.
 
 The problems I see might be because wicd and network-manager are
 confusing each other.  I did not have much time to debug.
 -- 
 Happy hacking
 Petter Reinholdtsen
 
 
 -- 
 To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: http://lists.debian.org/2flzkd92y2z@diskless.uio.no
 
 

-- 
Sysadmin SPSE-Tenero
Office:   +41 91 735 62 48
Mobile:   +41 79 629 20 63


Archive: http://lists.debian.org/20120127140121.ga3...@ticino.com



Re: Thoughts on roaming laptop setup for Debian Edu

2012-01-27 Thread José Luis Redrejo
2012/1/27 Giorgio Pioda g...@ticino.com:
 I also would argue that wicd is fairly less efficient
 than network manager. I've tested it
 recently on a fresh Wheezy-XFCE but at school I wasn't able to
 connect and had to replace it with n-m.

 Cheers


I agree. Things have changed in the last two years. The development
of n-m has continued improving the application, while wicd has
stalled, keeping some ugly bugs for months.

I still think wicd has a more friendly interface for non-geek users,
especially when you want the computer to get a network connection
before login. That's something that will require root access in n-m,
while it's easy for any user without root access using wicd. However,
the bugs wicd is keeping are making it less efficient with some
wireless encryption methods, so we have been migrating our machines to
n-m in the last months.

Regards.


 Giorgio

 On Fri, Jan 27, 2012 at 12:18:12PM +0100, Petter Reinholdtsen wrote:

 [Petter Reinholdtsen 2010-07-10]
   * The wicd package is installed (instead of network-manager).  Not
     sure if this is a good idea or not, but the report from Extremadura
     made me put it in there as a test.

 Based on today's tests, I am starting to suspect it might be better to
 use network-manager.

 I installed a roaming workstation using PXE in a Debian Edu/Squeeze
 network today, and the installation worked fairly well (partition size
 issues - updated d-e-install with new sizes).  After installation, I can
 log in with the first user, and a local home directory is created and
 used after I log in for the second time.  I can disconnect the network
 cable and still log in using cached credentials.  All good so far.

 But, when I try to connect to the wireless networks around me, wicd does
 not see anything.  I had to manually configure wicd to use wlan0 as the
 wireless interface to be able to see the wireless networks.  And when I
 try to select the non-encrypted network I want to use, I am unable to
 get any IP address.

 After removing the wicd package and installing the network-manager-kde
 instead to get a KDE panel widget to control network-manager, I am able
 to connect to the wireless network.

 Anyone want to debug wicd in this setup, or should we just switch to
 network-manager on Roaming Workstation profiles?  Possible advantages:

  - It will discover wireless interfaces without any configuration.

  - Roaming Workstation will use network manager the same way Standalone
    (and all other profiles?) do it now.

 Possible problems:

  - Roaming Workstation will not work for new users because the network
    is not enabled at boot but only after first login, and thus no
    connection to LDAP and Kerberos can be made.

 The problems I see might be because wicd and network-manager are
 confusing each other.  I did not have much time to debug.
 --
 Happy hacking
 Petter Reinholdtsen





 --
 Sysadmin SPSE-Tenero
 Office:   +41 91 735 62 48
 Mobile:   +41 79 629 20 63





Archive: http://lists.debian.org/CAHpm-q2htMGc5odB-9B=whd6nlr4h_yq_q_-lqpwfdnnx9o...@mail.gmail.com



Re: Thoughts on roaming laptop setup for Debian Edu

2010-07-10 Thread Petter Reinholdtsen
[Petter Reinholdtsen 2010-04-28]
 For some years now, I have wondered how we should handle laptops in
 Debian Edu. The Debian Edu infrastructure is mostly designed to handle
 stationary computers, and less suited for computers that come and go.
 
 Now I finally believe I have a sensible idea on how to adjust Debian
 Edu for laptops, by introducing a new profile for them, for example
 called Roaming Workstations.

Thank you for the very useful feedback from all of you.  Based on this
thread and personal testing, the plan has been changed and a modified
proposal has been implemented. :)

This profile is available in squeeze-test since yesterday.  It only
has part of the solution in place, but this is how it is set up so
far:

 * During installation, libpam-mklocaluser and sssd are installed and
   configured to use LDAP and Kerberos.

 * The wicd package is installed (instead of network-manager).  Not
   sure if this is a good idea or not, but the report from Extremadura
   made me put it in there as a test.

 * When a user in LDAP/Kerberos logs in for the first time, a local
   home directory is created in /home/ and a local user is created in
   /etc/passwd to make sure this new home directory takes effect.  The
   user is thrown out with a message asking her to log in again, and on
   the second login the local user and home directory are used, and
   password checking is done by sssd, which caches LDAP and Kerberos
   information when needed.

If this works well, we can provide it as part of the Squeeze release.

There are still pieces missing:

 * Nothing is done with Printing.

 * Nothing is done with file sync / backup.

 * Nothing is done with mounting the network home directory from the
   NFS/Samba server.

 * Sudo is not set up to grant access for the local user.  Not sure if
   this should be done by default or not.

Happy hacking,
-- 
Petter Reinholdtsen
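As an added example (not code from Debian Edu or libpam-mklocaluser), the first-login flow described in the message above modelled in Python: the first login of an LDAP user plans a local passwd entry with a home under /home/, refusing uid collisions with existing local accounts and system uids, and the second login finds the local account. The attribute names follow the standard posixAccount schema; the sample passwd lines and LDAP entry are constructed.

```python
"""First-login provisioning for a Debian Edu roaming workstation.

Added example, not code from Debian Edu or libpam-mklocaluser.  It models
the flow described in the message above: an LDAP/Kerberos user logging in
for the first time gets a local /etc/passwd entry and a local home under
/home/, and on the second login the local account is used.  The LDAP
entry and the passwd lines below are constructed sample data.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

SYSTEM_UID_MAX = 999  # uids at or below this are system accounts on Debian


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @classmethod
    def parse(cls, line: str) -> PasswdEntry:
        name, _pw, uid, gid, gecos, home, shell = line.strip().split(":")
        return cls(name, int(uid), int(gid), gecos, home, shell)

    def to_line(self) -> str:
        return f"{self.name}:x:{self.uid}:{self.gid}:{self.gecos}:{self.home}:{self.shell}"


def local_home(remote_home: str, username: str) -> str:
    """Map the LDAP home (e.g. /skole/tjener/home0/alice) to /home/alice.

    Only the leaf of the remote path is used, and it must equal the login
    name, so a directory entry cannot steer the local home into another
    user's directory or to an arbitrary path.
    """
    leaf = posixpath.basename(remote_home.rstrip("/"))
    if not leaf or leaf != username:
        raise ValueError(f"LDAP home {remote_home!r} does not belong to {username!r}")
    return posixpath.join("/home", username)


def plan_login(ldap_entry: dict, passwd_lines: list[str]) -> tuple[str, PasswdEntry]:
    """Decide what a login attempt should do.

    Returns ("local", entry) when the user already has a local account
    (second and later logins), or ("create", entry) with the passwd entry
    to append on first login.  Raises ValueError when creating the local
    account would collide with an existing uid or use a system uid.
    """
    username = ldap_entry["uid"]
    uid = int(ldap_entry["uidNumber"])
    gid = int(ldap_entry["gidNumber"])
    local = {e.name: e for e in map(PasswdEntry.parse, passwd_lines)}

    if username in local:
        return "local", local[username]

    if uid <= SYSTEM_UID_MAX:
        raise ValueError(f"refusing to create {username!r} with system uid {uid}")
    taken = {e.uid: e.name for e in local.values()}
    if uid in taken:
        raise ValueError(f"uid {uid} already used locally by {taken[uid]!r}")

    entry = PasswdEntry(username, uid, gid, ldap_entry.get("cn", ""),
                        local_home(ldap_entry["homeDirectory"], username),
                        ldap_entry.get("loginShell", "/bin/bash"))
    return "create", entry


# Constructed sample data: a minimal local passwd file and one LDAP entry.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "bob:x:1001:1001:Bob Local:/home/bob:/bin/bash",
]
SAMPLE_LDAP_ALICE = {
    "uid": "alice", "uidNumber": "1002", "gidNumber": "1002",
    "cn": "Alice Example", "homeDirectory": "/skole/tjener/home0/alice",
    "loginShell": "/bin/bash",
}

if __name__ == "__main__":
    # First login: the entry is appended and the user is asked to log in again.
    action, entry = plan_login(SAMPLE_LDAP_ALICE, SAMPLE_PASSWD)
    print(action, entry.to_line())
    # Second login: the local account is found and used.
    action, entry = plan_login(SAMPLE_LDAP_ALICE, SAMPLE_PASSWD + [entry.to_line()])
    print(action, entry.home)
```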


Archive: http://lists.debian.org/20100710185452.gb...@login2.uio.no



Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-30 Thread Finn-Arne Johansen
Petter Reinholdtsen wrote:
 For some years now, I have wondered how we should handle laptops in
 Debian Edu. The Debian Edu infrastructure is mostly designed to handle
 stationary computers, and less suited for computers that come and go.

For some years, I've implemented various solutions for this, and all
have their pitfalls.

The first setups were rather normal installations, where the user
created during installation was a normal user.

We have also set up installations with a common username (bruker),
where the connection to the home directory was done through a script
that asked the user for their username before the connection was made,
either through sshfs or smbfs/cifs.

We then tried a solution using pam-ccreds and nss-update together
with an sshfs connection during login. This also worked from home, using a
special variant of ppp over ssh. Although it now seems to work most of
the time, we have stopped using that method. The problem was caused by
connections that got disconnected. These disconnections are caused by
using wlan as the carrier, and often home-targeted wlan routers being
used in offices where there are several teachers.

The main problem was connecting to shared folders. These folders are
used by several users (teachers), and although disk space is not a
problem, there would soon be a problem with lock files, and the
question of how often one should synchronize.
Unison every 5 minutes or so could maybe be used, but it would need to run
as the root user on the laptop and on the server, and I don't like that.


What we've ended up with in the latest version is one that tests
during startup whether a local user has been created. If not, kdm automatically
logs in a system user, which asks for a username and a password. Then
the script tries to authenticate against the LDAP server. If
successful, a local user is created, and then it returns to
the kdm login screen. It also sets the name of the laptop to the
owner's name, and gives the user sudo access to the machine. The system
disk is mounted read-only, but during creation of a local user it is
remounted read-write.

When there is a user (either just created, or created previously), a
local login is done. Then there is a script to connect to some shared
folders and the user's home directory using cifs. Cifs is chosen because in
real life I feel it's more robust than sshfs; it's better at handling
disconnections. When the connection is made, the user is prompted for a
password.

The main reason is that most connections are done using wireless, and
most often, this connection is done after the user has logged in.
There is still a task to get the passwords synchronized whenever the
user changes passwords.

So, to summarize the pitfalls:
- Network connections usually happen after the user has logged in, so
  during authentication the user has to be authenticated locally
- Simple wlan leads to drops in the connection, causing sshfs to hang;
  cifs/smbfs is somewhat better (according to real-life experience)
- pam-ccreds and nss-update are not stable enough on Lenny



Archive: http://lists.debian.org/4bdab928.2070...@bzz.no



Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-30 Thread L. Redrejo
On Thu, 2010-04-29 at 15:14 +0200, Petter Reinholdtsen wrote:
 [José L. Redrejo Rodríguez]
  Hi, as I have had the same problems (in Spain, present and future
  deployments are being doing using laptops in all the regions), I'll give
  you  inline the solutions I'm using since the beginning of the present
  scholar course. Maybe some of them can be useful.
 
 Very useful indeed. :)
 
 * During installation, the user name of the owner / primary user of
   the laptop is requested and a local home directory is set up for
   the user, with uid and gid information fetched from the LDAP
   server. This allows the user to work also when offline. The central
   home directory can be available in a subdirectory on request, for
   example mounted via CIFS. It could be mounted automatically when a
   user logs in while on the Debian Edu network, and unmounted when
   the machine is taken away (network down, hibernate, etc), it can
   be set up to do automatic mounting on request (using autofs), or
   perhaps some GUI button on the desktop can be used to access it
   when needed. Perhaps it is enough to use the fish protocol in KDE?
  
  
  We're using pam mkhomedir, so the installation is the same for all
  the laptops, never mind the end user of it. Then, at the school,
  when the laptop is given to the teacher/student, he must log in at
  least once in the network, so ldap credentials are fetched, his home
  is created on the disk and we're also using a script that assigns to
  the laptop hostname the login name of the user. This is useful to
  locate the laptops on the network later.
 
 Very good idea, but I did not quite like the fact that the home
 directory on the laptop ends up with a path indicating a location on a
 different machine.  I got /skole/tjener/home0/username (tjener is
 the host where the directory is located).  I would prefer it if the
 home directory ended up being /home/username on the laptop, to make
 it obvious from the path that it is not the remote location.  No idea
 how to do that with mkhomedir.  Would probably have to rewrite the
 fetched LDAP information to make that happen.

mmm, I got /home0/username, not the server info. Maybe the home
information is different in our ldap servers.


 
  I've made a small development with two parts: a server announcement
  and an agent in the laptops. The nfs servers announce themselves
  using avahi to the net, and the mounting point of the shares. The
  client agent at the laptops detects that announcement and mounts the
  shares when available. So at the school they have access to the nfs
  servers and at home they don't.
 
 This sound like something we could use in the official Debian Edu
 packages as well.  What is the URL to the source?
 



http://desarrollo.educarex.es/linex/projects/linexcolegios2010/repository/show/zeroconf-services

The file ServicesConfig.py has a self-explanatory config file example to
show how it works. All the code has comments in English, so it's not
hard to follow it.

There is a brief description of its targets at:
http://desarrollo.educarex.es/linex/projects/linexcolegios2010/wiki/Zeroconf in
perfect Spanish ;)

The application is intended to do more things from the servers to the
clients: announce disk cloning, nfs shares, desktop icons and jclic
libraries. Currently only nfs shares are implemented and used in
production. Disk cloning is tested and works with lenny, but doesn't
work in squeeze due to the new grub setup.



  The home is at the laptop, the nfs dirs are only used for sharing
  files between students, classrooms or departments at the school.
 
 Right.  That might be a challenge, as long as we use NFS and use IP
 based access lists.
 
* File synchronisation with the central home directory is set up
  using a shared directory in both the local and the central home
  directory, using unison.
  
  
  this is not scalable when hundreds of users are logged in.
 
 What is the bottleneck?
 

with hundreds of users there are two bottlenecks: cpu consumption in the
server when doing the rsync, and bandwidth to the server. It's very
common at schools to begin the classes at the same time, so the
students switch the computers on and off around the same time. That's a
really big concurrency for the school network in our case.


* For users that should have local root access to their laptop, sudo
  should be used to allow this to the local user.
  
  
  We have removed the root access to the users. Only root access via
  ssh from some special machines in the school is allowed. So, only a
  few people can access as root to the laptops, and from a very few
  machines.
 
 Probably a good idea.  If all users can log in via ssh, they will get
 home directories created automatically, and that is not really the
 intention.  Perhaps mkhomedir should be disabled after the first user
 is created?


We do have such intention: currently not all the teachers have a laptop,
in some 

Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-30 Thread Jonas Smedegaard

On Fri, Apr 30, 2010 at 12:19:11PM +0200, José L. Redrejo Rodríguez wrote:


with hundreds of users there are two bottlenecks: cpu consumption in the
server when doing the rsync, and bandwidth to the server.


I was recently made aware of zsync, putting the burden on the clients: 
http://zsync.moria.org.uk/



 - Jonas

--
* Jonas Smedegaard - idealist  Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-30 Thread Petter Reinholdtsen
[José L. Redrejo Rodríguez]
 mmm, I got /home0/username, not the server info. Maybe the home
 information is different in our ldap servers

With NFS, such a setup would cause NFS hangs for a lot of processes
(anyone doing the equivalent of ls -l /), so we chose
/skole/host/home0/username for Debian Edu.

 http://desarrollo.educarex.es/linex/projects/linexcolegios2010/repository/show/zeroconf-services

Great.  I'm unable to reach the server now.  Not sure what is wrong.

 The application is thought to do more things from the servers to the
 clients: announce disk clonations, nfs shares, desktop icons and
 jclic libraries. Currently only nfs shares is implemented and used
 in production. Disk clonations is tested and works with lenny, but
 don't work in squeeze due to the new grub setup.

Sounds very useful, and perhaps a better idea than our current autofs
based implementation.

 So for us, the benefits of being able to share the laptops are
 greater than the problems ssh access can cause in some case.

Right.  I've asked for pam_mkhomedir to get pam-auth-update
configuration in Squeeze (#485282), and hope it will be available in
time.  If it is, setting up such a configuration would consist of
installing a libpam-mkhomedir package. :)

 mmm, let me check it next week in a school. I don't remember how I
 did it, but I know it works :)

Thanks.  I am aware of two solutions for this, one using nscd and one using 
pam-updatedb.

 wicd works for us better than network-manager because:
 - the network connection is done before the user logs in, which is
 important if you use automount or just ldap netgroups
 - in Gnome, network manager is integrated with the gnome-keyring-manager
 deposit that's very complicated to be used by teachers.
 - wicd has a very nice hooks system that allows us to do some things
 before or after getting a connection (maybe network-manager also has
 something similar, I've never checked it)

Sounds like wicd might be a good solution for roaming workstations.  It
should be possible to configure network-manager to configure the network
before a user logs in (i.e. at boot), but I have not been able to get it
working.

In KDE, network-manager is integrated with kwallet, and asks for
wallet access even for non-encrypted wireless networks. :)

 Sure, and it's very different doing something for anyone in the
 world, than doing it for a controlled environment. The latter is my
 case, so I can do some things that probably are not adequate for a
 general case.

Yeah.  We have a framework in place, but no-one documented how to use
it and I doubt anyone is using our framework for distributed
cfengine. :)

Happy hacking,
-- 
Petter Reinholdtsen


Archive: http://lists.debian.org/20100430125737.gf16...@login1.uio.no



Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-30 Thread L. Redrejo
On Fri, 2010-04-30 at 14:57 +0200, Petter Reinholdtsen wrote:
 [José L. Redrejo Rodríguez]
  mmm, I got /home0/username, not the server info. Maybe the home
  information is different in our ldap servers
 
 With NFS, such a setup would cause NFS hangs for a lot of processes
 (anyone doing the equivalent of ls -l /), so we chose
 /skole/host/home0/username for Debian Edu.
 
  http://desarrollo.educarex.es/linex/projects/linexcolegios2010/repository/show/zeroconf-services
 
 Great.  I'm unable to reach the server now.  Not sure what is wrong.


It's my fault, just replace desarrollo.educarex.es (the domain name
inside our Intranet) in the URL with desarrollo2.educarex.es (the public
domain name for the same machine).

Regards.
José L.






Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-30 Thread L. Redrejo
On Fri, 2010-04-30 at 14:53 +0200, Jonas Smedegaard wrote:
 On Fri, Apr 30, 2010 at 12:19:11PM +0200, José L. Redrejo Rodríguez wrote:
 
 with hundreds of users there are two bottlenecks: cpu consumption in the
 server when doing the rsync, and bandwidth to the server.
 
 I was recently made aware of zsync, putting the burden on the clients: 
 http://zsync.moria.org.uk/


I find this very useful to distribute files to the clients (to clone a
disk), but I don't see the differences with rsync when you just want to
synchronize a local home dir between the hard disk and the server...




Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-30 Thread Jonas Smedegaard

On Fri, Apr 30, 2010 at 04:56:57PM +0200, José L. Redrejo Rodríguez wrote:

On Fri, 2010-04-30 at 14:53 +0200, Jonas Smedegaard wrote:
On Fri, Apr 30, 2010 at 12:19:11PM +0200, José L. Redrejo Rodríguez wrote:


with hundreds of users there are two bottlenecks: cpu consumption in
the server when doing the rsync, and bandwidth to the server.


I was recently made aware of zsync, putting the burden on the 
clients: http://zsync.moria.org.uk/



I find this very useful to distribute files to the clients (to clone a
disk), but I don't see the differences with rsync when you just want to
synchronize a local home dir between the hard disk and the server...


As I understand it, zsync computes binary diffs client-side, rather than 
server-side as rsync does.  Which I suspect would help with the first of 
the bottlenecks you mention above: CPU consumption on the server.


I have not used zsync myself, however, just looked it up when Sugarlabs 
folks mentioned it recently, so I might have misunderstood.



Regards,

 - Jonas

--
* Jonas Smedegaard - idealist  Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-29 Thread L. Redrejo
On Wed, 2010-04-28 at 20:43 +0200, Petter Reinholdtsen wrote:
 For some years now, I have wondered how we should handle laptops in
 Debian Edu. The Debian Edu infrastructure is mostly designed to handle
 stationary computers, and less suited for computers that come and go.
 
 Now I finally believe I have a sensible idea on how to adjust Debian
 Edu for laptops, by introducing a new profile for them, for example
 called Roaming Workstations. Here are my thoughts on this. The setup
 would consist of the following:
 


Hi, as I have had the same problems (in Spain, present and future
deployments are being done using laptops in all the regions), I'll give
you inline the solutions I'm using since the beginning of the present
school year. Maybe some of them can be useful.

   * During installation, the user name of the owner / primary user of
     the laptop is requested and a local home directory is set up for
     the user, with uid and gid information fetched from the LDAP
     server. This allows the user to work also when offline. The central
     home directory can be available in a subdirectory on request, for
     example mounted via CIFS. It could be mounted automatically when a
     user logs in while on the Debian Edu network, and unmounted when
     the machine is taken away (network down, hibernate, etc), it can
     be set up to do automatic mounting on request (using autofs), or
     perhaps some GUI button on the desktop can be used to access it
     when needed. Perhaps it is enough to use the fish protocol in KDE?
 

We're using pam mkhomedir, so the installation is the same for all the
laptops, never mind the end user of it. Then, at the school, when the
laptop is given to the teacher/student, he must log in at least once in
the network, so ldap credentials are fetched, his home is created on the
disk and we're also using a script that assigns to the laptop hostname
the login name of the user. This is useful to locate the laptops on the
network later.


   * Password checking is set up to use LDAP or Kerberos authentication
     when the machine is on the Debian Edu network, and to cache the
     password for offline checking when the machine is unable to reach the
     LDAP or Kerberos server. This can be done using libpam-ccreds or
     the Fedora developed System Security Services Daemon packages.



I've made a small development with two parts: a server announcement and
an agent in the laptops. The nfs servers announce themselves using avahi
to the net, and the mounting point of the shares. The client agent at
the laptops detects that announcement and mounts the shares when
available. So at the school they have access to the nfs servers and at
home they don't.

The home is at the laptop, the nfs dirs are only used for sharing files
between students, classrooms or departments at the school.

 
   * File synchronisation with the central home directory is set up
 using a shared directory in both the local and the central home
 directory, using unison.
 

this is not scalable when hundreds of users are logged in.


   * Printing should be set up to print to all printers broadcasting
 their existence on the local network, and should then work out of
 the box with CUPS. For sites needing accurate printer quotas, some
 system with Kerberos authentication or printing via ssh could be
 implemented.
 
   * For users that should have local root access to their laptop, sudo
 should be used to allow this to the local user.
 

We have removed the root access to the users. Only root access via ssh
from some special machines in the school is allowed. So, only a few
people can access as root to the laptops, and from a very few machines.


   * It would be nice if user and group information from LDAP is cached
 on the client, but given that there are entries for the local user
 and primary group in /etc/, it should not be needed.
 


we're caching them, pam_ccreds works perfectly with it.


 I believe all the pieces to implement this are in Debian/testing at
 the moment. If we work quickly, we should be able to get this ready in
 time for the Squeeze release to freeze. Some of the pieces need
 tweaking, like libpam-ccreds should get support for pam-auth-update
 (#566718) and nslcd (or perhaps debian-edu-config) should get some
 integration code to stop its daemon when the LDAP server is
 unavailable to avoid long timeouts when disconnected from the net. If
 we get Kerberos enabled, we need to make sure we avoid long timeouts
 there too.

When laptops are used, there are more things involved. Wireless is
important too, and using a network daemon is very important to allow
the user to connect at home, or at any other place, without problems.
We're using wicd because it is very flexible and has some very useful
hooks that allow us to masquerade the MACs, so the laptops have the same
MAC address whether they connect wirelessly or with a cable.
We're also preparing a freeradius setup using the 

Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-29 Thread Petter Reinholdtsen
[José L. Redrejo Rodríguez]
 Hi, as I have had the same problems (in Spain, present and future
 deployments are being done using laptops in all the regions), I'll give
 you inline the solutions I'm using since the beginning of the present
 school year. Maybe some of them can be useful.

Very useful indeed. :)

   * During installation, the user name of the owner / primary user of
     the laptop is requested and a local home directory is set up for
     the user, with uid and gid information fetched from the LDAP
     server. This allows the user to work also when offline. The central
     home directory can be available in a subdirectory on request, for
     example mounted via CIFS. It could be mounted automatically when a
     user logs in while on the Debian Edu network, and unmounted when
     the machine is taken away (network down, hibernate, etc), it can
     be set up to do automatic mounting on request (using autofs), or
     perhaps some GUI button on the desktop can be used to access it
     when needed. Perhaps it is enough to use the fish protocol in KDE?
 
 
 We're using pam mkhomedir, so the installation is the same for all
 the laptops, never mind the end user of it. Then, at the school,
 when the laptop is given to the teacher/student, he must log in at
 least once on the network, so LDAP credentials are fetched, his home
 is created on the disk, and we're also using a script that assigns
 the login name of the user as the laptop hostname. This is useful to
 locate the laptops on the net later.

Very good idea, but I did not quite like the fact that the home
directory on the laptop ends up with a path indicating a location on a
different machine.  I got /skole/tjener/home0/username (tjener is
the host where the directory is located).  I would prefer it if the
home directory ended up being /home/username on the laptop, to make
it obvious from the path that it is not the remote location.  No idea
how to do that with mkhomedir.  Would probably have to rewrite the
fetched LDAP information to make that happen.

 I've made a small development with two parts: a server announcement
 and an agent in the laptops. The NFS servers announce themselves
 using avahi to the net, together with the mount point of the shares.
 The client agent at the laptops detects that announcement and mounts
 the shares when available. So at the school they have access to the
 NFS servers and at home they don't.

This sounds like something we could use in the official Debian Edu
packages as well.  What is the URL to the source?

 The home is at the laptop, the NFS dirs are only used to share
 files between students, classrooms or departments at the school.

Right.  That might be a challenge, as long as we use NFS and use IP
based access lists.

   * File synchronisation with the central home directory is set up
 using a shared directory in both the local and the central home
 directory, using unison.
 
 
 this is not scalable when hundreds of users are logged in.

What is the bottleneck?

   * For users that should have local root access to their laptop, sudo
 should be used to allow this to the local user.
 
 
 We have removed root access for the users. Only root access via
 ssh from some special machines in the school is allowed. So, only a
 few people can access the laptops as root, and only from very few
 machines.

Probably a good idea.  If all users can log in via ssh, they will get
home directories created automatically, and that is not really the
intention.  Perhaps mkhomedir should be disabled after the first user
is created?

   * It would be nice if user and group information from LDAP is cached
 on the client, but given that there are entries for the local user
 and primary group in /etc/, it should not be needed.
 
 we're caching them, pam_ccreds works perfectly with it.

How are you caching the user and group info?  Are you using nscd for
this, and if that is the case, how did you change /etc/nscd.conf?
I've reported URL: http://bugs.debian.org/485282  to try to have the
defaults changed, but no luck for the last 2 years.

 When laptops are used, there are more things involved. Wireless is
 important too, and using a network daemon is very important to
 allow the user to connect at home, or at any other place, without
 problems.  We're using wicd because it is very flexible and has some
 very useful hooks that allow us to masquerade the MACs, so the laptops
 have the same MAC address whether connected wirelessly or with a cable.
 We're also preparing a freeradius setup using the same LDAP schema,
 for the wifi access at schools.

Yeah.  Should probably install that or network-manager or something to
get that functionality.

 Also, puppet or cfengine or any other daemon depending on the
 network being available at boot is affected when roaming profiles
 are used.

Absolutely.  We are not there, though. :(

Happy hacking,
-- 
Petter Reinholdtsen


-- 
To UNSUBSCRIBE, email to 
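An added example, not code from this thread or from debian-edu-install, of the rewrite Petter wishes for above: take the posixAccount and posixGroup entries fetched from the main server (the same lookup the draft installer patch later in this thread performs with ldap-utils) and emit /etc/passwd and /etc/group lines for the laptop with the home directory relocated under /home instead of /skole/tjener/home0. It also applies the checks a roaming laptop should make before trusting an answer from whatever LDAP server it can reach on the current network (the caveat Arthur raises later in the thread): user name, id range and login shell are validated, so a server that answers with uidNumber 0 cannot turn the primary user into a local root. The LDIF text, the user kari, the ids and the gecos are constructed for the example; the LDAP base is the one used in the draft patch.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what an ldapsearch for the primary user and her
# private group could return from a Debian Edu main server.  The user
# "kari", the ids and the gecos are made up for this example.
SAMPLE_LDIF = """\
dn: uid=kari,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: inetOrgPerson
objectClass: posixAccount
uid: kari
uidNumber: 1042
gidNumber: 1042
gecos: Kari Nordmann
homeDirectory: /skole/tjener/home0/kari
loginShell: /bin/bash

dn: cn=kari,ou=Group,dc=skole,dc=skolelinux,dc=no
objectClass: posixGroup
cn: kari
gidNumber: 1042
memberUid: kari
"""

# Constructed hostile answer: a rogue LDAP server on a foreign network that
# maps the same user name onto uid 0.
ROGUE_LDIF = """\
dn: uid=kari,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: kari
uidNumber: 0
gidNumber: 0
loginShell: /bin/bash
"""

SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MIN_NETWORK_ID = 1000            # below this live the laptop's own system accounts
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash"}
Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded continuation lines.  Base64 (::) and URL (:<) values are refused."""
    entries: List[Entry] = []
    current: Entry = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]          # folded continuation line
            continue
        attr, sep, value = line.partition(":")
        if not sep or not attr.strip() or value[:1] in (":", "<"):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        last = attr.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def single(entry: Entry, attr: str) -> str:
    values = entry.get(attr, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {attr}, got {len(values)}")
    return values[0]


def local_passwd_line(entry: Entry, local_home: str = "/home") -> str:
    """/etc/passwd line for the laptop, or ValueError saying why the entry
    must not be mirrored (wrong class, odd name, system-range id, odd shell)."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("not a posixAccount")
    name, shell = single(entry, "uid"), single(entry, "loginShell")
    uid, gid = int(single(entry, "uidNumber")), int(single(entry, "gidNumber"))
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe user name {name!r}")
    if uid < MIN_NETWORK_ID or gid < MIN_NETWORK_ID:
        raise ValueError(f"uid/gid {uid}/{gid} inside the local system range")
    if shell not in ALLOWED_SHELLS:
        raise ValueError(f"unexpected login shell {shell!r}")
    gecos = entry.get("gecos", [""])[0].replace(":", " ")   # keep field separators safe
    return f"{name}:x:{uid}:{gid}:{gecos}:{local_home}/{name}:{shell}"


def account_problem(entry: Entry) -> Optional[str]:
    """None if the entry would be mirrored, else the reason it is refused."""
    try:
        local_passwd_line(entry)
    except ValueError as exc:
        return str(exc)
    return None


def local_group_line(entry: Entry) -> str:
    """/etc/group line for the user's primary group, members filtered too."""
    if "posixGroup" not in entry.get("objectClass", []):
        raise ValueError("not a posixGroup")
    name, gid = single(entry, "cn"), int(single(entry, "gidNumber"))
    if not SAFE_NAME.match(name) or gid < MIN_NETWORK_ID:
        raise ValueError(f"refusing group {name!r} with gid {gid}")
    members = [m for m in entry.get("memberUid", []) if SAFE_NAME.match(m)]
    return f"{name}:x:{gid}:{','.join(members)}"


def mirror_primary_user(ldif_text: str, username: str) -> Tuple[str, str]:
    """Pick the account named username and its primary group out of an LDIF
    dump and return the (passwd, group) lines to append on the laptop."""
    entries = parse_ldif(ldif_text)
    accounts = [e for e in entries if e.get("uid") == [username]]
    if len(accounts) != 1:
        raise ValueError(f"expected one account for {username!r}, found {len(accounts)}")
    passwd = local_passwd_line(accounts[0])
    gid = single(accounts[0], "gidNumber")
    groups = [e for e in entries
              if "posixGroup" in e.get("objectClass", []) and e.get("gidNumber") == [gid]]
    if len(groups) != 1:
        raise ValueError(f"expected one group with gid {gid}, found {len(groups)}")
    return passwd, local_group_line(groups[0])
```

Feeding SAMPLE_LDIF through mirror_primary_user gives `kari:x:1042:1042:Kari Nordmann:/home/kari:/bin/bash` and `kari:x:1042:kari`, i.e. the LDAP ids with a local home path; the rogue answer is refused before anything is written to /etc.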

Re: On Thoughts on roaming laptop setup for Debian Edu

2010-04-29 Thread Petter Reinholdtsen
[Arthur de Jong]
 Hi Petter and list,

Hi.

 I saw your blog post on Thoughts on roaming laptop set-up for Debian
 Edu [1] and thought I'd point out use of the nssov slapd overlay with
 caching for off-line operation [2].

Definitely interesting.  A third option has come up, which is to use
the sssd system (WNPP: #579593) from Fedora (also in Ubuntu).

Btw, when I have your attention on the topic.  If one is to use nslcd
in a roaming setup, what would be your recommendations for the
timeouts specified in nslcd.conf?  Will nslcd react properly when the
network is up but the LDAP server does not respond any more because the
local machine changed IP address?  I suspect a good approach would be
to stop nslcd when the network is down or the LDAP server is
unavailable, to make sure everything keeps responding quickly when
disconnected.

Partly related to the topic, do you know if there is some work in
progress to handle nsswitch.conf configuration in Debian?

Happy hacking,
-- 
Petter Reinholdtsen


Archive: http://lists.debian.org/20100429173639.gb32...@login2.uio.no



Re: On Thoughts on roaming laptop setup for Debian Edu

2010-04-29 Thread Arthur de Jong
On Thu, 2010-04-29 at 19:36 +0200, Petter Reinholdtsen wrote:
 A third option has come up, which is to use the sssd system (WNPP:
 #579593) from Fedora (also in Ubuntu).

I don't have experience with that although I did have a look at it at
one point. Perhaps I should investigate it some more and look at recent
versions.

 Btw, when I have your attention on the topic.  If one is to use nslcd
 in a roaming setup, what would be your recommendations for the
 timeouts specified in nslcd.conf?  Will nslcd react properly when the
 network is up but the LDAP server does not respond any more because the
 local machine changed IP address?  I suspect a good approach would be
 to stop nslcd when the network is down or the LDAP server is
 unavailable, to make sure everything keeps responding quickly when
 disconnected.

If you are using nslcd (and not nssov) I recommend setting the timeouts
as low as reasonable in a working network (say a couple of seconds for
bind_timelimit and reconnect_maxsleeptime). nslcd keeps some state on
the reachability of the LDAP server and will only retry once for every
NSS lookup (it's a bit more complicated than that but failures are fast
if the LDAP server was unavailable before).

It is faster to not have nslcd running when the LDAP server is
unavailable though.

nslcd does not check if the network is up, it just tries to connect to
the LDAP server. Having an unreachable LDAP server (e.g. not reachable
through a firewall that drops packets) could slow things down a little
but other than that it should be pretty fast.

You have to think a bit about security in such situations though.
Consider that you plug your laptop into another network. If that network
happens to contain an LDAP server on the same address, that LDAP server
could insert any information it wants into the NSS and PAM stacks of the
laptop. You probably want to authenticate the LDAP server in some way
(e.g. using certificates).

 Party related to the topic, do you know if there is some work in
 progress to handle nsswitch.conf configuration in Debian?

Not that I'm aware of though I would be very interested if there were. I
think all packages that modify /etc/nsswitch.conf have their own
scripts. There was at one point a Summer of Code project [1] that
produced something [2] but sadly nothing was done with it [3].

[1] http://wiki.debian.org/SummerOfCode2008/PamNssDebianInstaller
[2] http://gnucrash.wordpress.com/2008/06/12/first-versions-of-update-pam-update-nsswitch-ready/
[3] http://bugs.debian.org/496915

-- 
-- arthur - art...@arthurdejong.org - http://arthurdejong.org --


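An added example, not from this thread or from nss-pam-ldapd, that turns Arthur's two recommendations above into a check a site could run on its roaming laptops: a small audit of nslcd.conf that flags LDAP traffic the laptop does not authenticate (so a server on a foreign network with the same name or address would be trusted) and timeouts that are too long for a machine that is often out of reach of the server. Both configurations are constructed for the example; the hostname ldap.intern and the CA file path are assumptions. Option names are those of nslcd.conf(5) for the nss-pam-ldapd of that time (reconnect_maxsleeptime, as Arthur calls it; later releases renamed it reconnect_retrytime, which the check accepts too).

```python
from typing import Dict, List

# Constructed nslcd.conf as a laptop might ship it: plain LDAP to a host
# found by name, no server authentication, library-default timeouts.
WEAK_CONF = """\
uid nslcd
gid nslcd
uri ldap://ldap/
base dc=skole,dc=skolelinux,dc=no
"""

# Constructed hardened counterpart: STARTTLS with a certificate that must
# chain to the site CA, and lookups that fail fast when the server is gone.
HARDENED_CONF = """\
uid nslcd
gid nslcd
uri ldap://ldap.intern/
base dc=skole,dc=skolelinux,dc=no
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/debian-edu-ldap-ca.pem
bind_timelimit 2
reconnect_maxsleeptime 2
"""

MAX_TIMEOUT = 5          # seconds; "a couple of seconds" is the advice above


def parse_nslcd_conf(text: str) -> Dict[str, List[str]]:
    """nslcd.conf is one 'keyword value...' per line; uri may repeat, and the
    last occurrence of a single-valued keyword wins."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        settings.setdefault(keyword.lower(), []).append(value.strip())
    return settings


def audit_nslcd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    conf = parse_nslcd_conf(text)
    findings: List[str] = []
    uris = conf.get("uri", [])
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()
    if not uris:
        findings.append("no uri: nslcd falls back to whatever /etc/ldap/ldap.conf names")
    plaintext = [u for u in uris if u.startswith("ldap://")]
    if plaintext and ssl_mode not in ("on", "start_tls"):
        findings.append("plaintext ldap:// without 'ssl start_tls': passwd/group data and "
                        "PAM binds are neither encrypted nor authenticated")
    tls_used = ssl_mode in ("on", "start_tls") or any(u.startswith("ldaps://") for u in uris)
    if tls_used:
        reqcert = conf.get("tls_reqcert", [None])[-1]
        if reqcert is None:
            findings.append("tls_reqcert not set: verification is inherited from "
                            "/etc/ldap/ldap.conf; set 'tls_reqcert demand' explicitly")
        elif reqcert.lower() not in ("demand", "hard"):
            findings.append(f"tls_reqcert {reqcert}: server certificate is not verified, "
                            "a rogue LDAP server on a foreign network is accepted")
        if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append("no tls_cacertfile/tls_cacertdir: nothing to verify the "
                            "server certificate against")
    # The retry option was renamed between releases; accept either spelling.
    retry_keys = [k for k in ("reconnect_maxsleeptime", "reconnect_retrytime") if k in conf]
    for opt in ["bind_timelimit"] + (retry_keys or ["reconnect_maxsleeptime"]):
        values = conf.get(opt)
        if not values:
            findings.append(f"{opt} not set: the default is too long for a laptop that is "
                            "often away from the school network")
        elif not values[-1].isdigit() or int(values[-1]) > MAX_TIMEOUT:
            findings.append(f"{opt} {values[-1]}: keep it at a few seconds so lookups fail "
                            "fast when the server is unreachable")
    return findings
```

Running audit_nslcd over WEAK_CONF yields three findings (plaintext LDAP and the two missing timeouts); HARDENED_CONF yields none. The check deliberately does not consider the network state: as Arthur notes, nslcd only ever tries to connect, so the certificate check is what stops a look-alike server from feeding the NSS and PAM stacks.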


Thoughts on roaming laptop setup for Debian Edu

2010-04-28 Thread Petter Reinholdtsen

For some years now, I have wondered how we should handle laptops in
Debian Edu. The Debian Edu infrastructure is mostly designed to handle
stationary computers, and less suited for computers that come and go.

Now I finally believe I have a sensible idea on how to adjust Debian
Edu for laptops, by introducing a new profile for them, for example
called Roaming Workstations. Here are my thoughts on this. The setup
would consist of the following:

  * During installation, the user name of the owner / primary user of
the laptop is requested and a local home directory is set up for
the user, with uid and gid information fetched from the LDAP
server. This allows the user to work also when offline. The central
home directory can be available in a subdirectory on request, for
example mounted via CIFS. It could be mounted automatically when a
user logs in while on the Debian Edu network, and unmounted when
the machine is taken away (network down, hibernate, etc), it can
be set up to do automatic mounting on request (using autofs), or
perhaps some GUI button on the desktop can be used to access it
when needed. Perhaps it is enough to use the fish protocol in KDE?

  * Password checking is set up to use LDAP or Kerberos authentication
when the machine is on the Debian Edu network, and to cache the
password for offline checking when the machine is unable to reach the
LDAP or Kerberos server. This can be done using libpam-ccreds or
the Fedora developed System Security Services Daemon packages.

  * File synchronisation with the central home directory is set up
using a shared directory in both the local and the central home
directory, using unison.

  * Printing should be set up to print to all printers broadcasting
their existence on the local network, and should then work out of
the box with CUPS. For sites needing accurate printer quotas, some
system with Kerberos authentication or printing via ssh could be
implemented.

  * For users that should have local root access to their laptop, sudo
should be used to allow this to the local user.

  * It would be nice if user and group information from LDAP is cached
on the client, but given that there are entries for the local user
and primary group in /etc/, it should not be needed.

I believe all the pieces to implement this are in Debian/testing at
the moment. If we work quickly, we should be able to get this ready in
time for the Squeeze release to freeze. Some of the pieces need
tweaking, like libpam-ccreds should get support for pam-auth-update
(#566718) and nslcd (or perhaps debian-edu-config) should get some
integration code to stop its daemon when the LDAP server is
unavailable to avoid long timeouts when disconnected from the net. If
we get Kerberos enabled, we need to make sure we avoid long timeouts
there too.

Happy hacking,
-- 
Petter Reinholdtsen


Archive: http://lists.debian.org/2flhbmvto3p@login2.uio.no



Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-28 Thread Petter Reinholdtsen
[Petter Reinholdtsen]
 I believe all the pieces to implement this are in Debian/testing at
 the moment.

I started on this, and here is a draft (untested) patch to implement
the new profile option, ask for username and create a local user for
it based on information found in LDAP, and set up libpam-ccreds and
sudo.  I hope to find time to test it the next few days, and find
solutions for the missing pieces.  If you want to help out, please
join me on IRC. :)

Index: debian/debian-edu-profile-udeb.templates
===
--- debian/debian-edu-profile-udeb.templates(revision 63786)
+++ debian/debian-edu-profile-udeb.templates(working copy)
@@ -5,7 +5,7 @@
 
 Template: debian-edu-install/profile
 Type: multiselect
-__Choices: Main-Server, Workstation, Thin-Client-Server, Standalone
+__Choices: Main-Server, Workstation, Roaming workstation, Thin-Client-Server, 
Standalone
 _Description: Profile(s) to apply to this machine:
  Profiles determine how the machine can be used out-of-the-box:
  .
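Review bot: the new choice is spelled `Roaming workstation` (space, lower-case w) in this `__Choices` line but `Roaming-Workstation` in the description bullet two lines below and in the `case` label added to debian-edu-profile (`Roaming-Workstation)`); debconf hands back the chosen string verbatim, so the profile will never match and the whole roaming branch is dead code. Use one spelling, `Roaming-Workstation`, in both `__Choices` lines, both descriptions and the case label.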
@@ -14,6 +14,8 @@
  should only be one such server on a Debian Edu 
  network.
   - Workstation: for normal machines on the Debian Edu network.
+  - Roaming-Workstation: for single user machines on the Debian Edu
+ network which some times travel outside the network.
   - Thin-Client-Server:
  includes 'Workstation' and requires two network
  cards.
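Review bot: "some times" should be "sometimes" in the new description bullet, and since this is translatable `_Description` text the profile name in the bullet should be the exact token that appears in `__Choices`, so translators and users see the same name.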
@@ -25,7 +27,7 @@
 Type: multiselect
 #flag:translate!:6
 #__Choices: Main-Server, Workstation, Thin-Client-Server, Standalone, Minimal, 
Sugar
-__Choices: Main-Server, Workstation, Thin-Client-Server, Standalone, Minimal
+__Choices: Main-Server, Workstation, Roaming-workstation, Thin-Client-Server, 
Standalone, Minimal
 #flag:comment:3
 ## Translators, do not translate Sugar
 _Description: Profile(s) to apply to this machine:
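Review bot: a third spelling appears here, `Roaming-workstation` (lower-case w), so the two `__Choices` lists now disagree with each other as well as with the case label in debian-edu-profile, and the profile picked through this template (the list with `Minimal`) cannot be matched either. Also, the `#flag:translate!:6` marker refers to a choice by position, and inserting an entry at position 3 shifts everything after it; check that the flag still points at the entry it was meant for.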
@@ -36,6 +38,8 @@
  should only be one such server on a Debian Edu 
  network.
   - Workstation: for normal machines on the Debian Edu network.
+  - Roaming-Workstation: for single user machines on the Debian Edu
+ network which some times travel outside the network.
   - Thin-Client-Server:
  includes 'Workstation' and requires two network 
  cards.
@@ -89,6 +93,12 @@
 Type: text
 _Description: Participate in the package usage survey?
 
+Template: debian-edu-install/primary-user
+Type: text
+_Description: User name of local user:
+ The roaming workstation profile is tied to a network user which is
+ given a local user .
+
 Template: debian-edu-install/participate-popcon
 Type: boolean
 _Description: Participate in the package usage survey?
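Review bot: `debian-edu-install/primary-user` is declared `Type: text`, which is a display-only debconf type; `db_input` will show the description but never let the user type a name, so `db_get` in pre-pkgsel will only ever see a preseeded value. It needs `Type: string`. The description also ends mid-sentence ("given a local user ."); say what the name is used for, e.g. "This user is looked up in LDAP and a matching local account and home directory are created on this machine."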
Index: debian-edu-profile
===
--- debian-edu-profile  (revision 63786)
+++ debian-edu-profile  (working copy)
@@ -93,10 +93,24 @@
 fi
 }
 
+ask_for_primary_user() {
+RET=
+db_input critical debian-edu-install/primary-user || true
+log Fetch primary user name
+db_go || true 
+db_get debian-edu-install/primary-user || true
+if test $RET ; then
+   log username $RET
+elif test $RET = false ; then
+   log no username specified!
+fi
+}
+
 check_profiles() {
 preseed=
 #if a value is unset it breaks the case esac later on
 workstation=false
+roaming=false
 ltspserver=false
 server=false
 networked=false
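Review bot: in `ask_for_primary_user` `$RET` is unquoted in both tests. `test $RET` with an empty answer becomes `test` with no arguments (false, as intended), but a value containing spaces breaks it, and the `elif test $RET = false` branch can never be reached for a non-empty value and errors with "unary operator expected" for an empty one, so "no username specified!" is never logged. Write `if [ -n "$RET" ]; then ... else ... fi`. Since the whole profile depends on this value, either loop until a name is given or fail loudly rather than only logging, and validate the name against a conservative pattern (e.g. `^[a-z_][a-z0-9_-]*$`) here, before it is used for an LDAP lookup and a local account name in pre-pkgsel.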
@@ -111,6 +125,12 @@
workstation=true
log Added task '$value'
;;
+   Roaming-Workstation)
+   networked=true
+   workstation=true
+   roaming=true
+   log Added task '$value'
+   ;;
Thin-Client-Server)
networked=true
workstation=true
@@ -177,6 +197,12 @@
check_profiles
 done
 
+if test true = $roaming ; then
+ask_for_primary_user
+else
+db_set debian-edu-install/primary-user 
+fi
+
 # Make sure the default values have this priority, with lower number
 # priority overriding higher number
 #  1 main-server
Index: pre-pkgsel
===
--- pre-pkgsel  (revision 63786)
+++ pre-pkgsel  (working copy)
@@ -89,3 +89,60 @@
 # Clean up file added in base-installer-late, now that
 # debian-edu-config is installed (pulled in via debian-edu-install).
 rm -f /target/etc/apt/apt.conf.d/90squid-di
+
+edu-etcvcs commit
+
+if db_get debian-edu-install/primary-user  [ $RET ] ; then
+# Roaming profile enabled.  Look up primary user in LDAP, create
+# it and give it sudo acces.
+PRIMARYUSER=$RET
+apt-install ldap-utils libpam-ccreds sudo
+
+ldapbase=dc=skole,dc=skolelinux,dc=no
+ldapserver=ldap
+ldifuser=/tmp/primary-user-ldap.ldif
+ldifgroup=/tmp/primary-group-ldap.ldif
+# Can not use in-target, because it redirects stdout to the 
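Review bot: the guard `if db_get debian-edu-install/primary-user  [ $RET ]` has lost its `&&` (possibly an extraction artifact, but either way quote the variable): `if db_get debian-edu-install/primary-user && [ -n "$RET" ]; then`. `PRIMARYUSER` comes straight from debconf and, per the comment, is about to be used for an LDAP lookup and to create a local account with sudo access, so reject anything that is not a plain user name before using it. The hard-coded `ldapbase=dc=skole,dc=skolelinux,dc=no` and `ldapserver=ldap` duplicate settings debian-edu-config already carries; read them from there. And because this runs during installation on whatever network the laptop happens to be plugged into, the lookup with the just-installed ldap-utils should go over TLS with the server certificate verified, otherwise any host answering as `ldap` decides who the local primary user is.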

Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-28 Thread L. Redrejo
El mié, 28-04-2010 a las 20:43 +0200, Petter Reinholdtsen escribió:
 For some years now, I have wondered how we should handle laptops in
 Debian Edu. The Debian Edu infrastructure is mostly designed to handle
 stationary computers, and less suited for computers that come and go.
 
 Now I finally believe I have an sensible idea on how to adjust Debian
 Edu for laptops, by introducing a new profile for them, for example
 called Roaming Workstations. Here are my thought on this. The setup
 would consist of the following:


Hi, as I have had the same problems (in Spain, present and future
deployments are being done using laptops in all the regions), I'll give
you inline the solutions I've been using since the beginning of the
present school year. Maybe some of them can be useful.

 
   * During installation, the user name of the owner / primary usre of
 the laptop is requested and a local home directory is set up for
 the user, with uid and gid information fetched from the LDAP
 server.

We're using pam mkhomedir, so the installation is the same for all the
laptops, never mind the end user of it. Then, at the school, when the
laptop is given to the teacher/student, he must log in at least once on
the network, so LDAP credentials are fetched, his home is created on the
disk, and we're also using a script that assigns the login name of the
user as the laptop hostname. This is useful to locate the laptops on the
net later.



  This allow the user to work also when offline. The central
 home directory can be available in a subdirectory on request, for
 example mounted via CIFS. It could be mounted automatically when a
 user log in while on the Debian Edu network, and unmounted when
 the machine is taken away (network down, hibernate, etc), it can
 be set up to do automatic mounting on request (using autofs), or
 perhaps some GUI button on the desktop can be used to access it
 when needed. Perhaps it is enough to use the fish protocol in KDE?


I've made a small development with two parts: a server announcement and
an agent in the laptops. The NFS servers announce themselves using avahi
to the net, together with the mount point of the shares. The client agent
at the laptops detects that announcement and mounts the shares when
available. So at the school they have access to the NFS servers and at
home they don't.

The home is at the laptop, the NFS dirs are only used to share files
between students, classrooms or departments at the school.


 
   * Password checking is set up to use LDAP or Kerberos authentication
 when the machine is on the Debian Edu network, and to cache the
 password for offline checking when the machine unable to reach the
 LDAP or Kerberos server. This can be done using libpam-ccreds or
 the Fedora developed System Security Services Daemon packages.
 
   * File synchronisation with the central home directory is set up
 using a shared directory in both the local and the central home
 directory, using unison.


this is not scalable when hundreds of users are logged in.


 
   * Printing should be set up to print to all printers broadcasting
 their existence on the local network, and should then work out of
 the box with CUPS. For sites needing accurate printer quotas, some
 system with Kerberos authentication or printing via ssh could be
 implemented.
 

   * For users that should have local root access to their laptop, sudo
 should be used to allow this to the local user.


We have removed root access for the users. Only root access via ssh
from some special machines in the school is allowed. So, only a few
people can access the laptops as root, and only from very few machines.


 
   * It would be nice if user and group information from LDAP is cached
 on the client, but given that there are entries for the local user
 and primary group in /etc/, it should not be needed.
 


we're caching them


 I believe all the pieces to implement this are in Debian/testing at
 the moment. If we work quickly, we should be able to get this ready in
 time for the Squeeze release to freeze. Some of the pieces need
 tweaking, like libpam-ccreds should get support for pam-auth-update
 (#566718) and nslcd (or perhaps debian-edu-config) should get some
 integration code to stop its daemon when the LDAP server is
 unavailable to avoid long timeouts when disconnected from the net. If
 we get Kerberos enabled, we need to make sure we avoid long timeouts
 there too.
 


When laptops are used, there are more things involved. Wireless is
important too, and using a network daemon is very important to allow
the user to connect at home, or at any other place, without problems.
We're using wicd because it is very flexible and has some very useful
hooks that allow us to masquerade the MACs, so the laptops have the same
MAC address whether connected wirelessly or with a cable.
We're also preparing a freeradius setup using the same LDAP schema, for
the 

Re: Thoughts on roaming laptop setup for Debian Edu

2010-04-28 Thread Veli-Matti Lintu
ke, 2010-04-28 kello 20:43 +0200, Petter Reinholdtsen kirjoitti:
 For some years now, I have wondered how we should handle laptops in
 Debian Edu. The Debian Edu infrastructure is mostly designed to handle
 stationary computers, and less suited for computers that come and go.
 
 Now I finally believe I have an sensible idea on how to adjust Debian
 Edu for laptops, by introducing a new profile for them, for example
 called Roaming Workstations. Here are my thought on this. The setup
 would consist of the following:

Hi,

I'm not using Debian Edu myself, but I've been dealing with the same
issues on Ubuntu/Edubuntu in schools where laptops are shared between
pupils and wlan is used for network connection.

We have ldap/kerberos infrastructure in place and we wanted to use
either ldap or kerberos authentication for laptops too. At first we
tried using pam-ccreds and libnss-db/updatedb, but for some reason we
never got it stable. It could be that a missing network connection would
sometimes break authentication even if the user had authenticated before,
and sometimes it would work perfectly. Debugging the modules didn't
reveal the problem, so we tried something else.

Next we did https based authentication where a script run from pam would
contact an https server with the user's credentials and transfer user and
group information if authentication succeeded. This worked nicely and as
a bonus no firewall seemed to stop it.

Next we discovered sssd that was written as part of FreeIPA project by
Fedora. sssd is packaged in Ubuntu, but seems to be missing from Debian.
It loads user information from ldap and authenticates the user against
ldap or kerberos. Once the information is on the laptop, it works in
offline mode also. So far it's been working really nicely, so I can
recommend this solution.

For file synchronisation we've been using Unison and besides
localisation and UI issues it's been working nicely. CUPS printer
broadcasting on the local network also works with little configuration.
Users see the available printers automatically and they disappear if the
network goes down.

There's more information about sssd on shared laptops in our blog:
http://www.opinsys.fi/en/user-management-with-sssd-on-shared-laptops

sssd homepage: https://fedorahosted.org/sssd/

I'm just a happy user and not involved in sssd's development or Ubuntu
packaging.

I hope this helps!

Veli-Matti


Archive: http://lists.debian.org/1272484997.2643.6344.ca...@vm-lucid



On Thoughts on roaming laptop setup for Debian Edu

2010-04-28 Thread Arthur de Jong

Hi Petter and list,

I saw your blog post on Thoughts on roaming laptop set-up for Debian
Edu [1] and thought I'd point out use of the nssov slapd overlay with
caching for off-line operation [2].

Apparently you can configure slapd to use quite a reasonable amount of
memory (I think Howard Chu said that some time but my google skills are
lacking at the moment) so it should be possible for laptops.

For this it would be great if the nssov overlay were packaged in Debian
(it is in Ubuntu I think), probably as a separate package (which could
Provide: nslcd) but the OpenLDAP package maintainers are looking for
help so I don't think this will be done soon (I thought about helping
but I'm pretty busy at the moment already).

Also, the Ubuntu people have been working on this [3].

Anyway, hope this helps.

[1] http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html
[2] http://www.openldap.org/lists/openldap-software/201003/msg00141.html
[3] https://wiki.kubuntu.org/NetworkDirectoryUserLogin

(btw, I'm not subscribed to this list so if you want a reply from me you
will have to Cc me)

-- 
-- arthur - art...@arthurdejong.org - http://arthurdejong.org --

