[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Bookworm/HowTo/AdvancedAdministration" by WolfgangSchweer

Debian Wiki wiki at debian.org
Sun Aug 29 23:15:21 BST 2021


Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.

The "DebianEdu/Documentation/Bookworm/HowTo/AdvancedAdministration" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Bookworm/HowTo/AdvancedAdministration

Comment:
initial content (copy from the bullseye page w/ some adjustments)

New page:
<<Anchor(AdvancedAdministration)>>
= Advanced administration howto =

In this chapter advanced administration tasks are described.

<<TableOfContents(3)>>

== User Customisations with GOsa² ==

<<Anchor(AdvancedAdministration--Create_Users_in_Year_Groups)>>
=== Create Users in Year Groups ===

In this example we want to create users in year groups, with common home directories for each group (home0/2024, home0/2026, etc.). We want to create the users by CSV import.


''(as root on the main server)''
  * Make the necessary year group directories:
{{{
mkdir /skole/tjener/home0/2024
}}}

''(as first user in GOsa²)''
  * Department
Main menu: go to 'Directory structure', click the 'Students' department. The 'Base' field should show '/Students'.
From the drop-down box 'Actions' choose 'Create'/'Department'.
Fill in values for the Name (2024) and Description (students graduating in 2024) fields, leave the Base field as is (should be '/Students'). Save it by clicking 'Ok'.
Now the new department (2024) should show up below /Students. Click it.
  * Group
Choose 'Groups' from the main menu; 'Actions'/Create/Group.
Enter group name (leave 'Base' as is, should be /Students/2024) and 'Ok' to save it.
  * Template
Choose 'users' from the main menu. Change to 'Students' in the Base
field. An Entry {{{NewStudent}}} should show up, click it. This is the
'students' template, not a real user. As you'll have to create such a
template (to be able to use csv import for your structure) based on this
one, notice all entries showing up in the Generic and POSIX tabs,
maybe take screenshots to have information ready for the new template.

Now change to /Students/2024 in the Base field; choose
Create/Template and start to fill in your desired values, first the
Generic tab (add your new 2024 group under Group Membership, too), then add the POSIX account.

  * Import users
Choose your new template when doing csv import; testing it with a few users is recommended.

== Other User Customisations ==

=== Creating folders in the home directories of all users ===

With this script the administrator can create a folder in each user's home directory and set access permissions and ownership.

In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.

{{{
#!/bin/bash
# Create a shared folder in every home directory below home_path, owned by
# the user and the given group, with setgid permissions so new files inherit
# the group.
home_path="/skole/tjener/home0"
shared_folder="assignments"
group="teachers"
permissions="2770"
created_dir=0
# Iterate over directories with a glob instead of parsing 'ls' output, so
# unusual names are handled safely.
for home in "$home_path"/*/; do
    home="${home%/}"
    user="${home##*/}"
    target="$home/$shared_folder"
    if [ ! -d "$target" ]; then
        mkdir "$target"
        chmod "$permissions" "$target"
        chown "$user:$group" "$target"
        ((created_dir+=1))
    else
        echo "the folder $target already exists."
    fi
done
echo "$created_dir folders have been created"
}}}

=== Easy access to USB drives and CD-ROMs/DVDs ===

When users insert a USB drive or a DVD / CD-ROM into a (diskless) workstation, a popup window appears asking what to do with it, just like in any other normal installation.

When users insert a USB drive or a DVD / CD-ROM into an !X2Go thin client, the media is automatically mounted and it is possible to access it browsing the related folder on the Xfce desktop.

==== A warning about removable media on LTSP servers ====

/!\ Warning: When inserted into an LTSP server, USB drives and other removable media cause popup messages on remote LTSP clients.

If remote users acknowledge the popup or use pmount from the console, they can even mount the removable devices and access the files.

== Use a dedicated storage server ==

Take these steps to set up a dedicated storage server for user home directories and possibly other data.
 
  * Add a new system of type {{{server}}} using GOsa² as outlined in the '''Getting started''' chapter of this manual.

    This example uses 'nas-server.intern' as the server name.

    Once 'nas-server.intern' is configured, check if the NFS export points on the new storage server are exported to the relevant
    subnets or machines:
    {{{
    root@tjener:~# showmount -e nas-server
    Export list for nas-server:
    /storage         10.0.0.0/8
    root@tjener:~#
    }}}
    Here everything on the backbone network is granted access to the /storage export. (This could be restricted to netgroup membership
    or single IP addresses to limit NFS access like it is done in the tjener:/etc/exports file.)

  * Add automount information about 'nas-server.intern' in LDAP to allow all clients to automatically mount the new export on request.

    This can't be done using GOsa², because a module for automount is missing. Instead, use ldapvi and add the required LDAP
    objects using an editor.

    {{{ldapvi --ldap-conf -ZD '(cn=admin)' -b ou=automount,dc=skole,dc=skolelinux,dc=no}}}

    When the editor shows up, add the following LDAP objects at the bottom of the document. (The "/&" part in the last LDAP object is
    a wild card matching everything 'nas-server.intern' exports, removing the need to list individual mount points in LDAP.)

    {{{
    add cn=nas-server,ou=auto.skole,ou=automount,dc=skole,dc=skolelinux,dc=no
    objectClass: automount
    cn: nas-server
    automountInformation: -fstype=autofs --timeout=60 ldap:ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
 
    add ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
    objectClass: top
    objectClass: automountMap
    ou: auto.nas-server
 
    add cn=/,ou=auto.nas-server,ou=automount,dc=skole,dc=skolelinux,dc=no
    objectClass: automount
    cn: /
    automountInformation: -fstype=nfs,tcp,rsize=32768,wsize=32768,rw,intr,hard,nodev,nosuid,noatime nas-server.intern:/&
    }}}

  * Add the relevant entries in tjener.intern:/etc/fstab, because tjener.intern does not use automount (to avoid mounting loops):

    Create the mount point directories using {{{mkdir}}}, edit '/etc/fstab' as appropriate and run {{{mount -a}}} to mount the new resources.
    
Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP thin client or LTSP server.
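As an added example (not part of the Debian Edu manual), the following script checks the export list from the storage server the way the {{{showmount -e}}} step above does, flags exports open to everyone, and builds the /etc/fstab line tjener needs for each export restricted to the backbone, reusing the NFS options from the automount entry. Host and mount names follow this page; the showmount output is constructed sample text.

```python
"""Added example, not from the Debian Edu manual: read 'showmount -e' output
from the storage server, flag exports that are open to everyone, and build
the /etc/fstab line tjener needs for each backbone-restricted export, with
the same NFS options as the page's automount entry. Host and mount names
follow the page; SAMPLE_SHOWMOUNT is constructed, not captured output."""
import ipaddress

NAS_HOST = "nas-server.intern"
MOUNT_BASE = "/tjener/nas-server"          # tjener mounts exports below here
BACKBONE = ipaddress.ip_network("10.0.0.0/8")
NFS_OPTS = "tcp,rsize=32768,wsize=32768,rw,intr,hard,nodev,nosuid,noatime"
WILDCARDS = {"*", "(everyone)", "0.0.0.0/0"}  # client specs meaning 'anyone'

SAMPLE_SHOWMOUNT = """\
Export list for nas-server:
/storage         10.0.0.0/8
/backup          *
/scratch         10.0.0.0/8,192.168.0.0/24
"""

def parse_showmount(text):
    """Return {export_path: [client_spec, ...]}; line 1 is the header."""
    exports = {}
    for line in text.splitlines()[1:]:
        path, _, clients = line.partition(" ")
        exports[path] = clients.strip().split(",")
    return exports

def classify(clients):
    """'open' if any wildcard, 'restricted' if every client spec is a network
    inside the backbone, else 'other' (hostnames, netgroups or networks
    outside 10.0.0.0/8: review by hand before mounting)."""
    if any(c in WILDCARDS for c in clients):
        return "open"
    try:
        nets = [ipaddress.ip_network(c, strict=False) for c in clients]
    except ValueError:          # not CIDR notation, cannot check here
        return "other"
    return "restricted" if all(n.subnet_of(BACKBONE) for n in nets) else "other"

def fstab_line(path):
    """fstab entry for one export, e.g. /storage -> /tjener/nas-server/storage."""
    return f"{NAS_HOST}:{path} {MOUNT_BASE}{path} nfs {NFS_OPTS} 0 0"

def audit(text):
    """Map each export to (classification, fstab line or None)."""
    result = {}
    for path, clients in parse_showmount(text).items():
        kind = classify(clients)
        result[path] = (kind, fstab_line(path) if kind == "restricted" else None)
    return result
```

Run {{{audit(SAMPLE_SHOWMOUNT)}}} to see which exports get an fstab line; only /storage does in the sample, while /backup is reported as open.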


== Restrict SSH login access ==

There are several ways to restrict SSH login, some are listed here.

=== Setup without LTSP clients ===

If no LTSP clients are used a simple solution is to create a new group (say {{{sshusers}}}) and to add a line to the machine's /etc/ssh/sshd_config file.
Only members of the {{{sshusers}}} group will then be allowed to ssh into
the machine from everywhere.

Managing this case with GOsa is quite simple:

 * Create a group {{{sshusers}}} on the base level (where already other system management related groups like {{{gosa-admins}}} show up).
 * Add users to the new group {{{sshusers}}}.
 * Add  {{{AllowGroups sshusers}}} to /etc/ssh/sshd_config.
 * Execute {{{service ssh restart}}}.

=== Setup with LTSP clients ===

The default LTSP diskless client setup doesn't use SSH connections. Updating the SquashFS image on the related LTSP server after the SSH setup has been changed is enough.

!X2Go thin clients use SSH connections to the related LTSP server, so a different approach using PAM is needed.
 * Enable pam_access.so in the LTSP server's /etc/pam.d/sshd file. 
 * Configure /etc/security/access.conf to allow connections for (sample) users alice, jane, bob and john from everywhere and for all other users only from the internal networks by adding these lines:
{{{
+ : alice jane bob john : ALL
+ : ALL : 10.0.0.0/8 192.168.0.0/24 192.168.1.0/24
- : ALL : ALL
#
}}}

If only dedicated LTSP servers are used, the 10.0.0.0/8 network could be dropped to disable internal SSH login access. Note: someone connecting their box to the dedicated LTSP client network(s) will gain SSH access to the LTSP server(s) as well.
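As an added example (not part of the Debian Edu manual), the following small evaluator applies the access.conf lines above, and the variant without 10.0.0.0/8, to sample (user, origin) pairs, so the effect of the first-match rule order can be checked before the file goes live. It handles only the subset of pam_access syntax this page uses and returns None when no line matches, which cannot happen with the page's rules because they end with '- : ALL : ALL'.

```python
"""Added example, not from the Debian Edu manual: a small evaluator for the
pam_access rules on this page, to check which (user, origin) pairs the
/etc/security/access.conf lines admit before they go live. Only the subset
of the syntax the page uses is handled: the first matching line decides;
users are 'ALL' or a list of names; origins are 'ALL' or IPv4 networks."""
import ipaddress

# The access.conf lines from the page; '#' lines and blank lines are ignored.
ACCESS_CONF = """\
+ : alice jane bob john : ALL
+ : ALL : 10.0.0.0/8 192.168.0.0/24 192.168.1.0/24
- : ALL : ALL
#
"""

def parse_access_conf(text):
    """Return a list of (grant, users, origins) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(spec, addr):
    return spec == "ALL" or addr in ipaddress.ip_network(spec, strict=False)

def decide(rules, user, origin):
    """True/False from the first rule matching both user and origin;
    None if no rule matches (the page's rules end with '- : ALL : ALL',
    so with them this never happens)."""
    addr = ipaddress.ip_address(origin)
    for grant, users, origins in rules:
        user_ok = "ALL" in users or user in users
        if user_ok and any(origin_matches(o, addr) for o in origins):
            return grant
    return None

RULES = parse_access_conf(ACCESS_CONF)
# The variant the page mentions: drop 10.0.0.0/8 to disable SSH from the
# backbone; the LTSP client networks still admit anyone who plugs into them.
RULES_NO_BACKBONE = parse_access_conf(ACCESS_CONF.replace("10.0.0.0/8 ", ""))

if __name__ == "__main__":
    for user, origin in [("alice", "203.0.113.7"), ("carol", "10.0.2.15"),
                         ("carol", "192.168.0.10"), ("carol", "203.0.113.7")]:
        print(user, origin, decide(RULES, user, origin),
              decide(RULES_NO_BACKBONE, user, origin))
```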

=== A note for more complex setups ===

If !X2Go clients were attached to the backbone network 10.0.0.0/8, things would be even more complicated, and maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with appropriate PAM configuration would allow disabling internal SSH login.

CategoryPermalink
