[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Bullseye/HowTo/NetworkClients" by WolfgangSchweer
Debian Wiki
wiki at debian.org
Mon Jan 18 20:52:04 GMT 2021
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.
The "DebianEdu/Documentation/Bullseye/HowTo/NetworkClients" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/HowTo/NetworkClients?action=diff&rev1=7&rev2=8
Comment:
LTSP with a lot of changes, also add freeRADIUS related information
+ timeout
<<Anchor(NetworkClients)>>
= HowTos for networked clients =
<<TableOfContents(3)>>
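Review bot: The added line "timeout" above the NetworkClients anchor is a bare word with no markup or surrounding sentence, so it will render as stray text at the very top of the page. It looks like an editing leftover (the word belongs to the iPXE menu paragraph further down); drop it unless it is intended.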
@@ -9, +10 @@
One generic term for both thin clients and diskless workstations is ''LTSP client''.
(!) Starting with Bullseye, LTSP is quite different from the previous versions.
- This concerns both setup amd maintenance. As a main difference, the SquashFS image for diskless workstations is now generated from the LTSP server filesystem. Also, thin clients are no longer supported by default.
+ This concerns both setup and maintenance. As one main difference, the SquashFS image for diskless workstations is now generated from the LTSP server file system. Also, thin clients are no longer supported.
<<BR>>
- See the [[https://ltsp.org| LTSP homepage]] for details.
+ See the [[https://ltsp.org| LTSP homepage]] for details. On systems with ''LSTP server'' profile, {{{man ltsp}}} provides more information.
+ Please note that the ''ltsp'' tool needs to be used with care. For example, {{{ltsp image /}}} would fail to generate the SquashFS image in case of Debian machines, and {{{ltsp ipxe}}} would fail to generate the iPXE menu correctly.
+
+ The ''debian-edu-ltsp-install'' tool is a wrapper script for {{{ltsp image}}}, {{{ltsp kernel}}} and {{{ltsp ipxe}}}. It is used to setup and configure diskless workstation support; in addition thin clients (both 64-Bit and 32-Bit PC) are supported using X2Go. See {{{man debian-edu-ltsp-install}}} or the script content to see how it works. All configuration is contained in the script itself (here documents) to facilitate site specific adjustments.
+
+ Examples how to use ''debian-edu-ltsp-install'':
+ * {{{debian-edu-ltsp-install --arch amd64}}} creates 64-bit diskless workstation support.
+ * {{{debian-edu-ltsp-install --arch amd64 --dist bullseye --thin_type bare}}} creates diskless workstation and 64-bit thin client support.
+ * {{{debian-edu-ltsp-install --arch i386 --diskless_workstation no --thin_type bare}}} creates additional 32-bit thin client support.
+ * {{{debian-edu-ltsp-install --diskless_workstation yes}}} updates the diskless workstation SquashFS image.
+ * {{{debian-edu-ltsp-install --diskless_workstation no --thin_type bare}}} (re-)creates 64-bit thin client support.
+
+ Besides ''bare'' (smallest thin client system), also ''display'' and ''desktop'' are available options. Some programs like Firefox ESR are executed on the client itself (more local RAM and CPU power required, but server load reduced).
+
+ '''Diskless workstation'''
+
+ A diskless workstation runs all software locally. The client machines boot directly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but it runs on the diskless workstation. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing older (but powerful) hardware with the same low maintenance cost as with thin clients.
+
+ Unlike workstations diskless workstations run without any need to add them with GOsa².
'''Thin client'''
- A thin client setup enables an ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots via PXE without using a local client hard drive.
+ A thin client setup enables an ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots via PXE without using a local client hard drive.
+ Debian Edu still supports the use of thin clients to enable the use of very old hardware.
- '''Diskless workstation'''
-
- A diskless workstation runs all software locally. The client machines boot directly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but it runs on the diskless workstation. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing older (but powerful) hardware with the same low maintenance cost as with thin clients.
-
- Unlike workstations diskless workstations run without any need to add them with GOsa².
'''LTSP client firmware'''
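Review bot: The rewritten sentence "Also, thin clients are no longer supported." contradicts the text added further down in this hunk, which says thin clients are supported using X2Go and that "Debian Edu still supports the use of thin clients". Dropping "by default" changed the meaning; wording such as "thin clients are now supported using X2Go" would match the rest of the section. Also, "LSTP server" in the sentence about man ltsp should read "LTSP server", and the warning that "ltsp image /" and "ltsp ipxe" fail would help more if it told the reader to use debian-edu-ltsp-install instead.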
@@ -38, +53 @@
# Most probably this will be firmware-linux-nonfree.
apt -y -q install <package name>
- # copy the new initrd to the server's tftpboot directory and update the SqushFS image.
- ltsp image /
+ # Update the SquashFS image for diskless workstations.
+ debian-edu-ltsp-install --diskless_workstation yes
}}}
=== LTSP client type selection ===
- Each LTSP server has two ethernet interfaces: one configured in the main 10.0.0.0/8 subnet (which is shared with the main server), and another forming a local subnet (a separate subnet for each LTSP server).
+ Each LTSP server has two ethernet interfaces: one configured in the main 10.0.0.0/8 subnet (which is shared with the main server), and another forming a local subnet (a separate subnet for each LTSP server).
- On the main subnet the complete PXE menu is provided; the separate subnet for each LTSP server allows only diskless and thin LTSP client selection.
+ In both cases ''diskless workstation'' or ''thin client'' can be chosen from the iPXE menu. After waiting for 5 seconds, the machine will boot as diskless workstation. See {{{man ltsp.conf}}} how to change the timeout or to hide the menu.
- Using the default PXE menu on the main subnet 10.0.0.0/8, a machine could be started as diskless workstation or thin client.
+ === Use a different LTSP client network ===
+
+ 192.168.0.0/24 is the default LTSP client network if a machine is installed using the LTSP profile. If lots of LTSP clients are used or if different LTSP servers should serve both i386 and amd64 chroot environments the second preconfigured network 192.168.1.0/24 could be used as well. Edit the file {{{/etc/network/interfaces}}} and adjust the eth1 settings accordingly. Use {{{ldapvi}}} or any other LDAP editor to inspect DNS and DHCP configuration.
+
+ === Add LTSP chroot to support 32-bit-PC clients ===
+
+ Run {{{debian-edu-ltsp-install --arch i386 --diskless_workstation no --thin_type bare}}}.
+ See {{{man debian-edu-ltsp-install}}} for details about thin client types.
+
+ === LTSP client configuration ===
+
+ Run {{{man ltsp.conf}}} to have a look at available configuration options.
+ Or read it online: https://ltsp.org/man/ltsp.conf/
+
+ === Sound with LTSP clients ===
+
+ LTSP thin clients use networked audio to pass audio from the server to the clients.
+
+ LTSP diskless workstations handle audio locally.
+
+ === Use printers attached to LTSP clients ===
+
+ * Attach the printer to the LTSP client machine (both USB and parallel port are supported).
+
+ * Configure the LTSP client with GOsa² to use a fixed IP address.
+
+ * Configure the printer using the web interface {{{https://www.intern:631}}} on the main server; choose network printer type {{{AppSocket/HP JetDirect}}} (for all printers regardless of brand or model) and set {{{socket://<LTSP client ip>:9100}}} as connection URI.
<<Anchor(NetworkClients--Configuring_the_PXE_menu)>>
- === Configuring the PXE menu ===
+ == Configuring the PXE menu ==
- The PXE configuration is generated using the script {{{debian-edu-pxeinstall}}}. It allows some settings to be overridden using the file {{{/etc/debian-edu/pxeinstall.conf}}} with replacement values.
+ The iPXE menu item concerning system installations is generated using the script {{{debian-edu-pxeinstall}}}. It allows some settings to be overridden using the file {{{/etc/debian-edu/pxeinstall.conf}}} with replacement values.
=== Configuring the PXE installation ===
-
- The PXE installation option is by default available to anyone able to PXE boot a machine. To password protect the PXE installation options, a file {{{/var/lib/tftpboot/menupassword.cfg}}} can be created with content similar to this:
-
- {{{
- MENU PASSWD $4$NDk0OTUzNTQ1NTQ5$7d6KvAlVCJKRKcijtVSPfveuWPM$
- }}}
-
- The password hash should be replaced with an MD5 hash for the desired password.
The PXE installation will inherit the language, keyboard layout and mirror settings from the settings used when installing the main-server, and the other questions will be asked during installation (profile, popcon participation, partitioning and root password). To avoid these questions, the file {{{/etc/debian-edu/www/debian-edu-install.dat}}} can be modified to provide preselected answers to debconf values. Some examples of available debconf values are already commented in {{{/etc/debian-edu/www/debian-edu-install.dat}}}. Your changes will be lost as soon as {{{debian-edu-pxeinstall}}} is used to recreate the PXE-installation environment. To append debconf values to {{{/etc/debian-edu/www/debian-edu-install.dat}}} during recreation with {{{debian-edu-pxeinstall}}}, add the file {{{/etc/debian-edu/www/debian-edu-install.dat.local}}} with your additional debconf values.
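Review bot: Removing the menupassword.cfg paragraph under "Configuring the PXE installation" leaves the page with no statement on access control for the installation entry, although the removed text said the option is by default available to anyone able to PXE boot a machine. If the iPXE menu has no equivalent protection, say so explicitly so administrators know the installer can be started from any client that can PXE boot; if it has one, document it in place of the removed lines.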
@@ -83, +116 @@
and then run {{{/usr/sbin/debian-edu-pxeinstall}}} once.
- === Use a different LTSP client network ===
-
- 192.168.0.0/24 is the default LTSP client network if a machine is installed using the LTSP profile. If lots of LTSP clients are used or if different LTSP servers should serve both i386 and amd64 chroot environments the second preconfigured network 192.168.1.0/24 could be used as well. Edit the file {{{/etc/network/interfaces}}} and adjust the eth1 settings accordingly. Use {{{ldapvi}}} or any other LDAP editor to inspect DNS and DHCP configuration.
-
- === Add LTSP chroot to support 32-bit-PC clients ===
-
- FIXME: add information for thin client chroot
-
== Changing network settings ==
The debian-edu-config package comes with a tool which helps in changing the network from 10.0.0.0/8 to something else. Have a look at {{{/usr/share/debian-edu-config/tools/subnet-change}}}. It is intended for use just after installation on the main server, to update LDAP and other files that need to be edited to change the subnet.
@@ -98, +123 @@
/!\ Note that changing to one of the subnets already used elsewhere in Debian Edu will not work. 192.168.0.0/24 and 192.168.1.0/24 are already set up as LTSP client networks. Changing to these subnets will require manual editing of configuration files to remove duplicate entries.
There is no easy way to change the DNS domain name. Changing it would require changes to both the LDAP structure and several files in the main server file system. There is also no easy way to change the host and DNS name of the main server (tjener.intern). To do so would also require changes to LDAP and files in the main-server and client file system. In both cases the Kerberos setup would have to be changed, too.
-
- == LTSP in detail ==
-
- === LTSP client configuration ===
-
- Run {{{man ltsp.conf}}} to have a look at available configuration options.
- Or read it online: https://ltsp.org/man/ltsp.conf/
-
- === Desktop autoloader ===
-
- This tool preloads the default Desktop environment (and programs of your choice). It is only useful for diskless clients. The setup is site specific, also some technical skills are required.
- * Read about it: run {{{ltsp-chroot cat /usr/share/doc/desktop-autoloader/README.Debian}}}
- At least two files need to be edited. Available <editor> choices are: vi, nano, mcedit.
- * run {{{ltsp-chroot <editor> /etc/cron.d/desktop-autoloader}}}
- * run {{{ltsp-chroot <editor> /etc/default/desktop-autoloader}}}
- If the setup is complete, update the NBD image running {{{ltsp-update-image}}} and test it.
-
- === Sound with LTSP clients ===
-
- LTSP thin clients use networked audio to pass audio from the server to the clients.
-
- LTSP diskless workstations handle audio locally.
-
- === Use printers attached to LTSP clients ===
-
- * Attach the printer to the LTSP client machine (both USB and parallel port are supported).
-
- * Configure the LTSP client to use a fixed IP, see {{{man ltsp.conf}}}.
-
- * Configure the printer using the web interface {{{https://www:631}}} on the main server; choose network printer type {{{AppSocket/HP JetDirect}}} (for all printers regardless of brand or model) and set {{{socket://<LTSP client ip>:9100}}} as connection URI.
-
- <<Anchor(NetworkClients--Connecting_Windows_machines_to_the_network)>>
- === Connecting Windows machines to the network ===
-
- For Windows clients the Windows domain "SKOLELINUX" is available to be joined. A special service called Samba, installed on the main server, enables Windows clients to store profiles and user data, and also authenticates the users during the login.
-
- /!\ Joining a domain with a Windows client requires the steps described in the [[DebianEdu/Documentation/Bullseye/HowTo/Samba|Debian Edu Bullseye Samba Howto]].
-
- Windows will sync the profiles of domain users on every Windows login and logout. Depending on how much data is stored in the profile, this could take some time. To minimise the time needed, deactivate things like local cache in browsers (you can use the Squid proxy cache installed on the main server instead) and save files into the H: volume rather than under "My Documents".
== Remote Desktop ==
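Review bot: The "Connecting Windows machines to the network" section is deleted at the end of this hunk without a replacement, and the change comment only mentions LTSP and freeRADIUS. If the Windows domain join is now covered by the Samba HowTo alone, keep a one-line pointer to it here. The same applies to "Desktop autoloader", which disappears without a note on whether the tool is still usable with the new LTSP.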
@@ -205, +191 @@
* {{{x2goclient}}} is a graphical client for the !X2Go system (not installed by default). You can use it to connect to running sessions and start new ones.
* [[http://wiki.debian.org/DebianEdu/HowTo/CitrixApps|Citrix ICA client HowTo]] to access Windows terminal server from Skolelinux.
+ == Wireless clients ==
+
+ The ''freeRADIUS'' server could be used to provide secure network connections. For this to work, install the ''freeradius'' and ''winbind'' packages on the main server and run {{{/usr/share/debian-edu-config/setup-freeradius-server}}} to generate a basic, site specific configuration. This way, both EAP-TTLS/PAP and PEAP-MSCHAPV2 methods are enabled. All configuration is contained in the script itself to facilitate site specific adjustments. See [[https://freeradius.org/|the freeRADIUS homepage]] for details.
+
+ Additional configuration is needed to
+ * enable/disable access points via a ''shared secret'' (/etc/freeradius/3.0/clients.conf).
+ * allow/deny wireless access using LDAP groups (/etc/freeradius/3.0/users).
+ * combine access points into dedicated groups (/etc/freeradius/3.0/huntgroups)
+
+ (!) End user devices need to be configured properly, these devices need to be PIN protected for the use of EAP (802.1x) methods. And most important: users need to be educated to install the freeradius CA certificate on their devices to be sure to connect to the right server. This way the password can't be catched in case of a malicious server. The site specific certificate is available on the internal network.
+ * https://www.intern/freeradius-ca.pem (for end user devices running Linux)
+ * https://www.intern/freeradius-ca.crt (Linux, Android)
+ * https://www.intern/freeradius-ca.der (macOS, iOS, iPadOS, Windows)
+ Please note that configuring end user devices will be a real challenge.
+
CategoryPermalink
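Review bot: The (!) paragraph makes installing the freeRADIUS CA certificate the key protection against a malicious server, but it gives no steps for doing so and ends with "configuring end user devices will be a real challenge". Add at least a per-platform hint or a link so the requirement is actionable. The three download bullets label platforms inconsistently ("for end user devices running Linux" versus "(Linux, Android)"). Wording: "catched" should be "caught", the first sentence of the paragraph is a comma splice, and the huntgroups bullet lacks the closing period the other two bullets have.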