开始的一小步

这章讲述在安装之后需要开始的第一步。

至少你要做：

1. 以用户 "localadmin" 登录服务器（其密码同于 "root" 账户） - 你不能以 root 登录图形界面，作为 localadmin ，你可以使用 sudo 变更为 root.

2. 通过 GOsa² 添加用户

3. 通过 GOsa² 添加工作站

下面讲述添加用户和工作站，请读整个章节，其涉及怎样正确做到这些步骤，而且其他材料大概每个人都用得上。

以下 HowTo 章节涉及更多建议和技巧以及一些经常问及的问题。

 

主服务器上运行的服务

在主服务器上运行的若干服务可以通过 web 管理界面进行管理，下面要讲述每一种服务。

基于 Web 浏览器的管理，使用 GOsa2

FIXME: gosa needs to be documented properly here, following the structure of the existing lwat instructions. _Then_ the lwat text should be deleted.

为了访问 GOsa² ，要有 Skolelinux 主服务器和一个安装了一种 web 浏览器的客户系统。

有一种选择，作为 localadmin 用户，你可以在主服务器上安装一个微型桌面，在（非图形） shell 终端执行下列命令：

$ sudo apt-get update
  $ sudo apt-get install gnome-session gnome-terminal iceweasel xorg
  $ startx

安装之后，以 localadmin 用户启动图形会话

使用一个 web 浏览器以 URL https://www/gosa 访问 GOsa² ，以 super-admin 用户名和主服务器 root 用户密码登录。

GOsa² 介绍

GOsa² 是一款基于 web 的管理工具，它将帮你管理你的 Debian Edu 设置的如干重要部分。你可以管理下列主要归类（增加，修改，删除）：

• 用户管理
• 组管理
• NIS Netgroup 管理
• 机器管理
• DNS 管理
• DHCP 管理

以你的 web 浏览器指向 https://www/gosa  来访问 GOsa²。

• 如果你未使用新 Debian Edu Squeeze 机器，你将收到关于 ssl 证书的错误信息，恰当地决定你的浏览器接受或忽视。

• 如果你是使用新 Debian Edu Squeeze 机器，此处已不理会规则，你不必烦扰。

For general information on GOsa² have a look at: https://oss.gonicus.de/labs/gosa/wiki/documentation, GOsa² has lately been forked as the new directory administation tool FusionDirectory . The FusionDirectory documentation is (intended to be) far better than the GOsa² documentation, everything you read about FD 1.0 also applies to GOsa² 2.6, the version in Debian squeeze.

GOsa² 登录和综览

以 super-admin 登录 GOsa² 后你将看到 GOsa² 综览页面。

FIXME: add a GOsa² overview screen here!!!

%

%

接下来，你可以在总览页面菜单选择任务。 作为导航，我们建议使用屏幕左侧的菜单，在那可以看到 GOsa² 提供的所有管理页面。

Debian Edu 帐户，组，系统信息保存在 LDAP 目录，该数据的使用不仅为主服务器，同样在网络中也用于（无盘）工作站，瘦客户机服务器和 Windows 机器。有关学生和教师等的 LDAP 帐户信息仅需输入一次，其后此信息由 LDAP 提供，在整个 Skolelinux 网络中所有系统均可获取该信息。

GOsa² 是一个管理由 LDAP 所保存信息的工具，其（通过 LDAP ）提供一个类似树状的科目结构。你可以向每一科目中添加使用者帐户，组，系统，网路组等，这取决于你建立的结构，你可以使用 GOsa²/LDAP 的科目结构来转储你的组织机构结构到 Debian Edu 主服务器的 LDAP 数据树中。

缺省条件下，当前 Debian Edu 主服务器设置提供两个科目，教师与学生，和 LDAP 数据层。学生帐户计划增添到学生科目，教师到教师科目，系统（服务器，Skolelinux 工作站，Windows 机器等）目前添加到数据层，达到你定制这种结构的方法。

由你要完成的目前 GOsa²  任务（管理用户，组，系统等）决定你在所选科目（或数据层）看到不同的显示。

%

%

%

%

%

%

%

%

%

%

%

%

以 GOsa² 管理用户

现在开始，单击左侧导航菜单中的“用户”，屏幕右侧部分现在改变，你将看到“学生”，“教师”和 GOsa² 主管理者 (super-admin) 帐户科目文件夹目录。目录表纸上你可以看到一处称为 Base ，那将允许你通过你的树状结构导航，（移动你的鼠标到那上面，将出现一个下拉菜单）和选择你所要操作的基本文件夹（例如增加新用户）。

添加使用者

在接下来的树状导航项目中你可以看到“行动”菜单，移动你的鼠标到那上面，将在屏幕上出现一个子菜单，这里选择“创建”，然后选择“用户”，将引导你创建用户。步骤如下：

• 添加你的用户的全名是最重要的事。
• 你会看到 GOsa² 将根据真实姓名自动创建用户名。它自动选择一个不存在的用户名，如此，多个用户有一个全名就不成为问题。

• I如果你不喜欢创建的用户名，可以从下拉列表提供的用户名中选择，但你在这里没有选择的自由（用户 ID 的创建可以定制自 /etc/gosa/gosa.conf ）。
  

• 之后你可以看到 GOsa² 屏幕中出现的新用户。使用顶端标签来自己检查预填充字段。

%

%

%

%

After you have created the user (no need to customize fields the wizzard has left empty for now), click on the »Ok« button in the bottom-right corner.

As the last step GOsa² will ask for a password for the new user. Type that in twice and then click »Set password« in the bottom-right corner.

If all went well, you can now see the new user in the user list table. You now should be able to login with that user name on any Skolelinux machine within your network.

It might take some minutes until the new added user's home directory is created. Until that is done he won't be able to log in on any server, workstation or thin client.

Search, modify and delete users

To modify or delete a user use GOsa² to browse the user on your system. On the very left of the screen, you find the »Filter« box, a search tool provided by GOsa². If you don't know the exact location of your user account in you tree, change to the base level of the GOsa²/LDAP tree and search there with the option marked: [x] Search in subtrees.

When using the »Filter« box, results will immediately appear in the middle of the script in the table list view. Every line represents a user account and the most right items in each line are little icons that provide actions for you: edit, lock, set password, browse home (not supported in Skolelinux), export and delete.

FIXME: image for the Filter Box

A new page will show up where you can modify information directly belonging to the user, change the password of the user and modify the list of groups the user belongs to.

FIXME: image for Editing a User

Set passwords

The students can change their own passwords by logging into GOsa² with their own user names. A logged in student will be presented with a very minimal version of GOsa² that only allows access to the student's own account data sheet and to the set-password-dialog.

Teachers have special privileges in GOsa². They can change the password for all student accounts. This may be very handy during class. Let the teacher log in with his/her username and then a more privileged view of GOsa² is shown to the teacher.

To administratively set a new password for a user

1. search the user to be modified like explained above
2. click on the key symbol at the end of the line that the user name is shown in
3. on the following page, you can set a new self-chosen password

FIXME: add GOsa² password dialog image here

Beware of security implications due to easy to guess passwords!

Advanced user management

It is possible to mass-create users with GOsa² by using a .csv file, which can be created with any good spreadsheet software (for example oocalc). Here are the format guidelines for such a CSV file (GOsa² is quite intolerant about them):

• Use »,« as field separator
• do not use quotes
• the CSV file _must_not_ contain a header line (that normally contains the column names)
• the order of the fields is not relevant, this can be individually selected in GOsa² during mass import

FIXME: NICE FEATURE, DOES GOsa² HAVE SOMETHING EQUIVALENT???? If a password column is missing, an easy to remember, pronounceable password will be created.

The mass import steps are:

1. click »LDAP Manager« link in the navigatin menu on the left
2. click the »Import« tab in the screen on the right
3. browse your local disk and select a CSV file with your to be imported user list

4. choose an available user template that shall be applied during mass import (NewTeacher, NewStudent)

5. click the Import button in the bottom-right corner
6. FIXME: to be continued...

It's a good idea to do some tests first, best with a .csv file with a few fictional users, which can be deleted later.

Group Management with lwat

The mangement of groups is very similar to the management of users. You can enter a name and a description per group. When searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

Group Management on the command line

Here's how:

# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
                 comment="DESCRIPTION OF NEW GROUP"

This is explained in more detail in the HowTo/NetworkClients chapter of this manual.

Advanced group management

Using lwat it's easy to put users in a specific group (for example named after the year they enter or finish school) and to create all their home directories in a dedicated directory.

To achieve that, add a stanza like the following to the file /etc/lwat/admin.ini:

[2009]
ou = "ou=People,%base%"
objectClass = top posixAccount shadowAccount imapUser sambaSamAccount
homeDirectory = /skole/tjener/home0/2009/%username%
groups = none students 2009
loginShell = /bin/bash
mailMessageStore = /var/lib/maildirs/%username%

To make this work, the 2009 group has to be created before adding the users.

The above stanza simply adds them on top off home0. If you want them somewhere else, using another automount, then you use lwat to add that automount, and change the homeDirectory string in admini.ini correspondingly.

Machine Management with lwat

With the machine management you can basically manage all IP based devices in your Debian Edu network. Every machine added to the LDAP directory using lwat has a hostname, an IP-address, a MAC-address and a domain name which usually is "intern". For a more verbose description about the Debian Edu architecture see the architecture chapter of this manual.

If you add a machine, you can use an ip/hostname from the preconfigured address space. The following ip ranges are predefined:

The addresses from 10.0.2.100 till 10.0.2.255 and 10.0.3.0 till 10.0.3.243 are reserved for dhcp and are assigned dynamically.

To assign a host with the MAC-address 52:54:00:12:34:10 a static IP-address you only have to enter the MAC-address and the hostname static00, the remaining fields will be filled automatically according to the predefined configuration:

Search and delete machines

Searching for and deleting machines is quite similar to searching and deleting users, so that information is not repeated here.

Modify existing machines / Netgroup management

After adding a machine to the ldap tree using lwat, you can modify its properties using the search functionality and clicking on the machine (as you would with users).

The form that is behind these machine links is in one way similar to the one you already know from modifying user entries, but in an other way the informations do mean different things in this context.

For example, adding a machine to a NetGroup does not modify the permissions that machine or the users logged into that machine have on accessing files or programs on the server. But it restricts the services that machine can use on your main-server.

The default installation provides the NetGroups

• printer-hosts
• workstation-hosts
• ltsp-server-hosts
• server-hosts
• shutdown-at-night-hosts
• fs-autoresize-hosts

Currently the NetGroup functionality is used for

• NFS.

  • The home directories are exported by the main-server to be mounted by the workstations and the ltsp-servers. Because of security reasons only hosts within the workstation-hosts, ltsp-server-hosts and server-hosts NetGroups Remember to configure workstations and ldap-servers properly with lwat, or your users won't be able to access their home directories. can mount the exported NFS shares. So it is rather important to remember to configure this kinds of machines properly in the ldap tree using lwat and configuring them to use the static IPs from ldap.

• fs-autoresize
  • debian edu machines in this group will automatically resize lvm partitions that run out of space
• shutdown at night
  • debian edu machines in this group will automatically shutdown at night to save energy

Another important part of the machine configuration is the 'Samba host' flag (in the 'Host information' area). If you plan to add existing Windows systems to the Skolelinux Samba domain, you have to add the Windows host to the ldap tree and set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the Skolelinux network see the HowTo/NetworkClients chapter of this manual.

More lwat documentation

The full documentation for lwat can be found at /usr/share/doc/lwat/ on the main server or online.

Printer Managment

For Printer Management point your web browser to https://www:631 This is the normal cups management site where you can add/delete/modify your printers and can clean up the printing queue. Changes that require to login as root need ssl encryption.

Clock synchronization

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will not be synchronized with an external source by default, to make sure the machines to not use external network connections active all the time. This was configured like this after a school discovered their ISDN network was up all the time, giving them a nasty extra phone bill.

To enable synchronization with an external clock, the file /etc/ntp.conf on the main-server need to be modified. The comments in front of the server entries need to be removed. After this, the ntp server need to be restarted by running /etc/init.d/ntp restart as root. To test if the server is using the external clock sources, run ntpq -c lpeer.

Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.

界面很清爽，用户体验应该很不错。

就是不知道面向教育还有其他什么特点

自己曾看到描述其为 "requiring almost no Linux or networking knowledge" ，但实为我这个极一般的桌面用户所不知的系统，细节定制部分也没有体验，有如履薄冰的感觉。

还望大家不吝赐教，多谢