Debian Edu / Skolelinux  - 讨论区

返回群组主页

标题:DebianEdu HowTos 网络客户端 [ 拙劣翻译开始 ]

分享
马勇

马勇

2012年01月22日 星期日 23:50

原文目录

  1. HowTos for networked clients
    1. Introduction to Thin clients and Diskless workstations
      1. Machine type selection based on the network
      2. Changing the PXE menu on an LTSP server
      3. Separate main- and LTSP servers
    2. LTSP in detail
      1. lts.conf
      2. Load balancing LTSP servers
      3. Sound with LTSP clients
      4. Upgrading the LTSP environment
      5. Slow login and security
    3. Replacing LDM with KDM
    4. Connecting Windows machines to the network / Windows integration
      1. Joining the domain
      2. XP home
      3. Managing roaming profiles
      4. Redirecting parts of profile
      5. Avoiding roaming profiles
    5. Remote Desktop
      1. Remote Desktops Service
      2. Remote Desktops clients with RDP, VNC, NX or Citrix
    6. HowTos from wiki.debian.org

 

 

瘦客户机和无盘工作站简介

 

瘦客户机和无盘工作站二者通称 LTSP 客户端。 LTSP is the Linux Terminal Server Project.

瘦客户机

瘦客户机可以设置普通个人电脑具有 (X-)终端功能,那里的所有程序运行在 LTSP 服务器上。这一方法是机器从软盘或直接从服务器使用 network-PROM (或 PXE) 引导,而不使用本地客户机的硬盘驱动器。

无盘工作站

无盘工作站在本地运行所有软件。客户机直接从 LTSP 服务器引导而不是本地硬盘驱动器。软件在 LTSP 服务器上管理和维护,但它运行在无盘工作站上。主目录和系统设置也保存在服务器上。无盘工作站是一个类似于瘦客户机的低维护成本再利用较新硬件的极好方法。

 

根据网络选择机器种类

 

每个 LTSP 服务器有两个网卡,一个设置在 10.0.0.0/8 子网(共享主服务器),另一个构成本地 192.168.0.0/24 子网(对于每个 LTSP 服务器的单独子网)。

无盘工作站获得私有 IP 地址分配在子网 10.0.0.0/8,而瘦客户机连接在私有子网 192.168.0.0/24。

 

在 LTSP 服务器上改变 PXE 菜单

 

PXE 菜单让 LTSP 客户机可选择网络引导,安装和其他可能的选项。缺省使用 /var/lib/tftpboot/pxelinux.cfg/default 文件,如果在该目录内没有其他文件与客户机匹配,开箱即用的设置连接到 /var/lib/tftpboot/debian-edu/default-menu.cfg。

如果想要所有客户机引导为无盘工作站取代全部 PXE 菜单设置,可以实施改变这个符号连接:

ln -s /var/lib/tftpboot/debian-edu/default-diskless.cfg /var/lib/tftpboot/\
pxelinux.cfg/default

如果希望所有客户机作为瘦客户机引导来代替,改变符号连接类似这样:

ln -s /var/lib/tftpboot/debian-edu/default-thin.cfg /var/lib/tftpboot/pxelinux.\
cfg/default

 

也可参看在 http://syslinux.zytor.com/wiki/index.php/PXELINUX  中的 pxelinux 文档。

如果需要客户机在一个瘦客户机服务器的 192.168.x.x 接口上引导为无盘工作站而取代瘦客户机,编辑

/var/lib/tftpboot/ltsp/i386/pxelinux.cfg/default

 

增添一个 '3' (没有引号)到行尾。那里不需要在 GOsa 里添加这些工作站,保存你的工作和一个 "staticxx" IP 地址(看下面)。

 

分离的主服务器和 LTSP 服务器

 

出于性能和安全的考虑,需要设置分离的主服务器而不作为诸如 LTSP 服务器。

在主网络上 (10.0.x.x) 有 ltspserver00 服务于无盘工作站,在那里 tjener 不是组合服务器,这需要如下步骤:

  • 自ltspserver00 复制  /var/lib/tftpboot 的 ltsp 目录到 tjener 上的一个目录。

  • 复制/var/lib/tftpboot/debian-edu/default-diskless.cfg 到 tjener 的一个目录。

  • 编辑/var/lib/tftpboot/debian-edu/default-diskless.cfg 使用 ltspserver00 的 IP 地址,下面的示例使用 10.0.2.10 (缺省的):

DEFAULT ltsp/i386/vmlinuz initrd=ltsp/i386/initrd.img nfsroot=10.0.2.10:/opt\
/ltsp/i386 boot=nfs ro quiet 3

  • 在 tjener 上设置符号连接 /var/lib/tftpboot/pxelinux.cfg 指向 /var/lib/tftpboot/debian-edu/default-diskless.cfg

 

详细叙述 LTSP

 

 

lts.conf

 

对于瘦客户机所作的专门的改制和配置,你可以编辑文件 /opt/ltsp/i386/etc/lts.conf。安装 ltsp-docs 软件包并运行 "man lts.conf" 查看可用的配置选项。

默认值是定义下面 [default],配置一个客户机,明确规定那个客户机使用客户机网卡硬件地址或类似这个 IP 地址 [192.168.0.10]

示例:确定瘦客户机 ltsp010 使用 1280x1024 解析度,添加类似这样的内容:

[192.168.0.10]
X_MODE_0 = 1280x1024
X_HORZSYNC = "60-70"
X_VERTREFRESH = "59-62"

 

其下面某些地方为缺省设置。

确定你所作的更改,这需要重启客户机。

lts.conf 中使用 IP 地址,你需要添加客户机网卡硬件地址到你的 dhcp 服务器。另一方法需要你直接在你的 lts.conf 文件中使用客户机的网卡硬件地址。

 

负载均衡 LTSP 服务器

 

 

第一部分

 

它能为了负载均衡而设置客户机连接到若干服务器中的一个。这以供 /opt/ltsp/i386/usr/share/ltsp/get_hosts 这一脚本为 LDM 连接在一个或更多服务器做记号。在这添加每一 ltsp chroot 所需包含的对于每一个服务器的 ssh 主键。

首先,你需要选择一个 LTSP 服务器为负载均衡服务器。所有客户机将以 PXE 从这个服务器引导和加载 Skolelinux 镜像。镜像加载之后, LDM 使用 "get_hosts" 脚本选择哪一个服务器来连接。这是你之后如何做的。

现在你要移动你的客户机从 192.168.1.0 网络到 10.0.0.0 网络。这是因为那时你使用负载均衡,客户机将要直接访问 LDM 选择的服务器。如果你让你的客户机在 192.168.1.0 网络,所有客户机在与选择 LDM 服务器取得联系之前的流量将通过那个服务器。

设置客户机工作在 10.0.0.0 网络上,你要编辑在主服务器(tjener)上的 /etc/dhcp3/dhcpd.conf。在那表明:

/!\ FIXME: 这需要在 LDAP 改变 DHCP 设置。

subnet 10.0.0.0 netmask 255.0.0.0 {
        range 10.0.2.100 10.0.3.242;
        }

 

你要在 "range" 之下增加这些:

filename "/var/lib/tftpboot/ltsp/i386/pxelinux.0";
next-server xxx;
option root-path "/opt/ltsp/i386";
option log-servers ltspserver01;
use-host-decl-names on;

Next-server 需要你所选择的负载均衡服务器的 IP 地址或主机名。如果你使用主机名,你要有 DNS 的工作。记着重启 dhcp 服务。

 

第二部分

 

现在你来做一个 "get_hosts" 脚本为 LDM 联接标记一个服务器。LDM_SERVER 参数比这个脚本重要。因而,这个参数应该不定义,如果已经使用 get_hosts。get_hosts 脚本按随意顺序在标准输出上填写每个服务器的 IP 地址或主机名。

编辑"/opt/ltsp/i386/etc/lts.conf" 添加诸如这样的内容:

MY_SERVER_LIST = "xxxx xxxx xxxx"

以主服务器的 IP 或主机名两者之一取代 xxxx,清单以空格分隔。那时,置下面的脚本于你所选择的负载均衡服务器的 /opt/ltsp/i386/usr/lib/ltsp/get_hosts 目录中。

# Randomize the server list contained in MY_SERVER_LIST parameter
TMP_LIST=""
SHUFFLED_LIST=""
for i in $MY_SERVER_LIST; do
rank=$RANDOM
let "rank %= 100"
TMP_LIST="$TMP_LIST\n${rank}_$i"
done
TMP_LIST=$(echo -e $TMP_LIST | sort)
for i in $TMP_LIST; do
SHUFFLED_LIST="$SHUFFLED_LIST $(echo $i | cut -d_ -f2)"
done
echo $SHUFFLED_LIST

第三部分

 

那里现在有你制作的 "get_hosts" 脚本,他择时对 ltsp chroot 做 ssh 主键。这可以制作一个文件包含自所有那些将是负载均衡服务器的 /opt/ltsp/i386/etc/ssh/ssh_known_hosts 的内容。在所有负载均衡服务器上保存这个文件为 /etc/ltsp/ssh_known_hosts.extra。最后的步骤非常重要,因为每次服务器引导运行 ltsp-update-sshkeys 并且如果它存在,就包含于 /etc/ltsp/ssh_known_hosts.extra。

/!\ 如果你保存你的新主机文件作为 /opt/ltsp/i386/etc/ssh/ssh_known_hosts,它将在你重启动服务器时清除。

对于这个设置有一些明显的缺点。所有客户机从一个服务器获取它们的镜像,这样如果大量客户机在同一时间引导会导致服务器的高负载。客户机也有赖于那个服务器总是可用的,没有它客户机不能引导或获得 LDM 服务器。因此这一设置极其依赖此服务器,这不是很好。

你的客户机现在应该负载均衡!

 

LTSP 客户机的声音

 

LTSP 瘦客户机支持三种不同的声音系统以应用, ESD, PulseAudio 和 ALSA。 ESD 和 PulseAudio 支持网络声音和使用从服务器到客户机穿行的声音。ALSA 是设置通过 PulseAudio 修改它的声音来源。 对于选择仅使用支持 OSS 声音系统,通过 /usr/sbin/debian-edu-ltsp-audiodivert 生成一个包装来修改它们的声音源自 PulseAudio。运行这个脚本无争议地获得这样可重定向施用清单。

LTSP 无盘工作站可用本地声音并对网络声音无须特殊设置。

 

升级 LTSP 环境

 

经常适当以新软件包对 LTSP 环境做有益的升级,明晰安全处境和可用的改进。在每个 LTSP 服务器以 root 用户运行这些命令进行更新:

ltsp-chroot   # this does "chroot /opt/ltsp/i386" and more, ie it also prevents 
                  # daemons from being started
aptitude update
aptitude upgrade
aptitude dist-upgrade
exit

 

 

在 LTSP 环境中安装另外的软件

 

为 LTSP 客户机安装外加的软件,你需要在 LTSP 服务器的 chroot 内部执行安装。

ltsp-chroot
## optionally, edit the sources.list:
#vim /etc/apt/sources.list
aptitude update
aptitude install $new_package
exit

 

迟缓的登录和安全

 

Skolelinux 在客户机网络增加若干安全特性阻止非授权主管用户访问,在使用本地网络可以阻止密码嗅探和其他骗术。一个如此安全的度量是以缺省 LDM 使用 ssh 安全登录。这能减慢那些超过 10 年使用期,以及处理器低于 160 MHz 和 32 MB 内存的客户机器速度。尽管不建议,你能添加 "True" 值在 ...

LDM_DIRECTX=True

要在 /opt/ltsp/i386/etc/lts.conf 文件中加入这个服务器。

/!\ 警告:上面保护初始登录而非所有使用非加密的网络 X 活动。密码(除了初始的)将以明文遍历网络,还有其他任何事。

注意:直到现在,上面提到已十年的旧瘦客户机运行各版本的 OpenOffice.org 也未曾有困难,and Firefox/Iceweasel due to pixmap caching issues, 你要考虑运行的瘦客户机内存不低于 128 MB,或者升级硬件,那会给你良好的性能可以用它们作为无盘工作站。

 

以 KDM 取代 LDM

 

Skolelinux 直到 3.0 版是运行 LDM 作为登录管理器。它使用安全 ssh 通道登录。当时使用 KDM 转向 XDMCP 是必然的。XDMCP 在客户机和服务器上使用低的 CPU 资源。

/!\ 警告:XDMCP 不使用加密。密码将以明文遍历网络,还有其他任何事。

/!\ 注意:没有 LDM 应用 ltspfs 本地驱动器将停止工作。

检查 XDMCP 是否运行,在一个工作站上运行这个命令:

X -query ltspserverXX

如果你是在瘦客户机网络,请运行这个命令:

X -query 192.168.0.254

The goal is to let your "real" thin client to contact the xdmcp-server on the 192.168.0.254 net (given a standard Skolelinux configuration).

If by some reason xdmcp is accessible on your server which runs KDM , please add the following to /etc/kde3/kdm/Xaccess

 

 * # any host can get a login window

 

The star before the comment '#' is important, rest is a comment of course :)

Then turn on xdmcp in kdm with the command:

 

 sudo update-ini-file /etc/kde3/kdm/kdmrc Xdmcp Enable true

 

At the end please restart kdm by running:

 

 sudo invoke-rc.d kdm restart

 

(in courtesy of Finn-Arne Johansen)

 

Connecting Windows machines to the network / Windows integration

 

 

Joining the domain

 

For Windows clients the Windows domain "SKOLELINUX" is available to be joined. A special service called Samba, installed on the main-server tjener, enables Windows clients to store profiles and userdata and also authenticates the users during the login.

In order to make Windows clients join the domain some (few) steps are required:

1. Create a user with membership in the "admins" group (if not already existing)

  • In order to be able to join the "SKOLELINUX" domain a member of the admins group needs to authorize the process. If not yet existing, a user with that membership needs to be added (for more information see <link to GOsa docu>). The user "root" will not work, because there is no password for root in Samba.

2. Configure the Windows client as static host

  • When joining a samba domain some special data is stored on the domain controller (tjener). This data is needed to recognize the Windows client later as being allowed to authenticate users. In order to enable Samba to store this data, Samba requires an static host configuration to be present. This could be added by using the GOsa web interface (see also <link to GOsa>). When adding the static host configuration it is important to check the "Samba host" option, otherwise will lack the required data to be able to join the domain.

3. On the Windows client: Make sure the network and system configuration matches the data stored on tjener (hostname and ip configuration).

  • It's really important, that the Windows hosts have the same data, otherwise Samba will not find the host added in step 2.

4. Join the domain as usual using the user added in step 1.

  • Depending on the version and language of you Windows installation, you should find the configuration about the domain or workgroup of your system somewhere in the system properties. A freshly installed Windows system should belong to a default workgroup. You can join the domain by selecting "Domain" instead of "Workgroup" and entering SKOLELINUX as new domain. Pressing enter will then open a new window, where the login data of the user created in step 1. can be entered. After some time the Windows client opens a popup window with a welcome message. After the obligatory reboot the loginscreen offers a option to login into the domain.

Windows will sync the profile of domain users on every login and logout. Depending on how much data stored in the profile this could take some time. To minimize the time needed, one should deactivate things like local cache in browsers (you could use the squid proxycache installed on tjener instead) and save file into the H: volume instead of "Own files".

 

User groups in Windows

 

Groupmaps must also be added for any other user groups you add through GOsa. If you want your user groups to be available in Windows, eg for netlogon scripts or other group dependant actions, you can add them using variations of the following command. Samba will function without these groupmaps, but Windows machines won't be group aware.

 

/usr/bin/net groupmap add unixgroup=students \
             type=domain ntgroup="students" \
             comment="All students in the school"

 

FIXME: should user groups in windows better be explained with GOsa first, and then with an example for the command line?

If you want to check user groups on Windows, you need to download the tool IFMEMBER.EXE from Microsoft. Then you can use this for example in the logon script which resides on tjener in /etc/samba/netlogon/LOGON.BAT.

 

XP home

 

Users bringing in their XP home laptop can still connect to Tjener using their skolelinux credentials, provided the workgroup is set to SKOLELINUX. However, they may need to disable the windows firewall before Tjener will appear in Network Neighbourhood (or whatever its called now).

 

Managing roaming profiles

 

Roaming profiles contain user work environments, which include the desktop items and settings. Some examples of these environments are personal files, desktop icons and menus, screen colors, mouse settings, window size and position, application configurations and network and printer connections. Roaming profiles are available wherever the user logs on, provided the server is available.

Since the profile is copied from the server to the machine during logon, and copied back to the server during logout, a large profile can make windows login/logout painfully slow. There can be many reasons for a large profile, but the most common problems is that users save their files on the windows desktop or in the My Documents folder instead of in their homedir. Also some badly designed programs use the profile for scratch space, and other data.

The educational approach: One way to deal with to large profiles is to explain the situation for the users. Tell them not to store huge files on the desktop and if they fail to listen it's their own fault when login is slow.

Tweaking the profile: A different way to deal with the problem is to remove parts of the profile, and redirect other parts to regular file storage. This moves the work load from the users to the administrator, while adding complexity to the installation. There are at least three ways to edit the parts that are removed from the roaming profile.

 

Example smb.conf's for roaming profiles

 

Already delivered while installation, you can find an example smb.conf hopefully in your prefered language. You can find the config example files on your tjener under /usr/share/debian-edu-config/examples/. The source file is in English and is called smb-roaming-profiles-en.conf. If it is translated to German for example, it is named smb-roaming-profiles-de.conf. So if you search a file translated to your prefered language, look at the country code part in the filename. Inside the config file are a lot of explanations, so you should have a look at.

 

Using machine policies

 

Machine policies can be edited and copied to all the other computers.

  1. Pick a freshly installed Windows computer, and run gpedit.msc

  2. Under the selection User Configuration -> Administrative Templates -> System -> User Profiles -> Exclude directories in roaming profile, you can enter a semicolon separated string of directories to exclude from the profile, the directories are internationalized and must be written in your own language the way they are in the profile. Example of directories to exclude are

    • log
    • Locale settings
    • Temporary Internet Files
    • My Documents
    • Application Data
    • Temporary Internet Files
  3. Save your changes, and exit the editor.

  4. Copy c:\windows\system32\GroupPolicy to all other windows machines.

    • It's a good idea to copy it to your windows os deployment system to have it included at install time.

 

Using global policies

 

By using the legacy windows policy editor (poledit.exe), you can can create a Policy file (NTConfig.pol) file and put it in your netlogon share on tjener. This has the advantage of working almost instantly on all windows machines.

Since some time the policy editor standalone download has been removed from the Microsoft website, but it's still available as part of the ORK Tools.

With poledit.exe you can create .pol files. If you put such a file on tjener as /etc/samba/netlogon/NTLOGON.POL it will be read by the windows machine automatically and temporarily overwrite the registry, thus applying the changes.

To make sensible use of poledit.exe you also need to download appriate .adm files for your operating system and applications, otherwise you cannot define many settings in poledit.exe.

Be aware that the new group policy tools, gpedit.msc and gpmc.msc cannot create .pol files, they either only work for the local machine or need an active directory server.

If you understand german, http://gruppenrichtlinien.de is a very good website on this topic.

 

Editing Windows registry

 

You can edit the registry of the local computer, and copy this registry key to other computers

  1. Start the Registry Editor.

  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  3. Use the menu Edit menu->New->String Value.

  4. Call it ExcludeProfileDirs

  5. Enter a semicolon sepatated string of paths to exclude. (same way as machine policy)

Now you can choose to export this registry key as a .reg file, Mark a selection, right click and select export. Save the file and you can double click it, or add it to a script to spread it to other machines.

Sources:

 

Redirecting parts of profile

 

Sometimes just removing the directory from the profile is not enough. You may experience that users loose files because they mistakenly save things into my documents, when this is not saved in the profiles. Also you may want to redirect the directories some badly programed applications use to normal network shares.

 

Using machine policies

 

Everything under Using machine policies above applies. You edit using gpedit.msc and copy the Policy to all machines The redirection should be available under User Configuration -> Windows Settings->Folder Redirection Things that can be nice to redirect are Desktop or My Documents.

One thing to remember is that if you enable folder redirection, those folders are automatically added to the syncroniced folders list. If you do not want this, you should also disable that in following

  • User Configuration -> Administrative Templates -> Network -> Offline Files

  • Computer Configuration -> Administrative Templates -> Network -> Offline Files

 

Using global policies

 

FIXME explain how to use profiles from global policies for windows machines in the skolelinux network

 

Avoiding roaming profiles

 

 

Using a local policy

 

Using local policies you can disable roaming profile on individual machines. This is often wanted on special machines, for instance on dedicated machines, or machines that have lower then usual bandwith.

You can use the machine policy method describe above, the key is in

  • Administrative Templates -> system -> User Profiles -> Only allow local profiles

 

Using global policies

 

FIXME: describe roaming profile key for the global policy editor here

 

altering samba config

 

By editing the samba config you can disable roaming profiles for the entire network. Perhaps everyone have their own dedicated machine? and nobody else is allowed to touch it. To disable the roaming profiles for the entire network you can alter the smb.conf file on tjener and unset the logon path and logon home variables, and restart samba.

 

logon path = ""
logon home = ""

 

 

Remote Desktop

 

 

Remote Desktops Service

 

Beginning with this release, choosing the thin client server profile or the combined server profile, xrdp is installed, a package which uses the Remote Desktop Protocol to present a graphical login to a remote client. Microsoft Windows users can connect to the thin client server running xrdp without installing additional software. So simply start your Remote-Desktop-Connection on your Windows[tm] machine and connect.

Additionally xrdp can connect to a VNC server or another RDP server.

Some municipalities provide a remote desktop solution so that students and teachers can access Skolelinux from their home computer running Windows, Mac or Linux.

 

Remote Desktops clients with RDP, VNC, NX or Citrix

 

  • RDP - the easiest way to access Windows terminal server. Just install the rdesktop or freerdp-x11 packages.

  • VNC client (Virtual Network Computer) gives access to Skolelinux remotely. Just install the xvncviewer package.

  • NX graphical client gives students and teachers access to Skolelinux remotely on Windows, Mac or Linux PC. One municipality in Norway has provided NX support to all their students since 2005. They report that the solution is stable.

  • Citrix ICA client HowTo to access Windows terminal server from Skolelinux.

 

HowTos from wiki.debian.org

 

The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)

如下红色区域有误,请重新填写。

    你的回复:

    请 登录 后回复。还没有在Zeuux哲思注册吗?现在 注册 !
    反馈意见 帮助中心 服务条款 版权声明 关于哲思

    Zeuux © 2024

    京ICP备05028076号