"Debian Edu / Skolelinux Lenny 5.0.4+edu1 Manual"

3.1. Red

El fuente del paquete debian-edu-docincluye esta imagen como un archivo dia.

La figura es un esquema propuesto de la topología de red. La configuración predeterminada de Skolelinux asume que hay un (y sólo uno) servidor principal, y permite incluir tanto servidores de clientes ligeros (asociados con clientes ligeros) como puestos normales. El número de puestos puede ser tan grande o pequeña como se quiera (desde ninguno a muchísimos). Lo mismo para los servidores de clientes ligeros, cada uno de los cuales está en una red separada, de forma que el tráfico entre los clientes ligeros y su servidor no afecta al resto de los servicios de red.

La razón por la que sólo puede haber un servidor principal en cada red es que el servidor principal proporciona DHCP, y sólo puede haber una máquina haciendo eso en cada red. Es posible trasladar servicios del servidor principal a otras máquinas configurando el servicio en otra máquina, y posteriormente, actualizando la configuración de DNS para que apunte al alias DNS de ese servicio a la máquina correcta.

Para simplificar la configuración estándar de Skolelinux, la conexión a Internet va sobre un router separado. Se puede configurar Debian con un módem o una conexión RDSI, sin embargo no se ha intentando hacer tal configuración para Skolelinux por defecto.(las modificaciones necesarias para ajustar la configuración por defecto a esta situación deberían documentarse por separado).

3.2. Administración

Todas las máquinas linux que se instalan por medio del CD o DVD de Skolelinux se pueden administrar desde un ordenador central, es decir el servidor. Se puede acceder a todas las máquinas por ssh y, por tanto hay acceso completo a todos los puestos.

Usamos cfengine para editar los archivos de configuración. Estos archivos se actualizan desde el servidor a los clientes. Para cambiar la configuración del cliente, es suficiente editar la configuración en el servidor y dejar que la automatización distribuya los cambios.

Toda la información de los usuarios se guarda en un directorio LDAP. Las actualizaciones de las cuentas de usuario se hacen contra esta base de datos y es la que usan los clientes para autenticarse.

3.3. Instalación

Se puede instalar tanto desde un CD como un DVD.

La idea es poder instalar un servidor desde CD/DVD, e instalar los clientes por la red arrancando todas las demás máquinas a través de la red. La instalación del DVD funciona sin acceder a Internet.

La instalación no debería hacer ninguna pregunta, con la excepción del idioma deseado (p. ej. Noruego, Español, etc) y el perfil de la máquina (servidor, puesto normal, servidor de cliente ligero). Todas las demás configuraciones se harán automáticamente con valores rezonables, y el administrador del sistema las podrá cambiar desde un sitio centralizado después de la instalación.

3.4. Configuración del acceso al sistema de archivos

Cada cuenta de usuario de Skolelinux tiene asignada una sección del sistema de archivos en el servidor de ficheros. Esta sección (directorio home) contiene los archivos de configuración del usuario, documentos y páginas web. Algunos de estos archivos deberían tener acceso de lectura para otros usuarios del sistema, algunos podrían ser de lectura para todo internet, y algunos no deberían ser accesibles por nadie que no fuera el usuario.

To ensure that all disks that are used for user directories or shared directories can be uniquely named across all the computers in the installation, they can be mounted as /skole/host/directory/. Initially, one directory is created on the file server, /skole/tjener/home0/, in which all the user accounts are created. More directories may then be created when needed, to accomodate particular user groups or particular patterns of usage.

Para tener control de acceso a los archivos compartidos, cada usuario debe asignarse a un grupo primario que no tenga otros miembros. El nombre de este grupo privado debe ser el mismo nombre de usuario. (Hay más información disponible en Redhat sobre este tema.) Esto permite que todos los archivos que crea el usuario tengan acceso completo al grupo de archivos. Junto con el bit set-gid en los directorios y la herencia de derechos, esto permite la compartición controlada de archivos entre los miembros de un grupo de archivos. Por tanto, la umask de los usuarios deb ser 00X. (Si todos los usuarios de un grupo inicialmente pueden leer los archivos nuevos X=2. Si sólo se debe dar un acceso inicial a un grupo de usuarios X=7).

La política definirá el acceso inicial para los archivos nuevos. Puede ser dar acceso de lectura a todo el mundo, algo que luego el usuario puede cambiar explícitamente, o se puede bloquear inicialmente, necesitando una acción del usuario para hacerlos accesibles. La primera aproximación incita a compartir el conocimiento y hace el sistema más transparente, mientras que el segundo método disminuye el riesgo de distribuir información sensible o indeseada. El problema con la primera solución es que no es visible para los usuarios que el material que crean es accesible a todos los usuarios. Esto es detectable cuando se revisan los directorios de otros usuarios, donde uno puede ver los archivos que son legibles. El problema con la segunda solución es que muy poca gente acostumbra a hacer sus archivos accesibles, aunque no contengan nada sensible y el contenido sea útil para los que aprenden de como otros han resuelto los mismos problemas.

Sugerencia: Los archivos son originalmente accesibles por todos, pero solo carpetas particulares son creadas con contenidos bloqueados inicialmente. Esto simplificará el decidir adónde debería de ser accesible o no. Concretamente, umask debería de ser puesto a un valor 002, y ~/ creado con permisos de acceso 0775. Las carpetas ~/priv/ con 0750, y ~/pub/ con 0775, Los archivos que no sean accesibles por otros deberán de ser puestos en ~/priv/ y cualquiera que sea público, puesto en ~/pub/. Otros archivos que inicialmente sean accesibles, podrán ser restringidos si es necesario.

ssh requiere que el directorio home solo lo pueda ser escrito por el propietario, así que el privilegio máximo para ~/ es 755.

• - acceso a las carpetas home (*~/)? - carpetas home - carpetas compartidas?

3.5. notas sueltas

Estas son varias notas de cosas que deberían incluirse en este documento.

• La base de datos centralizada de usuarios los agrupa y tiene la capacidad de controlar que grupos tienen acceso a las máquinas.

• Grupo de máquinas y la capacidad de controlar el acceso a los servicios de la red par a esos grupos (bloqueando el acceso a internet vía squid)

• Debería considerar usar el servicio DNS de la RFC 2606.

This chapter was initially copied and pasted from http://developer.skolelinux.no/arkitektur/arkitektur.html.en ( at that time it was Copyright © 2001, 2002, 2003, 2004 Petter Reinholdtsen < pere@hungry.com >, released under the GPL) and has since then beed edited.

4.1. New features in the Debian Edu 5.0.4+edu0 Codename "Lenny" released 2010-02-08

• Everything that is new in Debian 5.0.4, see the following paragraph for details.

• More than 80 applications relevant for education are included based on user feedback and user statistics (through Debian Edu popularity contest). The full list of packages are listed in the task overview page.

• Escritorio para los estudiantes mejorado con accesos directos a software educativo como GCompris, Kalzium, Kgeography, KMplot, KStars, Stopmotion y OpenOffice Write e Impress.

• Dynamic desktop icons and menu options that adjust based on user group.

• Gnome added as a supported desktop, see the Installation chapter to learn how to install with GNOME instead of KDE as desktop.

• Soporte para más de 50 idiomas.

• Sistema mejorado para administración de usuarios e identificación de computadoras.

• Mejoras en la configuración de clientes sin disco y clientes ligeros.

• New startup menu letting users choose diskless workstation, thin client or workstation.

• Opción de estación de trabajo sin disco es instalada pero no activada por defecto en los servidores con el perfil servidor de clientes ligeros.

• Main-server is set up as a PXE server for booting thin clients and diskless workstations and for installing to clients' hard or flash drives.

• La configurcin para DNS y DHCP esta almanecenada en LDAP y puede ser editada usando lwat. El servidor DNS ha sido cambiado de bind9 a power-dns.

• LDAP server for directory services (NSS) are now located using a SRV record in DNS instead of hardcoding the 'ldap' DNS name. LDAP server for password checks (PAM) is still using the hardcoded 'ldap' DNS name.

• Disco de instalación por red multi arquitectura (amd64/i386/powerpc).

  • La mayoría de los paquetes se descargan de Internet.

• Multi arch (amd64/i386) installer DVD capable of installing without network.

• PulseAudio es proporcionado además de ALSA y OSS para sonido en estaciones de trabajo y estaciones de trabajo sin disco.

• The Barebone profile has been renamed to Minimal, to better reflect what it is.

• La configuración de Nagios3 ahora es automáticamente creada por sitesummary.

• The per-user file ~/.xsession-errors is now truncated automatically when the user logs in to avoid filling up the home directory partition with a log that grows indefinitely. The user can disable this by creating ~/.xsession-errors-enable. The system administrator can configure the system to redirect the file to /dev/null by editing /etc/X11/Xsession.d/05debian-edu-truncate-xerrorlog.

• To ease installation of Debian Edu on hardware needing non-free firmware, the CD and DVD include the following firmware packages: firmware-bnx2, firmware-bnx2x, firmware-ipw2x00, firmware-iwlwifi, firmware-qlogic and firmware-ralink.

4.2. New features in Debian 5.0.4 upon which Debian Edu 5.0.4+edu0 is based

• El nuevo Kernel Linux 2.6.26 soporta ms hardware

• With this release, Debian GNU/Linux updates from X.Org 7.1 to X.Org 7.3 (which includes support of newer hardware) and now includes the desktop environments KDE 3.5.10 and GNOME 2.22. Updates of other desktop applications include Iceweasel (version 3.0.6, which is the unbranded Firefox web browser), Icedove (version 2.0.0.19, which is the unbranded Thunderbird mail client) as well as upgrades to Evolution 2.22.3, OpenOffice.org 2.4.1, and Pidgin 2.4.3 (formerly known as Gaim).

• Instalación desde CD desde windows

• Se cambio de sysklogd a rsyslog como el colector de registros del sistema.

• For more information see the page New in Lenny on wiki.debian.org

4.3. New features in the "3.0r1 Terra" release 2007-12-05

• Much improved documentation with updated translations to German, Norwegian Bokmal and Italian

• Includes more than 40 bug fixes, improvements and security updates that came to our attentention after the 3.0r0 release

4.4. New features in the "3.0r0 Terra" release 2007-07-22

• Basado en Debian 4.0 Etch publicación en 2007-04-08

• Instalador gráfico con soporte para mouse

• Boot splash con usplash

• comatible con LSB 3.1

• Versión del kernel linux 2.6.18

  • soporte para controladoras SATA y discos rígidos

• Versión de X 7.1.

• Ambiente gráfico KDE 3.5.5

• OpenOffice versión 2.0

• LTSP5 (versión 0.99debian12)

• Inventario automático de equipos instalados utilizando Sitesummary.

• Configuración automática de munin utilizando los datos de Sitesummary.

• Control automático de versiones de configuración en /etc/ por medio de svk.

• Tamaño del sistema de archivos pueden ser ampliados mientra el sistema de archivos esta montado.

  • Soporte automático ampliando el sistema de archivos basándose en reglas predefinidas.

• Soporte de dispositivos locales en Clientes ligeros.

• Nuevas arquitecturas de procesadores: amd64 (soporte completo) y ppc (soporte experimental, el sistema de instalación funciona únicamente en la nueva subarquitectura newworld).

• DVDs multi-arquitectura para i386, amd64 y powerpc

• Regression: the CD-install requires Internet access during installation. Previous versions could be installed from one CD without Internet access.

• Regression: webmin is now removed from Debian because of problems supporting it. We've added a new web based user administration tool named lwat, which doesn't has the same functionality as wlus, the old user administration tool. But wlus requires webmin.

• Regression: swi-prolog is not part of etch, but was part of sarge. The HowTo teach and learn Chapter describes how to install swi-prolog on etch.

4.5. Features in 2.0 release 2006-03-14

• Based on Debian 3.1 Sarge released 2005-06-06.

• Linux kernel version 2.6.8.

• XFree86 version 4.3.

• KDE version 3.3.

• OpenOffice.org 1.1.

4.6. Features in "1.0 Venus" release 2004-06-20

• Based on Debian 3.0 Woody released 2002-07-19.

• Linux kernel version 2.4.26.

• XFree86 version 4.1.

• KDE version 2.2.

4.7. Más información sobre lanzamientos anteriores

Más información sobre lanzamientos anteriores puede ser encontrado en http://developer.skolelinux.no/info/cdbygging/news.html.

5.1. Requisitos de hardware

The purpose of the different profiles is explained in the network architecture chapter.

• The computers running Debian Edu / Skolelinux must have either i386, amd64 or powerpc processors.

  • On powerpc, the installation media will only boot on machines of the newworld sub-architecture, which are the systems from Apple with a translucent case.

• Thin client servers need two network cards when using the default network architecture:

  • eth0 is connected to the main network (10.0.2.0/23),

  • eth1 is used for serving the thin-clients (192.168.0.0/24) .

  • Consider 2 GB RAM for 30 clients and 4 GB RAM for 50-60 clients.

• Disk space requirements depend on profiles used, but any disk larger than 10 GiB will be sufficient for a workstation or standalone installation, 15 Gib for a thin-client server and at least 30 GiB on the main server. As usual with disk space on a main-server: the bigger the better.

• Thin clients can run on as low as 64 MiB RAM and 133 MHz processor, though 128 MiB RAM and somewhat faster processors are recommended.

  • For running Iceweasel/Firefox and OpenOffice.org, 128 MiB RAM is a minimum requirement.

• For workstations, diskless workstations and standalone PCs 800 MHz, 256 MiB RAM are minimum requirements, though 512 or 1024 MiB RAM will perform considerable better. Just a faster CPU will speed things up.

  • Swapping over the network is automatically enabled, the swap size is 32 MiB, if you need more you can tune this by editing /etc/ltsp/nbdswapd.conf on tjener to set the SIZE variable. Please tune up the swap size either locally on the pc or on the server.

    • If your diskless workstations have harddrives, it is recommended to use them for swap as it is a lot faster than network swapping.

  • On workstations with little RAM the spell checker can cause OpenOffice.org to hang if the swap space is too small. Then the system administrator has to disable the spell checker on OpenOffice.org or students have to kill OpenOffice.org, resulting in loss of work. Enabling at least 512 MiB swap on a 256 MiB RAM workstation solves this, and the spell checker runs smoothly.

• Laptops have the same requirements as for workstations since they are just movable workstations.

5.2. Hardware conocido que funciona

A list of tested hardware is provided from http://wiki.debian.org/DebianEdu/Hardware/ . This list is not nearly complete

http://wiki.debian.org/InstallingDebianOn is an effort to document how to install, configure and use Debian on some specific hardware. Therefore potential buyers would know if that hardware is supported and owner would know how get the best out of that hardware.

Una excelente base de datos sobre hardware soporte por Debian esta disponible en http://kmuto.jp/debian/hcl/.

6.1. Configuración por defecto

Se aplican las siguientes reglas cuando se usa la arquitectura de red por defecto:

• necesitas un servidor principal, el tjener

• puedes tener más de 50 estaciones de trabajo (sin disco) en la red principal

• puedes tener más de 20 servidores ltsp en la red principal

  • puedes tener cientos de clientes ligeros y/o estaciones de trabajo sin disco en cada red de servidores ltsp

• puedes tener cientos de otras computadoras que tendrán direcciones ip asignadas de manera dinámica

• para tener acceso a Internet necesitas un enrutador/pasarela (ver más abajo)

6.2. Enrutador de internet

A router/gateway, connected to the internet on the external interface and running on the IP address 10.0.2.1 with netmask 255.255.254.0 on the internal interface, is needed to connect to the internet.

The router should not run a DHCP server, it can run a DNS server, though this is not needed and will not be used. (If the router runs a DHCP server you must disable the DHCP server on the main server and you will loose some features and certain documented procedures will work differently. So better disable the DHCP server on the router.)

Si buscas una solución basada en i386 (para poder rehusar una PC vieja) recomendamos IPCop o floppyfw.

If you need something for an embedded router or accesspoint we recommend using OpenWRT, though of course you can also use the original firmware. Using the original firmware is easier, using OpenWRT gives you more choices and control. Check the OpenWRT webpages for a list of supported hardware.

It is possible to use a different network setup, this is the documented procedure to do this. If you are not forced to do this by an existing network infrastructure, we recommend against doing so and recommend you stay with the default network architecture.

7.1. Donde encontrar información adicional

We recommend that you read or at least take a look at the release notes for Debian Lenny before you start installing a system for production use. If you just want to give Debian Edu/Skolelinux a try, you don't have to though, it should just work.

Even more information about the Debian Lenny release is available in its installation manual.

7.2. Download the installation media for Debian Edu 5.0.4+edu0 Codename "Lenny"

7.3. Solicita un CD/DVD por correo

For those without a fast internet connection, we offer to send you a CD or DVD for the cost of the CD or DVD and shipping. Just send an email to cd@skolelinux.no and we will discuss the payment details (for shipping and media) Remember to include the address you want the CD or DVD to be sent to in the email.

7.4. Instalando Debian Edu

deb http://ftp.debian.org/debian/ lenny main 
deb http://security.debian.org/ lenny/updates main 
deb http://ftp.skolelinux.org/skolelinux lenny local

d-i    pkgsel/include string my-extra-package(s)

7.5. Screenshot tour

The text mode and the graphical installation are identical, only the appearance is different. The graphical mode offers you the opportunity to use a mouse. Of course the graphical mode looks much nicer and more modern. Unless the hardware has trouble with the graphical mode, there is no reason not to use it.

So here is a screenshot tour through a graphical Main-Server + Thin-Client-Server installation:

8.1. Minimum steps to get started

This chapter describes the first steps you need to do after the installation to get started. The minimum you need to do is:

• add users

• add workstations to host netgroups (for exporting home-directories via NFS)

  • thin clients don't need to be added, only workstations. And workstations no matter if with disk or diskless.

This is described below, please read this chapter completly. It covers how to do these minumum steps correctly as well as other stuff probably everybody will need to do.

The following HowTo chapter covers more tips and tricks and some frequently asked questions.

9.1. Gestión basada en web, usando lwat

Lwat is a web based management tool, that will help you manage some important parts of your Debian Edu setup. You can manage this four main groups (add, modify, delete):

• Administración de usuarios

• Administración de grupos

• Automount Informations

• Administración de computadoras

• Administración DNS

Para acceder a lwat entra a https://www/lwat en tu navegador web.

• In case you are not using a new Debian Edu Lenny machine, you will get an error message about the ssl certificate. Just tell your browser to accept and ignore that.

• In case you are using a new Debian Edu Lenny machine, the override rule will be already in place and you can't be bothered.

You will then see the login page of LWAT. If you visit this site the first time after installation, the login name there is: admin and the password is the password you entered during the installation for the root account.

After login the you can choose a task in the menu.

9.2. User Management with lwat

In Debian Edu account information is stored in a LDAP directory. This data is used not only by the main server, but also by the (diskless) workstations and thin client servers on the network. In this way data about students, pupils, teachers, etc. needs to be entered only once. After that it is available to all systems on the network.

To get the work done efficiently lwat will assist you on getting your user's data entered to the LDAP directory.

You can add users, group them in usergroups (for example to refer the members of a class more easily), update them and remove them again. By pointing the mouse onto the menu entries "Users" or "Groups" you can choose the action: Add any, or search for existing users or groups to modify or delete them.

Usuario agregado: Usuario Demo
username: demuse
password: secret

9.3. Group Management with lwat

The mangement of groups is very similar to the management of users. You can enter a name and a description per group. When searching for groups you can also delete or disable all users of the groups found. From the modification page you can access all the users of that group.

The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

9.4. Gestión de grupos en la linea de comando

Here's how:

# List existing group mapping between UNIX and Windows groups.
net groupmap list

# Add your new or otherwise missing groups:
net groupmap add unixgroup=NEW_GROUP type=domain ntgroup="NEW_GROUP"\
                 comment="DESCRIPTION OF NEW GROUP"

This is explained in more detail in the HowTo/NetworkClients chapter of this manual.

[2009]
ou = "ou=People,%base%"
objectClass = top posixAccount shadowAccount imapUser sambaSamAccount
homeDirectory = /skole/tjener/home0/2009/%username%
groups = none students 2009
loginShell = /bin/bash
mailMessageStore = /var/lib/maildirs/%username%

9.5. Machine Management with lwat

With the machine management you can basically manage all IP based devices in your Debian Edu network. Every machine added to the LDAP directory using lwat has a hostname, an IP-address, a MAC-address and a domain name which usually is "intern". For a more verbose description about the Debian Edu architecture see the architecture chapter of this manual.

If you add a machine, you can use an ip/hostname from the preconfigured address space. The following ip ranges are predefined:

The addresses from 10.0.2.100 till 10.0.2.255 and 10.0.3.0 till 10.0.3.243 are reserved for dhcp and are assigned dynamically.

To assign a host with the MAC-address 52:54:00:12:34:10 a static IP-address you only have to enter the MAC-address and the hostname static00, the remaining fields will be filled automatically according to the predefined configuration:

9.6. Gestión de impresoras

For Printer Management point your web browser to https://www:631 This is the normal cups management site where you can add/delete/modify your printers and can clean up the printing queue. Changes that require to login as root need ssl encryption.

If you connect the printer for the first time, we suggest to run printconf as root. FIXME: explain what to do when printconf does not accomplish anything.

9.7. Sincronización del reloj

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP is used to update the time. The clocks will not be synchronized with an external source by default, to make sure the machines to not use external network connections active all the time. This was configured like this after a school discovered their ISDN network was up all the time, giving them a nasty extra phone bill.

To enable synchronization with an external clock, the file /etc/ntp.conf on the main-server need to be modified. The comments in front of the server entries need to be removed. After this, the ntp server need to be restarted by running /etc/init.d/ntp restart as root. To test if the server is using the external clock sources, run ntpq -c lpeer.

9.8. Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these partitions, run debian-edu-fsautoresize -n as root. See the "Resizing Partitions" HowTo in the administration HowTo chapter for more information.

10.1. Actualizar el software

This section explains how to use aptitude upgrade and kde-update-notifier.

Using aptitude is really simply. To update a system you need to execute two commands on the command line as root: aptitude update (updates the lists of available packages) and aptitude upgrade (upgrades the packages for which an upgrade is available).

Instead of using the command line you can also use kde-update-notifier. FIXME: Explain how to use kde-update-notifier, best with screenshots.

It is also a good idea to install cron-apt and apt-listchanges and configure them to send mail to an address you are reading.

cron-apt will notify you once a day via email, which packages need an update. It does not install these updates, but downloads them (usually in the night), so you don't have to wait for the download, when you do aptitude upgrade.

apt-listchanges can send new changelog entries to you.

10.2. Gestión de las copias de seguridad

For the backup management point your browser to https://www/slbackup-php. Please note that you have to access this site via ssl, since you have to enter the root password there. If you try to access this site without using ssl it will fail.

Per default the tjener will backup /skole/tjener/home0, /etc/, /root/.svk and the ldap to /skole/backup which is in the lvm. If you only want to have things twice (if you delete something) this setup should be fine for you.

Be aware that this backup doesn't protect you from failing harddrives.

If you want to backup your data to an external server, a tape device or another harddrive you'll have to modify the existing configuration a bit.

Si quieres restaurar un directorio. la mejor opción es usar la linea de comandos:

$ sudo rdiff-backup -r <date>  \
   /skole/backup/tjener/skole/tjener/home0/user \
   /skole/tjener/home0/user_<date>

this will leave the content from /skole/tjener/home0/user from <date> in the folder /skole/tjener/home0/user_<date>

If you want to restore a single file, then you should be able to select the file (and the version) from the web-interface, and download only that file.

• FIXME: continue description of slbackup-php usage, maybe with screenshots

10.3. Monitorización del Servidor

htpasswd /etc/nagios3/htpasswd.users nagiosadmin

10.4. Más información sobre personalizaciones de Debian Edu

More information about Debian Edu customisations useful for system administrators can be found in the Administration Howto chapter.

11.1. General notes on upgrading

Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunatly not yet true as we heavily modify configuration files in ways we shouldn't do. (See Debian bug 311188 for more information.) Upgrading is still possible but might requiere some work.

In general, upgrading the servers is more difficult than the workstations and the main-server is the most difficult to upgrade. The diskless machines are easy, as their chroot environment can be deleted and recreated, if you haven't modified it. If you have, the chroot is basically a workstation chroot anyway, so rather easy to upgrade.

If you want to be sure that after the upgrade everything works like before , you should test the upgrade on (a) test systems, which are configured the same way as your production machines. There you can test the upgrade without risk and see if everything works as it should.

Make sure to also read the information about the Debian lenny release from its installation manual.

Also it might be wise to wait a bit and keep running etch for some more weeks, so that others can test the upgrade, experience problems and document them here. Debian Edu etch will receive continued support for some time in the future, but when Debian ceases support for etch, Debian Edu will (have to) do that too. This is expected to happen on Febrary 16th, 2010.

12.1. The basic upgrade operation

1. Edit /etc/apt/sources.list and replace all occurances of "etch" with "lenny".

2. run apt-get update

3. run apt-get upgrade

4. run apt-get dist-upgrade

12.2. LDAP service needs to repaired

Upgrading the debian-edu-config package on tjener is likely to disrupt some services:

1. slapd wouldn't start.

   It may keep running until next restart, then if it gives:

    tjener:~# invoke-rc.d slapd start
    Starting OpenLDAP: slapd - failed.
    The operation failed but no output was produced. For hints on what went
    wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
    try running the daemon in Debug mode like via "slapd -d 16383" (warning:
    this will create copious output).
   
    Below, you can find the command line options used by this script to
    run slapd. Do not forget to specify those options if you
    want to look to debugging output:
    slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf                     -4

   And searching /var/log/syslog yelds something like:

   tjener slapd[8894]: could not stat config file "/etc/ldap/schema/dnsdomain2.schema": No such file or directory (2)

   then as a temporary measure to get it running until DNS is sorted.

   1. Comment out the line include /etc/ldap/schema/dnsdomain2.schema in /etc/ldap/slapd.conf.

   2. Ejecuta invoke-rc.d slapd start

Some new indexes have been added to openldap's configuration. in order to benefit from these you need to regenerate indexes:

1. stop slapd. invoke-rc.d slapd stop

2. check syslog or ps output that it have truly stopped.

3. run sudo -u openldap slapindex

4. start slapd with invoke-rc.d slapd start

12.3. DHCP service needs to repaired

1. dhcp3-server wouldn't start.

   If starting dhcp3-server gives:

    tjener:~# invoke-rc.d dhcp3-server start
    dhcpd self-test failed. Please fix the config file.
    The error was:
    Internet Systems Consortium DHCP Server V3.1.1
    Copyright 2004-2008 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/
    /etc/dhcp3/dhcpd.conf line 2: semicolon expected.
    ldap-server "ldap"
                ^
    /etc/dhcp3/dhcpd.conf line 3: semicolon expected.
    ldap-port 389;
              ^
    /etc/dhcp3/dhcpd.conf line 4: semicolon expected.
    ldap-base-dn  "dc=skole,dc=skolelinux,dc=no"
                  ^
    /etc/dhcp3/dhcpd.conf line 5: semicolon expected.
    ldap-dhcp-server-cn "dhcp"
                        ^
    /etc/dhcp3/dhcpd.conf line 6: semicolon expected.
    ldap-method dynamic;
               ^
    Configuration file errors encountered -- exiting
    invoke-rc.d: initscript dhcp3-server, action "start" failed.

   Then installing dhcp3-server-ldap is needed install it. Use your favorite package management front-end or run:

    tjener:~# apt-get -q=2 update
    tjener:~# apt-get -q=2 install dhcp3-server-ldap

   If starting dhcp3-server gives:

    tjener:~# invoke-rc.d dhcp3-server start
    dhcpd self-test failed. Please fix the config file.
    The error was:
    Internet Systems Consortium DHCP Server V3.1.1
    Copyright 2004-2008 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/
    Connecting to LDAP server ldap:389
    Successfully logged into LDAP server ldap
    Cannot find host LDAP entry dhcp (&(objectClass=dhcpServer)(cn=dhcp))
    Configuration file errors encountered -- exiting
    invoke-rc.d: initscript dhcp3-server, action "start" failed.

   La configuración DHCP necesita cargarse en LDAP. Dos maneras de hacerlo son:

   1. Cargar una configuración existente en la base de datos:

      1. Locate the appropriate dhcp.conf, the last one should be in /etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old or get one from backups.

      2. Extract /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl.gz

      3. Set /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl executable.

      4. Run /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl, optionaly with --help first or read the comments in code.

      5. View and check the resulting ldif file. Though DHCP is likely to function fine with this file, to keep as close as possible to the default configuration it is probably best to keep the entries for the configured individual hosts and replace the general entries (i.e. dhcpService, dhcpSharedNetwork, dhcpSubnet, etc.) with those from etc/ldap/dhcp.ldif.

      6. Load the resulting ldif file to the LDAP database.

      7. Start dhcp3-server.

       tjener:~# cd /usr/share/doc/dhcp3-server-ldap/
       tjener:/usr/share/doc/dhcp3-server-ldap# gunzip dhcpd-conf-to-ldap.pl.gz
       tjener:/usr/share/doc/dhcp3-server-ldap# chmod 0744 dhcpd-conf-to-ldap.pl
       tjener:/usr/share/doc/dhcp3-server-ldap#
       tjener:/usr/share/doc/dhcp3-server-ldap# ./dhcpd-conf-to-ldap.pl --server "dhcp" \
       >     --basedn "dc=skole,dc=skolelinux,dc=no" \
       >     --dhcpdn "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" \
       >     --conf "/etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old" --ldif "/etc/ldap/migrate-dhcp.ldif"
      
       Creating LDAP Configuration with the following options:
              Base DN: dc=skole,dc=skolelinux,dc=no
              DHCP DN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
              Server DN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
      
       Done.
       tjener:/usr/share/doc/dhcp3-server-ldap#
       tjener:/usr/share/doc/dhcp3-server-ldap# cd /etc/ldap/
       tjener:/etc/ldap#
       tjener:/etc/ldap#
       tjener:/etc/ldap# # At this point it's recommended to view migrate-dhcp.ldif side by side
       tjener:/etc/ldap# # with dhcp.ldif and make some manual adjustments, before running:
       tjener:/etc/ldap#
       tjener:/etc/ldap# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
       >                         -f /etc/ldap/migrate-dhcp.ldif
       Enter LDAP Password:
       adding new entry "cn=dhcp, dc=skole,dc=skolelinux,dc=no"
       ....
       tjener:/etc/ldap#
       tjener:/etc/ldap# invoke-rc.d dhcp3-server start
        * Starting DHCP server dhcpd3                                            [ ok ]
       tjener:/etc/ldap#

   2. To load The fresh configuration into the database:

      If there are only few configured host and adding them later to the configuration is no bother just run ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -f /etc/ldap/dhcp.ldif

2. Squid wouldn't start.

   If starting Squid gives:

    tjener:~# invoke-rc.d squid start
    * Starting Squid HTTP proxy squid
    2009/08/23 00:20:56| ACL name 'localnet' not defined!
    FATAL: Bungled squid.conf line 2577: http_access allow localnet
    Squid Cache (Version 2.7.STABLE3): Terminated abnormally.

   It's complaint is self explanatory. Two options to overcome this are:

   1. To keep the old /etc/squid/squid.conf just comment-out or remove the offending line http_access allow localnet.

   2. To stay current copy the new squid.conf distributed in the squid package:

       tjener:~# cd /etc/squid/
       tjener:/etc/squid# mv squid.conf etch-squid.conf
       tjener:/etc/squid# cp /usr/share/doc/squid/examples/squid.conf squid.conf

      1. Para tener la configuración por defecto de Debian Edu ejecuta el cfengine-debian-edu

      2. Any customized settings in the old configuration should be copyed from the old file ( dropping lines acl schoolnet*, acl ltspnet*, http_access allow schoolnet and http_access allow ltspnet these were replaced by the acl localnet* and *access allow localnet lines).

12.4. User logins from Windows machines needs to repaired

1. Users can't login from Windows machines.

   A change in Samba that has become apparent in Lenny (see 532859) prevents users login to Samba unless sambaPwdLastSet attribute is set other than zero in their LDAP entry.

   1. To add the 'sambaPwdLastSet' attribute for new users to be created in lwat make sure /etc/lwat/admin.ini contain the line 'sambaPwdLastSet = 1' for each group. See also: Debian Edu bug#1364.

   2. To find which users are affected try:

      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(|(!(sambaPwdLastSet=*))(sambaPwdLastSet=0)))' uid  | less

   3. To add the 'sambaPwdLastSet' attribute to users where it isn't set try:

      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(!(sambaPwdLastSet=*)))' dn | sed '/.\+/a\changetype: modify\nadd:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif
      
      ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
                  -f /etc/ldap/fixamba.ldif

   4. If users with 'sambaPwdLastSet = 0' were found and allowing them to login is desired, try:

      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(sambaPwdLastSet=0))' dn | sed '/.\+/a\changetype: modify\nreplace:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif
      
      ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
                 -f /etc/ldap/fixamba.ldif

      See also SambaLDAP.

12.5. DNS service needs to repaired

For lenny Debian Edu has switched to powerdns as nameserver. It's however possible to stay with bind9.

;RFC2782
_ldap._tcp                      IN      SRV     0 100 389 tjener
_syslog._udp                    IN      SRV     0 100 514 tjener

12.6. Nagios setup has changed

Nagios2 is not available in lenny anymore, so nagios3 is now installed.

The nagios3 configuration will already be installed and functional, though the nagios2 configuration won't be functional anymore. If you changed the nagios2 configuration, your changes will be saved in .dpkg-old files, but the changes will not be applied to the nagios3 configuration. So these changes have to be redone manually.

12.7. Recreating an LTSP chroot

On the LTSP server(s) the LTSP chroot should be recreated. The new chroot will automatically support both thin-clients and diskless workstations.

Remove /opt/ltsp/i386 (or /opt/ltsp/amd64, depending on your setup. If you have enough diskspace, consider backing it up.

Recreate the chroot by running debian-edu-ltsp && ltsp-make-client as root.

15.1. Seguimiento de /etc usando el sistema de control de versiones svk

With the introduction of the etcinsvk script in Debian Edu, all files in /etc/ are tracked using svk as a version control system.

This makes it possible to see when a file is added, changed and removed, as well as what was changed if the file is a text file. The svk repository is stored in ~root/.svk/. Every hour any changes are automatically recorded, allowing configuration history to be extracted and reviewed.

To look at the history, the command etcinsvk log is used. To check the differences between two points in time, a command like etcinsvk diff -r6:8 can be used. The numbers 6 and 8 here represent revision numbers, which can be found by using etcinsvk log. See below for some examples.

See the output of etcinsvk --help for verbose information.

Lista de comandos útiles:

etcinsvk diff
etcinsvk log
etcinsvk status
etcinsvk commit
etcinsvk ignore

etcinsvk diff -r6 | less

etcinsvk log | less

etcinsvk diff -rN | less

etcinsvk diff -r46 -r64 /etc/resolv.conf | less

( cd /etc && etcinsvk diff -r6 /etc/resolv.conf | patch -p0 -R )

etcinsvk commit /etc/resolv.conf

etcinsvk ignore /etc/path/to/file/to/be/ignored

15.2. Redimensionando Particiones

Most partitions in Debian Edu are logical LVM volumes. Only the /boot/ partition is not. With the Debian/Etch release of Debian Edu, it is possible to extend partitions while they are mounted. This is a feature of the Linux kernel since version 2.6.10. Shrinking partitions still need to happen while the partition is unmounted.

It is a good idea to avoid creating very large partitions, as large partitions will take a long time to restore from backup if the need should arise, and file system checks take a very long time for large partitions. A good limit can be 20 GiB. It is better, if possible, to create several smaller partitions than one very large one.

To make it easier to extend full partitions, the debian-edu-fsautoresize script is provided. When invoked, it reads the configuration from /usr/share/debian-edu-config/fsautoresizetab, /site/etc/fsautoresizetab and /etc/fsautoresizetab. It proposes to extend partitions with too little free space based on the rules provided in these files. Without any arguments, it will only show the commands needed to extend the file system. The argument -n is needed to actually execute this commands to extend the file systems.

The script is executed automatically every hour on every client listed in the fsautoresize-hosts netgroup.

When resizing the partition used by the Squid proxy, the cache size in etc/squid/squid.conf need to be updated as well. The helper script /usr/share/debian-edu-config/tools/squid-update-cachedir is provided to do this automatically, checking the current partition size of /var/spool/squid/ and configuring Squid to use 80% of this as its cache size.

lvextend -L30G /dev/vg_system/skole+tjener+home0
resize2fs /dev/vg_system/skole+tjener+home0

15.3. Using ldapvi

ldapvi is a tool to edit the LDAP database with a normal text editor on the commandline.

The following needs to be executed:

ldapvi --host ldap -ZZ --bind simple --tls allow -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no'

Then make your changes, safe and quit the editor. That's it!

Alternatively, to save key-strokes try:

ldapvi --ldap-conf -ZD '(cn=admin)'

Note: ldapvi will use whatever is the default editor. By executing export EDITOR=vim in the shell prompt one can configure the enviroment to get a vi clone as editor.

Warning: ldapvi is a very powerful tool. Be careful and don't mess up the LDAP database.

15.4. Using volatile.debian.org

15.5. Using backports.org to install newer software

You are running Debian Edu, because you prefer the stability of Debian Edu. It runs great, there is just one problem: Sometimes software is a little bit more outdated as you like. This is where backports.org steps in.

Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu. We recommend you to pick out single backports which fits your needs, and not to use all backports available there. Please follow the instructions on http://www.backports.org to use these backports.

You will need to add the backports.org archive key to root's gpg keyring, so that apt can use this repository securily. This is done by running these commands as root:

# install the debian-keyring securily:
aptitude install debian-keyring
# fetch the backports.org key insecurily:
gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 16BA136C
# check securily if the key is correct and add it the keyring used by apt if it is:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C && gpg --export 16BA136C | apt-key add -
# add backports.org repo to /etc/apt/sources.list
echo "deb http://www.backports.org/debian lenny-backports main contrib non-free" >> /etc/apt/sources.list
# update the list of available packages:
aptitude update
# Install the keyring package for backports
aptitude install debian-backports-keyring 

Then you can either use aptitude -t lenny-backports install <packagename> to install or update packages once, or you can configure a package to be always installed from backports.org though /etc/apt/preferences. The latter is described in the instructions on backports.org.

The second variant has the advantage, that updates to backports are installed automatically when they are available. With the first variant you need to update manually.

15.6. Java

deb http://ftp.debian.org/debian/ lenny main contrib non-free

# apt-get update

# apt-get install sun-java6-plugin sun-java6-jre sun-java6-fonts

15.7. Creando directorios en el directorio home de los usuarios

With this script the administrator can create a folder in each users home directory and set access permissions and ownership.

In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.

home_path="/skole/tjener/home0";
 shared_folder="assignments";
 permissions="2770";
 created_dir=0;
        for home in $(ls $home_path);do
        . if [ ! -d "$home_path/$home/$shared_folder" ]; then
        . mkdir $home_path/$home/$shared_folder
        chmod $permissions $home_path/$home/$shared_folder
. #set the right owner and group
  #"username" = "group name" = "folder name"
        user=$home
        group=teachers
        chown $user:$group $home_path/$home/$shared_folder
        ((created_dir+=1))
 else
  . echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
 . fi
done
echo "$created_dir folders has been created"

15.8. Easy access to USB drives and CDROMs/DVDs

When users insert a USB drive or DVD/CDROM into a (diskless) workstation, there is a popup windows asking what to do with it, just like in any other normal installation.

When users insert a USB drive or DVD/CDROM into a thin client there is no popup window like they are used to from their usual Desktop. Instead it is automatically mounted and they have to browse to the /media/$user folder to access it.. This is quite difficult for many non experienced users.

With the following script the symlink "Media" is created for all users in the home folder for easy access to USB drives, CDROMs or whatever media is connected to the thin client.

home_path="/skole/tjener/home0"; shared_folder="Media"; permissions="775"; created_dir=0;
for home in $(ls $home_path); do
  if [ ! -d "$home_path/$home/$shared_folder" ]; then
    ln -s /media/$home $home_path/$home/$shared_folder ((created_dir+=1))
  else
    echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
  fi
done
echo "$created_dir folders has been created"

15.9. Automatic cleanup of left-over processes

killer is is a perl script that gets rid of background jobs. Background jobs are defined as processes that belong to users who are not currently logged into the machine. It's run by cron job once an hour.

Due to 551753 (also documented as Debian Edu bug #1373) killer should not be installed on thin-client servers when long usernames are used!

Para instalar ejecuta el siguiente comando como root:

 apt-get install killer

15.10. Automatic shutdown of machines during the night

It is possible to save energy and money by turning off client machines at night, and turn them automatically on in the morning.

There are some considerations to make when doing this:

• The clients should not be shut down when someone is using them. This is done by checking the output from who, and as a special case, checking for the LDM ssh connection command to work with LTSP thin clients.

• To avoid breaking electrical fuses, it is a good idea to make sure all clients do not start at the same time.

• There are two different methods available to wake up clients. One uses a BIOS feature and require a working and correct hardware clock, as well as a motherboard and BIOS version supported by nvram-wakeup, The other require a server with knowledge about all the clients to wake up and for all the clients to have support for wake-on-lan.

  #!/bin/sh
  PATH=/usr/sbin:$PATH
  export PATH
  sitesummary-nodes -w

  #!/bin/sh
  PATH=/usr/sbin:$PATH
  export PATH
  netgroup -h shutdown-at-night-hosts

15.11. Access to skolelinux server from outside a firewall

A boot script open-backdoor is provided in the debian-edu-config package to "break out" from behind a firewall. It is useful for system administrators responsible for several Debian Edu installations. It set up an SSH tunnel to another machine, allowing ssh login from the outside of the firewall.

To enable it, create a ssh key without a password, create a user on a remote host to use for ssh login, copy the public key into ~/.ssh/authorized_keys for the remote user used for and specify the login information in /etc/default/backdoor.

Content of /etc/default/backdoor should be similar to this:

RHOST=admin.example.net
RPORT=1234
RUSER=backdoor

FIXME: paragraph about access from outside need to be completed and tested.

15.12. Instalar máquinas con servicios separados para liberar carga del servidor principal

FIXME: this is so generic its almost useless

• install the minimal profile using the debian-edu-expert boot-option

• install the packages for the service

• configure the service

• disable the service on main-server

• actualiza DNS en el servidor principal

15.13. Configurando el menú PXE

The PXE configuration is generated using the debian-edu-pxeinstall script. It allow some settings to be overriden by adding a file /etc/debian-edu/pxeinstall.conf with replacement values.

MENU PASSWD $4$NDk0OTUzNTQ1NTQ5$7d6KvAlVCJKRKcijtVSPfveuWPM$

15.14. HowTos from wiki.debian.org

The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)

• http://wiki.debian.org/DebianEdu/HowTo/AutoNetRespawn

• http://wiki.debian.org/DebianEdu/HowTo/BackupPC

• http://wiki.debian.org/DebianEdu/HowTo/ChangeIpSubnet

• http://wiki.debian.org/DebianEdu/HowTo/SiteSummary

• http://wiki.debian.org/DebianEdu/HowTo/Squid_LDAP_Authentication

16.1. KDE Kiosk mode

Dos perfiles por defecto son incluidos:

debian_edu_pupils (enabled for members of the students file group)

• customized set of icons appears on student desktops

• makes sure that the programs behind the desktop icons also show up in the kde panel

• adept is not started

• makes sure that students cannot start another kde session

• disables possibility to gain root access for students

debian_edu_root (enabled for the root user and members of the admins file group)

• adds a desktop icon to connect to the local webserver on tjener to provide easy access to all the administration programs

Note:: modifications to the profiles can be done using kiosktool. However, unless you follow the step below, your changes will be overwritten by upgrades. FIXME: this is broken and a bug should be filed: kiosktool upgrades restore default desktop icons

If you want to modify the kiosk profiles, you can either copy the existing ones and modify them, or create new kiosk profiles in (for example) /etc/kde3/kioskprofiles/ and enable them in /etc/kde-user-profile. The kiosk tool will do this for you if you click "profile properties" and browse to a new folder.

16.2. Changing kioskmode on diskless workstations

After you have made changes to the kioskmode settings with kiosktool like described above, you will have to copy some files inside the chroot used by the diskless workstation.

Assuming the diskless workstations are running i386, the following commands must be executed on the workstation server(s):

export LTSPCHROOT=/opt/ltsp/i386/
cp -rv /etc/kde-profile/ $LTSPCHROOT/etc/
cp -v /etc/kderc $LTSPCHROOT/etc/
cp -v /etc/kde-user-profile $LTSPCHROOT/etc/
unset LTSPCHROOT

Else replace i386 with amd64 or powerpc as applicable.

16.3. Modifying the kdm login screen

In Debian/Etch, the way to customize the kdm login screen was changed. Now, it is done by adding a file in /etc/default/kdm.d/ specifying variables to override the default.

Here is one example used to activate the theme in the desktop-base package:

USETHEME="true"
THEME="/usr/share/apps/kdm/themes/debian-moreblue"

See the code in /etc/init.d/kdm for information on how these variables are used.

16.4. Flash

The free software flash-player gnash is installed by default, but switching to Adobe Flash is an option. To install the (non-free) Adobe Flash Player web browser plugin, install the flashplugin-nonfree debian package from backports.org.

Hay tres requerimientos para hacerlo:

• add backports.org to /etc/apt/sources.list as decribed in the general adminstration howtos

• add the following lines to /etc/apt/preferences (the file probably does not exist, so you might have to create it):

Package: flashplugin-nonfree
Pin: release a=lenny-backports
Pin-priority: 999

• as the flashplugin-nonfree package is only an installer-package (and does not contain the flashplugin itself, for legal reasons), it also requires a working internet connection as it will download the precompiled binary from Adobes website.

16.5. Reproduciendo DVDs

libdvdcss is needed for playing most commercial! DVDs. For legal reasons it's not included in Debian (Edu). If you are legally allowed to use it, you can use the packages from debian-multimedia.org. Add the multimedia repository (as described just below this paragraph) and install multimedia and dvd libraries:

apt-get install libdvdcss2 w32codecs

16.6. Usando el repositorio multimedia

Para usar www.debian-multimedia.org has lo siguiente

# install the debian-keyring securily:
apt-get install debian-keyring
# fetch the debian-multimedia key insecurily:
gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 1F41B907
# check securily if the key is correct and add it to the keyring used by apt if it is:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 1F41B907 && gpg --export 1F41B907 | apt-key add -
# add repository to sources.list - please check the homepages for mirrors!
echo "deb http://debian-multimedia.org lenny main" >> /etc/apt/sources.list
# update the list of available packages:
apt-get update

16.7. Handwriting fonts

The package ttf-linex (which is installed by default) installs the font "Abecedario" which is a nice handwriting font for kids. The font has several forms to be used with kids: dotted, and with lines.

17.1. Introduction to Thin clients and Diskless workstations

One generic term for both thin clients and diskless workstations is LTSP client. LTSP is the Linux Terminal Server Project.

Thin client

A thin client setup enables a ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots from a diskette or directly from the server using network-PROM (or PXE) without using a local client hard drive.

Diskless workstation

A diskless workstation runs all software locally. The client machines boot direcly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but it runs on the diskless workstation. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing newer hardware with the same low maintanence cost as with thin clients.

ln -s /var/lib/tftpboot/debian-edu/default-diskless.cfg /var/lib/tftpboot/pxelinux.cfg/default

ln -s /var/lib/tftpboot/debian-edu/default-thin.cfg /var/lib/tftpboot/pxelinux.cfg/default

/var/lib/tftpboot/ltsp/i386/pxelinux.cfg/default

 DEFAULT ltsp/i386/vmlinuz initrd=ltsp/i386/initrd.img nfsroot=10.0.2.10:/opt/ltsp/i386 boot=nfs ro quiet 3

ldapmodify -x -Z -W -D cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no -f ext_static.ldif

17.2. LTSP en detalle

[192.168.0.10]
X_MODE_0 = 1280x1024
X_HORZSYNC = "60-70"
X_VERTREFRESH = "59-62"

subnet 10.0.2.0 netmask 255.255.254.0 {
        range 10.0.2.100 10.0.3.242;
        }

filename "/var/lib/tftpboot/ltsp/i386/pxelinux.0";
next-server xxx;
option root-path "/opt/ltsp/i386";
option log-servers ltspserver01;
use-host-decl-names on;

MY_SERVER_LIST = "xxxx xxxx xxxx"

# Randomize the server list contained in MY_SERVER_LIST parameter
TMP_LIST=""
SHUFFLED_LIST=""
for i in $MY_SERVER_LIST; do
rank=$RANDOM
let "rank %= 100"
TMP_LIST="$TMP_LIST\n${rank}_$i"
done
TMP_LIST=$(echo -e $TMP_LIST | sort)
for i in $TMP_LIST; do
SHUFFLED_LIST="$SHUFFLED_LIST $(echo $i | cut -d_ -f2)"
done
echo $SHUFFLED_LIST

chroot /opt/ltsp/i386
aptitude update
aptitude upgrade
aptitude dist-upgrade
exit

chroot /opt/ltsp/i386
## optionally, edit the sources.list:
#vim /etc/apt/sources.list
aptitude update
aptitude install $new_package
exit

LDM_DIRECTX=True

17.3. Replacing LDM with KDM

Skolelinux 3.0 is running LDM as a login manager. It uses a secure ssh tunnel to log in. When using KDM a switch to XDMCP is neccesary. XDMCP uses less CPU ressources on the clients and on the server.

Warning: XDMCP does not use encryption. Passwords will travel in cleartext over the network, as well as anything else.

Note: local devices with ltspfs will stop working without LDM.

To check if XDMCP is running, run this command from a workstation:

 X -query ltspserverXX

If you are on the thin client network, please run this command:

 X -query 192.168.0.254

The goal is to let your "real" thin client to contact the xdmcp-server on the 192.168.0.254 net (given a standard Skolelinux configuration).

If by some reason xdmcp is accessible on your server which runs KDM , please add the following to /etc/kde3/kdm/Xaccess

 * # any host can get a login window

The star before the comment '#' is important, rest is a comment of course

Then turn on xdmcp in kdm with the command:

 sudo update-ini-file /etc/kde3/kdm/kdmrc Xdmcp Enable true

At the end please restart kdm by running:

 sudo invoke-rc.d kdm restart

(in courtesy of Finn-Arne Johansen)

17.4. Connecting Windows machines to the network / Windows integration

/usr/bin/net groupmap add unixgroup=students \
             type=domain ntgroup="students" \
             comment="All students in the school"

logon path = ""
logon home = ""

17.5. Remote Desktops with RDP, VNC, NX or Citrix

Some municipalities provide a remote desktop solution so that students and teachers can access Skolelinux from their home computer running Windows, Mac or Linux.

• RDP - the easiest way to access Windows terminal server. Just install the rdesktop package.

• VNC client (Virtual Network Computer) gives access to Skolelinux remotely. Just install the xvncviewer package.

• NX graphical client gives students and teachers access to Skolelinux remotely on Windows, Mac or Linux PC. One municipality in Norway has provided NX support to all their students since 2005. They report that the solution is stable.

• Citrix ICA client HowTo to access Windows terminal server from Skolelinux.

17.6. HowTos from wiki.debian.org

The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)

• http://wiki.debian.org/DebianEdu/HowTo/LocalDeviceLtspfs

• http://wiki.debian.org/DebianEdu/HowTo/LtspDisklessWorkstation

18.1. Moodle

Run aptitude install moodle as root to install moodle.

Moodle is a course management system (CMS) - a free, Open Source software package designed using sound pedagogical principles, to help educators create effective online learning communities. You can download and use it on any computer you have handy (including webhosts), yet it can scale from a single-teacher site to a University with 200,000 students. Some schools in France use moodle to keep track of students' facilities and credit points.

There are moodle sites all over the world, mostly concentrated in Europe and North America. Check the site of an institution near you to get an idea about it. More information is available at the moodle project page, including documentation and support.

18.2. Monitoring pupils

Some schools use control tools like Controlaula or Italc to supervise their students.

Take a look at their wiki: http://italc.sourceforge.net/wiki/index.php?title=Main_Page

FIXME: explain how to install and use italc - 511387 explains this quite well actually.

apt-get install italc-client italc-master

Warning: monitoring humans might be unethical and illegal in your jurisdiction.

18.3. Restricting pupils network access

Some schools use squidguard or dansguardian to restrict internet access. FIXME: explain how to install and use squidguard and/or dansguardian

Warning: restricting access to information or freedom of speech might be unethical and illegal in your jurisdiction.

18.4. Installing swi-prolog

swi-prolog was available in sarge, but was not part of etch, but it was possible to install the sarge version on etch. Lenny again ships swi-prolog so installing is very easy. Just apt-get install swi-prolog and be done

18.5. HowTos from wiki.debian.org

The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)

• http://wiki.debian.org/DebianEdu/HowTo/TeacherFirstStep - incomplete but interesting

19.1. Changing passwords

Every student should use the shorcut on their Desktop, which should point to something like https://ldap/lwat/chguserpw.php?username=$(id -un). (On Windows they have to manually put in their username.)

Using lwat to change their password, ensures that linux (userPassword) and samba (sabmaNTPassword and smbaLMPassword) passwords are the same.

19.2. Changing the sound volume

On local machines, which are workstations and LTSP servers, and diskless workstations, kmix works as usual. alsamixer can also be used to change the sound volume.

On thin clients, pavucontrol works, and so does alsamixer but kmix does not work at all.

19.3. Using email

Every user can send and receive mails within the internal network. The following paragraphs describe how to configure kmail for each user.

To be able to send and receive mails outside the internal network, the adminstrator needs to configure the mailserver exim4 according to the local situation, dpkg-reconfigure exim4-config is a good first step to do this.

20.1. Let us know you exist

There are Debian Edu users all over the world. A very easy form of contribution is to let us know you exist and use Debian Edu - this motivates us very much and therefore is already a valuable contribution.

The Debian Edu projects provide a database of schools and users of the system to help the users find each other, and also to have an idea about where the users of the distribution are located. Please let us know about your installation, by registering in this database. To register your school, use this web form.

20.2. Contribute locally

Currently there are local teams in Norway, Germany, the region of Extremadura in Spain, Taiwan and France. "Isolated" contributors and users exist in Greece, the Netherlands, Japan and elsewhere.

The support chapter explains and links to localized ressources, as contribute and support are two sides of the same coin.

20.3. Contribute globally

Internationally we are organized in different teams working on different subjects.

The developer mailing list is most of the time our main medium for communication, though we have monthly meetings on IRC on #debian-edu on irc.debian.org and less frequently even real gatherings, where we meet each other in person. New contributors should read our http://wiki.debian.org/DebianEdu/ArchivePolicy.

A good way to learn what is happening in the development of Debian Edu is to subscribe to the commit mailinglist.

20.4. Documentation writers and translators

This document needs your help! First and foremost, it is not finished yet: If you read it, you will notice various FIXMEs within the text. If you happen to know (a bit of) what needs to be explained there, please consider sharing your knowledge with us.

The source of the text is a wiki and can be edited with a simple webbrowser. Just go to http://wiki.debian.org/DebianEdu/Documentation/Lenny/ and you can contribute easily. Note: An user account is needed to edit the pages, you need to create a wiki user first.

Another very good way to contribute and to help users is by translating software and documentation. Information how to translate this document can be found in the translation chapter of this book. Please consider to help the translation effort of this book!

21.1. Soporte basado en voluntarios

21.2. Soporte profesional

Lists of companies providing professional support are available from http://wiki.debian.org/DebianEdu/Help/ProfessionalHelp.

24.1. HowTo translate this document

As in many free software projects, translations of this document are kept in .po files. More information about the process can be found in /usr/share/doc/debian-edu-doc/README.debian-edu-lenny-manual-translations. The svn-repository (see below) contains this file too. Take a look there and at the language specific conventions if you want to help translating this document.

To commit your translations you need to be a member of the alioth project debian-edu. To translate, you just need to check out some files from from svn (which can be done anonymously) and create patches. Please file a bug against the debian-edu-doc package and attach the .po file to the bugreport. Find some instructions on how to submit bugs here.

You can checkout the debian-edu-doc source anonymously with the following command (you need to have the subversion package installed for this to work):

• svn co svn://svn.debian.org/svn/debian-edu/trunk/src/debian-edu-doc

Then edit the documentation/debian-edu-lenny/debian-edu-lenny-manual.$CC.po (where you replace $CC with your language code). There are many tools for translating available, we suggest to use kbabel.

Then you either commit the file directly to svn (if you have the rights to do so) or send the file to the bugreport.

To update your local copy of the repository use the following command inside the debian-edu-doc directory:

• svn up

Read /usr/share/doc/debian-edu-doc/README.debian-edu-lenny-manual-translations to find information how to create a new .po file for your language if there is none yet, and how to update translations.

Basic information about Alioth (the host where our SVN repository is located) and SVN is available at http://wiki.debian.org/Alioth/Svn.

If you are new to SVN, look at the SVN book, it has a chapter on the basic workflow with SVN. Also you might want to look at he kdesvn package if you prefer a GUI client for SVN instead of using the commandline client.

Please report any problems.

25.1. Manual for Debian Edu 5.0r0+edu0 Codename "Lenny"

Copyright (C) 2007-2009 Holger Levsen < holger@layer-acht.org > and others, see the Copyright chapter for the full list of copyright owners.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

25.2. LICENCIA PUBLICA GENERAL GNU

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

25.3. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

• a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

  b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

  c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

• a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

  b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

  c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

25.4. END OF TERMS AND CONDITIONS

26.1. Features of the Standalone image

• Almost all packages from the Standalone profile

• All packages from the laptop task

• Perfil de escritorio KDE para estudiantes

26.2. Activating translations and regional support

To activate a specific translation, boot using locale=ll_CC.UTF-8 as a boot option, where ll_CC.UTF-8 is the locale name you want. To aciviate a given keyboard layout, use the keyb=KB option where KB is the wanted keyboard layout. More information on this feature is available from the live cd build script documentation. Here is a list of commonly used locale codes:

A complete list of locale codes is available in /usr/share/i18n/SUPPORTED, but only the UTF-8 locales are supported by the live images. Not all locales have translations installed, though. The keyboard layout names can be found in /usr/share/keymaps/i386/.

26.3. Stuff to know

• the password for the user is "user", root has no passwd set.

26.4. Known issues with the image

• there are no lenny images yet

26.5. Download

The image is 1.2 GiB and currently NOT available using FTP, HTTP or rsync from ftp.skolelinux.org at cd-lenny-live/.