Title: Thoughts on roaming laptop setup for Debian Edu
Tags: english, nuug, debian edu
<p>For some years now, I have wondered how we should handle laptops in
Debian Edu. The Debian Edu infrastructure is mostly designed to
handle stationary computers, and less suited for computers that come
<p>Now I finally believe I have a sensible idea on how to adjust
Debian Edu for laptops, by introducing a new profile for them, for
example called Roaming Workstations. Here are my thoughts on this.
The setup would consist of the following:</p>
<li>During installation, the user name of the owner / primary user of
the laptop is requested and a local home directory is set up for
the user, with uid and gid information fetched from the LDAP
server. This allows the user to work when offline too. The
central home directory can be available in a subdirectory on
request, for example mounted via CIFS. It could be mounted
automatically when a user logs in while on the Debian Edu network
and unmounted when the machine is taken away (network down,
hibernate, etc.), it could be set up to mount automatically on
request (using autofs), or perhaps some GUI button on the desktop
could be used to access it when needed. Perhaps it is enough to use
the fish protocol in KDE?</li>
<li>Password checking is set up to use LDAP or Kerberos
authentication when the machine is on the Debian Edu network, and
to cache the password for offline checking when the machine is unable
to reach the LDAP or Kerberos server. This can be done using the
<a href="http://www.padl.com/OSS/pam_ccreds.html">libpam-ccreds</a>
or the Fedora-developed
<a href="https://fedoraproject.org/wiki/Features/SSSD">System
Security Services Daemon</a> packages.</li>
<li>File synchronisation with the central home directory is set up
using a shared directory in both the local and the central home
directory, using unison.</li>
<li>Printing should be set up to print to all printers broadcasting
their existence on the local network, and should then work out of
the box with CUPS. For sites needing accurate printer quotas, some
system with Kerberos authentication or printing via ssh could be
<li>For users that should have local root access to their laptop,
sudo should be used to grant this to the local user.</li>
<li>It would be nice if user and group information from LDAP were
cached on the client, but given that there are entries for the
local user and primary group in /etc/, it should not be needed.</li>
<p>I believe all the pieces to implement this are in Debian/testing at
the moment. If we work quickly, we should be able to get this ready
in time for the Squeeze release to freeze. Some of the pieces need
tweaking: libpam-ccreds should get support for pam-auth-update
(<a href="http://bugs.debian.org/566718">#566718</a>), and nslcd (or
perhaps debian-edu-config) should get some integration code to stop
its daemon when the LDAP server is unavailable, to avoid long timeouts
when disconnected from the net. If we get Kerberos enabled, we need
to make sure we avoid long timeouts there too.</p>
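<p>One way to write the nslcd integration code mentioned above, as an
added example rather than code from Debian Edu or nslcd: a hook that
probes the LDAP server with a bounded timeout and starts or stops the
daemon accordingly. The server URI, the timeout value and the
<tt>--apply</tt> argument are assumptions.</p>

```shell
#!/bin/sh
# Added example (not Debian Edu or nslcd code): keep nslcd running only
# while the LDAP server answers, so that NSS lookups on a roaming laptop
# fall back to the local entries in /etc/ instead of waiting on timeouts.
# Assumed values: LDAP_URI is a placeholder, PROBE_TIMEOUT and the
# --apply argument are hypothetical names chosen for this example.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"   # seconds, for connect and search

# Anonymous read of the root DSE with hard network and search limits.
# With an ldaps:// URI the probe succeeds only if the TLS handshake passes
# the client's ldap.conf certificate settings, so an open port on a
# foreign network is not mistaken for the school's server.
ldap_reachable() {
    ldapsearch -x -H "$LDAP_URI" -s base -b "" -LLL \
        -l "$PROBE_TIMEOUT" -o nettimeout="$PROBE_TIMEOUT" \
        '(objectClass=*)' namingContexts >/dev/null 2>&1
}

nslcd_running() { service nslcd status >/dev/null 2>&1; }
service_ctl()   { service nslcd "$1" >/dev/null; }

# Bring nslcd in line with server reachability.
# Prints the action taken: start, stop, none or failed.
sync_nslcd() {
    if ldap_reachable; then
        nslcd_running && { echo none; return 0; }
        action=start
    else
        nslcd_running || { echo none; return 0; }
        action=stop
    fi
    if service_ctl "$action"; then echo "$action"; else echo failed; fi
}

# Only act when asked to, so the file can also be sourced for its functions.
case "${1:-}" in
    --apply) sync_nslcd ;;
esac
```

<p>The script could be called with <tt>--apply</tt> from hooks in
/etc/network/if-up.d/ and /etc/network/if-post-down.d/; that placement
is an assumption, not something Debian Edu ships.</p>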
<p>If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.</p>