For some years now, I have wondered how we should handle laptops in +Debian Edu. The Debian Edu infrastructure is mostly designed to +handle stationary computers, and less suited for computers that come +and go.
+ +Now I finally believe I have an sensible idea on how to adjust +Debian Edu for laptops, by introducing a new profile for them, for +example called Roaming Workstations. Here are my thought on this. +The setup would consist of the following:
+ +-
+
+
- During installation, the user name of the owner / primary usre of + the laptop is requested and a local home directory is set up for + the user, with uid and gid information fetched from the LDAP + server. This allow the user to work also when offline. The + central home directory can be available in a subdirectory on + request, for example mounted via CIFS. It could be mounted + automatically when a user log in while on the Debian Edu network, + and unmounted when the machine is taken away (network down, + hibernate, etc), it can be set up to do automatic mounting on + request (using autofs), or perhaps some GUI button on the desktop + can be used to access it when needed. Perhaps it is enough to use + the fish protocol in KDE? + +
- Password checking is set up to use LDAP or Kerberos + authentication when the machine is on the Debian Edu network, and + to cache the password for offline checking when the machine unable + to reach the LDAP or Kerberos server. This can be done using + libpam-ccreds + or the Fedora developed + System + Security Services Daemon packages. + +
- File synchronisation with the central home directory is set up + using a shared directory in both the local and the central home + directory, using unison. + +
- Printing should be set up to print to all printers broadcasting + their existence on the local network, and should then work out of + the box with CUPS. For sites needing accurate printer quotas, some + system with Kerberos authentication or printing via ssh could be + implemented. + +
- For users that should have local root access to their laptop, + sudo should be used to allow this to the local user. + +
- It would be nice if user and group information from LDAP is + cached on the client, but given that there are entries for the + local user and primary group in /etc/, it should not be needed. + +
I believe all the pieces to implement this are in Debian/testing at +the moment. If we work quickly, we should be able to get this ready +in time for the Squeeze release to freeze. Some of the pieces need +tweaking, like libpam-ccreds should get support for pam-auth-update +(#566718) and nslcd (or +perhaps debian-edu-config) should get some integration code to stop +its daemon when the LDAP server is unavailable to avoid long timeouts +when disconnected from the net. If we get Kerberos enabled, we need +to make sure we avoid long timeouts there too.
+ +If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.
+