[homepage.git] / blog / tags / debian edu / debian edu.rss

<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
        <channel>
                <title>Petter Reinholdtsen - Entries tagged debian edu</title>
                <description>Entries tagged debian edu</description>
                <link>../../</link>

        
        <item>
                <title>The sorry state of multimedia browser plugins in Debian</title>
                <link>../../The_sorry_state_of_multimedia_browser_plugins_in_Debian.html</link>        
                <guid isPermaLink="true">../../The_sorry_state_of_multimedia_browser_plugins_in_Debian.html</guid>
                <pubDate>Tue, 25 Nov 2008 00:10:00 +0100</pubDate>
                <description>
&lt;p&gt;Recently I have spent some time evaluating the multimedia browser
plugins available in Debian Lenny, to see which one we should use by
default in Debian Edu.  We need an embedded video playing plugin with
control buttons to pause or stop the video, and capable of streaming
all the multimedia content available on the web.  The test results and
notes are available on
&lt;a href=&quot;http://wiki.debian.org/DebianEdu/BrowserMultimedia&quot;&gt;the
Debian wiki&lt;/a&gt;.  I was surprised how few of the plugins are able to
fill this need.  My personal video player favorite, VLC, has a really
bad plugin which fail on a lot of the test pages.  A lot of the MIME
types I would expect to work with any free software player (like
video/ogg), just do not work.  And simple formats like the
audio/x-mplegurl format (m3u playlists), just isn&#39;t supported by the
totem and vlc plugins.  I hope the situation will improve soon.  No
wonder sites use the proprietary Adobe flash to play video.&lt;/p&gt;

&lt;p&gt;For Lenny, we seem to end up with the mplayer plugin.  It seem to
be the only one fitting our needs. :/&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Devcamp brought us closer to the Lenny based Debian Edu release</title>
                <link>../../Devcamp_brought_us_closer_to_the_Lenny_based_Debian_Edu_release.html</link>        
                <guid isPermaLink="true">../../Devcamp_brought_us_closer_to_the_Lenny_based_Debian_Edu_release.html</guid>
                <pubDate>Sun, 7 Dec 2008 12:00:00 +0100</pubDate>
                <description>
&lt;p&gt;This weekend we had a small developer gathering for Debian Edu in
Oslo.  Most of Saturday was used for the general assemly for the
member organization, but the rest of the weekend I used to tune the
LTSP installation.  LTSP now work out of the box on the 10-network.
Acer Aspire One proved to be a very nice thin client, with both
screen, mouse and keybard in a small box.  Was working on getting the
diskless workstation setup configured out of the box, but did not
finish it before the weekend was up.&lt;/p&gt;

&lt;p&gt;Did not find time to look at the 4 VGA cards in one box we got from
the Brazilian group, so that will have to wait for the next
development gathering.  Would love to have the Debian Edu installer
automatically detect and configure a multiseat setup when it find one
of these cards.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Endelig norsk stavekontroll med støtte for ord med bindestrek</title>
                <link>../../Endelig_norsk_stavekontroll_med_st__tte_for_ord_med_bindestrek.html</link>        
                <guid isPermaLink="true">../../Endelig_norsk_stavekontroll_med_st__tte_for_ord_med_bindestrek.html</guid>
                <pubDate>Fri, 26 Dec 2008 11:00:00 +0100</pubDate>
                <description>
&lt;p&gt;Etter flere års mislykkede forsøk på å skrive om byggesystemet for
&lt;a href=&quot;http://no.speling.org/&quot;&gt;den norske stavekontrollen for bokmål
og nynorsk&lt;/a&gt; til å ikke bruke bindestrek som ordskillemarkør, lyktes jeg
endelig første juledag.  Bruken av bindestrek som ordskillemarkør har
gjort det umulig å få med ord med bindestrek i
stavekontrolldatagrunnlaget, slik at ord som e-post og CD-spiller ikke
kunne godtas av stavekontrollen.  Hadde litt tid til overs å bruke på
stavekontrollen, og satte meg ned med to kopier av byggsystemet og en
liten testdatafil, og byttet ut - med = på utvalgte steder i
byggsystemet og datafilen helt til jeg fikk samme resultat med det
gamle og det nye byggsystemet.  Dette tror jeg var forsøk 4, der de
foregående har feilet uten at jeg klarte å forstå hvorfor.  Det sier
kanskje litt om kompleksiteten i det originale byggsystemet som Rune
Kleveland laget i sin tid.&lt;/p&gt;

&lt;p&gt;Etter å ha endret byggsystemet, var neste steg å importere ordene
med bindestrek.  Vi har en rekke slike i databasene for
&lt;a href=&quot;http://tyge.sslug.dk/~korsvoll/nb.speling.org/htdocs/&quot;&gt;bokmål&lt;/a&gt;
og
&lt;a href=&quot;http://tyge.sslug.dk/~korsvoll/nn.speling.org/htdocs/&quot;&gt;nynorsk&lt;/a&gt;
for korrektur av datagrunnlaget for stavekontrollen, og etter importen
skulle nå 10350 nye ord bli godkjent som korrekt stavede ord av
stavekontrollen.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Endelig er Debian Lenny gitt ut</title>
                <link>../../Endelig_er_Debian_Lenny_gitt_ut.html</link>        
                <guid isPermaLink="true">../../Endelig_er_Debian_Lenny_gitt_ut.html</guid>
                <pubDate>Sun, 15 Feb 2009 11:50:00 +0100</pubDate>
                <description>
&lt;p&gt;Endelig er &lt;a href=&quot;http://www.debian.org/&quot;&gt;Debian&lt;/a&gt;
&lt;a href=&quot;http://www.debian.org/News/2009/20090214&quot;&gt;Lenny&lt;/a&gt; gitt ut.
Et langt steg videre for Debian-prosjektet, og en rekke nye
programpakker blir nå tilgjengelig for de av oss som bruker den
stabile utgaven av Debian.  Neste steg er nå å få
&lt;a href=&quot;http://www.skolelinux.org/&quot;&gt;Skolelinux&lt;/a&gt; /
&lt;a href=&quot;http://wiki.debian.org/DebianEdu/&quot;&gt;Debian Edu&lt;/a&gt; ferdig
oppdatert for den nye utgaven, slik at en oppdatert versjon kan
slippes løs på skolene.  Takk til alle debian-utviklerne som har
gjort dette mulig.  Endelig er f.eks. fungerende avhengighetsstyrt
bootsekvens tilgjengelig i stabil utgave, vha pakken
&lt;tt&gt;insserv&lt;/tt&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Time for new  LDAP schemas replacing RFC 2307?</title>
                <link>../../Time_for_new__LDAP_schemas_replacing_RFC_2307_.html</link>        
                <guid isPermaLink="true">../../Time_for_new__LDAP_schemas_replacing_RFC_2307_.html</guid>
                <pubDate>Sun, 29 Mar 2009 20:30:00 +0200</pubDate>
                <description>
&lt;p&gt;The state of standardized LDAP schemas on Linux is far from
optimal.  There is RFC 2307 documenting one way to store NIS maps in
LDAP, and a modified version of this normally called RFC 2307bis, with
some modifications to be compatible with Active Directory.  The RFC
specification handle the content of a lot of system databases, but do
not handle DNS zones and DHCP configuration.&lt;/p&gt;

&lt;p&gt;In &lt;a href=&quot;http://www.skolelinux.org/&quot;&gt;Debian Edu/Skolelinux&lt;/a&gt;,
we would like to store information about users, SMB clients/hosts,
filegroups, netgroups (users and hosts), DHCP and DNS configuration,
and LTSP configuration in LDAP.  These objects have a lot in common,
but with the current LDAP schemas it is not possible to have one
object per entity.  For example, one need to have at least three LDAP
objects for a given computer, one with the SMB related stuff, one with
DNS information and another with DHCP information.  The schemas
provided for DNS and DHCP are impossible to combine into one LDAP
object.  In addition, it is impossible to implement quick queries for
netgroup membership, because of the way NIS triples are implemented.
It just do not scale.  I believe it is time for a few RFC
specifications to cleam up this mess.&lt;/p&gt;

&lt;p&gt;I would like to have one LDAP object representing each computer in
the network, and this object can then keep the SMB (ie host key), DHCP
(mac address/name) and DNS (name/IP address) settings in one place.
It need to be efficently stored to make sure it scale well.&lt;/p&gt;

&lt;p&gt;I would also like to have a quick way to map from a user or
computer and to the net group this user or computer is a member.&lt;/p&gt;

&lt;p&gt;Active Directory have done a better job than unix heads like myself
in this regard, and the unix side need to catch up.  Time to start a
new IETF work group?&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Returning from Skolelinux developer gathering</title>
                <link>../../Returning_from_Skolelinux_developer_gathering.html</link>        
                <guid isPermaLink="true">../../Returning_from_Skolelinux_developer_gathering.html</guid>
                <pubDate>Sun, 29 Mar 2009 21:00:00 +0200</pubDate>
                <description>
&lt;p&gt;I&#39;m sitting on the train going home from this weekends Debian
Edu/Skolelinux development gathering.  I got a bit done tuning the
desktop, and looked into the dynamic service location protocol
implementation avahi.  It look like it could be useful for us.  Almost
30 people participated, and I believe it was a great environment to
get to know the Skolelinux system.  Walter Bender, involved in the
development of the Sugar educational platform, presented his stuff and
also helped me improve my OLPC installation.  He also showed me that
his Turtle Art application can be used in standalone mode, and we
agreed that I would help getting it packaged for Debian.  As a
standalone application it would be great for Debian Edu.  We also
tried to get the video conferencing working with two OLPCs, but that
proved to be too hard for us.  The application seem to need more work
before it is ready for me.  I look forward to getting home and relax
now. :)&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>BSAs påstander om piratkopiering møter motstand</title>
                <link>../../BSAs_p__stander_om_piratkopiering_m__ter_motstand.html</link>        
                <guid isPermaLink="true">../../BSAs_p__stander_om_piratkopiering_m__ter_motstand.html</guid>
                <pubDate>Sun, 17 May 2009 23:05:00 +0200</pubDate>
                <description>
&lt;p&gt;Hvert år de siste årene har BSA, lobbyfronten til de store
programvareselskapene som Microsoft og Apple, publisert en rapport der
de gjetter på hvor mye piratkopiering påfører i tapte inntekter i
ulike land rundt om i verden.  Resultatene er tendensiøse.  For noen
dager siden kom
&lt;a href=&quot;http://global.bsa.org/globalpiracy2008/studies/globalpiracy2008.pdf&quot;&gt;siste
rapport&lt;/a&gt;, og det er flere kritiske kommentarer publisert de siste
dagene.  Et spesielt interessant kommentar fra Sverige,
&lt;a href=&quot;http://www.idg.se/2.1085/1.229795/bsa-hoftade-sverigesiffror&quot;&gt;BSA
höftade Sverigesiffror&lt;/a&gt;, oppsummeres slik:&lt;/p&gt;

&lt;blockquote&gt;
I sin senaste rapport slår BSA fast att 25 procent av all mjukvara i
Sverige är piratkopierad. Det utan att ha pratat med ett enda svenskt
företag. &quot;Man bör nog kanske inte se de här siffrorna som helt
exakta&quot;, säger BSAs Sverigechef John Hugosson.
&lt;/blockquote&gt;

&lt;p&gt;Mon tro om de er like metodiske når de gjetter på andelen piratkopiering i Norge?  To andre kommentarer er &lt;a
href=&quot;http://www.vnunet.com/vnunet/comment/2242134/bsa-piracy-figures-shot-reality&quot;&gt;BSA
piracy figures need a shot of reality&lt;/a&gt; og &lt;a
href=&quot;http://www.michaelgeist.ca/content/view/3958/125/&quot;&gt;Does The WIPO
Copyright Treaty Work?&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Fant lenkene via &lt;a
href=&quot;http://tech.slashdot.org/article.pl?sid=09/05/17/1632242&quot;&gt;oppslag
på Slashdot&lt;/a&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Endelig operativt webbasert medlemsregister for Fri programvare i skolen</title>
                <link>../../Endelig_operativt_webbasert_medlemsregister_for_Fri_programvare_i_skolen.html</link>        
                <guid isPermaLink="true">../../Endelig_operativt_webbasert_medlemsregister_for_Fri_programvare_i_skolen.html</guid>
                <pubDate>Mon, 2 Nov 2009 22:40:00 +0100</pubDate>
                <description>
&lt;p&gt;Under helgens utviklersamling i
&lt;a href=&quot;http://www.skolelinux.no/&quot;&gt;Skolelinux&lt;/a&gt; fikk jeg endelig
satt meg ned sammen med Ronny Aasen i styret for å få et webbasert
medlemsregister tilbake på plass for foreningen som passer på
skolelinuxprosjektet.  Etter flere års knot og problemer, er nå
memberdb satt opp og klart til bruk.  Import av det gamle
medlemsregisteret har vist seg vanskelig, så alle medlemmer bes om å
registrere seg på nytt.  Hvis du støtter FRiSKs formål så er du
hjertelig velkommen til
&lt;a href=&quot;http://medlem.friprogramvareiskolen.no/&quot;&gt;å melde deg
inn&lt;/a&gt;. Formålet lyder:&lt;/p&gt;

&lt;blockquote&gt;Linux i skolen skal tilrettelegge for og informere om bruk
av fri programvare, i henhold til Debian Free Software Guidelines av
2002-02-03, i den norske skolen, slik som f.eks. Linux og
GNU.&lt;/blockquote&gt;
</description>
        </item>
        
        <item>
                <title>Opphavet til Skolelinux-prosjektet</title>
                <link>../../Opphavet_til_Skolelinux_prosjektet.html</link>        
                <guid isPermaLink="true">../../Opphavet_til_Skolelinux_prosjektet.html</guid>
                <pubDate>Thu, 17 Dec 2009 10:50:00 +0100</pubDate>
                <description>
&lt;p&gt;De færreste er klar over at Skolelinux-prosjektet kom som et resultat
av en avgjørelse på årsmøtet i
&lt;a href=&quot;http://www.nuug.no/&quot;&gt;NUUG&lt;/a&gt; i 2000-06-29, der Håkon Wium
Lie, da varamedlem i styret, tok på seg oppdraget om å starte et
initiativ kalt &quot;Teach the Teacher&quot;, som skulle være et initiativ for
å få fri programvare og unix-lignende operativsystemer inn i Skolen.
Tanken var at en måtte starte med lærerne for at ungene skulle få
mulighet til å møte en bedre IT-hverdag.  Jeg var tilstede på
møtet, og hadde sans for ideen, men intet skjedde.  På vårparten
2001 ble det arrangert en demonstrasjon i anledning at First Tuesday
hadde invitert Microsoft til et møte for å fortelle om fremtidens
Internet.  Dette provoserte endel av oss, og EFN og NUUG tok initiativ
til å arrangere
&lt;a href=&quot;http://www.digi.no/60982/first-tuesday-mote-med-microsoft-protest&quot;&gt;en
demonstrasjon utenfor lokalene 2001-05-21&lt;/a&gt;.  Blant de som sto bak
demonstrasjonen var Vidar Bakke fra NUUG og Håkon W. Lie fra EFN.
Etter demonstrasjonen arrangerte Håkon en fest hjemme hos seg der alle
som hadde vært aktive i demonstrasjonsplanlegging og gjennomføringen
deltok.  Før festen var jeg blitt lei av å vente på at Håkon skulle ta
initiativ til &quot;Teach the Teacher&quot;, og for å forsøke å få litt fremgang
besteme jeg meg for å benytte anledningen hos Håkon til å snakke om
behovet for å hjelpe skolene i gang med bedre datasystemer bestående
av fri programvare og unix-lignende operativsystemer.  Flere var
interessert, og Knut Yrvin tenkte på ideen.  Han
&lt;a href=&quot;http://developer.skolelinux.no/brev/2001-06-28-invitasjon-skolelinux.txt&quot;&gt;ropte
sammen&lt;/a&gt; til et stiftelsesmøte i prosjektet i sin arbeidsgivers
Objectwares lokaler ved Ullevål stadion 2001-07-02, og jeg ble med.
Resten er historie. :)&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Automatic Munin and Nagios configuration</title>
                <link>../../Automatic_Munin_and_Nagios_configuration.html</link>        
                <guid isPermaLink="true">../../Automatic_Munin_and_Nagios_configuration.html</guid>
                <pubDate>Wed, 27 Jan 2010 15:15:00 +0100</pubDate>
                <description>
&lt;p&gt;One of the new features in the next Debian/Lenny based release of
Debian Edu/Skolelinux, which is scheduled for release in the next few
days, is automatic configuration of the service monitoring system
Nagios.  The previous release had automatic configuration of trend
analysis using Munin, and this Lenny based release take that a step
further.&lt;/p&gt;

&lt;p&gt;When installing a Debian Edu Main-server, it is automatically
configured as a Munin and Nagios server.  In addition, it is
configured to be a server for the
&lt;a href=&quot;http://wiki.debian.org/DebianEdu/HowTo/SiteSummary&quot;&gt;SiteSummary
system&lt;/a&gt; I have written for use in Debian Edu.  The SiteSummary
system is inspired by a system used by the University of Oslo where I
work.  In short, the system provide a centralised collector of
information about the computers on the network, and a client on each
computer submitting information to this collector.  This allow for
automatic information on which packages are installed on each machine,
which kernel the machines are using, what kind of configuration the
packages got etc.  This also allow us to automatically generate Munin
and Nagios configuration.&lt;/p&gt;

&lt;p&gt;All computers reporting to the sitesummary collector with the
munin-node package installed is automatically enabled as a Munin
client and graphs from the statistics collected from that machine show
up automatically on http://www/munin/ on the Main-server.&lt;/p&gt;

&lt;p&gt;All non-laptop computers reporting to the sitesummary collector are
automatically monitored for network presence (ping and any network
services detected).  In addition, all computers (also laptops) with
the nagios-nrpe-server package installed and configured the way
sitesummary would configure it, are monitored for full disks, software
raid status, swap free and other checks that need to run locally on
the machine.&lt;/p&gt;

&lt;p&gt;The result is that the administrator on a school using Debian Edu
based on Lenny will be able to check the health of his installation
with one look at the Nagios settings, without having to spend any time
keeping the Nagios configuration up-to-date.&lt;/p&gt;

&lt;p&gt;The only configuration one need to do to get Nagios up and running
is to set the password used to get access via HTTP.  The system
administrator need to run &quot;&lt;tt&gt;htpasswd /etc/nagios3/htpasswd.users
nagiosadmin&lt;/tt&gt;&quot; to create a nagiosadmin user and set a password for
it to be able to log into the Nagios web pages.  After that,
everything is taken care of.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Debian Edu / Skolelinux based on Lenny released, work continues</title>
                <link>../../Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html</link>        
                <guid isPermaLink="true">../../Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html</guid>
                <pubDate>Thu, 11 Feb 2010 17:15:00 +0100</pubDate>
                <description>
&lt;p&gt;On Tuesday, the Debian/Lenny based version of
&lt;a href=&quot;http://www.skolelinux.org/&quot;&gt;Skolelinux&lt;/a&gt; was finally
shipped.  This was a major leap forward for the project, and I am very
pleased that we finally got the release wrapped up.  Work on the first
point release starts imediately, as we plan to get that one out a
month after the major release, to include all fixes for bugs we found
and fixed too late in the release process to include last Tuesday.&lt;/p&gt;

&lt;p&gt;Perhaps it even is time for some partying?&lt;/p&gt;

&lt;p&gt;After this first point release, my plan is to focus again on the
next major release, based on Squeeze.  We will try to get as many of
the fixes we need into the official Debian packages before the freeze,
and have just a few weeks or months to make it happen.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>After 6 years of waiting, the Xreset.d feature is implemented</title>
                <link>../../After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html</link>        
                <guid isPermaLink="true">../../After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html</guid>
                <pubDate>Sat, 6 Mar 2010 18:15:00 +0100</pubDate>
                <description>
&lt;p&gt;6 years ago, as part of the Debian Edu development I am involved
in, I asked for a hook in the kdm and gdm setup to run scripts as root
when the user log out.  A bug was submitted against the xfree86-common
package in 2004 (&lt;a href=&quot;http://bugs.debian.org/230422&quot;&gt;#230422&lt;/a&gt;),
and revisited every time Debian Edu was working on a new release.
Today, this finally paid off.&lt;/p&gt;

&lt;p&gt;The framework for this feature was today commited to the git
repositry for the xorg package, and the git repository for xdm has
been updated to use this framework.  Next on my agenda is to make sure
kdm and gdm also add code to use this framework.&lt;/p&gt;

&lt;p&gt;In Debian Edu, we want to ability to run commands as root when the
user log out, to get rid of runaway processes and do general cleanup
after a user.  With this framework in place, we finally can do that in
a generic way that work with all display managers using this
framework.  My goal is to get all display managers in Debian use it,
similar to how they use the Xsession.d framework today.&lt;p&gt;
</description>
        </item>
        
        <item>
                <title>Kerberos for Debian Edu/Squeeze?</title>
                <link>../../Kerberos_for_Debian_Edu_Squeeze_.html</link>        
                <guid isPermaLink="true">../../Kerberos_for_Debian_Edu_Squeeze_.html</guid>
                <pubDate>Wed, 14 Apr 2010 17:20:00 +0200</pubDate>
                <description>
&lt;p&gt;&lt;a href=&quot;http://www.nuug.no/aktiviteter/20100413-kerberos/&quot;&gt;Yesterdays
NUUG presentation&lt;/a&gt; about Kerberos was inspiring, and reminded me
about the need to start using Kerberos in Skolelinux.  Setting up a
Kerberos server seem to be straight forward, and if we get this in
place a long time before the Squeeze version of Debian freezes, we
have a chance to migrate Skolelinux away from NFSv3 for the home
directories, and over to an architecture where the infrastructure do
not have to trust IP addresses and machines, and instead can trust
users and cryptographic keys instead.&lt;/p&gt;

&lt;p&gt;A challenge will be integration and administration.  Is there a
Kerberos implementation for Debian where one can control the
administration access in Kerberos using LDAP groups?  With it, the
school administration will have to maintain access control using flat
files on the main server, which give a huge potential for errors.&lt;/p&gt;

&lt;p&gt;A related question I would like to know is how well Kerberos and
pam-ccreds (offline password check) work together.  Anyone know?&lt;/p&gt;

&lt;p&gt;Next step will be to use Kerberos for access control in Lwat and
Nagios.  I have no idea how much work that will be to implement.  We
would also need to document how to integrate with Windows AD, as such
shared network will require two Kerberos realms that need to cooperate
to work properly.&lt;/p&gt;

&lt;p&gt;I believe a good start would be to start using Kerberos on the
skolelinux.no machines, and this way get ourselves experience with
configuration and integration.  A natural starting point would be
setting up ldap.skolelinux.no as the Kerberos server, and migrate the
rest of the machines from PAM via LDAP to PAM via Kerberos one at the
time.&lt;/p&gt;

&lt;p&gt;If you would like to contribute to get this working in Skolelinux,
I recommend you to see the video recording from yesterdays NUUG
presentation, and start using Kerberos at home.  The video show show
up in a few days.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Thoughts on roaming laptop setup for Debian Edu</title>
                <link>../../Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</link>        
                <guid isPermaLink="true">../../Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</guid>
                <pubDate>Wed, 28 Apr 2010 20:40:00 +0200</pubDate>
                <description>
&lt;p&gt;For some years now, I have wondered how we should handle laptops in
Debian Edu.  The Debian Edu infrastructure is mostly designed to
handle stationary computers, and less suited for computers that come
and go.&lt;/p&gt;

&lt;p&gt;Now I finally believe I have an sensible idea on how to adjust
Debian Edu for laptops, by introducing a new profile for them, for
example called Roaming Workstations.  Here are my thought on this.
The setup would consist of the following:&lt;/p&gt;

&lt;ul&gt;

 &lt;li&gt;During installation, the user name of the owner / primary user of
   the laptop is requested and a local home directory is set up for
   the user, with uid and gid information fetched from the LDAP
   server.  This allow the user to work also when offline.  The
   central home directory can be available in a subdirectory on
   request, for example mounted via CIFS.  It could be mounted
   automatically when a user log in while on the Debian Edu network,
   and unmounted when the machine is taken away (network down,
   hibernate, etc), it can be set up to do automatic mounting on
   request (using autofs), or perhaps some GUI button on the desktop
   can be used to access it when needed.  Perhaps it is enough to use
   the fish protocol in KDE?&lt;/li&gt;

 &lt;li&gt;Password checking is set up to use LDAP or Kerberos
   authentication when the machine is on the Debian Edu network, and
   to cache the password for offline checking when the machine unable
   to reach the LDAP or Kerberos server.  This can be done using
   &lt;a href=&quot;http://www.padl.com/OSS/pam_ccreds.html&quot;&gt;libpam-ccreds&lt;/a&gt;
   or the Fedora developed
   &lt;a href=&quot;https://fedoraproject.org/wiki/Features/SSSD&quot;&gt;System
   Security Services Daemon&lt;/a&gt; packages.&lt;/li&gt;

 &lt;li&gt;File synchronisation with the central home directory is set up
   using a shared directory in both the local and the central home
   directory, using unison.&lt;/li&gt;

 &lt;li&gt;Printing should be set up to print to all printers broadcasting
   their existence on the local network, and should then work out of
   the box with CUPS.  For sites needing accurate printer quotas, some
   system with Kerberos authentication or printing via ssh could be
   implemented.&lt;/li&gt;

 &lt;li&gt;For users that should have local root access to their laptop,
   sudo should be used to allow this to the local user.&lt;/li&gt;

 &lt;li&gt;It would be nice if user and group information from LDAP is
   cached on the client, but given that there are entries for the
   local user and primary group in /etc/, it should not be needed.&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;I believe all the pieces to implement this are in Debian/testing at
the moment.  If we work quickly, we should be able to get this ready
in time for the Squeeze release to freeze.  Some of the pieces need
tweaking, like libpam-ccreds should get support for pam-auth-update
(&lt;a href=&quot;http://bugs.debian.org/566718&quot;&gt;#566718&lt;/a&gt;) and nslcd (or
perhaps debian-edu-config) should get some integration code to stop
its daemon when the LDAP server is unavailable to avoid long timeouts
when disconnected from the net.  If we get Kerberos enabled, we need
to make sure we avoid long timeouts there too.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Forcing new users to change their password on first login</title>
                <link>../../Forcing_new_users_to_change_their_password_on_first_login.html</link>        
                <guid isPermaLink="true">../../Forcing_new_users_to_change_their_password_on_first_login.html</guid>
                <pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
                <description>
&lt;p&gt;One interesting feature in Active Directory, is the ability to
create a new user with an expired password, and thus force the user to
change the password on the first login attempt.&lt;/p&gt;

&lt;p&gt;I&#39;m not quite sure how to do that with the LDAP setup in Debian
Edu, but did some initial testing with a local account.  The account
and password aging information is available in /etc/shadow, but
unfortunately, it is not possible to specify an expiration time for
passwords, only a maximum age for passwords.&lt;/p&gt;

&lt;p&gt;A freshly created account (using adduser test) will have these
settings in /etc/shadow:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -l test
Last password change                                    : May 02, 2010
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
root@tjener:~#
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The only way I could come up with to create a user with an expired
account, is to change the date of the last password change to the
lowest value possible (January 1th 1970), and the maximum password age
to the difference in days between that date and today.  To make it
simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
avoid testing if 0 is a valid value).&lt;/p&gt;

&lt;p&gt;After using these commands to set it up, it seem to work as
intended:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -d 1 test; chage -M 10950 test
root@tjener:~# chage -l test
Last password change                                    : Jan 02, 1970
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10950
Number of days of warning before password expires       : 7
root@tjener:~#  
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;So far I have tested this with ssh and console, and kdm (in
Squeeze) login, and all ask for a new password before login in the
user (with ssh, I was thrown out and had to log in again).&lt;/p&gt;

&lt;p&gt;Perhaps we should set up something similar for Debian Edu, to make
sure only the user itself have the account password?&lt;/p&gt;

&lt;p&gt;If you want to comment on or help out with implementing this for
Debian Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        </channel>
</rss>