Debian Edu / Skolelinux es una distribución de Linux, hecha por el proyecto Debian Edu. Siendo una distribución mezclada de Debian es un sub-proyecto oficial de Debian

Lo que esto significa, es que Skolelinux es una versión de Debian que proporciona un ambiente "out of the box" de una red escolar completamente configurada.

El proyecto Skolelinux fue fundado en Noruega el 2 de julio de 2001, y casi a la vez Raphaël Hertzog iniciaba el proyecto Debian Edu en Francia. Desde el 2003, ambos proyectos trabajaron unidos, aunque los nombres permanecieron separados. «Skole» y (Debian-)«Educativo» son dos términos bien conocidos en estas regiones.

Actualmente, el sistema se utiliza en muchos países alrededor del mundo.

Esta sección del documento describe la arquitectura de red y los servicios proporcionados por una instalación Skolelinux.

La figura es un esquema propuesto de la topología de red. La configuración predeterminada de Skolelinux asume que hay un (y sólo uno) servidor principal, y permite incluir tanto servidores LTSP (con clientes ligeros y/o estaciones sin disco asociados) como estaciones de trabajo. El número de estaciones de trabajo puede ser tan grande o pequeña como se quiera (desde ninguno a muchísimos). Lo mismo para los servidores LTSP, cada uno de los cuales está en una red separada, de forma que el tráfico entre los clientes ligeros y su servidor no afecte al resto de los servicios de red. LTSP se explica en detalle en el capítulo relacionado con HowTo

La razón por la que sólo puede haber un servidor principal en cada red es que el servidor principal proporciona DHCP, y sólo puede haber una máquina haciendo eso en cada red. Es posible trasladar servicios del servidor principal a otras máquinas configurando el servicio en otra máquina, y posteriormente, actualizando la configuración de DNS para que apunte al alias DNS de ese servicio a la máquina correcta.

In order to simplify the standard setup of Skolelinux, the Internet connection runs over a separate router, also called gateway. See the Internet router chapter for details how to set up such a gateway if it is not possible to configure an existing one as needed.

Todas las máquinas Linux que se instalan con el instalador de Skolelinux se pueden administrar desde una computadora central, es decir el servidor. Se puede acceder a todas las máquinas por SSH y, por tanto hay acceso completo a todos los puestos. Como root primero es necesario ejecutar kinit para obtener un TGT de Kerberos.

Toda la información de los usuarios se guarda en un directorio LDAP. Las actualizaciones de las cuentas de usuario se hacen contra esta base de datos, que es la que usan los clientes para autenticarse.

El propósito de los diferentes perfiles es explicado en el capítulo Arquitecturas de red.

If LTSP is intended to be used, take a look at the LTSP Hardware Requirements wiki page.

Una lista de hardware probado esta en https://wiki.debian.org/DebianEdu/Hardware/ . Esta lista no está completa

https://wiki.debian.org/InstallingDebianOn es un esfuerzo para documentar el proceso de instalación, configuración y uso de Debian en hardware específico. Por lo tanto los potenciales compradores sabrán si su hardware es soportado y los propietarios podrán saber como obtener el máximo de sus equipos.

Se aplican las siguientes reglas cuando se usa la arquitectura de red por defecto:

Un enrutador/pasarela conectado a Internet en la interfaz externa y con la dirección IP 10.0.0.1 y máscara de red 255.0.0.0 en la interfaz interna, es necesario para conectarse a internet.

El enrutador no debería ejecutar un servidor DHCP, puede ejecutar un servidor DNS, aunque no es necesario y no será usado.

In case you already have a router but are unable to configure it as needed (eg because you are not allowed to do so, or for technical reasons), an older computer with two network interfaces can be turned into a gateway between the existing network and the Debian Edu one.

A simple way is to install Debian Edu on this computer; select 'Minimal' as profile during installation.

After installation, run /usr/share/debian-edu-config/tools/configure-edu-gateway --firewall <yes|no> which will make the following changes:

Si necesita algo para un enrutador empotrado, o un punto de acceso le recomendamos usar OpenWRT, así podrá usar también el firmware original. Utilizar el firmware original es más fácil, utilizar OpenWRT le proporciona más opciones y control. Revise la web de OpenwRT para una lista completa del hardware soportado.

Es posible usar una configuración diferente de red (existe un proceso documentado para hacer esto), pero si usted no tiene una infraestructura de red preexistente, le recomendamos abstenerse de hacerlo, y mantener la configuración predeterminada de la arquitectura de red.

We recommend that you read or at least take a look at the release notes for Debian Bullseye before you start installing a system for production use. There is more information about the Debian Bullseye release available in its installation manual.

Please give Debian Edu/Skolelinux a try, it should just work.

It is recommended, though, to read the chapters about hardware and network requirements and about the architecture before starting to install a main server.

Asegúrese de leer el capítulo Iniciando con Debian Edu de este manual, ya que explica como iniciar sesión por primera vez.

When you do a Debian Edu installation, you have a few options to choose from. Don't be afraid; there aren't many. We have done a good job of hiding the complexity of Debian during the installation and beyond. However, Debian Edu is Debian, and if you want there are more than 57,000 packages to choose from and a billion configuration options. For the majority of our users, our defaults should be fine. Please note: if LTSP is intended to be used, choose a lightweight desktop environment.

deb http://deb.debian.org/debian/ bullseye main 
deb http://security.debian.org bullseye-security main 

d-i    pkgsel/include string my-extra-package(s)

El modo de texto y modo gráfico de instalación son idénticos, sólo la apariencia es diferente. El modo gráfico le ofrece la oportunidad de utilizar un ratón y por supuesto, el modo gráfico se ve mucho mejor y más moderno. A menos que el hardware presente problemas con el modo gráfico, no hay razón para no usarlo.

So here is a screenshot tour through a graphical 64-bit Main Server + Workstation + LTSP Server installation and how it looks at the first boot of the main server and a PXE boot on the LTSP client network (thin client session screen - and login screen after the session on the right has been clicked).

During installation of the main server a first user account was created. In the following text this account will be referenced as "first user". This account is special, as the home directory permission is set to 700 (so chmod o+x ~ is needed to make personal web pages accessible), and the first user can use sudo to become root.

See the information about Debian Edu specific file system access configuration before adding users; adjust to your site's policy if needed.

Después de la instalación, las primeras cosas que necesita hacer como usuario son:

Como agregar usuarios y estaciones de trabajo es descrito con más detalle a continuación. Por favor, lea este capítulo completamente. Abarca como realizar estos pasos mínimos correctamente, además de otras cosas que probablemente todos necesitan hacer.

There is additional information available elsewhere in this manual: the New features in Bullseye chapter should be read by everyone who is familiar with previous releases. And for those upgrading from a previous release, make sure to read the Upgrades chapter.

If generic DNS traffic is blocked out of your network and you need to use some specific DNS server to look up internet hosts, you need to tell the DNS server to use this server as its "forwarder". Update /etc/bind/named.conf.options and specify the IP address of the DNS server to use.

El capítulo HowTo describe más trucos, pistas y algunas preguntas de uso frecuente.

GOsa²es una herramienta de administración web, que le ayudará a administrar algunas de las partes importantes de su configuración de Debian Edu. Podrá administrar (agregar, modificar o eliminar) estos principales grupos:

Para acceder a GOsa², necesita el servidor principal Skolelinux y una computadora con un navegador web, puede ser el mismo servidor principal si se instaló como un servidor combinado (servidor principal + servidor LTSP + estación de trabajo).

If you (probably accidentally) installed a pure main-server profile and don't have a client with a web-browser handy, it's easy to install a minimal desktop on the main server using this command sequence in a (non-graphical) shell as the user you created during the main server's installation (first user):

  $ sudo apt update
  $ sudo apt install task-desktop-xfce lightdm education-menus
  ### after installation, run 'sudo service lightdm start'
  ### login as first user

Desde un navegador web, utilice https://www/gosa para acceder a GOsa² e ingrese por primera vez.

En primer lugar, haga clic en "Usuarios" en el menú de navegación de la izquierda. El lado derecho de la pantalla cambiará para mostrar una tabla con las carpetas de departamento para "Estudiantes" y "maestros" y la cuenta GOsa² Administrador (el primer usuario creado). Por encima de esta tabla se puede ver un campo llamado Base que le permite navegar a través de su estructura de árbol (mueva el ratón sobre esa zona y aparecerá un menú desplegable) y seleccione una carpeta de base para sus operaciones previstas (por ejemplo, la adición de un nuevo usuario).

La gestión de grupos es muy similar a la gestión de usuarios.

Puede ingresar un nombre y una descripción por grupo. Asegúrese de elegir el nivel correcto en el árbol LDAP cuando cree un nuevo grupo.

Adding users to a newly created group takes you back to the user list, where you most probably would like to use the filter box to find users. Check the LDAP tree level, too.

Los grupos incluidos en el manejo de grupos, son también grupos regulares de Unix, así que pueden utilizarse también para los permisos de archivos.

Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is usually "intern"). For a fuller description of the Debian Edu architecture see the architecture chapter of this manual.

Diskless workstations and thin clients work out-of-the-box in case of a combined main server.

Workstations with disks (including separate LTSP servers) have to be added with GOsa². Behind the scenes, both a machine specific Kerberos Principal (sort of account) and a related keytab file (containing a key used as password) are generated; the keytab file needs to be present on the workstation to be able to mount users' home directories. Once the added system has been rebooted, log into it as root and run /usr/share/debian-edu-config/tools/copy-host-keytab.

To create Principal and keytab file for a system already configured with GOsa², log in on the main server as root and run

/usr/share/debian-edu-config/tools/gosa-modify-host <hostname> <IP>

Please note: host keytab creation is possible for systems of type workstations, servers and terminals but not for those of type netdevices. See the Network clients HowTo chapter for NFS configuration options.

To add a machine, use the GOsa² main menu, systems, add. You can use an IP address/hostname from the preconfigured address space 10.0.0.0/8. Currently there are only two predefined fixed addresses: 10.0.2.2 (tjener) and 10.0.0.1 (gateway). The addresses from 10.0.16.20 to 10.0.31.254 (roughly 10.0.16.0/20 or 4000 hosts) are reserved for DHCP and are assigned dynamically.

To assign a host with the MAC address 52:54:00:12:34:10 a static IP address in GOsa² you have to enter the MAC address, the hostname and the IP; alternatively you might click the Propose ip button which will show the first free fixed address in 10.0.0.0/8, most probably something like 10.0.0.2 if you add the first machine this way. It may be better to first think about your network: for example you could use 10.0.0.x with x>10 and x<50 for servers, and x>100 for workstations. Don't forget to activate the just added system. With the exception of the main server all systems will then have a matching icon.

If the machines have booted as thin clients/diskless workstations or have been installed using any of the networked profiles, the sitesummary2ldapdhcp script can be used to automatically add machines to GOsa². For simple machines it will work out of the box, for machines with more than one mac address the actually used one has to be chosen, sitesummary2ldapdhcp -h shows usage information. Please note, that the IP addresses shown after usage of sitesummary2ldapdhcp belong to the dynamic IP range. These systems can then be modified to suit your network: rename each new system, activate DHCP and DNS, add it to netgroups (see screenshot below for recommended netgroups), reboot the system afterwards. The following screenshots show how this looks in practice:

root@tjener:~# sitesummary2ldapdhcp -a -i ether-22:11:33:44:55:ff
info: Create GOsa machine for am-2211334455ff.intern [10.0.16.21] id ether-22:11:33:44:55:ff.
 
Enter password if you want to activate these changes, and ^c to abort.
 
Connecting to LDAP as cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
enter password: ********
root@tjener:~#

A cronjob updating DNS runs every hour; su -c ldap2bind can be used to trigger the update manually.

The package p910nd is installed by default on a system with the Workstation profile.

It is recommended to disable all self-advertising features in the used network printers. Instead, assign a fixed IP address with GOsa² and configure them as AppSocket/HP JetDirect network printers.

This section explains how to use apt full-upgrade.

Using apt is really simply. To update a system you need to execute two commands on the command line as root: apt update (which updates the lists of available packages) and apt full-upgrade (which upgrades the packages for which an upgrade is available).

It is also a good idea to upgrade using the C locale to get English output which in cases of problems is more likely to produce results in search engines.

LC_ALL=C apt full-upgrade -y

After upgrading the debian-edu-config package, changed Cfengine configuration files might be available. Run ls -ltr /etc/cfengine3/debian-edu/ to check if this is the case. To apply the changes, run LC_ALL=C cf-agent -D installation.

It is important to run debian-edu-ltsp-install --diskless_workstation yes after LTSP server upgrades to keep the SquashFS image for diskless clients menu in sync.

After a point release upgrade of a system with Main Server or LTSP Server profile, debian-edu-pxeinstall needs to be run to update the PXE installation environment.

También es buena idea instalar cron-apt y apt-listchanges y configurarlos para que le envíe corre electrónico.

cron-apt will notify you once a day via email about any packages that can be upgraded. It does not install these upgrades, but does download them (usually in the night), so you don't have to wait for the download when you do apt full-upgrade.

Automatic installation of updates can be done easily if desired, it just needs the unattended-upgrades package to be installed and configured as described on wiki.debian.org/UnattendedUpgrades.

apt-listchanges can send new changelog entries to you via email, or alternatively display them in the terminal when running apt.

For backup management point your browser to https://www/slbackup-php. Please note that you need to access this site via SSL, since you have to enter the root password there. If you try to access this site without using SSL it will fail.

Note: the site will only work if you temporarily allow ssh root login on the backup server (main server 'tjener' by default).

By default tjener will back up /skole/tjener/home0, /etc/, /root/.svk and LDAP to /skole/backup which is under the LVM. If you only want to have spare copies of things (in case you delete them) this setup should be fine for you.

Tome en cuenta que este esquema de respaldo no le protege de daños en el disco duro.

If you want to back up your data to an external server, a tape device or another hard drive you'll have to modify the existing configuration a bit.

Si quieres restaurar un directorio, la mejor opción es usar la línea de comandos:

$ sudo rdiff-backup -r <date>  \
   /skole/backup/tjener/skole/tjener/home0/user \
   /skole/tjener/home0/user_<date>

Esto pondrá el contenido de /skole/tjener/home0/user para <date> en el directorio /skole/tjener/home0/user_<date>.

Si desea restablecer un archivo, debería de ser capaz de seleccionar el archivo (y la versión) de la interfaz web y descargar solamente ese archivo.

Si desea deshacerse de los respaldos viejos, elija "Maintenance" en el menú de la página respaldo y seleccione la instantánea más vieja que desee conservar:

Más información sobre personalizaciones de Debian Edu útil para administradores de sistema puede encontrarse en el capítulo Administración y en el capítulo Administración avanzada

Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunately a bit more complicated as we modify configuration files in ways we shouldn't. However we have documented the needed steps below. (See Debian bug 311188 for more information how Debian Edu should modify configuration files.)

In general, upgrading the servers is more difficult than the workstations and the main-server is the most difficult to upgrade.

Si quiere asegurase de que después de la actualización todo va como antes, debería probarlo en un sistema de pruebas o en un sistema configurado igual que su servidor en producción. Ahí puede probar la actualización sin riesgo y ver si todo funciona como debiera.

Make sure to also read the information about the current Debian Stable release in its installation manual.

It may also be wise to wait a bit and keep running Oldstable for a few weeks longer, so that others can test the upgrade and document any problems they experience. The Oldstable release of Debian Edu will receive continued support for some time after the next Stable release, but when Debian ceases support for Oldstable, Debian Edu will necessarily do the same.

Be prepared: make sure you have tested the upgrade from Buster in a test environment or have backups ready to be able to go back.

Please note that the following recipe applies to a default Debian Edu main server installation (desktop=xfce, profiles Main Server, Workstation, LTSP Server). (For a general overview concerning Buster to Bullseye upgrade, see: https://www.debian.org/releases/bullseye/releasenotes)

Don't use X, use a virtual console, log in as root.

If apt finishes with an error, try to fix it and/or run apt -f install and then apt -y full-upgrade once again.

apt update
apt full-upgrade

apt clean

sed -i 's/buster/bullseye/g' /etc/apt/sources.list
sed -i 's#/debian-security bullseye/updates# bullseye-security#g' /etc/apt/sources.list
export LC_ALL=C        # optional (to get English output)
apt update
apt full-upgrade

cf-agent -v -D installation
service squid restart

apt install debian-edu-artwork-homeworld
apt purge debian-edu-artwork-buster      # unless Buster artwork should be kept as an alternative

rm -f /etc/xdg/xfce4/panel/default.xml.cfsaved
mv /etc/xdg/xfce4/panel/default.xml.dpkg-new /etc/xdg/xfce4/panel/default.xml

rm -f /etc/default/tftpd-hpa        # to remove no longer needed modifications
rm -rf /var/lib/tftpboot            # to remove no longer used tftp base directory
dpkg-reconfigure -p low tftpd-hpa   # first prompt: keep ''tftp'' as system account, second: change TFTP root directory to ''/srv/tftp''
                                    # third: keep address and port, last one: enter ''--secure'' as additional option 
service tftpd-hpa restart
rm -rf /opt/ltsp                    # cleanup old LTSP base directory
# The next steps will need quite some execution time.
debian-edu-ltsp-install --arch amd64 --diskless_workstation no thin_type bare   # if 64-Bit thin client support is wanted
debian-edu-ltsp-install --arch i386 --diskless_workstation no thin_type bare    # if 32-Bit thin client support is wanted
debian-edu-ltsp-install --diskless_workstation yes   # to create diskless workstation image from the server's file system
debian-edu-pxeinstall                                # to add PXE installation files and related iPXE menu items 

To upgrade from any older release, you will need to upgrade to the Buster based Debian Edu release first, before you can follow the instructions provided above. Instructions are given in the Manual for Debian Edu Buster about how to upgrade to Buster from the previous release, Stretch. Likewise the Stretch manual describes how to upgrade from Jessie.

Using etckeeper, all files in /etc/ are tracked using Git as a version control system.

Esto hace posible ver cuando un archivo es agregado, modificado o eliminado, también ver lo que se cambió si el archivo es un archivo de texto. El repositorio de git es guardado en /etc/.git/.

Cualquier cambio, es registrado cada hora, permitiendo tener un histórico de la configuración para ser extraído y revisado.

To look at the history, the command etckeeper vcs log is used. To check the differences between two points in time, a command like etckeeper vcs diff can be used.

Revise la salida de man etckeeper para más información.

Lista de comandos útiles:

etckeeper vcs log
etckeeper vcs status
etckeeper vcs diff
etckeeper vcs add .
etckeeper vcs commit -a
man etckeeper

etckeeper vcs log

etckeeper vcs status

etckeeper vcs commit -a /etc/resolv.conf

In Debian Edu, all partitions other than the /boot/ partition are on logical LVM volumes. With Linux kernels since version 2.6.10, it is possible to extend partitions while they are mounted. Shrinking partitions still needs to happen while the partition is unmounted.

It is a good idea to avoid creating very large partitions (over, say, 20GiB), because of the time it takes to run fsck on them or to restore them from backup if the need arises. It is better, if possible, to create several smaller partitions than one very large one.

The helper script debian-edu-fsautoresize is provided to make it easier to extend full partitions. When invoked, it reads the configuration from /usr/share/debian-edu-config/fsautoresizetab, /site/etc/fsautoresizetab and /etc/fsautoresizetab. It then proposes to extend partitions with too little free space, according to the rules provided in these files. If run with no arguments, it will only show the commands needed to extend the file system. The argument -n is needed to actually execute these commands to extend the file systems.

The script is executed automatically every hour on every client listed in the fsautoresize-hosts netgroup.

When the partition used by the Squid proxy is resized, the value for cache size in etc/squid/squid.conf needs to be updated as well. The helper script /usr/share/debian-edu-config/tools/squid-update-cachedir is provided to do this automatically, checking the current partition size of /var/spool/squid/ and configuring Squid to use 80% of this as its cache size.

lvextend -L30G /dev/vg_system/skole+tjener+home0
resize2fs /dev/vg_system/skole+tjener+home0

ldapvi es una herramienta para editar la base de datos LDAP con un editor de texto en la linea de comandos.

Lo siguiente necesita ser ejecutado:

ldapvi --ldap-conf -ZD '(cn=admin)'

Nota: ldapvi usará el editor de texto predeterminado. Ejecutar export EDITOR=vim en el intérprete de comandos puede configurar el entorno para tener un clon de vi como editor.

To add an LDAP object using ldapvi, use object sequence number with the string add in front of the new LDAP object.

Adevertencia: ldapvi es una herramienta poderosa. Sea cuidadoso y no dañe la base de datos de LDAP, la misma advertencia aplica para JXplorer.

Using Kerberos for NFS to mount home directories is a security feature. As of Bullseye, LTSP clients won't work without Kerberos. The levels krb5, krb5i and krb5p are supported (krb5 means Kerberos authentication, i stands for integrity check and p for privacy, i.e. encryption); the load on both server and workstation increases with the security level, krb5i is a good choice and has been chosen as default.

/srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/home0  gss/krb5i(rw,sync,no_subtree_check)

This tool allows to set the default printer depending on location, machine, or group membership. For more information, see /usr/share/doc/standardskriver/README.md.

The configuration file /etc/standardskriver.cfg has to be provided by the admin, see /usr/share/doc/standardskriver/examples/standardskriver.cfg as an example.

If you prefer a GUI to work with the LDAP database, check out the jxplorer package, which is installed by default. To get write access connect like this:

host: ldap.intern
port:636
Security level: ssl + user + password
User dn: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no

ldap-createuser-krb is a small command line tool to create LDAP users and set their passwords in Kerberos. It's mostly useful for testing, though.

Since the Squeeze release in 2011, Debian has included packages formerly maintained in volatile.debian.org in the stable-updates suite.

While you can use stable-updates directly, you don't have to: stable-updates are pushed into the stable suite regularly when stable point releases are done, which roughly happens every two months.

You are running Debian Edu because you prefer the stability of Debian Edu. It runs great; there is just one problem: sometimes software is a little bit more outdated than you like. This is where backports.debian.org steps in.

Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu. We recommend you to pick out individual backports which fit your needs, and not to use all backports available there.

Usar backports es sencillo:

echo "deb http://deb.debian.org/debian/ bullseye-backports main" >> /etc/apt/sources.list
apt-get update

After which one can install backported packages easily, the following command will install a backported version of tuxtype:

apt install -t bullseye-backports tuxtype

Backports are automatically updated (if available) just like other packages. Like the normal archive, backports has three sections: main, contrib and non-free.

If you want to upgrade from one version to another (for example from Bullseye 11.1 to 11.2) but you do not have Internet connectivity, only physical media, follow these steps:

Inserte el CD/DVD/Disco Blu-ray/Dispositivo USB en la unidad y use el comando apt-cdrom:

apt-cdrom add

Para citar el manual de referencia de apt-cdrom(8):

Luego ejecute estos dos comandos para actualizar el sistema:

apt update
apt full-upgrade

killer es un script hecho en perl que elimina trabajos en segundo plano. Trabajos en segundo plano son definidos como procesos que pertenecen a usuarios que no tienen una sesión activa en la computadora. Se ejecuta cada hora por un cron.

unattended-upgrades is a Debian package which will install security (and other) upgrades automatically. If installed, the package is preconfigured to install security upgrades. The logs are available in /var/log/unattended-upgrades/; also, there are always /var/log/dpkg.log and /var/log/apt/.

It is possible to save energy and money by automatically turning client machines off at night and back on in the morning. The package shutdown-at-night will try to turn off the machine every hour on the hour from 16:00 in the afternoon, but will not turn it off if it seems to have users. It will try to tell the BIOS to turn on the machine around 07:00 in the morning, and the main-server will try to turn on machines from 06:30 by sending wake-on-lan packets. These times can be changed in the crontabs of individual machines.

Some considerations should be kept in mind when setting this up:

  #!/bin/sh
  PATH=/usr/sbin:$PATH
  export PATH
  sitesummary-nodes -w

  #!/bin/sh
  PATH=/usr/sbin:$PATH
  export PATH
  netgroup -h shutdown-at-night-hosts

To access machines behind a firewall from the Internet, consider installing the package autossh. It can be used to set up an SSH tunnel to a machine on the Internet that you have access to. From that machine, you can access the server behind the firewall via the SSH tunnel.

En la instalación predeterminada, todos los servicios están ejecutándose en el servidor principal, tjener. Para mover algunos servicios a otra computadora de manera sencilla, existe un perfil mínimo de instalación disponible. Instalar con este perfil le proporcionará una computadora, que es parte de la red de Debian Edu, pero que no cuenta con un servicio ejecutándose (todavía)

Estos son los pasos que se deben seguir para configurar un servicio dedicado en una computadora:

FIXME: The HowTos from https://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)

Take these steps to set up a dedicated storage server for user home directories and possibly other data.

Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP thin client or LTSP server.

There are several ways to restrict ssh login, some are listed here.

+ : alice jane bob john : ALL
+ : ALL : 10.0.0.0/8 192.168.0.0/24 192.168.1.0/24
- : ALL : ALL
#

To support multiple languages these commands need to be run:

apt update
/usr/share/debian-edu-config/tools/install-task-pkgs
/usr/share/debian-edu-config/tools/improve-desktop-l10n

Users will then be able to choose the language via the LightDM display manager before logging in; this applies to Xfce, LXDE and LXQt. GNOME and KDE both come with their own internal region and language configuration tools, use these. MATE uses the Arctica greeter on top of Lightdm whithout a language chooser. Run apt purge arctica-greeter to get the stock Lightdm greeter.

libdvdcss is needed for playing most commercial DVDs. For legal reasons it's not included in Debian (Edu). If you are legally allowed to use it, you can build your own local packages using the libdvd-pkg Debian package; make sure contrib is enabled in /etc/apt/sources.list.

apt update
apt install libdvd-pkg

Answer the debconf questions, then run dpkg-reconfigure libdvd-pkg.

The package fonts-linex (which is installed by default) installs the font "Abecedario" which is a nice handwriting font for kids. The font has several forms to be used with kids: dotted, and with lines.

Un término genérico para clientes ligeros y estaciones de trabajo sin disco es cliente LTSP.

Starting with Bullseye, LTSP is quite different from the previous versions. This concerns both setup and maintenance. As one main difference, the SquashFS image for diskless workstations is now generated from the LTSP server file system. Also, thin clients are no longer supported.

In case of a separate or an additional LTSP server required information for setting up the LTSP client environment isn't complete at installation time. Setup can be done once the system has been added with GOsa².

For information about LTSP in general, see the LTSP homepage. On systems with LTSP server profile, man ltsp provides more information.

The debian-edu-ltsp-install tool is a wrapper script for ltsp image, ltsp kernel and ltsp ipxe. It is used to setup and configure diskless workstation support; in addition thin clients (both 64-Bit and 32-Bit PC) are supported using X2Go. See man debian-edu-ltsp-install or the script content to see how it works. All configuration is contained in the script itself (here documents) to facilitate site specific adjustments.

Please note that the ltsp tool has to be used carefully. For example, ltsp image / would fail to generate the SquashFS image in case of Debian machines (these have a separate /boot partition by default), and ltsp ipxe would fail to generate the iPXE menu correctly (due to Debian Edu's thin client support).

Examples how to use the wrapper script debian-edu-ltsp-install instead:

Besides bare (smallest thin client system), also display and desktop are available options. The display type offers a shutdown button, the desktop type runs Firefox ESR in kiosk mode on the client itself (more local RAM and CPU power required, but server load reduced).

Estaciones de trabajo sin disco

A diskless workstation runs all software locally. The client machines boot directly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but runs on the diskless workstations. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing older (but powerful) hardware with the same low maintenance costs as with thin clients.

Unlike workstations diskless workstations run without any need to add them with GOsa².

Cliente ligero

A thin client setup enables an ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots via PXE without using a local client hard drive.

Debian Edu still supports the use of thin clients to enable the use of very old hardware.

LTSP client firmware

LTSP client boot will fail if the client's network interface requires a non-free firmware. A PXE installation can be used for troubleshooting problems with netbooting a machine; if the Debian Installer complains about a missing XXX.bin file then non-free firmware has to be added to the LTSP server's initrd.

En este caso, ejecute los siguientes comandos en un servidor LTSP.

# First get information about firmware packages
apt update && apt search ^firmware-
 
# Decide which package has to be installed for the network interface(s). 
# Most probably this will be firmware-linux-nonfree.
apt -y -q install <package name>
 
# Update the SquashFS image for diskless workstations.
debian-edu-ltsp-install --diskless_workstation yes

PXE stands for Preboot eXecution Environment. Debian Edu now uses the iPXE implementation for easier LTSP integration.

#add the skole projects local repository
d-i     apt-setup/local1/repository string      http://example.org/debian stable main contrib non-free
d-i     apt-setup/local1/comment string         Example Software Repository
d-i     apt-setup/local1/source boolean         true
d-i     apt-setup/local1/key    string          http://example.org/key.asc

The debian-edu-config package comes with a tool which helps in changing the network from 10.0.0.0/8 to something else. Have a look at /usr/share/debian-edu-config/tools/subnet-change. It is intended for use just after installation on the main server, to update LDAP and other files that need to be edited to change the subnet.

Note that changing to one of the subnets already used elsewhere in Debian Edu will not work. 192.168.0.0/24 and 192.168.1.0/24 are already set up as LTSP client networks. Changing to these subnets will require manual editing of configuration files to remove duplicate entries.

There is no easy way to change the DNS domain name. Changing it would require changes to both the LDAP structure and several files in the main server file system. There is also no easy way to change the host and DNS name of the main server (tjener.intern). To do so would also require changes to LDAP and files in the main-server and client file system. In both cases the Kerberos setup would have to be changed, too.

Choosing the LTSP server profile or the combined server profile also installs the xrdp and x2goserver packages.

 #!/bin/bash
 # Script to compile / recompile xrdp PulseAudio modules.
 # The caller needs to be root or a member of the sudo group.
 # Also, /etc/apt/sources.list must contain a valid deb-src line.
 set -e
  if [[ $UID -ne 0 ]] ; then  
     if ! groups | egrep -q sudo ; then
         echo "ERROR: You need to be root or a sudo group member."
         exit 1
     fi
 fi
 if ! egrep -q  ^deb-src /etc/apt/sources.list ; then
     echo "ERROR: Make sure /etc/apt/sources.list contains a deb-src line."
     exit 1
 fi
 TMP=$(mktemp -d)
 PULSE_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' pulseaudio)"
 XRDP_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' xrdp)"
 sudo apt -q update
 # Get sources and build dependencies:
 sudo apt -q install dpkg-dev
 cd $TMP
 apt -q source pulseaudio xrdp
 sudo apt -q build-dep pulseaudio xrdp
 # For pulseaudio 'configure' is all what is needed:
 cd pulseaudio-$PULSE_UPSTREAM_VERSION/
 ./configure
 # Adjust pulseaudio modules Makefile (needs absolute path)
 # and build the pulseaudio modules.
 cd $TMP/xrdp-$XRDP_UPSTREAM_VERSION/sesman/chansrv/pulse/
 sed -i 's/^PULSE/#PULSE/' Makefile
 sed -i "/#PULSE_DIR/a \
 PULSE_DIR = $TMP/pulseaudio-$PULSE_UPSTREAM_VERSION" Makefile
 make
 # Copy modules to Pulseaudio modules directory, adjust rights.
 sudo cp *.so /usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/
 sudo chmod 644 /usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/module-xrdp*
 # Restart xrdp, now with sound enabled.
 sudo service xrdp restart

The freeRADIUS server could be used to provide secure network connections. For this to work, install the freeradius and winbind packages on the main server and run /usr/share/debian-edu-config/setup-freeradius-server to generate a basic, site specific configuration. This way, both EAP-TTLS/PAP and PEAP-MSCHAPV2 methods are enabled. All configuration is contained in the script itself to facilitate site specific adjustments. See the freeRADIUS homepage for details.

Additional configuration is needed to

End user devices need to be configured properly, these devices need to be PIN protected for the use of EAP (802.1x) methods. And most important: users need to be educated to install the freeradius CA certificate on their devices to be sure to connect to the right server. This way the password can't be catched in case of a malicious server. The site specific certificate is available on the internal network.

Please note that configuring end user devices will be a real challenge due to the variety of devices. For Windows devices an installer script could be created, for Apple devices a mobileconfig file. In both cases the freeRADIUS CA certificate can be integrated, but OS specific tools are needed to create the scripts.

Connections to a user's home directory and to additional site specific shares (if configured) are possible for devices running Linux, Android, macOS, iOS, iPadOS, Chrome OS or Windows. Other devices like Android based ones require a file manager with SMB2/SMB3 support, also known as LAN access. X-plore or Total Commander with LAN plugin might be a good choice.

Use \\tjener\<username> or smb://tjener/<username> to access the home directory.

stable/education-development is a meta package depending on a lot of programming tools. Please note that almost 2 GiB of disk space is needed if this package is installed. For more details (maybe to install only a few packages), see the Debian Edu Development packages page.

Warning: make sure you know the status of the laws about monitoring and restricting computer users' activities in your jurisdiction.

Some schools use control tools like Epoptes or Veyon to supervise their students. See also: Epoptes Homepage and Veyon Homepage.

Some schools use Squidguard or e2guardian to restrict Internet access.

Casa usuario debería cambiar su contraseña usando GOsa². Para hacerlo, solo use un navegador web y vaya a https://www/gosa/.

Using GOsa² to change the password ensures that passwords for Kerberos (krbPrincipalKey), LDAP (userPassword) and Samba (sambaNTPassword) are the same.

Changing passwords using PAM is working also at the GDM login prompt, but this will only update the Kerberos password, and not the Samba and GOsa² (LDAP) password. So after you changed your password at the login prompt, you really should also change it using GOsa².

Standalone Java applications are supported out of the box by the OpenJDK Java runtime.

All users can send and receive mails within the internal network; certificates are provided to allow TLS secured connections. To allow mail outside the internal network, the administrator needs to configure the mailserver exim4 to suit the local situation, starting with dpkg-reconfigure exim4-config.

Every user who wants to use Thunderbird needs to configure it as follows. For a user with username jdoe the internal email address is jdoe@postoffice.intern.

Actualmente hay equipos locales en Noruega, Alemania, la región de Extremadura en España, Taiwán y Francia. Además, contribuidores y usuarios y usuarias sin colectivo existen en Grecia, Países Bajos, Japón y otros lugares.

El capítulo de soporte contiene explicaciones y enlaces a recursos localizados, ya que contruibuir y apoyar son dos lados de la misma moneda.

A nivel internacional estamos organizados en varios equipos que trabajan en distintas áreas.

Most of the time, the developer mailing list is our main medium for communication, though we have monthly IRC meetings on #debian-edu on irc.debian.org and even, less frequently, real gatherings, where we meet each other in person. New contributors should read our https://wiki.debian.org/DebianEdu/ArchivePolicy.

A good way to learn what is happening in the development of Debian Edu is to subscribe to the commit mailinglist.

Debian Edu uses the Debian Bug Tracking System (BTS). View existing bug reports and feature requests or create new ones. Please report all bugs against the package debian-edu-config. Take a look at How To Report Bugs for more information on bug reporting in Debian Edu.

¡Este documento necesita de su ayuda! No está finalizado todavía: si lo lee, notará varias lineas que dicen POR CORREGIR. Si usted saber lo que se necesita corregir, considere compartir su conocimiento con nosotros.

The source of the text is a wiki and can be edited with a simple webbrowser. Just go to https://wiki.debian.org/DebianEdu/Documentation/Bullseye/ and you can contribute easily. Note: a user account is needed to edit the pages; you need to create a wiki user first.

Another very good way to contribute and to help users is by translating software and documentation. Information on how to translate this document can be found in the translations chapter of this book. Please consider helping the translation effort of this book!

Lists of companies providing professional support are available from https://wiki.debian.org/DebianEdu/Help/ProfessionalHelp.

Copyright (C) 2007-2018 Holger Levsen < holger@layer-acht.org > and others, see the Copyright chapter for the full list of copyright owners.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

To activate a specific translation, boot using locale=ll_CC.UTF-8 as a boot option, where ll_CC.UTF-8 is the locale name you want. To activate a given keyboard layout, use the keyb=KB option where KB is the desired keyboard layout. Here is a list of commonly used locale codes:

La lista completa de los códigos locales esta disponible en /usr/share/i18n/SUPPORTED, pero únicamente los locales con UTF-8 son soportados por la imagen «live». No todas las traducciones locales tienen instalación. Las distribuciones de teclados pueden ser encontradas en /usr/share/keymaps/amd64/.

The following Debian Edu releases were made further in the past:

A complete and detailed overview about older releases is contained in Appendix C of the Jessie manual; or see the related release manuals on the release manuals page.