Re: Maintaining the Salvation Army terminal server

From: Joshua Kugler <joshua.kugler@uaf.edu>
Date: Thu Oct 07 2004 - 14:05:22 AKDT

I'll just answer as I go through

On Thursday 07 October 2004 11:59, Damien Hull wrote:
> As the administrator of the system I am not so happy. I spent a lot of
> time on this project. What I found out is that Linux lacks
> administration tools. It also lacks good documentation.

What kind of documentation are you referring to? There are HOWTO's galore,
and gobs of man pages. When I've needed to accomplish something, I've almost
always found what I needed via Google, or other resources. Even when I've
been confined to man pages (no net access), I've been able to find out what I
need. And for something that's so widely documented (i.e. terminal server) I
can't imagine there would be a dearth of documentation.

> Here's what I went with.
> 1. Slack 9.1

Not to start a war, but I'd say that if you want a user (and admin) friendly
distro, go with Mandrake. Mandrake even has a GUI admin tool for setting up
Terminal servers (NFS/NIS too, although their config requires some tweaking).

> Here were my goals.
> 1. Low cost
> 2. Access to Internet, word processing, printing and maybe a few extras
> 3. User friendly
> 4. Give the users access to the applications they need and nothing else
>
> Items 1 and 2 are relatively easy. Items 3 and 4 were tough to
> implement.

I've found KDE to be VERY user friendly (especially KDE on Mandrake). And as
to "access to the applications they need and nothing else," KDE now has
built in tools for configuring kiosk settings that only allow access to
certain areas.

> User friendly
> 1. Same desktop setup for each user
> 2. easy access to applications and printing
>
> The hard part here was creating the same desktop for each user. I now
> have the system configured so that when you run "adduser" it creates a
> user with all the settings I want.

I'm not sure why this was hard. Create your prototypical user, then copy
their home directory (minus any "juicy" stuff) into /etc/skel, and that will
be copied to all new home dirs upon creation. I recently did this with a
computer lab that was using NIS/NFS. I configured IceWM to use the XP theme,
along with a custom background. Now, every time a user gets created, they
get those settings automatically. And print configs in Mandrake and KDE are
very simple. Use printerdrake, and you now have printers available in every
KDE application, and it configures OO for you too!

> Locking down the system
> 1. no shell
> 2. Gnome desktop only
> 4. login screen
> 5. Put default settings back after the user logs out
> 6. Access to the applications in the menu, panel etc..

I believe the KDE kiosk program covers all those things. Haven't used it, so
I can't comment on the ease of use.

> This was the hard part. Gnome has a tool that allows you to select which
> parts of gnome the user has access to. You can lock down a lot with this
> tool. However, I found the tool to be difficult to use. The rest were
> not easy to implement either. I'm still working on item 5.

Login screen: simply select one of the display managers (kdm or gdm) and away
you go. And if you don't want them to select other environments (such as KDE
or IceWM), don't install the core files. E.g., you can install kdelibs for
KDE programs without installing the K Desktop.

As to number five, it sounds like you are using one login for all users.
That's a bit dicey, as users could overwrite other users' data. If everyone
has their own login, why do you need to reset the settings? Can't they
customize a *little*?

> CONCLUSION
> I think Linux works great as a mail, web, DNS server etc... When it
> comes to computer labs like the one I set up for the Salvation Army it
> sucks.

(Preface: I'm not claiming to know all, and have used techniques in the past
that later proved inefficient) Please reserve judgment until you know *all*
the tools available to you. I assume you've been here: http://www.ltsp.org/
And as to things like user config and lock down, that can sometimes be as
simple as not installing certain packages. Gnome or KDE's kiosk
configuration can help too.

> I know that sounds harsh but other operating systems offer far
> better administration tools. Let's play out a scenario. Take the
> distribution of your choice and set up the following.
>
> You have been asked to set up an office network for the acme
> widget company. They have 10 employees. The company needs the
> following.
>
> 1. Internet
> 2. Email
> 3. website
> 4. office sweet

My office is. But did you mean office *suite* ? :)

> 5. file sharing
> 6. printing
>
> To make things simple for the users and administration we will
> do the following.
>
> 1. Every user will have the same desktop look and feel
> 2. Users will not be allowed to select another desktop. If you
> go with a gnome desktop users should not be allowed to select
> fvwm or kde etc...
> 3. Users should not have access to the command line

OK...assuming we're using Linux here, I'd set up NIS/NFS. That way, any user
could log in from any machine and they have all their data and files
available to them. Think Windows Roaming Profiles, but better.

> The big boss man wants to be able to see information about
> sales. create the following.
>
> 1. create a group called sales

Not hard.

> 2. create a directory called sales for the sales group to save
> data
> 3. give the sales group permissions to save data in the sales
> group

Right. Group rw.

> 4. create 3 users
> 5. add one user to the sales group ( they should now be able to
> save data in the sales directory)

OK...that's not hard. You just add them to the sales group, and we're done.

> 6. give one of the users read access to the sales directory

That's one where it gets sticky. However, there are ACL (access control list)
systems available for Linux that would allow specifically this. So, staying
with strictly ext2/ext3, no it can't be done. But ACL can be implemented on
Linux.

> 7. Give the last user no access to the sales directory

That's not hard. :)

> Note: You need to remember that the company has 10 employees.
> They may have other groups than the sales group. Users may also
> be in more than one group. You also need to take into account
> that the company may grow and add new users. Whatever you come
> up with needs to take these things into account.

Adding users to groups isn't hard. And if you have an ACL system implemented,
you can also specify which users have access to which resource and how.

> If you were to
> do this in Windows or OSX you would have no problem setting up
> anything outlined in the scenario. However, doing this in Linux is not
> an easy task.

Could you explain? What kind of Kiosk (or lock down) tools does OS X have?
And OS X only has Unix style permissions (I just checked, is there an
add-on?): owner, group, everyone else. So, if you could implement your sales
scenario on Mac OS X, you could implement it on plain ext2/ext3.

Sigh...I must be turning into a Linux evangelist. :)

j----- k-----

-- 
Joshua Kugler
CDE System Administrator
http://distance.uaf.edu/
Received on Thu Oct 7 14:05:23 2004
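
Added example (not part of the original message): the sales-directory scenario discussed in this thread, done with a group, a setgid directory and a POSIX ACL for the one read-only user. The path /srv/sales and the users alice, bob and carol are hypothetical, and it assumes the acl tools (setfacl/getfacl) are installed and the filesystem is mounted with ACL support.

```sh
#!/bin/sh
# Sales share from the thread: group read/write, one read-only user via a
# POSIX ACL, everyone else locked out. All names used here are hypothetical.
# DRY_RUN=1 (the default) only prints the commands; use DRY_RUN=0 as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_sales_share DIR GROUP WRITER READER OUTSIDER
setup_sales_share() {
    dir=$1 group=$2 writer=$3 reader=$4 outsider=$5

    run groupadd "$group"                  # step 1: the sales group
    run mkdir -p "$dir"                    # step 2: the shared directory
    run chgrp "$group" "$dir"
    # step 3: owner and group rwx, others nothing; the setgid bit makes
    # files created inside inherit the sales group
    run chmod 2770 "$dir"
    # step 4: three users; -m creates the home directory from /etc/skel
    for u in "$writer" "$reader" "$outsider"; do
        run useradd -m "$u"
    done
    run usermod -a -G "$group" "$writer"   # step 5: writer joins the group
    # step 6: read-only user gets r-x on the directory, plus a default ACL
    # so files created later are readable by them as well
    run setfacl -m "u:$reader:r-x" "$dir"
    run setfacl -d -m "u:$reader:r-x" "$dir"
    # step 7: the outsider has no group membership and no ACL entry, so the
    # "other" class (---) applies; print the resulting ACL for review
    run getfacl "$dir"
}

setup_sales_share /srv/sales sales alice bob carol
```

To check the result after a real run, list the directory as each user (for example with `sudo -u carol ls /srv/sales`, which should fail with a permission error).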
