Re: Maintaining the Salvation Army terminal server

From: Damien Hull <dhull@digitaloverload.net>
Date: Thu Oct 07 2004 - 15:36:58 AKDT

Look, I'm not trying to put down Linux. I'm only trying to explain what
I did and what I found.

On the terminal server I set up there are different users for each thin
client. This makes things simple. We don't have to create an account for
everyone that wants to get on the Internet. They're guest accounts. That's
why we need to clean them up either when the user logs out or at the end
of the day.

I was told about the kiosk tool for kde. I gave it a try and found that
it didn't work well. I may give it another try but at the time I made a
quick decision to go with Gnome. Since then I have found other problems
with kde.

The tool to lock down gnome works but it is not easy to use.

Why did I choose to use slack? It's up to date, has what I want, and it
works.

I've never been a fan of Mandrake.

Windows 2003 server gives you the tools and the control that one needs
on a large network. If I'm maintaining a network of 100 workstations I
can quickly add users, configure their desktops, and give them access to
the files and folders they should have access to. All with a few mouse
clicks. Try that in Linux.

Can't really say much about OSX. I can say that I have seen some of the
admin tools and they are much better than what's available for Linux.

IT managers and sys admins don't have a lot of time to hunt down a
how-to or man page. There needs to be an admin tool that lets one
configure the system. Add users, configure the desktop, set up file
permissions etc... As far as I know the only one that comes close is
Webmin.

My conclusion is that anyone who wants to be a Linux/Unix admin needs
to create themselves a bag of tricks for maintaining systems. Without
your own bag of tricks there is no way you can maintain a Linux/Unix
system effectively.

On Thu, 2004-10-07 at 14:05, Joshua Kugler wrote:
> I'll just answer as I go through
>
> On Thursday 07 October 2004 11:59, Damien Hull wrote:
> > As the administrator of the system I am not so happy. I spent a lot of
> > time on this project. What I found out is that Linux lacks
> > administration tools. It also lacks good documentation.
>
> What kind of documentation are you referring to? There are HOWTO's galore,
> and gobs of man pages. When I've needed to accomplish something, I've almost
> always found what I needed via Google, or other resources. Even when I've
> been confined to man pages (no net access), I've been able to find out what I
> need. And for something that's so widely documented (i.e. terminal server) I
> can't imagine there would be a dearth of documentation.
>
> > Here's what I went with.
> > 1. Slack 9.1
>
> Not to start a war, but I'd say that if you want a user (and admin) friendly
> distro, go with Mandrake. Mandrake even has a GUI admin tool for setting up
> Terminal servers (NFS/NIS too, although their config requires some tweaking).
>
> > Here were my goals.
> > 1. Low cost
> > 2. Access to Internet, word processing, printing and maybe a few extras
> > 3. User friendly
> > 4. Give the users access to the applications they need and nothing else
> >
> > Items 1 and 2 are relatively easy. Items 3 and 4 were tough to
> > implement.
>
> I've found KDE to be VERY user friendly (especially KDE on Mandrake). And as
> to "access to the applications they need and nothing else," KDE now has
> built in tools for configuring kiosk settings that only allow access to
> certain areas.
>
> > User friendly
> > 1. Same desktop setup for each user
> > 2. easy access to applications and printing
> >
> > The hard part here was creating the same desktop for each user. I now
> > have the system configured so that when you run "adduser" it creates a
> > user with all the settings I want.
>
> I'm not sure why this was hard. Create your prototypical user, then copy
> their home directory (minus any "juicy" stuff) into /etc/skel, and that will
> be copied to all new home dirs upon creation. I recently did this with a
> computer lab that was using NIS/NFS. I configured IceWM to use the XP theme,
> along with a custom background. Now, every time a user gets created, they
> get those settings automatically. And print configs in Mandrake and KDE are
> very simple. Use printerdrake, and you now have printers available in every
> KDE application, and it configures OO for you too!
>
> > Locking down the system
> > 1. no shell
> > 2. Gnome desktop only
> > 4. login screen
> > 5. Put default settings back after the user logs out
> > 6. Access to the applications in the menu, panel etc..
>
> I believe the KDE kiosk program covers all those things. Haven't used it, so
> I can't comment on the ease of use.
>
> > This was the hard part. Gnome has a tool that allows you to select which
> > parts of gnome the user has access to. You can lock down a lot with this
> > tool. However, I found the tool to be difficult to use. The rest were
> > not easy to implement either. I'm still working on item 5.
>
> Login screen: simply select one of the display managers (kdm or gdm) and away
> you go. And if you don't want them to select other environments (such as KDE
> or IceWM), don't install the core files. E.g., you can install kdelibs for
> KDE programs without installing the K Desktop.
>
> As to number five, it sounds like you are using one login for all users.
> That's a bit dicey, as users could overwrite other users' data. If everyone
> has their own login, why do you need to reset the settings? Can't they
> customize a *little*?
>
> > CONCLUSION
> > I think Linux works great as a mail, web, DNS server etc... When it
> > comes to computer labs like the one I set up for the Salvation Army it
> > sucks.
>
> (Preface: I'm not claiming to know all, and have used techniques in the past
> that later proved inefficient) Please reserve judgment until you know *all*
> the tools available to you. I assume you've been here: http://www.ltsp.org/
> And as to things like user config and lock down, that can sometimes be as
> simple as not installing certain packages. Gnome or KDE's kiosk
> configuration can help too.
>
> > I know that sounds harsh but other operating systems offer far
> > better administration tools. Let's play out a scenario. Take the
> > distribution of your choice and set up the following.
> >
> > You have been asked to set up an office network for the acme
> > widget company. They have 10 employees. The company needs the
> > following.
> >
> > 1. Internet
> > 2. Email
> > 3. website
> > 4. office sweet
>
> My office is. But did you mean office *suite* ? :)
>
> > 5. file sharing
> > 6. printing
> >
> > To make things simple for the users and administration we will
> > do the following.
> >
> > 1. Every user will have the same desktop look and feel
> > 2. Users will not be allowed to select another desktop. If you
> > go with a gnome desktop users should not be allowed to select
> > fvwm or kde etc...
> > 3. Users should not have access to the command line
>
> OK...assuming we're using Linux here, I'd set up NIS/NFS. That way, any user
> could log in from any machine and they have all their data and files
> available to them. Think Windows Roaming Profiles, but better.
>
>
> > The big boss man wants to be able to see information about
> > sales. create the following.
> >
> > 1. create a group called sales
>
> Not hard.
>
> > 2. create a directory called sales for the sales group to save
> > data
> > 3. give the sales group permissions to save data in the sales
> > group
>
> Right. Group rw.
>
> > 4. create 3 users
> > 5. add one user to the sales group ( they should now be able to
> > save data in the sales directory)
>
> OK...that's not hard. You just add them to the sales group, and we're done.
>
> > 6. give one of the users read access to the sales directory
>
> That's one where it gets sticky. However, there are ACL (access control list)
> systems available for Linux that would allow specifically this. So, staying
> with strictly ext2/ext3, no it can't be done. But ACL can be implemented on
> Linux.
>
> > 7. Give the last user no access to the sales directory
>
> That's not hard. :)
>
> > Note: You need to remember that the company has 10 employees.
> > They may have other groups than the sales group. Users may also
> > be in more than one group. You also need to take into account
> > that the company may grow and add new users. Whatever you come
> > up with needs to take these things into account.
>
> Adding users to groups isn't hard. And if you have an ACL system implemented,
> you can also specify which users have access to which resource and how.
>
> > If you were to
> > do this in Windows or OSX you would have no problem setting up
> > anything outlined in the scenario. However, doing this in Linux is not
> > an easy task.
>
> Could you explain? What kind of Kiosk (or lock down) tools does OS X have?
> And OS X only has Unix style permissions (I just checked, is there an
> add-on?): owner, group, everyone else. So, if you could implement your sales
> scenario on Mac OS X, you could implement it on plain ext2/ext3.
>
> Sigh...I must be turning into a Linux evangelist. :)
>
> j----- k-----
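
The thread above discusses putting a guest account's default settings back at logout and populating homes from /etc/skel. The following is an added example, not part of either poster's message, of one way to do that reset safely. The function name `reset_guest_home`, its exit codes and the layout (all guest homes as direct children of one directory) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wipe a guest home and repopulate it from a skeleton
# directory (for example a copy of /etc/skel). Intended to be run by
# root from a post-session hook or a nightly cron job.
#
# usage: reset_guest_home HOME_DIR SKEL_DIR GUEST_ROOT [OWNER]
# returns: 0 ok, 2 bad or symlinked path, 3 home outside GUEST_ROOT,
#          4 wipe failed, 5 copy failed, 6 chown failed
reset_guest_home() {
    home=$1 skel=$2 root=$3 owner=${4-}

    # A guest must not be able to redirect the wipe by swapping the
    # home (or the skeleton) for a symlink.
    [ -d "$home" ] && [ ! -L "$home" ] || return 2
    [ -d "$skel" ] && [ ! -L "$skel" ] || return 2

    # Resolve both paths physically and require the home to be a
    # direct child of the directory that holds guest homes.
    real_home=$(cd "$home" && pwd -P) || return 2
    real_root=$(cd "$root" && pwd -P) || return 2
    [ "$(dirname "$real_home")" = "$real_root" ] || return 3

    # Remove everything inside the home, dotfiles included. find does
    # not follow symlinks here, so a link pointing elsewhere is removed
    # itself and its target is left alone.
    find "$real_home" -mindepth 1 -delete || return 4

    # Copy the skeleton's contents, hidden files included.
    cp -R "$skel"/. "$real_home"/ || return 5

    # Hand the files back to the guest when an owner is given (needs
    # root); -h changes symlinks themselves, not their targets.
    if [ -n "$owner" ]; then
        chown -hR "$owner" "$real_home" || return 6
    fi
    chmod 700 "$real_home"
}
```
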

Received on Thu Oct 7 15:48:58 2004
