Debian Edu / Skolelinux Buster 10+edu0 Manual i

Debian Edu / Skolelinux Buster 10+edu0 Manual

Publish date: 2020-04-03

Debian Edu / Skolelinux Buster 10+edu0 Manual ii

Contents

1 Manual for Debian Edu 10+edu0 Codename Buster 1

2 About Debian Edu and Skolelinux 1

2.1 Some history and why two names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

3 Architecture 2
3.1 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.1.1 The default network setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1.2 Main server (tjener) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1.3 Services running on the main server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1.4 LTSP server(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.5 Thin clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.6 Diskless workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.7 Networked clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2.2 File system access configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4 Requirements 7
4.1 Hardware requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2 Hardware known to work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5 Requirements for network setup 8

5.1 Default Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.2 Internet router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

6 Installation and download options 9

6.1 Where to find additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.2 Download the installation media for Debian Edu 10+edu0 Codename Buster . . . . . . . . . . . . . . . . 9
6.2.1 amd64 or i386 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.2.2 netinst iso images for amd64 or i386 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.2.3 BD iso images for i386 or amd64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.2.4 Verification of downloaded image files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.2.5 Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.3 Request a CD / DVD by mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.4 Installing Debian Edu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.4.1 Main server installation scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.4.2 Desktop choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Debian Edu / Skolelinux Buster 10+edu0 Manual iii

6.4.3 Modular installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

6.4.4 Installation types and options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.4.5 The installation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.4.6 Notes on some characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
6.4.7 Installation using USB flash drives instead of CD / Blu-ray discs . . . . . . . . . . . . . . . . . . . 17
6.4.8 Installation over the network (PXE) and booting diskless clients . . . . . . . . . . . . . . . . . . . 17
6.4.9 Custom images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.5 Screenshot tour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

7 Getting started 48
7.1 Minimum steps to get started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
7.1.1 Services running on the main server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2 Introduction to GOsa² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.1 GOsa² Login plus Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
7.3 User Management with GOsa² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
7.3.1 Adding users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
7.3.2 Search, modify and delete users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
7.3.3 Set passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
7.3.4 Advanced user management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
7.4 Group Management with GOsa² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
7.4.1 Group Management on the command line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
7.5 Machine Management with GOsa² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
7.5.1 Search and delete machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
7.5.2 Modify existing machines / Netgroup management . . . . . . . . . . . . . . . . . . . . . . . . . . 58

8 Printer Management 59
8.1 Use printers attached to workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

9 Clock synchronisation 60

10 Extending full partitions 60

11 Maintenance 60
11.1 Updating the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
11.1.1 Keep yourself informed about security updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
11.2 Backup Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
11.3 Server Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
11.3.1 Munin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
11.3.2 Icinga . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
11.3.3 Sitesummary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
11.4 More information about Debian Edu customisations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Debian Edu / Skolelinux Buster 10+edu0 Manual iv

12 Upgrades 63
12.1 General notes on upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
12.2 Upgrades from Debian Edu Stretch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
12.2.1 Upgrading the main server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
12.2.2 Upgrading a workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
12.2.3 Upgrading LTSP chroots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
12.2.4 Recreating an LTSP chroot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
12.2.5 Add additional LTSP chroot to support 64-bit-PC clients . . . . . . . . . . . . . . . . . . . . . . 66
12.3 Upgrades from older Debian Edu / Skolelinux installations (before Stretch) . . . . . . . . . . . . . . . . . 67

13 HowTo 67

14 HowTos for general administration 67

14.1 Configuration history: tracking /etc/ using the git version control system . . . . . . . . . . . . . . . . . . 67
14.1.1 Usage examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
14.2 Resizing Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
14.2.1 Logical Volume Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
14.3 Installing a graphical environment on the main-server to use GOsa² . . . . . . . . . . . . . . . . . . . . . 68
14.4 Using ldapvi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
14.5 Kerberized NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
14.5.1 How to enable it . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
14.6 Standardskriver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
14.7 JXplorer, an LDAP GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
14.8 ldap-createuser-krb, a command-line tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
14.9 Using stable-updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
14.10Using backports to install newer software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
14.11Upgrading with a CD or similar image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
14.12Automatic cleanup of leftover processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
14.13Automatic installation of security upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
14.14Automatic shutdown of machines during the night . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
14.14.1 How to set up shutdown-at-night . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
14.15Access Debian-Edu servers located behind a firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
14.16Installing additional service machines for spreading the load from main-server . . . . . . . . . . . . . . . . 72
14.17HowTos from wiki.debian.org . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Debian Edu / Skolelinux Buster 10+edu0 Manual v

15 Advanced administration howto 73

15.1 User Customisations with GOsa² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
15.1.1 Create Users in Year Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
15.2 Other User Customisations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
15.2.1 Creating folders in the home directories of all users . . . . . . . . . . . . . . . . . . . . . . . . . . 74
15.2.2 Easy access to USB drives and CD-ROMs/DVDs . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
15.3 Use a dedicated storage server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
15.4 Restrict ssh login access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
15.4.1 Setup without LTSP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
15.4.2 Setup with LTSP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
15.4.3 A note for more complex setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

16 HowTos for the desktop 77

16.1 Set up a multi-language desktop environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
16.2 Playing DVDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
16.3 Handwriting fonts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

17 HowTos for networked clients 77

17.1 Introduction to thin clients and diskless workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
17.1.1 LTSP client type selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
17.2 Configuring the PXE menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
17.2.1 Configuring the PXE installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
17.2.2 Adding a custom repository for PXE installations . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
17.2.3 Changing the PXE menu on a combined (main and LTSP) server . . . . . . . . . . . . . . . . . . 79
17.2.4 Separate main and LTSP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
17.2.5 Use a different LTSP client network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
17.2.6 Add LTSP chroot to support 32-bit-PC clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
17.3 Changing network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
17.4 LTSP in detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
17.4.1 LTSP client configuration in LDAP (and lts.conf) . . . . . . . . . . . . . . . . . . . . . . . . . . 81
17.4.2 Force all LTSP clients to use LXDE as default desktop environment . . . . . . . . . . . . . . . . . 81
17.4.3 Desktop autoloader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
17.4.4 Load-balancing LTSP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
17.4.5 Sound with LTSP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
17.4.6 Use printers attached to LTSP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
17.4.7 Use NFS instead of NBD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
17.4.8 Upgrading the LTSP environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
17.4.9 Slow login and security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
17.5 Connecting Windows machines to the network / Windows integration . . . . . . . . . . . . . . . . . . . . 84
Debian Edu / Skolelinux Buster 10+edu0 Manual vi

17.5.1 Joining a domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

17.6 Remote Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
17.6.1 Xrdp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
17.6.2 X2Go . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
17.6.3 Available Remote Desktop clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

18 Samba in Debian Edu 86

18.1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
18.1.1 Accessing files via Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
18.2 Domain Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
18.2.1 Windows hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
18.3 First Domain Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

19 HowTos for teaching and learning 87

19.1 Teaching Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
19.2 Monitoring pupils . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
19.3 Restricting pupils’ network access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

20 HowTos for users 88

20.1 Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
20.2 Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
20.2.1 Running standalone Java applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
20.3 Using email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
20.3.1 Thunderbird . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
20.3.2 Obtaining a Kerberos ticket to read email on diskless workstations . . . . . . . . . . . . . . . . . 89
20.4 Volume control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

21 Contribute 89
21.1 Contribute locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
21.2 Contribute globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
21.3 Documentation writers and translators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

22 Support 90
22.1 Volunteer based support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
22.1.1 in English . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
22.1.2 in Norwegian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
22.1.3 in German . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
22.1.4 in French . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
22.2 Professional support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Debian Edu / Skolelinux Buster 10+edu0 Manual vii

23 New features in Debian Edu Buster 90

23.1 New features for Debian Edu 10+edu0 Codename Buster . . . . . . . . . . . . . . . . . . . . . . . . . . 90
23.1.1 Installation changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
23.1.2 Software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
23.1.3 Documentation and translation updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
23.1.4 Other changes compared to the previous release . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
23.1.5 Known issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

24 Copyright and authors 92

25 Translation copyright and authors 92

26 Translations of this document 93

26.1 HowTo translate this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
26.1.1 Translate using PO files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
26.1.2 Translate online using a web browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

27 Appendix A - The GNU General Public License 94

27.1 Manual for Debian Edu 10+edu0 Codename Buster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
27.2 GNU GENERAL PUBLIC LICENSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
27.3 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION . . . . . . . . . . 95

28 Appendix B - no Debian Edu Live CD/DVDs for Buster yet 97

28.1 Features of the Standalone image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
28.2 Features of the Workstation image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
28.3 Activating translations and regional support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
28.4 Stuff to know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
28.5 Known issues with the image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
28.6 Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

29 Appendix C - Features in older releases 98

29.1 New features for Debian Edu 9+edu0 Codename Stretch released 2017-06-17 . . . . . . . . . . . . . . . . 98
29.1.1 Installation changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
29.1.2 Software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
29.1.3 Documentation and translation updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
29.1.4 Other changes compared to the previous release . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
29.2 New features for Debian Edu 8+edu0 Codename Jessie released 2016-07-02 . . . . . . . . . . . . . . . . 99
29.2.1 Installation changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
29.2.2 Software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
29.2.3 Documentation and translation updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
29.2.4 Other changes compared to the previous release . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Debian Edu / Skolelinux Buster 10+edu0 Manual viii

29.3 New features in Debian Edu 7.1+edu0 Codename Wheezy released 2013-09-28 . . . . . . . . . . . . . . . 100
29.3.1 User visible changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
29.3.2 Installation changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
29.3.3 Software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
29.3.4 Documentation and translation updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
29.3.5 LDAP related changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
29.3.6 Other changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
29.3.7 Known issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
29.4 Historic information about older releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
29.4.1 More information on even older releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 1 / 102

1 Manual for Debian Edu 10+edu0 Codename Buster

This is the manual for the Debian Edu Buster 10+edu0 release.
The version at http://wiki.debian.org/DebianEdu/Documentation/Buster is a wiki and updated frequently.
Translations are part of the debian-edu-doc package which can be installed on a webserver, and is available online.

2 About Debian Edu and Skolelinux

Debian Edu aka Skolelinux is a Linux distribution based on Debian providing an out-of-the box environment of a completely
configured school network.
The chapters about hardware and network requirements and about the architecture contain basic environment details.
After installation of a main server all services needed for a school network are set up and the system is ready to be used.
Only users and machines need to be added via GOsa², a comfortable Web-UI, or any other LDAP editor. A netbooting
environment using PXE has also been prepared, so after initial installation of the main server from CD, Blu-ray disc or USB
flash drive all other machines can be installed via the network, this includes ”roaming workstations” (ones that can be taken
away from the school network, usually laptops or netbooks) as well as PXE booting for diskless machines like traditional
thin clients.
Several educational applications like GeoGebra, Kalzium, KGeography, GNU Solfege and Scratch are included in the default
desktop setup, which can be extended easily and almost endlessly via the Debian universe.
Debian Edu / Skolelinux Buster 10+edu0 Manual 2 / 102

2.1 Some history and why two names

Skolelinux is a Linux distribution created by the Debian Edu project. As a Debian Pure Blends distribution it is an official
Debian subproject.
What this means for your school is that Skolelinux is a version of Debian providing an out-of-the box environment of a
completely configured school-network.
The Skolelinux project in Norway was founded on July 2nd 2001 and about the same time Raphaël Hertzog started Debian-
Edu in France. Since 2003 both projects are united, but both names stayed. ”Skole” and (Debian-)”Education” are just
two well understood terms in these regions.
Today the system is in use in several countries around the world.

3 Architecture

This section of the document describes the network architecture and services provided by a Skolelinux installation.

3.1 Network

The figure is a sketch of the assumed network topology. The default setup of a Skolelinux network assumes that there is
one (and only one) main server, while allowing the inclusion of both normal workstations and LTSP servers (with associated
thin clients and/or diskless workstations). The number of workstations can be as large or small as you want (starting from
none to a lot). The same goes for the LTSP servers, each of which is on a separate network so that the traffic between
the clients and the LTSP server doesn’t affect the rest of the network services. LTSP is explained in detail in the related
HowTo chapter.
Debian Edu / Skolelinux Buster 10+edu0 Manual 3 / 102

The reason that there can only be one main server in each school network is that the main server provides DHCP, and there
can be only one machine doing so in each network. It is possible to move services from the main server to other machines
by setting up the service on another machine, and subsequently updating the DNS configuration, pointing the DNS alias
for that service to the right computer.
In order to simplify the standard setup of Skolelinux, the Internet connection runs over a separate router, also called gateway.
See the Internet router chapter for details how to set up such a gateway if it is not possible to configure an existing one as
needed.

3.1.1 The default network setup

DHCP on the main server serves the 10.0.0.0/8 network, providing a PXE boot menu where you can choose whether to
install a new server/workstation, boot a thin client or a diskless workstation, run memtest, or boot from the local hard disk.
This is designed to be modified; for details, see the related HowTo chapter.
DHCP on the LTSP servers only serves a dedicated network on the second interface (192.168.0.0/24 and 192.168.1.0/24
are preconfigured options) and should seldom need to be changed.
The configuration of all subnets is stored in LDAP.

3.1.2 Main server (tjener)

A Skolelinux network needs one main server (also called ”tjener” which is Norwegian and means ”server”) which per default
has the IP address 10.0.2.2 and is installed by selecting the Main Server profile. It’s possible (but not required) to also
select and install the LTSP Server and Workstation profiles in addition to the Main Server profile.

3.1.3 Services running on the main server

With the exception of the control of the thin clients, all services are initially set up on one central computer (the main
server). For performance reasons, the LTSP server(s) should be separate (though it is possible to install both the Main
Server and LTSP Server profiles on the same machine). All services are allocated a dedicated DNS-name and are offered
exclusively over IPv4. The allocated DNS name makes it easy to move individual services from the main server to a different
machine, by simply stopping the service on the main server, and changing the DNS configuration to point to the new
location of the service (which should be set up on that machine first, of course).
To ensure security all connections where passwords are transmitted over the network are encrypted, so no passwords are
sent over the network as plain text.
Below is a table of the services that are set up by default in a Skolelinux network and the DNS name of each service. If
possible all configuration files will refer to the service by name (without the domain name) thus making it easy for schools
to change either their domain (if they have an own DNS domain) or the IP addresses they use.

Table of services
Service description Common name DNS service name
Centralised Logging rsyslog syslog

Domain Name Service DNS (BIND) domain

Automatic Network Configuration of

DHCP bootps
Machines

Clock Synchronisation NTP ntp

Home Directories via Network File

SMB / NFS homes
System
Debian Edu / Skolelinux Buster 10+edu0 Manual 4 / 102

Electronic Post Office IMAP (Dovecot) postoffice

Directory Service OpenLDAP ldap

User Administration GOsa² ---

Web Server Apache/PHP www

Central Backup sl-backup, slbackup-php backup

Web Cache Proxy (Squid) webcache

Printing CUPS ipp

Secure Remote Login OpenSSH ssh

Automatic Configuration CFEngine cfengine

LTSP Server/s LTSP ltsp

Network Block Device Server NBD ---

Machine and Service Surveillance

with Error Reporting, plus Status
Munin, Icinga and Sitesummary sitesummary
and History on the Web. Error
Reporting by email

Personal files for each user are stored in their home directories, which are made available by the server. Home directories are
accessible from all machines, giving users access to the same files regardless of which machine they are using. The server
is operating system agnostic, offering access via NFS for Unix clients, SMB for Windows and Macintosh clients.
By default email is set up for local delivery (i.e. within the school) only, though email delivery to the wider Internet may be
set up if the school has a permanent Internet connection. Clients are set up to deliver mail to the server (using ’smarthost’),
and users can access their personal mail through IMAP.
All services are accessible using the same username and password, thanks to the central user database for authentication
and authorisation.
To increase performance on frequently accessed sites a web proxy that caches files locally (Squid) is used. In conjunction
with blocking web-traffic in the router this also enables control of Internet access on individual machines.
Network configuration on the clients is done automatically using DHCP. All types of clients can be connected to the private
10.0.0.0/8 subnet and will get according IP addresses; LTSP clients should be connected to the corresponding LTSP server
via the separate subnet 192.168.0.0/24 (this is to ensure that the network traffic of the LTSP clients doesn’t interfere with
the rest of the network services).
Centralised logging is set up so that all machines send their syslog messages to the server. The syslog service is set up so
that it only accepts incoming messages from the local network.
By default the DNS server is set up with a domain for internal use only (*.intern), until a real (”external”) DNS domain
can be set up. The DNS server is set up as caching DNS server so that all machines on the network can use it as the main
DNS Server.
Pupils and teachers have the ability to publish websites. The web server provides mechanisms for authenticating users, and
for limiting access to individual pages and subdirectories to certain users and groups. Users will have the ability to create
dynamic web pages, as the web server will be programmable on the server side.
Information on users and machines can be changed in one central location, and is made accessible to all computers on the
network automatically. To achieve this a centralised directory server is set up. The directory will have information on users,
user groups, machines, and groups of machines. To avoid user confusion there won’t be any difference between file groups,
Debian Edu / Skolelinux Buster 10+edu0 Manual 5 / 102

mailing lists, and network groups. This implies that groups of machines which are to form network groups will use the same
namespace as user groups and mailing lists.
Administration of services and users will mainly be via the web, and follow established standards, functioning well in the
web browsers which are part of Skolelinux. The delegation of certain tasks to individual users or user groups will be made
possible by the administration systems.
In order to avoid certain problems with NFS, and to make it simpler to debug problems, the different machines need
synchronised clocks. To achieve this the Skolelinux server is set up as a local Network Time Protocol (NTP) server, and all
workstations and clients are set up to synchronise with the server. The server itself should synchronise its clock via NTP
against machines on the Internet, thus ensuring the whole network has the correct time.
Printers are connected where convenient, either directly onto the main network, or connected to a server, workstation or
LTSP server. Access to printers can be controlled for individual users according to the groups they belong to; this will be
achieved by using quota and access control for printers.

3.1.4 LTSP server(s)

A Skolelinux network can have many LTSP servers (which we called ”thin client servers” in releases before Stretch), which
are installed by selecting the LTSP Server profile.
The LTSP servers are set up to receive syslog from thin clients and workstations, and forward these messages to the central
syslog recipient.
Please note:

• Thin clients are using the programs installed on the server.

• Diskless workstations are using the programs installed in the server’s LTSP chroot.

• For LTSP clients a more lightweight desktop environment should be used; this can be set at installation time, see the
Installation chapter for details.
• The client root filesystem is provided using NBD (Network Block Device). After each modification to the LTSP chroot
the related NBD image has to be re-generated; run ltsp-update-image on the LTSP server.

3.1.5 Thin clients

A thin client setup enables ordinary PCs to function as (X-)terminals. This means that the machine boots directly from the
server using PXE without using the local client hard drive. The thin client setup used is that of the Linux Terminal Server
Project (LTSP).
Thin clients are a good way to make use of older, weaker machines as they effectively run all programs on the LTSP server.
This works as follows: the service uses DHCP and TFTP to connect to the network and boot from the network. Next, the
file system is mounted from the LTSP server using NBD, and finally the X Window System is started. The display manager
(LDM) connects to the LTSP server via SSH with X-forwarding. This way all data is encrypted on the network.

3.1.6 Diskless workstations

For diskless workstations the terms ”stateless workstations”, ”lowfat clients” or ”half-thick clients” are also used. For the
sake of clarity this manual sticks to the term ”diskless workstations”.
A diskless workstation runs all software on the PC without a locally installed operating system. This means that client
machines boot directly from the server’s hard drive without running software installed on a local hard drive.
Diskless workstations are an excellent way of reusing older (but powerful) hardware with the same low maintenance cost as
with thin clients. Software is administered and maintained on the server with no need for local installed software on the
clients. Home directories and system settings are stored on the server too.
Debian Edu / Skolelinux Buster 10+edu0 Manual 6 / 102

3.1.7 Networked clients

The term ”networked clients” is used in this manual to refer to both thin clients and diskless workstations, as well as
computers running Mac OS or Windows.

3.2 Administration

All the Linux machines that are installed with the Skolelinux installer will be administrable from a central computer, most
likely the server. It will be possible to log in to all machines via SSH, and thereby have full access to the machines. As root
one needs to run kinit first to get a Kerberos TGT.
All user information is kept in an LDAP directory. Updates of user accounts are made against this database, which is used
by the clients for user authentication.

3.2.1 Installation

Currently there are two kinds of installation media images: netinst and BD. Both images can also be booted from USB
sticks.
The aim is to be able to install a server from any type of medium once, and install all other clients over the network by
booting from the network.
Only the netinstall image needs access to the Internet during installation.
The installation should not ask any questions, with the exception of desired language (e.g. Norwegian Bokmål, Nynorsk,
Sami) and machine profile (main server, workstation, LTSP server, ...). All other configuration will be set up automatically
with reasonable values, to be changed from a central location by the system administrator subsequent to the installation.

3.2.2 File system access configuration

Each Skolelinux user account is assigned a section of the file system on the file server. This section (home directory) contains
the user’s configuration files, documents, email and web pages. Some of the files should be set to have read access for other
users on the system, some should be readable by everyone on the Internet, and some should not be accessible for reading
by anyone but the user.
To ensure that all disks that are used for user directories or shared directories can be uniquely named across all the computers
in the installation, they can be mounted as /skole/host/directory/. Initially, one directory is created on the file server,
/skole/tjener/home0/, in which all the user accounts are created. More directories may then be created when needed
to accommodate particular user groups or particular patterns of usage.
To enable shared access to files under the normal UNIX permissions system, users need to be in supplementary shared groups
(such as ”students”) as well as the personal primary group that they’re in by default. If users have an appropriate umask
to make newly created items group-accessible (002 or 007), and if the directories they’re working in are setgid to ensure the
files inherit the correct group-ownership, the result is controlled file sharing between the members of a group.
The initial access settings for newly created files are a matter of policy. The Debian default umask is 022 (which would not
allow group-access as described above), but Debian Edu uses a default of 002 - meaning that files are created with read
access for everybody, which can later be removed by explicit user action. This can alternatively be changed (by editing
/etc/pam.d/common-session) to a umask of 007 - meaning read access is initially blocked, necessitating user action to
make them accessible. The first approach encourages knowledge sharing, and makes the system more transparent, whereas
the second method decreases the risk of unwanted spreading of sensitive information. The problem with the first solution is
that it is not apparent to the users that the material they create will be accessible to all other users. They can only detect
this by inspecting other users’ directories and seeing that their files are readable. The problem with the second solution is
that few people are likely to make their files accessible, even if they do not contain sensitive information and the content
would be helpful to inquisitive users who want to learn how others have solved particular problems (typically configuration
issues).
Debian Edu / Skolelinux Buster 10+edu0 Manual 7 / 102

4 Requirements

There are different ways of setting up a Skolelinux solution. It can be installed on just one standalone PC, or as a region-
wide solution at many schools operated centrally. This flexibility makes a huge difference to the configuration of network
components, servers and client machines.

4.1 Hardware requirements

The purpose of the different profiles is explained in the network architecture chapter.

If LTSP is intended to be used, take a look at the LTSP Hardware Requirements wiki page.

• The computers running Debian Edu / Skolelinux must have either 32 bit (Debian architecture ’i386’, oldest supported
processors are 686 class ones) or 64 bit (Debian architecture ’amd64’) x86 processors.

• At least 12 GiB RAM for 30 thin clients and 20 GiB RAM for 50-60 thin clients are recommended for the main and LTSP
server profiles.
• Thin clients with only 256 MiB RAM and 400 MHz are possible, though more RAM and faster processors are recom-
mended.

– Swapping over the network is automatically enabled for LTSP clients; the swap size is 512 MiB, and if you need more
you can tune this by editing /etc/ltsp/nbdswapd.conf on tjener to set the SIZE variable.
– If your diskless workstations have hard drives, it is recommended to use them for swap as it is a lot faster than network
swapping.

• For workstations, diskless workstations and standalone systems, 1500 MHz and 1024 MiB RAM are the absolute minimum
requirements. For running modern webbrowsers and LibreOffice at least 2048 MiB RAM is recommended.

– On workstations with little RAM the spell checker might cause LibreOffice to hang if the swap space is also too small.
If this happens frequently the spell checker can be disabled by system administrators.

• The minimum disk space requirements depend on the profile which is installed:

– combined main server + LTSP server: 70 GiB (plus additional space for user accounts).
– LTSP server: 50 GiB.
– workstation or standalone: 30 GiB.

• LTSP servers need two network cards when using the default network architecture:

– eth0 is connected to the main network (10.0.0.0/8),

– eth1 is used for serving LTSP clients (192.168.0.0/24 as default), but others are possible.

• Laptops are movable workstations, so they have the same requirements as workstations.

4.2 Hardware known to work

A list of tested hardware is provided at http://wiki.debian.org/DebianEdu/Hardware/ . This list is not nearly complete

http://wiki.debian.org/InstallingDebianOn is an effort to document how to install, configure and use Debian on

some specific hardware, allowing potential buyers to know if that hardware is supported and existing owners to know how
get the best out of that hardware.
An excellent database of hardware supported by Debian is online at http://kmuto.jp/debian/hcl/.
Debian Edu / Skolelinux Buster 10+edu0 Manual 8 / 102

5 Requirements for network setup

5.1 Default Setup

When using the default network architecture, these rules apply:

• You need exactly one main server, the tjener.

• You can have hundreds of workstations on the main network.
• You can have a lot of LTSP servers on the main network; two different subnets are preconfigured (DNS, DHCP) in LDAP,
more can be added.
• You can have hundreds of thin clients and/or diskless workstations on each LTSP server network.
• You can have hundreds of other machines which will have dynamic IP addresses assigned.
• For access to the Internet you need a router/gateway (see below).

5.2 Internet router

A router/gateway, connected to the Internet on the external interface and running on the IP address 10.0.0.1 with netmask
255.0.0.0 on the internal interface, is needed to connect to the Internet.
The router should not run a DHCP server, it can run a DNS server, though this is not needed and will not be used.
In case you already have a router but are unable to configure it as needed (eg because you are not allowed to do so, or
for technical reasons), an older computer with two network interfaces can be turned into a gateway between the existing
network and the Debian Edu one.
A simple way is to install Debian Edu on this computer; select ’Minimal’ as profile during installation.
After the installation:

• Adjust the /etc/network/interfaces file.

• Change the hostname permanently to ’gateway’.
• Enable IP forwarding and NAT for the 10.0.0.0/8 network.
• As an option install a firewall and / or a traffic shaping tool.

#!/ bin/sh
# Turn a system with profile ’Minimal ’ into a gateway / firewall .
#
sed -i ’s/auto eth0/auto eth0 eth1/’ /etc/ network / interfaces
sed -i ’/eth1/ s/dhcp/ static /’ /etc/ network / interfaces
echo ’address 10.0.0.1 ’ >> /etc/ network / interfaces
echo ’netmask 255.0.0.0 ’ >> /etc/ network / interfaces
hostname -b gateway
hostname > /etc/ hostname
service networking stop
service networking start
sed -i ’s#NAT =# NAT =”10.0.0.0/8”# ’ /etc/ default /enable -nat
service enable -nat restart
# You might want a firewall ( shorewall or ufw) and traffic shaping .
#apt update
#apt install shorewall
# or
#apt install ufw
#apt install wondershaper
Debian Edu / Skolelinux Buster 10+edu0 Manual 9 / 102

If you need something for an embedded router or accesspoint we recommend using OpenWRT, though of course you can
also use the original firmware. Using the original firmware is easier; using OpenWRT gives you more choices and control.
Check the OpenWRT webpages for a list of supported hardware.
It is possible to use a different network setup (there is a documented procedure to do this), but if you are not forced to
do this by an existing network infrastructure, we recommend against doing so and recommend you stay with the default
network architecture.

6 Installation and download options

6.1 Where to find additional information

We recommend that you read or at least take a look at the release notes for Debian Buster before you start installing a
system for production use. There is more information about the Debian Buster release available in its installation manual.

Please give Debian Edu/Skolelinux a try, it should just work.

It is recommended, though, to read the chapters about hardware and network requirements and about the architecture
before starting to install a main server.

Be sure to also read the getting started chapter of this manual, as it explains how to log in for the first time.

6.2 Download the installation media for Debian Edu 10+edu0 Codename Buster

6.2.1 amd64 or i386

amd64 and i386 are the names of two Debian architectures for x86 CPUs, both are or have been build by AMD, Intel and
other manufacturers. amd64 is a 64-bit architecture and i386 is a 32-bit architecture. New installations today should be
done using amd64. i386 should only be used for old hardware.

6.2.2 netinst iso images for amd64 or i386

The netinst iso image can be used for installation from CD/DVD and USB flash drives and is available for two Debian
architectures: amd64 or i386. As the name implies, internet access is required for the installation.
Once Buster has been released these images will be available for download from:

• http://get.debian.org/cdimage/release/current/amd64/iso-cd/
• http://get.debian.org/cdimage/release/current/i386/iso-cd/

6.2.3 BD iso images for i386 or amd64

This ISO image is approximately 5 GB large and can be used for installation of amd64 or i386 machines, also without access
to the Internet. Like the netinst image it can be installed on USB flash drives or disk media of sufficient size.
Once Buster has been released these images will be available for download from:

• http://get.debian.org/cdimage/release/current/amd64/iso-bd/
• http://get.debian.org/cdimage/release/current/i386/iso-bd/

6.2.4 Verification of downloaded image files

Detailed instructions for verifying these images are part of the Debian-CD FAQ.
Debian Edu / Skolelinux Buster 10+edu0 Manual 10 / 102

6.2.5 Sources

Sources are available from the Debian archive at the usual locations, several media are linked on http://get.debian.
org/cdimage/release/current/source/

6.3 Request a CD / DVD by mail

For those without a fast Internet connection, we can offer a CD or DVD sent for the cost of the CD or DVD and shipping.
Just send an email to [email protected] and we will discuss the payment details (for shipping and media). Remember to
include the address you want the CD or DVD to be sent to in the email.

6.4 Installing Debian Edu

When you do a Debian Edu installation, you have a few options to choose from. Don’t be afraid; there aren’t many. We
have done a good job of hiding the complexity of Debian during the installation and beyond. However, Debian Edu is
Debian, and if you want there are more than 57,000 packages to choose from and a billion configuration options. For the
majority of our users, our defaults should be fine. Please note: if LTSP is intended to be used, choose a lightweight desktop
environment.

6.4.1 Main server installation scenarios

A. Typical school or home network with Internet access through a router providing DHCP:

• Installation of a main server is possible, but after reboot there will be no internet access (due to primary network
interface IP 10.0.2.2/8).
• See the Internet router chapter for details how to set up a gateway if it is not possible to configure an existing one
as needed.
• Connect all components like shown in the architecture chapter.
• The main server should have Internet connection once bootet the first time in the correct environment.

B. Typical school or institution network, similar to the one above, but with proxy use required.

• Add ’debian-edu-expert’ to the kernel command line; see further below for details how this is done.
• Some additional questions must be answered, the proxy server related one included.

C. Network with router/gateway IP 10.0.0.1/8 (which does not provide a DHCP server) and Internet access:

• As soon as the automatic network configuration fails (due to missing DHCP), choose manual network configuration.
– Enter 10.0.2.2/8 as host IP
– Enter 10.0.0.1 as gateway IP
– Enter 8.8.8.8 as nameserver IP unless you know better
• The main server should just work after the first boot.

D. Offline (no Internet connection):

• Use the BD ISO image.

• Make sure all (real/virtual) network cables are unplugged.
• Choose ’Do not configure the network at this time’ (after DHCP failed to configure the network and you pressed
’Continue’).
• Update the system once bootet the first time in the correct environment with Internet access.
Debian Edu / Skolelinux Buster 10+edu0 Manual 11 / 102

6.4.2 Desktop choice

• KDE and GNOME both have good language support, but too big a footprint for both older computers and for LTSP
clients.
• MATE is lighter than the two above, but is missing good language support for several countries.
• LXDE has the smallest footprint and supports 35 languages.
• LXQt is a lightweight desktop (language support similar to LXDE) with a more modern look and feel (based on Qt just
like KDE).
• Xfce has a slightly bigger footprint than LXDE but a very good language support (106 languages).

Debian Edu as an international project has chosen to use Xfce as the default desktop; see below how to set a different one.

6.4.3 Modular installation

• When installing a system with profile Workstation included, a lot of education related programs are installed. To install
only the basic profile, remove the desktop=xxxx kernel command line param before starting the installation; see further
below for details how this is done. This allows one to install a site specific system and could be used to speed up test
installations.
• Please note: If you want to install a desktop afterwards, don’t use the Debian Edu meta-packages like e.g. education-
desktop-mate because these would pull in all education related programs; rather install e.g. task-mate-desktop instead.
One or more of the new school level related meta-packages education-preschool, education-primaryschool, education-
secondaryschool, education-highschool could be installed to match the use case.

• For details about Debian Edu meta-packages, see the Debian Edu packages overview page.

6.4.4 Installation types and options

Installer boot menu on 64-bit Hardware

Debian Edu / Skolelinux Buster 10+edu0 Manual 12 / 102

Graphical install uses the GTK installer where you can use the mouse.
Install uses text mode.
Advanced options > gives a sub menu with more detailed options to choose.
Help gives some hints on using the installer; see screenshot below.
Debian Edu / Skolelinux Buster 10+edu0 Manual 13 / 102

Back.. brings back to the main menu.

Graphical expert install gives access to all available questions, mouse usable.
Graphical rescue mode makes this install medium become a rescue disk for emergency tasks.
Graphical automated install needs a preseed file.
Expert install gives access to all available questions in text mode.
Rescue mode text mode; makes this install medium become a rescue disk for emergency tasks.
Automated install text mode; needs a preseed file.
Help screen
Debian Edu / Skolelinux Buster 10+edu0 Manual 14 / 102

This Help screen is self explaining and enables the <F>-keys on the keyboard for getting more detailed help on the topics
described.
Add or change boot parameters for installations
In both cases, boot options can be edited by pressing the TAB key in the boot menu; the screenshot shows the command
line for Graphical install.
Debian Edu / Skolelinux Buster 10+edu0 Manual 15 / 102

• You can use an existing HTTP proxy service on the network to speed up the installation of the main server profile from
CD. Add e.g. mirror/http/proxy=http://10.0.2.2:3128 as an additional boot parameter.
• If you have already installed the main server profile on a machine, further installations should be done via PXE, as this
will automatically use the proxy of the main server.
• To install the GNOME desktop instead of the default Xfce desktop, replace xfce with gnome in the desktop=xfce
parameter.
• To install the LXDE desktop instead, use desktop=lxde.

• To install the LXQt desktop instead, use desktop=lxqt.

• To install the KDE Plasma desktop instead, use desktop=kde.
• And to install the MATE desktop instead, use desktop=mate.

6.4.5 The installation process

Remember the system requirements and make sure you have at least two network cards (NICs) if you plan on setting up an
LTSP server.

• Choose a language (for the installation and the installed system).

• Choose a location which normally should be the location where you live.
• Choose a keyboard keymap (the country’s default is usually fine).
Debian Edu / Skolelinux Buster 10+edu0 Manual 16 / 102

• Choose profile(s) from the following list:

– Main Server
∗ This is the main server (tjener) for your school providing all services pre-configured to work out of the box. You
must install only one main server per school! This profile does not include a graphical user interface. If you want a
graphical user interface, then select Workstation or LTSP Server in addition to this one.
– Workstation
∗ A computer booting from its local hard drive, and running all software and devices locally like an ordinary computer,
except that user logins are authenticated by the main server, where the users’ files and desktop profile are stored.
– Roaming workstation
∗ Same as workstation but capable of authentication using cached credentials, meaning it can be used outside the
school network. The users’ files and profiles are stored on the local disk. For single user notebooks and laptops this
profile should be selected and not ’Workstation’ or ’Standalone’ as suggested in earlier releases.
– LTSP Server
∗ A thin client (and diskless workstation) server, is called an LTSP server. Clients without hard drives boot and run
software from this server. This computer needs two network interfaces, a lot of memory, and ideally more than one
processor or core. See the chapter about networked clients for more information on this subject. Choosing this
profile also enables the workstation profile (even if it is not selected) - an LTSP server can always be used as a
workstation, too.
– Standalone
∗ An ordinary computer that can function without a main server (that is, it doesn’t need to be on the network).
Includes laptops.
– Minimal
∗ This profile will install the base packages and configure the machine to integrate into the Debian Edu network, but
without any services and applications. It is useful as a platform for single services manually moved out from the
main-server.

The Main Server, Workstation and LTSP Server profiles are preselected. These profiles can be installed on one
machine together if you want to install a so called combined main server. This means the main server will be an LTSP
server and also be used as a workstation. This is the default choice, since we assume most people will install via PXE
afterwards. Please note that you must have 2 network cards installed in a machine which is going to be installed as a
combined main server or as an LTSP server to become useful after the installation.

• Say ”yes” or ”no” to automatic partitioning. Be aware that saying ”yes” will destroy all data on the hard drives! Saying
”no” on the other hand will require more work - you will need to make sure that the required partitions are created and
are big enough.
• Please say ”yes” to submitting information to https://popcon.debian.org/ to allow us to know which packages are
popular and should be kept for future releases. Although you don’t have to, it is a simple way for you to help.
• Wait. If the selected profiles include LTSP Server then the installer will spend quite some time at the end, ”Finishing
the installation - Running debian-edu-profile-udeb...”
• After giving the root password, you will be asked to create a normal user account ”for non-administrative tasks”. For
Debian Edu this account is very important: it is the account you will use to manage the Skolelinux network.
The password for this user must have a length of at least 5 characters and must differ from the username -
otherwise login will not be possible (even though a shorter password and also a password matching the username will be
accepted by the installer).

• Be happy
Debian Edu / Skolelinux Buster 10+edu0 Manual 17 / 102

6.4.6 Notes on some characteristics

6.4.6.1 A note on notebooks

Most likely you will want to use the ’Roaming workstation’ profile (see above). Be aware that all data is stored locally (so
take some extra care over backups) and login credentials are cached (so after a password change, logins may require your
old password if you have not connected your laptop to the network and logged in with the new password).

6.4.6.2 A note on USB flash drive / Blu-ray disc image installs

After you install from the USB flash drive / Blu-ray disc image, /etc/apt/sources.list will only contain sources from
that image. If you have an Internet connection, we strongly suggest adding the following lines to it so that available security
updates can be installed:
deb http :// deb. debian .org/ debian / buster main
deb http :// security . debian .org/ buster / updates main

6.4.6.3 A note on CD installs

A netinst installation (which is the type of installation our CD provides) will fetch some packages from the CD and the
rest from the net. The amount of packages fetched from the net varies from profile to profile but stays below a gigabyte
(unless you choose to install all possible desktops). Once you have installed the main-server (whether a pure main-server or
combi-server does not matter), further installation will use its proxy to avoid downloading the same package several times
from the net.

6.4.6.4 Notes on LTSP Server installations using only Thin-Clients

Providing the kernel boot parameter edu-skip-ltsp-make-client makes it possible to skip one step which converts the
LTSP chroot from a thin-client chroot into a combined thin-client/diskless workstation chroot.
This is useful in certain situations, such as if you want a pure thin client chroot or if there is already a diskless chroot on
another server, which can be rsynced. For these situations skipping this step will cut down the installation time considerably.
Except for the longer installation time there is no harm in always creating combined chroots, which is why this is done by
default.

6.4.7 Installation using USB flash drives instead of CD / Blu-ray discs

It is possible to directly copy a CD/BD .iso image to USB flash drives (also known as ”USB sticks”) and boot from them.
Simply execute a command like this, just adapting the file and device name to your needs:
sudo cp debian-edu-amd64-XXX.iso /dev/sdX
To determine the value of X, run this command before and after the USB device has been inserted:
lsblk -p
Please note that copying will take quite some time.
Depending on which image you choose, the USB flash drive will behave just like a CD or Blu-ray disc.

6.4.8 Installation over the network (PXE) and booting diskless clients

For this installation method it is required that you have a running main server. When clients boot via the main network, a
new PXE menu with installer and boot selection options is displayed. If PXE installation fails with an error message claiming
a XXX.bin file is missing, then most probably the client’s network card requires nonfree firmware. In this case the Debian In-
staller’s initrd must be modified. This can be achieved by executing the command: /usr/share/debian-edu-config/tools/pxe-
on the server.
Debian Edu / Skolelinux Buster 10+edu0 Manual 18 / 102

This is how the PXE menu looks with the Main-Server profile only:

This is how the PXE menu looks with the Main Server and LTSP Server profiles:
Debian Edu / Skolelinux Buster 10+edu0 Manual 19 / 102

To install a desktop environment of your choice instead of the default one, press TAB and edit the kernel boot options (like
explained above).
This setup also allows diskless workstations and thin clients to be booted on the main network. Unlike workstations, diskless
workstations don’t have to be added to LDAP with GOsa², but can be, for example if you want to force the hostname.
More information about network clients can be found in the Network clients HowTo chapter.

6.4.8.1 Modifying PXE installations

The PXE installation uses a debian-installer preseed file, which can be modified to ask for more packages to install.
A line like the following needs to be added to tjener:/etc/debian-edu/www/debian-edu-install.dat
d-i pkgsel / include string my -extra - package (s)

The PXE installation uses /var/lib/tftpboot/debian-edu/install.cfg and the preseeding file in /etc/debian-edu/www/deb
These files can be changed to adjust the preseeding used during installation, to avoid more questions when installing
over the net. Another way to achieve this is to provide extra settings in /etc/debian-edu/pxeinstall.conf and
/etc/debian-edu/www/debian-edu-install.dat.local and to run /usr/sbin/debian-edu-pxeinstall to update
the generated files.
Further information can be found in the manual of the Debian Installer.
To disable or change the use of the proxy when installing via PXE, the lines containing mirror/http/proxy, mirror/ftp/proxy
and preseed/early_command in tjener:/etc/debian-edu/www/debian-edu-install.dat need to be changed. To
disable the use of a proxy when installing, put ’#’ in front of the first two lines, and remove the ”export http_proxy=”http://webc
” part from the last one.
Debian Edu / Skolelinux Buster 10+edu0 Manual 20 / 102

Some settings can not be preseeded because they are needed before the preseeding file is downloaded. These are configured in
the PXElinux-based boot arguments available from /var/lib/tftproot/debian-edu/install.cfg. Language, keyboard
layout and desktop are examples of such settings.

6.4.9 Custom images

Creating custom CDs, DVDs or Blu-ray discs can be quite easy since we use the Debian Installer, which has a modular
design and other nice features. Preseeding allows you to define answers to the questions normally asked.
So all you need to do is to create a preseeding file with your answers (this is described in the appendix of the Debian Installer
manual) and remaster the CD/DVD.

6.5 Screenshot tour

The text mode and the graphical installation are functionally identical - only the appearance is different. The graphical
mode offers the opportunity to use a mouse, and of course looks much nicer and more modern. Unless the hardware has
trouble with the graphical mode, there is no reason not to use it.
So here is a screenshot tour through a graphical 64-bit Main Server + Workstation + LTSP Server installation and how it
looks at the first boot of the main server, a PXE boot on the workstation network and on the LTSP client network:
Debian Edu / Skolelinux Buster 10+edu0 Manual 21 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 22 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 23 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 24 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 25 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 26 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 27 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 28 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 29 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 30 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 31 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 32 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 33 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 34 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 35 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 36 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 37 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 38 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 39 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 40 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 41 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 42 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 43 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 44 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 45 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 46 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 47 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 48 / 102

7 Getting started

7.1 Minimum steps to get started

During installation of the main server a first user account was created. In the following text this account will be referenced as
”first user”. This account is special, as there’s no Samba account (can be added via GOsa²), the home directory permission
is set to 700 (so chmod o+x ~ is needed to make personal web pages accessible), and the first user can use sudo to become
root.
See the information about Debian Edu specific file system access configuration before adding users; adjust to your site’s
policy if needed.
After the installation, the first things you need to do as first user are:

1. Log into the server.

2. Add users with GOsa².

3. Add workstations with GOsa² - thin-client and diskless workstation can be used directly without this step.

Adding users and workstations is described in detail below, so please read this chapter completely. It covers how to perform
these minimum steps correctly as well as other stuff that everybody will probably need to do.
Debian Edu / Skolelinux Buster 10+edu0 Manual 49 / 102

There is additional information available elsewhere in this manual: the New features in Buster chapter should be read by
everyone who is familiar with previous releases. And for those upgrading from a previous release, make sure to read the
Upgrades chapter.

If generic DNS traffic is blocked out of your network and you need to use some specific DNS server to look up internet
hosts, you need to tell the DNS server to use this server as its ”forwarder”. Update /etc/bind/named.conf.options and
specify the IP address of the DNS server to use.
The HowTo chapter covers more tips and tricks and some frequently asked questions.

7.1.1 Services running on the main server

There are several services running on the main server which can be managed via a web management interface. We’ll describe
each service below.

7.2 Introduction to GOsa²

GOsa² is a web based management tool that helps to manage some important parts of your Debian Edu setup. With GOsa²
you can manage (add, modify, or delete) these main groups:

• User Administration
• Group Administration
Debian Edu / Skolelinux Buster 10+edu0 Manual 50 / 102

• NIS Netgroup Administrator

• Machine Administration
• DNS Administration
• DHCP Administration

For GOsa² access you need the Skolelinux main server and a (client) system with a web browser installed which can be the
main server itself if it was installed as a so called combined server (Main Server + LTSP Server + Workstation profiles). If
all of the mentioned before is not available, see: Installing a graphical environment on the main-server to use GOsa².
From a web browser use the URL https://www/gosa for GOsa² access, and log in as the first user.

• If you are using a new Debian Edu Buster machine, the site certificate will be known by the browser.
• Otherwise, you will get an error message about the SSL certificate being wrong. If you know you are alone on your
network, just tell the browser to accept it and ignore that.

For general information on GOsa² have a look at: https://oss.gonicus.de/labs/gosa/wiki/documentation.

7.2.1 GOsa² Login plus Overview

After logging in to GOsa² you will see the overview page of GOsa².
Next, you can choose a task in the menu or click any of the task icons on the overview page. For navigation, we recommend
using the menu on the left side of the screen, as it will stay visible there on all administration pages offered by GOsa².
In Debian Edu, account, group, and system information is stored in an LDAP directory. This data is used not only by the
main server, but also by the (diskless) workstations, the LTSP servers and the Windows machines on the network. With
LDAP, account information about students, teachers, etc. only needs to be entered once. After information has been
provided in LDAP, the information will be available to all systems on the whole Skolelinux network.
GOsa² is an administration tool that uses LDAP to store its information and provide a hierarchical department structure.
To each ”department” you can add user accounts, groups, systems, netgroups, etc. Depending on the structure of your
Debian Edu / Skolelinux Buster 10+edu0 Manual 51 / 102

institution, you can use the department structure in GOsa²/LDAP to transfer your organisational structure into the LDAP
data tree of the Debian Edu main server.
A default Debian Edu main server installation currently provides two ”departments”: Teachers and Students, plus the
base level of the LDAP tree. Student accounts are intended to be added to the ”Students” department, teachers to the
”Teachers” department; systems (servers, Skolelinux workstations, Windows machines, printers etc.) are currently added to
the base level. Find your own scheme for customising this structure. (You can find an example how to create users in year
groups, with common home directories for each group in the HowTo/AdvancedAdministration chapter of this manual.)
Depending on the task that you want to work on (manage users, manage groups, manage systems, etc.) GOsa² presents
you with a different view on the selected department (or the base level).

7.3 User Management with GOsa²

First, click on ”Users” in the left navigation menu. The right side of the screen will change to show a table with department
folders for ”Students” and ”Teachers” and the account of the GOsa² Administrator (the first created user). Above this table
you can see a field called Base that allows you to navigate through your tree structure (move your mouse over that area
and a drop-down menu will appear) and to select a base folder for your intended operations (e.g. adding a new user).

7.3.1 Adding users

Next to that tree navigation item you can see the ”Actions” menu. Move your mouse over this item and a submenu appears
on screen; choose ”Create” here, and then ”User”. You will be guided by the user creation wizard.

• The most important thing to add is the template (newstudent or newteacher) and the full name of your user (see image).
• As you follow the wizard, you will see that GOsa² generates a username automatically based on the real name. It
automatically chooses a username that doesn’t exist yet, so multiple users with the same full name are not a problem.
Note that GOsa² can generate invalid usernames if the full name contains non-ASCII characters.
• If you don’t like the generated username you can select another username offered in the drop-down box, but you do not
have a free choice here in the wizard. (If you want to be able to edit the proposed username, open /etc/gosa/gosa.conf
with an editor and add allowUIDProposalModification=”true” as an additional option to the ”location definition”.)

• When the wizard has finished, you are presented with the GOsa² screen for your new user object. Use the tabs at the
top to check the completed fields.

After you have created the user (no need to customise fields the wizard has left empty for now), click on the ”Ok” button
in the bottom-right corner.
As the last step GOsa² will ask for a password for the new user. Type that in twice and then click ”Set password” in the
bottom-right corner. Some characters may not be allowed as part of the password.
If all went well, you can now see the new user in the user list table. You should now be able to log in with that username
on any Skolelinux machine within your network.
Debian Edu / Skolelinux Buster 10+edu0 Manual 52 / 102

7.3.2 Search, modify and delete users

To modify or delete a user, use GOsa² to browse the list of users on your system. On the middle of the screen you may
open the ”Filter” box, a search tool provided by GOsa². If you don’t know the exact location of your user account in your
tree, change to the base level of the GOsa²/LDAP tree and search there with the option marked ”Search in subtrees”.
When using the ”Filter” box, results will immediately appear in the middle of the text in the table list view. Every line
represents a user account and the items farthest to the right on each line are little icons that provide actions for you: edit
user, lock account, set password and remove user.
A new page will show up where you can directly modify information about the user, change the password of the user and
modify the list of groups the user belongs to.

7.3.3 Set passwords

The students can change their own passwords by logging into GOsa² with their own usernames. To ease the access of
GOsa², an entry called Gosa is provided in the desktop’s System (or System settings) menu. A logged-in student will be
Debian Edu / Skolelinux Buster 10+edu0 Manual 53 / 102

presented with a very minimal version of GOsa² that only allows access to the student’s own account data sheet and to the
set-password dialog.
Teachers logged in under their own usernames have special privileges in GOsa². They are shown a more privileged view of
GOsa², and can change the passwords for all student accounts. This may be very handy during class.
To administratively set a new password for a user

1. search for the user to be modified, as explained above

2. click on the key symbol at the end of the line that the username is shown in
3. on the page subsequently presented you can set a new password chosen by yourself

Beware of security implications due to easy to guess passwords!

7.3.4 Advanced user management

It is possible to mass-create users with GOsa² by using a CSV file, which can be created with any good spreadsheet software
(for example localc). At least, entries for the following fields have to be provided: uid, last name (sn), first name
(givenName) and password. Make sure that there are no duplicate entries in the uid field. Please note that the check
for duplicates must include already existing uid entries in LDAP (which could be obtained by executing getent passwd |
grep tjener/home | cut -d”:” -f1 on the command line).
These are the format guidelines for such a CSV file (GOsa² is quite intolerant about them):

• Use ”,” as field separator

• Do not use quotes

• The CSV file must not contain a header line (of the sort that normally contains the column names)
• The order of the fields is not relevant, and can be defined in GOsa² during the mass import

The mass import steps are:

1. click the ”LDAP Manager” link in the navigation menu on the left
2. click the ”Import” tab in the screen on the right

3. browse your local disk and select a CSV file with the list of users to be imported
4. choose an available user template that should be applied during mass import (such as NewTeacher or NewStudent)
5. click the ”Import” button in the bottom-right corner
Debian Edu / Skolelinux Buster 10+edu0 Manual 54 / 102

It’s a good idea to do some tests first, preferably using a CSV file with a few fictional users, which can be deleted later.
Same applies to the password management module, which allows to reset a lot of passwords using a CSV file or to re-generate
new passwords for users belonging to a special LDAP subtree.

7.4 Group Management with GOsa²

Debian Edu / Skolelinux Buster 10+edu0 Manual 55 / 102

The management of groups is very similar to the management of users.

You can enter a name and a description per group. Make sure that you choose the right level in the LDAP tree when
creating a new group.
By default, the appropriate Samba group isn’t created. If you forgot to check the Samba group option during group creation,
you can modify the group later on.
Adding users to a newly created group takes you back to the user list, where you most probably would like to use the filter
box to find users. Check the LDAP tree level, too.
The groups entered in the group management are also regular unix groups, so you can use them for file permissions too.

7.4.1 Group Management on the command line

# List existing group mapping between UNIX and Windows groups .

net groupmap list

# Add your new or otherwise missing groups :

net groupmap add unixgroup = NEW_GROUP type= domain ntgroup =” NEW_GROUP ”\
comment =” DESCRIPTION OF NEW GROUP”

7.5 Machine Management with GOsa²

Machine management basically allows you to manage all networked devices in your Debian Edu network. Every machine
added to the LDAP directory using GOsa² has a hostname, an IP address, a MAC address and a domain name (which is
usually ”intern”). For a fuller description of the Debian Edu architecture see the architecture chapter of this manual.
Diskless workstations and thin-clients work out-of-the-box when connected to the main network. Only workstations with
disks have to be added with GOsa², but all can.
To add a machine, use the GOsa² main menu, systems, add. You can use an IP address/hostname from the preconfigured
address space 10.0.0.0/8. Currently there are only two predefined fixed addresses: 10.0.2.2 (tjener) and 10.0.0.1 (gateway).
The addresses from 10.0.16.20 to 10.0.31.254 (roughly 10.0.16.0/20 or 4000 hosts) are reserved for DHCP and are assigned
dynamically.
Debian Edu / Skolelinux Buster 10+edu0 Manual 56 / 102

To assign a host with the MAC address 52:54:00:12:34:10 a static IP address in GOsa² you have to enter the MAC address,
the hostname and the IP; alternatively you might click the Propose ip button which will show the first free fixed address
in 10.0.0.0/8, most probably something like 10.0.0.2 if you add the first machine this way. It may be better to first think
about your network: for example you could use 10.0.0.x with x>10 and x<50 for servers, and x>100 for workstations. Don’t
forget to activate the just added system. With the exception of the main server all systems will then have a matching icon.
If the machines have booted as thin clients/diskless workstations or have been installed using any of the networked profiles, the
sitesummary2ldapdhcp script can be used to automatically add machines to GOsa². For simple machines it will work out
of the box, for machines with more than one mac address the actually used one has to be chosen, sitesummary2ldapdhcp
-h shows usage information. Please note, that the IP addresses shown after usage of sitesummary2ldapdhcp belong to
the dynamic IP range. These systems can then be modified to suit your network: rename each new system, activate DHCP
and DNS, add it to netgroups (see screenshot below for recommended netgroups), reboot the system afterwards. The
following screenshots show how this looks in practice:
root@tjener :~# sitesummary2ldapdhcp -a -i ether -22:11:33:44:55: ff
info: Create GOsa machine for am -2211334455 ff. intern [10.0.16.21] id ether -22:11:33:44:55: ←-
ff.

Enter password if you want to activate these changes , and ^c to abort .

Connecting to LDAP as cn=admin ,ou=ldap -access ,dc=skole ,dc=skolelinux ,dc=no

enter password : ********
root@tjener :~#
Debian Edu / Skolelinux Buster 10+edu0 Manual 57 / 102
Debian Edu / Skolelinux Buster 10+edu0 Manual 58 / 102

A cronjob updating DNS runs every hour; su -c ldap2bind can be used to trigger the update manually.

7.5.1 Search and delete machines

Searching for and deleting machines is quite similar to searching for and deleting users, so that information is not repeated
here.

7.5.2 Modify existing machines / Netgroup management

After adding a machine to the LDAP tree using GOsa², you can modify its properties using the search functionality and
clicking on the machine name (as you would with users).
The format of these system entries is similar to the one you already know from modifying user entries, but the fields mean
different things in this context.
For example, adding a machine to a NetGroup does not modify the file access or command execution permissions for that
machine or the users logged in to that machine; instead it restricts the services that machine can use on your main-server.
The default installation provides the NetGroups

• cups-queue-autoflush-hosts
• cups-queue-autoreenable-hosts
• fsautoresize-hosts

• ltsp-server-hosts
• netblock-hosts
Debian Edu / Skolelinux Buster 10+edu0 Manual 59 / 102

• printer-hosts
• server-hosts
• shutdown-at-night-hosts
• shutdown-at-night-wakeup-hosts-blacklist

• winstation-hosts
• workstation-hosts

Currently the NetGroup functionality is used for

• NFS.

– The home directories are exported by the main-server to be mounted by the workstations and the LTSP servers. For
security reasons, only hosts within the workstation-hosts, ltsp-server-hosts and server-hosts NetGroups can mount
the exported NFS shares. So it is rather important to remember to configure these kinds of machines properly in the
LDAP tree using GOsa² and to configure them to use static IP addresses from LDAP.
Remember to configure workstations and LTSP servers properly with GOsa², or your users won’t be able to access
their home directories. Diskless workstations and thin clients don’t use NFS, so they don’t need to be configured.

• fs-autoresize

– Debian Edu machines in this group will automatically resize LVM partitions that run out of space.

• shutdown at night

– Debian Edu machines in this group will automatically shut down at night to save energy.

• CUPS (cups-queue-autoflush-hosts and cups-queue-autoreenable-hosts)

– Debian Edu machines in these groups will automatically flush all print queues every night, and re-enable any disabled
print queue every hour.

• netblock-hosts

– Debian Edu machines in this group will be allowed to connect to machines only on the local network. Combined with
web proxy restrictions this might be used during exams.

Another important part of machine configuration is the ’Samba host’ flag (in the ’Host information’ area). If you plan to
add existing Windows systems to the Skolelinux Samba domain, you need to add the Windows host to the LDAP tree and
set this flag to be able to join the Windows host to the domain. For more information about adding Windows hosts to the
Skolelinux network see the HowTo/NetworkClients chapter of this manual.

8 Printer Management

For Printer Management point your web browser to https://www:631. This is the normal CUPS management interface
where you can add/delete/modify your printers and can clean up the printing queue. By default only root is allowed but
this can be changed: Open /etc/cups/cups-files.conf with an editor and add one or more valid group names matching your
site policy to the line containing SystemGroup lpadmin. Existing GOsa² groups that might be used are gosa-admins and
printer-admins (both with the first user as member), teachers and jradmins (no members after installation).
Debian Edu / Skolelinux Buster 10+edu0 Manual 60 / 102

8.1 Use printers attached to workstations

The package p910nd is installed by default on a system with the Workstation profile.

• Edit /etc/default/p910nd like this (USB printer):

– P910ND_OPTS=”-f /dev/usb/lp0”
– P910ND_START=1

• Configure the printer using the web interface https://www.intern:631; choose network printer type AppSocket/HP
JetDirect (for all printers regardless of brand or model) and set socket://<workstation ip>:9100 as connection
URI.

9 Clock synchronisation

The default configuration in Debian Edu is to keep the clocks on all machines synchronous but not necessarily correct. NTP
is used to update the time. The clocks will be synchronised with an external source by default. This can cause machines to
keep the external Internet connection open if it is created when used.

If you use dialup or ISDN and pay per minute, you want to change this default setting.
To disable synchronisation with an external clock, the file /etc/ntp.conf on the main-server and all clients and LTSP chroots
need to be modified. Add comment (”#”) marks in front of the server entries. After this, the NTP server needs to be
restarted by running /etc/init.d/ntp restart as root. To test if a machine is using the external clock sources, run
ntpq -c lpeer.

10 Extending full partitions

Because of a possible bug with automatic partitioning, some partitions might be too full after installation. To extend these
partitions, run debian-edu-fsautoresize -n as root. See the ”Resizing Partitions” HowTo in the administration HowTo
chapter for more information.

11 Maintenance

11.1 Updating the software

This section explains how to use apt-get upgrade.

Using apt-get is really simply. To update a system you need to execute two commands on the command line as root:
apt-get update (which updates the lists of available packages) and apt-get upgrade (which upgrades the packages for
which an upgrade is available).
It is also a good idea to upgrade using the C locale to get English output which in cases of problems is more likely to
produce results in search engines.
LC_ALL =C apt -get update ; LC_ALL =C ltsp - chroot apt -get update
LC_ALL =C apt -get upgrade -y
LC_ALL =C ltsp - chroot -m apt -get upgrade -y
cf -agent -D installation # On upgrades of debian -edu - config
ltsp - chroot -m cf -agent -D installation # On upgrades of debian -edu - config
ltsp -update - kernels # If a new kernel was installed
ltsp -update - image
Debian Edu / Skolelinux Buster 10+edu0 Manual 61 / 102

After upgrading the debian-edu-config package, changed Cfengine configuration files might be available. Run ls
-ltr /etc/cfengine3/debian-edu/ to check if this is the case. To apply the changes, run cf-agent -D installation.

It is important to run ltsp-update-kernels if a new kernel was installed in the LTSP chroot, to keep the kernel and
kernel modules in sync. The kernel is handed out via TFTP when the machine does PXE boot, and the kernel modules are
fetched from the LTSP chroot.
Run ltsp-update-image to re-generate the NBD image(s).
It is also a good idea to install cron-apt and apt-listchanges and configure them to send mail to an address you are
reading.
cron-apt will notify you once a day via email about any packages that can be upgraded. It does not install these upgrades,
but does download them (usually in the night), so you don’t have to wait for the download when you do apt-get upgrade.
Automatic installation of updates can be done easily if desired, it just needs the unattended-upgrades package to be
installed and configured as described on wiki.debian.org/UnattendedUpgrades.
apt-listchanges can send new changelog entries to you via email, or alternatively display them in the terminal when
running apt or apt-get.

11.1.1 Keep yourself informed about security updates

Running cron-apt as described above is a good way to learn when security updates are available for installed packages.
Another way to stay informed about security updates is to subscribe to the Debian security-announce mailinglist, which has
the benefit of also telling you what the security update is about. The downside (compared to cron-apt) is that it also
includes information about updates for packages which aren’t installed.

11.2 Backup Management

For backup management point your browser to https://www/slbackup-php. Please note that you need to access this
site via SSL, since you have to enter the root password there. If you try to access this site without using SSL it will fail.

Note: the site will only work if you temporarily allow ssh root login on the backup server (main server ’tjener’ by default).
By default tjener will back up /skole/tjener/home0, /etc/, /root/.svk and LDAP to /skole/backup which is under
the LVM. If you only want to have spare copies of things (in case you delete them) this setup should be fine for you.

Be aware that this backup scheme doesn’t protect you from failing hard drives.
If you want to back up your data to an external server, a tape device or another hard drive you’ll have to modify the existing
configuration a bit.
If you want to restore a complete folder, your best option is to use the command-line:
$ sudo rdiff - backup -r <date > \
/skole/ backup / tjener /skole / tjener /home0/user \
/skole/ tjener / home0 /user_ <date >

This will leave the content from /skole/tjener/home0/user for <date> in the folder /skole/tjener/home0/user_<date>
If you want to restore a single file, then you should be able to select the file (and the version) from the web interface, and
download only that file.
If you want to get rid of older backups, choose ”Maintenance” in the menu on the backup page and select the oldest
snapshot to keep:
Debian Edu / Skolelinux Buster 10+edu0 Manual 62 / 102

11.3 Server Monitoring

11.3.1 Munin

The Munin trend reporting system is available from https://www/munin/. It provides system status measurement graphs
on a daily, weekly, monthly and yearly basis, and provides the system administrator with help when looking for bottlenecks
and the source of system problems.
The list of machines being monitored using Munin is generated automatically, based on the list of hosts reporting to
sitesummary. All hosts with the package munin-node installed are registered for Munin monitoring. It will normally take
one day from a machine being installed until Munin monitoring starts, because of the order the cron jobs are executed.
To speed up the process, run sitesummary-update-munin as root on the sitesummary server (normally the main server).
This will update the /etc/munin/munin.conf file.
The set of measurements being collected is automatically generated on each machine using the munin-node-configure pro-
gram which probes the plugins available from /usr/share/munin/plugins/ and symlinks the relevant ones to /etc/munin/plugin
Information about Munin is available from http://munin-monitoring.org/.

11.3.2 Icinga

Icinga system and service monitoring is available from https://www/icinga/. The set of machines and services being
monitored is automatically generated using information collected by the sitesummary system. The machines with the profile
Main-server and LTSP-server receive full monitoring, while workstations and thin clients receive simple monitoring. To
enable full monitoring on a workstation, install the nagios-nrpe-server package on the workstation.
The username is icingaadmin and the default password is skolelinux. For security reasons, avoid using the same password
as root. To change the password you can run the following command as root:
htpasswd /etc/ icinga / htpasswd . users icingaadmin

By default Icinga does not send email. This can be changed by replacing notify-by-nothing with host-notify-by-email
and notify-by-email in the file /etc/icinga/sitesummary-template-contacts.cfg.
The Icinga configuration file used is /etc/icinga/sitesummary.cfg. The sitesummary cron job generates /var/lib/sitesummar
with the list of hosts and services to monitor.
Extra Icinga checks can be put in the file /var/lib/sitesummary/icinga-generated.cfg.post to get them included
in the generated file.
Information about Icinga is available from https://www.icinga.com/ or in the icinga-doc package.

11.3.2.1 Common Icinga warnings and how to handle them

Here are instructions on how to handle the most common Icinga warnings.
Debian Edu / Skolelinux Buster 10+edu0 Manual 63 / 102

11.3.2.1.1 DISK CRITICAL - free space: /usr 309 MB (5% inode=47%):

The partition (/usr/ in the example) is too full. There are in general two ways to handle this: (1) remove some files or (2)
increase the size of the partition. If the partition is /var/, purging the APT cache by calling apt-get clean might remove
some files. If there is more room available in the LVM volume group, running the program debian-edu-fsautoresize to
extend the partitions might help. To run this program automatically every hour, the host in question can be added to the
fsautoresize-hosts netgroup.

11.3.2.1.2 APT CRITICAL: 13 packages available for upgrade (13 critical updates).

New package are available for upgrades. The critical ones are normally security fixes. To upgrade, run ’apt-get upgrade &&
apt-get dist-upgrade’ as root in a terminal or log in via ssh to do the same. On LTSP servers, remember to also update the
LTSP chroot using ltsp-chroot apt-get update && ltsp-chroot apt-get upgrade.
If you do not want to manually upgrade packages and trust Debian to do a good job with new versions, you can configure
unattended-upgrades to automatically upgrade all new packages every night. This will not upgrade the LTSP chroots.
To upgrade the LTSP chroot, one can use ltsp-chroot apt-get update && ltsp-chroot apt-get upgrade. On
64-bit servers, one will have to add -a i386 as an argument to ltsp-chroot. It is a good idea to update the chroot when
updating the host system.

11.3.2.1.3 WARNING - Reboot required : running kernel = 2.6.32-37.81.0, installed kernel = 2.6.32-38.83.0

The running kernel is older than the newest installed kernel, and a reboot is required to activate the newest installed kernel.
This is normally fairly urgent, as new kernels normally show up in Debian Edu to fix security issues.

11.3.2.1.4 WARNING: CUPS queue size - 61

The printer queues in CUPS have a lot of jobs pending. This is most likely because of a unavailable printer. Disabled print
queues are enabled every hour on hosts that are member of the cups-queue-autoreenable-hosts netgroup, so for such
hosts no manual action should be required. The print queues are emptied every night on hosts that are member of the
cups-queue-autoflush-hosts netgroup. If a host have a lot of jobs in their queue, consider adding this host to one or
both of these netgroups.

11.3.3 Sitesummary

Sitesummary is used to collect information from each computer and submit it to the central server. The information collected
is available in /var/lib/sitesummary/entries/. Scripts in /usr/lib/sitesummary/ are available to generate reports.
A simple report from sitesummary without any details is available from https://www/sitesummary/.
Some documentation on sitesummary is available from http://wiki.debian.org/DebianEdu/HowTo/SiteSummary

11.4 More information about Debian Edu customisations

More information about Debian Edu customisations useful for system administrators can be found in the Administration
Howto chapter and in the Advanced administration Howto chapter

12 Upgrades

Before reading this upgrade guide, please note that live updates to your production servers are carried out at your own
risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable
law.
Please read this chapter and the New features in Buster chapter of this manual completely before attempting to upgrade.
Debian Edu / Skolelinux Buster 10+edu0 Manual 64 / 102

12.1 General notes on upgrading

Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunately not yet
true as we modify configuration files in ways we shouldn’t. (See Debian bug 311188 for more information.) Upgrading is
still possible but may require some work.
In general, upgrading the servers is more difficult than the workstations and the main-server is the most difficult to upgrade.
The diskless machines are easy, as their chroot environment can be deleted and recreated, if you haven’t modified it. If you
have, the chroot is basically a workstation chroot anyway, so rather easy to upgrade.
If you want to be sure that after the upgrade everything works as before, you should test the upgrade on a test system
or systems configured the same way as your production machines. There you can test the upgrade without risk and see if
everything works as it should.
Make sure to also read the information about the current Debian Stable release in its installation manual.
It may also be wise to wait a bit and keep running Oldstable for a few weeks longer, so that others can test the upgrade
and document any problems they experience. The Oldstable release of Debian Edu will receive continued support for some
time after the next Stable release, but when Debian ceases support for Oldstable, Debian Edu will necessarily do the same.

12.2 Upgrades from Debian Edu Stretch

Be prepared: make sure you have tested the upgrade from Stretch in a test environment or have backups ready to be
able to go back.
Please note that the following recipe applies to a default Debian Edu main server installation (desktop=xfce, profiles
Main Server, Workstation, LTSP Server). (For a general overview concerning stretch to buster upgrade, see: https:
//www.debian.org/releases/buster/releasenotes)
Don’t use X, use a virtual console, log in as root.
If apt finishes with an error, try to fix it and/or run apt -f install and then apt -y full-upgrade once again.

12.2.1 Upgrading the main server

• Start by making sure the current system is up-to-date:

apt update
apt full - upgrade

• Cleanup the package cache:

apt clean

• Make sure you have enough disk space. On both /usr and /var about 5 GiB free space will be needed temporarily. See
the related manual chapter for more information.
• Prepare and start the upgrade to Buster:

sed -i ’s/ stretch / buster /g’ /etc/apt/ sources .list

export LC_ALL =C # optional (to get English output )
apt update
apt purge atftpd # needed because tftpd will be installed
apt install libcurl4 # needed to replace libcurl3
apt install apache2 # needed first to avoid additional work later on
apt full - upgrade
Debian Edu / Skolelinux Buster 10+edu0 Manual 65 / 102

• apt-list-changes: be prepared for a lot of NEWS to read; press <return> to scroll down, <q> to leave the pager. All
information will be mailed to root so that you can read it again (using mailx or mutt).
• Read all debconf information carefully, choose ’keep your currently-installed version’ unless stated differently below; in
most cases hitting return will be fine.

– restart services: Choose yes.

– ntp: Choose N.
– smb
– dovecot
– grub

• Apply and adjust configuration:

cf -agent -I -D installation

• Get the new Debian Edu Buster artwork:

apt install debian -edu -artwork - buster

• Enable PHP 7.3 support:

apt purge php7 .0*

a2enmod php7 .3
a2enconf php7 .3- cgi
service apache2 restart

• Adjust GOsa² access (changed encryption method):

– backup /etc/gosa/gosa.conf.orig
– replace the long (hashed) password in /etc/gosa/gosa.conf with the short (random) password from /etc/gosa/-
gosa.conf.orig (for both adminPassword and snapshotAdminPassword)
– remove /etc/gosa/gosa.secrets
– run gosa-encrypt-passwords
– run service apache2 reload

• After reboot, do some more cleanup:

apt purge linux -image -4.9.0 -*

apt purge linux -headers -4.9.0 -*
apt --purge autoremove

• Check if the upgraded system works:

Reboot; log in as first user and test

• if the GOsa² gui is working,

• if one is able to connect LTSP clients and workstations,
• if one can add/remove a netgroup membership of a system,
• if one can send and receive internal email,
• if one can manage printers,
• and if other site specific things are working.
Debian Edu / Skolelinux Buster 10+edu0 Manual 66 / 102

12.2.2 Upgrading a workstation

Do all the basic things like on the main-server and without doing the things not needed.

12.2.3 Upgrading LTSP chroots

Make sure you have enough disk space. LTSP uses Network Block Device (NBD). The NBD image file size is about 4 GiB
(default installation). If the image is updated, another 4 GiB for a temporary file are needed.
Also please note that the default LTSP architecture was i386 for Stretch. See below how to create a chroot for 64-bit-PCs
(amd64).
ltsp - chroot -m -a i386 apt update
ltsp - chroot -m -a i386 apt -y full - upgrade
sed -i ’s/ stretch / buster /g’ /opt/ltsp/i386/etc/apt/ sources .list
ltsp - chroot -m -a i386 apt update
ltsp - chroot -m -a i386 apt -y full - upgrade
ltsp - chroot -m -a i386 apt -f install
ltsp - chroot -m -a i386 apt -y full - upgrade

• Cleaning up:

ltsp - chroot -m -a i386 apt --purge autoremove

• Update LTSP support on the server side:

ltsp -update - kernels

ltsp -update - sshkeys
ltsp -update - image

To save disk space, ltsp-update-image -n could be used instead; see man ltsp-update-image.

12.2.4 Recreating an LTSP chroot

On the LTSP server(s) the LTSP chroot could also be recreated. The new chroot will still support both thin-clients and
diskless workstations. Please note: As of Buster, the LTSP chroot arch defaults to the one used for the server side.
Remove /opt/ltsp/i386 (or /opt/ltsp/amd64, depending on your setup). If you have enough diskspace, consider backing
it up.
See ltsp-build-client --help and ltsp-build-client --extra-help for more information about options. The file
/etc/ltsp/ltsp-build-client.conf contains some useful (commented) options.
Recreate the chroot by running ltsp-build-client as root.

12.2.5 Add additional LTSP chroot to support 64-bit-PC clients

At least 20 GiB additional disk space on /opt is required.

• Run ”ltsp-build-client --arch amd64” to create chroot and NBD image.

• Use ”ldapvi -ZD ’(cn=admin)’” to replace i386 with amd64 (dhcp statements in LDAP for one dedicated network).
• Run ”service isc-dhcp-server restart”.
• Edit /etc/debian-edu/pxeinstall.conf (set ltsparch=amd64).
• Run ’debian-edu-pxeinstall’ to regenerate the PXE menu.
• Run ’service nbd-service restart’ to serve the new NBD file.
Debian Edu / Skolelinux Buster 10+edu0 Manual 67 / 102

12.3 Upgrades from older Debian Edu / Skolelinux installations (before Stretch)

To upgrade from any older release, you will need to upgrade to the Stretch based Debian Edu release first, before you can
follow the instructions provided above. Instructions are given in the Manual for Debian Edu Stretch about how to upgrade
to Stretch from the previous release, Jessie. Likewise the Jessie manual describes how to upgrade from Wheezy.

13 HowTo

• HowTos for general administration

• HowTos for advanced administration

• HowTos for the desktop
• HowTos for networked clients
• HowTos for Samba

• HowTos for teaching and learning

• HowTos for users

14 HowTos for general administration

The Getting Started and Maintenance chapters describe how to get started with Debian Edu and how to do the basic
maintenance work. The howtos in this chapter have some more ”advanced” tips and tricks.

14.1 Configuration history: tracking /etc/ using the git version control system

With the introduction of etckeeper in Debian Edu Squeeze (previous versions used etcinsvk which was removed from
Debian), all files in /etc/ are tracked using git as a version control system.
This makes it possible to see when a file is added, changed and removed, as well as what was changed if the file is a text
file. The git repository is stored in /etc/.git/.
Every hour, any changes are automatically recorded, allowing configuration history to be extracted and reviewed.
To look at the history, the command etckeeper vcs log is used. To check the differences between two points in time, a
command like etckeeper vcs diff can be used.
See the output of man etckeeper for more information.
List of useful commands:
etckeeper vcs log
etckeeper vcs status
etckeeper vcs diff
etckeeper vcs add .
etckeeper vcs commit -a
man etckeeper
Debian Edu / Skolelinux Buster 10+edu0 Manual 68 / 102

14.1.1 Usage examples

On a freshly installed system, try this to see all changes done since the system was installed:
etckeeper vcs log

See which files are currently not tracked and which are not up-to-date:
etckeeper vcs status

To manually commit a file, because you don’t want to wait up to an hour:

etckeeper vcs commit -a /etc/ resolv .conf

14.2 Resizing Partitions

In Debian Edu, all partitions other than the /boot/ partition are on logical LVM volumes. With Linux kernels since version
2.6.10, it is possible to extend partitions while they are mounted. Shrinking partitions still needs to happen while the
partition is unmounted.
It is a good idea to avoid creating very large partitions (over, say, 20GiB), because of the time it takes to run fsck on them
or to restore them from backup if the need arises. It is better, if possible, to create several smaller partitions than one very
large one.
The helper script debian-edu-fsautoresize is provided to make it easier to extend full partitions. When invoked, it
reads the configuration from /usr/share/debian-edu-config/fsautoresizetab, /site/etc/fsautoresizetab and
/etc/fsautoresizetab. It then proposes to extend partitions with too little free space, according to the rules provided in
these files. If run with no arguments, it will only show the commands needed to extend the file system. The argument -n
is needed to actually execute these commands to extend the file systems.
The script is executed automatically every hour on every client listed in the fsautoresize-hosts netgroup.
When the partition used by the Squid proxy is resized, the value for cache size in etc/squid/squid.conf needs to be
updated as well. The helper script /usr/share/debian-edu-config/tools/squid-update-cachedir is provided to do
this automatically, checking the current partition size of /var/spool/squid/ and configuring Squid to use 80% of this as
its cache size.

14.2.1 Logical Volume Management

Logical Volume Management (LVM) enables resizing the partitions while they are mounted and in use. You can learn more
about LVM from the LVM HowTo.
To extend a logical volume manually you simply tell the lvextend command how large you want it to grow to. For example,
to extend home0 to 30GiB you use the following commands:
lvextend -L30G /dev/ vg_system / skole+ tjener +home0
resize2fs /dev/ vg_system /skole + tjener +home0

To extend home0 by additional 30GiB, you insert a ’+’ (-L+30G)

14.3 Installing a graphical environment on the main-server to use GOsa²

If you (probably accidentally) installed a pure main-server profile and don’t have a client with a web-browser handy, it’s
easy to install a minimal desktop on the main server using this command sequence in a (non-graphical) shell as the user
you created during the main server’s installation (first user):
$ sudo apt update
$ sudo apt install education -desktop -xfce lightdm
### after installation , run ’sudo service lightdm start ’
### login as first user
Debian Edu / Skolelinux Buster 10+edu0 Manual 69 / 102

14.4 Using ldapvi

ldapvi is a tool to edit the LDAP database with a normal text editor on the commandline.
The following needs to be executed:
ldapvi --ldap -conf -ZD ’(cn= admin)’

Note: ldapvi will use whatever is the default editor. By executing export EDITOR=vim in the shell prompt one can
configure the environment to get a vi clone as editor.
To add an LDAP object using ldapvi, use object sequence number with the string add in front of the new LDAP object.

Warning: ldapvi is a very powerful tool. Be careful and don’t mess up the LDAP database, same warning applies for
JXplorer.

14.5 Kerberized NFS

Using Kerberos for NFS to mount home directories is a security feature. The levels krb5, krb5i and krb5p are supported
(krb5 means Kerberos authentication, i stands for integrity check and p for privacy, i.e. encryption); the load on both server
and workstation increases with the security level, krb5i might be a good choice.
For new systems added with GOsa², Kerberos host keytab files are generated automatically.
To create one for a system already configured with GOsa², log in on the main server as root and run
/usr/ share /debian -edu - config /tools/gosa -modify -host <hostname > <IP >

Please note: host keytab creation is possible for systems of type workstations, servers and terminals but not for those
of type netdevices. Also, LTSP clients are using sshfs to mount home directories, so there’s nothing to do for diskless
workstations.

14.5.1 How to enable it

Main server

• login as root
• run ldapvi -ZD ’(cn=admin)’, search for sec=sys and replace it with sec=krb5i

• edit /etc/exports: uncomment/adjust/comment existing entries for /srv/*; make sure they look like this:

/srv/nfs4 gss/krb5i(rw ,sync ,fsid =0, crossmnt , no_subtree_check )

/srv/nfs4/home0 gss/krb5i(rw ,sync , no_subtree_check )

• run exportfs -r

• run exportfs to control if gss/krb5i is active for both entries.

Workstation

• login as root.
• run /usr/share/debian-edu-config/tools/copy-host-keytab
Debian Edu / Skolelinux Buster 10+edu0 Manual 70 / 102

14.6 Standardskriver

This tool allows to set the default printer depending on location, machine, or group membership. For more information, see
/usr/share/doc/standardskriver/README.md.
The configuration file /etc/standardskriver.cfg has to be provided by the admin, see /usr/share/doc/standardskriver/exa
as an example.

14.7 JXplorer, an LDAP GUI

If you prefer a GUI to work with the LDAP database, check out the jxplorer package, which is installed by default. To
get write access connect like this:
host: ldap. intern
port: 636
Security level : ssl + user + password
User dn: cn=admin ,ou=ldap -access ,dc=skole ,dc= skolelinux ,dc=no

14.8 ldap-createuser-krb, a command-line tool

ldap-createuser-krb is a small command line tool to create LDAP users and set their passwords in Kerberos. It’s mostly
useful for testing, though.

14.9 Using stable-updates

Since the Squeeze release in 2011, Debian has included packages formerly maintained in volatile.debian.org in the stable-
updates suite.
While you can use stable-updates directly, you don’t have to: stable-updates are pushed into the stable suite regularly when
stable point releases are done, which roughly happens every two months.

14.10 Using backports to install newer software

You are running Debian Edu because you prefer the stability of Debian Edu. It runs great; there is just one problem:
sometimes software is a little bit more outdated than you like. This is where backports.debian.org steps in.
Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security
updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu.
We recommend you to pick out individual backports which fit your needs, and not to use all backports available
there.
Using backports is simple:
echo ”deb http :// deb. debian .org/ debian / buster - backports main” >> /etc/apt/ sources .list
apt -get update

After which one can install backported packages easily, the following command will install a backported version of tuxtype:
apt -get install -t buster - backports tuxtype

Backports are automatically updated (if available) just like other packages. Like the normal archive, backports has three
sections: main, contrib and non-free.
Debian Edu / Skolelinux Buster 10+edu0 Manual 71 / 102

14.11 Upgrading with a CD or similar image

If you want to upgrade from one version to another (for example from Buster 10.1+edu0 to 10.3+edu1) but you do not
have Internet connectivity, only physical media, follow these steps:
Insert the CD / DVD / Blu-ray disc / USB flash drive and use the apt-cdrom command:
apt -cdrom add

To quote the apt-cdrom(8) man page:

• apt-cdrom is used to add a new CD-ROM to APTs list of available sources. apt-cdrom takes care of determining the
structure of the disc as well as correcting for several possible mis-burns and verifying the index files.
• It is necessary to use apt-cdrom to add CDs to the APT system, it cannot be done by hand. Furthermore each disk in a
multi-CD set must be inserted and scanned separately to account for possible mis-burns.

Then run these two commands to upgrade the system:

apt -get update
apt -get upgrade

14.12 Automatic cleanup of leftover processes

killer is a perl script that gets rid of background jobs. Background jobs are defined as processes that belong to users who
are not currently logged into the machine. It’s run by cron job once an hour.

14.13 Automatic installation of security upgrades

unattended-upgrades is a Debian package which will install security (and other) upgrades automatically. If installed, the
package is preconfigured to install security upgrades. The logs are available in /var/log/unattended-upgrades/; also,
there are always /var/log/dpkg.log and /var/log/apt/.

14.14 Automatic shutdown of machines during the night

It is possible to save energy and money by automatically turning client machines off at night and back on in the morning.
The package will try to turn off the machine every hour on the hour from 16:00 in the afternoon, but will not turn it off if
it seems to have users. It will try to tell the BIOS to turn on the machine around 07:00 in the morning, and the main-server
will try to turn on machines from 06:30 by sending wake-on-lan packets. These times can be changed in the crontabs of
individual machines.
Some considerations should be kept in mind when setting this up:

• The clients should not be shut down when someone is using them. This is ensured by checking the output from who,
and as a special case, checking for the LDM ssh connection command to work with LTSP thin clients.
• To avoid blowing electrical fuses, it is a good idea to make sure all clients do not start at the same time.
• There are two different methods available to wake up clients. One uses a BIOS feature and requires a working and correct
hardware clock, as well as a motherboard and BIOS version supported by nvram-wakeup; the other requires clients to
have support for wake-on-lan, and the server to know about all the clients that need to be woken up.
Debian Edu / Skolelinux Buster 10+edu0 Manual 72 / 102

14.14.1 How to set up shutdown-at-night

On clients that should turn off at night, touch /etc/shutdown-at-night/shutdown-at-night, or add the hostname (that
is, the output from ’uname -n’ on the client) to the netgroup ”shutdown-at-night-hosts”. Adding hosts to the netgroup in
LDAP can be done using the GOsa² web tool. The clients might need to have wake-on-lan configured in the BIOS. It is also
important that the switches and routers used between the wake-on-lan server and the clients will pass the WOL packets to
the clients even if the clients are turned off. Some switches fail to pass on packets to clients that are missing in the ARP
table on the switch, and this blocks the WOL packets.
To enable wake-on-lan on the server, add the clients to /etc/shutdown-at-night/clients, with one line per client, IP ad-
dress first, followed by MAC address (ethernet address), separated by a space; or create a script /etc/shutdown-at-night/clients
to generate the list of clients on the fly.
Here is an example /etc/shutdown-at-night/clients-generator for use with sitesummary:
#!/ bin/sh
PATH =/ usr/sbin: $PATH
export PATH
sitesummary -nodes -w

An alternative if the netgroup is used to activate shutdown-at-night on clients is this script using the netgroup tool from
the ng-utils package:
#!/ bin/sh
PATH =/ usr/sbin: $PATH
export PATH
netgroup -h shutdown -at -night - hosts

14.15 Access Debian-Edu servers located behind a firewall

To access machines behind a firewall from the Internet, consider installing the package autossh. It can be used to set up
an SSH tunnel to a machine on the Internet that you have access to. From that machine, you can access the server behind
the firewall via the SSH tunnel.

14.16 Installing additional service machines for spreading the load from main-server

In the default installation, all services are running on the main-server, tjener. To simplify moving some to another machine,
there is a minimal installation profile available. Installing with this profile will lead to a machine, which is part of the Debian
Edu network, but which doesn’t have any services running (yet).
These are the required steps to setup a machine dedicated to some services:

• install the minimal profile using the debian-edu-expert boot-option

• install the packages for the service

• configure the service

• disable the service on main-server
• update DNS (via LDAP/GOsa²) on main-server

14.17 HowTos from wiki.debian.org

FIXME: The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let’s
move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those
pages to find them) if they are fine with moving the howto and putting it under the GPL.)
Debian Edu / Skolelinux Buster 10+edu0 Manual 73 / 102

• http://wiki.debian.org/DebianEdu/HowTo/AutoNetRespawn
• http://wiki.debian.org/DebianEdu/HowTo/BackupPC
• http://wiki.debian.org/DebianEdu/HowTo/ChangeIpSubnet
• http://wiki.debian.org/DebianEdu/HowTo/SiteSummary

• http://wiki.debian.org/DebianEdu/HowTo/Squid_LDAP_Authentication

15 Advanced administration howto

In this chapter advanced administration tasks are described.

15.1 User Customisations with GOsa²

15.1.1 Create Users in Year Groups

In this example we want to create users in year groups, with common home directories for each group (home0/2014,
home0/2015, etc). We want to create the users by csv import.
(as root on the main server)

• Make the necessary year group directories

mkdir /skole/tjener/home0/2014
(as first user in Gosa)

• Department

Main menu: goto ’Directory structure’, click the ’Students’ department. The ’Base’ field should show ’/Students’. From the
drop box ’Actions’ choose ’Create’/’Department’. Fill in values for Name (2014) and Description fields (students graduating
in 2014), leave the Base field as is (should be ’/Students’). Save it clicking ’Ok’. Now the new department (2014) should
show up below /Students. Click it.

• Group

Choose ’Groups’ from the main menu; ’Actions’/Create/Group. Enter group name (leave ’Base’ as is, should be /Stu-
dents/2014) and click the check box left of ’Samba group’. ’Ok’ to save it.

• Template

Choose ’users’ from the main menu. Change to ’Students’ in the Base field. An Entry NewStudent should show up, click
it. This is the ’students’ template, not a real user. As you’ll have to create such a template (to be able to use csv import
for your structure) based on this one, notice all entries showing up in the Generic, POSIX and Samba tabs, maybe take
screenshots to have information ready for the new template.
Now change to /Students/2014 in the Base field; choose Create/Template and start to fill in your desired values, first the
Generic tab (add your new 2014 group under Group Membership, too), then add POSIX and Samba account.

• Import users

Choose your new template when doing csv import; testing it with a few users is recommended.
Debian Edu / Skolelinux Buster 10+edu0 Manual 74 / 102

15.2 Other User Customisations

15.2.1 Creating folders in the home directories of all users

With this script the administrator can create a folder in each user’s home directory and set access permissions and ownership.
In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the
file to the folder ”assignments” where teachers are given write access to be able to make comments.
#!/ bin/bash
home_path =”/ skole/ tjener /home0”
shared_folder =” assignments ”
permissions =”2770”
created_dir =0
for home in $(ls $home_path ); do
if [ ! -d ” $home_path /$home/ $shared_folder ” ]; then
mkdir $home_path /$home / $shared_folder
chmod $permissions $home_path /$home/ $shared_folder
#set the right owner and group
#” username ” = ” group name” = ” folder name”
user= $home
group = teachers
chown $user : $group $home_path /$home/ $shared_folder
(( created_dir +=1))
else
echo -e ”the folder $home_path /$home / $shared_folder already exists .\n”
fi
done
echo ” $created_dir folders have been created ”

15.2.2 Easy access to USB drives and CD-ROMs/DVDs

When users insert a USB drive or a DVD / CD-ROM into a (diskless) workstation, a popup window appears asking what
to do with it, just like in any other normal installation.
When users insert a USB drive or a DVD / CD-ROM into a thin client there is only a notify-window showing up for a few
seconds. The media is automatically mounted and it is possible to access it browsing to the /media/$user folder. This is
quite difficult for many non experienced users.
It is possible to have the default KDE ”Plasma” file manager Dolphin showing up if KDE ”Plasma” (or LDXE, if installed in
parallel to KDE ”Plasma”) is in use as desktop environment. To configure this, simply execute /usr/share/debian-edu-config/l
enable on the terminal server. (When using GNOME, device icons will be placed on the desktop allowing easy access).
In addition the following script could be used to create the symlink ”media” for all users in their home folder for easy access
to USB drives, CD-ROM / DVD or whatever media is connected to the thin client. This might come in handy if users want
to edit files directly on their plugged in media.
#!/ bin/bash
home_path =”/ skole/ tjener /home0”
shared_folder =” media ”
permissions =”775”
created_dir =0;
for home in $(ls $home_path ); do
if [ ! -d ” $home_path /$home/ $shared_folder ” ]; then
ln -s /media /$home $home_path /$home/ $shared_folder
(( created_dir +=1))
else
echo -e ”the folder $home_path /$home / $shared_folder already exists .\n”
fi
done
echo ” $created_dir folders has been created ”
Debian Edu / Skolelinux Buster 10+edu0 Manual 75 / 102

15.2.2.1 A warning about removable media on LTSP servers

Warning: When inserted into an LTSP server USB drives and other removable media cause popup messages on remote
LTSP clients.
If remote users acknowledge the popup or use pmount from the console, they can even mount the removable devices and
access the files.

15.3 Use a dedicated storage server

Take these steps to set up a dedicated storage server for user home directories and possibly other data.

• Add a new system of type server using GOsa² as outlined in the Getting started chapter of this manual.

– This example uses ’nas-server.intern’ as the server name. Once ’nas-server.intern’ is configured, check if the NFS
export points on the new storage server are exported to the relevant subnets or machines:
root@tjener :~# showmount -e nas - server
Export list for nas - server :
/ storage 10.0.0.0/8
root@tjener :~#

Here everything on the backbone network is granted access to the /storage export. (This could be restricted to
netgroup membership or single IP addresses to limit NFS access like it is done in the tjener:/etc/exports file.)

• Add automount information about ’nas-server.intern’ in LDAP to allow all clients to automatically mount the new export
on request.

– This can’t be done using GOsa², because a module for automount is missing. Instead, use ldapvi and add the required
LDAP objects using an editor.
ldapvi --ldap-conf -ZD ’(cn=admin)’ -b ou=automount,dc=skole,dc=skolelinux,dc=no
When the editor shows up, add the following LDAP objects at the bottom of the document. (The ”/&” part in the
last LDAP object is a wild card matching everything ’nas-server.intern’ exports, removing the need to list individual
mount points in LDAP.)
add cn=nas -server ,ou=auto.skole ,ou=automount ,dc=skole ,dc= skolelinux ,dc=no
objectClass : automount
cn: nas - server
automountInformation : -fstype = autofs --timeout =60 ldap:ou=auto.nas -server ,ou= ←-
automount ,dc=skole ,dc= skolelinux ,dc=no

add ou=auto.nas -server ,ou=automount ,dc=skole ,dc= skolelinux ,dc=no

objectClass : top
objectClass : automountMap
ou: auto.nas - server

add cn=/,ou=auto.nas -server ,ou=automount ,dc=skole ,dc= skolelinux ,dc=no

objectClass : automount
cn: /
automountInformation : -fstype =nfs ,tcp ,rsize =32768 , wsize =32768 ,rw ,intr ,hard ,nodev , ←-
nosuid , noatime nas - server . intern :/&

• Add the relevant entries in tjener.intern:/etc/fstab, because tjener.intern does not use automount to avoid mounting
loops:

– Create the mount point directories using mkdir, edit ’/etc/fstab’ as adequate and run mount -a to mount the new
resources.
Debian Edu / Skolelinux Buster 10+edu0 Manual 76 / 102

• Enable access in case diskless workstations are used. This is a special case, because sshfs is used instead of NFS and
automount:

– Create the mount point directories in the LTSP diskless client’s root (default /opt/ltsp/i386/) as well.
Add a line containing ’LOCAL_APPS_EXTRAMOUNTS=/storage’ to /opt/ltsp/i386/etc/lts.conf (example).
Create a link in each user’s home dir like ’ln -s /storage Storage’ to help users find the resources.

Now users should be able to access the files on ’nas-server.intern’ directly by just visiting the ’/tjener/nas-server/storage/’
directory using any application on any workstation, LTSP thin client or LTSP server, and visiting ~/Storage in case an LTSP
diskless client is used.

15.4 Restrict ssh login access

There are several ways to restrict ssh login, some are listed here.

15.4.1 Setup without LTSP clients

If no LTSP clients are used a simple solution is to create a new group (say sshusers) and to add a line to the machine’s
/etc/ssh/sshd_config file. Only members of the sshusers group will then be allowed to ssh into the machine from
everywhere.
Managing this case with GOsa is quite simple:

• Create a group sshusers on the base level (where already other system management related groups like gosa-admins
show up).

• Add users to the new group sshusers.

• Add AllowGroups sshusers to /etc/ssh/sshd_config.
• Execute service ssh restart.

15.4.2 Setup with LTSP clients

The default LTSP client setup uses ssh connections to the LTSP server. So a different approach using PAM is needed.

• Enable pam_access.so in the LTSP server’s /etc/pam.d/sshd file.

• Configure /etc/security/access.conf to allow connections for (sample) users alice, jane, bob and john from everywhere
and for all other users only from the internal networks by adding these lines:

+ : alice jane bob john : ALL

+ : ALL : 10.0.0.0/8 192.168.0.0/24 192.168.1.0/24
- : ALL : ALL
#

If only dedicated LTSP servers are used, the 10.0.0.0/8 network could be dropped to disable internal ssh login access. Note:
someone connecting his box to the dedicated LTSP client network(s) will gain ssh access to the LTSP server(s) as well.

15.4.3 A note for more complex setups

If LTSP clients were attached to the backbone network 10.0.0.0/8 (combi server or LTSP cluster setup) things would be
even more complicated and maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together
with appropriate PAM configuration would allow to disable internal ssh login.
Debian Edu / Skolelinux Buster 10+edu0 Manual 77 / 102

16 HowTos for the desktop

16.1 Set up a multi-language desktop environment

To support multiple languages these commands need to be run:

• Run dpkg-reconfigure locales (as root) and choose the languages (UTF-8 variants).
• Run these commands as root to install the related packages:

apt update
/usr/ share /debian -edu - config /tools/install -task -pkgs
/usr/ share /debian -edu - config /tools/improve -desktop -l10n

Users will then be able to choose the language via the LightDM display manager before logging in; this applies to Xfce,
LXDE and LXQt. GNOME and KDE both come with their own internal region and language configuration tools, use these.
MATE uses the Arctica greeter on top of Lightdm whithout a language chooser. Run apt purge arctica-greeter to
get the stock Lightdm greeter.
If LTSP diskless clients are used the above steps need to be done inside the LTSP chroot as well. LDM supports all desktop
environments. First use Preferences to choose the language, then login.

16.2 Playing DVDs

libdvdcss is needed for playing most commercial DVDs. For legal reasons it’s not included in Debian (Edu). If you are
legally allowed to use it, you can build your own local packages using the libdvd-pkg Debian package; make sure contrib
is enabled in /etc/apt/sources.list.
apt update
apt install libdvd -pkg

Answer the debconf questions, then run dpkg-reconfigure libdvd-pkg.

16.3 Handwriting fonts

The package fonts-linex (which is installed by default) installs the font ”Abecedario” which is a nice handwriting font
for kids. The font has several forms to be used with kids: dotted, and with lines.

17 HowTos for networked clients

17.1 Introduction to thin clients and diskless workstations

Default for new Debian Edu Buster installations: LTSP clients are using the same architecture as the LTSP server, i.e.
64-bit-PC (aka amd64) or 32-bit-PC (aka i386).

Please keep in mind to use the correct architecture for all commands referred to below.
One generic term for both thin clients and diskless workstations is LTSP client. LTSP is the Linux Terminal Server Project.
Thin client
A thin client setup enables an ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This
means that this machine boots via PXE without using a local client hard drive.
Debian Edu / Skolelinux Buster 10+edu0 Manual 78 / 102

Diskless workstation
A diskless workstation runs all software locally. The client machines boot directly from the LTSP server without a local hard
drive. Software is administered and maintained on the LTSP server (inside of the LTSP chroot), but it runs on the diskless
workstation. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way
of reusing older (but powerful) hardware with the same low maintenance cost as with thin clients.
LTSP defines 320MB as the default minimum amount of RAM for diskless workstations. If the amount of RAM is less, the
machine will boot as thin client. The related LTSP parameter is FAT_RAM_THRESHOLD with the default value 300. So if
(for example) the clients should only boot as diskless workstations if they have 1 GB RAM, add FAT_RAM_THRESHOLD=1000
to lts.conf (or set this in LDAP). Unlike workstations diskless workstations run without any need to add them with GOsa²,
because LDM is used to login and connect to the LTSP server.
LTSP client firmware
LTSP client boot will fail if the client’s network interface requires a non-free firmware. A PXE installation can be used for
troubleshooting problems with netbooting a machine; if the Debian Installer complains about a missing XXX.bin file then
non-free firmware has to be added to the initrd used by LTSP clients.
In this case execute the following commands on an LTSP server.
# First get information about firmware packages
apt -get update && apt -cache search ^firmware -

# Decide which package has to be installed for the network interface (s).
# Most probably this will be firmware -linux - nonfree .
# Things have to take effect in the LTSP chroot for architecture amd64 .
ltsp - chroot -a amd64 apt -get update
ltsp - chroot -d -a amd64 apt -get -y -q install <package name >

# copy the new initrd to the server ’s tftpboot directory and update the NBD image.
ltsp -update - kernels
ltsp -update - image

As a shorter alternative -- installing all available firmware and updating the tftpboot directory -- you could execute:
/usr/ share /debian -edu - config /tools/ltsp - addfirmware

17.1.1 LTSP client type selection

Each LTSP server has two ethernet interfaces: one configured in the main 10.0.0.0/8 subnet (which is shared with the main
server), and another forming a local 192.168.0.0/24 subnet (a separate subnet for each LTSP server).
On the main subnet the complete PXE menu is provided; the separate subnet for each LTSP server allows only diskless and
thin LTSP client selection.
Using the default PXE menu on the main subnet 10.0.0.0/8, a machine could be started as diskless workstation or thin
client. By default clients in the separate subnet 192.168.0.0/24 will run as diskless workstations if the amount of RAM is
sufficient. If all clients in this LTSP client subnet should run as thin clients, the following has to be done.
(1) Open the file /opt/ltsp/amd64/etc/ltsp/update - kernels .conf with an editor
and replace the line
CMDLINE_LINUX_DEFAULT =” init =/ sbin/init -ltsp quiet”
with
CMDLINE_LINUX_DEFAULT =” init =/ sbin/init -ltsp LTSP_FATCLIENT =False quiet ”
(2) Execute ’ltsp - chroot -a amd64 /usr/share/ltsp/update -kernels ’
(3) Execute ’ltsp -update -kernels ’
(4) Execute ’ltsp -update -image ’
Debian Edu / Skolelinux Buster 10+edu0 Manual 79 / 102

17.2 Configuring the PXE menu

The PXE configuration is generated using the script debian-edu-pxeinstall. It allows some settings to be overridden
using the file /etc/debian-edu/pxeinstall.conf with replacement values.

17.2.1 Configuring the PXE installation

The PXE installation option is by default available to anyone able to PXE boot a machine. To password protect the PXE
installation options, a file /var/lib/tftpboot/menupassword.cfg can be created with content similar to this:
MENU PASSWD $4$NDk0OTUzNTQ1NTQ5$7d6KvAlVCJKRKcijtVSPfveuWPM$

The password hash should be replaced with an MD5 hash for the desired password.
The PXE installation will inherit the language, keyboard layout and mirror settings from the settings used when installing
the main-server, and the other questions will be asked during installation (profile, popcon participation, partitioning and
root password). To avoid these questions, the file /etc/debian-edu/www/debian-edu-install.dat can be modified
to provide preselected answers to debconf values. Some examples of available debconf values are already commented
in /etc/debian-edu/www/debian-edu-install.dat. Your changes will be lost as soon as debian-edu-pxeinstall is
used to recreate the PXE-installation environment. To append debconf values to /etc/debian-edu/www/debian-edu-install.da
during recreation with debian-edu-pxeinstall, add the file /etc/debian-edu/www/debian-edu-install.dat.local
with your additional debconf values.
More information about modifying PXE installations can be found in the Installation chapter.

17.2.2 Adding a custom repository for PXE installations

For adding a custom repository add something like this to /etc/debian-edu/www/debian-edu-install.dat.local:

#add the skole projects local repository
d-i apt - setup/ local1 / repository string http :// example .org/ debian stable main ←-
contrib non -free
d-i apt - setup/ local1 / comment string Example Software Repository
d-i apt - setup/ local1 / source boolean true
d-i apt - setup/ local1 /key string http :// example .org/key.asc

and then run /usr/sbin/debian-edu-pxeinstall once.

17.2.3 Changing the PXE menu on a combined (main and LTSP) server

The PXE menu allows network booting of LTSP clients, the installer and other alternatives. The file /var/lib/tftpboot/pxelinux
is used by default if no other file in that directory matches the client, and out of the box it is set to link to /var/lib/tftpboot/debia
If all clients should boot as diskless workstations instead of getting the full PXE menu, this can be implemented by changing
the symlink:
ln -s /var/lib/ tftpboot /debian -edu/default - diskless .cfg /var/lib/ tftpboot / pxelinux .cfg/ ←-
default

If all clients should boot as thin clients instead, change the symlink like this:
ln -s /var/lib/ tftpboot /debian -edu/default -thin.cfg /var/lib/ tftpboot / pxelinux .cfg/ default

See also the PXELINUX documentation at http://syslinux.zytor.com/wiki/index.php/PXELINUX .

Debian Edu / Skolelinux Buster 10+edu0 Manual 80 / 102

17.2.4 Separate main and LTSP server

For performance and security considerations it might be desired to set up a separate main server which doesn’t act as LTSP
server.
To have ltspserver00 serve diskless workstations on the main (10.0.0.0/8) network, when the main server is not a combined
server, follow these steps:

• copy the ltsp directory from /var/lib/tftpboot on ltspserver00 to the same directory on the main server.
• copy /var/lib/tftpboot/debian-edu/default-diskless.cfg to the same directory on the main server.
• edit /var/lib/tftpboot/debian-edu/default-diskless.cfg to use the IP address of ltspserver00; the following
example uses 10.0.2.10 for the IP address of ltspserver00 on the main network:

DEFAULT ltsp/amd64 / vmlinuz initrd =ltsp/amd64 / initrd .img nfsroot =10.0.2.10:/ opt/ltsp/ amd64 ←-
init =/ sbin/init -ltsp boot=nfs ro quiet ipappend 2

• set the symlink in /var/lib/tftpboot/pxelinux.cfg on the main server to point to /var/lib/tftpboot/debian-edu/defa

As an alternative, you could use ldapvi, search for ’next server tjener’ and replace tjener with ltspserver00.

17.2.5 Use a different LTSP client network

192.168.0.0/24 is the default LTSP client network if a machine is installed using the LTSP profile. If lots of LTSP clients are
used or if different LTSP servers should serve both i386 and amd64 chroot environments the second preconfigured network
192.168.1.0/24 could be used as well. Edit the file /etc/network/interfaces and adjust the eth1 settings accordingly.
Use ldapvi or any other LDAP editor to inspect DNS and DHCP configuration.

17.2.6 Add LTSP chroot to support 32-bit-PC clients

In case LTSP server and chroot are 64-bit-PC, it is still possible to support older 32-bit systems. At least 20 GiB additional
disk space on /opt would be required.

• Run ltsp-build-client --arch i386 to create chroot and NBD image.

• Use ldapvi -ZD ’(cn=admin)’ to replace amd64 with i386 (dhcp statements in LDAP for one dedicated network).
• Run service isc-dhcp-server restart.
• Run service nbd-server restart to serve the new NBD file.

17.3 Changing network settings

The debian-edu-config package comes with a tool which helps in changing the network from 10.0.0.0/8 to something else.
Have a look at /usr/share/debian-edu-config/tools/subnet-change. It is intended for use just after installation on
the main server, to update LDAP and other files that need to be edited to change the subnet.

Note that changing to one of the subnets already used elsewhere in Debian Edu will not work. 192.168.0.0/24 and
192.168.1.0/24 are already set up as LTSP client networks. Changing to these subnets will require manual editing of
configuration files to remove duplicate entries.
There is no easy way to change the DNS domain name. Changing it would require changes to both the LDAP structure
and several files in the main server file system. There is also no easy way to change the host and DNS name of the main
server (tjener.intern). To do so would also require changes to LDAP and files in the main-server and client file system. In
both cases the Kerberos setup would have to be changed, too.
Debian Edu / Skolelinux Buster 10+edu0 Manual 81 / 102

17.4 LTSP in detail

17.4.1 LTSP client configuration in LDAP (and lts.conf)

To configure specific LTSP clients with particular features, you can add settings in LDAP or edit the file /opt/ltsp/amd64/etc/lts.
Please note that ltsp-update-image has to be run after each change to lts.conf. The image update isn’t needed if lts.conf
is copied to the /var/lib/tftpboot/ltsp/amd64/ directory.

We recommend to configure clients in LDAP (and not edit lts.conf directly, however, configuration webforms for
LTSP are currently not available in GOsa², you have to use a plain LDAP browser/explorer or ldapvi), as this makes it
possible to add and/or replace LTSP servers without loosing (or having to redo) configuration.
The default values in LDAP are defined in the cn=ltspConfigDefault,ou=ltsp,dc=skole,dc=skolelinux,dc=no
LDAP object using the ltspConfig attribute. One can also add host specific entries in LDAP.
Run man lts.conf to have a look at available configuration options (see /usr/share/doc/ltsp/LTSPManual.html for
detailed information about LTSP).
The default values are defined under [default]; to configure one client, specify it in terms of its MAC address or IP address
like this: [192.168.0.10].
Example: To make the thin client ltsp010 use 1280x1024 resolution, add something like this:
[192.168.0.10]
X_MODE_0 = 1280 x1024
X_HORZSYNC = ”60 -70”
X_VERTREFRESH = ”59 -62”

somewhere below the default settings.

To force the use of a specific xserver on an LTSP client, set the XSERVER variable. For example:
[192.168.0.11]
XSERVER = nvidia

If a thin client comes up with a black screen the use of a specific color depth might help. For example:
[192.168.0.12]
X_COLOR_DEPTH =16

Depending on what changes you make, it may be necessary to restart the client.
To use IP addresses in lts.conf you need to add the client MAC address to your DHCP server. Otherwise you should use
the client MAC address directly in your lts.conf file.

17.4.2 Force all LTSP clients to use LXDE as default desktop environment

Make sure that LXDE is installed on the LTSP server; then add these lines below [default] in ”lts.conf”:
LDM_SESSION =LXDE
LDM_FORCE_SESSION =true

17.4.3 Desktop autoloader

This tool preloads the default Desktop environment (and programs of your choice). It is only useful for diskless clients. The
setup is site specific, also some technical skills are required.

• Read about it: run ltsp-chroot cat /usr/share/doc/desktop-autoloader/README.Debian

At least two files need to be edited. Available <editor> choices are: vi, nano, mcedit.
Debian Edu / Skolelinux Buster 10+edu0 Manual 82 / 102

• run ltsp-chroot <editor> /etc/cron.d/desktop-autoloader

• run ltsp-chroot <editor> /etc/default/desktop-autoloader

If the setup is complete, update the NBD image running ltsp-update-image and test it.

17.4.4 Load-balancing LTSP servers

17.4.4.1 Part 1

It is possible to set up the clients to connect to one of several LTSP servers for load-balancing. This is done by providing
/opt/ltsp/amd64/usr/share/ltsp/get_hosts as a script printing one or more servers for LDM to connect to. In
addition to this, each LTSP chroot needs to include the SSH host key for each of the servers.
First of all, you must choose one LTSP server to be the load-balancing server. All the clients will PXE-boot from this server
and load the Skolelinux image. After the image is loaded, LDM chooses which server to connect to by using the ”get_hosts”
script. You will decide later how this is done.
The load-balancing server must be announced to the clients as the ”next-server” via DHCP. As DHCP configuration is in
LDAP, modifications have to be done there. Use ldapvi --ldap-conf -ZD ’(cn=admin)’ to edit the appropriate entry
in LDAP. (Enter the main server’s root password at the prompt; if VISUAL isn’t set, the default editor will be nano.) Search
for a line reading dhcpStatements: next-server tjener Next-server should be the IP address or hostname of the server
you chose to be the load-balancing server. If you use hostname you must have a working DNS. Remember to restart the
DHCP service.
Now you have to move your clients from the 192.168.0.0 network to the 10.0.0.0 network; attach them to the backbone
network instead of the network attached to the LTSP server’s second network card. This is because when you use load-
balancing, the clients need direct access to the server chosen by LDM. If you leave your clients on the 192.168.0.0 network,
all of the clients’ traffic will go through that server before it reaches the chosen LDM server.

17.4.4.2 Part 2

Now you have to make a ”get_hosts” script which generates a list of server names for LDM to connect to. The parameter
LDM_SERVER overrides this script. In consequence, this parameter must not be defined if the get_hosts is going to be
used. The get_hosts script writes on the standard output each server IP address or host name, in random order.
Edit ”/opt/ltsp/amd64/etc/lts.conf” and add something like this:
MY_SERVER_LIST = ”xxxx xxxx xxxx”

Replace xxxx with either the IP addresses or hostnames of the servers as a space-separated list. Then, put the following
script in /opt/ltsp/amd64/usr/lib/ltsp/get_hosts on the server you chose to be the load-balancing server.
#!/ bin/bash
# Randomise the server list contained in MY_SERVER_LIST parameter
TMP_LIST =””
SHUFFLED_LIST =””
for i in $MY_SERVER_LIST ; do
rank= $RANDOM
let ”rank %= 100”
TMP_LIST =” $TMP_LIST \n${rank}_$i”
done
TMP_LIST =$(echo -e $TMP_LIST | sort)
for i in $TMP_LIST ; do
SHUFFLED_LIST =” $SHUFFLED_LIST $(echo $i | cut -d_ -f2)”
done
echo $SHUFFLED_LIST
Debian Edu / Skolelinux Buster 10+edu0 Manual 83 / 102

17.4.4.3 Part 3

Now that you’ve made the ”get_hosts” script, it’s time to make the SSH host key for the LTSP chroots. This can be done
by making a file containing the content of /opt/ltsp/amd64/etc/ssh/ssh_known_hosts from all the LTSP servers that
will be load-balanced. Save this file as /etc/ltsp/ssh_known_hosts.extra on all load-balanced servers. The last step is
very important because ltsp-update-sshkeys runs every time a server is booted, and /etc/ltsp/ssh_known_hosts.extra
is included if it exists.
If you save your new host file as /opt/ltsp/amd64/etc/ssh/ssh_known_hosts, it will be erased when you reboot
the server.
There are some obvious weaknesses with this setup. All clients get their image from the same server, which causes high
loads on the server if many clients are booted at the same time. Also, the clients require that server to be always available;
without it they cannot boot or get an LDM server. Therefore this setup is very dependent on one server, which isn’t very
good.
Your clients should now be load-balanced!

17.4.5 Sound with LTSP clients

LTSP thin clients use networked audio to pass audio from the server to the clients.
LTSP diskless workstations handle audio locally.

17.4.6 Use printers attached to LTSP clients

• Attach the printer to the LTSP client machine (both USB and parallel port are supported).
• Configure this machine to run a printer in lts.conf (default location: /opt/ltsp/amd64/etc/lts.conf), see the LTSP
manual /usr/share/doc/ltsp/LTSPManual.html#printer for details.
• Configure the printer using the web interface https://www:631 on the main server; choose network printer type
AppSocket/HP JetDirect (for all printers regardless of brand or model) and set socket://<LTSP client ip>:9100
as connection URI.

17.4.7 Use NFS instead of NBD

To speed up customizing and testing an LTSP chroot NFS could be used.

# Switch from NBD --> NFS:
sed -i ’s/ default ltsp -NBD/ default ltsp -NFS ’ /opt/ltsp/$(dpkg --print - architecture )/boot/ ←-
pxelinux .cfg/ltsp
sed -i ’s/ ontimeout ltsp -NBD/ ontimeout ltsp -NFS/’ /opt/ltsp/$(dpkg --print - architecture )/ ←-
boot/ pxelinux .cfg/ltsp
ltsp -update - kernels

# Switch from NFS --> NBD:

ltsp -update - image
sed -i ’s/ default ltsp -NFS/ default ltsp -NBD ’ /opt/ltsp/$(dpkg --print - architecture )/boot/ ←-
pxelinux .cfg/ltsp
sed -i ’s/ ontimeout ltsp -NFS/ ontimeout ltsp -NBD/’ /opt/ltsp/$(dpkg --print - architecture )/ ←-
boot/ pxelinux .cfg/ltsp
ltsp -update - kernels
Debian Edu / Skolelinux Buster 10+edu0 Manual 84 / 102

17.4.8 Upgrading the LTSP environment

It is useful to upgrade the LTSP environment with new packages fairly often, to make sure security fixes and improvements
are made available. To upgrade, run these commands as user root on each LTSP server:
ltsp - chroot -a amd64 # this does ” chroot /opt/ltsp/ amd64” and more , ie it also prevents ←-
daemons from being started
apt update
apt upgrade
apt full - upgrade
exit
ltsp -update - image

17.4.8.1 Installing additional software in the LTSP environment

To install additional software for an LTSP client you must perform the installation inside the chroot of the LTSP server.
ltsp - chroot -a amd64
## optionally , edit the sources .list:
# editor /etc/apt/ sources .list
apt update
apt install $new_package
exit
ltsp -update - image

17.4.9 Slow login and security

Skolelinux has added several security features on the client network preventing unauthorised superuser access, password sniff-
ing, and other tricks which may be used on a local network. One such security measure is secure login using SSH, which is the
default with LDM. This can slow down some client machines which are more than about fifteen years old, with as little as a 160
MHz processor and 32 MB RAM. Although it’s not recommended, you can add a line to /opt/ltsp/amd64/etc/lts.conf
containing:
LDM_DIRECTX =True

Warning: The above protects initial login, but all activities after that use unencrypted networked X. Passwords (except
the initial one) will travel in cleartext over the network, as well as anything else.
Note: Since such fifteen-year-old thin clients may also have trouble running newer versions of LibreOffice and Firefox due to
pixmap caching issues, you may consider running thin clients with at least 128 MB RAM, or upgrade the hardware, which
will also give you the benefit of being able to use them as diskless workstations.

17.5 Connecting Windows machines to the network / Windows integration

17.5.1 Joining a domain

For Windows clients the Windows domain ”SKOLELINUX” is available to be joined. A special service called Samba, installed
on the main server, enables Windows clients to store profiles and user data, and also authenticates the users during the
login.

Joining a domain with a Windows client requires the steps described in the Debian Edu Buster Samba Howto.
Windows will sync the profiles of domain users on every Windows login and logout. Depending on how much data is stored
in the profile, this could take some time. To minimise the time needed, deactivate things like local cache in browsers (you
can use the Squid proxy cache installed on the main server instead) and save files into the H: volume rather than under
”My Documents”.
Debian Edu / Skolelinux Buster 10+edu0 Manual 85 / 102

17.6 Remote Desktop

Choosing the LTSP server profile or the combined server profile also installs the xrdp and x2goserver packages.

17.6.1 Xrdp

Xrdp uses the Remote Desktop Protocol to present a graphical login to a remote client. Microsoft Windows users can
connect to the LTSP server running xrdp without installing additional software - they simply start a Remote Desktop
Connection on their Windows machine and connect.
Additionally, xrdp can connect to a VNC server or another RDP server.
Xrdp comes without sound support; to compile the required modules this script could be used.
#!/ bin/bash
# Script to compile / recompile xrdp PulseAudio modules .
# The caller needs to be root or a member of the sudo group.
# Also , /etc/apt/ sources .list must contain a valid deb -src line.
set -e
if [[ $UID -ne 0 ]] ; then
if ! groups | egrep -q sudo ; then
echo ”ERROR : You need to be root or a sudo group member .”
exit 1
fi
fi
if ! egrep -q ^deb -src /etc/apt/ sources .list ; then
echo ” ERROR: Make sure /etc/apt/ sources .list contains a deb -src line .”
exit 1
fi
TMP=$( mktemp -d)
PULSE_UPSTREAM_VERSION =”$(dpkg - query -W -f=’${ source :Upstream - Version }’ pulseaudio )”
XRDP_UPSTREAM_VERSION =”$(dpkg -query -W -f=’${ source :Upstream - Version }’ xrdp)”
sudo apt -q update
# Get sources and build dependencies :
sudo apt -q install dpkg -dev
cd $TMP
apt -q source pulseaudio xrdp
sudo apt -q build -dep pulseaudio xrdp
# For pulseaudio ’configure ’ is all what is needed :
cd pulseaudio - $PULSE_UPSTREAM_VERSION /
./ configure
# Adjust pulseaudio modules Makefile (needs absolute path)
# and build the pulseaudio modules .
cd $TMP/xrdp - $XRDP_UPSTREAM_VERSION / sesman / chansrv / pulse/
sed -i ’s/^ PULSE /# PULSE/’ Makefile
sed -i ”/# PULSE_DIR /a \
PULSE_DIR = $TMP/pulseaudio - $PULSE_UPSTREAM_VERSION ” Makefile
make
# Copy modules to Pulseaudio modules directory , adjust rights .
sudo cp *. so /usr/lib/pulse - $PULSE_UPSTREAM_VERSION / modules /
sudo chmod 644 /usr/lib/pulse - $PULSE_UPSTREAM_VERSION / modules /module -xrdp*
# Restart xrdp , now with sound enabled .
sudo service xrdp restart

17.6.2 X2Go

X2Go enables you to access a graphical desktop on the LTSP server over both low bandwidth and high bandwidth connections
from a PC running Linux, Windows or macOS. Additional software is needed on the client side, see the X2Go wiki for more
information.
Please note that the killer package should best be removed on the LTSP server if X2Go is used, see 890517.
Debian Edu / Skolelinux Buster 10+edu0 Manual 86 / 102

17.6.3 Available Remote Desktop clients

• freerdp-x11 is installed by default and is capable of RDP and VNC.

– RDP - the easiest way to access Windows terminal server. An alternative client package is rdesktop.
– VNC client (Virtual Network Computer) gives access to Skolelinux remotely. An alternative client package is xvncviewer.

• x2goclient is a graphical client for the X2Go system (not installed by default). You can use it to connect to running
sessions and start new ones.
• Citrix ICA client HowTo to access Windows terminal server from Skolelinux.

18 Samba in Debian Edu

Please read the information provided on the Samba wiki about supported Windows versions, needed registry patches
and other procedures before proceeding.
https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain
https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains
Samba has been fully prepared for use as an NT4-style domain controller. After a machine has joined the domain, this
machine can be fully managed with GOsa².

18.1 Getting Started

This documentation presumes that you have installed the Debian Edu main server and also a Debian Edu workstation. We
presume that you have already created some users that can login and use the Debian Edu workstation. We also presume
that you have a Windows workstation at hand, so you can test access to the Debian Edu main server from a Windows
machine.
After installation of the Debian Edu main server the Samba host \\TJENER should be visible in your Windows Network
Neighbourhood. Debian Edu’s Windows domain is SKOLELINUX. Use a Windows machine (or a Linux system with
smbclient) to browse your Windows/Samba network environment.

1. START -> Run command

2. enter \\TJENER and press return
3. -> a Windows Explorer window should open and show the netlogon share on \\TJENER, and maybe printers you
already have configured for printing under Unix/Linux (CUPS queues).

18.1.1 Accessing files via Samba

Student and teacher user accounts that have been configured via GOsa² should be able to authenticate against \\TJENER\HOMES
or \\TJENER\<username> and access their home directories even with Windows machines not joined to the Windows
SKOLELINUX domain.

1. START -> Run command

2. enter \\TJENER\HOMES or \\TJENER\<username> and press return
3. enter your login credentials (username, password) in the authentication dialog window that appears
4. -> a Windows Explorer window should open and show files and folders in your Debian Edu home directory.

By default only the [homes] and the [netlogon] shares are exported; further share examples for students and teachers can
be found in /etc/samba/smb-debian-edu.conf on your Debian Edu main server.
Debian Edu / Skolelinux Buster 10+edu0 Manual 87 / 102

18.2 Domain Membership

To use Samba on TJENER as a domain controller, your network’s Windows workstations have to join the SKOLELINUX
domain provided by the Debian Edu main server.
The first thing you have to do is to enable the SKOLELINUX\Administrator account. This account is not intended for
day-to-day usage; its current main purpose is to add Windows machines to the SKOLELINUX domain. To enable this
account log on to TJENER as the first user (created during main server installation) and run this command:

• $ sudo smbpasswd -e Administrator

The password of SKOLELINUX\Administrator has been preconfigured during the main server’s installation. Please use the
system’s root account when authenticating as SKOLELINUX\Administrator.
Once you are done with your administrative work make sure to disable the SKOLELINUX\Administrator account again:

• $ sudo smbpasswd -d Administrator

18.2.1 Windows hostname

Make sure your Windows machine has the name that you want to use in the SKOLELINUX domain. If not, rename it first
(and then reboot). The NetBIOS host name of the Windows machine will later on be used in GOsa² and cannot be changed
there (without breaking the domain membership for this machine).

18.3 First Domain Logon

Debian Edu ships some logon scripts that pre-configure the Windows user profile on first logon. When logging on to a
Windows workstation that has joined the SKOLELINUX domain for the first time the following tasks are run:

1. copy the user’s Firefox profile to a separate location and register that with Mozilla Firefox on Windows
2. set up Web-Proxy and start page in Firefox
3. set up Web-Proxy and start page in IE

4. add a MyHome icon to the Desktop that points to drive H: and opens Windows Explorer on double-click

Other tasks are run on every logon. For further information on this, please refer to the /etc/samba/netlogon folder on
your Debian Edu main server.

19 HowTos for teaching and learning

All Debian packages mentioned in this section can be installed by running apt install <package> (as root).

19.1 Teaching Programming

stable/education-development is a meta package depending on a lot of programming tools. Please note that almost 2 GiB
of disk space is needed if this package is installed. For more details (maybe to install only a few packages), see the Debian
Edu Development packages page.
Debian Edu / Skolelinux Buster 10+edu0 Manual 88 / 102

19.2 Monitoring pupils

Warning: make sure you know the status of the laws about monitoring and restricting computer users’ activities in your
jurisdiction.
Some schools use control tools like Epoptes or Veyon to supervise their students. See also: Epoptes Homepage and Veyon
Homepage.
To get full Epoptes support, these steps are required.
# Run on a combi server (and on each additional ltsp server ):
apt update
apt install epoptes
ltsp - chroot -m --arch amd64 apt update
ltsp - chroot -m --arch amd64 apt install epoptes - client
ltsp - chroot -m --arch amd64 apt install ssvnc
ltsp - chroot -m --arch amd64 sed -i ’s/test -f/# test -f/’ /etc/init.d/epoptes - client
ltsp - chroot -m --arch amd64 sed -i ’s/grep -qs /# grep -qs/’ /etc/init.d/epoptes - client
# If diskspace matters , use ’ltsp -update - image -n’ instead .
ltsp -update - image

19.3 Restricting pupils’ network access

Some schools use Squidguard or Dansguardian to restrict Internet access.

20 HowTos for users

20.1 Changing passwords

Every user should change her or his password by using GOsa². To do so, just use a browser and go to https://www/gosa/.
Using GOsa² to change the password ensures that passwords for Kerberos (krbPrincipalKey), LDAP (userPassword) and
Samba (sambaNTPassword and sambaLMPassword) are the same.
Changing passwords using PAM is working also at the GDM login prompt, but this will only update the Kerberos password,
and not the Samba and GOsa² (LDAP) password. So after you changed your password at the login prompt, you really
should also change it using GOsa².

20.2 Java

20.2.1 Running standalone Java applications

Standalone Java applications are supported out of the box by the OpenJDK Java runtime.

20.3 Using email

All users can send and receive mails within the internal network; certificates are provided to allow TLS secured connections.
To allow mail outside the internal network, the administrator needs to configure the mailserver exim4 to suit the local
situation, starting with dpkg-reconfigure exim4-config.
Every user who wants to use Thunderbird needs to configure it as follows. For a user with username jdoe the internal email
address is jdoe@postoffice.intern.
Debian Edu / Skolelinux Buster 10+edu0 Manual 89 / 102

20.3.1 Thunderbird

• Start Thunderbird
• Click ’Skip this and use my existing email’
• Enter your email address
• Don’t enter your password as Kerberos single sign on will be used
• Click ’Continue’
• For both IMAP and SMTP the settings should be ’STARTTLS’ and ’Kerberos/GSSAPI’; adjust if not detected auto-
matically
• Click ’Done’

20.3.2 Obtaining a Kerberos ticket to read email on diskless workstations

If working on a diskless workstation, you don’t have a Kerberos TGT by default. To get one, click the credentials button in
the system tray. Enter your password and the ticket will be granted.

20.4 Volume control

On thin clients, pavucontrol or alsamixer (but not kmix) can be used to change audio volume.
On other machines (workstations, LTSP servers, and diskless workstations), kmix or alsamixer can be used.

21 Contribute

21.1 Contribute locally

Currently there are local teams in Norway, Germany, the region of Extremadura in Spain, Taiwan and France. ”Isolated”
contributors and users exist in Greece, the Netherlands, Japan and elsewhere.
The support chapter has explanations and links to localised resources, as contribute and support are two sides of the same
coin.

21.2 Contribute globally

Internationally we are organised into various teams working on different subjects.

Most of the time, the developer mailing list is our main medium for communication, though we have monthly IRC meetings
on #debian-edu on irc.debian.org and even, less frequently, real gatherings, where we meet each other in person. New
contributors should read our http://wiki.debian.org/DebianEdu/ArchivePolicy.
A good way to learn what is happening in the development of Debian Edu is to subscribe to the commit mailinglist.

21.3 Documentation writers and translators

This document needs your help! First and foremost, it is not finished yet: if you read it, you will notice various FIXMEs
within the text. If you happen to know (a bit of) what needs to be explained there, please consider sharing your knowledge
with us.
The source of the text is a wiki and can be edited with a simple webbrowser. Just go to http://wiki.debian.org/
DebianEdu/Documentation/Buster/ and you can contribute easily. Note: a user account is needed to edit the pages;
you need to create a wiki user first.
Debian Edu / Skolelinux Buster 10+edu0 Manual 90 / 102

Another very good way to contribute and to help users is by translating software and documentation. Information on how
to translate this document can be found in the translations chapter of this book. Please consider helping the translation
effort of this book!

22 Support

22.1 Volunteer based support

22.1.1 in English

• http://wiki.debian.org/DebianEdu
• https://lists.skolelinux.org/listinfo/admin-discuss - support mailing list
• #debian-edu on irc.debian.org - IRC channel, mostly development related; do not expect real time support even though
it frequently happens

22.1.2 in Norwegian

• https://lists.skolelinux.org/listinfo/bruker - support mailing list

• https://lists.skolelinux.org/listinfo/linuxiskolen - mailing list for the development member organisation
in Norway (FRISK)
• #skolelinux on irc.debian.org - IRC channel to support Norwegian users

22.1.3 in German

• http://lists.debian.org/debian-edu-german - support mailing list

• https://www.skolelinux.de - official German representation
• #skolelinux.de on irc.debian.org - IRC channel to support German users

22.1.4 in French

• http://lists.debian.org/debian-edu-french - support mailing list

22.2 Professional support

Lists of companies providing professional support are available from http://wiki.debian.org/DebianEdu/Help/ProfessionalH

23 New features in Debian Edu Buster

23.1 New features for Debian Edu 10+edu0 Codename Buster

23.1.1 Installation changes

• This is the first time Debian Edu installation images are available at https://cdimage.debian.org, thus these are
official Debian images.
• New version of debian-installer from Debian Buster, see its installation manual for more details.
Debian Edu / Skolelinux Buster 10+edu0 Manual 91 / 102

• New artwork based on the futurePrototype theme, the default artwork for Debian 10 Buster.
• New default desktop environment Xfce (replacing KDE).
• New CFEngine configuration management (replacing unmaintained package cfengine2 with cfengine3); this is a major
change, for details see the official CFEngine documentation.
• The architecture of the LTSP chroot now defaults to the server one.

23.1.2 Software updates

• Everything which is new in Debian 10 Buster, eg:

– Linux kernel 4.19

– Desktop environments KDE Plasma Workspace 5.14, GNOME 3.30, Xfce 4.12, LXDE 0.99.2, MATE 1.20
– Firefox 60.7 ESR and Chromium 73.0
– LibreOffice 6.1
– Educational toolbox GCompris 0.95
– Music creator Rosegarden 18.12
– GOsa 2.74
– LTSP 5.18
– Debian Buster includes more than 57000 packages available for installation.

– More information about Debian 10 Buster is provided in the release notes and the installation manual.

23.1.3 Documentation and translation updates

• Translation updates for the templates used in the installer. These templates are now available in 76 languages, of which
31 are fully translated. The profile choice page is available in 29 languages, of which 19 are fully translated.
• The Debian Edu Buster Manual is fully translated to French, German, Italian, Danish, Dutch, Norwegian Bokmål and
Japanese.

– Partly translated versions exist for Polish, Spanish, Simplified Chinese and Traditional Chinese.

23.1.4 Other changes compared to the previous release

• The BD ISO image can be used for offline installations again.

• New school level related meta-packages education-preschool, education-primaryschool, education-secondaryschool and
education-highschool are available. None of them is installed by default.
• Some packages rather belonging to preschool or primaryschool level (like gcompris-qt, childsplay, tuxpaint or tuxmath)
are no longer installed by default.
• Site specific modular installation. It is now possible to install only those educational packages that are actually wanted.
See the installation chapter for more information.
• Site specific multi-language support. See the Desktop chapter for more information.
• LXQt 0.14 is offered as a new choice for the desktop environment.
• New GOsa²-Plugin Password Management.
• Unusable options have been removed from the GOsa² web interface.
• New netgroup available to exclude systems belonging to the shut-down-at-night-hosts netgroup from being woken up.
Debian Edu / Skolelinux Buster 10+edu0 Manual 92 / 102

• New tool Standardskriver (Default printer). See the Administration chapter for more information.
• New tool Desktop-autoloader. It allows performance improvements for LTSP diskless clients. See the NetworkClients
chapter for more information.
• Improved TLS/SSL support inside the internal network. A RootCA certificate is used to sign server certificates and user
home directories are configured to accept it at account creation time; besides Firefox ESR, also Chromium and Konqueror
can now use HTTPS without the need to allow insecure connections.
• Kerberized ssh. A password isn’t needed anymore for connections inside the internal network; root needs to run kinit
first to enable it.
• Kerberized NFS. It is now possible to use more secure home directory access, see the Administration chapter for more
information.
• Added configuration file /etc/debian-edu/pxeinstall.conf with examples to make site specific changes easier.
• Added configuration file /etc/ltsp/ltsp-build-client.conf with examples to make site specific changes easier.
• New tool /usr/share/debian-edu-config/tools/edu-ldap-from-scratch. It allows to re-generate the LDAP
database just like it has been right after the main server installation. The tool might also be useful to make site specific
changes easier.
• With X2Go server now available in Debian, the related packages are now installed on all systems with Profile LTSP-Server.
• Support for running Java applets in the Firefox ESR browser has been dropped upstream.

• Support for nonfree flash has been dropped from the Firefox ESR browser.
• Like it has been before Stretch, Debian 10 doesn’t install the unattended-upgrades package by default, see the
Maintenance chapter for more information about security upgrades.

23.1.5 Known issues

• see the Debian Edu Buster status page.

24 Copyright and authors

This document is written and copyrighted by Holger Levsen (2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016,
2017, 2018, 2019), Petter Reinholdtsen (2001, 2002, 2003, 2004, 2007, 2008, 2009, 2010, 2012, 2014), Daniel Heß (2007),
Patrick Winnertz (2007), Knut Yrvin (2007), Ralf Gesellensetter (2007), Ronny Aasen (2007), Morten Werner Forsbring
(2007), Bjarne Nielsen (2007, 2008), Nigel Barker (2007), José L. Redrejo Rodríguez (2007), John Bildoy (2007), Joakim
Seeberg (2008), Jürgen Leibner (2009, 2010, 2011, 2012, 2014), Oded Naveh (2009), Philipp Hübner (2009, 2010), Andreas
Mundt (2010), Olivier Vitrat (2010, 2012), Vagrant Cascadian (2010), Mike Gabriel (2011), Justin B Rye (2012), David
Prévot (2012), Wolfgang Schweer (2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019), Bernhard Hammes (2012) and Joe
Hansen (2015) and is released under the GPL2 or any later version. Enjoy!
If you add content to it, please only do so if you are the author. You need to release it under the same conditions!
Then add your name here and release it under the ”GPL v2 or any later version” licence.

25 Translation copyright and authors

The Spanish translation is copyrighted by José L. Redrejo Rodríguez (2007), Rafael Rivas (2009, 2010, 2011, 2012, 2015)
and Norman Garcia (2010, 2012, 2013) and is released under the GPL v2 or any later version.
The Bokmål translation is copyrighted by Petter Reinholdtsen (2007, 2012, 2014, 2015, 2016, 2017, 2018, 2019), Håvard
Korsvoll (2007-2009), Tore Skogly (2008), Ole-Anders Andreassen (2010), Jan Roar Rød (2010), Ole-Erik Yrvin (2014,
Debian Edu / Skolelinux Buster 10+edu0 Manual 93 / 102

2016, 2017), Ingrid Yrvin (2014, 2015, 2016, 2017), Hans Arthur Kielland Aanesen (2014), Knut Yrvin (2014), FourFire
Le’bard (2014), Stefan Mitchell-Lauridsen (2014), Ragnar Wisløff (2014) and Allan Nordhøy (2018, 2019) and is released
under the GPL v2 or any later version.
The German translation is copyrighted by Holger Levsen (2007), Patrick Winnertz (2007), Ralf Gesellensetter (2007, 2009),
Roland F. Teichert (2007, 2008, 2009), Jürgen Leibner (2007, 2009, 2011, 2014), Ludger Sicking (2008, 2010), Kai
Hatje (2008), Kurt Gramlich (2009), Franziska Teichert (2009), Philipp Hübner (2009), Andreas Mundt (2009, 2010) and
Wolfgang Schweer (2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019) and is released under the GPL v2 or any later version.
The Italian translation is copyrighted by Claudio Carboncini (2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016,
2017, 2018, 2019) and Beatrice Torracca (2013, 2014) and is released under the GPL v2 or any later version.
The French translation is copyrighted by Christophe Masson (2008), Olivier Vitrat (2010), Cédric Boutillier (2012, 2013,
2014, 2015), Jean-Paul Guilloneau (2012), David Prévot (2012), Thomas Vincent (2012), Jean-Pierre Giraud (2019) and
the French l10n team (2009, 2010, 2012, 2019) and is released under the GPL v2 or any later version.
The Danish translation is copyrighted by Joe Hansen (2012, 2013, 2014, 2015, 2016, 2019) and is released under the GPL
v2 or any later version.
The Dutch translation is copyrighted by Frans Spiesschaert (2014-2020) and is released under the GPL v2 or any later
version.
The Japanese translation is copyrighted by victory (2016, 2017) and hoxp18 (2019-2020) and is released under the GPL v2
or any later version.
The Polish translation is copyrighted by Stanisław Krukowski (2016, 2017), Wiktor Wandachowicz (2019), Adrian Bystrek
(2019) and Michal Biesiada (2020) and is released under the GPL v2 or any later version.
The Simplified Chinese translation is copyrighted by Ma Yong (2016-2020), Boyuan Yang (2017), Roy Zhang (2017) and
EldersJavas (2020) and is released under the GPL v2 or any later version.
The Traditional Chinese translation is copyrighted by Louies (2019) and is released under the GPL v2 or any later version.
The Romanian translation is copyrighted by Catalin Ene (2019) and is released under the GPL v2 or any later version.

26 Translations of this document

Versions of this document translated into German, Italian, French, Danish, Dutch, Norwegian Bokmål and Japanese are
available. Incomplete translations exist for Spanish, Polish and Simplified Chinese. There is an online overview of shipped
translations.

26.1 HowTo translate this document

26.1.1 Translate using PO files

As in many free software projects, translations of this document are kept in PO files. More information about the pro-
cess can be found in /usr/share/doc/debian-edu-doc/README.debian-edu-buster-manual-translations. The Git
repository (see below) contains this file too. Take a look there and at the language specific conventions if you want to help
translating this document.
To commit your translations you need to be a member of the Salsa project debian-edu.
Then check out the debian-edu-doc source using ssh access: git clone [email protected]:debian-edu/debian-edu-do
If you only want to translate, you need to check out only a few files from Git (which can be done anonymously). Please
file a bug against the debian-edu-doc package and attach the PO file to the bugreport. See instructions on how to submit
bugs for more information.
You can check out the debian-edu-doc source anonymously with the following command (you need to have the git
package installed for this to work):

• git clone https://salsa.debian.org/debian-edu/debian-edu-doc.git

Debian Edu / Skolelinux Buster 10+edu0 Manual 94 / 102

Then edit the file documentation/debian-edu-buster/debian-edu-buster-manual.$CC.po (replacing $CC with your

language code). There are many tools for translating available; we suggest using lokalize.
Then you either commit the file directly to Git (if you have the rights to do so) or send the file to the bugreport.
To update your local copy of the repository use the following command inside the debian-edu-doc directory:

• git pull

Read /usr/share/doc/debian-edu-doc/README.debian-edu-buster-manual-translations to find information how to create a

new PO file for your language if there isn’t one yet, and how to update translations.
Please keep in mind that this manual is still under development, so don’t translate any string which contains ” FIXME”.
Basic information about Salsa (the host where our Git repository is located) and Git is available at https://wiki.debian.
org/Salsa.
If you are new to Git, look at the Pro Git book; it has a chapter on the recording changes to the repository. Also you might
want to look at the gitk package that provides a GUI for Git.

26.1.2 Translate online using a web browser

Some language teams have decided to translate via Weblate. See https://hosted.weblate.org/projects/debian-edu-docume
debian-edu-buster/ for more information.
Please report any problems.

27 Appendix A - The GNU General Public License

Note to translators : there is no need to translate the GPL license text.
Translations are available at https :// www.gnu.org/ licenses /old - licenses /gpl -2.0 - ←-
translations .html.

27.1 Manual for Debian Edu 10+edu0 Codename Buster

Copyright (C) 2007-2018 Holger Levsen < [email protected] > and others, see the Copyright chapter for the full list of
copyright owners.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free
Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

27.2 GNU GENERAL PUBLIC LICENSE

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Debian Edu / Skolelinux Buster 10+edu0 Manual 95 / 102

27.3 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it
may be distributed under the terms of this General Public License. The ”Program”, below, refers to any such program or
work, and a ”work based on the Program” means either the Program or any derivative work under copyright law: that is to
say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in the term ”modification”.) Each licensee is addressed as
”you”.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The
act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a
work based on the Program (independent of having been made by running the Program). Whether that is true depends on
what the Program does.
1. You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided
that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty;
keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of
the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in
exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program,
and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of
these conditions:

• a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any
change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the
Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running
for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright
notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute
the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program
itself is interactive but does not normally print such an announcement, your work based on the Program is not required
to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the
Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms,
do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as
part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License,
whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote
it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the
intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the
Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you also do one of the following:

• a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the
terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code,
to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
Debian Edu / Skolelinux Buster 10+edu0 Manual 96 / 102

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This
alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable
form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work,
complete source code means all the source code for all modules it contains, plus any associated interface definition files,
plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source
code distributed need not include anything that is normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering
equivalent access to copy the source code from the same place counts as distribution of the source code, even though third
parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any
attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights
under this License. However, parties who have received copies, or rights, from you under this License will not have their
licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission
to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept
this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your
acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or
works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a
license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You
may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for
enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited
to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the
conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to
satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the
Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section
is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity
of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system,
which is implemented by public license practices. Many people have made generous contributions to the wide range of
software distributed through that system in reliance on consistent application of that system; it is up to the author/donor
to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted
interfaces, the original copyright holder who places the Program under this License may add an explicit geographical
distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus
excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to
time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or
concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which
applies to it and ”any later version”, you have the option of following the terms and conditions either of that version or
of any later version published by the Free Software Foundation. If the Program does not specify a version number of this
License, you may choose any version ever published by the Free Software Foundation.
Debian Edu / Skolelinux Buster 10+edu0 Manual 97 / 102

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different,
write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to
the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of
preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM,
TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM ”AS IS” WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY
AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU
ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT
HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED
ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSE-
QUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT
LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR
THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS

28 Appendix B - no Debian Edu Live CD/DVDs for Buster yet

Debian Edu Live CD/DVDs for Buster are not available at the moment.

28.1 Features of the Standalone image

• XFCE desktop
• All packages from the Standalone profile

• All packages from the laptop task

28.2 Features of the Workstation image

• XFCE desktop
• All packages from the Workstation profile

• All packages from the laptop task

28.3 Activating translations and regional support

To activate a specific translation, boot using locale=ll_CC.UTF-8 as a boot option, where ll_CC.UTF-8 is the locale
name you want. To activate a given keyboard layout, use the keyb=KB option where KB is the desired keyboard layout.
Here is a list of commonly used locale codes:
Debian Edu / Skolelinux Buster 10+edu0 Manual 98 / 102

Language (Region) Locale value Keyboard layout

Norwegian Bokmål nb_NO.UTF-8 no

Norwegian Nynorsk nn_NO.UTF-8 no

German de_DE.UTF-8 de

French (France) fr_FR.UTF-8 fr

Greek (Greece) el_GR.UTF-8 el

Japanese ja_JP.UTF-8 jp

Northern Sami (Norway) se_NO no(smi)

A complete list of locale codes is available in /usr/share/i18n/SUPPORTED, but only the UTF-8 locales are supported
by the live images. Not all locales have translations installed, though. The keyboard layout names can be found in
/usr/share/keymaps/i386/.

28.4 Stuff to know

• The password for the user is ”user”; root has no password set.

28.5 Known issues with the image

• There are no images yet

28.6 Download

The image would be (but currently isn’t) available via FTP, HTTP or rsync from ftp.skolelinux.org under cd-buster-live/.

29 Appendix C - Features in older releases

29.1 New features for Debian Edu 9+edu0 Codename Stretch released 2017-06-17

29.1.1 Installation changes

• New version of debian-installer from Debian Stretch, see its installation manual for more details.
• The ”Thin-Client-Server” profile has been renamed to ”LTSP-Server” profile.
• New artwork based on the ”soft Waves” theme, the default artwork for Debian 9 Stretch.

29.1.2 Software updates

• Everything which was new in Debian 9 Stretch, eg:

– Linux kernel 4.9

– Desktop environments KDE Plasma Workspace 5.8, GNOME 3.22, Xfce 4.12, LXDE 0.99.2, MATE 1.16
Debian Edu / Skolelinux Buster 10+edu0 Manual 99 / 102

∗ KDE Plasma Workspace is installed by default; to choose one of the others see this manual.
– Firefox 45.9 ESR and Chromium 59
∗ Iceweasel has been re-renamed to Firefox!
– Icedove has been re-renamed to Thunderbird and is now installed by default.
– LibreOffice 5.2.6
– Educational toolbox GCompris 15.10
– Music creator Rosegarden 16.06
– GOsa 2.7.4
– LTSP 5.5.9
– Debian Stretch includes more than 50000 packages available for installation.

– More information about Debian 9 Stretch is provided in the release notes and the installation manual.

29.1.3 Documentation and translation updates

• Translation updates for the templates used in the installer. These templates are now available in 29 languages.
• The Debian Edu Stretch Manual is fully translated to German, French, Italian, Danish, Dutch, Norwegian Bokmål and
Japanese. The Japanese translation was newly added for Stretch.

– Partly translated versions exist for Spanish, Polish and Simplified Chinese.

29.1.4 Other changes compared to the previous release

• Icinga replaces Nagios as monitoring tool.

• kde-spectacle replaces ksnapshot as screenshot tool.
• The free flash player gnash is back again.
• Plymouth is installed and activated by default, except for the ’Main Server’ and ’Minimal’ profiles; pressing ESC allows
to view boot and shutdown messages.
• Upon upgrade from Jessie the LDAP data base has to be adjusted. The sudoHost value ’tjener’ has to be replaced with
’tjener.intern’ using GOsa² or an LDAP editor.
• The 32-bit PC support (known as the Debian architecture i386) now no longer covers a plain i586 processor. The new
baseline is the i686, although some i586 processors (e.g. the ”AMD Geode”) will remain supported.
• Debian 9 enables unattended upgrades (for security updates) by default for new installations. This might cause a delay
of about 15 minutes if a system with a low uptime value is powered off.
• LTSP now uses NBD instead of NFS for the root filesystem. After each single change to an LTSP chroot, the related
NBD image must be regenerated (ltsp-update-image) for the changes to take effect.
• Concurrent logins of the same user on LTSP server and LTSP thin client are no longer allowed.

29.2 New features for Debian Edu 8+edu0 Codename Jessie released 2016-07-02

• read the release announcement on www.debian.org: Debian Edu / Skolelinux Jessie — a complete Linux solution for
your school.

29.2.1 Installation changes

• New version of debian-installer from Debian Jessie, see installation manual for more details.
Debian Edu / Skolelinux Buster 10+edu0 Manual 100 / 102

29.2.2 Software updates

• Everything which is new in Debian 8 Jessie, eg:

– Linux kernel 3.16.x

– Desktop environments KDE Plasma Workspace 4.11.13, GNOME 3.14, Xfce 4.10, LXDE 0.5.6
∗ new optional desktop environment: MATE 1.8
∗ KDE Plasma Workspace is installed by default; to choose one of the others see this manual.
– the browsers Iceweasel 31 ESR and Chromium 41
– LibreOffice 4.3.3
– Educational toolbox GCompris 14.12
– Music creator Rosegarden 14.02
– GOsa 2.7.4
– LTSP 5.5.4
– new boot framework: systemd. More information is available in the Debian systemd wiki page and in thesystemd
manual.
– Debian Jessie includes about 42000 packages available for installation.

– More information about Debian 8 Jessie is provided in the release notes and the installation manual.

29.2.3 Documentation and translation updates

• Translation updates for the templates used in the installer. These templates are now available in 29 languages.

• Two manual translations have been completed: Dutch and Norwegian Bokmål.
• The Debian Edu Jessie Manual is fully translated to German, French, Italian, Danish, Dutch and Norwegian Bokmål. A
partly translated version exists for Spanish.

29.2.4 Other changes compared to the previous release

• squid: Shutdown and reboot of the main server takes longer than before due to a new default setting shutdown_lifetime
30 seconds. As an example the delay could be set to 10 seconds by appending the line shutdown_lifetime 10
seconds to /etc/squid3/squid.conf.
• ssh: The root user is no longer allowed to login via SSH with password. The old default PermitRootLogin yes has
been replaced with PermitRootLogin without-password, so ssh-keys will still work.
• slbackup-php: To be able to use the slbackup-php site (which uses root logins via ssh), PermitRootLogin yes has to
be set temporarily in /etc/ssh/sshd_config.
• sugar: As the Sugar desktop was removed from Debian Jessie, it is also not available in Debian Edu jessie.

29.3 New features in Debian Edu 7.1+edu0 Codename Wheezy released 2013-09-28

29.3.1 User visible changes

• Updated artwork and new Debian Edu / Skolelinux logo, visible during installation, in the login screen and as desktop
wallpaper.
Debian Edu / Skolelinux Buster 10+edu0 Manual 101 / 102

29.3.2 Installation changes

• New version of debian-installer from Debian Wheezy, see installation manual for more details.
• The DVD image was dropped, instead we added a USB flash drive / Blu-ray disc image, which behaves like the DVD
image, but is too big to fit on a DVD.

29.3.3 Software updates

• Everything which is new in Debian Wheezy 7.1, eg:

– Linux kernel 3.2.x

– Desktop environments KDE ”Plasma” 4.8.4, GNOME 3.4, Xfce 4.8.6, and LXDE 0.5.5 (KDE ”Plasma” is installed by
default; to choose GNOME, Xfce or LXDE: see manual.)
– Web browser Iceweasel 17 ESR
– LibreOffice 3.5.4
– LTSP 5.4.2
– GOsa 2.7.4
– CUPS print system 1.5.3
– Educational toolbox GCompris 12.01
– Music creator Rosegarden 12.04
– Image editor Gimp 2.8.2
– Virtual universe Celestia 1.6.1
– Virtual stargazer Stellarium 0.11.3
– Scratch visual programming environment 1.4.0.6
– New version of debian-installer from Debian Wheezy, see installation manual for more details.
– Debian Wheezy includes about 37000 packages available for installation.

– More information about Debian Wheezy 7.1 is provided in the release notes and the installation manual.

29.3.4 Documentation and translation updates

• Translation updates for the templates used in the installer. These templates are now available in 29 languages.
• The Debian Edu Wheezy Manual is fully translated to German, French, Italian and Danish. Partly translated versions
exist for Norwegian Bokmål and Spanish.

29.3.5 LDAP related changes

• Slight changes to some objects and acls to have more types to choose from when adding systems in GOsa. Now systems
can be of type server, workstation, printer, terminal or netdevice.

29.3.6 Other changes

• New Xfce desktop task.

• LTSP diskless workstations run without any configuration.
• On the dedicated client network of LTSP servers (default 192.168.0.0/24), machines run by default as diskless worksta-
tions if they are powerful enough.
• GOsa gui: Now some options that seemed to be available, but are non functional, are greyed out (or are not clickable).
Some tabs are completely hidden to the end user, others even to the GOsa admin.
Debian Edu / Skolelinux Buster 10+edu0 Manual 102 / 102

29.3.7 Known issues

• Using KDE ”Plasma” on standalone and roaming workstations, at least Konqueror, Chromium and Step sometimes fail
to work out-of-the box when the machines are used outside the backbone network, proxy use is required to use the other
network but no wpad.dat information is found. Workaround: Use Iceweasel or configure the proxy manually.

29.4 Historic information about older releases

The following Debian Edu releases were made further in the past:

• Debian Edu 6.0.7+r1 Codename ”Squeeze”, released 2013-03-03.

• Debian Edu 6.0.4+r0 Codename ”Squeeze”, released 2012-03-11.

• Debian Edu 5.0.6+edu1 Codename ”Lenny”, released 2010-10-05.
• Debian Edu 5.0.4+edu0 Codename ”Lenny”, released 2010-02-08.

• Debian Edu ”3.0r1 Terra”, released 2007-12-05.

• Debian Edu ”3.0r0 Terra” released 2007-07-22. Based on Debian 4.0 Etch released 2007-04-08.
• Debian Edu 2.0, released 2006-03-14. Based on Debian 3.1 Sarge released 2005-06-06.
• Debian Edu ”1.0 Venus” release 2004-06-20. Based on Debian 3.0 Woody released 2002-07-19.

A complete and detailed overview about older releases is contained in Appendix C of the Jessie manual; or see the related
release manuals on the release manuals page.

29.4.1 More information on even older releases

More information on even older (pre-)releases can be found at http://developer.skolelinux.no/info/cdbygging/

news.html.