Classroom ltsp configuration


Page 1: Classroom ltsp configuration

Classroom LTSP Configuration

Note: this page should be moved to the Ubuntu LTSP Documentation when they fix the login bug and I can actually edit that wiki.

We're supporting a two-server, 15-terminal thin client system which has been running Ubuntu 8.04 (Hardy) in the Cama Samfya Resource Centre in Samfya, a rural town in Zambia. It has been working reasonably well for two years.

It's also used for IT training for about 150 school-leavers every year on Camfed's Goldman Sachs 10,000 Women Certificate Programme in Young Women's Leadership and Enterprise (the Camfed Programme) which takes place in Lubwe, Samfya District, Zambia. The equipment is moved from Samfya to Lubwe twice a year for the training course.

Contents

1 Brief
2 Operating System Upgrade
    2.1 Upgrade Issues
3 Partitioning with RAID and LVM
4 Installation Step by Step
    4.1 Backup Existing Data
    4.2 IP Address Check
    4.3 Boot the Install CD
    4.4 Configure Language and Keyboard
    4.5 Configure Networking and Clock
    4.6 Partition disks: Configuring partitions
    4.7 Partition disks: Configuring Software RAID
    4.8 Partition disks: Create Logical Volumes
    4.9 Partition disks: Configure Filesystems
    4.10 Set up users and passwords
    4.11 Configure the package manager
    4.12 Configure LTSP
    4.13 Configuring grub-pc
    4.14 Finish the installation
5 General Post-Install Configuration
    5.1 Enable Local Repository
    5.2 Install Ubuntu updates
    5.3 Simplify File Management as Root
    5.4 Install Server Kernel
    5.5 Enable auto-creation of home directories
    5.6 Configure LTSP Interface
    5.7 Install Adobe Flash Plugin
    5.8 Install Caching Servers
    5.9 Enable Proxy Cache by Default
    5.10 Enable Forwarding and Masquerading
    5.11 LTSP Screen Blanking
    5.12 Customising the LTSP Client Image
    5.13 Disable Compiz for Compatibility
6 Camfed Programme Specific
    6.1 Guest User Accounts
    6.2 Student Accounts
    6.3 Clean Guest Accounts
    6.4 Internet Cafe Software
7 Work in Progress
    7.1 Read-only Guest Users

1 Brief

There are some problems that we'd like to fix:

- Operating system needs to be upgraded before support expires
- Hard disk filled up with files in /home, and not partitioned, so the proxy server failed to start and Firefox can't browse
- Users can corrupt the profiles of the guest accounts, by modifying panels and changing icons
- Users save personal files on the hard disk without limit until it fills up
- No DNS cache installed
- UPSes not up to requested spec, only last a few minutes, batteries degraded due to frequent use
- UPSes not monitored, servers and thin clients don't shut down automatically
- Standalone mode on thin clients (Aleutia E2) broken due to filesystems corrupted by power outages
- Users storing important files on server which is not backed up
- One server had a memory failure and now only has 4 GB RAM (the other has 8 GB)
- Frequent internet outages at the SRC (no backup Internet access) leading to complaints from customers
- No automatic logout or Internet cafe billing system for SRC customers
- Each terminal has its own LTSP guest user whose profile can become corrupted

2 Operating System Upgrade

We will upgrade the system to a more recent Ubuntu version because:

- the support lifetime for 8.04 will run out in April 2011, in four months
- we'd rather not upgrade in a rush in April
- we'd rather not upgrade in the middle of this year's Camfed programme and confuse students with a new OS
- much educational software is not available for 8.04 (e.g. GeoGebra).

We've been testing two newer versions of Ubuntu: 10.04 (Lucid) and 10.10 (Maverick). Lucid has the advantage of being a Long-Term Support release, which means that it's supported (as much as that means anything with Ubuntu) for three years, until April 2013. However we found a serious bug, where plugging in a USB stick to a thin client caused the server's screen to become corrupted and unusable. We have not yet been able to debug the problem sufficiently to file a bug report in Ubuntu, so it's unlikely to be fixed in Lucid.

This problem does not occur in Maverick, and so far our experience with Maverick has been quite good, so it looks like we'll be using Maverick for now. Maverick's support is only for 18 months, so we should either downgrade to Lucid, or upgrade to Natty (11.04, not released yet) in April in order to keep our system supported with security updates for the longest possible time.

2.1 Upgrade Issues

Problems encountered during the upgrade process:

- The Maverick installer crashed at least once while compressing the LTSP image (84% finished)
- Maverick and Lucid's new version of Grub doesn't detect the old Hardy partition, and is extremely complex to configure compared to the old version, so it's not at all clear how we can now boot into the old system (maybe reinstall old Grub from an 8.04 rescue CD?)
- Grub failed to install on the main server because the partition layout had no space after the boot sector, possibly due to the drive being replaced and the partition table being copied from the other disk, which has a different geometry
- The Maverick kernel insists on trying to mirror /dev/sda3 with the whole of /dev/sdb, which corrupts the second disk in the RAID array, in a way that's not obvious. This was because, right at the end of /dev/sdb there was a RAID superblock with the same UUID as /dev/sda3, so the kernel placed /dev/sda3 and /dev/sdb in the same array.
- The installer's partition editor still fails to recognise existing RAID devices (and the LVM logical volumes on them) automatically under some circumstances, and wouldn't recognise the existing logical volumes even after entering and exiting the RAID menu. When trying to create a new volume group, I was told that all devices were used, and shown that 4 logical volumes were detected, but the partitioner wouldn't allow me to partition them.
- Maverick can't create working USB installers with usb-creator for older versions of Ubuntu (e.g. Lucid)
- Only zambiaserver2 has a CD writer, zambiaserver1 only has a DVD-ROM
- Guest accounts appear on the login chooser
- Login sessions sometimes, randomly, fail on E2s due to compiz failure to run (screen width is not a power of two?), needs a hack in the Gnome registry to disable compiz
- LTSP still fails to complete installation unless exactly one interface is configured, and has to be manually configured later
- NetworkManager tries to manage the LTSP server interface when the link comes up, and acquire an IP from its own DHCP server, which wrecks LTSP clients
- Scroll bars, unchecked checkboxes, active tabs in Firefox and highlighted unfocused selections (e.g. usb-creator) are invisible in this theme
- Physical power button on thin client does nothing (doesn't shut it down)
- Root account is still locked by default, so it's useful to chroot into the LTSP client image (/opt/ltsp/i386), use passwd to set a password for the root account, and install openssh server with apt-get update; apt-get install openssh-server, and then rebuild the LTSP client image with ltsp-build-client
- LDM doesn't allow logging in with just the keyboard, e.g. by entering a blank user name
- Booting the system with a USB stick inserted generates scary messages on the text-mode boot logo
- sshd still doesn't log authentication errors because there's no socket in the sshd chroot. Add "$AddUnixListenSocket /var/run/sshd/dev/log" to /etc/rsyslog.d/sshd.conf on the server.
- Favourite terminal keybindings:

    for i in "move_tab_left <Shift><Control>Left" "move_tab_right <Shift><Control>Right" "next_tab <Shift>Right" "prev_tab <Shift>Left"; do sudo -u guest_d9daff gconftool-2 --type string --set /apps/gnome-terminal/keybindings/$i; done

- Shutting down the server (on Maverick) from gdm doesn't work.

3 Partitioning with RAID and LVM

We originally used a single partition for simplicity, and because we decided to use only 1/3 of the 250 GB disk, or 75 GB, leaving the rest for backups or future uses. This came in handy for the upgrade to Maverick, allowing us to reinstall without wiping the existing system. But it did mean that the disk filled up faster.

For flexibility, we are reinstalling using LVM on the remaining space, with separate partitions for:

- Root (and all software, and everything not included below) - 15 GB
- /var (logs, mailboxes and Squid cache) - 10 GB
- Home directories (to stop them from bringing down the system) - 80 GB
- Manager's home directory (to allow manager to use the system even if all other users fill up their space) - 20 GB

Bjoern would like to enable video editing on these systems, which will require a lot of space, so I've left plenty unallocated (about 40 GB) for a potential future "video" user. More space can be reclaimed when the important parts of the old user data are copied over from the old Hardy partition, after which that partition can be removed.

4 Installation Step by Step

4.1 Backup Existing Data

Before starting the installation, back up all important user data from /home, and also /etc/passwd and /etc/shadow, onto an external hard disk.

4.2 IP Address Check

Before proceeding, please check that your server's eth0 interface is attached to a network with a DHCP server, and that the address range of that network is NOT 192.168.1.x/24. Also please check that eth1 is attached to a network switch that is powered up, but has no DHCP server attached.

This is because the LTSP auto-configuration will FAIL if there is no IP address on an interface (e.g. one interface connected to the Internet) or if that interface has an IP address in the range that LTSP wants to use by default for its own private network. The interface for the private network must also have a link.

The easiest way to check the IP address is to:

- Attach a computer running Ubuntu desktop to the same Internet connection as the server that you're installing
- Click on the Network Manager icon on the menu bar and select the wired network
- Wait for the computer to connect to the network (icon should change to up-and-down arrows)
- Right-click on the Network Manager icon and click Connection Details
- Check that the IP Address doesn't start with 192.168.1.

4.3 Boot the Install CD

On the server that you want to install (or reinstall), start by booting from the Ubuntu 10.10 Alternate CD. On the Dell servers: switch on/power up server. Press F11 when you see the Dell logo. When the "Boot device menu" appears, insert Ubuntu 10.10 Alternate CD and choose "Embedded Optical Drive Port C" from the menu.

A language menu will appear. Press Enter to select English.

Press F4 and choose Install an LTSP Server (using the down arrow key), then press Enter to load the installer.

Press Enter again to install Ubuntu.

4.4 Configure Language and Keyboard

Choose the following settings:

- Language: English
- Country: Other, then Africa, then Zambia (O, enter, A, enter, Z, enter)
- Detect keyboard layout: No (just press enter)
- Origin of the keyboard: United Kingdom
- Keyboard layout: United Kingdom

4.5 Configure Networking and Clock

- Primary network interface: eth0 (The primary network interface is the one going to the Internet.)
  o If no DHCP server was found on eth0, this error will appear: Network autoconfiguration failed. DO NOT PROCEED - check that the DHCP server or router is working, and retry the network configuration.
- Hostname: see label on front of server, e.g. zambiaserver1 or zambiaserver2

Ubuntu will then try to determine which country you are in from your Internet connection. If it says something other than Your timezone is Africa/Lusaka, then:

- Choose No
- Scroll up to the top of the list (with the Page Up key) which should say Africa, then choose Lusaka below that.

4.6 Partition disks: Configuring partitions

The server has two disks. These are mirrored so that both contain the same data, as a backup in case one disk fails. This mirroring is done by Ubuntu, so we have to configure it now.

This process will delete all existing data on the disks, so please ensure that all important data is backed up before starting. (We can try to keep some data, but there are no guarantees).

- Partitioning method: Manual
- You should see the Partition disks menu

Each disk (SCSI1 and SCSI2) should now show something like:

    #1 primary 75.0 GB raid
    #2 primary 175.0 GB raid (if keeping existing data on partition #1)

Note that the sizes may be different. However, if the partitions don't appear like that, you'll need to edit them:

- If no partitions appear under SCSI1 or SCSI2, then enter each in turn and:
  o Create new empty partition table on this device: Yes (if asked)
- If you want to try to preserve existing data, then in the following steps, be careful not to delete partition #1 from either disk.
- Select each partition under SCSI1 and SCSI2 (except #1 if you want to save the existing data), press Enter to edit it, and choose Delete the partition.
- Each disk (SCSI1 and SCSI2) should now show:
  o #1 primary 75.0 GB raid (if keeping existing data, size may vary)
  o 175.0 GB FREE SPACE (amount of free space may vary)
- Select the FREE SPACE on each disk in turn:
  o Choose Create a new partition
  o Press Enter to accept the default size (all of the free space)
  o Choose Primary as the type
  o Press Enter on Use as: Ext4 journaling file system
  o Choose Physical volume for RAID
  o Choose Done setting up the partition

4.7 Partition disks: Configuring Software RAID

- Choose Configure software RAID from the top of the Partition disks menu
- Choose Yes to write the changes to the storage devices, or keep the current partition layout

If you get an error message about an Error informing the kernel about modifications, then choose Cancel and keep choosing Cancel until you get to the Software RAID configuration menu. Press Ctrl+Alt+Delete to reboot the server, and follow all the steps above again. However your partition changes should have been saved, so you may not need to delete or create any partitions this time.

- You should see the Software RAID configuration menu
- Choose Create MD device
- Choose RAID1
- Press Enter to accept the default of 2 active devices
- Press Enter to accept the default of 0 spare devices
- Use the up and down arrow keys to select each of the two 175000 MB: raid partitions, and press Space to make an asterisk (*) appear in the box to the left of each one. There should be exactly two boxes with asterisks in them. DO NOT PROCEED unless two devices are selected!
- Press Tab to highlight the Continue button and Enter to continue
- You should see the Software RAID configuration menu again
- Choose Finish

4.8 Partition disks: Create Logical Volumes

- You should see the Partition disks menu
- Under RAID1 Device, choose partition #1
- Choose Use as: do not use
- Choose physical volume for LVM
- Choose Done setting up the partition
- Choose Configure the Logical Volume Manager
- Under Keep current partition layout and configure LVM, choose Yes
- Choose Create volume group
- Enter Raid as the volume group name
- Under Devices for the new volume group, highlight /dev/md0 (175000 MB) (or /dev/md1 (175000 MB) if you are preserving existing data)
- Use the Space key to put an asterisk (*) in the box next to it
- Choose Continue

Create the Root volume for Ubuntu Maverick (10.10):

- Choose Create logical volume
- Choose the Raid volume group
- Enter Root_Maverick as the volume name
- Enter 15G (15 gigabytes) for the Logical volume size

Create the other logical volumes:

- One called Var_Maverick, 10G size
- One called Home, 80G size
- One called Home_Manager, 20G size
- One called Swap, 4G size

Then choose Display configuration details, and check that the logical volumes are displayed as follows:

    Volume groups:
      Raid
        Uses physical volume: /dev/md1 (or /dev/md0)
        Provides logical volume: Home (79997 MB)
        Provides logical volume: Home_Manager (19998 MB)
        Provides logical volume: Root_Maverick (14998 MB)
        Provides logical volume: Swap (3997 MB)
        Provides logical volume: Var_Maverick (9999 MB)

Choose Continue to exit the Current LVM configuration screen. On the LVM configuration menu, choose Finish.

4.9 Partition disks: Configure Filesystems

- You should see the Partition disks menu
- Under LVM VG Raid, LV Swap:
  o Choose the #1 partition
  o Choose Use as: do not use
  o Choose swap area
  o Choose Done setting up the partition
- Under each of the other logical volumes created above (all except Swap):
  o Remember which logical volume the partition belongs to, e.g. Home
  o Choose the #1 partition
  o Choose Use as: do not use
  o Choose Ext4 journalling file system
  o Choose Mount point: none
  o For the Home volume, choose /home
  o For the Home_Manager volume, choose Enter manually and then type /home/manager
  o For the Root_Maverick volume, choose /
  o For the Var_Maverick volume, choose /var
  o Choose Label: none
  o Enter the name of the logical volume as its label, e.g. Root_Maverick
  o Choose Done setting up the partition
- Check that you have the following structure:
  o LVM VG Raid, LV Home - 80.0 GB Linux device-mapper (linear)
      #1 80.0 GB f ext4 /home
  o LVM VG Raid, LV Home_Manager - 20.0 GB Linux device-mapper (linear)
      #1 20.0 GB f ext4 /home/manager
  o LVM VG Raid, LV Root_Maverick - 15.0 GB Linux device-mapper (linear)
      #1 15.0 GB f ext4 /
  o LVM VG Raid, LV Swap - 4.0 GB Linux device-mapper (linear)
      #1 4.0 GB f swap swap
  o LVM VG Raid, LV Var_Maverick - 10.0 GB Linux device-mapper (linear)
      #1 10.0 GB f ext4 /var
- Scroll down to the bottom of the menu and choose Finish partitioning and write changes to disk
- When asked Do you want to boot your system if your RAID becomes degraded choose No
- When asked Write the changes to disks? choose Yes

The system will then display 'partitions formatting' and then 'installing base system'. Wait for the process to finish.

4.10 Set up users and passwords

- For Full name for the new user: enter CAMA Network Manager, and continue.
- For User name: enter manager
- For Password: enter the password for the manager user (you will see a '*' for each character)

4.11 Configure the package manager

- HTTP proxy information: leave blank, because no HTTP proxy is required; just press Enter to continue
- System responds with 'select and install software'
- Wait for the process to finish, which will take some time
- You can cancel the Retrieving files steps if your internet connection is slow, and install updates later (recommended)

4.12 Configure LTSP

On one of the servers you will probably get the error message: There are no free interfaces for use with LTSP or Build LTSP chroot: Installation step failed. In this case you will have to configure the second network interface for LTSP later. In the latter case, you will also be dropped to the installer menu, where you will have to choose the option Install the GRUB bootloader and then Finish the installation.

4.13 Configuring grub-pc

When asked Install the GRUB boot loader on the Master Boot Record? choose Yes.

4.14 Finish the installation

- Is the system clock set to UTC: Yes
- Installation complete. Select continue to restart.

After installation has finished, the server should boot into Ubuntu. Once the boot has finished, you should see the Ubuntu login screen.

5 General Post-Install Configuration

5.1 Enable Local Repository

If you have a mirrored copy of the Ubuntu repository, enable it now to speed up software installation. E.g. if it's mounted on /media/ubuntumirror, rename /etc/apt/sources.list to a backup copy, and recreate it with just the following lines inside:

    deb file:/media/ubuntumirror/mirror/archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
    deb file:/media/ubuntumirror/mirror/archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
    deb file:/media/ubuntumirror/mirror/archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse

Note that the path after the file: must exist, and must contain a subdirectory called "dists", which contains maverick, maverick-updates and maverick-security.

Connect the device and run apt-get update.

Run apt-get upgrade to install any pending software updates.

5.2 Install Ubuntu updates

Log in using the manager account. If you have an internet connection, install any updates available in the package manager.

5.3 Simplify File Management as Root

- Run Applications/Ubuntu Software Centre
- Type nautilus-gksu into the search box
- Click on Privilege granting extension for nautilus using gksu
- Click on the Install button
- Log out and log back in again to activate the extension

5.4 Install Server Kernel

Allows use of RAM over 4GB.

- Run Applications/Ubuntu Software Centre
- Type linux-server into the search box
- Click on Complete Linux kernel on Server Equipment
- Click on the Install button
- Reboot to activate the new kernel (Power off button then Restart and log back in once rebooted).

5.5 Enable auto-creation of home directories

Add the following line to the bottom of /etc/pam.d/common-session:

session required pam_mkhomedir.so umask=0077

Check it very carefully before saving, as a typing mistake could make it impossible for any user to log in. You might need to boot the system using a rescue CD in that case.

5.6 Configure LTSP Interface

The private network for LTSP clients must have a different IP address range from the public (Internet) side of the server. Unfortunately the default is the very common 192.168.0.x range. It's better to change the range to something less common, such as 192.168.2.x.

Also, NetworkManager has a tendency to try to get an IP address from its own DHCP server, which breaks both Internet connectivity and thin clients. It's better to configure the LTSP interface using /etc/network/interfaces rather than NetworkManager.

- Right-click on the NetworkManager icon (probably a pair of arrows, up and down)
- Choose Edit Connections...
- Choose Auto eth1 and click Delete
- Choose Auto eth2 if it exists, and click Delete
- Click Close

Edit /etc/network/interfaces and add the following lines:

    auto eth1
    iface eth1 inet static
        address 192.168.2.254
        netmask 255.255.255.0

Bring the interface up manually with sudo ifup eth1.

- Edit /etc/ltsp/dhcpd.conf
- Change all instances of 192.168.0 to another subnet, such as 192.168.2
- Start the DHCP server with sudo service dhcp3-server start

Run sudo ltsp-update-image to install the NBD server so that clients can boot.

5.7 Install Adobe Flash Plugin

    sudo apt-get install flashplugin-installer

5.8 Install Caching Servers

Install Squid and Bind 9:

    sudo apt-get install squid bind9

To stop Squid dying due to DNS tests failing if the system boots while the Internet connection is offline, edit /etc/default/squid and add:

    SQUID_ARGS=-D

Start or restart Squid:

    sudo service squid stop
    sudo service squid start

5.9 Enable Proxy Cache by Default

To enable the proxy cache by default for all users:

- Log in as the manager account
- Open System/Preferences/Network Proxy
- Choose Manual proxy configuration
- Tick Use the same proxy for all protocols
- For HTTP proxy: enter localhost
- For Port: enter 3128
- Click the Apply System-Wide... button
- Check that you can still browse the Internet.

5.10 Enable Forwarding and Masquerading

Needed if the thin clients need Internet access from local applications, or when running in standalone mode.

Edit /etc/sysctl.conf, find the line that says:

    #net.ipv4.ip_forward=1

and remove the "#" mark at the start of the line. Run this to apply immediately:

    sudo sysctl -p /etc/sysctl.conf

Now enable masquerading. The -s source range must be the LTSP client subnet; 192.168.2.0/24 here matches the 192.168.2.254 address given to eth1 in section 5.6, so adjust it if you chose a different range:

    sudo iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Save the rules to a file:

    sudo iptables-save | sudo tee /etc/iptables.conf

And configure the system to load these rules whenever the eth0 (public) interface comes up, by editing /etc/network/interfaces. Find the following line:

    iface eth0 inet dhcp

If it starts with a "#" character, remove it. Then add a line below it which says:

    post-up /sbin/iptables-restore < /etc/iptables.conf && echo "Rules loaded."

Test it by bringing the interface down and up again, and check for the line that says "Rules loaded" in the output:

    sudo ifdown eth0
    sudo ifup eth0

Edit /etc/ltsp/dhcpd.conf and edit the following values:

    option domain-name-servers
    option routers

Change both to 192.168.2.254, save, and restart dhcpd:

    sudo service dhcp3-server restart

Check that the DNS service is running: sudo service bind9 status should say bind9 is running.

5.11 LTSP Screen Blanking

We use the following script to blank all guest screens until the command is killed with Ctrl+C:

    #!/bin/sh

    set -e

    # Run gnome-screensaver-command with the given options in every
    # guest session, as the user who owns that session.
    command_all()
    {
        ps --no-headers -oeuid:1 -o command -p $(pgrep -d, -G guest ) |
        sed -ne 's/^\([0-9]*\)\ .*DISPLAY=\([^ ]*\).*/\1 \2/p' |
        while read euid display ; do
            # $* (not $1) so that both "--activate" and "--lock" are passed on
            sudo -H -u "#$euid" DISPLAY="$display" \
            sh -c "env XAUTHORITY=\$HOME/.Xauthority gnome-screensaver-command $*"
        done
    }

    # Unblank the screens again when the script exits or is interrupted
    trap 'command_all --deactivate' EXIT
    trap 'command_all --deactivate' INT

    while true; do command_all --activate --lock; sleep 2; done

You can also create an icon for it, that runs in a terminal, and close the terminal window to stop it.

The script runs sudo, and therefore requires that your user is a member of the admin group, e.g. manager.

5.12 Customising the LTSP Client Image

You can make changes in /opt/ltsp/i386 and then run sudo ltsp-update-image to apply them. Each Aleutia needs to be rebooted for the changes to take effect on it.

To be able to log in as root on the Aleutia (highly recommended):

    sudo chroot /opt/ltsp/i386
    passwd
    (enter a root password)
    exit
    sudo ltsp-update-image

To install software in the chroot using apt, either online:

- Replace /opt/ltsp/i386/etc/apt/sources.list with the unmodified (Internet) copy from the server, for example /etc/apt/sources.list.bak

Or offline:

- sudo mkdir /opt/ltsp/i386/cdrom
- sudo mount --bind /media/ubuntumirror /opt/ltsp/i386/cdrom
- sudo cp /etc/apt/sources.list /opt/ltsp/i386/etc/apt
- edit /opt/ltsp/i386/etc/apt/sources.list and change /media/ubuntumirror to /cdrom
- sudo chroot /opt/ltsp/i386 apt-get update

To be able to log in remotely to the Aleutia for debugging (highly recommended):

    sudo chroot /opt/ltsp/i386 apt-get install openssh-server
    sudo ltsp-update-image

If the LTSP client tree gets corrupted then you can rebuild it. You may need Internet access for this. Run the following commands:

    sudo rm -rf /opt/ltsp/i386
    sudo ltsp-build-client

To build an LTSP client tree with updates, using a UK mirror and a proxy server:

    sudo env http_proxy=http://fen-fw.aptivate.org:3128 \
        ltsp-build-client \
        --mirror "http://gb.archive.ubuntu.com/ubuntu" \
        --extra-mirror "http://gb.archive.ubuntu.com/ubuntu hardy-updates main restricted"

5.13 Disable Compiz for Compatibility

Some graphics cards in thin clients don't work with LTSP, or recent versions of Ubuntu in general. The symptom is that when you log in, the session exits immediately and you're dumped back at the login prompt.

If you look in the .xsession-errors file in the user's home directory, you might see the following lines:

    /usr/bin/compiz (core) - Fatal: Support for non power of two textures missing
    /usr/bin/compiz (core) - Error: Failed to manage screen: 0
    /usr/bin/compiz (core) - Fatal: No manageable screens found on display localhost:11.0

The fix for this is to disable Compiz for each user individually:

    sudo -u <user> gconftool-2 --type string --set /desktop/gnome/session/required_components/windowmanager metacity

Or for all users:

    sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type string --set /desktop/gnome/session/required_components/windowmanager metacity

Note that this disables pretty window effects for all users.

6 Camfed Programme Specific

6.1 Guest User Accounts

We use the "Login as Guest" feature of LDM in the classroom, to avoid having to hand out passwords. Guest users can also expect not to be able to save files locally. The recommended way seems to be to have a user account for each computer, with the same name as the computer, to avoid needing to configure each computer in lts.conf. However we still have to create a large number of user accounts in this case.

We use a script to create user accounts based on the MAC address of each thin client. This requires us to boot all the clients to get their MAC addresses into the DHCP database.

The script will rewrite /var/lib/tftpboot/ltsp/i386/lts.conf and destroy its previous contents, so don't run it if you've made any important changes to that file.

The user accounts are authenticated by an SSH public key pair, of which the private key is in the LTSP image. If the key does not exist, the script generates one when run. The key is restricted to logins from 192.168.1.0/24 (the default LTSP client subnet). The accounts have locked passwords so there is no other way to log in. A rogue or compromised client or network device could steal the key, so it's not completely secure, but much better than assigning passwords to guest users.

The script is this:

#!/bin/bash

# creates guest accounts for each LTSP terminal that has already
# obtained an IP address using DHCP, so we know its MAC address
# from the DHCP server database

set -e

groupadd -f guests

guesthouse=/home/guests
mkdir -p $guesthouse

apt-get install ipcalc
subnet=`ip addr ls dev eth1 | grep "inet " | awk '{ print $2 }'`
subnet=`ipcalc $subnet | grep Network | awk '{ print $2 }'`

# generate a secure key to use for login to guest accounts
if [ ! -r /opt/ltsp/i386/root/.ssh/id_dsa ]; then
    chroot /opt/ltsp/i386 ssh-keygen -t dsa
    ltsp-update-image
fi

cat > /var/lib/tftpboot/ltsp/i386/lts.conf <<EOF
# http://manpages.ubuntu.com/manpages/maverick/en/man5/lts.conf.5.html

[default]
# Enable direct X connections (not using ssh), faster but not secure,
# important for youtube and general responsiveness on the E2s
LDM_DIRECTX = True
# Enable the "Login as Guest" button in LDM
LDM_GUESTLOGIN = True
# Reduce volume of the Ubuntu startup sound
VOLUME = 50
# Prevent X clients from using all system RAM and hanging the terminal
X_RAMPERC = 80

EOF

create_account(){
    user=$1
    home=$2

    # create the user if they don't exist, set their shell, put them in the
    # "guests" group and lock their password to prevent password logins
    if getent passwd $user >/dev/null; then
        usermod -g guests -s /bin/bash -d $home -L $user
    else
        useradd -g guests -s /bin/bash -d $home -m $user
    fi

    # Lock down the panel for guest users to stop them messing around
    sudo -u $user gconftool-2 \
        --type boolean \
        --set /apps/panel/global/locked_down true

    # Set preferred keybindings for the user
    # ($i is left unquoted on purpose: it splits into the key name and its value)
    for i in \
        "move_tab_left <Shift><Control>Left" \
        "move_tab_right <Shift><Control>Right" \
        "next_tab <Shift>Right" \
        "prev_tab <Shift>Left"
    do
        sudo -u $user gconftool-2 --type string \
            --set /apps/gnome-terminal/keybindings/$i
    done
}

create_account guest $guesthouse/guest

grep ethernet /var/lib/dhcp3/dhcpd.leases \
| awk '{ print $3 }' \
| sed -e 's/;//' \
| sort \
| uniq \
| while read mac; do
    # echo something to show progress
    echo $mac

    # extract the last two bytes of the MAC, enough to be unique
    # but not too long
    shortmac=`echo $mac | perl -pe 's/(..):(..):(..):(..):(..):(..)/$5$6/'`

    # generate the user name based on the MAC
    user="guest_$shortmac"
    home="$guesthouse/$user"

    # write an entry for each terminal into lts.conf
    cat >> /var/lib/tftpboot/ltsp/i386/lts.conf <<EOF

[$mac]
HOSTNAME = ltsp-$shortmac
LDM_USERNAME = $user

EOF

    create_account $user $home

    # allow public-key logins from thin clients using the secure key that
    # we generated earlier
    mkdir -p $home/.ssh
    echo "from=\"$subnet\"" `cat /opt/ltsp/i386/root/.ssh/id_dsa.pub` \
        > $home/.ssh/authorized_keys

    # Disable locking the screen for users with no password to unlock it
    sudo -u $user gconftool-2 \
        --type boolean \
        --set /apps/gnome-screensaver/lock_enabled false
done

exit 0

You __must not__ have duplicate sections for the same machine in /var/lib/tftpboot/ltsp/i386/lts.conf, so please double-check this.
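One way to double-check this, as an added example that is not part of the original page: the function below scans an lts.conf for repeated [MAC] sections (compared case-insensitively) and for an LDM_USERNAME shared by two different sections, which is what happens when two terminals' MAC addresses end in the same two bytes. The function names and the sample file are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the page's script): lint an lts.conf for repeated
# [MAC] sections and for a guest user name shared by two terminals.

check_lts_conf() {
    # $1 = path to lts.conf. Prints findings; returns 1 if there are any.
    findings=$(awk '
        /^[ \t]*\[/ {
            section = tolower($0)    # MAC sections compare case-insensitively
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            if (seen[section]++)
                print "duplicate section [" section "]"
            next
        }
        /^[ \t]*LDM_USERNAME[ \t]*=/ {
            user = $0
            sub(/^[^=]*=[ \t]*/, "", user)
            sub(/[ \t]+$/, "", user)
            if ((user in owner) && owner[user] != section)
                print "LDM_USERNAME " user " in [" owner[user] "] and [" section "]"
            else
                owner[user] = section
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: one MAC listed twice (once in upper case), and a
# second terminal whose MAC ends in the same two bytes, d9:0e.
write_sample_lts_conf() {
    cat > "$1" <<'EOF'
[default]
LDM_GUESTLOGIN = True

[00:11:22:33:d9:0e]
HOSTNAME = ltsp-d90e
LDM_USERNAME = guest_d90e

[00:11:22:33:D9:0E]
HOSTNAME = ltsp-d90e
LDM_USERNAME = guest_d90e

[00:aa:bb:cc:d9:0e]
HOSTNAME = ltsp-d90e
LDM_USERNAME = guest_d90e
EOF
}
```

After sourcing the file, check_lts_conf /var/lib/tftpboot/ltsp/i386/lts.conf prints nothing and returns 0 when the file is clean.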

If any client doesn't log in automatically at boot, check that its configuration in lts.conf is correct, and see whether you can log on using its guest account on another station. The guest account name is made from the prefix guest_, followed by the last three bytes of the MAC address, without colons, e.g. guest_d90e. You should not need to enter any password.

The MAC address of each Aleutia should be printed on a label on its back, but if not, boot the Aleutia to the LTSP login screen, press Ctrl+Alt+F1, log in as root, run ifconfig eth0 and look for the HWaddr. Run logout and press Ctrl+Alt+F7 to get back to the LTSP login screen.
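To confirm after a run that the guest accounts really have the two properties described above (a locked password, and a key usable only from the client subnet), a check like the following can be used. It is an added example, not part of the original page; the function names and the fixture are constructed, and it assumes the guest homes sit in one directory as guest_*, which is how the account creation script lays them out.

```bash
#!/bin/bash
# Added example (not the page's script): check that every guest_* account
# has a locked password and that each of its keys is limited by from=.

audit_guest_accounts() {
    # $1 = shadow file, $2 = directory holding the guest homes,
    # $3 = subnet the keys must be restricted to. Returns 1 on any finding.
    rc=0
    for home in "$2"/guest_*; do
        [ -d "$home" ] || continue
        user=${home##*/}
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$1")
        case $hash in
            '!'*|'*'*) ;;    # locked: no password can ever match
            *) echo "$user: password is not locked"; rc=1 ;;
        esac
        keys=$home/.ssh/authorized_keys
        if [ ! -r "$keys" ]; then
            echo "$user: no readable authorized_keys"; rc=1
        elif ! awk -v want="from=\"$3\"" '
                /^[ \t]*#/ || /^[ \t]*$/ { next }
                substr($0, 1, length(want)) != want { bad = 1 }
                END { exit bad + 0 }' "$keys"; then
            echo "$user: key not restricted to $3"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture: guest_d90e is set up as intended; guest_1a2b has a
# password field that is not locked and a key line with no from= option.
make_guest_fixture() {
    mkdir -p "$1/home/guest_d90e/.ssh" "$1/home/guest_1a2b/.ssh"
    cat > "$1/shadow" <<'EOF'
guest_d90e:!:14900:0:99999:7:::
guest_1a2b:XXconstructedh:14900:0:99999:7:::
EOF
    echo 'from="192.168.1.0/24" ssh-dss AAAAB3CONSTRUCTED root@ltsp' \
        > "$1/home/guest_d90e/.ssh/authorized_keys"
    echo 'ssh-dss AAAAB3CONSTRUCTED root@ltsp' \
        > "$1/home/guest_1a2b/.ssh/authorized_keys"
}
```

On the server it would be run as root, for example audit_guest_accounts /etc/shadow /home/guests 192.168.1.0/24.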

6.2 Student Accounts


We have a list of students, with email addresses and passwords, in CSV format. To create accounts for them, we use the following script:

#!/bin/sh

# abort if anything goes wrong
set -e
# set -x

groupadd -f students

hostel=/home/students
mkdir -p $hostel

if [ "$1" = "--delete" ]; then
    DELETE=yes
fi

set_keybindings() {
    sudo_opts=$1
    shift

    for i in \
        "move_tab_left <Shift><Control>Left" \
        "move_tab_right <Shift><Control>Right" \
        "next_tab <Shift>Right" \
        "prev_tab <Shift>Left"
    do
        sudo $sudo_opts gconftool-2 "$@" --type string \
            --set /apps/gnome-terminal/keybindings/$i
    done
}

set_keybindings "" --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults

while IFS=' ' read number email firstname lastname oldpassword \
    newpassword type rest
do
    echo $email

    if [ -n "$email" -a -n "$newpassword" ]; then
        case $email in
        *@camanetwork.org)
            # remove @camanetwork.org from email address
            user=`echo $email | sed -e 's/@.*//'`
            echo $user $newpassword

            # hash the password with a random two-character salt; it is passed
            # to perl as an argument rather than pasted into the perl source,
            # so a quote character in a password cannot break or alter the command
            crypt=`perl -e '@a=("A".."Z", "a".."z", "0".."9");
                print crypt($ARGV[0], join("", @a[rand @a, rand @a]))' "$newpassword"`
            home="$hostel/$user"
            opts="-p $crypt -g students -s /bin/bash -d $home"
            name="$firstname $lastname, $type, 2010"

            if [ -n "$user" -a -d "$home" -a -n "$DELETE" ]; then
                rm -rf "$home"
            fi

            if getent passwd $user >/dev/null && [ -n "$DELETE" ]; then
                userdel -r $user
            fi

            if getent passwd $user >/dev/null; then
                usermod $opts -c "$name" $user
            else
                useradd $opts -c "$name" $user
            fi

            if [ -d "$home" ]; then
                set_keybindings "-u $user"
            fi
            ;;
        esac
    fi
done

Which we run as cat students.csv | sudo ./create-student-accounts.sh.

6.3 Clean Guest Accounts

This script resets all guest accounts to the state of the special guest user. Log in as this user only to configure what all other guest users should end up looking like when reset.

This can be useful if a guest user corrupts their profile, leaves litter in their home directory, or their session crashes leaving stale processes running. It does not prevent trojan attacks, only limits their scope.

__BE VERY CAREFUL WITH THIS.__ All the user's files and configuration will be deleted. It double-checks that it's only being used on guest users.

#!/bin/bash

# Resets a specified guest account, or all guest accounts, to the state of
# the "guest" user, to cleanup disk space and stale processes.
# Users who are logged in will not be cleaned up. Use the "-f" option to
# forcibly log them out first.

# abort on error
set -e

if [ "$1" = "-f" ]; then
    force=yes
    # drop the option so that it is not treated as a user name below
    shift
fi

all_users=`getent passwd | sed -e 's/:.*//'`

# collect every user who belongs to the "guests" group, which is the group
# that the account creation script puts guest users in
for i in $all_users; do
    groups=`groups $i | sed -e 's/.* : //'`
    for g in $groups; do
        if [ "$g" = "guests" ]; then
            guest_users="$guest_users $i"
            break
        fi
    done
done

do_users="$guest_users"

if [ -n "$1" ]; then
    do_users="$*"
fi

for i in $do_users; do
    # reset the flag for each user, so that one genuine guest earlier in
    # the list does not let a non-guest through the check
    is_guest=
    for g in $guest_users; do
        if [ "$i" = "$g" ]; then
            is_guest=yes
            break
        fi
    done

    if [ -z "$is_guest" ]; then
        echo "$i is not a guest!"
        exit 2
    fi

    if who | grep -q "^$i "; then
        echo -n "$i is logged in! "
        if [ -n "$force" ]; then
            echo "killing session"
            gnome-session-save --force-logout $i
        else
            echo "skipping. Use -f to kill their session."
            continue
        fi
    fi

    echo

    # signal 0 kills nothing, it only tests whether the user owns any processes
    if killall -0 -u $i; then
        echo -n "$i has processes running!"
        if [ -n "$force" ]; then
            echo "killing them"
            killall -9 -u $i
        else
            echo "skipping. Use -f to kill their processes."
            continue
        fi
    fi

    do_users_loggedout="$do_users_loggedout $i"
done

for i in $do_users_loggedout; do
    home=`getent passwd $i | cut -d: -f6`
    rsync -a --delete ~guest/ $home
    chown -R $i $home
done

exit 0

6.4 Internet Cafe Software

The SRC managers requested that we install some software that allows them to time-limit customers at the Internet Cafe. We chose OutKafe, a system that is free, fully featured and was supposed to be open source. We thought we would want to customise it, and in the end we did, but some of the download links didn't work and the author never responded to our questions.

Once it's installed, we needed a way to make the guest users automatically run the client program, oklin, in a way that they couldn't avoid or disable. As we're using the Gnome desktop, we created an autostart file in /usr/share/gnome/autostart/56outkafe-client with the following contents:

if groups | grep -qw guests; then
    oklin > ~/.oklin.log 2>&1 &
fi

This will start the client for all guest users. Guests can log in using LDM with no password. The oklin client then locks the computer and requires entry of a username and password from its own user database, which also stores user credit. It allows new users to set their passwords on first login. When the user's credit runs out, it locks their screen again.

We would have liked to add some features, such as a way to log the guest user out (so that a manager can log in on the same terminal), but without the source code we couldn't.

If the admin makes a mistake in OutKafe and gives too much credit to a user, there's no obvious way to fix it. However we did discover that you can give them a negative amount of credit, and this works to reduce their total credit.

7 Work in Progress

7.1 Read-only Guest Users