I am trying to install SuSE 9.1 as a workstation in a NT 4 Domain network. The default suse 9.1 install installed winbind etc, and configured them allowing me to log on to ssh with a NT username and password. I now want to configure pam_mount to mount a subdirectory of the unix home directory as the NT home directory. I had configured this on an old SuSE 8.1 box, so I think /etc/pam_mount.conf should be OK. However, having added auth and session lines for pam_mount into /etc/pam.d/sshd I can only get to the stage that in /var/log/messages I see
pam_mount: error trying to retrieve authtok from auth code
How do I enable pam_mount? My /etc/pam.d/sshd file is as follows
#%PAM-1.0
auth required pam_unix2.so set_secrpc
auth required pam_nologin.so
auth required pam_env.so
auth optional pam_mount.so use_first_pass
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so # trace or debug
session required pam_limits.so
session optional pam_mount.so use_first_pass
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional pam_resmgr.so fake_ttyname
Thanks
Rob Keeling
--
I love deadlines. I love the whooshing noise they make as they go by. - Douglas Adams
Not directly related to Linux, but hopefully the feedback you give might help me to persuade this school I am working with to explore the Linux server route.
At present this school has some 200 or so XP-Pro based workstations that have a modest but not inadequate spec. At the server end they are running three well speced Xenon based Raid-5 systems. The server software is RM CC3 (Community Connect Three), which is based on Windows Server 2000 with RM's ageing proprietary management / security overlay.
Now here's the problem: Workstations take about 2.5 minutes to boot up to the Login prompt -- apparently the CC3 workstation overlay does loads of checking with the server to implement security settings etc before the user can log in. Now when I say 2.5 minutes to reach a Login prompt ...well that's on a good day. On a bad day this can take a good ten minutes or even longer. As for the time it takes to get from logging in to being presented with a usable XP 'Start' menu, well this takes at least another two minutes ...again on a good day. In practice it sometimes takes between a quarter-of-an-hour and twenty minutes to get from 'power on' to a usable 'Start' menu.
OK. So the two managed service providers involved in supporting this school's site are playing 'pass the buck'. Meanwhile the school management is gradually waking up to the fact this level of performance isn't actually normal!
So what I want to know from the good members of this list is how long in practice does it take you to boot a networked XP workstation to Logon and thereafter to a usable menu ...talking to either a Linux (Samba) server or a Windows 2000 / 2003 server? Note that all users of this school network use 'roaming profiles'.
Also if anyone on this list can get access to a RM CC3 based network, what sort of boot / logon / Start Menu times are you commonly achieving with this setup in practice?
Thanks in advance.
David Bowles
Thanks for all the replies I've received to date regarding the atrociously slow logon times achievable using RM 'CC3' (Community Connect 3) based Win-XP workstations. Please keep your comments / own experiences flowing in.
...and BTW are there many other disgruntled users of RM software out in TeacherLand who might be interested in forming an "RM Users Association" for the purpose of pooling our collective RM experience and putting pressure on RM to either get their act together or get out of the education market, I'd love to hear from you.
Here's my take on what I believe is the root cause of RM's problem:
XP is a lot more sophisticated than previous '9X' versions of MS Windows, which means this ought to take far longer to boot. Except those clever(?) boffins at Microsoft realised their customers would never stand for this. So they got around this problem by developing some pretty nifty 'fast-boot' and 'pre-fetch' technology. Hence a medium spec'd XP workstation (talking to a vanilla MS or Linux server) should be capable of booting in around 30 seconds or so.
Now the other major improvement to XP is it's a lot more secure than earlier versions of Windows. Indeed XP is now pretty much as good as everything RM used to overlay onto older versions of Windows. So with the advent of XP this meant RM found it was left without a genuine use for their ageing premium-priced 'Community Connect' workstation overlay.
So what did RM do? Well first they concentrated on making CC3 even more secure -- to justify its continued existence. How? Well they kludged their now obsolete (seven or thereabouts year old) 'CC' technology into the heart of Windows XP. But in the process they completely trashed Microsoft's new 'FastStart' technology and crippled their new 'pre-fetch' facility.
This RM CC3 based overlay is of course now marketed by RM as a 'feature'. But of course they neglect to point out to prospective new customers or upgraders that their unlucky users will take between four minutes and a full quarter-of-an-hour (or even longer) to logon and reach a usable 'start' menu.
For non technical members of this list or for non technical people you know who might be considering purchasing RM's CC3, let me explain the implications of all this in 'laymans' terms. Here I'll use the example of a car dealer whose name I won't reveal ...I'll simply refer to them by their initials -- 'RM' Motors.
Now this motor company did rather well in the 90s selling bog-standard motor cars they'd modified to better meet the needs of school-teachers. However eventually all major car manufacturers caught up with the limitations 'RM' Motors had previously addressed so well. This left 'RM' Motors without an excuse to sell their 'cars for school-teachers' at a premium price.
But wait, behind the garage they remembered they'd stashed away gallons and gallons of used sump-oil. OK, so this is a bit sludgy and so carcinogenic you'd better not spill it on your hands. But when poured into the engines of sophisticated modern cars this causes an evil smelling blue oil-haze to belch from the exhaust pipe. Well in salesman-speak this of course represents positive proof that 'RM' Motors' premium priced specially modified motor cars must be far superior to the generic vehicle on which this is based. Well so what if the engine runs a bit rough. As long as this keeps going until after the warranty period runs out why should 'RM' Motors care!
In fact if the motor packs up shortly thereafter, well this represents a great excuse for flogging the customer another engine or even a whole new car ...and likely several more after that!!! Only let's hope none of 'RM' Motors' customers twig they've simply been adding snake-oil to their car engines.
IMHO RM (the Managed ICT services supplier) is in deep trouble because they've failed to keep up with the latest technology. You might recall this happened to RM once before with regard to their proprietary 'Risk OS' and their 'Acorn' machines. On that occasion they successfully reinvented themselves by fixing the security holes in early versions of Windows, making them more usable in schools. But right now I suspect they are up a creek without a paddle. Only time will tell.
In the meantime I'd recommend schools shouldn't touch RM's latest "improved" 'CC3' system with XP workstations with a barge pole. And if you've got any shares in RM you'd better get rid of them fast.
Now if your school's management has been suckered by their hype about enhanced security, then you can point out that in the education market the wrong kind of security is all too often grossly oversold. IMHO the real (hidden) purpose of RM style security is to make the life of the ICT Coordinator / Network manager / RM support people as easy as possible, at the expense of the usability and educational value of a school's ICT infrastructure.
As for me, the principal task I have ahead of me is to persuade my school's senior management they are currently wedded to a real lemon of a managed ICT services supplier ...one who needs to be given the boot ASAP, no matter how much money the school will have to write off in the process.
Wish me luck.
David
On Wed, 2004-06-02 at 01:20, David Bowles wrote:
IMHO RM (the Managed ICT services supplier) is in deep trouble because they've failed to keep up with the latest technology. You might recall this happened to RM once before with regard to their proprietary 'Risk OS' and their 'Acorn' machines.
? RM were competitors to Acorn?
On that occasion they successfully reinvented themselves by fixing the security holes in early versions of Windows, making them more usable in schools. But right now I suspect they are up a creek without a paddle. Only time will tell.
-- ian <ian.lynch@zmsl.com>
Not a fan of RM... Logging on of XP is a problem because of the massive profiles it downloads. I was at RM the other week and was very impressed at the speed at which the XP (CC3) machines logged in and asked about this. (I think that this is an RM (read MS) bit of code - because I was unable to find reference to profile caching when I looked). But what they do is cache the profile locally and then just check for changes. So downloading about 3MB instead of 30+MB (I've seen profiles that report to be over a gig!) Depending upon the number w/s / users this could work quite well. It also manages the cache itself, flushing less used when high tide (1000? profiles) is hit. Agreed, virtually all of CC3 is slightly better C2.x or things that were glaringly missing. The less well thought out bits will just never work. However the improved security of the XP w/s (yes, I know that you can do it with LINUX, but we're talking CC3) makes the system so much more secure than 2.x, however the server-side is still woolly! Back to the garden now :-) Later Adrian ----- Original Message ----- From: "David Bowles" <dbowles@educationsupport.fsnet.co.uk> To: "SuSE Linux UK Schools" <suse-linux-uk-schools@suse.com> Sent: Wednesday, June 02, 2004 1:20 AM Subject: [suse-linux-uk-schools] RM woes...
Thanks for all the replies I've received to date regarding the atrociously slow logon times achievable using RM 'CC3' (Community Connect 3) based Win-XP workstations. Please keep your comments / own experiences flowing in.
...and BTW are there many other disgruntled users of RM software out in TeacherLand who might be interested in forming an "RM Users Association" for the purpose of pooling our collective RM experience and putting pressure on RM to either get their act together or get out of the education market, I'd love to hear from you.
Here's my take on what I believe is the root cause of RM's problem:
XP is a lot more sophisticated than previous '9X' versions of MS Windows, which means this ought to take far longer to boot. Except those clever(?) boffins at Microsoft realised their customers would never stand for this. So they got around this problem by developing some pretty nifty 'fast-boot' and 'pre-fetch' technology. Hence a medium spec'd XP workstation (talking to a vanilla MS or Linux server) should be capable of booting in around 30 seconds or so.
Now the other major improvement to XP is it's a lot more secure than earlier versions of Windows. Indeed XP is now pretty much as good as everything RM used to overlay onto older versions of Windows. So with the advent of XP this meant RM found it was left without a genuine use for their ageing premium-priced 'Community Connect' workstation overlay.
So what did RM do? Well first they concentrated on making CC3 even more secure -- to justify its continued existence. How? Well they kludged their now obsolete (seven or thereabouts year old) 'CC' technology into the heart of Windows XP. But in the process they completely trashed Microsoft's new 'FastStart' technology and crippled their new 'pre-fetch' facility.
This RM CC3 based overlay is of course now marketed by RM as a 'feature'. But of course they neglect to point out to prospective new customers or upgraders that their unlucky users will take between four minutes and a full quarter-of-an-hour (or even longer) to logon and reach a usable 'start' menu.
For non technical members of this list or for non technical people you know who might be considering purchasing RM's CC3, let me explain the implications of all this in 'laymans' terms. Here I'll use the example of a car dealer whose name I won't reveal ...I'll simply refer to them by their initials -- 'RM' Motors.
Now this motor company did rather well in the 90s selling bog-standard motor cars they'd modified to better meet the needs of school-teachers. However eventually all major car manufacturers caught up with the limitations 'RM' Motors had previously addressed so well. This left 'RM' Motors without an excuse to sell their 'cars for school-teachers' at a premium price.
But wait, behind the garage they remembered they'd stashed away gallons and gallons of used sump-oil. OK, so this is a bit sludgy and so carcinogenic you'd better not spill it on your hands. But when poured into the engines of sophisticated modern cars this causes an evil smelling blue oil-haze to belch from the exhaust pipe. Well in salesman-speak this of course represents positive proof that 'RM' Motors' premium priced specially modified motor cars must be far superior to the generic vehicle on which this is based. Well so what if the engine runs a bit rough. As long as this keeps going until after the warranty period runs out why should 'RM' Motors care!
In fact if the motor packs up shortly thereafter, well this represents a great excuse for flogging the customer another engine or even a whole new car ...and likely several more after that!!! Only let's hope none of 'RM' Motors' customers twig they've simply been adding snake-oil to their car engines.
IMHO RM (the Managed ICT services supplier) is in deep trouble because they've failed to keep up with the latest technology. You might recall this happened to RM once before with regard to their proprietary 'Risk OS' and their 'Acorn' machines. On that occasion they successfully reinvented themselves by fixing the security holes in early versions of Windows, making them more usable in schools. But right now I suspect they are up a creek without a paddle. Only time will tell.
In the meantime I'd recommend schools shouldn't touch RM's latest "improved" 'CC3' system with XP workstations with a barge pole. And if you've got any shares in RM you'd better get rid of them fast.
Now if your school's management has been suckered by their hype about enhanced security, then you can point out that in the education market the wrong kind of security is all too often grossly oversold. IMHO the real (hidden) purpose of RM style security is to make the life of the ICT Coordinator / Network manager / RM support people as easy as possible, at the expense of the usability and educational value of a school's ICT infrastructure.
As for me, the principal task I have ahead of me is to persuade my school's senior management they are currently wedded to a real lemon of a managed ICT services supplier ...one who needs to be given the boot ASAP, no matter how much money the school will have to write off in the process.
Wish me luck.
David
Not a fan of RM... Logging on of XP is a problem because of the massive profiles it downloads. I was at RM the other week and was very impressed at the speed at which the XP (CC3) machines logged in and asked about this.
If the same user logs onto the same machine, not having logged onto another machine in the meantime, then it's fast. That's because the most up-to-date profile is cached on the local machine. But that's not how most schools work, as students are more likely to logon to a different machine each time -- at least they do in my and probably most other secondary schools. Furthermore it's easy peasy to tweak an ultra fast login on a workstation used in a demo environment, which I assume is what you were shown. But in the real world...
(I think that this is an RM (read MS) bit of code - because I was unable to find reference to profile caching when I looked).
As far as I can ascertain RM adds a bit of proprietary code at the very beginning of the XP boot sequence that takes over before anything else can run. This crudely accesses the CC3 server (hence CC3 workstations only work with a severely limited range of RM approved network adapters) and then clunkily downloads any pending new RM proprietary (kludged MS) security updates, virus signature updates, plus other RM stuff. Well in the process this completely negates the big advantage of Microsoft's 'Fastboot' and 'Prefetch' technology. In essence this RM orange-peel patch turns vanilla Windows-XP into an RM proprietary closed 'XP look-alike' operating system. Now here I get a strong sense of déjà vu, having struggled with 3Com's ill fated '3+Open' proprietary version of MS's OS/2 based LanManager back in the 80s ...the NOS that nearly sunk my networking business!!!
But what they do is cache the profile locally and then just check for changes. So downloading about 3MB instead of 30+MB (I've seen profiles that report to be over a gig!) Depending upon the number w/s / users this could work quite well. It also manages the cache itself, flushing less used when high tide (1000? profiles) is hit.
Well yes CC3 used to flush out unused profiles. But then RM announced a 'product recall' and requested all their CC3 customers to downgrade back to an earlier non-flushing version. So far this problem (among many others) has yet to be resolved.
Agreed, virtually all of CC3 is slightly better C2.x or things that were glaringly missing. The less well thought out bits will just never work.
As far as I am concerned CC3 is premised on the basis of some sharp marketing hype. Namely "Let's fill potential users with FUD (fear uncertainty and doubt) about the poor security of generic Windows-XP." Then let's offer them an expensive kludged RM proprietary version of Windows-XP that we claim will address all that imaginary security FUD we've been spreading around.
However the improved security of the XP w/s (yes, I know that you can do it with LINUX, but we're talking CC3) makes the system so much more secure than 2.x, however the server-side is still woolly!
...but in the process RM has made CC3 almost completely unusable in a typical secondary school environment. Furthermore they are highly secretive about how their system actually works. It took me ages to gain access to their password-protected KnowledgeBase -- not that I learned much from this anyway. As far as I can work out if you really need to find out more about the inner workings of CC3, then you have to pay through the nose for their expensive seminars or for access to one of their senior support people. David
Logging on of XP is a problem because of the massive profiles it downloads.
Exactly. This has been a known problem for at least the past four years, so I don't know why it hasn't been fixed. We've only faced it since a batch of XP machines was put in last September.
When people started complaining of long login times I hacked an old directory-walking Perl script so that it attacks all ~/.profiles directories at 1am each night and then at 6am sends me a list of the ten largest .profiles directories with their sizes. I investigate the largest ones and anything in them I delete and/or add to the wipe list. This clears several hundred megabytes most nights. It's very inefficient (but it covers 400 directories in two minutes). For your interest the guts of it at present are:
================ guts of .profiles-clearing script ============
$fname="/.profiles";
$fname1="/.profiles/My Documents";
$startmenuprogs="/.profiles/Start Menu/Programs/";
$applicationdata="/.profiles/Application\ Data/";
$gimpdir="/.profiles/.gimp-1.2/";
#print"checking...";
foreach $i (0 .. $#users) #users contains a list of all directories in this group
{
  if (!-e $users[$i].$fname) {next;}
  # {print "\n$i $users[$i]";}
  # {print "$users[$i]/";}
  # system("du -s \'".$users[$i].$fname."\'");
  system("rm -rf ".$users[$i]."/.profiles"."/.jpi_cache/*");
  system("rm -rf ".$users[$i]."/.profiles/Desktop/cache/*");
  system("rm -rf ".$users[$i]."/.profiles/Desktop/Demo*");
  system("rm -rf ".$users[$i]."/.profiles/Desktop/New*");
  system("rm -rf \'".$users[$i]."/.profiles/Start Menu/Programs/Soldat\'");
  #system("rm -rf \'".$users[$i].$startmenuprogs."Soldat\'");
  system("rm -rf \'".$users[$i].$applicationdata."InstallShield\'");
  system("rm -rf \'".$users[$i].$applicationdata."InstallShield Installation Information\'");
  # the gimpswap wildcard sits outside the ' so that the shell expands it
  system("rm -rf \'".$users[$i].$gimpdir."gimpswap.\'\*");
  system("rm -rf \'".$users[$i].$gimpdir."tmp\'");
  system("rm -rf \'".$users[$i].$fname1."\'");
  # {print "$users[$i]\n";}
  if (-d $users[$i]."/.profiles/Desktop/cstrike") { system("rm -rf ".$users[$i]."/.profiles/Desktop/\*");}
  # -name patterns are quoted so find sees them, not the shell's expansion in the current directory
  system("find ".$users[$i]."/.profiles -name '*.msi' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name '*.eml' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name '*.mov' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name '*.nws' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name '*.zip' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name '*.tmp' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name '*.wmz' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name '*.asd' -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name setup.exe -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name SETUPNT.EXE -print0 | xargs -0 rm");
  system("find ".$users[$i]."/.profiles -name SetupDl.exe -print0 | xargs -0 rm");
}
========== end of guts of .profiles-clearing script =========
You will notice that most of the solutions are violent (e.g. all "My Documents" within .profiles are wiped, if any "cstrike" exists then the whole "Desktop" is cleared), but Donald Rumsfeld would approve.
--
Christopher Dawkins, Felsted School, Dunmow, Essex CM6 3JG 01371-822698, mobile 07816 821659 cchd@felsted.essex.sch.uk
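An added example, not part of the original post and not Christopher Dawkins's script: the same wipe-list idea written in Python without shelling out, so file names containing quotes or wildcards are handled as data, and symlinks planted in a pupil-writable tree are not followed by a job that runs with elevated rights. The wipe list is a subset of the one above; the function names and the sample tree are constructed for illustration.

```python
import fnmatch
import os
import shutil
import tempfile

# Subset of the wipe list in the script above; paths are relative to .profiles.
WIPE_TREES = ["My Documents", ".gimp-1.2/tmp",
              "Start Menu/Programs/Soldat", "Application Data/InstallShield"]
WIPE_NAMES = ["*.msi", "*.eml", "*.mov", "*.zip", "*.tmp", "setup.exe"]


def parent_inside(root_real, path):
    """True if the directory holding `path` really lies inside root_real."""
    parent = os.path.realpath(os.path.dirname(path))
    return os.path.commonpath([root_real, parent]) == root_real


def clean_profile(home, dry_run=False):
    """Apply the wipe list to <home>/.profiles; return relative paths removed."""
    profile = os.path.join(home, ".profiles")
    # The tree is pupil-writable, so a .profiles that is a symlink is skipped.
    if os.path.islink(profile) or not os.path.isdir(profile):
        return []
    root_real = os.path.realpath(profile)
    removed = []

    # File-name patterns first. os.walk does not descend into symlinked
    # directories, and names are matched in-process, never passed to a shell.
    for dirpath, _dirs, files in os.walk(profile):
        for name in files:
            if any(fnmatch.fnmatchcase(name, pat) for pat in WIPE_NAMES):
                path = os.path.join(dirpath, name)
                if not dry_run:
                    os.unlink(path)  # removes a symlink itself, not its target
                removed.append(os.path.relpath(path, profile))

    # Then whole subtrees, refusing any that are reached through a symlink.
    for rel in WIPE_TREES:
        target = os.path.join(profile, rel)
        if not os.path.lexists(target) or not parent_inside(root_real, target):
            continue
        if not dry_run:
            if os.path.islink(target) or not os.path.isdir(target):
                os.unlink(target)
            else:
                shutil.rmtree(target)
        removed.append(rel)
    return sorted(removed)


def build_sample_tree(root):
    """Constructed sample: an ordinary home, a hostile home and an outside dir."""
    outside = os.path.join(root, "outside")
    profile = os.path.join(root, "alice", ".profiles")
    for d in (os.path.join(outside, "InstallShield"),
              os.path.join(profile, "Desktop"),
              os.path.join(profile, "My Documents")):
        os.makedirs(d)
    for f in (os.path.join(outside, "InstallShield", "keep.dat"),
              os.path.join(profile, "Desktop", "essay.doc"),
              os.path.join(profile, "Desktop", "o'brien notes; final.zip"),
              os.path.join(profile, "My Documents", "old.mov")):
        with open(f, "w") as handle:
            handle.write("x")
    # "Application Data" points outside the profile; so does bob's .profiles.
    os.symlink(outside, os.path.join(profile, "Application Data"))
    os.makedirs(os.path.join(root, "bob"))
    os.symlink(outside, os.path.join(root, "bob", ".profiles"))
    return outside


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    for user in ("alice", "bob"):
        print(user, clean_profile(os.path.join(root, user)))
    shutil.rmtree(root)
```

Running with `dry_run=True` first gives the list that would be deleted, which suits a nightly job reporting by mail before anything is removed.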
Logging on of XP is a problem because of the massive profiles it downloads.
Exactly. This has been a known problem for at least the past four years, so I don't know why it hasn't been fixed.
...most likely because Micro$oft's principal (most profitable) market is the corporate sector where most workers are allocated their own PC or at least their own desk. Overall the education sector is simply small fry to Microsoft, especially given the educational discounts they feel obliged to give. So why make things complicated with a non-standardised separate product line aimed at school students. Furthermore, Microsoft's preferred solution to any problems with overblown profiles is the brute-force approach ...go buy another server or three ...not forgetting the additional MS server software licenses these require!
When people started complaining of long login times I hacked an old directory-walking Perl script
Thanks for this Christopher. Unfortunately if you are running RM CC3 clobbered servers and workstations then one is locked out from applying such niceties, or at the very least RM will refuse to support systems where this has been applied and likely use this as an excuse to simply 'pass the buck'. David Bowles
Nearly all OS's and commercial software applications are written with the business sector firmly in mind. Consequently their configuration and functionality is usually less than optimal for a school environment. So what tips / wish-list features can you recommend? For starters here's two of mine...
My #1 Configuration tip; If your school runs an office suite (OpenOffice or MS-Office), then it makes sense to slightly modify the standard document templates (normal.doc?) to automatically include a student's Login name in the footer, so this gets printed on each sheet by default. Why? Because this helps avoid the inevitable scrum around the printer whenever a class of 20+ students attempts to print out their work all at the same time.
Why not include page numbers in the standard template as well? I've lost count of the number of times I've witnessed a ream's worth of useless printout end up strewn across the floor, with most of the next lesson completely unnecessarily dedicated to reprinting everything over again ...and again.
My #1 Wish-list item; Vast amounts of PC time gets wasted by students (in secondary schools at least) logging on to chat rooms, surfing banal on-line games and aimlessly Googling for no educational whatsoever. As one teacher put it "So much learning time is simply wasted by just 'mousing around'". This is a bit like holding a WeightWatchers meeting inside a sweet factory, with piles of 'free samples' to hand!
It seems the standard solution in most schools is to block access to the offending student's network account. But of course this is usually completely counter-productive, given the bored student is left with nothing better to do but disrupt everyone else's work (why are some ICT coordinators devoid of any common sense?)! I've known many desperate subject teachers let said disruptive pupil use their own staff account out of pure desperation, which of course allows them read / write access to all sorts of confidential information!!!
Now why hasn't someone come up with a simple way of disabling Internet access to an individual student's PC or group of student PCs for a fixed period of say the rest of the lesson? ...with access to a specified (approved) web-site easily enabled by the teacher.
So how might this work in practice? Well in most schools the only person in the ICT suite who doesn't have exclusive access to a PC logged onto their own account is the teacher. So what's needed is a facility whereby a teacher can commandeer a student's PC for a few seconds for the purpose of setting up or releasing an Internet block.
Now when a student needs access to the Internet maybe a 'Password' prompt could pop up when they enter a URL or click on a site that's not been pre-approved. Perhaps this prompt might include a unique access number the busy teacher can cross-check against a printed table of pin-codes they keep in their pocket. Furthermore, different pin codes might allow the student or a group of students different levels or time lengths of access to the Internet.
Well I'm sure this would be a doddle for someone with better programming skills than me to set up, perhaps by patching a pre-existing web- or proxy-server. Any volunteers? I know loads of teachers who would be eternally grateful.
And if you've got any real mean config tips or wish-list items then do please share them...
David Bowles
David Bowles wrote:
It seems the standard solution in most schools is to block access to the offending student's network account. But of course this is usually completely counter-productive, given the bored student is left with nothing better to do but disrupt everyone else's work (why are some ICT coordinators devoid of any common sense?)! I've known many desperate subject teachers let said disruptive pupil use their own staff account out of pure desperation, which of course allows them read / write access to all sorts of confidential information!!!
Now why hasn't someone come up with a simple way of disabling Internet access to an individual student's PC or group of student PCs for a fixed period of say the rest of the lesson? ...with access to a specified (approved) web-site easily enabled by the teacher.
Hi David, You might want to consider looking at CensorNet from Adelix. Their website is http://www.censornet.com. It is a GPL Linux distribution (based on Debian) that uses Apache, Squid, Dan's Guardian etc. to provide a filtering router, bridge or proxy server. It supports various permutations of filtering - by client machine, user, "whitelist only", etc etc. and the logging facilities are useful too. At my school, teachers request internet access when they book an IT room. My technicians set the day's schedule up for each of the rooms in the morning, and CensorNet switches access on and off for each room as the day goes on. (It is possible to do scheduling for an individual user and machine too - for example we suspend internet access for pupils who have been trying to download something dodgy. This still leaves them able to access the internal network and, in theory, work!)
So how might this work in practice? Well in most schools the only person in the ICT suite who doesn't have exclusive access to a PC logged onto their own account is the teacher. So what's needed is a facility whereby a teacher can commandeer a student's PC for a few seconds for the purpose of setting up or releasing an Internet block.
Now when a student needs access to the Internet maybe a 'Password' prompt could pop up when they enter a URL or click on a site that's not been pre-approved. Perhaps this prompt might include a unique access number the busy teacher can cross-check against a printed table of pin-codes they keep in their pocket. Furthermore, different pin codes might allow the student or a group of students different levels or time lengths of access to the Internet.
I know another school who combine this sort of feature with a CensorNet proxy server to allow teachers to control the internet access state themselves. A list of passwords for each period of the day is automatically generated and made available to staff. The pupils' user profiles are set to a null proxy server by default. If a teacher wants pupils to access the internet during the lesson, they give the password out. Pupils then run a little script from an icon on the Start menu. This prompts them for the password and, if correct, imports a registry key with the CensorNet proxy settings.
Cheers,
Tony Whitmore
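An added example of the per-period password list described above, not the other school's script and not part of CensorNet: codes are derived with HMAC from a key held on the server, checked there rather than in a script pupils can read, and wrong guesses are limited per workstation. The timetable, key, room and workstation names are constructed, and how a granted request switches the proxy on is left out.

```python
import hashlib
import hmac
from datetime import date, datetime, time

# Constructed timetable and key for the example; the key would normally live
# in a file only the proxy host's service account can read.
PERIODS = {1: (time(9, 0), time(9, 55)),
           2: (time(10, 0), time(10, 55)),
           3: (time(11, 15), time(12, 10))}
SECRET = b"constructed-example-key-not-for-production"


def period_code(secret, day, period, room, digits=6):
    """Derive the access code for one room and period from the server key."""
    msg = f"{day.isoformat()}|{room}|{period}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Same truncation idea as HOTP (RFC 4226): take 31 bits, keep N digits.
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def daily_sheet(secret, day, room):
    """The printable list a teacher would carry: period number -> code."""
    return {p: period_code(secret, day, p, room) for p in sorted(PERIODS)}


def current_period(now):
    """Return the period number containing `now`, or None outside lessons."""
    for number, (start, end) in PERIODS.items():
        if start <= now.time() < end:
            return number
    return None


def check_code(secret, submitted, room, now):
    """True only if `submitted` is this room's code for the period in progress."""
    period = current_period(now)
    if period is None:
        return False
    expected = period_code(secret, now.date(), period, room)
    # Constant-time comparison, on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), submitted.strip().encode())


class RoomGate:
    """Server-side check with a failure limit, so a six-digit code cannot
    simply be guessed from a pupil workstation."""

    def __init__(self, secret, max_failures=5):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = {}

    def request(self, workstation, room, submitted, now):
        key = (workstation, now.date(), current_period(now))
        if self.failures.get(key, 0) >= self.max_failures:
            return "locked"
        if check_code(self.secret, submitted, room, now):
            return "granted"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "denied"


if __name__ == "__main__":
    today = date(2004, 6, 4)
    print(daily_sheet(SECRET, today, "IT1"))
```

Because each code is bound to a date, room and period, a code passed on by one class stops working when the period ends and never works in another room.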
David Bowles <dbowles@educationsupport.fsnet.co.uk> wrote:
Now why hasn't someone come up with a simple way of disabling Internet access to an individual student's PC or group of student PCs for a fixed period of say the rest of the lesson? ...with access to a specified (approved) web-site easily enabled by the teacher.
So how might this work in practice? Well in most schools the only person in the ICT suite who doesn't have exclusive access to a PC logged onto their own account is the teacher. So what's needed is a facility whereby a teacher can commandeer a student's PC for a few seconds for the purpose of setting up or releasing an Internet block.
Now when a student needs access to the Internet maybe a 'Password' prompt could pop up when they enter a URL or click on a site that's not been pre-approved. Perhaps this prompt might include a unique access number the busy teacher can cross-check against a printed table of pin-codes they keep in their pocket. Furthermore, different pin codes might allow the student or a group of students different levels or time lengths of access to the Internet.
Well I'm sure this would be a doddle for someone with better programming skills than me to set up, perhaps by patching a pre-existing web- or proxy-server. Any volunteers? I know loads of teachers who would be eternally grateful.
And if you've got any real mean config tips or wish-list items then do please share them...
All of this is relatively simple with Squid as a proxy. Dave Williams
David Bowles wrote:
Logging on of XP is a problem because of the massive profiles it downloads.
Exactly. This has been a known problem for at least the past four years, so I don't know why it hasn't been fixed.
...most likely because Micro$oft's principal (most profitable) market is the corporate sector where most workers are allocated their own PC
The Microsoft "profile" system doesn't even always work well in the corporate environment. The whole thing is IMHO very badly engineered. -- Mark Evans St. Peter's CofE High School Phone: +44 1392 204764 X109 Fax: +44 1392 204763
----- Original Message ----- From: "Christopher Dawkins" <cchd@felsted.essex.sch.uk> To: "SuSE Linux UK Schools" <suse-linux-uk-schools@suse.com> Sent: Thursday, June 03, 2004 9:51 PM Subject: Re: [suse-linux-uk-schools] RM woes...
Logging on of XP is a problem because of the massive profiles it downloads.
Exactly. This has been a known problem for at least the past four years, so I don't know why it hasn't been fixed.
We've only faced it since a batch of XP machines was put in last September. When people started complaining of long login times I hacked an old directory-walking Perl script so that it attacks all ~/.profiles directories at 1am each night and then at 6am sends me a list of the ten largest .profiles directories with their sizes. I investigate the largest ones and anything in them I delete and/or add to the wipe list. This clears several hundred megabytes most nights. It's very inefficient (but it covers 400 directories in two minutes). For your interest the guts of it at present are:
================ guts of .profiles-clearing script ============
$fname="/.profiles";
$fname1="/.profiles/My Documents";
$startmenuprogs="/.profiles/Start Menu/Programs/";
$applicationdata="/.profiles/Application\ Data/";
$gimpdir="/.profiles/.gimp-1.2/";
#print"checking...";
foreach $i (0 .. $#users) #users contains a list of all directories in this group
{
    if (!-e $users[$i].$fname) {next;}
    # {print "\n$i $users[$i]";}
    # {print "$users[$i]/";}
    # system("du -s \'".$users[$i].$fname."\'");
    # caches and desktop clutter; the unquoted * is expanded by the shell
    system("rm -rf ".$users[$i]."/.profiles"."/.jpi_cache/*");
    system("rm -rf ".$users[$i]."/.profiles/Desktop/cache/*");
    system("rm -rf ".$users[$i]."/.profiles/Desktop/Demo*");
    system("rm -rf ".$users[$i]."/.profiles/Desktop/New*");
    # names containing spaces are wrapped in single quotes for the shell
    system("rm -rf \'".$users[$i]."/.profiles/Start Menu/Programs/Soldat\'");
    #system("rm -rf \'".$users[$i].$startmenuprogs."Soldat\'");
    system("rm -rf \'".$users[$i].$applicationdata."InstallShield\'");
    system("rm -rf \'".$users[$i].$applicationdata."InstallShield Installation Information\'");
    # the gimpswap wildcard does not work inside the ', so it is placed after the closing '
    system("rm -rf \'".$users[$i].$gimpdir."\'gimpswap.*");
    system("rm -rf \'".$users[$i].$gimpdir."tmp\'");
    system("rm -rf \'".$users[$i].$fname1."\'");
    # {print "$users[$i]\n";}
    if (-d $users[$i]."/.profiles/Desktop/cstrike") { system("rm -rf ".$users[$i]."/.profiles/Desktop/\*");}
    # the -name patterns are quoted so that find receives them unexpanded
    system("find ".$users[$i]."/.profiles -name '*.msi' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name '*.eml' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name '*.mov' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name '*.nws' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name '*.zip' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name '*.tmp' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name '*.wmz' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name '*.asd' -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name setup.exe -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name SETUPNT.EXE -print0 | xargs -0 rm");
    system("find ".$users[$i]."/.profiles -name SetupDl.exe -print0 | xargs -0 rm");
}
========== end of guts of .profiles-clearing script =========
You will notice that most of the solutions are violent (e.g. all "My Documents" within .profiles are wiped, if any "cstrike" exists then the whole "Desktop" is cleared), but Donald Rumsfeld would approve. -- Christopher Dawkins, Felsted School, Dunmow, Essex CM6 3JG 01371-822698, mobile 07816 821659 cchd@felsted.essex.sch.uk
Like NT4, XP saves locally the profiles for all those that logged onto a particular machine. It is possible, via a registry entry, to tell it not to save any, or only to save a certain number and delete the oldest. I haven't got the entry to hand, but I will look it up in due course. Also if you get a corrupt local stored network profile you can delete the whole profile in XP and it will be re-created the next time a user logs into the network from that machine. Hey I thought that this was a Linux list! :-) Is there anyone from a school in Cheshire on this list? That's besides me of course.
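A shell-free variant of the .profiles cleanup posted above, as an added example that is not part of Christopher Dawkins's script: names are matched in Perl rather than by the shell (which also covers the gimpswap wildcard), and a symlink planted inside a profile is never followed by the root-run deletion. The home root /home/pupils and the dry-run switch are assumptions, and the "cstrike" rule is left out.

```perl
# Added example (not from the original post): roaming-profile cleanup without the shell.
use strict;
use warnings;
use File::Find;
use File::Path qw(remove_tree);

my $home_root = @ARGV ? $ARGV[0] : '/home/pupils';  # assumption: parent of the user dirs
my $dry_run   = 1;                                  # assumption: report only; 0 deletes

# [ directory below .profiles, pattern for the entry names to delete there ]
my @rules = (
    [ '',                    qr/^My Documents\z/ ],
    [ '.jpi_cache',          qr/^[^.]/ ],
    [ 'Desktop/cache',       qr/^[^.]/ ],
    [ 'Desktop',             qr/^(?:Demo|New)/ ],
    [ 'Start Menu/Programs', qr/^Soldat\z/ ],
    [ 'Application Data',    qr/^InstallShield(?: Installation Information)?\z/ ],
    [ '.gimp-1.2',           qr/^(?:gimpswap\..*|tmp)\z/s ],   # the wildcard case
);
# File names deleted anywhere in the tree (the "find -name" list of the post).
my $junk = qr/(?:\.(?:msi|eml|mov|nws|zip|tmp|wmz|asd)|\A(?:setup\.exe|SETUPNT\.EXE|SetupDl\.exe))\z/;

# True if neither $base nor any component of $rel is a symlink, so a link planted
# in a profile cannot steer the deletion to another part of the filesystem.
sub no_symlinks {
    my ($base, $rel) = @_;
    my $path = $base;
    for my $part ('', split m{/}, $rel) {
        $path .= "/$part" if length $part;
        return 0 if -l $path;
    }
    return 1;
}

# Remove one entry; lstat means a symlink is unlinked itself, never followed.
sub zap {
    my ($path) = @_;
    return unless lstat $path;
    my $is_dir = -d _;
    if ($dry_run) { print "would remove $path\n"; return }
    if ($is_dir) { remove_tree($path) } else { unlink $path or warn "unlink $path: $!\n" }
}

sub clean_profile {
    my ($base) = @_;                       # e.g. /home/pupils/fred/.profiles
    for my $rule (@rules) {
        my ($rel, $name_re) = @$rule;
        next unless no_symlinks($base, $rel);
        my $dir = length $rel ? "$base/$rel" : $base;
        opendir(my $dh, $dir) or next;
        my @hits = grep { $_ ne '.' && $_ ne '..' && $_ =~ $name_re } readdir $dh;
        closedir $dh;
        zap("$dir/$_") for @hits;
    }
    # File::Find does not descend into symlinked directories by default.
    find({ no_chdir => 1, wanted => sub {
        my ($leaf) = m{([^/]+)\z};
        zap($_) if defined $leaf && $leaf =~ $junk && lstat($_) && !-d _;
    } }, $base);
}

opendir(my $root, $home_root) or die "cannot read $home_root: $!\n";
for my $user (grep { !/^\./ } readdir $root) {
    my $base = "$home_root/$user/.profiles";
    clean_profile($base) if no_symlinks("$home_root/$user", '.profiles') && -d $base;
}
```

The symlink checks are not atomic against a user changing the tree at the same moment, so a run while no one is logged in, such as the 1am schedule in the post, remains the safer choice.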
This article appeared in today's Times Educational Supplement: http://www.tes.co.uk/2094985 The article covers Becta's TCO study that reveals how using open source software "raises the prospect of millions of pounds of savings for British schools and colleges which spend around £1 billion a year on ICT." A big "thank you" is due to this community for all the pioneering hard work that has demonstrated how such savings are possible. The time is coming when we can turn these possibilities into reality! John Ingleby ************ Webmaster - www.schoolforge.org.uk
TES SAID: ~Find out how much open source software could save your school in this week's TES~ Well they better do a good job, otherwise we might get even more confused people out there!! Jo On 5/6/05, John Ingleby <john@coronet.co.uk> wrote:
This article appeared in today's Times Educational Supplement:
The article covers Becta's TCO study that reveals how using open source software "raises the prospect of millions of pounds of savings for British schools and colleges which spend around £1 billion a year on ICT."
A big "thank you" is due to this community for all the pioneering hard work that has demonstrated how such savings are possible. The time is coming when we can turn these possibilities into reality!
John Ingleby ************ Webmaster - www.schoolforge.org.uk
-- To unsubscribe, e-mail: suse-linux-uk-schools-unsubscribe@suse.com For additional commands, e-mail: suse-linux-uk-schools-help@suse.com
-- Spread FireFox: http://www.spreadfirefox.com/?q=user/register&r=32751 Get FireFox: http://www.getfirefox.com OpenOffice: http://www.openoffice.org Mandrake: http://www.mandrakelinux.com Karoshi: http://www.karoshi.org.uk
David Bowles <dbowles@educationsupport.fsnet.co.uk> wrote:
IMHO RM (the Managed ICT services supplier) is in deep trouble because they've failed to keep up with the latest technology. You might recall this happened to RM once before with regard to their proprietary 'Risk OS' and their 'Acorn' machines. On that occasion they successfully reinvented themselves by fixing the security holes in early versions of Windows, making them more usable in schools. But right now I suspect they are up a creek without a paddle. Only time will tell.
Acorn (Risc OS included) were the superior (IMO) alternatives to RM and to hear them labelled together makes me shudder. We bowed to the inevitable and moved over to W98 clients/Linux server and got rid of our last Acorn machines only 2 years ago. I am still appalled at what we have lost in terms of simplicity, elegance and robustness. I am depressed by the crap I have to use on a daily basis. Dave Williams ICT Coordinator
Acorn (Risc OS included) were the superior (IMO) alternatives to RM and to hear them labelled together makes me shudder.
Apologies for lumping Acorn and RM together, for as several people have pointed out they are not (or were not?) the same company.
We bowed to the inevitable and moved over to W98 clients/Linux server and got rid of our last Acorn machines only 2 years ago.
...and if I were you I'd strongly resist a further upgrade to Windows-XP, at least not without a great deal of world testing.
I am still appalled at what we have lost in terms of simplicity, elegance and robustness. I am depressed by the crap I have to use on a daily basis.
Now what would be useful is some feedback on how best to configure a Linux / Samba server for use in a real-world school environment ...including some well documented configuration scripts. Would Dave or anyone else on this list like to chip in here, David Bowles
David Bowles <dbowles@educationsupport.fsnet.co.uk> wrote:
Now what would be useful is some feedback on how best to configure a Linux / Samba server for use in a real-world school environment ....including some well documented configuration scripts. Would Dave or anyone else on this list like to chip in here,
David Bowles
We've been using Linux servers for many years with great success. I'm happy to share our smb.conf files but I think many of the problems that can surface are linked to active directory use and integrating with MS servers. We do have a 2000 server for bits of software that need it but try and base everything on the Linux side as much as possible. I am not a Linux/Networking expert but I have been able to construct a working system with the help of this group. I am happy to share any knowledge with interested colleagues. Dave Williams
Now what would be useful is some feedback on how best to configure a Linux / Samba server for use in a real-world school environment ...including some well documented configuration scripts. Would Dave or anyone else on this list like to chip in here,
David Bowles
If we go back to first principles, why do you need a particular OS? - To run programs. Since virtually all educational software will run on Windows 98, NT, 2000, if you have paid for these try and avoid upgrading. To run major productivity tools you have GNU/Linux with OO.o, GIMP, Mozilla etc all of which can be run thin client so you don't need to upgrade your stations unless they physically break down. So you have a network that is fundamentally thin/intermediate client running off servers for major productivity tools and networking, and local work stations running older versions of windows for backward compatibility. Use rsync to reset any student hacked workstations and to distribute software. We have a number of schools using this set up and it seems to work OK. It's not trivial though to set it all up so it's seamless to the user, but by charging for such services we have a commercial model that really is necessary if FLOSS is to go beyond its current niche. It would not be too hard to use VNC to implement a system for teacher to take control of any workstation from anywhere on the network and to "look in" on any student without them knowing. Unfortunately to develop this in an easy to use format which will work with both OSs will cost about £15k and this is the problem. We can't develop things from no resources when there is no guarantee that it will pay for itself. Regards, -- ian <ian.lynch@zmsl.com>
To run major productivity tools you have GNU/Linux with OO.o, GIMP, Mozilla etc all of which can be run thin client so you don't need to upgrade your stations unless they physically break down.
Now where do I find out how to set up a thin / intermediate client Linux / Samba based network. I'm a quick learner, but I'm hopeless at memorizing the names of configuration settings and syntax of configuration files.
It's not trivial though to set it all up so it's seamless to the user,
...I was afraid you'd say that...
but by charging for such services we have a commercial model that really is necessary if FLOSS is to go beyond its current niche.
...I agree, but now that my school has blown its budget on an unusable RM based system...
It would not be too hard to use VNC to implement a system for teacher to take control of any workstation from anywhere on the network and to "look in" on any student without them knowing.
This is not a priority as far as I am concerned. Teachers are busy people and the last thing they have time for in a busy classroom is patrolling their students' desktops by remote control. Furthermore, as I've stated elsewhere most teachers don't even have access to a machine for their exclusive use in most ICT suites. Even if they did it's unlikely this would be used very often. For attending to your own 'teacher PC' is a huge distraction in a busy classroom where almost all of your attention needs to be focused on your students.
Unfortunately to develop this in an easy to use format which will work with both OSs will cost about £15k and this is the problem. We can't develop things from no resources when there is no guarantee that it will pay for itself.
But if someone has already done this in some school somewhere and is willing to share... David Bowles
On Fri, 4 Jun 2004, ian wrote:
It would not be too hard to use VNC to implement a system for teacher to take control of any workstation from anywhere on the network and to "look in" on any student without them knowing. Unfortunately to develop this in an easy to use format which will work with both OSs will cost about £15k and this is the problem. We can't develop things from no resources when there is no guarantee that it will pay for itself.
We have been playing with VNCon recently, and it works fairly well. Lets you have 4,9,16 or 32 (iirc) thumbnails of computers visible on screen, and then to view full screen you just click in the thumbnail. We have had this running on the projector PC so that the students can see that they are being watched. http://vncon.chronetal.co.uk/ It's not 100% perfect, but it's very usable. We've only used it to monitor the windows clients, not yet tried it for our linux clients as there's no need for us (yet...) Steve
Steve King wrote:
It's not 100% perfect, but it's very usable. We've only used it to monitor the windows clients, not yet tried it for our linux clients as there's no need for us (yet...)
The issue you might come up against if you do try to use VNC with Linux clients is that the VNC server under Linux works in a very different way from the Windows VNC server. Whilst the Windows VNC server allows the remote viewer to observe activity going on on the Windows desktop, the Linux VNC server is more similar to the X server based model. Log into a Linux based VNC server and you don't see a duplicate of the desktop that the user is working on, rather a separate instance of the default desktop environment of the user that started the VNC server. So you wouldn't be able to see what your pupils are up to.... :( Cheers, Tony
Tony Whitmore wrote:
The issue you might come up against if you do try to use VNC with Linux clients is that the VNC server under Linux works in a very different way from the Windows VNC server. Whilst the Windows VNC server allows the remote viewer to observe activity going on on the Windows desktop, the Linux VNC server is more similar to the X server based model. Log into a Linux based VNC server and you don't see a duplicate of the desktop that the user is working on, rather a separate instance of the default desktop environment of the user that started the VNC server. So you wouldn't be able to see what your pupils are up to.... :(
x11vnc, from http://www.karlrunge.com/x11vnc/ will do the trick. -- Mark Evans St. Peter's CofE High School Phone: +44 1392 204764 X109 Fax: +44 1392 204763
Hi, I believe that the ver of VNC that comes with V9.0 does allow the same desktop to be seen, but the connection has to be initiated from the linux box as it creates a unique password (need to check if this can be overridden). I've never been successful using vanilla VNC with LINUX; I never manage more than a chequered desktop. see... system, remote access, desktop sharing on your "start" button PS Mark Evans Why do all your emails come as attachments? You may have answered this VNC issue, but I've stopped reading your emails - so I suppose the question is moot as I'll not see your reply! :-) Adrian
Steve King wrote:
It's not 100% perfect, but it's very usable. We've only used it to monitor the windows clients, not yet tried it for our linux clients as there's no need for us (yet...)
The issue you might come up against if you do try to use VNC with Linux clients is that the VNC server under Linux works in a very different way from the Windows VNC server. Whilst the Windows VNC server allows the remote viewer to observe activity going on on the Windows desktop, the Linux VNC server is more similar to the X server based model. Log into a Linux based VNC server and you don't see a duplicate of the desktop that the user is working on, rather a separate instance of the default desktop environment of the user that started the VNC server. So you wouldn't be able to see what your pupils are up to.... :(
Cheers,
Tony
Steve King wrote:
We have been playing with VNCon recently, and it works fairly well. Lets you have 4,9,16 or 32 (iirc) thumbnails of computers visible on screen, and then to view full screen you just click in the thumbnail. We have had this running on the projector PC so that the students can see that they are being watched.
Only appears to be available for Windows and the Windows version does not agree with WINE. -- Mark Evans St. Peter's CofE High School Phone: +44 1392 204764 X109 Fax: +44 1392 204763
ian wrote:
If we go back to first principles, why do you need a particular OS? - To
If you go to quite a few "educational suppliers" websites you are likely to find something similar to "RM recommends Microsoft® Windows® XP Professional for Education." This may have something to do with it... -- Mark Evans St. Peter's CofE High School Phone: +44 1392 204764 X109 Fax: +44 1392 204763
David Bowles wrote:
IMHO RM (the Managed ICT services supplier) is in deep trouble because they've failed to keep up with the latest technology. You might recall this happened to RM once before with regard to their proprietary 'Risk OS' and their 'Acorn' machines. On that occasion they successfully
Acorn were never anything to do with RM. When they were still called RML the company produced a system called the "Nimbus". -- Mark Evans St. Peter's CofE High School Phone: +44 1392 204764 X109 Fax: +44 1392 204763
participants (13)
- Adrian Wells
- adrian.wells
- Christopher Dawkins
- David Bowles
- David Williams
- Geoff Goode
- ian
- John Ingleby
- linuxgirlie
- Mark Evans
- Rob Keeling
- Steve King
- Tony Whitmore