RE: [suse-linux-uk-schools] Network migration starting with squid.. help
--- Alan Loughlin <loughlina@swalcliffepark.co.uk> wrote:
When I talk about locking files down, to me that means restricting user access and controlling what they see. I'm really just going by what I can do at the moment in group policy, as this is what I know.
There's a few ways you can do this -- you could change a $USER's primary group to something you have created that then is only associated with various items you want them to see (crude). You'd be better off with LDAP, if that's possible though.
Menu locking and altering from a central location (folder redirection in group policy)
Menu locking would best be done via changing perms on ~/.kde or ~/.gnome
Home folder located on a server
Many ways you can do that. Samba, for instance.
Authentication from a Linux server basically replace active directory, as I won't need it if my workstations are a Linux distro.
Samba again.
Taking drive visibly away from the file manager so they just see their home folder and any shares
You can lock them in, using a variety of methods, although restricting users in this way has always been a bit of a black art. You could use a chroot-jail, but this would involve having to recreate a lot of the top-level directories within one's $HOME -- something that's probably not desirable. You might get away with setting their shell to 'rbash', if you want to really lock them down.
Replace roaming profiles with Linux version (are all user settings located in /home?)
Yes.
Scripts or a method to ensure printers for each room are setup for every pc in that room with the ability to have some printers roam with certain users.
CUPS + Samba can do this.
Kiosk seems the way to go, but does this have to be run on every Linux client? All my pcs are decent, except they have windows on them at the moment ;-)
The kiosk would have to run on every client, unless you centralised it so that the Xserver was running on another machine, and the clients connected to it (think XDMCP). But this would probably create a bottleneck and a very huge load on the server running the Xserver. I'd probably just keep the kiosk running on the local workstation, along with KDE (if you went for that particular desktop environment, of course.)
Is the webmin environment good for network management? Especially for the likes of what I'm trying to achieve?
Not really. I really have a hatred for webmin, but it really isn't appropriate, in my opinion, for your needs here.
I really like xfce, it's a pity it doesn't seem it has anything like kiosk.
But you can lock it down. You can do the same thing with FVWM as well. The only problem is that it requires some time to put everything in place, alas.
I have used a few distros at home, suse, ubuntu, kubuntu (same I know), fedora and more recently simply mepis. I've stayed with mepis purely because the setup for my wireless adaptor was completely flawless and hasn't stopped working since. And it's a really good distro, in my opinion...
I've heard some nice things about it. One thing they do which I thought is a nice touch is they prelink openoffice so that it loads much faster.
From tinkering with Linux and collection of info, I think (based on limited knowledge) that the set should be as follows:
Central authentication/management server - 2 for redundancy/load balancing would be nice.
That would be an interesting project to work on.
File server - backed up every night to dds4 drive - could be on same server as above
There's many programs you can use for this -- I use 'Amanda', although there's rsync and friends.
Intranet/antivirus management server - non critical files also stored here
Windows server with terminal services - I still need to run 4 windows apps, successmaker, Pass for windows, phoenix and epar
Internet filtering server - cachepilot, censornet, squid/dansguardian (all to be properly assessed)
Yup - things have moved on a lot since I last setup squid properly in a working environment. You'll get plenty of help here on that.
Linux fat client workstations - school wide based image, easily deployed
-- Thomas Adam
We are working on a Fat Linux client at the moment, that does do all of the things you list, though it's not at all ready yet!! I think I will roll it out here with dual boot first so those students who want to use Linux can.
Jo
-- Spread FireFox: http://www.spreadfirefox.com/?q=user/register&r=32751 Get FireFox: http://www.getfirefox.com OpenOffice: http://www.openoffice.org Mandrake: http://www.mandrakelinux.com Karoshi: http://www.karoshi.org.uk
On Thu, 2005-05-12 at 10:41 +0100, Thomas Adam wrote:
Menu locking and altering from a central location (folder redirection in group policy)
Menu locking would best be done via changing perms on ~/.kde or ~/.gnome
In Gnome the more "official" way to lock down menus and other settings is to use gconf, see the Gnome Sys admin guide http://www.gnome.org/learn/admin-guide/2.6/ which unfortunately hasn't been updated since 2.6 (it'll all still work but there might be newer stuff we're missing out on). I've used this to set defaults, but could quite easily have set mandatory policy (also for things like preventing users opening a terminal). RedHat are working on a system called Sabayon to make doing this a lot easier http://www.gnome.org/projects/sabayon/ Probably not ready for prime time yet unfortunately.
Home folder located on a server
Many ways you can do that. Samba, for instance.
If you're talking about linux -> linux sharing then NFS is a much better way of sharing /home (and much easier to set up), and you can still use samba to share the same files to any legacy windows machines.
Authentication from a Linux server basically replace active directory, as I won't need it if my workstations are a Linux distro.
Samba again.
You could use LDAP and PAM for this.
Taking drive visibly away from the file manager so they just see their home folder and any shares
You can lock them in, using a variety of methods, although restricting users in this way has always been a bit of a black art. You could use a chroot-jail, but this would involve having to recreate a lot of the top-level directories within one's $HOME -- something that's probably not desirable. You might get away with setting their shell to 'rbash', if you want to really lock them down.
Well this isn't much help, but users won't see the rest of the system unless they go looking for it - open/save dialogs default to $HOME or some subdirectory of it (e.g. $HOME/Documents). Even if users do start digging around the system they can't do any damage because they don't have permission to. Also you should be careful locking them into $HOME if you also want to allow access to cdroms, floppies or usb drives, since they will be mounted in /media
Paul
-- Paul Cooper | Tel: 0121 634 1620 Assistant Director | Fax: 0121 634 1630 OpenAdvantage | http://www.openadvantage.org
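The 'rbash' suggestion quoted in this thread, as an added example that is not part of any poster's message: a restricted shell only confines a user if PATH points at a directory holding nothing but the permitted commands, so this sketch builds that directory and checks that the documented restrictions hold. The directory location and the allow-list (`ls`, `cat`) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (constructed paths and allow-list): a command directory for an
# rbash account, plus a check of what the restricted shell refuses.

# make_rbin DIR CMD...: fill DIR with symlinks to the only permitted commands.
# Keep shells, editors and interpreters off the list: they start unrestricted
# child processes.
make_rbin() {
    local rbin=$1 cmd target
    shift
    mkdir -p "$rbin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || return 1
        case $target in
            /*) ln -sf "$target" "$rbin/$cmd" || return 1 ;;
            *)  return 1 ;;   # builtin or function, not a file on disk
        esac
    done
    chmod 555 "$rbin"         # the user must not be able to add commands
}

# run_restricted DIR COMMAND: run COMMAND under restricted bash with PATH set
# to DIR only and an otherwise empty environment; returns its exit status.
run_restricted() {
    local shell
    shell=$(command -v bash) || return 127
    env -i PATH="$1" "$shell" --restricted -c "$2"
}

# lockdown_holds DIR: succeed only if a permitted command still runs and each
# restriction documented for restricted bash is enforced: no cd, no '/' in
# command names, PATH read-only, no output redirection.
lockdown_holds() {
    local attempt
    run_restricted "$1" 'ls /' >/dev/null 2>&1 || return 1
    for attempt in 'cd /' '/bin/ls' 'PATH=/bin:/usr/bin' 'echo x > /tmp/rbash-test'; do
        if run_restricted "$1" "$attempt" >/dev/null 2>&1; then
            return 1          # the restricted shell accepted it: not locked down
        fi
    done
    return 0
}
```

On a real account the same directory would be set as PATH from a root-owned, read-only startup file, with the login shell set to rbash.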
Microsoft are running a "video" promotion on "thought thieves", re intellectual property. http://www.msn.co.uk/img/en/en-gb/portal/specials/thoughtthieves/poster.PDF Wouldn't it be a good idea to find some kids who were up to it, to portray the Stac vs Microsoft case? I'd love to see someone dressed up as Bill. For reminders... http://www.vaxxine.com/lawyers/articles/stac.html Clearly, although the T&C's don't permit us to use the trademark names... it's a perfect example of "intellectual property theft and the impact this can have" Thomas
participants (4)
- linuxgirlie
- Paul Cooper
- Thomas Adam
- Thomas Dyer