Linux solution for schools

distribution-choiceldapsamba

The school I'm working for as an administrator requested a system upgrade. Currently we are using a government-suggested Linux distribution called SuliXerver – it would be great, but most of the admin functions have been disabled, and are controlled by the company managing the distro. As there are major issues with it that are ignored by this company, the school board decided to switch to something else.

As our budget is limited, Windows solutions are out of the question. This leaves us with open-source and free software.

I've been looking into education-oriented distros, but the thing is, none provides (by the things I see) the level of comfort for the end-user as SuliXerver did – mostly the unified web interface, which, while being limited, had all needed features (user management, user network access control, email, etc.).

I'm still undecided though about the best choice. The distros I've checked so far:

Debian Edu/Skolelinux – apparently the best choice for us. Supports a grand part of what we need be supported, BUT is limited when it comes to modifying the initial values it is preloaded with – the LDAP schemes, network setup, domain, server name, etc.
Karoshi Server – seems limited in my opinion, and still not yet ready for prime time. Also less maintained compared to Skolelinux
ClearOS – while not directly meant for schools, a great deal of the system can be salvaged and slightly modified to work with our setup.
Zentyal – same as ClearOS but limited functionality in regards of the web interface. Also has better support, and the interface is easier to use.

Is there any other distribution I've missed, that would be a better match for our solution? Due to the limited timeframe I was given to complete the whole transfer (by the end of October I should have a working prototype system, and latest end of December, transition must be done), I do not feel up to the task to write our own solution.

Requirements:

Unified web interface that is easy to use for students, teachers, and admins. Teachers should be able to control the rooms' internet access via proxy settings, modify students' passwords, but not core system settings. Students can change their own password.
E-mail system – web interface is given (RoundCube or RainLoop), back-end is not yet decided (would like to have Exchange ActiveSync)
OpenLDAP + Samba for Windows domain login and Documents storage (to store user settings, bookmarks, files). Also automatic assignment of network drives.
Web server – either Apache or NGINX, running with PHP and MySQL.
Print server for the offices
DNS server for local computer name resolution

Best Answer

https://www.edubuntu.org/ seems to be popular amongst schools....

here is a list of where it is run:

==> https://wiki.edubuntu.org/Education/UbuntuSchools

Related Solutions

Creating linux distro for use during exam

Without at least the threat of harm you cannot enforce a student booting your Exam OS. Skip to the horizontal rule for how I would achieve your overall goal. This is how I would fool your system:

I would boot into my Linux, where I will always have root privileges and everything I may need. Then I would mount the Exam OS root file system. That file system is on the CD you gave me and I will always be able to mount it. Then I would open a new terminal, chroot into Exam OS and fire up Exam OS inside that chroot-jail. If you based Exam OS on Debian or one of its derivatives I'd

/etc/init.d/rc S
/etc/init.d/rc 2

In effect I will have your Exam OS, which means I have everything you want to give me and at the same time I have my own Linux for everything you don't want to give me.

Maybe I'm overshooting a little by running /etc/init.d/rc S and probably should restrict myself to running /etc/init.d/rc 2 only. Every distribution has an easy to find out similar magic incartation.

Yes, you can go to war and make this cost me valuable exam time, but for every minute you cost me you have to invest several hours! Also, you have to make Exam OS refuse to boot inside a virtual machine, as that's another option to fool your system.

So much for the destructive part, let's get constructive. :-)

If you don't want students doing something, tell them and fail them, if they break that rule. That has worked for centuries! I would hand out Exam OS CDs and tell them using another OS during this exam is considered cheating. Now we have that problem solved. All we need to do now is catch them cheating (which they most likely won't anyway anymore).

To create Exam OS I'd modify some existing Live-CD. Which is almost irrelevant, however, it will be easiest if it is some "full scale" Linux so Ubuntu and Fedora are the first that come to mind, here is an incredibly large list of alternatives. I'd pick the one with the best documentation on how to create/rebuild the live-cd! The finished Exam OS would have to fulfill the following requirements:

students have quick access to all programs I want them to have
the desktop has distinctive design/skin so I can tell from a distance with 80% certainty if somebody is not using Exam OS
no username password authentication is required by default
to log in as another user, su or sudo you need an USB-stick (the one on your keychain) to authenticate
have funky network settings so to restrict the internet and local communication to fit my needs.
have a customised kernel that doesn't even have support for bluetooth, irda or any other subsystem than ethernet that could enable communication. USB needs to be restricted as well!

1 basically means I put desktop shortcuts to everything I want them to be able to use. That way I would have easy testing if everything works.

To achieve 2 I would skin the desktop with the school colors and an occational logo so that I recognise the Exam OS desktop when I see it. During the exam, when I see odd colors or pictures or even miss something I know should be there I can investicate more closely.

3 is easy, makes Exam OS uncomplicated and when I think somebody is cheating I can close the laptop, turn it around and open it up. When I see an Exam OS I appoligise, if I don't or even see a locked screen I caught someone cheating.

4 means to harden the system so you can only become root by having my usb key. There is a pam module for that so the USB-stick authentication is not hard to do (google pam_usb). With the basic OS of a live CD and that pam module in place for any service that can be used to get super user privileges, i.e., login, su, sudo and maybe some desktop manager and sshd, it should be sufficiently hard to become root. After that one still has to make sure that the normal user may not edit important configuration files and directories!

5 means no nameserver-entry in /etc/resolv.conf but some entries in /etc/hosts for all the websites I want the users to be able to visit. Also there needs to be a restrictive firewall which drops all incomming and outgoing packets and for each host I want the students to be able to reach an exception by ip-address has to be defined.

6 means just that. take the config from the generic kernel of the live-cd you chose and rip out all the subsystems you don't want. sound, video for linux, bluetooth, everything that is not needed during the exam. Rip out everything usb that is not usb-hid and usb-storage. Very important w.r.t. USB-stricks: remove all the filesystems that you do not need, and keep only those you need. For the authentication stick I would choose some odd FS that nobody anymore. Maybe even an experimental one that is not part of standard linux.

That's a rough guide only, sorry :D

Windows – Store Windows print driver on Samba for a CUPS print server

1.

So your first problem seems to be this:

Currently not working:

Cannot add the Windows printer driver to CUPS using the "printmanagement.msc" MMC (I get a "access denied" error). So Samba's Point'n'Print will not work.

Note, that the Windows clients do not retrieve their printer drivers from CUPS, and CUPS itself cannot communicate with the Windows clients directly.

Only Samba can do that, so Windows clients will retrieve their printer drivers from Samba. Samba poses as a Windows print server for the clients, and Samba will also provide a special share (listed [print$] in smb.conf) for clients to auto-install the drivers from. (You should try to use the UNC path of \\myserver\print$ or \\myworkstation\print$ in Windows explorer and see the drivers from any host which shares a printer.)

Windows users need a special privilege in to administer printers and configuring/uploading drivers. This privilege was named SePrintOperatorPrivilege by Microsoft.

Samba implements the SMB set of Windows networking protocols and procedures so Windows clients can use its services.

Hence, only users which have this privilege granted can upload and preconfigure printer drivers to a Samba server, just like it would be the case for a Windows print server.

Typically, you would want to grant the privilege to the Domain Admins group, plus, maybe another Domain Group you may have called Our Printer Admins. I now assume your domain name is MYDOMAIN.

To grant the named user groups that right, execute the following commands:

  net rpc rights grant "MYDOMAIN\Domain Admins" \
     SePrintOperatorPrivilege -U "MYDOMAIN\administrator"

  net rpc rights grant "MYDOMAIN\Our Printer Admins" \
     SePrintOperatorPrivilege -U "MYDOMAIN\administrator"

  net rpc rights grant "MYDOMAIN\User54321" \
     SePrintOperatorPrivilege -U "MYDOMAIN\administrator"

In each case you'll be prompted to supply the domain admin password:

  Enter MYDOMAIN\administrator's password:

If you know this password and everything works, you'll see this confirmation:

  Successfully granted rights.

Of course, you could grant this privilege to one or more individual domain users (example above: MYDOMAIN\User54321) too. But this is not recommended. Better grant the privilege to a group instead of individual accounts. This enables you to add and revoke the privilege by updating the group membership.

To list all users and groups having the SePrintOperatorPrivilege privilege granted, enter:

  net rpc rights list privileges SePrintOperatorPrivilege\
     -U "MYDOMAIN\administrator"

You should see the following output:

  SePrintOperatorPrivilege:
     BUILTIN\Administrators
     MYDOMAIN\Domain Admins
     MYDOMAIN\Our Printer Admins
     MYDOMAIN\User54321

You've now created the pre-condition that users listed above can upload and install printer drivers to your Samba server.

(Update: Just had a closer look at the smb.conf you quoted above... Replace MYDOMAIN\ with MYWORKGRP\ for the commands I gave, or skip it altogether and just use a user name or a group name known to Samba. You could possibly also temporarily try guest ok = yes inside the [print$] stanza. Don't forget to set it back to no once your drivers are in place...)

2.

Your second problem seems to be:

It seems CUPS default options interfere with the workstation's ones: I set duplex printing off by default on CUPS but want it to work if the user tick the checkbox on it's printing settings.

Where should I go to make CUPS use user's settings?

CUPS by default does not "filter" print jobs it gets handed over by Samba. It processes them as "raw" jobs and just passes them to the real print hardware device.

So if the driver is correctly installed on the Windows print clients, whatever job options they click, should be honored by the printer, regardless of default settings which may be configured into CUPS for CUPS-local printing...

You cannot "make" CUPS use user's settings -- CUPS will just pass them through.

Best Answer

Related Solutions

Creating linux distro for use during exam

Windows – Store Windows print driver on Samba for a CUPS print server

1.

2.

Related Question