Use variable localhome to determines whether the localhome module is installed.
Default: localhome=false
Further changes:
- Move pam-exec from common-auth to common-session
- Move pam-mkhomedir before pam-mount to avoid double login on first use
on localhome devices
Starting libvirtd.service provides iptable rules for NATed network virbr0.
When starting firewalld.service after libvirtd, these rules will be
overwritten. So NAT will no longer work. Restart of libvirtd fixes the
rules again.
Sometimes mounting the server shares fails when logging in (missing
krb5-tickts). On devices with localhome, users can still log in. To
prevent this, users are immediately logged out if the server mounts are
missing.
In Linux socket paths are limited to 108 char length.
/var/tmp/vm/$UID/.config will be too long in some cases.
So we use /var/tmp/vm/$UID
/var/tmp/vm must be
- cleaned on startup
- created with sticky-bit (used by different users)
When terminating screen lock, pam_exec is called in the context of the corresponding user.
Non-root users don't have the permission to start/stop firewalld. So exit immediately.
Exam mode don't collect home-directories on localhome clients.
Deleting home of exam-users will result in potential data loss. But keeping
the home under the same name will prevent new exam at the next day.
Solution: Rename home (and /lmn/media/) of user after 12h and delete after 10d.
For working exam-mode we need to block direct internet access by firewall.
Users have to use squid-proxy on firewall, which can be disabled for exam-users.
To allow VM-traffic (anonymous user), we use a local squid server with users
kerberos-ticket to authenticate on the parent squid.
When using VMs on teacherdevices offsite, the local squid has to use direct internet access.
So we need two squid configs. When switching between offsite and onsite,
the squid has to be restartet with corresponding config.
Some Windows programs have problems with virtiofsd drives.
So that the appropriate SMB shares can be mounted directly in Windows,
a corresponding list of network drives is created before the VM starts.
Existing dolphin configs can be incorrect for two reasons:
- Instead of the class identifier, a * was incorrectly entered in the home@server URL.
- If the student has changed classes, the old class name is still in the home URL.
lmn-patch-dolphin.sh no longer enters a * in the home@server URL.
lmn-fixhome-dolphin.sh will fix existing configs.
Fixed EDID modes are set on the HDMI switch (ACER 120Hz problem).
This means that the affected PCs always see a second screen, even if beamer is off.
To avoid confusion, it must be ensured that no information is displayed on invisible devices:
- set primary screen for login dialog
- set primary screen after login
- clone screen
If the primary screen deviates from the standard, this information is maintained via inventory.
In addition, some PCs have different audio autputs than HDMI (or they have multiple HDMI outputs).
It is therefore possible to specify the audio device in the inventory.
During installation and automatic updates applied by the emmiter
permissions to access the wg server are not available.
Switch the task on with the tag: "--tags all,wgconfig".
