Customizing a distribution for multiple users

Dash · May 16, 2022, 8:42am

Good day to everyone. I trust everyone is keeping well and safe.

I want to deploy a distribution something like, pop os or zoron to multiple users but I need to tweak some of the settings. For example in libre office I need each user to be able to save automatically in the Microsoft formats.

I also need to install the Ubuntu restricted extras.

I could do this manually per machine I was hoping however I could create some type of custom iso Image aftermaking all my changes and just deploy the instant

ThatGuyB · May 16, 2022, 10:54am

What do you mean with multiple users? Is this a school environment, where different children may sit at different computers? Is this a work-like environment, where everyone has their own workstation? Is this a place where one user uses the computer during some hours and one or more during different hours, but they never change the location?

Depending on the answer, it might be easier to just set up OpenLDAP or something and have the users authenticate via LDAP from whatever workstation they want. As for the LibreOffice part, I don’t know, I think that once you open it and set it to microsoft format, it creates a file in your home folder, probably under .local. So do this: create a new, fresh user, open LO, but don’t click on the format yet, that’s just to load up all the cache and other files, then do a find on the home folder (and include .* paths) and save that to a text file, select the microsoft format in LO, do the same find, but this time, save it to another file, then do a diff on both files and see what file was added. Then you can grab that and either script it to always get copied to people’s home directory to the same path, or edit it and you can script a way for this file to be created “by hand” via a script, instead of copied from a place. Your choice.

If you have to apply the same setting to many computers at once, use pssh to create the paths and pscp (part of pssh) to copy that file on each user’s folder.

If you know people are going to “roam” from a computer to the other, I would set up a NFS path on your network and configure a new path, like /exports/home where you mount the NFS share and configure the user profiles in /exports/home/username. You also have to mount the NFS at startup. But this way, if you also use OpenLDAP, anyone can use any computer and it will preserve their home folder. And you would need less storage on the computers itself, you can probably get away with just 64 GB of storage, since the home dir would be on a NFS.

Bonus points for NFS home folders: easy to backup all users’ files. If you use ZFS, just do a snapshot and send it to another array.

Dash · May 16, 2022, 11:37am

Ok this was a lot to digest however this is for a group of people with there own computers at work.

I have a company that wants to migrate to Linux

Buffy · May 16, 2022, 12:45pm

Debian has an Education Edition that has all the bits you need to make this happen.

Dash · May 16, 2022, 1:43pm

Can you explain further?

Dash · May 16, 2022, 1:45pm

So basically what I was looking for is to create A system with all the settings that this group of people will use then burn that to an iso and install it on multiple computers

Buffy · May 16, 2022, 1:57pm

They have a complete wiki: DebianEdu/Status/Bullseye - Debian Wiki

GraysonPeddie · May 16, 2022, 4:39pm

You could make use of a /etc/skel directory, although I’m unsure how that would work for an OpenLDAP server. An /etc/skel directory can store all the settings needed when a new user is created in a workstation.

https://www.linuxhowtos.org/Tips%20and%20Tricks/using_skel.htm

I think this is something that can be done using Ansible for modifying the /etc/skel directory as root. However, I’m not sure if the directories and files in /etc/skel can be pushed automatically to existing users using Ansible given that the owner and group permissions need to be set correctly.

Also, for Ansible, you can create an Ansible user in OpenLDAP or Active Directory and assign it an Administrators group. As root, you need to use the visudo command and add the following line as follows:

# ...
##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL
%Administrators ALL=(ALL:ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL
# ...

And now Ansible can sudo without an issue. Of course, that’s a manual process, so you would definitely need to create an image.

Oh, I found an article about Cubic. Perhaps this will help. You can setup an LDAP authentication from there that will authenticate users to an LDAP server.

For example, to add LDAP packages along with PAM support (Pluggable Authentication Module), add the following packages like so:

libpam-ldapd
libnss-ldapd
nslcd

Then, you can configure LDAP authentication as follows:

/etc/nslcd.conf

# The location at which the LDAP server(s) should be reachable.
uri ldap://172.20.30.2/

# The search base that will be used for all queries.
base cn=Users,dc=companyname,dc=lan
base   group  ou=Groups,dc=companyname,dc=lan
base   passwd ou=Users,dc=companyname,dc=lan
base   shadow ou=Users,dc=companyname,dc=lan

If your company has a root certificate stored in the server, add that root certificate to /etc/ssl/certs.

Then, to configure SSL for LDAP, add or edit the following lines in /etc/nslcd.conf:

# SSL options
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/yourrootcert.crt

You can configure anything you like with Cubic.

Hope that helps!

Dash · May 16, 2022, 5:53pm

Thanks all will keep you updated

Dash · May 16, 2022, 6:17pm

I was just thinking about something what if I create a clonezilla Image once I am complete with all the necessary tweaking. Would I not be able to just restore this image on other machines?

ThatGuyB · May 17, 2022, 2:40am

There are many options to just flash a image with similar settings, including clonezilla, cloud-init and copying the rootfs and modifying fstab and reconfiguring the bootloader.

Now, again, it’s a matter of people switching workstations or not. If not, then all you need is to configure a workstation with multiple users and call it a day. If they do move people around, then you’d likely want to leverage a AAA (OpenLDAP or anything else) and a centralized network share where users can keep their files and sync their settings on all computers they log into.

I don’t have the exact details, I can help you with maybe making the NFS share and auto-mount it on all the computers, but I don’t have any knowledge in OpenLDAP. I tried it once, but failed to implement it (as in, I didn’t have time to look more into it, so I gave up after too much time had passed). I used Active Directory before and used some limited LDAP query commands, but I don’t really remember what I did.

Bonus points if you start with OpenLDAP is that you can expand in the future, like use OpenLDAP or a connector to it to authenticate other services, like nextcloud and stuff… So it is worth the investment to take the time to set it up IMO, but if people work remotely, you need to have a very good way for people to change their passwords when they expire, which is not an easy task, unless the VPN connects automatically and doesn’t use the same credentials (like maybe wireguard or something). For remote or hybrid remote work, the setup gets just a tiny bit more complicated, but it can be worked around if the people can get ways to connect to the company’s OpenLDAP server remotely without using the expired password / credentials.

Don’t ask me how I know it.