A system administrators guide for GNOME 3

GNOME 2 used to have a system administrators guide. Most of its content does not apply anymore, so we are collecting material for a new version here. There's another page collecting some ideas for necessary updates to the guide: SysAdminGuideUpdate but that page is now also outdated.

The new system administrators guide is taking shape at at http://library.gnome.org/admin/system-admin-guide/stable/

We should probably start from scratch and assemble a new system administrators guide for GNOME 3, since such a document is still useful to have. Our documentation team has started to put this material into a new guide. It lives in the gnome-user-docs repository, and you can see an online version of it online:http://library.gnome.org/admin/system-admin-guide/stable/

Content ideas (new)

Sysadmin guide planning (https://wiki.gnome.org/DocumentationProject/Tasks/SysAdminGuide) Get Started with GNOME Administration

  • Customization Utilities
    • Dconf
    • Gsettings
    • Journald / GNOME Journal

User Settings

Lockdown User Settings

  • Prevent users from changing settings (this can be used for whether the person can change all / some settings)
  • Disable webcam
  • No change disks/partition/format
  • Force users to change their passwords (periodically/once off) (is there a gnome feature / utility that can handle forced password resets?)
  • Disable printing
  • Disable file saving
  • Disable hot corner (I think this is just done by an extension - so you would need to require this extension & not allow it to be removed).

  • Partial super powers
  • Lock down online accounts
  • Prevent software installation
  • Prevent remote logging

Pre-seed user defaults

  • Set power management defaults
  • Auto-suspend/auto-dim/auto-screen off (power-dim-screen.page, screen-locking.page) (sort of)
  • Create an SSH/PGP key with every account
  • Global custom keyboard shortcuts
  • Enable the Compose key (compose-key.page)
  • Backups
  • Desktop sharing
  • Set language and input methods
  • Add Nautilus bookmarks (servers-list.page) (just for servers?)

Pre-seed email/calendar/groupware

  • Default email settings
  • Auto-setup Evolution to use PGP keys
  • Connect to corporate calendar
  • Connect to corporate contacts
  • Set the default IM accounts
  • Set default online accounts

Appearance

  • Add extra fonts (fonts.page, fonts-user.page) aruna
  • Add extra themes jana (plymouth)
  • Use dark theme by default
  • Set privacy/screen lock (screen-locking.page)
  • Add extra backgrounds (backgrounds-extra.page) jana
  • Customise favorites on the dashjana
  • Set default desktop background (desktop-background.page)

Setup

  • Access account from multiple machines
  • Printer access control
  • Date and time/NTP
  • Pre-seed multiple machines
  • Provide different default settings (for different users?)
  • Turn off tracker indexing (privacy/NFS)
  • Turn on tracker for other directories
  • Allow specific users to change printers, network
  • Configure net home directories to support multiple GNOME versions
  • Migrate users from GNOME 2 to GNOME 3
  • Set machine name

Login Settings

Appearance

  • Show logo on login page (login-logo.page) jana
  • Change login page background (not possible)
  • Text banner on login page (login-banner.page) jana
  • Auto-remove users from login screen after some time (not possible, login-userlist-expire.page.stub)
  • Remove the user list from login screen (login-userlist-disable.page)
  • Have specific users always on the login screen (not possible, login-userlist-always.page.stub)
  • Change shield (login-shield.page)
  • Disable the "login shield" and allow users to just log in without it (login-shield-disable.page.stub)
  • Change monitor/display settings (/var/lib/gdm/.config/monitors.xml)

Session management

  • Auto login on startup (login-automatic.page) (user-autologin.page)
  • Log in against domains (enterprise login) (login-enterprise.page)
  • Set autologout (logout-automatic.page)
  • Enable accessibility features by default (accessibility-on.page) (org.gnome.desktop.a11y)
  • Provide multiple keyboard layouts on the login screen (keyboard-layout.page) jana
  • Set language on the login screen (login-language.page.stub) jana
  • Enable fingerprint/smart card readers (login-fingerprint.page.stub/login-smart-card.page.stub) kat
  • Add custom session to GDM (session-custom.page.stub)
  • Bunch of different default sessions for different users (user-session.page) (sort of)
  • Remote home directories (dconf keyfiles) (dconf-nfs-home.page)
  • Skip initial setup (initial-setup-skip.page.stub)
  • Guest accounts (login-guest.page.stub)
  • Log out all users

Network

NetworkManager

  • Auto wireless defaults
  • Set up certificate for connecting to VPN
  • Set up default VPN connection (vpn-list.page)
  • Set up 4G connnection
  • Set default proxies
  • Allow connecting to a single wifi network only (possible?)

other

  • Avahi/sharing
  • Set up network printersjana
  • Remote administration

Software

Applications

  • Auto-start applications on login (autostart-applications.page)
  • Provide pre-installed apps
  • Set a default homepage for GNOME Web
  • Set browser preferences
  • Getting custom applications into Activities (should be integrated with "Provide pre-installed apps")
  • Link to web apps in Activities (see epiphany)
  • Set default NFS shares in GNOME Files
  • Set default Samba shares in GNOME Files

Extensions

  • Enable machine-wide extensions (extensions-enable.page)
  • Lock down enabled extensions (extensions-lockdown.page)
  • Install (install applications?)
  • Prevent installation/uninstallation (extensions-lockdown.page, extensions-mandatory.page)

Management

  • Set software update rules (e.g., disallow all updates or only allow security updates)
  • Auto software updates
  • Remotely push updates
  • List of default processes (processes.page) Petr
  • Add custom help topics to the user guide
  • Add a Custom MIME Type for All /Individual Users
  • Override the Default Registered Application for All / Individual Users

Troubleshooting/diagnosis

  • Remote debugging or troubleshooting
  • Access logs
  • xsession-errors
  • View the session logs (session-debug.page)jana
  • Debug printer not being in the printer dialog
  • GNOME Shell has frozen

Content ideas (old)

This is just a braindump / brainstorming area.

Questions to answer

  1. What happened to ~/.xsession-errors ? That file was very handy to debug session problems, and I can't find it anymore

    • It is now located at ~/.cache/gdm/session.log. This change was made to comply with the XDG directories spec

  2. How can I set system-wide power management settings that users can't change (eg: Dim screens after X min)
    • This is controlled by the org.gnome.settings-daemon.plugins.power.idle-dim-time, idle-dim-ac and idle-dim-battery gsettings keys. See below for how to install and enforce system-wide custom values for gsettings keys.

  3. How can I set system-wide screen saver locking settings that users can't change (eg: Lock screens after X min)
    • This is controlled by the org.gnome.desktop.screensaver.lock-delay and lock-enabled gsettings keys. See below for how to install and enforce system-wide custom values for gsettings keys.

  4. How can I migrate users from GNOME 2 → GNOME 3 (without them getting mad at me)
    • This is a tough question for any change of this magnitude. It might help to offer them a GNOME shell extensions that bring back certain aspects of the GNOME 2 user experience. A good way to do so is the 'classic mode'

  5. How can gnome auto-remove user names from GDM screen (for users that haven't logged in since X days)
    • A crude way to achieve this is to rotate wtmp, since GDM is relying on wtmp to know which users have logged in. A better mechanism for this may appear at some point

  6. Which tool can I use to explore gsettings ?
    • dconf-editor is a graphical utility that lets you browse gsettings. The gsettings commandline utility does the same in a non-graphical way; it has very useful bash completion. Note that these tools always operate on the current users gsettings database, so you don't want to run it as root. Also, they require a D-Bus session bus in order to make any changes (since that requires activating the dconf daemon via D-Bus).

  7. Which tool can I use to create or modify dconf profiles ?
    • dconf comes with a commandline utility which is also called dconf for this purpose; it is very minimal.

  8. Which processes should I expect to see running in a pristine, stock GNOME session ?
    • dbus-daemon, gnome-session, gnome-shell, gnome-settings-daemon, pulseaudio, gnome-keyring-daemon. Depending on the users setup, you might also see various gvfs processes, goa-daemon, gnome-shell-calendar-server, various evolution factory processes, gsd-printer, gnome-screensaver, at-spi2-dbus-launcher, at-spi2-registryd, etc

  9. How do I install a custom default value for setting xyz for all my users ?
  10. How do I prevent users from changing the settings xyz ?
  11. How do I make extra backgrounds available to my users ?
    • Install an xml file describing your extra backgrounds in /usr/share/gnome-background-properties. Here is a small example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE wallpapers SYSTEM "gnome-wp-list.dtd">
<wallpapers>
  <wallpaper deleted="false">
    <name>Company Background</name>
    <name xml:lang="de">Firmenhintergrund</name>
    <filename>/opt/corp/background.jpg</filename>
    <options>zoom</options>
    <shade_type>solid</shade_type>
    <pcolor>#ffffff</pcolor>
    <scolor>#000000</scolor>
  </wallpaper>
</wallpapers>

  1. How do I change the default background for new users ?
    • You can install an override for the org.gnome.desktop.background.picture-uri gsettings key. As an example, here is the file /usr/share/glib-2.0/schemas/org.gnome.desktop.background.fedora.gschema.override that is used in Fedora 17:

[org.gnome.desktop.background]
picture-uri='file:///usr/share/backgrounds/beefy-miracle/default/beefy-miracle.xml'

  1. How do I make extra fonts available to my users ?
    • Copy the fonts into a subdirectory of /usr/share/fonts and run fc-cache

  2. GNOME used to be great with themes. What happened to that ?
    • GNOME 3 is focusing on a single, polished experience, and the focus is on making one high-quality theme. That being said, themes are still available via the 'user themes' gnome-shell extension. gnome-tweak-tool supports this extension, too.

  3. If I need to change the default users theme for a specific reason (eg. make the dark theme the default for a set of users), how do I do that?
    • See the previous answer, about the 'user themes' shell extension

  4. Where does the background image on the login screen come from ?
    • See the org.gnome.desktop.background.picture-uri gsettings key. Note that gdm uses its own DConf profile, the way to change settings in this profile is to place a keyfile in /etc/dconf/db/gdm.d and run dconf update. Here is an example for such a keyfile, could be stored as /etc/dconf/db/gdm.d/corp-login:

[org/gnome/desktop/background]
picture-uri='file:///opt/corp/background.jpg'

Note that these DConf key files are slightly different from the gsettings override files mentioned earlier.

  1. And what about the background image on the lock screen ?
    • gnome-screensaver is running in the users session and uses the default value of the org.gnome.desktop.background.picture-uri gsettings key. To change the default, install an override

  2. I need my institute's logo to appear on the greeter. How ?
    • See the org.gnome.login-screen.logo gsettings key. Note that gdm uses its own DConf profile; the easiest way is to add this to the DConf keyfile mentioned earlier:

[org/gnome/desktop/background]
picture-uri='file:///opt/corp/background.jpg'

[org/gnome/login-screen]
logo='/opt/corp/logo.png'

  1. Can I show a disclaimer text on the login screen ?
    • Yes, this is controlled by the settings org.gnome.login-screen.banner-message-enable and org.gnome.login-screen.banner-message-text. Note that gdm uses its own DConf profile; the easiest way is to add this to the DConf keyfile mentioned earlier

  2. How do I set up multiple keyboard layouts on the login screen ?
    • The greeter will show a layout chooser if more than one layout is configured in /etc/X11/xorg.conf

  3. Can I make certain users always appear in the user list ?
  4. Can I turn the user list off altogether ?
    • See the org.gnome.login-screen.disable-user-list gsettings key. Note that gdm uses its own DConf profile; the easiest way is to add this to the DConf keyfile mentioned earlier

  5. How do I enable my users to use fingerprints for login ?
    • See the org.gnome.login-screen.enable-fingerprint-authentication gsettings key. Note that gdm uses its own DConf profile; the easiest way is to add this to the DConf keyfile mentioned earlier

  6. What about smart cards ?
    • See the org.gnome.login-screen.enable-smartcard-authentication gsettings key. Note that gdm uses its own DConf profile; the easiest way is to add this to the DConf keyfile mentioned earlier

  7. Where is autologin information for each user stored ?
    • The accountsservice writes this into the gdm configuration in /etc/gdm/custom.conf; this may change

  8. How do I make multiple sessions appear on the login screen ?
    • The session chooser is shown if there is more than one desktop file in /usr/share/xsessions/

  9. Can I create a 'custom' session ?
    • Install a desktop file for your custom session in /usr/share/xsessions/. If your custom session is using gnome-session as session manager, you can give it a --session=mysession argument, and define the contents of your session in the file /usr/share/gnome-session/sessions/mysession.session. Here is an example, /usr/share/xsession/custom.desktop:

[Desktop Entry]
Encoding=UTF-8
Type=Application
Name=Custom session
Name[de]=Spezial-Session
Comment=This is our custom session
Exec=gnome-session --session=mysession
TryExec=gnome-session 

This would be used together with a session definition file /usr/share/gnome-session/sessions/mysession.session that looks like this:

[GNOME Session]
Name=Custom session
Name[de]=Spezial-Session
RequiredComponents=my-window-manager;my-file-manager;my-custom-component;

Note that the names listed as RequiredComponents are expected to have desktop files behind them. E.g. there should be a /usr/share/applications/my-window-manager.desktop, and so on

  1. How can I run a certain application whenever a user logs in ?
    • Install an autostart file for the application in /etc/xdg/autostart/

  2. Can I give certain users a different session without making them choose it ?
    • The default session is determined by the Xsession key in the the /var/lib/AccountsService/users/<username> file

  3. How do I configure a user's home directory to support multiple versions of GNOME (over NFS or shared)?
  4. Can I allow certain users to configure printers, or install software ?
  5. How do I preconfigure VPN for all my users ?
    • NetworkManager stores system-wide connections in /etc/NetworkManager/system-connections - you can install your canned VPN connections there

  6. What do I do if a printer does not appear in the print dialog ?
    • Make sure cups is running; then check for firewall problems

  7. What do I do if sound does not work ?
    • Sound can be broken for a variety of reasons, so it is hard to say, but here is a number of things that are worth checking:

      • Is pulseaudio running ?
        Are there any sound-related warnings in the system logs ?
        Are the permissions of the sound devices getting set correctly ?
        Is the volume muted ?

  8. Extensions:
    1. How do I lock down access to extensions.gnome.org for my users?
    2. How do I mandate that the user can enable/disable extensions, but not install them
    3. How do I provide a set of extensions that the user have to use
  9. How do I make it easy for my users to access our file shares ?
    • nautilus stores a list of servers in ~/.config/nautilus/servers, and the list can be prepopulated there

  10. How do I make custom launchers (keyboard shortcuts) available ot all my users ?

DocumentationProject/Tasks/SysAdminGuide (last edited 2015-02-20 14:06:17 by ChuckAnderson)