Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear release team,

for Debian Edu 10.1, we'd kindly ask to accept the below fixes into Debian 10.1:

### Common Bug Fixes

+debian-edu-config (2.10.65+deb10u1) buster; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756)
+    - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
+      that all DHCP server information is getting through to LTSP clients.
+      (LTSP used this option before, but switched to 'ipappend 3' during the
+      Buster development cycle to ease setups with ProxyDHCP.)

This resolves an issue on the LTSP client network of a Debian Edu LTSP server. It was observed that the search domain did not get propagated to the LTSP clients.

+  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
+    - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)

Make sure the LDAP-configured sudo configuration is found by Debian Edu client systems.

+  * Set environment variable to deal with Firefox profile. (Closes: #930122)
+    This is a workaround for bug #930125, preventing firefox-esr startup issues
+    if the mozilla profile is on an NFS share).
+    - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
+      as content. Thanks to Mike Gabriel for spotting the issue and providing
+      this information.
+    - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
+      to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.

It was observed that Firefox delays its start-up tremendously (by several 10s of seconds) if the home directory is on NFS. On Debian Edu networks, homes are mostly always on NFS shares. Such a delay of Firefox startups in class rooms is unacceptable.

+  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
+    - While the reported arch is i686, LTSP uses i386. Set arch accordingly.

If people happen to do i386 LTSP server installations, the above change fixes the correct creation of /etc/exports (used for sharing the LTSP clients' chroot over NFS).

+  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
+    - Remove outdated (and now wrong) logging section.

The [logging] section in krb5.conf needs to be removed to make Kerberos logging work via systemd/journald.

+  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
+    - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
+      to changed behaviour of the ifupdown/dhclient/systemd combination and now
+      also causes the loss of a dynamically allocated ipv4 IP address after 20
+      to 30 minutes after booting.
+    - Add code to d/debian-edu-config.postinstall to implement the intended
+      hostname update just after rebooting the system after a change.
+    - Adjust Makefile.

It was observed that Debian Edu hosts using ifupdown for network setup lost their network connection after 20 to 30 minutes. (The work-around was to replace ifupdown by NetworkManager.) The above changes resolve this problem (RC bug).

### Debian Edu PKI Re-Doings

The Debian Edu PKI had been entirely redone by Wolfgang Schweer between Debian Edu 9 and Debian Edu 10. After Debian Edu 10 was released, I migrated a huge school setup from Debian Edu 8 + 9 (mixed setup) to Debian Edu 10 and finally found the time to post-release review those PKI re-doings. The below changes all tackle fixes, also slight concept changes, that the Debian Edu team would love to see accepted into Debian (Edu) 10.1:

+  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
+    - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
+      rootCA file to the web server directory at certificate generation time.
+    - Adjust cf3/cf.finalize to care for the rootCA file as well.
+    - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
+      directory upon main server upgrade.

In Debian Edu 10.0, a crt bundle file got distributed via the main server. This was implicitly handled by the init script fetch-ldap-cert. The concept change for 10.1 is: distribute the CA file of the self-signed Debian Edu PKI instead. The above changes modify the main server on upgrades accordingly, so that the Debian-Edu_RootCA file is available for download via http://www.intern/.

+  * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
+    - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
+    - cf3/edu.cf: Define new class 'ltspimages'.
+    - cf3/cf.finalize: Add code to include the LDAP server certificate for all
+      possible use cases, to generate the image and to adjust various rights.

This injects a certificate installation between chroot debootstrapping and the creation of the SquashFS LTSP client image. This is required to get the rootCA file installed into the LTSP chroot _and_ LTSP image directly after their creation. (Otherwise, one would have to reboot the LTSP server, or manually run fetch-ldap-cert, and recreate the LTSP SquashFS image again. Too clunky for the normal admin.)

+  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).
+    - Use independent conditions to make sure that the LDAP server certificate
+      is only downloaded once for both host and LTSP chroot. (Closes: #934380)

We consider the one-time download of the PKI related files for LDAP communication a security fix. LDAP client<->server communication should be blocked if the client does not use the correct PKI files. This blocking assures that a client system only talks to the LDAP server that was present during client installation time. In Debian Edu 10.0, the PKI files got updated on every client reboot. This could have been used for password phishing attacks.

+    - Add code to validate the LDAP server certificate in case the Debian Edu
+      RootCA certificate is available for download.

This provides an extra layer of security and verifies that the certificate of ldap.intern matches the rootCA available via www.intern.

+  [ Mike Gabriel ]
+  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):
+    - Make the script (and with it Debian Edu buster workstations) work in a
+      Debian Edu environment where the main server (TJENER) is still on Debian
+      Edu 8 or 9. (Closes: #926933)
+    - Retrieve TJENER's PKI server certificate only once per host to improve
+      security. This re-introduces the behaviour of fetch-ldap-cert in stretch
+      and earlier. (Closes: #931413).
+  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
+    - White-space-only change: Fix broken and inconsistent indentations.
+    - Fully inline-document fetch-ldap-cert script.
+    - Add "-f" option to all curl calls that don't have it set so far.
+      This assures that curl bails out with a non-zero exit code, if anything
+      goes wrong while retrieving certificate files.
+    - Also report a successful certificate verification if we verified the
+      LDAP server certificate using the Debian Edu RootCA.
+    - Really check that the LDAP server uses a certificate issued by the
+      "Debian Edu RootCA", not just by (some) "RootCA".
+    - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.
+    - LTSP chroot certificate copying: only log those actions, if they are
+      actually about to happen..
+    - Silence curl stderr and gnutls-cli stdout+stderr.
+    - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
+      CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
+      This will lead to repetitive downloads of the CERTFILE on system boot.
+      To get rid of this, people must upgrade their TJENERs from Debian Edu
+      10.0 to 10.1. Then it will stop. This hack is necessary to assure
+      distribution of the RootCA to all clients that don't have it, yet.
+    - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
+      copying from chroot copying of the CERTFILE. The chroot may have the
+      CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade
+      path from Debian Edu 10.0 to Debian Edu 10.1.
+    - Do a simple validity check if a directory under /opt/ltsp really is
+      a chroot (and e.g. not the SquashFS images' directory).

All above changes come from a security and compatibility review done for the script "fetch-ldap-cert", which handles the certificate and rootCA retrieval on clients (for the host system and also for LTSP chroots if present). The changeset basically is a rewrite of the fetch-ldap-cert script. The script is relevant for Debian Edu network clients and for LTSP servers.

The changes have been done with the following aspects in mind:

  * use correct indentation levels to ease reviewing
  * very verbosely document all script steps using inline comments
  * make sure rootCA and LDAP server cert get deployed only once, but do
    definitely get deployed
  * assure that all sorts of client -> server combinations work:
    - Debian Edu 10.1 clients <-> Debian Edu 8 + 9 server
    - Debian Edu 10.1 clients <-> Debian Edu 10.0 server
    - Debian Edu 10.1 clients <-> Debian Edu 10.1 server
  * make sure no superfluous output hits stdout+stderr (informative logging
    goes to syslog)

light+love
Mike Gabriel (aka sunweaver, on behalf of the Debian Edu Team).

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru debian-edu-config-2.10.65/cf3/cf.finalize debian-edu-config-2.10.65+deb10u1/cf3/cf.finalize --- debian-edu-config-2.10.65/cf3/cf.finalize 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/cf3/cf.finalize 2019-08-19 21:04:05.000000000 +0200 @@ -4,6 +4,11 @@ # Moved from other bundles to this last one in the sequence to get the right # execution order. +vars: + + "default_arch" string => ifelse("x86_64", "amd64", + "i686", "i386", + $(sys.arch)); files: # Add the language chooser to the lightdm-greeter panel. @@ -52,6 +57,18 @@ link_from => ln_s("/usr/share/debian-edu/menu/menus/xfce-applications.menu"), move_obstructions => "true"; + # Make sure the LDAP server certificate is available in the LTSP chroot of a + # new combined server before the SqushFS image is generated (see bundle end). + + debian.server.ltspserver.!ltspimages.installation:: + + "/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-server.crt" + copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt"); + "/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt" + copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt"); + "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt" + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt"); + commands: debian.server.installation:: 
@@ -97,6 +114,41 @@ "/usr/sbin/pam-auth-update --package" contain => in_shell; + + # Make sure the LDAP server certificate is available in the chroot of a separate + # LTSP server before the SqushFS image is generated. Also needed just in case + # an LTSP chroot is re-generated. + + debian.ltspclient.installation:: + + "/etc/init.d/fetch-ldap-cert start" + contain => in_shell; + + # Adjust certificate rights to make them accessible. + + debian.server.installation:: + + "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt" + contain => in_shell; + + debian.ltspclient.installation:: + + "/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt" + contain => in_shell; + "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt" + contain => in_shell; + + # Note that 'ltsp-update-image --config-nbd' is needed to generate the image and + # to configure NBD; adjust rights to make the image available for the NBD server. + + debian.ltspserver.!ltspimages.installation:: + + "/usr/sbin/ltsp-update-image --config-nbd" + contain => in_shell; + "/bin/chmod 0755 /opt/ltsp/images/" + contain => in_shell; + "/bin/chmod 0644 /opt/ltsp/images/*.img" + contain => in_shell; } bundle edit_line profile diff -Nru debian-edu-config-2.10.65/cf3/cf.homes debian-edu-config-2.10.65+deb10u1/cf3/cf.homes --- debian-edu-config-2.10.65/cf3/cf.homes 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/cf3/cf.homes 2019-08-19 21:02:54.000000000 +0200 
@@ -38,7 +38,7 @@ vars: "default_arch" string => ifelse("x86_64", "amd64", - "i386", "i386", + "i686", "i386", $(sys.arch)); "combined" slist => { "/srv/nfs4 @ltsp-server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,fsid=0,crossmnt,no_subtree_check) @workstation-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,fsid=0,crossmnt,no_subtree_check) @server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,fsid=0,crossmnt,no_subtree_check)", "/srv/nfs4/home0 @ltsp-server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,no_subtree_check) @workstation-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,no_subtree_check) @server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,no_subtree_check)", diff -Nru debian-edu-config-2.10.65/cf3/cf.workarounds debian-edu-config-2.10.65+deb10u1/cf3/cf.workarounds --- debian-edu-config-2.10.65/cf3/cf.workarounds 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/cf3/cf.workarounds 2019-08-19 21:04:05.000000000 +0200 
@@ -23,6 +23,22 @@ link_from => ln_s("/usr/share/debian-edu-config/squid.resolvconf"), move_obstructions => "true"; + debian.workstation.installation:: + # Fix black frame issue for mozilla profile on NFS share (workaround for #930125). + # FIXME: check if this is still needed with firefox-esr 68.x + "/etc/X11/Xsession.d/99edu-firefox-nfs" + link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"), + move_obstructions => "true"; + "/etc/profile.d/edu-firefox-nfs.sh" + link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"), + move_obstructions => "true"; + + # Provide Debian Edu RootCA pub key file for download. + + debian.server.installation:: + "/etc/debian-edu/www/Debian-Edu_rootCA.crt" + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt"); + commands: debian.xfce.(ltspclient|ltspserver).installation:: diff -Nru debian-edu-config-2.10.65/cf3/edu.cf debian-edu-config-2.10.65+deb10u1/cf3/edu.cf --- debian-edu-config-2.10.65/cf3/edu.cf 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/cf3/edu.cf 2019-08-19 21:03:55.000000000 +0200 @@ -23,6 +23,7 @@ "standalone" expression => not( fileexists("/usr/bin/ntpq") ); "minimal" expression => returnszero("/bin/grep 'Minimal' /etc/debian-edu/config","noshell"); "ltspclient" expression => fileexists("/usr/bin/getltscfg"); + "ltspimages" expression => isdir("/opt/ltsp/images"); "installation" expression => fileexists("/sbin/start-stop-daemon.REAL"); "testinstall" expression => returnszero("/bin/grep 'TESTINSTALL=\"true\"' /etc/debian-edu/config","noshell"); # Set if the internet is reachable for downloading files. diff -Nru debian-edu-config-2.10.65/debian/changelog debian-edu-config-2.10.65+deb10u1/debian/changelog --- debian-edu-config-2.10.65/debian/changelog 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/debian/changelog 2019-08-26 07:24:31.000000000 +0200 
@@ -1,3 +1,87 @@ +debian-edu-config (2.10.65+deb10u1) buster; urgency=medium + + [ Wolfgang Schweer ] + * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756) + - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure + that all DHCP server information is getting through to LTSP clients. + (LTSP used this option before, but switched to 'ipappend 3' during the + Buster development cycle to ease setups with ProxyDHCP.) + * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964) + - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.) + * Set environment variable to deal with Firefox profile. (Closes: #930122) + This is a workaround for bug #930125, preventing firefox-esr startup issues + if the mozilla profile is on an NFS share). + - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes" + as content. Thanks to Mike Gabriel for spotting the issue and providing + this information. + - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file + to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'. + * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680) + - While the reported arch is i686, LTSP uses i386. Set arch accordingly. + * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366) + - Remove outdated (and now wrong) logging section. + * Fix loss of dynamically allocated v4 IP address. (Closes: #933580) + - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due + to changed behaviour of the ifupdown/dhclient/systemd combination and now + also causes the loss of a dynamically allocated ipv4 IP address after 20 + to 30 minutes after booting. + - Add code to d/debian-edu-config.postinstall to implement the intended + hostname update just after rebooting the system after a change. + - Adjust Makefile. + * Provide Debian Edu RootCA certificate for download. 
(Closes: #933183) + - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the + rootCA file to the web server directory at certificate generation time. + - Adjust cf3/cf.finalize to care for the rootCA file as well. + - Adjust cf3/cf.workarounds to copy the rootCA file to the web server + directory upon main server upgrade. + * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828) + - etc/ltsp/ltsp-build-client.conf: Don't create the image by default. + - cf3/edu.cf: Define new class 'ltspimages'. + - cf3/cf.finalize: Add code to include the LDAP server certificate for all + possible use cases, to generate the image and to adjust various rights. + * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67). + - Use independent conditions to make sure that the LDAP server certificate + is only downloaded once for both host and LTSP chroot. (Closes: #934380) + - Add code to validate the LDAP server certificate in case the Debian Edu + RootCA certificate is available for download. + + [ Mike Gabriel ] + * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66): + - Make the script (and with it Debian Edu buster workstations) work in a + Debian Edu environment where the main server (TJENER) is still on Debian + Edu 8 or 9. (Closes: #926933) + - Retrieve TJENER's PKI server certificate only once per host to improve + security. This re-introduces the behaviour of fetch-ldap-cert in stretch + and earlier. (Closes: #931413). + * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67): + - White-space-only change: Fix broken and inconsistent indentations. + - Fully inline-document fetch-ldap-cert script. + - Add "-f" option to all curl calls that don't have it set so far. + This assures that curl bails out with a non-zero exit code, if anything + goes wrong while retrieving certificate files. + - Also report a successful certificate verification if we verified the + LDAP server certificate using the Debian Edu RootCA. 
+ - Really check that the LDAP server uses a certificate issued by the + "Debian Edu RootCA", not just by (some) "RootCA". + - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots. + - LTSP chroot certificate copying: only log those actions, if they are + actually about to happen.. + - Silence curl stderr and gnutls-cli stdout+stderr. + - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run + CERTFILE (and ROOTCACRT retrieval) until we have both on the client. + This will lead to repetitive downloads of the CERTFILE on system boot. + To get rid of this, people must upgrade their TJENERs from Debian Edu + 10.0 to 10.1. Then it will stop. This hack is necessary to assure + distribution of the RootCA to all clients that don't have it, yet. + - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot + copying from chroot copying of the CERTFILE. The chroot may have the + CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade + path from Debian Edu 10.0 to Debian Edu 10.1. + - Do a simple validity check if a directory under /opt/ltsp really is + a chroot (and e.g. not the SquashFS images' directory). + + -- Mike Gabriel <mike.gabr...@das-netzwerkteam.de> Mon, 26 Aug 2019 07:24:31 +0200 + debian-edu-config (2.10.65) unstable; urgency=medium [ Wolfgang Schweer ] diff -Nru debian-edu-config-2.10.65/debian/debian-edu-config.fetch-ldap-cert debian-edu-config-2.10.65+deb10u1/debian/debian-edu-config.fetch-ldap-cert --- debian-edu-config-2.10.65/debian/debian-edu-config.fetch-ldap-cert 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/debian/debian-edu-config.fetch-ldap-cert 2019-08-19 21:19:58.000000000 +0200 
@@ -23,67 +23,244 @@ CERTFILE=/etc/ssl/certs/debian-edu-server.crt BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt +ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt do_start() { - # Locate LDAP server - LDAPSERVER=$(debian-edu-ldapserver) - ERROR=false - if [ -f /etc/nslcd.conf ] && - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then - if [ -z "$LDAPSERVER" ] ; then - msg="Failed to locate LDAP server" - log_action_begin_msg "$msg" - log_action_end_msg 1 - logger -t fetch-ldap-cert "$msg." - return 1 + # Locate LDAP server + LDAPSERVER=$(debian-edu-ldapserver) + LDAPPORT=636 # ldaps + ERROR=false + + ### + ### PHASE 1: RootCA / bundle-cert / LDAP server cert retrieval + ### + + if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] && + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then + + # LDAP server host not known/found, bailing out... + if [ -z "$LDAPSERVER" ] ; then + msg="Failed to locate LDAP server" + log_action_begin_msg "$msg" + log_action_end_msg 1 + logger -t fetch-ldap-cert "$msg." + return 1 + fi + + [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." + + # do an openssl connect to the LDAP server, and check whether its certificate + # has been issued by the "Debian Edu RootCA", if not we are likely dealing with a + # pre-Debian Edu 10 (aka buster) TJENER or with some other non-Debian-Edu LDAP + # server. + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q "Debian Edu RootCA" ; then + + # Since Debian Edu 10, the LDAP certificate (or the RootCA file) is distributed + # over http (always via the host serving www.intern, by default: TJENER) + # + # We do an availability check for the webserver first, to provide proper + # error reporting (see below). So, the following check merely discovers, + # if the webserver is online at all. 
+ if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then + + # Now let's see if the webserver has the "Debian Edu RootCA" file. + # This has been the case for Debian Edu main servers (TJENER) since + # Debian Edu 10.1. + if curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null && \ + + grep -q CERTIFICATE $ROOTCACRT ; then + + # Obtained a RootCA-verified version of the LDAP server's server certificate. + gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null + logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern." + + # If the host previously had got the BUNDLECERT file installed, + # we make sure here to have it removed. From now on, the LTSP chroot + # can operate on the ROOTCACRT file and the BUNDLECERT will never get + # update anymore once the ROOTCACRT is available on www.intern. + rm -f $BUNDLECRT + else + + # If there is no Debian Edu RootCA available on www.intern, fallback to + # debian-edu-bundle.crt download (an approach done by a Debian Edu 10.0 + # main server (aka TJENER) only and changed to RootCA provisioning in + # in Debian Edu 10.1. + + # Drop the ROOTCACRT file, as it probably only contains some 404 http + # error message in html. + rm -f $ROOTCACRT + + # So, now let's see if the webserver has the "debian-edu-bundle.crt" + # file. If so (and no Debian Edu RootCA file), then we are likely dealing + # with a Debian Edu 10.0 main server. + if curl -fk https://www.intern/debian-edu-bundle.crt 1> $BUNDLECRT 2>/dev/null && \ + grep -q CERTIFICATE $BUNDLECRT ; then + + # Obtained a self-verified version of the LDAP server's server certificate. + # (The BUNDLECERT file should already contain the LDAP server's certificate, + # so having this cert file should allow us to successfully and "verified'ly" + # connect to the LDAP server and let us retrieve that very same certificate). 
+ gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null + logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." + else + + # We should never get here... If we do anyway, then something went + # terribly wrong or the www.intern servicing server is misconfigured. + + # Drop the ROOTCACRT file, as it probably only contains some 404 http + # error message in html. + rm -f $BUNDLECRT + + logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern." + fi + + fi + + else + + # Report an error, if www.intern is down http-wise. This can happen and is probably + # a temporary problem that needs an admin to fix it. + log_action_end_msg 1 + logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down." + ERROR=true + + fi + + else + + # Fallback: Fetch LDAP certificate from a pre-Debian-Edu-10 (aka buster) LDAP server + # (or some non-Debian-Edu LDAP server) + /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new + chmod 644 $CERTFILE.new + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate." + + # FIXME: Add some error handling here: + # - LDAP server down + # - what-not-else... + + fi + + # By now, we should have obtained the LDAP server's CERTFILE (verified in two cases (10.0 or 10.1 TJENER), + # simply downloaded from the LDAP server itself in the third case (pre-10.0 TJENER) + if test -s $CERTFILE.new ; then + mv $CERTFILE.new $CERTFILE + [ "$VERBOSE" != no ] && log_action_end_msg 0 + if [ -f $BUNDLECRT ] || [ -f $ROOTCACRT ] ; then + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + else + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER." + fi + else + + # We obviously have failed in some other way, if the CERTFILE.new is empty (zero size) + # Again, something went awfully wrong, if we end up here... 
+ rm -f $CERTFILE.new + log_action_end_msg 1 + logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." + ERROR=true + + fi + fi - [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." - if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + + ### + ### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present. + ### + + if [ -d /opt/ltsp ] ; then + + # Loop over all to be found LTSP chroots... + for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do + + if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then + # likely not a chroot dir, skipping... + continue + fi + + # Only install the CERTFILE into this chroot, if not already present... + if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] && + grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then + + # Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's + # certificate. + log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " + [ "$VERBOSE" != no ] && + if test -s $CERTFILE; then + cp $CERTFILE $ltsp_chroot$CERTFILE + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else + log_action_end_msg 1 + ERROR=true + fi + fi + + if [ ! -f $ltsp_chroot$ROOTCACRT ]; then + + if test -e $ROOTCACRT; then + + # If we retrieved it, we also copy the obtained ROOTCACRT into the LTSP chroot + # (containing the self-built rootCA of the Debian Edu site). + log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot " + if test -s $ROOTCACRT; then + + # If the chroot previously had got the BUNDLECERT file installed, + # we should make sure here to have it removed. From now on, the LTSP chroot + # can operate on the ROOTCACRT file and the BUNDLECERT will never get + # update anymore once the ROOTCACRT is available on www.intern. 
+ rm -f $ltsp_chroot$BUNDLECRT + cp $ROOTCACRT $ltsp_chroot$ROOTCACRT + [ "$VERBOSE" != no ] && log_action_end_msg 0 + + else + log_action_end_msg 1 + ERROR=true + fi + + fi + + fi + + if [ ! -f $ltsp_chroot$BUNDLECRT ] && [ ! -f $ltsp_chroot$ROOTCACRT ]; then + + if test -e $BUNDLECRT; then + # If we talked to a Debian Edu 10.0 main server (aka TJENER) above, then we + # don't have the ROOTCACRT. We copy the BUNDLECRT file into the LTSP chroot + # instead (containing all certificates ever issued for the Debian Edu site). + # This is just a fallback, in fact, we need the Debian Edu RootCA. + + # If you end up here, then please upgrade your Debian Edu 10.0 server to a + # a newer version (Debian Edu 10.1 and beyond). + log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " + if test -s $BUNDLECRT; then + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else + log_action_end_msg 1 + ERROR=true + fi + fi + + fi + + done fi - if test -s $CERTFILE.new ; then - mv $CERTFILE.new $CERTFILE - [ "$VERBOSE" != no ] && log_action_end_msg 0 - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." - else - rm $CERTFILE.new - log_action_end_msg 1 - logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." - ERROR=true + + if $ERROR; then + return 1 fi - fi - if [ -d /opt/ltsp ] ; then - for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do - if [ ! 
-f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] && - grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then - [ "$VERBOSE" != no ] && - log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " - if test -s $CERTFILE; then - cp $CERTFILE $ltsp_chroot$CERTFILE - [ "$VERBOSE" != no ] && log_action_end_msg 0 - else - log_action_end_msg 1 - ERROR=true - fi - fi - done - fi - if $ERROR; then - return 1 - fi } case "$1" in - start) - do_start - ;; - stop) - ;; - restart|force-reload) - ;; - *) - echo "Usage: $0 {start|stop|restart|force-reload}" - exit 2 + start) + do_start + ;; + stop) + ;; + restart|force-reload) + ;; + *) + echo "Usage: $0 {start|stop|restart|force-reload}" + exit 2 esac exit 0 diff -Nru debian-edu-config-2.10.65/debian/debian-edu-config.postinst debian-edu-config-2.10.65+deb10u1/debian/debian-edu-config.postinst --- debian-edu-config-2.10.65/debian/debian-edu-config.postinst 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/debian/debian-edu-config.postinst 2019-08-19 21:05:04.000000000 +0200 
@@ -225,15 +225,23 @@ chown root:root /etc/sssd/sssd-debian-edu.conf # The scripts in /etc/network/if-up.d need to be executable. - chmod +x /etc/network/if-up.d/hostname # Drop wpad-proxy-update for the main server, it makes no sense to run the - # script at this time. - if egrep -q "(Main-Server)" /etc/debian-edu/config ; then + # script at this time. Also drop it for the gateway, it doesn't make sense. + if egrep -q "(Main-Server)" /etc/debian-edu/config || grep -q gateway /etc/hostname; then rm -f /etc/network/if-up.d/wpad-proxy-update else chmod +x /etc/network/if-up.d/wpad-proxy-update fi + # Add post-up stanza to interfaces file to let hostname changes take effect + # immediately after reboot (would take up to 15 min. otherwise). Exclude the + # gateway; the script doesn't make sense and would taint network setup. + if [ -f /etc/network/interfaces ] && ! grep -q gateway /etc/hostname && \ + ! grep -q post-up /etc/network/interfaces ; then + sed -i '/iface eth0 inet dhcp/a \ post-up \/usr\/sbin\/update-hostname-from-ip' \ + /etc/network/interfaces + fi + # silence dovecot's message: if you have trouble with authentication failures, # enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork # This message goes away after the first successful login. diff -Nru debian-edu-config-2.10.65/etc/ltsp/ltsp-build-client.conf debian-edu-config-2.10.65+deb10u1/etc/ltsp/ltsp-build-client.conf --- debian-edu-config-2.10.65/etc/ltsp/ltsp-build-client.conf 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/etc/ltsp/ltsp-build-client.conf 2019-08-19 21:03:55.000000000 +0200 
@@ -7,7 +7,7 @@ # Uncomment the next two entries, if NFS instead of NBD should be used for a # manually created LTSP chroot. #NFS_ROOT="True" -#SQUASHFS_IMAGE="False" +SQUASHFS_IMAGE="False" # This setting is needed to be able to install a chroot using the BD ISO image. TRUST_FILE_MIRROR="True" diff -Nru debian-edu-config-2.10.65/etc/network/if-up.d/hostname debian-edu-config-2.10.65+deb10u1/etc/network/if-up.d/hostname --- debian-edu-config-2.10.65/etc/network/if-up.d/hostname 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/etc/network/if-up.d/hostname 1970-01-01 01:00:00.000000000 +0100 
@@ -1,43 +0,0 @@ -#!/bin/sh - -# Purpose: Used by dhclient-script to set the hostname of the system -# to match the DNS information for the host as provided by DHCP. -# -# This script is based on code found on the web: -# http://www.debian-administration.org/articles/447 and -# http://nxhelp.com/blog/2013/01/24/automatically-set-hostname-from-dhcp/ -# - -PATH=/sbin:$PATH -export PATH - -# Should not update hostname on Main-Server, Roaming-Workstation and -# Standalone. Those get their fixed hostname set during installation -# (or manually after installation) and should not change dynamically -# if moved between networks. -if [ -r /etc/debian-edu/config ] ; then - . /etc/debian-edu/config -fi - -if echo "$PROFILE" | egrep -q 'Main-Server|Roaming-Workstation|Standalone' ; then - exit 0 - else - if echo "$PROFILE" | egrep -q 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then - : - fi -fi - -log() { - logger -t network/if-up.d/hostname "$1" -} - -sethostname() { - hostname="$1" - namesource="$2" - echo $hostname > /etc/hostname - hostname $hostname - log "changing hostname to $hostname based on $namesource" -} - -namesource="DHCP IP address $new_ip_address" -/usr/sbin/update-hostname-from-ip diff -Nru debian-edu-config-2.10.65/Makefile debian-edu-config-2.10.65+deb10u1/Makefile --- debian-edu-config-2.10.65/Makefile 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/Makefile 2019-08-19 21:05:04.000000000 +0200 @@ -102,7 +102,6 @@ ldap/rootDSE-debian-edu.ldif \ ldap/slapd-debian-edu.conf \ ltsp/ltsp-build-client.conf \ - network/if-up.d/hostname \ network/if-up.d/wpad-proxy-update \ samba/netlogon/1stlogon/1stlogon.bat \ samba/netlogon/config/get_time.bat \ 
@@ -389,6 +388,7 @@ share/debian-edu-config/55xfce4-session-debian-edu \ share/debian-edu-config/lightdm-gtk-greeter.conf \ share/debian-edu-config/sudo-ldap.conf \ + share/debian-edu-config/edu-firefox-nfs \ share/pam-configs/edu-group \ share/pam-configs/edu-umask \ share/perl5/Debian/Edu.pm \ diff -Nru debian-edu-config-2.10.65/share/debian-edu-config/edu-firefox-nfs debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/edu-firefox-nfs --- debian-edu-config-2.10.65/share/debian-edu-config/edu-firefox-nfs 1970-01-01 01:00:00.000000000 +0100 +++ debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/edu-firefox-nfs 2019-08-19 20:59:23.000000000 +0200 @@ -0,0 +1 @@ +export NSS_SDB_USE_CACHE="yes" diff -Nru debian-edu-config-2.10.65/share/debian-edu-config/sudo-ldap.conf debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/sudo-ldap.conf --- debian-edu-config-2.10.65/share/debian-edu-config/sudo-ldap.conf 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/sudo-ldap.conf 2019-08-19 20:57:24.000000000 +0200 @@ -2,4 +2,5 @@ # Debian Edu specific setting needed in addition to those in /etc/nslcd.conf # Providing this file allows one to leave /etc/ldap/ldap.conf untouched. # +uri ldap://ldap.intern sudoers_base ou=sudoers,dc=skole,dc=skolelinux,dc=no diff -Nru debian-edu-config-2.10.65/share/debian-edu-config/tools/create-debian-edu-certs debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/tools/create-debian-edu-certs --- debian-edu-config-2.10.65/share/debian-edu-config/tools/create-debian-edu-certs 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/tools/create-debian-edu-certs 2019-08-19 21:04:05.000000000 +0200 
@@ -72,7 +72,9 @@ # available via web-server. cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www + cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www chmod 644 /etc/debian-edu/www/debian-edu-bundle.* + chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www." } diff -Nru debian-edu-config-2.10.65/share/debian-edu-config/tools/kerberos-kdc-init debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/tools/kerberos-kdc-init --- debian-edu-config-2.10.65/share/debian-edu-config/tools/kerberos-kdc-init 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/share/debian-edu-config/tools/kerberos-kdc-init 2019-08-19 21:03:15.000000000 +0200 @@ -140,11 +140,6 @@ .intern = INTERN intern = INTERN -[logging] - kdc = FILE:/var/log/kdc.log - kadmin = FILE:/var/log/kadmin.log - default = FILE:/var/log/krb5.log - [dbdefaults] ldap_kerberos_container_dn = $DN_KRB_CONT diff -Nru debian-edu-config-2.10.65/share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings debian-edu-config-2.10.65+deb10u1/share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings --- debian-edu-config-2.10.65/share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings 2019-04-12 22:13:55.000000000 +0200 +++ debian-edu-config-2.10.65+deb10u1/share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings 2019-08-19 20:54:13.000000000 +0200 @@ -18,4 +18,8 @@ echo 'APT::Cmdline::ignore-trust-violations "true";' ) >> $ROOT/etc/apt/apt.conf.d/90ltsp-build-client ;; + after-install) + mkdir -p $ROOT/etc/ltsp/update-kernels.conf.d + echo 'IPAPPEND="2"' > $ROOT/etc/ltsp/update-kernels.conf.d/pxe + ;; esac
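Review bot: In the debian-edu-config.postinst hunk, `grep -q gateway /etc/hostname` is an unanchored substring match, so any host whose name merely contains "gateway" (a workstation called "gateway-test", say) is treated as the gateway: it loses wpad-proxy-update and never gets the post-up stanza. Use `grep -qx gateway /etc/hostname`, or test the profile in /etc/debian-edu/config as the first half of the condition already does. Two further points in the same hunk: the sed address `/iface eth0 inet dhcp/` only matches a primary interface literally named eth0, so on hosts using predictable interface names the stanza is silently never added and `update-hostname-from-ip` never runs after reboot; and the guard `! grep -q post-up /etc/network/interfaces` suppresses the insertion whenever any post-up line exists for any interface, so a more precise guard is `! grep -q update-hostname-from-ip /etc/network/interfaces`.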
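Review bot: In the ltsp-build-client.conf hunk the comment right above the change, "Uncomment the next two entries, if NFS instead of NBD should be used", is now wrong: only `#NFS_ROOT="True"` stays commented while `SQUASHFS_IMAGE="False"` is active for every chroot build, NFS or not. Reword the comment so it refers to a single entry, and add a line saying why the squashfs image is now disabled unconditionally, since nothing in the hunk explains it.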
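Review bot: Deleting etc/network/if-up.d/hostname from the package (and from the Makefile install list) does not remove it from already installed systems: a file shipped under /etc is a conffile, and dpkg leaves an obsolete conffile in place on upgrade, so ifupdown would keep executing the old script, including its final call to /usr/sbin/update-hostname-from-ip, on every upgraded host. The postinst hunk only drops the `chmod +x` for the file rather than removing it. Add a `rm_conffile /etc/network/if-up.d/hostname 2.10.65+deb10u1~` entry to debian/debian-edu-config.maintscript (the usual dpkg-maintscript-helper mechanism) so the stale script is removed on upgrade, and check on an upgraded test host that `/etc/network/if-up.d/hostname` is gone.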
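Review bot: The new `uri ldap://ldap.intern` line in sudo-ldap.conf configures a plain ldap:// URI, and this file carries no `ssl start_tls` or `tls_cacertfile` setting, so unless TLS is configured for sudo's LDAP client elsewhere the sudoers rules (which decide who may run what as root) are fetched over an unauthenticated cleartext connection. sudo does not read /etc/nslcd.conf, so the comment "in addition to those in /etc/nslcd.conf" does not carry the nslcd TLS settings over; the init-script hunk at the top of this patch shows nslcd itself being pointed at /etc/ssl/certs/debian-edu-server.crt. Add `ssl start_tls` together with `tls_cacertfile` pointing at the Debian Edu CA certificate (the Debian-Edu_rootCA.crt published by the create-debian-edu-certs hunk), or use an ldaps:// URI, and confirm with `sudo -l` on a client while watching port 389 traffic that the directory lookup is encrypted.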