Your message dated Wed, 29 Dec 2021 17:33:29 +0000
with message-id <[email protected]>
and subject line Bug#1002014: fixed in debian-edu-config 2.12.15
has caused the Debian Bug report #1002014,
regarding debian-edu-config: Kerberos host principals change far too often
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1002014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002014
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.12.14
Severity: important
Currently, with every edit operation on a GOsa² system, the Host (and
nfs) Principal(s) of that host get updated (changed). This is
especially problematic if you use krb5i based NFS across a school
site from various workstations.
The problem is that whenever some admin edits a host in GOsa², this host
will lose NFS connectivity to /srv/nfs/home0 until the
/etc/krb5.keytab has been updated on that client host. This is hardly
maintainable.
The underlying reason is in the gosa-modify-host hook script. The
script runs add_principal for host/<client> and nfs/<client> after
every save operation on a GOsa² system. We need to check here, if
those Kerberos principals already exist and only if not, then add
those principals.
This has been discussed with Wolfgang Schweer on IRC...
22:03 < sunweaver> as mentioned yesterday, I played with krb5i and
diskless workstation quite a bit yesterday.
22:03 < sunweaver> I basically managed to get a Debian Edu 10 and 11
DLW (diskless workstation) running against a Debian Edu 11 TJENER.
22:03 < sunweaver> However...
22:04 < sunweaver> Whenever I edit either the client or the TJENER in
GOsa, the principal gets updated in krb5-ldap and my krb5.keytab
becomes invalid.
22:05 < schweer> hm, then the keytab needs to be updated, too.
22:05 < sunweaver> This is happening in gosa-modify-host which simply
runs an add_principal for that host.
22:05 < schweer> yes.
22:05 < sunweaver> I was wondering, if this gosa-modify-host
way-of-doing-things is intentional.
22:05 < schweer> yes, intentional, but obviously suboptimal
22:05 < sunweaver> because, I'd rather check if the host (and nfs)
principals exist in krb5-ldap and only create them if they don't exist.
22:06 < schweer> good idea
22:06 < sunweaver> because then, the principals won't change that
often as they do now.
22:06 < sunweaver> and krb5.keytab files stay valid
22:06 < sunweaver> I'll propose a patch, then.
22:07 < schweer> feel free to improve gosa-modify-host
22:07 < sunweaver> will do, np.
22:07 < schweer> just commit that change
22:07 < sunweaver> (you provided great work, however, I'll do a little
QA over the next couple of days, if ok).
22:08 < schweer> very appreciated
I'll propose a patch for this, which will then need to be integrated
in the next Debian 11 point release.
light+love
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://das-netzwerkteam.de
--- End Message ---
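The check-before-create behaviour requested in the report above, as an added shell example that is not the actual gosa-modify-host code: the function names, the `KADMIN` and `REALM` variables and the placeholder realm are assumptions. It matches the `list_principals` output exactly instead of relying on the kadmin exit status.

```shell
#!/bin/sh
# Added example, not the debian-edu-config hook itself.
# KADMIN, REALM and all function names are assumptions for illustration.
KADMIN="${KADMIN:-kadmin.local}"
REALM="${REALM:-EXAMPLE.TEST}"   # placeholder realm, replace with the site realm

# Return 0 only if the exact principal is present in the KDC database.
# list_principals accepts a glob and prints one principal per line, so the
# output is matched as a whole fixed line to avoid prefix matches.
principal_exists() {
    $KADMIN -q "list_principals $1" 2>/dev/null | grep -Fxq "$1"
}

# Create a principal with a random key only when it is missing.
# An existing principal is left untouched, so its key version does not
# change and keytabs already deployed on clients stay valid.
ensure_principal() {
    if principal_exists "$1"; then
        echo "kept $1"
    else
        $KADMIN -q "add_principal -randkey $1" >/dev/null 2>&1 || return 1
        # Verify the result instead of trusting the add command alone.
        principal_exists "$1" || return 1
        echo "created $1"
    fi
}

# Ensure both principals a krb5i NFS client needs: host/<fqdn> and nfs/<fqdn>.
ensure_host_principals() {
    fqdn="$1"
    for service in host nfs; do
        ensure_principal "$service/$fqdn@$REALM" || return 1
    done
}
```

Calling `ensure_host_principals <fqdn>` on every save is then safe to repeat: only the first call for a host creates anything.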
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.15
Done: Holger Levsen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated debian-edu-config
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 Dec 2021 18:15:27 +0100
Source: debian-edu-config
Architecture: source
Version: 2.12.15
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Closes: 1002014
Changes:
debian-edu-config (2.12.15) unstable; urgency=medium
.
[ Mike Gabriel ]
* share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service
principals if they don't yet exist. (Closes: #1002014).
* share/d-e-c/tools/copy-host-keytab: Restart nfs-common/rpc-gssd after
having copied over /etc/krb5.keytab. This avoids rebooting for applying
the copied over changes.
* share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.
.
[ lintian-brush ]
* Add missing build dependency on dh addon.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---