Bug#1064885: debian-edu-doc: please add links files for ro and uk pkgs

2024-02-27 Thread Wolfgang Schweer
Source: debian-edu-doc
Version: 2.12.24
Severity: normal
Tags: patch

Dear Maintainer,

the recently added ro and uk packages are both missing the related links 
file. Files attached, please check.

Wolfgang
/usr/share/doc/debian-edu-doc-ro /usr/share/doc/debian-edu-doc/ro
/usr/share/doc/debian-edu-doc-uk /usr/share/doc/debian-edu-doc/uk
/usr/share/doc/debian-edu-doc-legacy-uk /usr/share/doc/debian-edu-doc/legacy-uk


signature.asc
Description: PGP signature


Bug#1064412: debian-edu-doc: Link errors in Bookworm doc

2024-02-26 Thread Wolfgang Schweer
Hi Rafael,

thanks for reporting the link errors. These are gone after my wiki.d.o edits:

> Error: no ID for constraint linkend: "DebianEdu".

wrong name, should have been Debian Edu; the wrong one is considered to 
be an internal link.

> Error: no ID for constraint linkend: 
> "Installation--Installing_a_gateway_using_debian-edu-router".

related anchor added on the target wiki page

> Error: no ID for constraint linkend: 
> "Administration--ldap-createuser-krb5.2C_a_command-line_tool_for_adding_users".

linking to Administration chapter, anchor for deep link didn't work out 
like expected

Wolfgang




Bug#1058789: defaults.common: don't add contrib and non-free mirror components

2023-12-16 Thread Wolfgang Schweer
Source: debian-edu-install
Version: 2.12.9~deb12u1
Severity: normal
Tags: patch

Dear Maintainer,

since the Debian bookworm release, d-i apt-setup adds non-free-firmware 
as new default mirror component by default. This improves user 
experience in case of awkward hardware (esp. network components).

As a Debian Pure Blend, Debian Edu should no longer enable contrib and 
non-free mirror components.

Those have been a service for users when d-e-config/.../tools/pxe-addfirmware
and .../tools/ltsp-addfirmware were needed to add required non-free firmware.

Please note: Both scripts might be obsolete as of bookworm. Also, the 
manual might need revision concerning non-free firmware.

This change will fix the bug (patch also attached):

diff --git a/preseed-values/defaults.common b/preseed-values/defaults.common
index cd4d08ca..9bb71e35 100644
--- a/preseed-values/defaults.common
+++ b/preseed-values/defaults.common
@@ -41,5 +41,3 @@ hddtemp hddtemp/daemon boolean false
 # remove the need to set up APT sources using cfengine.
 choose-mirror-bin mirror/http/hostname string deb.debian.org
 choose-mirror-bin mirror/http/directory string /debian/
-apt-mirror-setup apt-setup/non-free boolean true
-apt-mirror-setup apt-setup/contrib boolean true

Wolfgang
diff --git a/preseed-values/defaults.common b/preseed-values/defaults.common
index cd4d08ca..9bb71e35 100644
--- a/preseed-values/defaults.common
+++ b/preseed-values/defaults.common
@@ -41,5 +41,3 @@ hddtemp hddtemp/daemon boolean false
 # remove the need to set up APT sources using cfengine.
 choose-mirror-bin mirror/http/hostname string deb.debian.org
 choose-mirror-bin mirror/http/directory string /debian/
-apt-mirror-setup apt-setup/non-free boolean true
-apt-mirror-setup apt-setup/contrib boolean true
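Review bot: Dropping the `apt-setup/non-free` and `apt-setup/contrib` lines at the end of defaults.common leaves both questions unanswered rather than answered with "no", so the outcome depends on the installer's own defaults and on any other preseed source that sets them. If the intent is that Debian Edu never enables these components, preseed both as `boolean false`, or state in the comment above the mirror settings that the d-i default is relied on.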




Bug#1058788: apt-setup: fails to add security mirror entry

2023-12-16 Thread Wolfgang Schweer
Source: debian-edu-install
Version: 2.11.3
Severity: important
Tags: patch

Dear Maintainer,

since Debian changed the security mirror URL (as of bullseye), the 
related Debian Edu apt-setup generator script (70debian-edu-install) 
prevents the Debian installer apt-setup mechanism from writing the security 
mirror entry *also in case of an existing Internet connection*.

The Debian Edu apt-setup generator script is useful in case of 
completely offline installations (using the BD ISO image). The manual 
informs about the missing security mirror entry in this case, see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Installation#A_note_on_USB_flash_drive_.2F_Blu-ray_disc_image_installs

This change will fix the bug (patch also attached):

diff --git a/apt-setup/generators/70debian-edu-install 
b/apt-setup/generators/70debian-edu-install
index ae977616..bfabc59f 100755
--- a/apt-setup/generators/70debian-edu-install
+++ b/apt-setup/generators/70debian-edu-install
@@ -28,7 +28,7 @@ DISTRIBUTION="$RET"
 # Prevent installer to contact security host as we don't have network
 # connection.  Setting apt-setup/security_host to an empty value will
 # make apt-setup/generators/90security skip the security mirror
-if ! wget -qO - http://security.debian.org/dists/$DISTRIBUTION/updates/Release 
; then
+if ! wget -qO - 
http://security.debian.org/dists/$DISTRIBUTION-security/Release ; then
log "Disabling security mirror, unable to reach it using http/wget"
db_fset apt-setup/security_host seen true || true
db_set apt-setup/security_host "" || true
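Review bot: The probe in the changed `if ! wget -qO - ...` line still writes the fetched Release file to stdout and sets no timeout, so on a network that silently drops traffic the installer can wait in this check for a long time before the security mirror is disabled. Send the output to /dev/null, set a timeout, and quote the URL since it expands `$DISTRIBUTION`. The suite layout is also hard-coded here a second time; a comment saying it must match what apt-setup/generators/90security writes would help the next time the layout changes.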

Wolfgang

diff --git a/apt-setup/generators/70debian-edu-install b/apt-setup/generators/70debian-edu-install
index ae977616..bfabc59f 100755
--- a/apt-setup/generators/70debian-edu-install
+++ b/apt-setup/generators/70debian-edu-install
@@ -28,7 +28,7 @@ DISTRIBUTION="$RET"
 # Prevent installer to contact security host as we don't have network
 # connection.  Setting apt-setup/security_host to an empty value will
 # make apt-setup/generators/90security skip the security mirror
-if ! wget -qO - http://security.debian.org/dists/$DISTRIBUTION/updates/Release ; then
+if ! wget -qO - http://security.debian.org/dists/$DISTRIBUTION-security/Release ; then
 	log "Disabling security mirror, unable to reach it using http/wget"
 	db_fset apt-setup/security_host seen true || true
 	db_set apt-setup/security_host "" || true
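
A check for the effect described in this report, as an added example that is not part of the original message or of debian-edu-install: it tests whether a sources.list carries an active security entry using the suite layout of the given release (`<codename>/updates` before bullseye, `<codename>-security` from bullseye on). The function names, the list of older codenames and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sources.list for an active Debian security entry.

# Print the security suite name for a release codename.
# Assumption: only the codenames listed here predate the bullseye change.
expected_security_suite() {
    case "$1" in
        jessie|stretch|buster) printf '%s/updates\n' "$1" ;;
        *)                     printf '%s-security\n' "$1" ;;
    esac
}

# Return 0 if FILE ($1) has an uncommented "deb" line that points at a
# security archive and uses the suite expected for CODENAME ($2); 1 otherwise.
has_security_entry() {
    hse_suite=$(expected_security_suite "$2")
    awk -v suite="$hse_suite" '
        $1 == "deb" {
            i = 2
            # Skip an optional [option=value ...] block; it may span fields.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if ($i ~ /security\.debian\.org|\/debian-security/ && $(i + 1) == suite)
                found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: a bookworm sources.list as left behind when the
# installer skipped the security mirror (the only security line is commented).
demo() {
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/sources.list" <<'EOF'
deb http://deb.debian.org/debian/ bookworm main
# deb http://security.debian.org/debian-security bookworm-security main
EOF
    if has_security_entry "$demo_dir/sources.list" bookworm; then
        echo "security entry present"
    else
        echo "MISSING security entry for $(expected_security_suite bookworm)"
    fi
    rm -rf "$demo_dir"
}
demo
```

A stale `bullseye/updates` line is reported as missing as well, because it names a suite that no longer exists for that release.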




Bug#1058786: debian-edu-artwork-emerald: login background.svg: wrong logo position

2023-12-16 Thread Wolfgang Schweer
Package: debian-edu-artwork-emerald
Version: 2.12.3-2~deb12u1
Severity: normal

Dear Maintainer,

in case of default installations the Debian Edu logo is missing on the 
LightDM login screen (lightdm w/ default gtk greeter).

Reason: due to the logo's centered position, it is hidden behind the greeter; 
see:
https://salsa.debian.org/debian-edu/debian-edu-artwork/-/blob/master/art-emerald/desktop-base/background.svg?ref_type=heads

Please place the logo at a suitable place, just like older themes do it, e.g.:
https://salsa.debian.org/debian-edu/debian-edu-artwork/-/blob/master/art-homeworld/desktop-base/background.svg?ref_type=heads

Something like the attached background.svg file should do it.

Wolfgang




Bug#1057777: missing dependency on dconf-cli

2023-12-08 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2023-12-08 ]
> as the new dconf logic in update-proxy-from-wpad is only for desktops, I'd
> suggest we check whether pkg dconf-cli / executable dconf is installed and
> if not, skip that bit in the script.
> 
> Acceptable solution?

maybe yes, can't dig into it.

iirc cf-agent runs the script in the d-i environment; installations 
using 12.3 -edu- ISO images (available tomorrow) might be broken.

Wolfgang




Bug#1057777: missing dependency on dconf-cli

2023-12-08 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.12.41~deb12u1
Severity: important

Dear Maintainer,

the update-proxy-from-wpad tool fails with error 'dconf: not found' on a 
plain main server.

dconf is shipped with the dconf-cli package; it seems that this package 
is supposed to be pulled in only in case the 'Workstation' profile has 
(also) been chosen and 'desktop=mate' or 'desktop=gnome' has been set on 
the kernel command line during installation (non-default edu desktop).

Please test with default installations w/ and w/o GUI.

Wolfgang




Bug#1057395: desktop-base: Debian logo missing on login screen

2023-12-05 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2023-12-04 ]
> in case LightDM is used, the Debian logo is missing on the login screen.
> 
> Reason: the logo is hidden behind the greeter due to its centered position, 
> see:
> https://salsa.debian.org/debian-desktop-team/desktop-base/-/blob/master/emerald-theme/login/background.svg
> 
> Please place the logo at a suitable place similar to other themes, e.g.:
> https://salsa.debian.org/debian-desktop-team/desktop-base/-/blob/master/homeworld-theme/login/background.svg
 
The attached background.svg file works for me, please test.

It has been created with Inkscape, applying
https://salsa.debian.org/debian-desktop-team/desktop-base/-/blob/master/source/salsa-debian-icon.svg
to
https://salsa.debian.org/debian-desktop-team/desktop-base/-/blob/master/emerald-theme/login/background-nologo.svg
and then scaling and moving the logo to a suitable position.

Wolfgang




Bug#1057395: desktop-base: Debian logo missing on login screen

2023-12-04 Thread Wolfgang Schweer
Source: desktop-base
Version: 12.0.6+nmu1
Severity: normal

Dear Maintainer,

in case LightDM is used, the Debian logo is missing on the login screen.

Reason: the logo is hidden behind the greeter due to its centered position, see:
https://salsa.debian.org/debian-desktop-team/desktop-base/-/blob/master/emerald-theme/login/background.svg

Please place the logo at a suitable place similar to other themes, e.g.:
https://salsa.debian.org/debian-desktop-team/desktop-base/-/blob/master/homeworld-theme/login/background.svg

Wolfgang




Bug#1033547: debian/rules: adjustment needed for up-to-date docs

2023-10-28 Thread Wolfgang Schweer
> To also fix the dblatex docs, two more patches would be needed

For the docs related changes to take effect, the rules file seems to 
need adjustment; patch attached, please check.

Wolfgang
--- a/debian/rules
+++ b/debian/rules
@@ -9,9 +9,10 @@ override_dh_clean:
 	dh_clean
 
 override_dh_auto_build:
-	# - Nothing to be compiled
 	# - Don't call build_doc, as it's superfluous and will run into
 	#   bootstrap problems.
+	# - But rebuild the PDF manuals, just in case source files contain changes.
+	rm --force docs/*.pdf
 
 override_dh_installchangelogs:
 	dh_installchangelogs docs/changes/changes.txt
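Review bot: The comment added in override_dh_auto_build says the PDF manuals are rebuilt, but the only command added is `rm --force docs/*.pdf`, and the comment kept above it says build_doc is deliberately not called. Name the step that regenerates docs/*.pdf after the removal, or add it here; as the hunk stands, the target only deletes the shipped PDFs.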




Bug#1033547: dblatex invokes inkscape with deprecated options

2023-10-27 Thread Wolfgang Schweer
Hi Oliver,

[ Oliver Smith, 2023-03-27 ]
> dblatex uses Inkscape to convert svgs to pdfs. The options 
> --without-gui and --export-pdf it uses for this are deprecated. This 
> generates a lot of unrelated warnings that make the output hard to 
> read, and Inkscape may stop supporting these options altogether in the 
> future.
> 
> Fedora ships a patch that replaces inkscape with rsvg-convert, maybe
> that makes sense for Debian too:
> https://src.fedoraproject.org/rpms/dblatex/blob/rawhide/f/dblatex-0.3.11-replace-inkscape-by-rsvg.patch

IMO a simple change would fix the options issue. (The -z option has been 
a shortcut for the deprecated --without-gui option):

--- a/lib/dbtexmf/core/imagedata.py
+++ b/lib/dbtexmf/core/imagedata.py
@@ -181,7 +181,7 @@ class FigConverter(ImageConverter):
 class SvgConverter(ImageConverter):
 def __init__(self, imgsrc, imgdst="", docformat="", backend=""):
 ImageConverter.__init__(self, imgsrc="svg", imgdst=imgdst)
-self.add_command(["inkscape", "-z", "-D", 
"--export-%(dst)s=%(output)s",
+self.add_command(["inkscape", "-D", "--export-filename=%(output)s",
   "%(input)s"])

This works for me in case the output file is PNG. Could you test the PDF 
case?

Related information concerning Inkscape changes:
https://wiki.inkscape.org/wiki/Using_the_Command_Line#Deprecations_and_Replacements
and the recent man page:
https://inkscape.org/doc/inkscape-man.html

To also fix the dblatex docs, two more patches would be needed; all 
three patches are attached.
 
Wolfgang
Author: Wolfgang Schweer 
Description: Adjust Inkscape options for SVG conversion
 Inkscape removed the -z option (--without-gui shortcut) and deprecated the
 --without-gui, --export-png and --export-pdf options (among others).
 Now, --export-filename and/or --export-type are needed, --without-gui is the
 default for commandline usage.   
Bug-Debian: https://bugs.debian.org/1033547
--- a/lib/dbtexmf/core/imagedata.py
+++ b/lib/dbtexmf/core/imagedata.py
@@ -181,7 +181,7 @@ class FigConverter(ImageConverter):
 class SvgConverter(ImageConverter):
 def __init__(self, imgsrc, imgdst="", docformat="", backend=""):
 ImageConverter.__init__(self, imgsrc="svg", imgdst=imgdst)
-self.add_command(["inkscape", "-z", "-D", "--export-%(dst)s=%(output)s",
+self.add_command(["inkscape", "-D", "--export-filename=%(output)s",
   "%(input)s"])
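Review bot: The replaced `add_command` line no longer uses `%(dst)s`, so the output format is now whatever Inkscape infers from the extension of `%(output)s`, where the old `--export-%(dst)s=` form stated it explicitly. The patch description itself names `--export-type`, and the cover message says only the PNG case was tested, so either add `--export-type=%(dst)s` next to `--export-filename` or confirm that the output name always carries the right extension for PDF.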
 
 
Author: Wolfgang Schweer 
Description: Adjust custom dblatex conf file after Inkscape changes
--- a/docs/custom/dblatex.xconf
+++ b/docs/custom/dblatex.xconf
@@ -18,7 +18,7 @@
   
 
   
-inkscape -z -D --export-dpi=600 --export-%(dst)s=%(output)s %(input)s
+inkscape -D --export-dpi=600 --export-filename=%(output)s %(input)s
   
 
   
Author: Wolfgang Schweer 
Description: Adjust manual after Inkscape command line option changes
--- a/docs/xhtml/manual/sec-specs.html
+++ b/docs/xhtml/manual/sec-specs.html
@@ -35,7 +35,7 @@
   imagedata
 converter src="svg" dst="*" docformat="pdf"
   command
-inkscape -z -D --export-dpi=600 --export-%(dst)s=%(output)s %(input)s
+inkscape -D --export-dpi=600 --export-filename=%(output)s %(input)s
   /command
 /converter
   /imagedata
@@ -225,4 +225,4 @@ options specified by the parameter are d
   following paths, in respect of the order:The current directory$HOME/.dblatex/etc/dblatexThe dblatex package configuration directories.You can add some extra paths where to look for by setting the
   DBLATEX_CONFIG_FILES environment variable. The paths are
   separated by ":" in Unix like systems, and by ";" on Windows. These paths
-  are used only when nothing is found in the default paths.Prev Up NextLatex post process script Home Customization Precedence
\ No newline at end of file
+  are used only when nothing is found in the default paths.Prev Up NextLatex post process script Home Customization Precedence
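Review bot: The second hunk of sec-specs.html changes nothing except the missing newline at end of file on the `are used only when nothing is found in the default paths.` line, which is unrelated to the Inkscape options. Drop it from this patch, and if docs/xhtml/manual is generated from the manual's source, make the command change in that source so the next regeneration does not revert it.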




Bug#1033451: please fix wrong condition contained in debian-edu-ltsp-install script

2023-03-25 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal
Tags: patch

While trying to install a dedicated LTSP diskless workstation chroot, I 
noticed that running 'debian-edu-ltsp-install --dlw' fails in case the 
Debian Edu BD ISO image isn't available. This is due to a missing check.

To fix the issue on a system with 'LTSP-Server' profile, run as root:
sed -i 's/if ! mountpoint/if [ "true" == "$BD_ISO" ] \&\& ! mountpoint/' /usr/sbin/debian-edu-ltsp-install

Patch for the d-e-c git master branch:

diff --git a/sbin/debian-edu-ltsp-install b/sbin/debian-edu-ltsp-install
index 3c353202..90627977 100755
--- a/sbin/debian-edu-ltsp-install
+++ b/sbin/debian-edu-ltsp-install
@@ -18,7 +18,7 @@
 # Licence: GPL2+
 # first edited:2019-11-21
 
-version=2021-11-18
+version=2023-03-25
 
 set -e
 
@@ -598,7 +598,7 @@ EOF
mkdir -p /srv/ltsp/dlw
chmod 755 /srv/ltsp/dlw
# Use BD-ISO if available.
-   if ! mountpoint -q /media/cdrom ; then
+   if [ "true" == "$BD_ISO" ] && ! mountpoint -q /media/cdrom ; then
mount /media/cdrom
fi
if grep -q BD /etc/apt/sources.list && [ -f /media/cdrom/.disk/info ] ; 
then
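Review bot: In the second hunk, `[ "true" == "$BD_ISO" ]` uses `==` inside `[ ]`, which is a bash extension; under a POSIX sh such as dash the test errors out, the condition counts as false, and the mount is skipped even when the ISO is available. Use `=` unless the script's interpreter line is bash. Also confirm that BD_ISO is assigned on every path that reaches this block, since an unset value has the same effect.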


Wolfgang




Bug#1031613: apt: examples/sources.list should be updated to match bookworm

2023-02-19 Thread Wolfgang Schweer
Package: apt
Version: 2.5.6
Severity: normal

Dear Maintainer,

/usr/share/doc/apt/examples/sources.list still contains information for 
the bullseye release, please update to match bookworm. Also, the 
non-free-firmware section should be dealt with.

Regards,

Wolfgang




Bug#1024033: debian-edu-config: broken thin client chroot installation in case type is (mini-)desktop and language is English

2022-11-13 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal

Dashamir Hoxha reported on debian-edu@lists.d.o some time ago:
> When I try to create the image for a mini-desktop thin client, with the 
> command:
>
> debian-edu-ltsp-install --thin_type desktop
>
> I get this error message:
> "E: Unable to locate package firefox-esr-l10n-en"


The script tries to install firefox-esr-l10n-"$LANGCODE", with $LANGCODE grabbed
from the /etc/debian-edu/config file.

Since Firefox supports 'en' (and 'en-us') natively, the 
firefox-esr-l10n-en package doesn't exist.

The issue has been fixed in Git (master branch):
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/6202ef11fe4159c521b9be1cc503552543cdfc91

Since the firefox-esr-l10n-en-gb package does exist, a simple workaround for
bullseye would be:

Set LANGCODE="en-gb" in /etc/debian-edu/config (temporarily).
Run 'debian-edu-ltsp-install --thin_type desktop'

Wolfgang




Bug#1021688: debian-edu-config: Broken network setup if LXQt desktop environment is used on main or LTSP server

2022-10-12 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+debu4
Severity: normal

On systems with 'Main server' and/or 'LTSP server' profiles the network 
setup fails to work correctly in case the LXQt desktop environment is 
used.

To fix it locally, replace connman with network-manager-gnome (ConnMan 
is the preferred LXQt network manager):
apt install network-manager-gnome -y
apt purge connman -y

Reboot the system.
Also, if Diskless workstations are used, rebuild the related image:
debian-edu-ltsp-install --diskless_workstation yes 

The fix is easy, see this commit:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/3d02cdc270db00ac09f9907a2bd93573e796a559

Wolfgang




Bug#1021687: debian-edu-config: Make sure the ntp package is installed on the main server

2022-10-12 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal

In case Internet connection isn't available, synchronizing clocks on the 
Debian Edu network requires running a local time server (e.g. for 
kerberized services like SSH and NFS).

On the main server, the ntp package should be installed, like 
recommended by the education-main-server package. But due to changes 
some time ago, systemd-timesyncd gets installed earlier and prevents the 
ntp package from being installed.

To fix it, run as root user on the main server:

'apt install ntp -y' to install the package and
'cf-agent -I -D installation' to adjust the ntp configuration like needed.

This bug has already been fixed in sid/testing (debian-edu-config 2.12.11), see:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/69d83ae46c72d4a7b70088f87b38164c09941669

Wolfgang




Bug#1021414: debian-edu-config: Wrong DHCP configuration on separate LTSP server

2022-10-07 Thread Wolfgang Schweer
Source: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal

On a separate LTSP server the DHCP service fails to start after stopping 
it. This is caused by a wrong Requires statement in the systemd unit 
file. Instead of slapd.service, nslcd.service is required:

diff --git a/share/debian-edu-config/isc-dhcp-server.service.eth1_only 
b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
index 46557e6b..f2b7fb58 100644
--- a/share/debian-edu-config/isc-dhcp-server.service.eth1_only
+++ b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
@@ -1,7 +1,7 @@
 [Unit]
 Description=DHCP server
 After=network.target network-online.target
-Requires=slapd.service
+Requires=nslcd.service
 
 [Service]
 Type=forking
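Review bot: `Requires=nslcd.service` only pulls the unit in; it sets no ordering, and the `After=` line visible in this hunk lists just network.target and network-online.target. Add nslcd.service to `After=` so the DHCP server is started once nslcd is up rather than in parallel with it.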

Wolfgang




Bug#1010432: debian-edu-config: autopkgtest regression: update-mime: not found

2022-05-01 Thread Wolfgang Schweer
[ Paul Gevers, 2022-05-01 ]
> It seems that with the fix for bug #1010102 you either picked the 
> wrong Depends of two, or you forgot to update the postinst for the 
> change as update-mime lives in mailcap.

AFAICT calling update-mime in d-e-c.postinst is unneeded since the 
obsolete debian-edu-mailcap file has been removed, see commit 2aaa1adf:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/2aaa1adfac0f1ea63520bd884c2c48c674b51e3c
and commit 24f26f25:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/24f26f2552cdc62e5b580cac4d7e40a6f973c326

The update-mime call should be removed from the postinst script.

The Depends on mime-support had been added in 2004 due to moving the 
mailcap file and calling update-mime in d-e-c.postinst, see commit 
91550cf1:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/91550cf1d35774f10cc9989f16038eeabf95e86b

IMO d-e-config neither needs media-types nor mailcap as dependencies, 
please check.

Wolfgang




Bug#1008597: debian-edu-install: Ask for hostname during standalone installation

2022-03-30 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-03-29 ]
> [Mike Gabriel]
> > While testing 11u3 ISO images, I noticed that a standalone Debian Edu  
> > installation does not ask for a hostname. It tries to find a hostname  
> > via DNS/DHCP and falls back to am-.
> 
> Will it accept the hostname on the boot prompt as
> hostname=some.domain.name?

No; the update-hostname-from-ip script will overwrite the hostname given 
as kernel command line param with am-, just like it happens with 
'hostname=pxeinstall' for PXE installed systems.

Wolfgang




Bug#1008602: debian-edu-config: Xfce/MATE in X2Go sessions very sluggish with Compositing enabled in xfwm

2022-03-30 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-03-29 ]
> A real fix for this could be provided in Xfce4 itself (see librda, Remote
> Desktop Awareness library). Until that has landed in Xfce (I might provide a
> patch for Xfce some time), we should consider disabling compositing in
> Xfce4-
> 
> Same applies for the MATE desktop environment. Compositing should be
> disabled by default, as well.
> 
> This makes the desktop environments look more simple, but they work
> out-of-the-box then when accessed via X2Go thinclients.
> 
> This is probably very debatable... Maybe it needs to be covered by
> documentation instead?

Sounds good; just document how to disable/enable the compositor via the 
related settings submenu (so that users know how to toggle it depending 
on their use case).

Maybe it could be added to the Desktop chapter:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/HowTo/Desktop

Wolfgang




Bug#1008057: Debian Installer on CD netinst image doesn't use http_proxy on Debian Edu network

2022-03-25 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-03-21 ]
> I have just tried to install a Debian Edu system from the netinst CD image
> for the first time (in ages) on a fully up-and-running Debian Edu network.
> 
> One part of my favourite setup is blocking all outgoing traffic to the
> internet for Debian Edu clients and have all internet connections mediated
> by squid on TJENER (or some other host serving webcache.intern.3128).
> 
> So, my simple expectation was, that a Debian Edu installation from CD image
> would automatically use the proxy server configured via WPAD. This obviously
> is not in the case:
 
Quoting the manual:
"You can use an existing HTTP proxy service on the network to speed up 
the installation of the main server profile from CD. Add e.g. 
mirror/http/proxy=http://10.0.2.2:3128 as an additional boot parameter."

https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Installation#Installation_types_and_options

Similar instruction since the Etch release...

Wolfgang




Bug#1006604: debian-edu-config: Debian Edu clients without GOsa system entry loose IP address after 30min

2022-03-01 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-03-01 ]
> On  Di 01 Mär 2022 11:22:46 CET, Wolfgang Schweer wrote:
> 
> > [ Petter Reinholdtsen, 2022-03-01 ]
> > > 
> > > [Holger Levsen]
> > > > I wonder if this is a bug in Debian Edu at all: don't we require hosts to be
> > > > added to GOsa in the first place?
> > > 
> > > Well, it is a bug in Debian Edu that the problem is obscure and hard to
> > > debug.  I guess the issue should be detected and reported in the face of
> > > the person trying to set up a new machine, instead of the machine
> > > silently failing to keep its IP address
[..] 
> > > Traditionally it was required to register clients in GOsa to ensure
> > > home directories could be mounted, not for it to get an IP address.
> > 
> > Yes, that's still the case.
> 
> Nope, see my previous mail about NFSv4+krb5i.

Kerberized NFS is the default for Debian Edu 11 (bullseye) and has 
already been available as a Debian Edu 10 (buster) feature, see:

https://wiki.debian.org/DebianEdu/Documentation/Buster/Features#Other_changes_compared_to_the_previous_release

with information how to enable it:

https://wiki.debian.org/DebianEdu/Documentation/Buster/HowTo/Administration#Kerberized_NFS

Since a long time, the manual contains detailed information about machine
management. For Debian Edu 11 kerberized NFS is also explained, see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/GettingStarted#Machine_Management_with_GOsa.2BALI-

I don't understand why some admins seem to avoid reading the manual.

Wolfgang




Bug#1006604: debian-edu-config: Debian Edu clients without GOsa system entry loose IP address after 30min

2022-03-01 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-03-01 ]
> 
> [Holger Levsen]
> > I wonder if this is a bug in Debian Edu at all: don't we require hosts to be
> > added to GOsa in the first place?
> 
> Well, it is a bug in Debian Edu that the problem is obscure and hard to
> debug.  I guess the issue should be detected and reported in the face of
> the person trying to set up a new machine, instead of the machine
> silently failing to keep its IP address

Sure. But then this seems to be a site specific non-standard use case, 
so site specific modification could be sufficient, I figure.
Fixing it for bookworm would be good, though.

> Traditionally it was required to register clients in GOsa to ensure 
> home directories could be mounted, not for it to get an IP address.

Yes, that's still the case. 

I'm just wondering about the reported 30 minutes. It seems to be the 
default lease time on the backbone network (1800). Maybe raise it to a 
site specific value? (Can't test it, can't contribute more for the time 
being.)

Wolfgang






Bug#1006362: debian-edu-config: PXE-installed Debian Edu clients don't boot into graphical.target

2022-02-25 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-02-24 ]
> The underlying causes of this is that we append "-- ipappend 2" to the
> kernel cmdline when doing the PXE boot into the Debian Installer.  This
> kernel boot cmdline is generated by /usr/sbin/debian-edu-pxeinstall (and was
> necessary in older times).

Right. 'ipappend' is used by PXELINUX, but for 'bullseye' we switched to 
iPXE to be compliant with the re-written LTSP.
 
> What happens with this "-- ipappend 2" bit of the kernel cmdline is that it
> gets added (during the installation process) to the GRUB_CMDLINE_LINUX
> variable in /etc/default/grub:
> 
> GRUB_CMDLINE_LINUX="ipappend 2"

PXELINUX evaluates 'ipappend 2' and adds 
BOOTIF= to the kernel command line, 
allowing the initrd program to determine from which interface the system 
booted.

Obviously, iPXE doesn't understand 'ipappend'. I'm just wondering if 
there are other side-effects.
 
> So, the booting systems finds a "2" in the kernel boot cmdline after the
> system has been installed via PXE and this "2" is interpreted as runlevel 2
> by systemd (PID 1).

While PXE installations have always been tested during development (and 
also at release and point release days), the 'Minimal' profile has been 
chosen for this test case to save time. As there's no GUI, this bug got 
away undetected. It might be a good idea to choose 'Workstation' for 
future tests.

Wolfgang
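
A check for the leftover described in this exchange, as an added example that is not part of the original messages or of debian-edu-config: it lists tokens in the GRUB kernel command line variables that are `ipappend` or a bare legacy runlevel word. It goes slightly beyond the reported "2" by also flagging the other runlevel words; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find PXELINUX leftovers in the GRUB kernel command line.

# Print, one per line, each token of GRUB_CMDLINE_LINUX and
# GRUB_CMDLINE_LINUX_DEFAULT in FILE ($1) that is either "ipappend" or a
# bare word an init system reads as a legacy runlevel request.
stray_cmdline_tokens() {
    sed -n 's/^GRUB_CMDLINE_LINUX\(_DEFAULT\)\{0,1\}="\(.*\)"[[:space:]]*$/\2/p' "$1" |
        tr -s ' \t' '\n\n' |
        while IFS= read -r tok; do
            case "$tok" in
                ipappend|[1-5]|s|S|single) printf '%s\n' "$tok" ;;
            esac
        done
}

# Return 0 if FILE ($1) contains no such tokens, 1 otherwise.
cmdline_is_clean() {
    [ -z "$(stray_cmdline_tokens "$1")" ]
}

# Constructed sample: /etc/default/grub as described for a PXE-installed client.
demo() {
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="ipappend 2"
EOF
    if cmdline_is_clean "$demo_dir/grub"; then
        echo "kernel command line is clean"
    else
        echo "stray tokens:" $(stray_cmdline_tokens "$demo_dir/grub")
    fi
    rm -rf "$demo_dir"
}
demo
```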




Bug#1005813: debian-edu-config: apparmor blocks cups-browsed.conf from being read

2022-02-19 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-02-19 ]
> [Wolfgang Schweer]
> > As the symlink seems to be the problem, another solution would be to
> > let cfengine copy the file instead:
> 
> Sure.  The reason a symlink was used was to ensure upgrades would take
> effect.
 
Right. In case an upgraded debian-edu-config package contains a changed 
cups-browsed-debian-edu.conf file, 'cf-agent -v -D installation' would 
need to be run to update the cups-browsed.conf file.

In the past, the status pages have been updated at point release days to 
cope with changes concerning (among others) the debian-edu-config 
package, including information if a cf-agent run is needed; see:

https://wiki.debian.org/DebianEdu/Status/Buster
and
https://wiki.debian.org/DebianEdu/Status/Bullseye

In case of release upgrades, a cf-agent run is required anyway (like 
documented in the manuals)

Wolfgang




Bug#1005813: debian-edu-config: apparmor blocks cups-browsed.conf from being read

2022-02-19 Thread Wolfgang Schweer
[ Holger Levsen, 2022-02-19 ]
> On Tue, Feb 15, 2022 at 07:20:01PM +, Mike Gabriel wrote:
> > Solution 2:
> > ---
> > Ask the cups src:pkg maintainers to add a line
> > /etc/cups/cups-browsed-debian-edu.conf to their
> > /etc/appamor.d/usr.sbin.cups-browsed apparmor profile.
> 
> to me this seems to be the cleanest approach.

As the symlink seems to be the problem, another solution would be to
let cfengine copy the file instead:

diff --git a/cf3/cf.cups b/cf3/cf.cups
index 9788fa5c..58a64493 100644
--- a/cf3/cf.cups
+++ b/cf3/cf.cups
@@ -29,7 +29,7 @@ files:
   debian.desktopintern.!server.installation::
 
 "/etc/cups/cups-browsed.conf"
-  link_from => ln_s("/etc/cups/cups-browsed-debian-edu.conf"),
+  copy_from => local_cp("/etc/cups/cups-browsed-debian-edu.conf"),
   move_obstructions => "true";
 }
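Review bot: Switching the promise to `copy_from => local_cp(...)` makes /etc/cups/cups-browsed.conf a snapshot, and the class guard on this promise includes `installation`, so a later change to cups-browsed-debian-edu.conf reaches clients only when cf-agent is run with that class again. Say so in the commit message or in a comment next to the promise, so upgrades that touch the file come with the instruction to rerun cf-agent.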

(In both cases, the original file is renamed to 
/etc/cups/cups-browsed.conf.cfsaved)

Wolfgang




Bug#1005841: debian-edu-config: No TJENER print queues appearing on Debian Edu clients, print queues named not like queue name on TJENER

2022-02-19 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-02-16 ]
> The problem is that I think that the cups-browsing (or more strictly spoken
> cups-browsed-debian-edu.conf) never got really fully tested, because
> cups-browsed fails/failed to read cups-browsed-debian-edu.conf due to
> apparmor blocking.
 
Right.

> On normal workstations, I sense that some cups-browsed defaults kick into
> place (as the cups-browsed-debian-edu.conf is being blocked from reading at
> cups-browsed service startup) and that these defaults provide CUPS queues on
> TJENER to the clients via dnssd and the printer naming scheme is
> __ (which is an unwanted naming scheme here).

Right. Like you proposed, the correct file content should rather be:

diff --git a/etc/cups/cups-browsed-debian-edu.conf 
b/etc/cups/cups-browsed-debian-edu.conf
index b1479a4f..f58a99ad 100644
--- a/etc/cups/cups-browsed-debian-edu.conf
+++ b/etc/cups/cups-browsed-debian-edu.conf
@@ -28,5 +28,5 @@ BrowseAllow ipp.intern
 # to "No".
 
 CreateIPPPrinterQueues No
-CreateRemoteCUPSPrinterQueues No
-
+CreateRemoteCUPSPrinterQueues Yes
+LocalQueueNamingRemoteCUPS RemoteName
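Review bot: The context line `# to "No".` belongs to a comment that explains a "No" setting, while `CreateRemoteCUPSPrinterQueues` now becomes `Yes` and `LocalQueueNamingRemoteCUPS RemoteName` is added without explanation. Update that comment so it covers only `CreateIPPPrinterQueues`, and add a line saying why remote CUPS queues are created and named after the queue on the server.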

Wolfgang




Bug#1005841: debian-edu-config: No TJENER print queues appearing on Debian Edu clients, print queues named not like queue name on TJENER

2022-02-15 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2022-02-15 ]
> Package: debian-edu-config
> Severity: important
> Version: 2.12.16
> Control: found -1 2.11.56+deb11u3
> 
> If allowing read access to /etc/cups/cups-browsed-debian-edu.conf in
> apparmor (see #1005813), the current configuration won't create remote CUPS
> printer queues on Debian Edu workstations.
> 
> To make CUPS printer queues on TJENER available on Debian Edu workstations,
> one needs to set "CreateRemoteCUPSPrinterQueues Yes" in
> /etc/cups/cups-browsed(-debian-edu).conf.

"CreateRemoteCUPSPrinterQueues No" has been used intentionally.

The existing (centralized) approach has been documented, see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/GettingStarted#Printer_Management

Wolfgang


signature.asc
Description: PGP signature


Bug#955707: debian-edu-config: use DuckDuckGo as Chromium's default search provider

2022-01-31 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2022-01-30 ]
> Hi Wolfgang,
> 
> On  Sa 04 Apr 2020 00:20:37 CEST, Mike Gabriel wrote:
> 
> > Package: debian-edu-config
> > Severity: wishlist
> > 
> > Currently (during the bullseye release cycle), chromium uses Google as
> > the default search provider.
> > 
> > With the below snippet dropped into
> > /etc/chromium/policies/managed/.json we could switch that to
> > DuckDuckGo:
> > 
> > {
> >   "DefaultSearchProviderEnabled": true,
> >   "DefaultSearchProviderName": "DuckDuckGo",
> >   "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico",
> >   "DefaultSearchProviderEncodings": ["UTF-8"],
> >   "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}",
> >   "DefaultSearchProviderSuggestURL": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
> >   "DefaultSearchProviderNewTabURL": "https://duckduckgo.com/chrome_newtab"
> > }
> > 
> > Possibly an option for Debian Edu? Maybe even for Chromium in Debian?
> > 
> > Mike
> 
> I saw the above as part of the release notes for Debian Edu bullseye, right?
> Can we close #955707?

Two times: yes. Not done then because of
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955707#15
 
Wolfgang


signature.asc
Description: PGP signature


Bug#1003694: gosa: PHP deprecation warnings

2022-01-27 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-01-13 ]
> Package: src:gosa
> Severity: important
> Version: 2.7.4+reloaded3-16
> 
> There are some PHP deprecation warnings appearing on screen when using GOsa
> on Debian bullseye against PHP 7.4. Probably much worse with upcoming PHP
> 8.x:

[ ]
 
> Deprecated: Array and string offset access syntax with curly braces is
> deprecated in
> /usr/share/gosa/include/utils/excel/class.writeexcel_formula.inc.php on line
> 156

Now with src:php-defaults/92 a fatal error is thrown because 'Array and 
string offset access syntax with curly braces is no longer supported'.

Due to this, the GOsa web UI access is broken in bookworm.

> I will collect more of these and propose a fix for them...

For an overview of deprecated features, see:
https://www.php.net/manual/en/migration74.deprecated.php

Wolfgang


signature.asc
Description: PGP signature


Bug#1002299: debian-edu-config: hosts installed via the minimal profile lack libpam-krb5 and fail to mount NFS krb5i shares on TJENER

2021-12-26 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2021-12-21 ]
> Package: debian-edu
> Severity: important
> Version: 2.12.4
> 
> When installing a Debian Edu system based on the Minimal installation
> profile, then the package libpam-krb5 is missing on that host. An installed
> Minimal system fails to allow users to log in (and get their home directory
> mounted via NFSv4 and sec=krb5i).

As far as I can tell, this is done by intention: it's not a system 
providing user access by default.

From the documented profile description:
(see: 
https://wiki.debian.org/DebianEdu/Documentation/Bookworm/Installation#The_installation_process
 )
This profile will install the base packages and configure the machine to 
integrate into the Debian Edu network, but without any services and 
applications. It is useful as a platform for single services manually 
moved out from the main-server.

To access such a system over the network, run (thanks to kerberized SSH) 
as root (on a system on the main network):
kinit ssh 
or use scp

(Assuming the minimal system has been added correctly using GOsa² and 
the generated krb5.keytab has been copied to the minimal system like 
explained in the manual, see:
https://wiki.debian.org/DebianEdu/Documentation/Bookworm/GettingStarted#Machine_Management_with_GOsa.2BALI-
 )

Wolfgang


signature.asc
Description: PGP signature


Bug#1002019: debian-edu-config: /etc/debian-edu/host-keytabs/ contain non-config data

2021-12-21 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2021-12-20 ]
> I have filed a merge request for introducing this change:
> https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/2
> 
> Can you review?

Done so on salsa.
 
Wolfgang


signature.asc
Description: PGP signature


Bug#1000511: bullseye-pu: package debian-edu-config/2.11.56+deb11u2

2021-11-30 Thread Wolfgang Schweer
Hi Adam,

[ Adam D. Barratt, 2021-11-30 ]
> Control: tags -1 + moreinfo
> 
> On Wed, 2021-11-24 at 13:29 +0100, Wolfgang Schweer wrote:
> > It has been detected on real world deployments that some needed changes
> > due to the re-written LTSP in bullseye have not been addressed properly
> > or are missing, so:
> > (1) Fix TFTP server path (/var/lib/tftpboot-> /srv/tftp), #995610
> > (2) Add real support for LTSP chroot setup and maintenance, #996103
> > 
> 
> The metadata for the first bug implies that it affects unstable and is
> not yet fixed there. Could you please confirm the status?

Yes, the bug is also fixed in unstable, please see the first changelog entry:
https://tracker.debian.org/news/1266906/accepted-debian-edu-config-2125-source-into-unstable/

Kind regards, 
Wolfgang


signature.asc
Description: PGP signature


Bug#1000811: bullseye-pu: package debian-edu-doc/2.11.26+deb11u1

2021-11-29 Thread Wolfgang Schweer
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

[ Reason ]
Documentation update for the Debian Edu Bullseye manual and translation 
updates for both the Debian Edu Bullseye and Buster manuals. 

[ Impact ]
Users would be left without proper documentation concerning the Debian 
Edu specific LTSP setup and maintenance tools.
Also, improved translations would be missing.

[ Tests ]
Manual tests, translation status equals the one in the master branch / 
Debian unstable.

[ Risks ]
No risk apparent.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Update Debian Edu Bullseye manual from the wiki; this makes sure that:
- all LTSP setup and maintenance related changes are in the manual.
- the Debian Edu Bullseye manual source file is the same as the one in
  the master branch / Debian unstable.

Update Bullseye and Buster manual translations (PO files) from the master
branch / Debian unstable.

Update related PO addendum files from the master branch to make sure that
all translators are credited correctly in the generated manuals.

[ Other info ]
Holger Levsen will do the upload.

Wolfgang


debdiff_d-e-doc.xz
Description: application/xz


signature.asc
Description: PGP signature


Bug#1000511: bullseye-pu: package debian-edu-config/2.11.56+deb11u2

2021-11-24 Thread Wolfgang Schweer
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

[ Reason ]
It has been detected on real world deployments that some needed changes
due to the re-written LTSP in bullseye have not been addressed properly 
or are missing, so:
(1) Fix TFTP server path (/var/lib/tftpboot-> /srv/tftp), #995610
(2) Add real support for LTSP chroot setup and maintenance, #996103

[ Impact ]
(1) Updating the PXE setup in case of missing firmware on client 
systems would fail.
(2) The LTSP chroot setup and maintenance would be very complicated if 
not impossible for local admins.

[ Tests ]
Manual tests have been done using VMs on a virtual Debian Edu network. 

[ Risks ]
Very low: only Debian Edu LTSP server installations are concerned and 
the default behaviour of installed systems is left unchanged. Adjusted 
as well as new man pages are provided and the related manual will also 
be updated.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  Fix TFTP server path (var/lib/tftpboot-> /srv/tftp)

sbin/debian-edu-ltsp-install:
  Add LTSP diskless client chroot creation,
  use uniform locations for X2Go thin clients and diskless workstations,
  ensure sitesummary-client setup and configuration inside chroots,
  care for proper mount and umount operation,
  add xrdp-sesman to the list of masked services for LTSP clients,
  make sure all kernels are updated,
  adjust the ltsp.conf file content to match the changes.

share/debian-edu-config/tools/run-at-firstboot:
  Care for the changed 'debian-edu-ltsp-install' default options to make
  sure combined server installations have a generated SquashFS image file
  just like before.

share/man/man8/debian-edu-ltsp-install.8:
  Update to reflect the changes.

sbin/debian-edu-ltsp-chroot:
  New tool to make LTSP chroot maintenance easy.

sbin/debian-edu-ltsp-initrd:
  New wrapper script for 'ltsp initrd' command.
  It makes sure that a use case specific initrd (/srv/tftp/ltsp/ltsp.img)
  is generated and moved to the right location.

sbin/debian-edu-ltsp-ipxe:
  New wrapper script for 'ltsp ipxe' command.
  It cares for a Debian Edu specific /srv/tftp/ltsp/ltsp.ipxe content.

share/debian-edu-config/tools/ltsp-addfirmware:
  Install firmware in LTSP chroots in case clients won't work otherwise.
  (Adjusted tool from Buster re-added to the binary package.)

New manual pages:
  share/man/man8/debian-edu-ltsp-chroot.8
  share/man/man8/debian-edu-ltsp-initrd.8
  share/man/man8/debian-edu-ltsp-ipxe.8

[ Other info ]
The package will be uploaded soonish by Holger Levsen.

Wolfgang


debdiff_d-e-c.gz
Description: application/gzip


signature.asc
Description: PGP signature


Bug#996103: debian-edu-config: missing real support for LTSP chroot creation and maintenance

2021-11-15 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-11-12 ]
> I noticed that a wrapper tool is also needed for the new LTSP 'ltsp 
> initrd' command (which generates /srv/tftp/ltsp/ltsp.img for all use 
> cases).
> 
> The Debian Edu LTSP setup (with X2Go thin client support included) needs 
> to use case specific LTSP initrds located in case related directories 
> (as opposed to vanilla LTSP). Updating ltsp.img is eg. needed after the 
> /etc/ltsp/ltsp.conf [clients] section has been modified. This is 
> supposed to be the case for LTSP clients running in real world 
> deployments.
> 
> The tool is now available in Git [1] and should IMO also go into 
> bullseye once tested.

The wrapper script is available in sid (and about to show up in 
bookworm).

Testing all above changes for bullseye (modifications inside d-i) 
revealed that the 'share/debian-edu-config/tools/run-at-firstboot' tool 
needs to be adjusted to make sure the SquashFS image from the server's 
filesystem is generated. The adjusted file is already used for bookworm 
since some time:

diff --git a/share/debian-edu-config/tools/run-at-firstboot 
b/share/debian-edu-config/tools/run-at-firstboot
index 7e3bb335..fa31786d 100755
--- a/share/debian-edu-config/tools/run-at-firstboot
+++ b/share/debian-edu-config/tools/run-at-firstboot
@@ -64,7 +64,7 @@ fi
 # needs to include the krb5.keytab file which isn't available at this time.
 if echo "$PROFILE" | grep -Eq 'Main-Server.*LTSP-Server' && \
[ ! -f /srv/ltsp/images/$ltspimg ] ; then
-   /usr/sbin/debian-edu-ltsp-install --dist $dist
+   /usr/sbin/debian-edu-ltsp-install --diskless_workstation yes
 fi
 
 # Update PXE setup on LTSP servers with proxy values set in environment
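
Review bot: The new call drops `--dist $dist`, so the image is now built for whatever distribution debian-edu-ltsp-install defaults to; if `$dist` is still computed earlier in run-at-firstboot only for this call, remove it, otherwise it becomes dead code. The comment above the `if` explains the keytab timing but not why `--diskless_workstation yes` must now be passed explicitly; a short line about the changed default options would help. The unquoted `$ltspimg` in the `[ ! -f ... ]` test is also worth quoting while this block is being touched.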

Wolfgang


signature.asc
Description: PGP signature


Bug#996103: debian-edu-config: missing real support for LTSP chroot creation and maintenance

2021-11-12 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-10-11 ]
> A wrapper tool for the 'ltsp ipxe' command needs to be added to allow 
> one to easily update the iPXE menu after changing the default netboot 
> menu item after /etc/ltsp/ltsp.conf file edits.

I noticed that a wrapper tool is also needed for the new LTSP 'ltsp 
initrd' command (which generates /srv/tftp/ltsp/ltsp.img for all use 
cases).

The Debian Edu LTSP setup (with X2Go thin client support included) needs 
to use case specific LTSP initrds located in case related directories 
(as opposed to vanilla LTSP). Updating ltsp.img is eg. needed after the 
/etc/ltsp/ltsp.conf [clients] section has been modified. This is 
supposed to be the case for LTSP clients running in real world 
deployments.

The tool is now available in Git [1] and should IMO also go into 
bullseye once tested.

Wolfgang

[1] https://deb.li/jLcI


signature.asc
Description: PGP signature


Bug#996103: debian-edu-config: missing real support for LTSP chroot creation and maintenance

2021-10-11 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u1
Severity: important

Hi,

bug #995610 has been reported concerning possibly missing firmware when 
doing PXE installations on real hardware.

Same applies to LTSP thin clients and diskless workstations, but this 
issue slipped my attention, too. (No real hardware available, VMs only.)

As of now, after generating the SquashFS image for thin clients, the 
related chroot is removed. Updating the image after possible package 
upgrades is done via running chroot creation from scratch again; the 
reason has been not to bother inexperienced admins with chroot 
issues (like temporary files, proc and devpts).

Installing firmware packages inside the thin client chroot would even 
require adjusting the sbin/debian-edu-ltsp-install tool (after having 
copied it to /usr/local/sbin). Inexperienced admins would be left w/o a 
clue if LTSP client boot fails in case of network cards needing 
firmware.

The new LTSP (as of bullseye) has an approach different to LTSP5 which 
shipped a dedicated tool to create and maintain chroots.

Such a tool should be available for Debian Edu 11. In addition, a tool 
allowing to easily install firmware packages in LTSP chroots should be 
available.

LTSP chroot creation and maintenance for diskless workstations should be 
possible (as opposed to creating the SquashFS image from the LTSP 
server's file system). It would allow one to generate dedicated client 
images with possible needed firmware w/o spoiling the LTSP server 
filesystem by installing them there.

This would also be a secure fix for #993935 (privacy issues for combined 
servers). Inexperienced admins can't be expected to copy the 
sbin/debian-edu-ltsp-install tool to /usr/local/sbin and adjust the 
exclude list to site specific needs.

The sbin/debian-edu-ltsp-install tool (and some others) would need 
related adjustments. Related manual pages need to be adjusted/added.

A wrapper tool for the 'ltsp ipxe' command needs to be added to allow 
one to easily update the iPXE menu after changing the default netboot 
menu item after /etc/ltsp/ltsp.conf file edits.

All above mentioned changes are already in unstable (with fixes in Git).

Once tested, these should go into bullseye-pu.

Wolfgang


signature.asc
Description: PGP signature


Bug#994627: bullseye-pu: package debian-edu-config/2.11.56+deb11u1

2021-09-18 Thread Wolfgang Schweer
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Bug #993935 (Netboot image exposes private data and crypto keys) has 
already been fixed in unstable, but should also be fixed in stable.

[ Reason ]
This bug has been introduced while integrating the re-written LTSP into 
Debian Edu 11 (bullseye). The bug shows up in case someone installs a 
system with both Main-Server and LTSP-Server profiles on the same 
machine (aka combined server). The manual recommends to use separate 
machines but the turnkey solution 'combined server' seems to be used 
quite often.

[ Impact ]
Skilled users on the internal Debian Edu network would be able to get 
access to sensitive data.

[ Tests ]
Manual tests have been done for both existent and new installations.

[ Risks ]
No actual risks, the fix is trivial and only Debian Edu installations 
are involved.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add sensitive data concerning directories and files to the 
main server related exclude list for the SquashFS image.
Mask slapd and make sure autofs is configured correctly to ensure home 
directory access after this change.
Also mask xrdp-sesman to avoid a useless (false) failure message during 
client boot.

[ Other info ]
Holger Levsen will upload the package in case of approval.

Thanks for caring,
Wolfgang


diff -Nru debian-edu-config-2.11.56/debian/changelog 
debian-edu-config-2.11.56+deb11u1/debian/changelog
--- debian-edu-config-2.11.56/debian/changelog  2021-06-05 00:06:13.0 
+0200
+++ debian-edu-config-2.11.56+deb11u1/debian/changelog  2021-09-09 
12:52:03.0 +0200
@@ -1,3 +1,13 @@
+debian-edu-config (2.11.56+deb11u1) UNRELEASED; urgency=medium
+
+  * Adjust sbin/debian-edu-ltsp-install. (Closes: #993935)
+Thanks to Dominik George for spotting and reporting the issue.
+- Extend main server related exclude list.
+- Add slapd and xrdp-sesman to the list of masked services.
+- Ensure home directory access after above changes.
+
+ -- Wolfgang Schweer   Thu, 09 Sep 2021 12:52:03 +0200
+
 debian-edu-config (2.11.56) unstable; urgency=medium
 
   [ Wolfgang Schweer ]
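
Review bot: The new changelog entry targets `UNRELEASED`; for a stable update the distribution field has to be `bullseye` before the upload, and the trailer date should be refreshed at that point. The script header in the next file says `last edited: 2021-09-14` while this trailer says 09 Sep 2021, so one of the two is stale.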
diff -Nru debian-edu-config-2.11.56/sbin/debian-edu-ltsp-install 
debian-edu-config-2.11.56+deb11u1/sbin/debian-edu-ltsp-install
--- debian-edu-config-2.11.56/sbin/debian-edu-ltsp-install  2021-06-05 
00:06:13.0 +0200
+++ debian-edu-config-2.11.56+deb11u1/sbin/debian-edu-ltsp-install  
2021-09-09 12:52:03.0 +0200
@@ -17,7 +17,7 @@
 # Author/Copyright:Wolfgang Schweer 
 # Licence: GPL2+
 # first edited:2019-11-21
-# last edited: 2021-04-26
+# last edited: 2021-09-14
 
 set -e
 
@@ -197,6 +197,27 @@
 # FIXME: On the main server even more additional excludes might be useful.
 if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
cat <> /etc/ltsp/image-local.excludes
+etc/apache2
+etc/bind
+etc/dbconfig-common
+etc/dovecot
+etc/etckeeper
+etc/gosa
+etc/freeradius
+etc/icinga
+etc/icinga2
+etc/icingaweb2
+etc/krb5kdc
+etc/krb5.keytab.imap
+etc/krb5.keytab.ldap
+etc/krb5.keytab.smtp
+etc/mysql
+etc/nagios
+etc/nagios-plugins
+etc/nagios3
+etc/samba
+etc/slbackup
+etc/slbackup-php
 usr/lib/apache2
 usr/lib/exim4
 usr/lib/icinga
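
Review bot: The `FIXME` on the first context line still stands after this hunk: the list enumerates paths known today, and `etc/krb5.keytab.imap`, `.ldap` and `.smtp` are listed one by one, so a keytab for any further service would still end up in the image. The same list already uses wildcards (`var/lib/dpkg/*`), so consider one pattern for the per-service keytabs that does not also match `etc/krb5.keytab`, which this hunk leaves in place, and either resolve the FIXME or reword it to say that site-specific additions belong in this list.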
@@ -219,9 +240,12 @@
 var/lib/dpkg/*
 var/lib/exim4/*
 var/lib/icinga/*
+var/lib/ldap/*
 var/lib/munin/*
 var/lib/munin-node/*
 var/lib/nfs/*
+var/lib/samba/*
+var/log/apache2/*
 var/log/cfengine/*
 var/log/installer/*
 var/log/munin/*
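
Review bot: `var/lib/ldap/*` is excluded here while slapd is only masked in the ltsp.conf hunk further down, and nothing in the script links the two. A one-line comment next to these entries, saying that excluding the LDAP database goes together with masking slapd on clients, would keep a later edit from undoing one half of the fix.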
@@ -470,10 +494,11 @@
# is disabled, but it is needed for diskless workstations.
# OTOH some services need to be disabled, i.e. 'masked'.
cat <> /etc/ltsp/ltsp.conf
+PRE_INIT_AUTOFS="echo 'LDAPURI=ldap://ldap' >> /etc/default/autofs"
 PRE_INIT_MAIN_SERVER="systemctl enable autofs"
 POST_INIT_USE_FQDN="sed -i '/10.0.2.2/ s/server/tjener.intern tjener/' 
/etc/hosts"
 MASK_SYSTEM_SERVICES="apache2 named cups dovecot etckeeper exim4 squid 
tftpd-hpa \
-icinga2 nmbd smbd systemd-journald xrdp krb5-kdc mariadb cfengine3 
isc-dhcp-server"
+icinga2 nmbd slapd smbd systemd-journald xrdp xrdp-sesman krb5-kdc mariadb 
cfengine3 isc-dhcp-server"
 EOF
else
cat <> /etc/ltsp/ltsp.conf
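
Review bot: `PRE_INIT_AUTOFS` is added without any comment; the two comment lines above the heredoc only cover enabling autofs and masking services. Say why `LDAPURI=ldap://ldap` has to be written into /etc/default/autofs on clients (the changelog only says "Ensure home directory access after above changes"), and note that the `>>` append assumes the setting is not already present in that file.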
@@ -500,6 +525,7 @@
fi
# Clean up ltsp.conf from specific items.
sed -i '/PRE_INIT_MAIN/d' /etc/ltsp/ltsp.conf
+   sed -i '/PRE_INIT_AUTOFS/d' /etc/ltsp/ltsp.conf
sed -i '/MASK_SYSTEM/d' /etc/ltsp/ltsp.conf
 fi
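
Review bot: The cleanup uses unanchored patterns in separate `sed -i` passes, so `/PRE_INIT_AUTOFS/d` would also delete any other ltsp.conf line that merely mentions the string. Anchoring to `^PRE_INIT_AUTOFS=` (and likewise for the two neighbouring patterns) in a single `sed -i -e ... -e ...` call would be tighter.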



signature.asc
Description: PGP signature


Bug#993988: debian-edu-config: consider to drop diskless workstation support as default for Main-Server+LTSP-Server profile

2021-09-09 Thread Wolfgang Schweer
[ Dominik George, 2021-09-09 ]

> > It would be quite easy to drop the diskless workstation support 
> > (done by default at first boot of a combined server), only provide 
> > thin client support on the combined server and leave the (site 
> > specific) setup for diskless ws to the local admin. (The manual 
> > should then contain hints how to do this.)
> 
> I take it that by "drop support", you mean "not install by default"?

Yes. Instead of running 'debian-edu-ltsp-install --diskless_workstation 
yes' at first boot of a combined server, leave this step to the local 
admin - just like it has to be done on a separate machine w/ LTSP-server 
profile.
 
> Diskless workstations are one (probably the) Unique Selling Point of 
> Debian Edu, so I would like to make very clear that dropping support 
> for it in general would be problematic.

Sure.
 
Wolfgang


signature.asc
Description: PGP signature


Bug#993988: debian-edu-config: consider to drop diskless workstation support as default for Main-Server+LTSP-Server profile

2021-09-09 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.12.1
Severity: wishlist

Like reported in #993935, a local admin might install additional 
packages on a combined server causing potential leakage of sensitive data
in the SquashFS image file for diskless workstations.

It would be quite easy to drop the diskless workstation support (done by 
default at first boot of a combined server), only provide thin client 
support on the combined server and leave the (site specific) setup for 
diskless ws to the local admin. (The manual should then contain hints 
how to do this.)

Wolfgang


signature.asc
Description: PGP signature


Bug#993935: debian-edu-ltsp-install: Netboot image exposes private data and crypto keys

2021-09-08 Thread Wolfgang Schweer
[ Dominik George, 2021-09-08 ]
> Package: debian-edu-config
> Version: 2.11.56
> Severity: critical
> Tags: security
> Justification: root security hole
> X-Debbugs-Cc: Debian Security Team 
> 
> The LTSP netboot image produced by debian-edu-ltsp-install includes full
> copies of files that should never leave the Debian Edu main server, if run
> on a so-called "combined server" (a system using the Main Server and
> Terminal Server profiles, as done in small installations).

Yes, confirmed.
 
> Among these files are full copies of, among others:
> 
>  - /var/lib/ldap, containing the full, unencrypted LDAP database with all
>    private information on all users, password hashes, and Kerberos keys
>  - /etc/krb5-kdc, containing information on decrypting Kerberos data in the
>    LDAP database
>  - /etc/gosa, containing the (encrypted) LDAP manager credentials, plus the
>    key to decrypt it

These should be added to the exclude list, and some more. Other fixes 
are then needed, too.
 
> Any user with access to the local terminal server network can acquire 
> the netboot image, unauthenticated, and extract the listed information 
> from it.

SSH, tftp: I fail to get the SquashFS image file in both cases. But then 
I'm no expert.
 
> The issue is caused by the new LTSP system using the LTSP PnP system 
> now in all cases, thus packing the entire main server filesystem in 
> squashfs image. The debian-edu-ltsp-install script produces a list of 
> files to exclude from the image, which is not sufficient, most 
> probably because it was tailored to the use case where the image is 
> produced from a dedicated Terminal Server instead of a combined 
> server.

Yes.
 
> IMHO, the use case of the combined server cannot be fixed. The new 
> LTSP system de facto disallows any use of a combined server – even if 
> we make a very carefully curated list of excluded files, any 
> administrator would have to take care to add their own excludes for 
> just about any file they place on the main server that was not placed 
> there by the Debian Edu software. In fact, the whole new LTSP system 
> seems unfit to be used on any server that is not limited to producing 
> LTSP images, and supporting netbooting them.

While it's best to use separated LTSP servers (like recommended in the 
manual), people are used to get a turnkey system like the combined 
server. So maybe we should strive to keep that option (and add a hint to 
the exclude list in the manual).
 
> For now, the issue should be mitigated by carefully adding all 
> relevant paths that are known to exist only on the main server to the 
> exclude list, but I do not think that is a viable fix in the long 
> term.

I've set up a test environment and will take a look.

Wolfgang


signature.asc
Description: PGP signature
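
Both the report above and the exclude-list patch in the #994627 message rely on a static list of paths, so a check of what actually ended up in the built image is the natural complement. The following is an added example, not code from debian-edu-config: `audit_listing` and `demo` are hypothetical names, the deny-list entries are taken from the paths named in the report and the patch, the file listing is constructed, and the `squashfs-root/` prefix is the one `unsquashfs -l` prints.

```sh
#!/bin/sh
# Added example: audit an image's file listing against a deny list.
# Deny-list syntax mirrors the exclude list shown in the patch:
#   etc/gosa         -> the path itself and everything below it
#   var/lib/ldap/*   -> everything below the directory (an empty dir is fine)

# audit_listing DENYLIST   (file listing on stdin, one path per line)
# Prints every listed path that falls under a deny-list rule.
# Returns 0 if the listing is clean, 1 if at least one path leaked.
audit_listing() {
    _deny=$1
    _leaks=0
    while IFS= read -r _path; do
        _path=${_path#squashfs-root/}   # prefix printed by 'unsquashfs -l'
        _path=${_path#/}
        [ -n "$_path" ] || continue
        while IFS= read -r _rule; do
            case $_rule in ''|'#'*) continue ;; esac
            case $_rule in
                */\*)   # "dir/*": only entries below dir count
                    _dir=${_rule%/\*}
                    case $_path in "$_dir"/*) ;; *) continue ;; esac ;;
                *)      # plain entry: exact match or anything below it
                    case $_path in "$_rule"|"$_rule"/*) ;; *) continue ;; esac ;;
            esac
            printf '%s\n' "$_path"
            _leaks=1
            break
        done < "$_deny"
    done
    [ "$_leaks" -eq 0 ]
}

# demo: run the audit over constructed sample data.
demo() {
    _tmp=$(mktemp -d) || return 2
    cat > "$_tmp/deny" <<'EOF'
# constructed deny list (paths named in the bug report and the patch)
var/lib/ldap/*
etc/krb5kdc
etc/gosa
etc/krb5.keytab.ldap
EOF
    cat > "$_tmp/listing" <<'EOF'
squashfs-root
squashfs-root/etc
squashfs-root/etc/hostname
squashfs-root/etc/gosa/gosa.conf
squashfs-root/etc/gosa-extra/readme
squashfs-root/etc/krb5.keytab
squashfs-root/var/lib/ldap
squashfs-root/var/lib/ldap/data.mdb
EOF
    audit_listing "$_tmp/deny" < "$_tmp/listing"
    _rc=$?
    rm -rf "$_tmp"
    return "$_rc"
}

demo || echo "listing contains paths from the deny list" >&2
```

On a server the listing would come from `unsquashfs -l` run against the generated image under /srv/ltsp/images/, piped into `audit_listing` after every image rebuild.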


Bug#989936: make clean should clean images-tmp dir

2021-06-16 Thread Wolfgang Schweer
[ hox...@noramail.jp, 2021-06-16 ]
> Package: debian-edu-doc
> Version: 2.11.24
> Severity: wishlist
> 
> Dear Debian Edu team,
> 
> After making "make" error on .po task such like syntax error,
> debian-edu-doc/documentation/common/Makefile.common fails at
> "mkdir images-tmp". 
> 
> Since "make clean" does not purge that tmp dir,
> "make" keep failing even after fixing the error on .po file.
 
Thanks, confirmed. This should be fixed for Bookworm.

Wolfgang


signature.asc
Description: PGP signature


Bug#989937: some non CDATA commands are hard to read

2021-06-16 Thread Wolfgang Schweer
[ hox...@noramail.jp, 2021-06-16 ]
> Package: debian-edu-doc
> Version:2.11.24
> Severity: wishlist
> 
> Dear Debian Edu team,
> 
> Some commands for upgrading written in section 12 "upgrade"
> are "listitem" type in po files (not "CDATA").
> 
> As a result some of crucial texts are rendered as
> list items which I think it could confuse readers a bit
> (by depth of list and wrap on browser).
> 
> e.g. 12.2.1. ldapvi manipulation (iPXE)
> 
> Perhaps "computeroutput" and/or "CDATA" be nice,
> for both readers and translators, I think.
 
Thanks for the hint. The related chapter has been reworked (waiting for 
revision), see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Upgrades

Wolfgang


signature.asc
Description: PGP signature


Bug#989485: d-e-install: drop powerpc recipes

2021-06-05 Thread Wolfgang Schweer
[ Holger Levsen, 2021-06-04 ]

> wait, what? why do we still have powerpc recipes in Debian Edu? We 
> dropped powerpc support some time ago :)
> 
> (not fully sure we want this change for bullseye but then I also don't 
> see how it could hurt to drop those properly.)
> 
> (and in any case this shouldn't be a blocker for #989483, the current 
> d-e-install unblock request...)

I noticed the superfluous recipes as well (and those should definitely be 
removed), but then thought restricting the changes to fix the UEFI 
related bug would be the way to go for bullseye…

Wolfgang


signature.asc
Description: PGP signature


Bug#989342: debian-edu-config: fails to setup thin client support if used outside d-i

2021-06-04 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-06-01 ]
> During a recent installation test I noticed that the 
> debian-edu-ltsp-install script fails to setup thin client support if 
> used outside the Debian Installer environment.
> 
> As there are too many ways to install a combined server with or 
> without Internet connection using the BD iso image it is best to 
> adjust debian-edu-ltsp-install to only use the BD ISO image if run 
> inside d-i.
> 
> The fix is simple:
> 
> diff --git a/sbin/debian-edu-ltsp-install b/sbin/debian-edu-ltsp-install
> index 1edb407a..a22d8ca8 100755
> --- a/sbin/debian-edu-ltsp-install
> +++ b/sbin/debian-edu-ltsp-install
> @@ -341,8 +341,8 @@ cat < /etc/ltsp/skel/.x2goclient/settings
>  show=false
>  EOF
> 
> -# Specific settings needed if BD ISO image is used for installation.
> -if grep -q BD /etc/apt/sources.list ; then
> +# Specific settings needed if BD ISO image is used for installation inside 
> d-i.
> +if [ -e /etc/apt/apt.conf.d/00IgnoreTimeConflict ] && grep -q BD 
> /etc/apt/sources.list ; then
> BD_ISO="true";
> device="$(grep media/cdrom /etc/fstab | cut -d' ' -f1)"
> mirror="file:///media/cdrom/"
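
Review bot: The `[ -e /etc/apt/apt.conf.d/00IgnoreTimeConflict ]` test stands in for "running inside d-i", but the updated comment does not say so, and a reader has no way to tell why that file matters. Name the marker in the comment, or put the check behind a small helper with a descriptive name. If `BD_ISO` is only assigned in this branch, initialise it to `false` before the `if` so that the later `[ "true" == "$BD_ISO" ]` test does not depend on the caller's environment.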
> @@ -365,7 +365,6 @@ debootstrap --arch="$arch" --no-check-gpg 
> --variant=minbase --include=linux-imag
> if [ "true" == "$BD_ISO" ] ; then
> mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
> mount $device /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
> -   cp /var/cache/apt/*.bin 
> /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt/
> echo "deb [trusted=yes] $mirror $dist main" > 
> /srv/ltsp/thin/"$thin_type"-"$arch"/etc/apt/sources.list
> fi
> chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install 
> education-thin-client p910nd
> 
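
Review bot: With the `cp /var/cache/apt/*.bin` line gone, what remains in the `BD_ISO` branch is `mount $device ...` with an unquoted, unchecked `$device` and a sources.list entry marked `[trusted=yes]`, next to a `debootstrap ... --no-check-gpg` call. Since this path is now meant to run only inside d-i, add a comment stating that signature checks are skipped because the packages come from the installation medium, and fail early if `$device` is empty. `==` inside `[ ]` is a bashism; use `=` unless the script is guaranteed to run under bash.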

Explaining the fix:

If the BD ISO image is used in offline mode, 'apt update' isn't run, so 
/var/cache/apt/ doesn't contain pkgcache.bin and srcpkgcache.bin; the 
script errors out.

A fix could have been to append '|| true' to the line 
cp /var/cache/apt/*.bin /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt/

But a second issue showed up while testing a fix for the script:

There are too many ways to use the script outside d-i for installation 
(with or without Internet connection, with or without adjusting the 
sources list, with or without running apt update, support for amd64 or 
i386 thin clients, with or without a related DVD / USB flash drive being 
mounted / available) to cover all these cases.

So it seemed to be best to use the BD ISO image to setup X2Go thin 
client support only in case the script is run inside the Debian 
Installer environment.

This said, instead of appending '|| true' to the mentioned line, get rid 
of it completely.

Wolfgang


signature.asc
Description: PGP signature


Bug#971275: isc-dhcp-server-ldap: fails to activate the service

2021-06-04 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2020-09-28 ]
> while working on Debian Edu Bullseye, I noticed that the DHCP service 
> stopped working after upgrading the system.

[..]
 
> Reason seems to be that the init script timed out, maybe 
> /etc/default/isc-dhcp-server could not be sourced:

This isn't the case; it seems that testing the configurations is the 
cause.
 
> root@tjener:~# service isc-dhcp-server status
> * isc-dhcp-server.service - LSB: DHCP server
>  Loaded: loaded (/etc/init.d/isc-dhcp-server; generated)
>  Active: activating (start) since Mon 2020-09-28 18:24:25 CEST; 2min 36s 
> ago
>Docs: man:systemd-sysv-generator(8)
> Cntrl PID: 1280 (isc-dhcp-server)
>   Tasks: 8 (limit: 4671)
>  Memory: 17.6M
>  CGroup: /system.slice/isc-dhcp-server.service
>  |-1280 /bin/sh /etc/init.d/isc-dhcp-server start
>  `-1310 /usr/sbin/dhcpd -t -4 -q -cf /etc/dhcp/dhcpd.conf
> 
> Sep 28 18:24:25 tjener.intern systemd[1]: Starting LSB: DHCP server...
> Sep 28 18:24:26 tjener.intern isc-dhcp-server[1280]: Launching IPv4 server 
> only.

I've found two ways to work around this issue:

(1) Commenting out the related code in /etc/init.d/isc-dhcp-server

test_config()
{
VERSION="$1"
CONF="$2"

#if ! /usr/sbin/dhcpd -t $VERSION -q -cf "$CONF" > /dev/null 2>&1; then
#   echo "dhcpd self-test failed. Please fix $CONF."
#   echo "The error was: "
#   /usr/sbin/dhcpd -t $VERSION -cf "$CONF"
#   exit 1
#fi
}

and adjusting related lines in /etc/default/isc-dhcp-server (for a 
Debian Edu combined server with two network interfaces as an example):

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="eth0 eth1"
#INTERFACESv6=""

--

(2) Use a systemd unit file /etc/systemd/system/isc-dhcp-server.service

[Unit]
Description=DHCP server
After=network.target network-online.target
Requires=slapd.service

[Service]
Type=forking
RestartSec=2s
Restart=on-failure
ExecStartPre=-/usr/bin/touch /var/lib/dhcp/dhcpd.leases
ExecStart=/usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf

[Install]
WantedBy=multi-user.target

-

Please note that I'm no expert, I guess the unit file could be improved.

Wolfgang


signature.asc
Description: PGP signature


Bug#989342: debian-edu-config: fails to setup thin client support if used outside d-i

2021-06-01 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.55
Severity: important

During a recent installation test I noticed that the debian-edu-ltsp-install
script fails to set up thin client support if used outside the Debian Installer
environment.

As there are too many ways to install a combined server with or without Internet
connection using the BD iso image it is best to adjust debian-edu-ltsp-install
to only use the BD ISO image if run inside d-i.

The fix is simple:

diff --git a/sbin/debian-edu-ltsp-install b/sbin/debian-edu-ltsp-install
index 1edb407a..a22d8ca8 100755
--- a/sbin/debian-edu-ltsp-install
+++ b/sbin/debian-edu-ltsp-install
@@ -341,8 +341,8 @@ cat < /etc/ltsp/skel/.x2goclient/settings
 show=false
 EOF

-# Specific settings needed if BD ISO image is used for installation.
-if grep -q BD /etc/apt/sources.list ; then
+# Specific settings needed if BD ISO image is used for installation inside d-i.
+if [ -e /etc/apt/apt.conf.d/00IgnoreTimeConflict ] && grep -q BD 
/etc/apt/sources.list ; then
BD_ISO="true";
device="$(grep media/cdrom /etc/fstab | cut -d' ' -f1)"
mirror="file:///media/cdrom/"
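Review bot: The unchanged `grep -q BD /etc/apt/sources.list` in the new condition matches the string BD anywhere in the file, including commented-out entries, so the branch can still be entered by accident once the first test passes; anchoring the pattern to active deb lines would tighten it. The first test uses the presence of /etc/apt/apt.conf.d/00IgnoreTimeConflict as the signal for "inside d-i", but nothing in the hunk says why that file marks the installer environment. A comment naming what creates the file would keep the check from looking arbitrary.
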
@@ -365,7 +365,6 @@ debootstrap --arch="$arch" --no-check-gpg --variant=minbase 
--include=linux-imag
if [ "true" == "$BD_ISO" ] ; then
mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
mount $device /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
-   cp /var/cache/apt/*.bin 
/srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt/
echo "deb [trusted=yes] $mirror $dist main" > 
/srv/ltsp/thin/"$thin_type"-"$arch"/etc/apt/sources.list
fi
chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install 
education-thin-client p910nd
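Review bot: In the BD branch that remains after the cp is removed, `mount $device` uses an unquoted variable that comes from a grep over /etc/fstab and is empty when no media/cdrom entry exists; a check for a non-empty value before the mount would fail early with a clear message. The same branch writes a `deb [trusted=yes]` line into the chroot's sources.list on top of debootstrap's --no-check-gpg, so package signatures are not verified anywhere on this path. A comment stating that the installation medium is the trust anchor, and whether the trusted=yes entry is replaced once the chroot is built (not visible here), would document that choice.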

Wolfgang



Bug#989340: debian-edu-config: broken DHCP configuration

2021-06-01 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.55
Severity: important

During a recent upgrade test I noticed that DHCP stopped working.

The isc-dhcp-server-server package ships an init-script that already stopped
working before, see https://bugs.debian.org/971275 for details.

The previous setup using changes done to /etc/default/isc/dhcp-server and the
init script had been replaced by conditionally providing a systemd unit file.
This setup is failing since I upgraded a combined server installed using the
DI-rc1 BD ISO image, see:
https://cdimage.debian.org/cdimage/bullseye_di_rc1/amd64/iso-bd/

Replacing ExecStartPre with a command inspired by the init script makes DHCP
work again.

The fix is tiny:

diff --git a/share/debian-edu-config/isc-dhcp-server.service 
b/share/debian-edu-config/isc-dhcp-server.service
index be60b45a..22d77f76 100644
--- a/share/debian-edu-config/isc-dhcp-server.service
+++ b/share/debian-edu-config/isc-dhcp-server.service
@@ -7,7 +7,7 @@ Requires=slapd.service
 Type=forking
 RestartSec=2s
 Restart=on-failure
-ExecStartPre=-sleep 2
+ExecStartPre=-/usr/bin/touch /var/lib/dhcp/dhcpd.leases
 ExecStart=/usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf

 [Install]
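Review bot: The leading '-' on the new ExecStartPre line tells systemd to ignore a failing touch, so if /var/lib/dhcp is missing or not writable the unit still proceeds to ExecStart and dhcpd runs without the leases file the change is meant to provide. Dropping the '-' would surface the real cause in the unit status. The hunk also removes `sleep 2` without a word on why the delay is no longer needed; one line in the commit message would help.
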
diff --git a/share/debian-edu-config/isc-dhcp-server.service.eth1_only 
b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
index 87cc93a8..46557e6b 100644
--- a/share/debian-edu-config/isc-dhcp-server.service.eth1_only
+++ b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
@@ -7,7 +7,7 @@ Requires=slapd.service
 Type=forking
 RestartSec=2s
 Restart=on-failure
-ExecStartPre=-sleep 2
+ExecStartPre=-/usr/bin/touch /var/lib/dhcp/dhcpd.leases
 ExecStart=/usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf eth1

 [Install]
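Review bot: The ExecStartPre fix has to be repeated here because the eth1_only unit duplicates isc-dhcp-server.service except for the trailing eth1 on ExecStart, so every future change must be made twice and the two files can drift apart. Consider a single unit that takes the interface list from an environment file. The remark on the ignored failure of touch (leading '-') applies to this copy as well.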

 Wolfgang



Bug#989338: debian-edu-config: sending system emails from machines inside internal network broken

2021-06-01 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.55
Severity: important

During a recent upgrade test I noticed that sending system emails from machines
inside the internal network is no longer working. This seems to be due to
changes in src:exim4 4.94.

Client systems are configured using preseeding, but this setup is failing now.
Using the (already shipped, but unused) exim-ldap-client-v4.conf file as
exim4.conf on client machines re-enables sending system emails.

The fix is simple:

diff --git a/cf3/cf.exim b/cf3/cf.exim
index 904f94df..3dff1ea0 100644
--- a/cf3/cf.exim
+++ b/cf3/cf.exim
@@ -10,6 +10,12 @@ files:
   move_obstructions => "true";
 "/etc/default/exim4"
   edit_line => exim_default;
+
+  debian.!server.(workstation|minimal).installation::
+
+"/etc/exim4/exim4.conf"
+  link_from => ln_s("/etc/exim4/exim-ldap-client-v4.conf"),
+  move_obstructions => "true";
 }

 bundle edit_line exim_default
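Review bot: `move_obstructions => "true"` on the new /etc/exim4/exim4.conf promise means an existing exim4.conf on the client, including one an administrator edited locally, is moved aside without notice when the link is created; the changelog should say so. The class guard also ends in `installation`, while the report describes the breakage as found during an upgrade test, so it is worth confirming that already-installed workstations get the link too.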



Bug#988396: debian-edu-config: EFI partition is missing during automatic partitioning

2021-05-12 Thread Wolfgang Schweer
Hi,

[ Monsieur Cyril ETCHEVERRIA, 2021-05-11 ]
> Package: debian-edu-config
> Version: 2.11.54
> Severity: normal

[..]
> installing debian-edu 11 with debian-edu-bullseye-DI-rc1-amd64-netinst.iso
> image with automatic partitioning on a UEFI system results in a systematic
> error no EFI partition.

Thanks for trying Debian Edu and for reporting this bug.

Unfortunately UEFI system support is missing in the automatic 
partitioning setup. As far as I've been able to find out, the whole disk 
is wiped out (including an existing EFI partition). UEFI support should 
definitely be added, but maybe it's too late for Debian 11.

> With an automatic partitioning on the second disk with an EFI 
> partition present on the first disk, the installation continues 
> successfully.

The Debian Installer seems to be smart enough to figure that out.

Wolfgang


signature.asc
Description: PGP signature


Bug#937234: pam-python: Python2 removal in sid/bullseye

2021-05-06 Thread Wolfgang Schweer
[ Holger Levsen, 2021-05-05 ]
> The pam-python website (http://pam-python.sourceforge.net/) also 
> grants an additional permission "The copyright holders grant you an 
> additional permission under Section 7 of the GNU Affero General Public 
> License, version 3, exempting you from the requirement in Section 6 of 
> the GNU General Public License, version 3, to accompany Corresponding 
> Source with Installation Information for the Program or any work based 
> on the Program. You are still required to comply with all other 
> Section 6 requirements to provide Corresponding Source."

This additional permission is also part of d/copyright, see the last 
section: 
https://sources.debian.org/src/pam-python/1.0.9-2/debian/copyright/

Wolfgang


signature.asc
Description: PGP signature


Bug#987634: fails to configure diskless client support during i386 main server installation

2021-04-26 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.54
Severity: important

In case a 32-bit combined server (Main-Server, Workstation and 
LTSP-Server profiles) is installed, the LTSP specific Initrd (ltsp.img) 
is missing, and a diskless workstation fails to start.

The command 'uname -m' is used to construct the path where ltsp.img 
should be located. In the 32-bit case, the command returns 'i686' while 
LTSP expects the path component to be 'x86_32' (like x86_64 for 32-bit 
systems).

Wolfgang


signature.asc
Description: PGP signature


Bug#987633: fails to create thin client support if a combined server is installed in offline mode

2021-04-26 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.54
Severity: normal

When using the BD ISO image to install a combined server (Main-Server, 
Workstation and LTSP-Server profiles) in offline mode (i.e. without 
Internet connection), setting up the X2Go thin client chroot fails 
because debootstrap uses deb.debian.org as mirror. Instead, the BD ISO 
image should be used as mirror.

Wolfgang


signature.asc
Description: PGP signature


Bug#987632: fails to create Samba account for first user during main server installation

2021-04-26 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.54
Severity: normal

During main server installation information is still missing to create 
the first user's Samba account. This should be done at first boot of 
the main server when all required information is available via LDAP and 
debconf.

Wolfgang


signature.asc
Description: PGP signature


Bug#986984: Bug#987327: autopkgtests for debian-edu-doc binary packages

2021-04-21 Thread Wolfgang Schweer
[ Holger Levsen, 2021-04-21 ]
> we should add autopkgtests to debian-edu-doc to ensure each document 
> has been built for the three formats pdf, epub and html.
> 
> another condition is that every debian-edu-doc-* package should 
> contain at least one document, unless the package has 'transitional' 
> in its description.

sounds good.
 
> On Wed, Apr 21, 2021 at 09:20:38PM +0200, Petter Reinholdtsen wrote:
> > [Holger Levsen]
> > > I'll guess I'll invent something myself then...
> > What about looking for selected keywords like 'Debian Edu', 'Skolelinux',
> > "$(lsb_release -c -s)" or similar by grepping the documentation files,
> 
> thanks, grepping for known strings is indeed a good idea, though
> we should choose those few untranslated english ones...
> 
> > to ensure the content is somewhat relevant?  And perhaps linting the
> > HTML (weblint-perl?) and epub (epubcheck?) files to verify the format is
> > correct?
> 
> I was thinking of just using /usr/bin/file...

IIRC, we had all sorts of problems in the past, some of them unnoticed
for some time:
- missing files of some format due to wrong XML syntax in PO files
- missing PDF files for a specific language
- problems with non-ascii language PDF files
- HTML files with somehow broken markup
- invalid EPUB files

In some cases, verifying the format would have revealed the cause for 
missing files/internal issues, i.e would have allowed one to locate the 
broken XML syntax (most cases) more easily.

src:desktop-base has an autopkgtest to validate XML files, xmllint from 
libxml2-utils is used. Maybe xmllint could also be used to check HTML 
files.

Besides checking EPUB files, epubcheck has also been useful in the past 
to detect HTML markup errors caused by XML tag mismatch (which xmllint 
failed to detect).

And 'qpdf --check ' could be used to validate PDF files.

Wolfgang


signature.asc
Description: PGP signature
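
The checks discussed in this thread (every manual present as PDF, EPUB and HTML, and each file structurally valid rather than merely present) can be sketched without external tools. The following is an added example, not code from debian-edu-doc or its autopkgtests; the function names and the constructed sample files are illustrative, the HTML check assumes generated output that closes every non-void element, and the checks are a lightweight stand-in for qpdf, epubcheck and xmllint.

```python
import io
import zipfile
from html.parser import HTMLParser

VOID_TAGS = set("area base br col embed hr img input link meta source track wbr".split())


def check_pdf(data):
    """Header magic and end-of-file marker; catches empty and truncated files."""
    problems = []
    if not data.startswith(b"%PDF-"):
        problems.append("no %PDF- header")
    if b"%%EOF" not in data[-1024:]:
        problems.append("no %%EOF marker near the end (truncated?)")
    return problems


def check_epub(data):
    """EPUB container rule: a ZIP whose first member is an uncompressed 'mimetype'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            if not members or members[0].filename != "mimetype":
                return ["first ZIP member is not 'mimetype'"]
            problems = []
            if members[0].compress_type != zipfile.ZIP_STORED:
                problems.append("'mimetype' is compressed")
            if zf.read("mimetype") != b"application/epub+zip":
                problems.append("wrong mimetype content")
            if "META-INF/container.xml" not in zf.namelist():
                problems.append("META-INF/container.xml missing")
            return problems
    except zipfile.BadZipFile:
        return ["not a ZIP container"]


class TagBalance(HTMLParser):  # assumes every non-void element is closed
    def __init__(self):
        super().__init__()
        self.open_tags = []  # (tag, line) of elements still open
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.open_tags.append((tag, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag not in [name for name, _ in self.open_tags]:
            self.problems.append(f"line {self.getpos()[0]}: </{tag}> has no opening tag")
            return
        while self.open_tags[-1][0] != tag:  # opened after it, never closed
            name, line = self.open_tags.pop()
            self.problems.append(f"line {line}: <{name}> not closed")
        self.open_tags.pop()


def check_html(data):
    parser = TagBalance()
    parser.feed(data.decode("utf-8", errors="replace"))
    parser.close()
    unclosed = [f"line {line}: <{name}> not closed" for name, line in parser.open_tags]
    return parser.problems + unclosed


CHECKS = {"pdf": check_pdf, "epub": check_epub, "html": check_html}


def check_manuals(files):
    """files maps file name to bytes; returns {name: [problems]} for failures only."""
    report = {}
    for stem in sorted({name.rsplit(".", 1)[0] for name in files}):
        for ext, check in CHECKS.items():
            name = f"{stem}.{ext}"
            problems = check(files[name]) if name in files else ["file missing"]
            if problems:
                report[name] = problems
    return report


def build_epub(mimetype=b"application/epub+zip"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", mimetype, compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", "<container/>")
    return buf.getvalue()


def constructed_samples():
    """Constructed: manual-a complete; manual-b truncated PDF, unclosed <p>, no EPUB."""
    return {
        "manual-a.pdf": b"%PDF-1.5\n1 0 obj\nendobj\n%%EOF\n",
        "manual-a.epub": build_epub(),
        "manual-a.html": b"<html><body><p>Debian Edu<br/></p></body></html>",
        "manual-b.pdf": b"%PDF-1.5\n1 0 obj\n",
        "manual-b.html": b"<html><body>\n<div><p>text</div>\n</body></html>",
    }
```

Calling `check_manuals(constructed_samples())` reports only the three manual-b entries; in a real test the dictionary would be filled from the files installed by each debian-edu-doc-* package.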


Bug#987225: debian-edu-config: openQA 'standalone' install test failing

2021-04-19 Thread Wolfgang Schweer
Hi Phil,

[ Philip Hands, 2021-04-19 ]
> I've re-run the job with DEBCONF_DEBUG=5 set, which gives one a more verbose
> logging, and you can find the resulting syslog here:
> 
>   https://openqa.debian.net/tests/1220/file/grub-syslog
 
The broken install might be due to a space problem, see these lines from 
grub-syslog:

Apr 19 20:25:53 in-target: Processing triggers for initramfs-tools (0.140) ...^M
Apr 19 20:25:53 in-target: update-initramfs: Generating 
/boot/initrd.img-5.10.0-6-amd64^M
Apr 19 20:26:05 in-target: cpio: write error
Apr 19 20:26:05 in-target: : No space left on device^M
Apr 19 20:26:05 in-target: E: mkinitramfs failure cpio 2^M
Apr 19 20:26:05 in-target: update-initramfs: failed for 
/boot/initrd.img-5.10.0-6-amd64 with 1.^M
Apr 19 20:26:05 in-target: dpkg: error processing package initramfs-tools 
(--configure):^M
Apr 19 20:26:05 in-target:  installed initramfs-tools package post-installation 
script subprocess returned error exit status 1^M

Wolfgang


signature.asc
Description: PGP signature


Bug#986535: debian-edu-artwork-buster: leaves alternatives after purge: /usr/share/ldm/themes/default -> /etc/alternatives/ldm-theme -> /usr/share/ldm/themes/debian-edu-buster

2021-04-07 Thread Wolfgang Schweer
Hi Andreas,

[ Andreas Beckmann, 2021-04-07 ]
> Followup-For: Bug #986535
> Control: tag -1 patch
> 
> I've verified that the attached patch works (at least for the -buster
> package).
 
Thanks for the patch, very much appreciated.

Wolfgang


signature.asc
Description: PGP signature


Bug#985703: debian-edu-doc-legacy-en: broken symlink: /usr/share/doc/debian-edu-doc-legacy-en/debian-edu-itil-manual-images/alert.png -> /debian-edu-doc-en/usr/share/doc/debian-edu-doc-en/debian-edu-b

2021-04-06 Thread Wolfgang Schweer
Hi Andreas,

[ Andreas Beckmann, 2021-04-06 ]
> On 22/03/2021 13.14, Wolfgang Schweer wrote:
> > The package education-common (installed by default on Debian Edu 
> > systems) has a Recommends: on debian-debian-edu-doc-legacy-en 
> > already. But the Suggests: might be useful for people installing 
> > debian-edu-doc-en independently.
> 
> Now that we have the Suggests for en (and I'm installing that in my piuparts
> instance for these broken symlink tests), the same problem shows up for more
> languages (that didn't get tested previously since their dependency -en was
> failing): fr, ja, nl, pt-pt - they should probably suggest their legacy
> counterparts as well.
 
Yes; thanks for the hint. In addition to the four above also nb-no and 
zh should do so.

Wolfgang


signature.asc
Description: PGP signature


Bug#986448: debian-edu-config: wrong panel configuration makes Edu MATE DE unusable

2021-04-06 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.53
Severity: important

While testing supported desktop environments, the Edu specific MATE DE turned
out to be unusable: the panel is missing and there's no way to add one.

The MATE configuration is tweaked using gschema override files. Apparently an
inconsistent configuration slipped in:

The share/glib-2.0/schemas/31_debian-edu+mate.gschema.override file refers to
'debian-edu' as layout file, but the file 'debian-edu.layout' is missing.

Instead, the existing file debian-edu-mate.layout should be referred to.

Wolfgang



Bug#986122: debian-edu-config: user account setup via GOsa appears to fail according to (false) error message

2021-03-29 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.52
Severity: important

While testing mass user account setup via a CSV file, an error message is shown
stating that password change failed. (Please note that 'password change' is also
used if the password is set for the first time, this is GOsa specific.)

Same thing also happens if a single new account is created via the wizard.

Actually, everything is just fine despite the error message, i.e. the user is
able to log in, both Kerberos and Samba passwords are correct.

When separating Samba account creation and Samba password change, the error
message is gone. (Samba account creation can be done in tools/gosa-create.) 

This error message is supposed to confuse users quite a lot…

Wolfgang


Bug#985902: debian-edu-config: internal web site: partially broken / wrong content

2021-03-25 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.51
Severity: normal

While testing installation of a main server using various locales I noticed that
the internal web site didn't show up in case of pt_PT locale, instead a question
appeared what to do with the file index.html.pt; also some translations were
wrong content wise (concerning esp. links), most probably caused by a poor sed
script used some time ago.

Wolfgang



Bug#985703: debian-edu-doc-legacy-en: broken symlink: /usr/share/doc/debian-edu-doc-legacy-en/debian-edu-itil-manual-images/alert.png -> /debian-edu-doc-en/usr/share/doc/debian-edu-doc-en/debian-edu-b

2021-03-24 Thread Wolfgang Schweer
Hi Andreas,

[ Andreas Beckmann, 2021-03-22 ]
> On 22/03/2021 13.14, Wolfgang Schweer wrote:
> > Actually
> > /debian-edu-doc-en/usr/share/doc/debian-edu-doc-en/debian-edu-bullseye-manual-images/alert.png
> > should be shipped, but is missing. I'll take a look.
> 
> There is an extra '/debian-edu-doc-en/' prefix to the target path, that's
> likely the problem. I didn't check the source how that gets generated ...
 
Thanks for the pointer. After digging into it, the failure seems to be 
caused by a workaround introduced five years ago but not working anymore 
after legacy manuals have been split out into debian-edu-doc-legacy-xx 
some time ago. Please note that the alert.png file is actually unneeded 
for the debian-edu-itil-manual.
 
Replacing alert.png (which points to a file also belonging to 
debian-edu-doc-en) with an image exclusively belonging to a manual 
shipped with debian-edu-doc-legacy-en fixes the issue. This image is 
only there to make sure at least one image is available in the image 
directory (that's the mentioned workaround as far as I was able to find 
out).

Wolfgang


signature.asc
Description: PGP signature


Bug#985773: debian-edu-doc: all English PDF manuals are missing

2021-03-23 Thread Wolfgang Schweer
Source: debian-edu-doc
Version: 2.11.21
Severity: normal

PDF variants are missing for all manuals; HTML and EPUB variants are available.
This problem only concerns $language=en, for all other supported languages, all
three variants are available for all manuals.

Wolfgang



Bug#985703: debian-edu-doc-legacy-en: broken symlink: /usr/share/doc/debian-edu-doc-legacy-en/debian-edu-itil-manual-images/alert.png -> /debian-edu-doc-en/usr/share/doc/debian-edu-doc-en/debian-edu-b

2021-03-22 Thread Wolfgang Schweer
Hi Andreas,

[ Andreas Beckmann, 2021-03-22 ]
> Package: debian-edu-doc-legacy-en
> Version: 2.11.20
> Severity: normal
> User: debian...@lists.debian.org
> Usertags: piuparts

Thanks for noticing.

> 0m23.4s ERROR: FAIL: Broken symlinks: 
>   
> /usr/share/doc/debian-edu-doc-legacy-en/debian-edu-itil-manual-images/alert.png
>  
>   -> 
>   
> /debian-edu-doc-en/usr/share/doc/debian-edu-doc-en/debian-edu-bullseye-manual-images/alert.png
>  
>   (debian-edu-doc-legacy-en)

Actually 
/debian-edu-doc-en/usr/share/doc/debian-edu-doc-en/debian-edu-bullseye-manual-images/alert.png
 
should be shipped, but is missing. I'll take a look.
 
> There is also in debian-edu-doc-en:
> 
> 0m22.5s ERROR: FAIL: Broken symlinks:
>   /usr/share/doc/debian-edu-doc/legacy-en -> ../debian-edu-doc-legacy-en 
> (debian-edu-doc-en)
> 
> Should there be at least a Suggests: debian-edu-doc-legacy-en ?

Yes, maybe it should be so. The package education-common (installed by 
default on Debian Edu systems) has a Recommends: on 
debian-debian-edu-doc-legacy-en already. But the Suggests: might be 
useful for people installing debian-edu-doc-en independently.

Wolfgang


signature.asc
Description: PGP signature
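
The two piuparts findings in this thread have different causes: a build-time staging directory name leaked into an absolute link target, and a link into a directory that another binary package ships. The following added example (not piuparts or debian-edu-doc code) tells the two apart; it assumes a debhelper-style layout with one staging directory per binary package, and the function names and the constructed tree are illustrative.

```python
import os
import posixpath
import tempfile


def shipped_paths(pkg_root):
    """Installed-system paths (files, directories, links) under one staging dir."""
    paths = set()
    for dirpath, dirnames, filenames in os.walk(pkg_root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), pkg_root)
            paths.add("/" + rel.replace(os.sep, "/"))
    return paths


def audit_symlinks(staging_root):
    """Return (package, link, target, verdict) for each symlink that does not
    resolve on a system where only the link's own package is installed."""
    packages = sorted(os.listdir(staging_root))
    shipped = {p: shipped_paths(os.path.join(staging_root, p)) for p in packages}
    findings = []
    for pkg in packages:
        root = os.path.join(staging_root, pkg)
        for link in sorted(shipped[pkg]):
            if not os.path.islink(root + link):
                continue
            target = os.readlink(root + link)
            # Absolute targets are relative to the installed root, not the build tree.
            dest = posixpath.normpath(posixpath.join(posixpath.dirname(link), target))
            first = dest.strip("/").split("/", 1)[0]
            if first in packages:
                verdict = f"staging directory '{first}' leaked into target"
            elif dest in shipped[pkg]:
                continue  # resolves inside the same package
            else:
                owners = [p for p in packages if dest in shipped[p]]
                verdict = (f"target shipped by {owners[0]}: needs a package relationship"
                           if owners else "dangling: target shipped by no package")
            findings.append((pkg, link, target, verdict))
    return findings


def build_constructed_tree(staging_root):
    """Constructed sample mirroring the two piuparts findings quoted above."""
    def ship(pkg, path, link_to=None):
        full = os.path.join(staging_root, pkg) + path
        os.makedirs(os.path.dirname(full), exist_ok=True)
        if link_to is None:
            open(full, "wb").close()
        else:
            os.symlink(link_to, full)

    doc = "/usr/share/doc"
    en, legacy = "debian-edu-doc-en", "debian-edu-doc-legacy-en"
    images = f"{doc}/{legacy}/debian-edu-itil-manual-images"
    ship(en, f"{doc}/{en}/debian-edu-bullseye-manual-images/alert.png")
    ship(en, f"{doc}/debian-edu-doc/legacy-en", link_to=f"../{legacy}")
    ship(legacy, f"{images}/alert.png",
         link_to=f"/{en}{doc}/{en}/debian-edu-bullseye-manual-images/alert.png")
    ship(legacy, f"{images}/ok.png")
    ship(legacy, f"{images}/local.png", link_to="ok.png")  # fine: same package


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return audit_symlinks(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding, sep="\n    ")
```

The first verdict is a packaging bug to fix in the build; the second is resolved by declaring a relationship to the owning package, as discussed in the thread.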


Bug#984596: debian-edu-config: dhcpd fails to start due to missing leases file

2021-03-05 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.50
Severity: important

During recent installation media tests I noticed that isc-dhcp-server failed
to start. This happens when switching from the init script to a custom
systemd service file (via cfengine at the end of the installation process).

This switch has been needed because the LDAP connection is broken if the init
script is used (#971275).

As the dhcpd server could not start successfully, the /var/lib/dhcpd.leases
file is missing.

So to really fix #971275 in all possible cases, cf3/cf.dhcpserver should also
care for the leases file.

Wolfgang



Bug#982767: Thunderbird - Kerberos/GSSAPI ticket was not accepted

2021-02-14 Thread Wolfgang Schweer
Hi Mark, hi Andrei,

[ Andrei POPESCU, 2021-02-14 ]
> Control: reassign -1 debian-edu-config
> 
> On Du, 14 feb 21, 08:21:21, Mark Richards wrote:
> > package: debian-edu-{config}
> > severity: {normal}
> > version: {buster,latest with all updates}
> > 
> > I've got Debian Edu (Debian 10) setup with a main server, a thin client and
> > a few users connecting successfully. I've also setup Thunderbird as per the
> > instructions here:
> > https://wiki.debian.org/DebianEdu/Documentation/Buster/HowTo/Users#Using_email
> > but although I get the welcome e-mail, I cannot send. When I try to send, I
> > get the error: "The Kerberos/GSSAPI ticket was not accepted by the Outgoing
> > server (SMTP) postoffice.intern. Please check that you are logged in to the
> > Kerberos/GSSAPI realm.
[..]
> Reassigning to correct package.

This is a known issue. The Debian Edu status page contains instructions 
how to fix it, see:

https://wiki.debian.org/DebianEdu/Status/Buster#Known_problems_that_can_be_fixed_locally

Please consider bookmarking the status page. The page will be updated if 
needed.

Wolfgang


signature.asc
Description: PGP signature


Bug#982473: debian-installer-netboot-images: Please provide the d-i-n-i packages a bit earlier before a release

2021-02-10 Thread Wolfgang Schweer
Bonsoir Cyril,

[ Cyril Brulebois, 2021-02-10 ]
> Feel free to prepare/upload those packages, I see no reasons why you 
> couldn't do that yourself if that's something you rely on. :)

I'll then fork
https://salsa.debian.org/installer-team/debian-installer-netboot-images
and try to prepare a merge request. Might take some time.

Wolfgang


signature.asc
Description: PGP signature


Bug#982448: debian-edu-config: Unable to upgrade

2021-02-10 Thread Wolfgang Schweer
[ nicolas.patr...@gmail.com, 2021-02-10 ]
> > /etc/debian-edu/config
> 
> This file is empty.

Then this is causing the upgrade failure. The postinst script should 
check the file content.
Thanks again for reporting the issue and giving feedback.
 
Wolfgang


signature.asc
Description: PGP signature


Bug#982473: debian-installer-netboot-images: Please provide the d-i-n-i packages a bit earlier before a release

2021-02-10 Thread Wolfgang Schweer
Source: debian-installer-netboot-images
Severity: wishlist
User: debian-...@lists.debian.org
Usertags: debian-edu

Dear Maintainer,

Debian Edu aims to provide a complete network setup including the capability
for PXE installations. During development, the required netboot tarballs are
fetched from
deb.debian.org/debian/dists/testing/main/installer-$arch/current/images/netboot/
until they are available via the d-i-n-i packages.

Debian Edu also aims to provide a BD ISO image (both archs amd64 and i386)
containing all needed packages to allow offline installations. These images also
need to be tested before a release.

So it would help us a lot if the Debian Installer netboot images could be made
available a bit earlier before a release - maybe at soft freeze time.

Wolfgang



Bug#982448: debian-edu-config: Unable to upgrade

2021-02-10 Thread Wolfgang Schweer
Hi Nicolas,

[ Nicolas Patrois, 2021-02-10 ]
> Package: debian-edu-config
> Version: 2.11.48
> Severity: normal
> 
> Dear Maintainer,
> 
> The upgrade process is broken because there seems to be a bug in a script. sed
> is not recognized… but it exists indeed in my machine.
> 
> Paramétrage de debian-edu-config (2.11.48) ...
> sed: impossible de lire sed: Aucun fichier ou dossier de ce type
> sed: impossible de lire /iface eth0 inet dhcp/a \post-up
> \/usr\/sbin\/update-hostname-from-ip: Aucun fichier ou dossier de ce type
> 
> That means:
> Impossible to read sed, no such file or directory.
> Maybe the script has a wrong shebang.

Thanks for your report. Upgrading the package had been tested before the 
upload to unstable (on arch: amd64).

> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)

I've now installed Debian Edu, profile 'Workstation' on a 32-bit virtual 
machine inside a virtual Debian Edu network using 
debian-edu-testing-i386-netinst.iso (dated 2021-02-01), see: 
http://get.debian.org/cdimage/weekly-builds/i386/iso-cd/debian-edu-testing-i386-netinst.iso
 
to exclude possible arch specific reasons.

Upgrading the debian-edu-config package from testing --> sid works like 
expected, no error reported. Also, running 'apt full-upgrade' causes 
no errors.

Could it be that you are using a somehow modified system?

> Kernel: Linux 5.7.0-1-686-pae (SMP w/3 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
> TAINT_UNSIGNED_MODULE

^ This seems to be a bit strange. Is it a self compiled kernel?

> pn  resolvconf 

^ By default, resolvconf is installed.

> -- Configuration Files:
> /etc/sssd/sssd-debian-edu.conf [Errno 13] Permission non accordée:
> '/etc/sssd/sssd-debian-edu.conf'
> /etc/wicd/scripts/preconnect/set_wireless_mac_from_eth0 [Errno 2] Aucun 
> fichier
> ou dossier de ce type:
> '/etc/wicd/scripts/preconnect/set_wireless_mac_from_eth0'
 
^ These seem to be strange as well. Any modification / file removal? 

If possible, please also report the content of both these files:
/etc/network/interfaces
/etc/debian-edu/config

Wolfgang


signature.asc
Description: PGP signature


Bug#980491: [pre-approval] buster-pu: package debian-edu-config/2.10.65+deb10u7

2021-01-19 Thread Wolfgang Schweer
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Debian Buster Release Team,

the Debian Edu team would like to get a fix for bug #935080 into Buster. 
This bug has already been fixed in testing and has proven to work in a
real world deployment. Actually, the fix stems from there.

The reason for the change is present in the changelog:

 share/debian-edu-config/tools/clean-up-host-keytabs: Add script.
 Move host keytabs cleanup code out of gosa-modify-host into a standalone
 script, but still call it from there (for now). Major script improvement:
 Reduce LDAP calls to a single ldapsearch query which greatly improves the
 execution speed of the code. (Closes: #935080).

Full source debdiff attached.

Wolfgang
(on behalf of the Debian Edu team)


debdiff.gz
Description: application/gzip


signature.asc
Description: PGP signature


Bug#977604: smarty3: broken internal parsetree code

2020-12-29 Thread Wolfgang Schweer
[ Mike Gabriel, 2020-12-29 ]
> What is the origin of this patch. Are you the author? How did you get to
> that solution?

Maybe I should have been more verbose.

It isn't a solution and not a patch. These are the changes done to 
smarty_internal_templatecompilerbase.php since the last release, please 
take a look at the timestamps:

diff -u a/smarty_internal_templatecompilerbase.php 
b/smarty_internal_templatecompilerbase.php
--- a/smarty_internal_templatecompilerbase.php  2018-08-31 00:00:00.0 
+0200
+++ b/smarty_internal_templatecompilerbase.php  2020-04-14 00:00:00.0 
+0200

According to the file's upstream history, the diff is due to the last 
two commits concerning smarty_internal_templatecompilerbase.php (which 
is now causing the GOsa and slbackup-php issues).

Maybe these fixes (for other issues) broke code shipped with GOsa and 
slbackup-php, maybe both the GOsa and slbackup-php code is outdated.

I just wanted to point to something to investigate further...

No idea how to fix it.

Wolfgang



signature.asc
Description: PGP signature


Bug#977604: smarty3: broken internal parsetree code

2020-12-29 Thread Wolfgang Schweer
Moin Mike,

[ Mike Gabriel, 2020-12-18 ]
> I looked into this today and failed to get the issue fixed.
> 
> I tried updating smarty-lexer to upstream's Git master and rebuilt smarty3
> 3.1.36. Without success...
> 
> So, I filed an upstream report on this and hope for feedback from Uwe...
> https://github.com/smarty-php/smarty/issues/621

This might rather be an issue concerning oldish code in GOsa and 
slbackup-php than a Smarty bug. At least it seems to be unrelated to
internal parsetree code...

After digging into this a bit (w/o having a real clue about PHP and 
Smarty), I noticed that it is sufficient to replace one file to make 
both Gosa and slbackup-php work; see the comment about variables prior 
to PHP 5.5:

diff -u a/smarty_internal_templatecompilerbase.php 
b/smarty_internal_templatecompilerbase.php
--- a/smarty_internal_templatecompilerbase.php  2018-08-31 00:00:00.0 
+0200
+++ b/smarty_internal_templatecompilerbase.php  2020-04-14 00:00:00.0 
+0200
@@ -621,22 +621,18 @@
 || strcasecmp($name, 'array') === 0 || is_callable($name)
 ) {
 $func_name = strtolower($name);
-$par = implode(',', $parameter);
-$parHasFuction = strpos($par, '(') !== false;
+
 if ($func_name === 'isset') {
 if (count($parameter) === 0) {
 $this->trigger_template_error('Illegal number of 
parameter in "isset()"');
 }
-if ($parHasFuction) {
-$pa = array();
-foreach ($parameter as $p) {
-$pa[] = (strpos($p, '(') === false) ? ('isset(' . 
$p . ')') : ('(' . $p . ' !== null )');
-}
-return '(' . implode(' && ', $pa) . ')';
-} else {
-$isset_par = str_replace("')->value", 
"',null,true,false)->value", $par);
-}
-return $name . '(' . $isset_par . ')';
+
+   $pa = array();
+   foreach ($parameter as $p) {
+   $pa[] = $this->syntaxMatchesVariable($p) ? 
'isset(' . $p . ')' : '(' . $p . ' !== null )';
+   }
+   return '(' . implode(' && ', $pa) . ')';
+
 } elseif (in_array(
 $func_name,
 array(
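Review bot: The removed non-function branch rewrote `')->value` to `',null,true,false)->value` before wrapping the parameters in isset(); the new loop passes each $p to isset() unchanged, so that rewrite no longer happens for plain template variables. If templates depended on it, isset() on an unassigned variable may now behave differently, which is worth checking against the GOsa and slbackup-php templates. The added lines are also tab-indented while the surrounding code uses spaces.
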
@@ -653,7 +649,7 @@
 $this->trigger_template_error("Illegal number of 
parameter in '{$func_name()}'");
 }
 if ($func_name === 'empty') {
-if ($parHasFuction && version_compare(PHP_VERSION, 
'5.5.0', '<')) {
+if (!$this->syntaxMatchesVariable($parameter[0]) && 
version_compare(PHP_VERSION, '5.5.0', '<')) {
 return '(' . $parameter[ 0 ] . ' === false )';
 } else {
 return $func_name . '(' .
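Review bot: The new `!$this->syntaxMatchesVariable($parameter[0])` test is still combined with `version_compare(PHP_VERSION, '5.5.0', '<')`, so on PHP 5.5 or later this branch is never taken and the change has no effect there. That narrows the search for the GOsa and slbackup-php breakage on a current PHP to the other hunks of this diff.
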
@@ -671,74 +667,82 @@
 }
 }
 
+   /**
+* Determines whether the passed string represents a valid (PHP) 
variable.
+* This is important, because `isset()` only works on variables and 
`empty()` can only be passed
+* a variable prior to php5.5
+* @param $string
+* @return bool
+*/
+   private function syntaxMatchesVariable($string) {
+   static $regex_pattern = 
'/^\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*((->)[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\[.*]*\])*$/';
+   return 1 === preg_match($regex_pattern, trim($string));
+}
+
 /**
- * This method is called from parser to process a text content section
+ * This method is called from parser to process a text content section if 
strip is enabled
  * - remove text from inheritance child templates as they may generate 
output
- * - strip text if strip is enabled
  *
  * @param string $text
  *
- * @return null|\Smarty_Internal_ParseTree_Text
+ * @return string
  */
 public function processText($text)
 {
-if ((string)$text != '') {
-$store = array();
-$_store = 0;
-if ($this->parser->strip) {
-if (strpos($text, '<') !== false) {
-// capture html elements not to be messed with
-$_offset = 0;
-if (preg_match_all(
-
'#(]*>.*?]*>)|(]*>.*?]*>)|(]*>.*?]*>)#is',
-$text,
-$matches,
-PREG_OFFSET_CAPTURE | PREG_SET_ORDER
-)
-) {
-foreach ($matches as $match) {
-$store[] = $match[ 0 ][ 0 ];
-$_length = strlen($match[ 0 ][ 0 ]);
-$replace = '@!@SMARTY:' . $_store . ':SMARTY@!@';
-  
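Review bot: The processText() docblock changes @return from null|\Smarty_Internal_ParseTree_Text to string, which lines up with the fatal error in the original report of this bug, where append_subtree() requires a Smarty_Internal_ParseTree instance and is given a string. The caller in smarty_internal_templateparser.php is therefore the place to compare against this file's version. Separately, the bracket part of the new syntaxMatchesVariable() pattern, `\[.*]*\]`, is greedy and accepts anything between the first '[' and the last ']', so a string such as `$a[1] + $b[2]` is classified as a variable and would be wrapped in isset().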

Bug#977198: cups service should start after nslcd service

2020-12-18 Thread Wolfgang Schweer
[ Didier 'OdyX' Raboud, 2020-12-18 ]
> Ah nice.  Note that there's a typo (networ.service), and that an 
> override doesn't need to copy all the lines from the original file.

corrected now, see:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/506ad6088ae36e68611c9893557be3d3db814169

Merci bien,

Wolfgang


signature.asc
Description: PGP signature


Bug#977198: cups service should start after nslcd service

2020-12-18 Thread Wolfgang Schweer
Hi Didier,

[ Didier 'OdyX' Raboud, 2020-12-18 ]
> Therefore, instead of patching CUPS for each-and-every user authentication/
> provisioning service, could Debian Edu provide a systemd override file 
> instead?

Yes, that has already been done, see:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/665390a69a5e641a83da7225e6b5f62617320ce9
 
> I have pushed this patch proposal to the (new) upstream:
> 
> https://github.com/OpenPrinting/cups/pull/69
> 
> Of course, if upstream accepts this, I'll backport and upload to Debian.

Thanks a lot for caring,

Wolfgang




Bug#977604: smarty3: broken internal parsetree code

2020-12-17 Thread Wolfgang Schweer
Package: smarty3
Version: 3.1.36-1
Severity: critical
Justification: breaks unrelated software
User: debian-...@lists.debian.org
Usertags: debian-edu

Hi,

after an upgrade to this version the GOsa² web interface is unusable.
Calling the related URL shows this error:

Fatal error: Uncaught TypeError: Argument 2 passed to
 Smarty_Internal_ParseTree_Template::append_subtree() must be an instance of
 Smarty_Internal_ParseTree, string given, called in
 /usr/share/php/smarty3/sysplugins/smarty_internal_templateparser.php
 on line 2065 and defined in 
 /usr/share/php/smarty3/sysplugins/smarty_internal_parsetree_template.php:41
 
 Stack trace:
 #0
 /usr/share/php/smarty3/sysplugins/smarty_internal_templateparser.php(2065):
 Smarty_Internal_ParseTree_Template->append_subtree() 
 #1
 /usr/share/php/smarty3/sysplugins/smarty_internal_templateparser.php(2799):
 Smarty_Internal_Templateparser->yy_r2() 
 #2
 /usr/share/php/smarty3/sysplugins/smarty_internal_templateparser.php(2894):
 Smarty_Internal_Templateparser->yy_reduce() 
 #3
 
/usr/share/php/smarty3/sysplugins/smarty_internal_smartytemplatecompiler.php(128):
 Smarty_Internal_Templateparser->doParse() 
 #4
 
/usr/share/php/smarty3/sysplugins/smarty_internal_templatecompilerbase.php(481):
 Smarty_Internal_SmartyTemplateCompiler->doCompile() 
 #5
  /usr/share/php/smarty3/sysplu in 
 /usr/share/php/smarty3/sysplugins/smarty_internal_parsetree_template.php
 on line 41
 
Downgrading to the previous version makes the error go away, GOsa² is usable.
So this seems to be most probably an issue due to smarty 3.1.36-1.

Wolfgang




Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

2020-12-16 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2020-12-16 ]
> After reading man 5 sssd.conf, some other cleanup should be done:
> - remove obsolete / wrong settings
> - drop default settings
> 
> About to test the changes...

Revised sssd-generate-config script tested both inside Debian Edu 
network and outside. Works like it should.

This is the diff:

diff --git a/share/debian-edu-config/tools/sssd-generate-config 
b/share/debian-edu-config/tools/sssd-generate-config
index 031c77a1..1af98791 100755
--- a/share/debian-edu-config/tools/sssd-generate-config
+++ b/share/debian-edu-config/tools/sssd-generate-config
@@ -109,20 +109,11 @@ cat <



Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

2020-12-16 Thread Wolfgang Schweer
Moin Mike,

[ Mike Gabriel, 2020-12-16 ]
> It seems the simplest fix for d-e-c would be to adapt sssd-generate-config
> in /usr/share/d-e-c/tools/.

yes.
 
> It is sufficient to omit the "services = pam, nss, autofs" line from
> /etc/sssd/sssd.conf.

yes.
 
After reading man 5 sssd.conf, some other cleanup should be done:
- remove obsolete / wrong settings
- drop default settings

About to test the changes...

Wolfgang




Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

2020-12-15 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2020-12-16 ]
> I'm just wondering if this is a Debian Edu specific bug at all. If 
> /usr/share/sssd/generate-config is used to generate sssd.conf, the same 
> messages are showing up upon reboot.

Maybe the shipped script is outdated.

After reading the logs twice, I noticed that maybe the only change 
needed is to comment the services line in /etc/sssd/sssd.conf.

It seems that sssd switched to socket activation as default to reduce 
the amount of running services. (And services = x, y, z means that these 
services are running permanently, see the 'systemctl status sssd' output 
before and after commenting the services line).

Also, see the information below /var/lib/sss/, e.g. pipes.

Please test

Wolfgang
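
The conflict described in this thread, as an added example that is not part of the original messages or of Debian Edu's scripts: a shell check that reads the services line from the [sssd] section of sssd.conf and reports every responder that is also socket-activated. The sample sssd.conf and the list of enabled socket units are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect sssd responders that are listed in sssd.conf and
# are socket-activated as well. Function names are hypothetical.

# Print the responders named on the "services" line of the [sssd] section,
# one per line. Commented-out lines and other sections are ignored.
sssd_listed_responders() {
    awk '
        /^[ \t]*\[/ {
            in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/)
            next
        }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }
    ' "$1"
}

# Print each responder that is both listed in the config file ($1) and has an
# enabled socket unit among the remaining arguments. On a live system the unit
# names could be taken from the first column of:
#   systemctl list-unit-files --no-legend --state=enabled 'sssd-*.socket'
sssd_socket_conflicts() {
    conf_file=$1
    shift
    for responder in $(sssd_listed_responders "$conf_file"); do
        for unit in "$@"; do
            case $unit in
                "sssd-$responder.socket" | "sssd-$responder-priv.socket")
                    echo "$responder"
                    break
                    ;;
            esac
        done
    done
}

# Run the check on a constructed sssd.conf and a constructed unit list.
demo_conflicts() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample, modelled on the services line quoted in the thread
[sssd]
services = pam, nss, autofs
domains = intern

[domain/intern]
id_provider = ldap
EOF
    sssd_socket_conflicts "$sample" \
        sssd-nss.socket sssd-pam.socket sssd-pam-priv.socket
    rm -f "$sample"
}

demo_conflicts
```

Each name printed corresponds to one "Misconfiguration found for the ... responder" journal message of the kind quoted in this thread; commenting out the services line makes the list empty.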




Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

2020-12-15 Thread Wolfgang Schweer
Hi Mike,

I'm just wondering if this is a Debian Edu specific bug at all. If 
/usr/share/sssd/generate-config is used to generate sssd.conf, the same 
messages are showing up upon reboot.

/usr/share/sssd/generate-config > /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
reboot

Wolfgang




Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

2020-12-15 Thread Wolfgang Schweer
[ Mike Gabriel, 2020-12-15 ]
> You should see those bugs, when hitting ESC during the boot splash. If you
> don't have them, it would be interesting to analyze the difference between a
> fresh install and my systems (fresh installs in August 2020, upgraded
> today).

ok, confirmed.
 
> Btw., I run the test machines off-site (that is: without TJENER being
> around). (But that should not trigger the socket listeners' startup errors,
> they should also occur on-site).

yes, they do.

I guess your proposed solution 2 could be the right one - at least 
that's my conclusion from the output (see below)

Wolfgang


░░ Subject: A start job for unit sssd-nss.socket has begun execution
░░ A start job for unit sssd-nss.socket has begun execution.
░░ Subject: A start job for unit sssd-pam-priv.socket has begun execution
░░ A start job for unit sssd-pam-priv.socket has begun execution.
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[572]: (2020-12-15 23:41:09:157321): 
[sssd] [main] (0x0010): Misconfiguration found for the nss responder.
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[572]: The nss responder has been 
configured to be socket-activated but it's still mentioned in the services' 
line in /etc/sssd/sssd.conf.
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[572]: Please, consider either adjusting 
your services' line in /etc/sssd/sssd.conf or disabling the nss's socket by 
calling:
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[572]: "systemctl disable sssd-nss.socket"
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[573]: (2020-12-15 23:41:09:162260): 
[sssd] [main] (0x0010): Misconfiguration found for the pam responder.
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[573]: The pam responder has been 
configured to be socket-activated but it's still mentioned in the services' 
line in /etc/sssd/sssd.conf.
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[573]: Please, consider either adjusting 
your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by 
calling:
Dez 15 23:41:09 am-080027a69b7b.intern 
sssd_check_socket_activated_responders[573]: "systemctl disable sssd-pam.socket"
Dez 15 23:41:09 am-080027a69b7b.intern systemd[1]: sssd-nss.socket: Control 
process exited, code=exited, status=17/n/a




Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

2020-12-15 Thread Wolfgang Schweer
A more complete output:

● sssd.service - System Security Services Daemon
 Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: 
enabled)
 Active: active (running) since Tue 2020-12-15 23:09:26 CET; 15s ago
   Main PID: 443 (sssd)
  Tasks: 5 (limit: 1125)
 Memory: 45.1M
 CGroup: /system.slice/sssd.service
 ├─443 /usr/sbin/sssd -i --logger=files
 ├─512 /usr/libexec/sssd/sssd_be --domain intern --uid 0 --gid 0 
--logger=files
 ├─537 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
 ├─538 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
 └─539 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0 --logger=files

Dez 15 23:09:24 am-080027a69b7b.intern systemd[1]: Starting System Security 
Services Daemon...
Dez 15 23:09:25 am-080027a69b7b.intern sssd[443]: Starting up
Dez 15 23:09:25 am-080027a69b7b.intern be[intern][512]: Starting up
Dez 15 23:09:25 am-080027a69b7b.intern be[intern][512]: Your 
configuration uses the autofs provider with schema set to rfc2307 and 
default attribute mappings. The default map has changed in this release, 
please make sure the configuration matches the server attributes.
Dez 15 23:09:25 am-080027a69b7b.intern autofs[539]: Starting up
Dez 15 23:09:25 am-080027a69b7b.intern nss[537]: Starting up
Dez 15 23:09:25 am-080027a69b7b.intern pam[538]: Starting up
Dez 15 23:09:26 am-080027a69b7b.intern systemd[1]: Started System Security 
Services Daemon.
Dez 15 23:09:26 am-080027a69b7b.intern nss[537]: Enumeration requested but not 
enabled


Wolfgang




Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

2020-12-15 Thread Wolfgang Schweer
Moin Mike,

[ Mike Gabriel, 2020-12-15 ]
> On Roaming Workstation, the /etc/sssd/sssd-debian-edu.conf causes error
> messages during boot:

I'm unable to reproduce the sssd issue (running a Bullseye roaming 
workstation against a Bullseye main server, both fresh installations):

sssd.service - System Security Services Daemon
 Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: 
enabled)
 Active: active (running) since Tue 2020-12-15 22:20:44 CET; 17min ago
   Main PID: 445 (sssd)
  Tasks: 5 (limit: 1125)
 Memory: 12.3M
 CGroup: /system.slice/sssd.service
 ├─445 /usr/sbin/sssd -i --logger=files
 ├─515 /usr/libexec/sssd/sssd_be --domain intern --uid 0 --gid 0 
--logger=files
 ├─542 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
 ├─543 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
 └─544 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0 --logger=files

Wolfgang




Bug#977198: cups service should start after nslcd service

2020-12-12 Thread Wolfgang Schweer
Package: cups
Version: 2.3.3op1-3
Severity: normal
Tags: patch
User: debian-...@lists.debian.org
Usertags: debian-edu

Dear Maintainer,

while working on Debian Edu 11 Bullseye, I noticed the cups service 
failing randomly after rebooting the system:

● cups.service - CUPS Scheduler
 Loaded: loaded (/lib/systemd/system/cups.service; enabled; vendor preset: 
enabled)
 Active: failed (Result: exit-code) since Sat 2020-12-12 10:25:50 CET; 3min 
46s ago
TriggeredBy: ● cups.path
 ● cups.socket
   Docs: man:cupsd(8)
Process: 1201 ExecStart=/usr/sbin/cupsd -l (code=exited, status=1/FAILURE)
   Main PID: 1201 (code=exited, status=1/FAILURE)

Dez 12 10:25:50 tjener.intern systemd[1]: Failed to start CUPS Scheduler.
Dez 12 10:25:50 tjener.intern systemd[1]: cups.service: Scheduled restart job, 
restart counter is at 5.
Dez 12 10:25:50 tjener.intern systemd[1]: Stopped CUPS Scheduler.
Dez 12 10:25:50 tjener.intern systemd[1]: cups.service: Start request repeated 
too quickly.
Dez 12 10:25:50 tjener.intern systemd[1]: cups.service: Failed with result 
'exit-code'.
Dez 12 10:25:50 tjener.intern systemd[1]: Failed to start CUPS Scheduler.

Debian Edu uses an LDAP group printer-admins in cups-files.conf like so:

SystemGroup lpadmin printer-admins

Please note that Debian Edu uses nslcd.

After adding the nslcd.service (in addition to sssd.service and 
ypbind.service) to the cups.service unit file, things work like 
expected, this is the proposed change:

diff --git a/scheduler/cups.service.in b/scheduler/cups.service.in
index 9e70b2973..a3fa0e83f 100644
--- a/scheduler/cups.service.in
+++ b/scheduler/cups.service.in
@@ -1,7 +1,7 @@
 [Unit]
 Description=CUPS Scheduler
 Documentation=man:cupsd(8)
-After=network.target sssd.service ypbind.service
+After=network.target sssd.service ypbind.service nslcd.service
 Requires=cups.socket
 
 [Service]
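
Review bot: The After= line now names three name-service daemons one by one (sssd, ypbind, nslcd), and the next directory client will need the same edit again. systemd provides nss-user-lookup.target as the synchronization point for user and group lookups; ordering cups.service after that target would cover all of them, provided each daemon orders itself before it. The commit message should also say that After= only orders and does not pull nslcd.service in, so hosts without nslcd are unaffected.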

Please check if the change could be accepted.

Wolfgang




Bug#973514: debian-edu-doc-legacy-fr: Package description not too clear, possible copy-paste error

2020-11-01 Thread Wolfgang Schweer
Hi Beatrice,

[ Beatrice Torracca, 2020-11-01 ]
> in the recently appeared package description a snippet saying "Though
> outdated, still useful in parts." has been inserted in all
> debian-edu-doc-legacy-* packages.
> 
> In the case of debian-edu-doc-legacy-fr, the snippet has been added at
> the end of the second paragraph where it talks about the Debian Edu
> Pure Blend, rather than at the end of the first paragraph where it
> talks about the manuals inside the package.

Thanks for noticing. Indeed, a copy-paste error.

About to fix it.

Regards,
Wolfgang




Bug#971767: debian-edu-config: Wrong certificate path in Firefox's policies.json file

2020-10-08 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2020-10-08 ]
> On  Mi 07 Okt 2020 10:56:08 CEST, Wolfgang Schweer wrote:
> > I'm just wondering why this failed in your use case.
> 
> I extracted the below test command line from the fetch-rootca-cert script
> (lines 33ff.):
> 
> ```
> root@tjener:~# https_proxy= curl -fk
> https://www.intern/Debian-Edu_rootCA.crt 1> /tmp/1 | tee /tmp/2 2>/dev/null
> 
>   % Total% Received % Xferd  Average Speed   TimeTime Time
> Current
>  Dload  Upload   Total   SpentLeft  Speed
> 100  1395  100  13950 0  91553  0 --:--:-- --:--:-- --:--:-- 93000
> 
> root@tjener:~# cat /tmp/1
> -BEGIN CERTIFICATE-
> MIID2jCCAsICCQCZfn9CcXwnQTANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMC
> Tk8xDzANBgNVBAgMBkludGVybjEbMBkGA1UEBwwSRGViaWFuIEVkdSBOZXR3b3Jr
> MRMwEQYDVQQKDApEZWJpYW4gRWR1MRowGAYDVQQLDBFEZWJpYW4gRWR1IFJvb3RD
> QTETMBEGA1UEAwwKd3d3LmludGVybjErMCkGCSqGSIb3DQEJARYccG9zdG1hc3Rl
> ckBwb3N0b2ZmaWNlLmludGVybjAeFw0yMDEwMDYxOTM4MjRaFw0zMDEwMDQxOTM4
> MjRaMIGuMQswCQYDVQQGEwJOTzEPMA0GA1UECAwGSW50ZXJuMRswGQYDVQQHDBJE
> ZWJpYW4gRWR1IE5ldHdvcmsxEzARBgNVBAoMCkRlYmlhbiBFZHUxGjAYBgNVBAsM
> EURlYmlhbiBFZHUgUm9vdENBMRMwEQYDVQQDDAp3d3cuaW50ZXJuMSswKQYJKoZI
> hvcNAQkBFhxwb3N0bWFzdGVyQHBvc3RvZmZpY2UuaW50ZXJuMIIBIjANBgkqhkiG
> 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyJ89uVEX+RG8Acu6y/7xgyhYICk9/6OrZM2i
> URg1dMVs6fs0gSkNeAKm7TqkoEhGJPctVTCnBvDiezbS0zHfDg5NOBwielT1m7i3
> G/iN9nVM/G/rbu4nUrpyHyfxWIBqoSyK6r3JExPFMDPYkliM+k6+2ENYlZ0Fz9KA
> SAr15VyWD33lx0f83t0v8xyqIUqyonlwwt6vQSUyOnVxJG8li031QWZx5L/UwAv2
> YgIdXMtDSKfD45HjQcCc+0XNPcYkj596UfJgSo7EHUfZy3HdVkh0VF4YNR06vjr4
> ICFw6i6rDqzXZrdwrplX+Ez4vUkY2pqVNbBlHqBrypVMvJkWNQIDAQABMA0GCSqG
> SIb3DQEBCwUAA4IBAQA7Zt+QczzwNnO4Q2Rcs3GWKXfoSV/RXPrtm62Iik3rWFKJ
> PJSfXMh+4lQphMXGGJKH84o/dsbb3L5B2DLfydCTJHtVPyM7iP1PFq7OfwcltRVW
> zB/NgBZHwBt5CFnR3xFxhegwvDgS/JZ4tLeNRvHH5EeJ6P02EzkndmPtoi7o4DXe
> U97eoCQolVZVTj34kFrJv9+lUCJ1jTq05Bik3poa2b6rTG/mwD26EZjPqlLEWaY4
> VoDO43gdc5R1gbjwZi6OvGztGjbF094bkTDvgMMVf4P+Gz37k7HXNbPPICDtiAN1
> DbfMm/oz6llchMkC0vj/uEGNbrmquPx34oq3Oi4f
> -END CERTIFICATE-
> 
> root@tjener:~# cat /tmp/2
> 
> root@tjener:~#
> ```
> 
> As you see /tmp/1 has the file content while /tmp/2 does not.
 
Hm, while I'm able to reproduce this, I can't reproduce the issue you 
reported. On Bullseye everything works like expected...

Anyway, I've tried to amend the script and committed the change. Please 
check and test.

Wolfgang




Bug#971780: debian-edu-config: adapt fetch-ldap-cert and fetch-rootca-cert

2020-10-07 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2020-10-07 ]
> IMHO, fetch-ldap-cert should not try to download the Debian-Edu_rootCA.crt
> anymore as that's handled by fetch-rootca-cert. The fetch-ldap-cert script
> should only handle situations where a Debian Edu client runs against a
> TJENER from stretch (or earlier) or buster 10.0.
> 
> Comments on that?
 
Yes, it has only been kept for the purpose of older main servers, please 
fix the script.

Wolfgang




Bug#971767: debian-edu-config: Wrong certificate path in Firefox's policies.json file

2020-10-07 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2020-10-06 ]
> I am currently facing myself with Debian Edu testing/bullseye notebooks
> running against a Debian Edu TJENER based on stretch.
> 
> I am currently adding the Debian Edu PKI as we have them in buster +
> bullseye (rootCA and all that) to the stretch TJENER.
> 
> When doing this, I stumbled over this:
> 
> {
>   "policies": {
> "Certificates": {
>   "ImportEnterpriseRoots": true,
>   "Install": [
> "/etc/ssl/certs/Debian-Edu_rootCA.crt"
>   ]
> },
> "NewTabPage": false,
> "OverrideFirstRunPage": ""
>   }
> }
> 
> However, if I look into /etc/ssl/certs, I only see Debian-Edu_rootCA.pem.

ATM, I don't have a proper test environment. IIRC, 
/etc/ssl/certs/Debian-Edu_rootCA.crt should actually exist (see tee 
command in /etc/init.d/fetch-root-ca-cert).

I'm just wondering why this failed in your use case.

Wolfgang




Bug#967194: pam-python/libpam-mklocaluser/debian-edu-config python3 migration.

2020-10-04 Thread Wolfgang Schweer
[ Mike Gabriel, 2020-09-23 ]
> Am Samstag, 19. September 2020 schrieb peter green:
> > What needs to happen long-term is for pam-python to move to python 
> > 3. I suspect this will involve renaming the binary package and 
> > adjusting the reverse dependencies to depend on the new binary 
> > package and use python 3 compatible code.
>
> I was pretty sure that pam-python.so and mklocaluser already operate 
> on Python3. This mail makes me unsure about this, now.

libpam-mklocaluser depends on libpam-python (which depends on 
libpython2.7).

Also, debian-edu-config depends on libpam-python; reason (from 
d-e-c/debian/changelog):
Add PAM module to reject Kerberos password changes and point users
to the Gosa web page instead to try to keep the password databases
in sync (Closes: 704461).  Depend on libpam-python for this.

This d-e-c dependency is now also causing the failure of autopkgtest for 
debian-edu/2.11.22, see:
https://ci.debian.net/data/autopkgtest/testing/amd64/d/debian-edu/7292037/log.gz

Wolfgang




Bug#971275: isc-dhcp-server-ldap: fails to activate the service

2020-09-28 Thread Wolfgang Schweer
Package: isc-dhcp-server-ldap
Version: 4.4.1-2.1+b2
Severity: important
User: debian-...@lists.debian.org
Usertags: debian-edu

Dear Maintainer,

while working on Debian Edu Bullseye, I noticed that the DHCP service 
stopped working after upgrading the system.

Reason seems to be that the init script timed out, maybe 
/etc/default/isc-dhcp-server could not be sourced:

root@tjener:~# service isc-dhcp-server status
* isc-dhcp-server.service - LSB: DHCP server
 Loaded: loaded (/etc/init.d/isc-dhcp-server; generated)
 Active: activating (start) since Mon 2020-09-28 18:24:25 CEST; 2min 36s ago
   Docs: man:systemd-sysv-generator(8)
Cntrl PID: 1280 (isc-dhcp-server)
  Tasks: 8 (limit: 4671)
 Memory: 17.6M
 CGroup: /system.slice/isc-dhcp-server.service
 |-1280 /bin/sh /etc/init.d/isc-dhcp-server start
 `-1310 /usr/sbin/dhcpd -t -4 -q -cf /etc/dhcp/dhcpd.conf

Sep 28 18:24:25 tjener.intern systemd[1]: Starting LSB: DHCP server...
Sep 28 18:24:26 tjener.intern isc-dhcp-server[1280]: Launching IPv4 server only.

The installed version:

root@tjener:~# dpkg -l isc-dhcp-server-ldap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version  Architecture Description
+++----=
ii  isc-dhcp-server-ldap 4.4.1-2.1+b2 amd64DHCP server that uses LDAP 
as its backend

I was wondering if downgrading to the Buster version would help:

root@tjener:~# apt install isc-dhcp-server-ldap/buster
Reading package lists... Done
Building dependency tree   
Reading state information... Done
Selected version '4.4.1-2' (Debian:10.6/stable [amd64]) for 
'isc-dhcp-server-ldap'
Selected version '4.4.1-2' (Debian:10.6/stable [amd64]) for 'isc-dhcp-server' 
because of 'isc-dhcp-server-ldap'
The following additional packages will be installed:
  isc-dhcp-server
Suggested packages:
  policykit-1
The following packages will be DOWNGRADED:
  isc-dhcp-server isc-dhcp-server-ldap
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded.
Need to get 994 kB of archives.
After this operation, 22.5 kB disk space will be freed.
Do you want to continue? [Y/n] 
Get:1 http://ftp.debian.org/debian buster/main amd64 isc-dhcp-server-ldap amd64 
4.4.1-2 [446 kB]
Get:2 http://ftp.debian.org/debian buster/main amd64 isc-dhcp-server amd64 
4.4.1-2 [548 kB]
Fetched 994 kB in 0s (7729 kB/s) 
Preconfiguring packages ...
dpkg: warning: downgrading isc-dhcp-server-ldap from 4.4.1-2.1+b2 to 4.4.1-2
(Reading database ... 259124 files and directories currently installed.)
Preparing to unpack .../isc-dhcp-server-ldap_4.4.1-2_amd64.deb ...
Unpacking isc-dhcp-server-ldap (4.4.1-2) over (4.4.1-2.1+b2) ...
dpkg: warning: downgrading isc-dhcp-server from 4.4.1-2.1+b2 to 4.4.1-2
Preparing to unpack .../isc-dhcp-server_4.4.1-2_amd64.deb ...
invoke-rc.d: policy-rc.d denied execution of stop.
Unpacking isc-dhcp-server (4.4.1-2) over (4.4.1-2.1+b2) ...
Setting up isc-dhcp-server (4.4.1-2) ...
invoke-rc.d: policy-rc.d denied execution of start.
Setting up isc-dhcp-server-ldap (4.4.1-2) ...
Processing triggers for systemd (246.6-1) ...
Processing triggers for man-db (2.9.3-2) ...

It did so (process 1310 stems from the Bullseye version): 

root@tjener:~# service isc-dhcp-server stop  
root@tjener:~# service isc-dhcp-server start
root@tjener:~# service isc-dhcp-server status
* isc-dhcp-server.service - LSB: DHCP server
 Loaded: loaded (/etc/init.d/isc-dhcp-server; generated)
 Active: active (running) since Mon 2020-09-28 18:27:57 CEST; 4s ago
   Docs: man:systemd-sysv-generator(8)
Process: 3264 ExecStart=/etc/init.d/isc-dhcp-server start (code=exited, 
status=0/SUCCESS)
  Tasks: 8 (limit: 4671)
 Memory: 27.4M
 CGroup: /system.slice/isc-dhcp-server.service
 |-1310 /usr/sbin/dhcpd -t -4 -q -cf /etc/dhcp/dhcpd.conf
 `-3277 /usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf eth0 eth1

Sep 28 18:27:55 tjener.intern systemd[1]: Starting LSB: DHCP server...
Sep 28 18:27:55 tjener.intern isc-dhcp-server[3264]: Launching IPv4 server only.
Sep 28 18:27:55 tjener.intern dhcpd[3277]: Wrote 3 leases to leases file.
Sep 28 18:27:55 tjener.intern dhcpd[3277]: Server starting service.
Sep 28 18:27:57 tjener.intern isc-dhcp-server[3264]: Starting ISC DHCPv4 
server: dhcpd.
Sep 28 18:27:57 tjener.intern systemd[1]: Started LSB: DHCP server.
root@tjener:~# 


Wolfgang




Bug#969935: debian-edu-ltsp: unused variables, $securitymirror needs /updates -> -security

2020-09-09 Thread Wolfgang Schweer
[ Vagrant Cascadian, 2020-09-08 ]
> On 2020-09-09, Paul Wise wrote:
> > The debian-edu-ltsp script contains a $securitymirror variable that is
> > hard coded to use $dist/updates but with the bullseye suite and later
> > it should be $dist-security instead. OTOH the $securitymirror variable
> > appears to be unused so perhaps it and the other unused variables
> > should either be removed or passed to the ltsp-build-client script at
> > the end of the debian-edu-ltsp script. As ltsp-build-client doesn't
> > appear to exist in any package in Debian, perhaps the debian-edu-ltsp
> > script should just be dropped instead?
[..]
> I had the impression debian-edu had switched over to the new style ltsp
> as well; presumably this should be removed from debian-edu* or is it
> still there for buster and earlier to be able to use the same packaging?

Yes, Debian Edu switched to re-written LTSP. The script isn't used atm. 
It could have been removed but has been kept because a revised version 
might be used instead of 
/usr/share/debian-edu-config/tools/edu-ltsp-install, which is used for 
Bullseye but doesn't seem to be quite handy. Also, all LTSP related 
documentation still needs some love after the existing LTSP setup has
been tested in real world deployments...

Wolfgang




Bug#966129: debian-edu-config: Please fix loss of dynamically allocated v4 IP address

2020-07-23 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.10.65+deb10u5
Severity: important

On the Debian Edu mailing list, Roland F. Teichert reported that normal
workstations lose their IP address after about 30 minutes since
system boot, see:
https://lists.debian.org/debian-edu/2020/07/msg00010.html

Removing a Debian Edu script below /etc/network/if-up.d fixed the problem
for him.

Wolfgang




Bug#964318: gosa login broken with PHP 7.4

2020-07-09 Thread Wolfgang Schweer
On Mon, Jul 06, 2020 at 12:05:44PM +0200, Wolfgang Schweer wrote:
> In both encrypt and decrypt cases, the chosen cipher method seems to 
> return 0.

This is the case because the chosen method (aes-256-ecb) doesn't use an 
initialization vector ($iv) at all, causing its length ($ivlen) to be 0, 
see e.g. https://usr.ed48.com/php/ssl/?xf=7

So the encrypt/decrypt implementation seems to have been sort of wrong 
before (and only now with PHP 7.4 an error is thrown).

Please check and test the attached changes to 
/usr/share/gosa/include/functions.inc and 
/usr/sbin/gosa-encrypt-passwords; works for me, but then my skills are 
low level and this is a quite sensitive issue.

Wolfgang
diff -u a/functions.inc b/functions.inc
--- a/functions.inc	2020-04-20 07:32:48.0 +0200
+++ b/functions.inc	2020-07-09 21:09:16.311305601 +0200
@@ -3308,11 +3308,10 @@
 }
 
 
-function cred_encrypt($input, $password, $cipher = "aes-256-ecb") {
+function cred_encrypt($input, $password) {
+  $cipher = "aes-256-ecb";
   if (in_array($cipher, openssl_get_cipher_methods())) {
-$ivlen = openssl_cipher_iv_length($cipher);
-$iv = openssl_random_pseudo_bytes($ivlen);
-return bin2hex(openssl_encrypt($input, $cipher, $password, OPENSSL_RAW_DATA, $iv));
+return bin2hex(openssl_encrypt($input, $cipher, $password));
   }
 
   return null;
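
Review bot: Dropping OPENSSL_RAW_DATA in cred_encrypt() changes the stored format, not only the IV handling: with the default options openssl_encrypt() returns base64, so bin2hex() now hex-encodes base64 text instead of raw ciphertext, and the result no longer matches values written by the old code. Keeping the flag and omitting only the $iv argument, as in `openssl_encrypt($input, $cipher, $password, OPENSSL_RAW_DATA)`, would remove the PHP 7.4 error without a format change. The $cipher parameter is also removed here while cred_decrypt() keeps it, so the two signatures diverge.
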
@@ -3320,9 +3319,7 @@
 
 function cred_decrypt($input, $password, $cipher = "aes-256-ecb") {
   if (in_array($cipher, openssl_get_cipher_methods())) {
-$ivlen = openssl_cipher_iv_length($cipher);
-$iv = openssl_random_pseudo_bytes($ivlen);
-return rtrim(openssl_decrypt(pack("H*", $input), $cipher, $password, OPENSSL_RAW_DATA, $iv ), "\0\3\4\n");
+return rtrim(openssl_decrypt(pack("H*", $input), $cipher, $password, $options=0, ), "\0\3\4\n");
   }
 
   return null;
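
Review bot: In cred_decrypt(), `$options=0, )` assigns a local variable inside the call and leaves a trailing comma, which is a parse error before PHP 7.3; pass a plain 0, or better keep OPENSSL_RAW_DATA. With options 0 openssl_decrypt() expects base64 input, so credentials stored as hex of raw ciphertext by the previous code will fail to decrypt after this change unless they are re-encrypted.
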
diff -u a/gosa-encrypt-passwords b/gosa-encrypt-passwords
--- a/gosa-encrypt-passwords	2020-04-20 07:32:00.0 +0200
+++ b/gosa-encrypt-passwords	2020-07-09 21:07:27.143219922 +0200
@@ -1,11 +1,10 @@
 #!/usr/bin/php
 



Bug#964600: deprecated implode() usage with PHP 7.4

2020-07-09 Thread Wolfgang Schweer
Package: gosa
Version: 2.7.4+reloaded3-11
Severity: normal
Tags: upstream

Moin Mike,

while working on Debian Edu Bullseye, I noticed that a warning message 
pops up when clicking several GUI items (PHP 7.4 in use).

Deprecated: implode(): Passing glue string after array is deprecated. 
Swap the parameters...

These warnings disappear with the attached changes applied.
There might be more files affected upstream.

Please check and test.

Wolfgang
diff -ur /usr/share/gosa/include/class_acl.inc modified/gosa/include/class_acl.inc
--- /usr/share/gosa/include/class_acl.inc	2020-04-20 07:32:48.0 +0200
+++ modified/gosa/include/class_acl.inc	2020-07-09 12:17:52.002910541 +0200
@@ -306,9 +306,9 @@
 
 function convertForListing($entry)
 {
-$member = implode($entry['members'],", ");
+$member = implode(", ",$entry['members']);
 if(isset($entry['acl']) && is_array($entry['acl'])){
-$acl = implode(array_keys($entry['acl']),", ");
+$acl = implode(", ",array_keys($entry['acl']));
 }else{
 $acl="";
 }
@@ -638,7 +638,7 @@
 // Create a map of all used sections, this allows us to simply hide the remove button 
 //  if no acl is configured for the given section 
 // e.g. ';all;department/country;users/user;
-$usedList = ";".implode(array_keys($this->aclContents),';').";";
+$usedList = ";".implode(';',array_keys($this->aclContents)).";";
 
 /* Add settings for all categories to the (permanent) list */
 $data = $lData = array();
diff -ur /usr/share/gosa/plugins/admin/acl/class_aclRole.inc modified/gosa/plugins/admin/acl/class_aclRole.inc
--- /usr/share/gosa/plugins/admin/acl/class_aclRole.inc	2020-04-20 07:32:48.0 +0200
+++ modified/gosa/plugins/admin/acl/class_aclRole.inc	2020-07-09 12:15:59.202864908 +0200
@@ -194,9 +194,9 @@
 
   function convertForListing($entry)
   {
-$member = implode($entry['members'],", ");
-$acl = implode(array_keys($entry['acl']),", ");
-$type = implode(array_keys($entry['acl']),", ");
+$member = implode(", ",$entry['members']);
+$acl = implode(", ",array_keys($entry['acl']));
+$type = implode(", ",array_keys($entry['acl']));
 return(array('data' => array($acl, $this->aclTypes[$entry['type']])));
   }
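
Review bot: In convertForListing(), $member and $type are assigned but the return statement only uses $acl, so two of the three implode() calls corrected here are dead code and could be dropped instead of fixed. Unlike the class_acl.inc version, this one also calls array_keys($entry['acl']) without an isset()/is_array() guard.
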
 
@@ -385,7 +385,7 @@
   // Create a map of all used sections, this allows us to simply hide the remove button
   //  if no acl is configured for the given section
   // e.g. ';all;department/country;users/user;
-  $usedList = ";".implode(array_keys($this->aclContents),';').";";
+  $usedList = ";".implode(';',array_keys($this->aclContents)).";";
 
   /* Add settings for all categories to the (permanent) list */
   foreach ($this->aclObjects as $section => $dsc){
diff -ur /usr/share/gosa/plugins/admin/departments/class_department.inc modified/gosa/plugins/admin/departments/class_department.inc
--- /usr/share/gosa/plugins/admin/departments/class_department.inc	2020-04-20 07:32:48.0 +0200
+++ modified/gosa/plugins/admin/departments/class_department.inc	2020-07-09 12:01:38.365073986 +0200
@@ -172,7 +172,7 @@
 $smarty= get_smarty();
 
 // Clear manager attribute if requested
-if(preg_match("/ removeManager/i", " ".implode(array_keys($_POST),' ')." ")){
+if(preg_match("/ removeManager/i", " ".implode(' ',array_keys($_POST))." ")){
 $this->manager = "";
 $this->manager_name = "";
 }
@@ -181,7 +181,7 @@
 if($this->manager_enabled){
 
 // Allow to select a new inetOrgPersion:manager
-if(preg_match("/ editManager/i", " ".implode(array_keys($_POST),' ')." ")){
+if(preg_match("/ editManager/i", " ".implode(' ',array_keys($_POST))." ")){
 $this->dialog = new singleUserSelect($this->config, get_userinfo());
 }
 if($this->dialog && count($this->dialog->detectPostActions())){
diff -ur /usr/share/gosa/plugins/generic/references/class_aclResolver.inc modified/gosa/plugins/generic/references/class_aclResolver.inc
--- /usr/share/gosa/plugins/generic/references/class_aclResolver.inc	2011-07-27 08:38:29.0 +0200
+++ modified/gosa/plugins/generic/references/class_aclResolver.inc	2020-07-09 12:23:40.271141058 +0200
@@ -284,8 +284,8 @@
 }
 if(!empty($filter)) $filter =sprintf($filter_tpl,$class,$filter);
 if(!empty($defs)) $defs = sprintf($acl_tpl,$class,$defs);
-if(count($users))  $umem = sprintf($umem_tpl,$class,"".implode($users,'')."");
-if(count($groups)) $gmem = sprintf($gmem_tpl,$class,"".implode($groups,'')."");
+if(count($users))  $umem = sprintf($umem_tpl,$class,"".implode('',$users)."");
+if(count($groups)) $gmem = 

Bug#964318: gosa login broken with PHP 7.4

2020-07-06 Thread Wolfgang Schweer
On Sun, Jul 05, 2020 at 10:34:43PM +, Holger Levsen wrote:
> this pretty much sounds like a 'serious' bug ( = unsuitable for a stable 
> release as per https://www.debian.org/Bugs/Developer#severities and not
> just important ("major impact,  without rendering it completely unusable
> to everyone") or less, though I will follow Wolfgang's example and opt 
> for the lesser severity. (maybe it still works with new accounts?)

It doesn't. Also, setting up LDAP from scratch fails as well, i.e. 
installation of a new Debian Edu main server is broken.

Error message:

info: Creating first user  'jdoe'.
To initialize a brand new LDAP+KDC: 
rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb
rm /etc/krb5kdc/stash /etc/krb5.keytab*
LDAP passwords cleared from debconf database.
The provided LDAP password is valid.

PHP Fatal error:  Uncaught Error: Length must be greater than 0 in 
/usr/sbin/gosa-encrypt-passwords:7
Stack trace:
#0 /usr/sbin/gosa-encrypt-passwords(7): openssl_random_pseudo_bytes()
#1 /usr/sbin/gosa-encrypt-passwords(74): cred_encrypt()
#2 {main}
  thrown in /usr/sbin/gosa-encrypt-passwords on line 7

Related code in /usr/sbin/gosa-encrypt-passwords causing the error:

function cred_encrypt($input, $password, $cipher = "aes-256-ecb") {
  if (in_array($cipher, openssl_get_cipher_methods())) {
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);
    return bin2hex(openssl_encrypt($input, $cipher, $password,
                                   OPENSSL_RAW_DATA, $iv));
  }

  return null;
}

Similar GOSa² web interface related code in /usr/share/gosa/functions.inc:

function cred_encrypt($input, $password, $cipher = "aes-256-ecb") {
  if (in_array($cipher, openssl_get_cipher_methods())) {
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);
    return bin2hex(openssl_encrypt($input, $cipher, $password,
                                   OPENSSL_RAW_DATA, $iv));
  }

  return null;
}

function cred_decrypt($input, $password, $cipher = "aes-256-ecb") {
  if (in_array($cipher, openssl_get_cipher_methods())) {
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes(64);
    return rtrim(openssl_decrypt(pack("H*", $input), $cipher, $password,
                                 OPENSSL_RAW_DATA, $iv ), "\0\3\4\n");
  }

  return null;
}

In both encrypt and decrypt cases, the chosen cipher method seems to return 0.
 
The severity is rather 'grave', I figure.

@Mike: Also, src:fusiondirectory might be affected.
 
Wolfgang


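The failure reported above, reproduced next to a guarded variant, as an added example (not GOsa² code, and not necessarily the fix that was applied to the package). The `_compat` function names, the `iv_for_cipher()` helper and the sample strings are assumptions made for this illustration; the output format (hex of raw `aes-256-ecb` ciphertext) is kept as in the quoted functions so existing stored values stay readable.

```php
<?php
// Added example: iv_for_cipher() and the *_compat names are hypothetical.

// Return an IV of the length the cipher expects, or "" when it takes none.
// On PHP >= 7.4 openssl_random_pseudo_bytes() throws for a length below 1,
// so the call must be skipped when the cipher reports an IV length of 0.
function iv_for_cipher(string $cipher): string {
    $ivlen = openssl_cipher_iv_length($cipher);
    return ($ivlen > 0) ? openssl_random_pseudo_bytes($ivlen) : "";
}

function cred_encrypt_compat($input, $password, $cipher = "aes-256-ecb") {
    if (!in_array($cipher, openssl_get_cipher_methods())) {
        return null;
    }
    $out = openssl_encrypt($input, $cipher, $password,
                           OPENSSL_RAW_DATA, iv_for_cipher($cipher));
    return ($out === false) ? null : bin2hex($out);
}

function cred_decrypt_compat($input, $password, $cipher = "aes-256-ecb") {
    if (!in_array($cipher, openssl_get_cipher_methods())) {
        return null;
    }
    $out = openssl_decrypt(pack("H*", $input), $cipher, $password,
                           OPENSSL_RAW_DATA, iv_for_cipher($cipher));
    return ($out === false) ? null : rtrim($out, "\0\3\4\n");
}

// 1. Root cause: ECB takes no IV, so the length handed on is 0.
printf("PHP %s, IV length for aes-256-ecb: %d\n",
       PHP_VERSION, openssl_cipher_iv_length("aes-256-ecb"));

// 2. The unguarded call from the stack traces.
try {
    openssl_random_pseudo_bytes(0);
    echo "length 0 accepted by this PHP version\n";
} catch (Error $e) {
    echo "length 0 rejected: ", get_class($e), ": ", $e->getMessage(), "\n";
}

// 3. Round trip with constructed sample values.
$secret = "constructed-ldap-password";
$key    = "constructed-master-key";
$hex    = cred_encrypt_compat($secret, $key);
var_dump(cred_decrypt_compat($hex, $key) === $secret);
```

Because the quoted `cred_decrypt()` draws a fresh random IV instead of reading a stored one, these functions can only round-trip with a cipher that ignores the IV. Moving to an IV-based mode would require storing the IV alongside the ciphertext.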


Bug#964318: gosa login broken with PHP 7.4

2020-07-05 Thread Wolfgang Schweer
Package: gosa
Version: 2.7.4+reloaded3-11
Severity: normal
Tags: upstream

Hi Mike,

while working on Debian Edu Bullseye, I noticed that it is no longer 
possible to log into the GOSa² web interface after a main server 
upgrade.

This error message is popping up:

Fatal error: Uncaught Error: Length must be greater than 0 in 
/usr/share/gosa/include/functions.inc:3324 Stack trace:
#0 /usr/share/gosa/include/functions.inc(3324): 
openssl_random_pseudo_bytes()
#1 /usr/share/gosa/include/class_config.inc(310): cred_decrypt()
#2 /usr/share/gosa/include/class_config.inc(362): config->get_credentials() 
#3 /usr/share/gosa/include/class_configRegistry.inc(408): 
config->get_ldap_link()
#4 /usr/share/gosa/include/class_config.inc(453): configRegistry->reload() 
#5 /usr/share/gosa/include/class_config.inc(441): config->load_servers() 
#6 /usr/share/gosa/html/index.php(267): config->set_current()
#7 {main} 
thrown in /usr/share/gosa/include/functions.inc on line 3324

This happened after upgrading the main server.

The error is most probably due to PHP 7.4 incompatible gosa code, see: 
https://www.php.net/manual/en/migration74.incompatible.php

Wolfgang




Bug#890517: killer's CRON logs out users once per hour

2020-06-18 Thread Wolfgang Schweer
Moin Mike,

On Wed, 06 Feb 2019 11:25:54 + Mike Gabriel wrote:
> > control: severity -1 serious
> > # x2go-server is now in buster
> > thanks
> 
> neither x2goserver nor killer are unusable due to the missing  
> utmp/wtmp registration. Thus, reducing severity to important.
> 
> I will look into this issue for buster is out while we are still in  
> soft-freeze (in fact I have some local prototype already, but need to  
> revisit).
 
Any news on this one? Debian Edu Bullseye intends to use x2goserver on 
LTSP servers for Thin Client support...
 
Wolfgang




Bug#961729: education-networked-common: Please remove Recommends: haveged

2020-05-29 Thread Wolfgang Schweer
On Sat, May 30, 2020 at 12:21:14AM +0200, Wolfgang Schweer wrote:
> On Fri, May 29, 2020 at 11:47:37AM +0200, Petter Reinholdtsen wrote:
> > The module does not seem to do a great job in Buster, at least.
> [..]
> > With the jitterentropy_rng kernel module, entropy still drains out.  
> > This was without typing on the keyboard and not moving the mouse.
>  
> After reading the Jitter RNG Daemon description, see: 
> 
> https://packages.debian.org/buster/jitterentropy-rngd
> 
> I figure that besides enabling the jitterentropy_rng kernel module also 
> the jitterentropy-rngd package needs to be installed.

For background information concerning kernel module and user space 
daemon, see:

https://bugs.debian.org/927972#41

(and follow-up messages).

Wolfgang




Bug#961729: education-networked-common: Please remove Recommends: haveged

2020-05-29 Thread Wolfgang Schweer
On Fri, May 29, 2020 at 11:47:37AM +0200, Petter Reinholdtsen wrote:
> The module does not seem to do a great job in Buster, at least.
[..]
> With the jitterentropy_rng kernel module, entropy still drains out.  
> This was without typing on the keyboard and not moving the mouse.
 
After reading the Jitter RNG Daemon description, see: 

https://packages.debian.org/buster/jitterentropy-rngd

I figure that besides enabling the jitterentropy_rng kernel module also 
the jitterentropy-rngd package needs to be installed.

Wolfgang



