Bug#1051841: debian-edu-testsuite reports errors

2023-09-14 Thread Guido Berhoerster
On Thu, 14 Sep 2023 10:57:32 +0200 Petter Reinholdtsen wrote:
> [Guido Berhoerster]
> >> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is enabled
> >
> > /etc/pam.d/common-auth contains:
> >
> > …
> > auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
> > auth    [success=2 default=ignore]  pam_unix.so nullok try_first_pass
> > auth    [success=1 default=ignore]  pam_ldap.so minimum_uid=1000 use_first_pass
> > …
> >
> > So PAM tries them in the given order until one succeeds; I'm not sure
> > what is wrong with that. The git history of testsuite/ldap-client is
> > not helpful either as to why this was added.
> 
> The pam_ldap.so line should be removed.  LDAP authentication sends
> the password over to the LDAP server for verification, hopefully via a
> TLS channel, allowing a rogue server to collect user passwords, while
> Kerberos only sends an encrypted timestamp to the server.  Because of
> this Debian Edu does not want LDAP authentication enabled, and uses
> Kerberos exclusively over the network.

OK, digging into history shows that this has been a problem before
(#591773), which had a workaround via cfengine. However, that was removed
in
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/3a2cb02332e0dea3bb1dae1847de1a7fe542b1c6
well before bullseye, and in bullseye libpam-ldapd does not get pulled in
on non-roaming installs.

The dependency chain in bookworm is education-networked-common -> nslcd 
-> libpam-ldapd and nslcd still has "libpam-ldapd | libpam-ldap |
libpam-krb5 | libpam-heimdal | libpam-sss" but
education-networked-common also directly recommends libpam-ldapd which
seems to be the culprit.

The following commit introduced the dependency:

https://salsa.debian.org/debian-edu/debian-edu/-/commit/16307694c2a24b13a5a910c7cbcacafc8bf6abec


> >> error: ./rdp-server: xrdp service is not listening on 3389/tcp.
> >
> > This can probably be ignored as I have set up FAI on top of my LTSP
> > setup.
> 
> I do not understand what you mean here.  How is this relevant?

It's a quirk on my local system, I shouldn't have included it in the
report.

-- 
Guido Berhoerster
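A checker for the condition the testsuite reports in the quoted error ("Not only one PAM module of krb5, ldap and sss is enabled"), added here as an example and not taken from the testsuite's ldap-client script. The sample common-auth is constructed from the lines quoted in this thread; the trailing pam_deny/pam_permit lines are assumed as the usual end of the stack.

```python
"""Added checker for the testsuite rule discussed in this thread: exactly one
of the network auth modules krb5, ldap and sss may be enabled in common-auth."""
import re

# Constructed sample mirroring the common-auth lines quoted in this thread.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]  pam_unix.so nullok try_first_pass
auth    [success=1 default=ignore]  pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

NETWORK_AUTH = {"pam_krb5.so": "krb5", "pam_ldap.so": "ldap", "pam_sss.so": "sss"}

# A PAM line is: type  control  module [args].  The control field is a single
# keyword (required, ...) or a bracketed [value=action ...] list with spaces.
PAM_LINE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def enabled_modules(config_text, pam_type="auth"):
    """Return the module names active in the given stack, in file order."""
    mods = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PAM_LINE.match(line)
        if m and m.group("type").lstrip("-") == pam_type:
            mods.append(m.group("module"))
    return mods


def network_auth_enabled(config_text):
    """Short names (krb5/ldap/sss) of the network auth modules in the auth stack."""
    return [NETWORK_AUTH[m] for m in enabled_modules(config_text) if m in NETWORK_AUTH]


def check_single_network_auth(config_text):
    """Mirror the testsuite's wording: error unless exactly one is enabled."""
    found = network_auth_enabled(config_text)
    if len(found) == 1:
        return "ok: %s" % found[0]
    return ("error: Not only one PAM module of krb5, ldap and sss is enabled"
            " (found: %s)" % ", ".join(found))


if __name__ == "__main__":
    print(check_single_network_auth(SAMPLE_COMMON_AUTH))
```

Running it on the quoted stack reports krb5 and ldap both enabled, which is the error the testsuite raised; dropping the pam_ldap.so line (and letting pam-auth-update renumber the success= jumps) makes it pass.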



Bug#1051841: debian-edu-testsuite reports errors

2023-09-14 Thread Petter Reinholdtsen
[Guido Berhoerster]
>> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is enabled
>
> /etc/pam.d/common-auth contains:
>
> …
> auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
> auth    [success=2 default=ignore]  pam_unix.so nullok try_first_pass
> auth    [success=1 default=ignore]  pam_ldap.so minimum_uid=1000 use_first_pass
> …
>
> So PAM tries them in the given order until one succeeds; I'm not sure
> what is wrong with that. The git history of testsuite/ldap-client is
> not helpful either as to why this was added.

The pam_ldap.so line should be removed.  LDAP authentication sends
the password over to the LDAP server for verification, hopefully via a
TLS channel, allowing a rogue server to collect user passwords, while
Kerberos only sends an encrypted timestamp to the server.  Because of
this Debian Edu does not want LDAP authentication enabled, and uses
Kerberos exclusively over the network.

>> error: ./rdp-server: xrdp service is not listening on 3389/tcp.
>
> This can probably be ignored as I have set up FAI on top of my LTSP
> setup.

I do not understand what you mean here.  How is this relevant?

-- 
Happy hacking
Petter Reinholdtsen



Bug#1051841: debian-edu-testsuite reports errors

2023-09-14 Thread Guido Berhoerster
On Wed, 13 Sep 2023 13:03:45 +0200 Guido Berhoerster wrote:
> error: ./filesystems: Using ext2 on /boot

This seems bogus, there should be an exception for boot.

> error: ./ldap-client: Missing /skole mount point in ldap
> error: ./ldap-client: Missing tjener mount point in ldap
> error: ./ldap-client: Missing / mount point in ldap
> error: ./ldap-client: TLS search for cn=admins failed.

All of the above are due to incorrect ldapsearch invocation.

> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is enabled

/etc/pam.d/common-auth contains:

…
auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]  pam_unix.so nullok try_first_pass
auth    [success=1 default=ignore]  pam_ldap.so minimum_uid=1000 use_first_pass
…

So PAM tries them in the given order until one succeeds; I'm not sure
what is wrong with that. The git history of testsuite/ldap-client is
not helpful either as to why this was added.

> error: ./ldap-server: search fail before flodding the LDAP server with 1200 connections
> error: ./ldap-server: search fail after flodding the LDAP server with 1200 connections

All of the above are due to incorrect ldapsearch invocation.

> error: ./rdp-server: xrdp service is not listening on 3389/tcp.

This can probably be ignored as I have set up FAI on top of my LTSP
setup.


-- 
Guido Berhoerster



Bug#1051841: debian-edu-testsuite reports errors

2023-09-13 Thread Guido Berhoerster
Package: debian-edu-install
Version: 2.12.9

$ grep ^error /var/log/installer/debian-edu-install-testsuite
error: ./doc: The manual for the Bookworm release has 1 FIXMEs.  Please fix at https://wiki.debian.org/DebianEdu/Documentation/Bookworm.
error: ./filesystems: Using ext2 on /boot
error: ./ldap-client: Missing /skole mount point in ldap
error: ./ldap-client: Missing tjener mount point in ldap
error: ./ldap-client: Missing / mount point in ldap
error: ./ldap-client: TLS search for cn=admins failed.
error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is enabled
error: ./ldap-server: search fail before flodding the LDAP server with 1200 connections
error: ./ldap-server: search fail after flodding the LDAP server with 1200 connections
error: ./rdp-server: xrdp service is not listening on 3389/tcp.

-- 
Guido Berhoerster