the three-headed dog at the doorstep...
Hi all,

after some successful tests I have been thinking about how to proceed with the implementation of kerberos. The changes to our sources might not be too small and the whole setup is probably influenced (in a positive way). Here are some ideas and thoughts that are puzzling me:

Can we get rid of the hardwired, predefined machine management?

Currently, when ldap is bootstrapped, there is already a long list of staticXX, dhcpXXX and some more entries. The IP ranges are predefined and machines have to be added to the correct network range. This complicates the administration of the ldap-tree, and to do that in a user-friendly way special tools are necessary (currently lwat). Is it possible to get rid of (part of) that?

Correct me if I am wrong: With kerberos, a machine is authenticated by an entry in its keytab. With that key, it identifies with the kdc. To mount the home directory, the user needs a valid TGT (ticket-granting-ticket) which is obtained during login. A special IP-address might not be needed. So you would have to act on standard objects in ldap: users, groups and machines, and no lwat-magic remains. The only thing left (outside ldap) is to attach a principal to every ldap object needed for authentication (combine this with the creation of home directories?) and to drop keytabs on machines (combine this with the distribution of our certificate?).

So far I tried to implement kerberos in parallel to the existing setup, but I have the impression this complicates things a lot. So currently I suggest starting to implement regardless of the existing stuff (and really breaking it), and concentrating all manpower on getting things to work with kerberos for a week or so. If it works out, we have a superb system without the cruft of the past. If not, it is easily possible to revert all changes because they will have happened in a clearly defined time frame.

So what do you think about that?

I do not have the experience to oversee all implications, but as far as I can tell we can gain a simpler system, easier to set up, easier to maintain our configuration packages, and more flexible and straightforward without loss of security features. But I am not an expert in this field. Someone who knows the reasons for the current setup and its security framework should give his ok too.

Regards,

Andi

-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100505080712.ga4...@flashgordon
Re: the three-headed dog at the doorstep...
[Andreas B. Mundt]
> Hi all, after some successful tests I have been thinking about how to proceed with the implementation of kerberos. The changes to our sources might not be too small and the whole setup is probably influenced (in a positive way). Here are some ideas and thoughts that are puzzling me:

Very good to hear you have success with Kerberos. It has been on the wishlist for a few years now, and might finally be within reach. :)

> Can we get rid of the hardwired, predefined machine management? Currently, when ldap is bootstrapped, there is already a long list of staticXX, dhcpXXX and some more entries. The IP ranges are predefined and machines have to be added to the correct network range. This complicates the administration of the ldap-tree, and to do that in a user-friendly way special tools are necessary (currently lwat).

All these entries are only for convenience and are not required for anything. If it is easier to drop them, we can do that already, without switching to Kerberos first.

> Is it possible to get rid of (part of) that? Correct me if I am wrong: With kerberos, a machine is authenticated by an entry in its keytab. With that key, it identifies with the kdc. To mount the home directory, the user needs a valid TGT (ticket-granting-ticket) which is obtained during login. A special IP-address might not be needed. So you would have to act on standard objects in ldap: users, groups and machines, and no lwat-magic remains. The only thing left (outside ldap) is to attach a principal to every ldap object needed for authentication (combine this with the creation of home directories?) and to drop keytabs on machines (combine this with the distribution of our certificate?).

The only reason we have static allocation of IP addresses today is for NFS 3 exports, which uses IP addresses for access control. If we can use Kerberos instead for access control (which probably would require us to replace autofs with something else), we can drop the static IP allocation.

Which file system did you have in mind for use with Kerberos? NFS v3 can't be used, as far as I know. NFS v4 might work, but I know no-one using it in production at the moment, and we do not really want to be the first. :) AFS is an option, but can't export existing file systems and needs to export devices.

> So what do you think about that? I do not have the experience to oversee all implications, but as far as I can tell we can gain a simpler system, easier to set up, easier to maintain our configuration packages, and more flexible and straightforward without loss of security features. But I am not an expert in this field. Someone who knows the reasons for the current setup and its security framework should give his ok too.

I believe we should take it step by step, by first delegating password checking to Kerberos while keeping LDAP as the database, and when this is operational, look at replacing the current NFS v3 autofs setup with something that uses Kerberos for authentication. This way we have a chance of getting something ready for release shortly after Squeeze is released.

Happy hacking,
-- 
Petter Reinholdtsen
Archive: http://lists.debian.org/20100505084233.ga28...@login1.uio.no
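The machine identity discussed in this thread (a keytab entry the workstation uses to identify itself to the KDC) is, at the file level, just a principal name, a key version number and a key. As an added example that is not part of the thread and not Debian Edu code, the Python below writes and parses the MIT keytab file format (version 0x0502) and checks that the host/<fqdn> entry a workstation needs is present, the same listing `klist -k` gives. The realm, hostnames and key bytes are constructed placeholders. It also handles two edge cases a hand-written reader tends to miss: deleted slots (negative entry length) and the trailing 32-bit kvno that overrides the 8-bit field.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"       # MIT keytab file format version 2
NT_PRINCIPAL = 1                 # name type KRB5_NT_PRINCIPAL
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialise (realm, components, kvno, enctype, key, timestamp) tuples.
    Only used here to construct sample input; real keytabs come from kadmin/ktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for realm, components, kvno, enctype, key, timestamp in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key                 # keyblock
        body += struct.pack(">I", kvno)                                     # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body                          # signed entry length
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry; a negative length marks a deleted slot to skip."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:               # trailing 32-bit vno, authoritative when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key": key, "timestamp": timestamp})
    return entries


def host_entries(data: bytes, fqdn: str, realm: str):
    """Entries for host/<fqdn>@REALM: the identity a workstation presents to the KDC."""
    want = f"host/{fqdn}@{realm}"
    return [e for e in parse_keytab(data) if e["principal"] == want]


# Constructed sample: realm, hostnames and key bytes are placeholders, not Debian Edu values.
SAMPLE_KEYTAB = build_keytab([
    ("EXAMPLE.ORG", ["host", "ws01.example.org"], 3, 18, bytes(range(32)), 1273046400),
    ("EXAMPLE.ORG", ["nfs", "tjener.example.org"], 300, 17, bytes(range(16)), 1273046400),
])
# Same entries preceded by a 5-byte deleted slot, as left behind by an in-place deletion.
SAMPLE_WITH_HOLE = KEYTAB_MAGIC + struct.pack(">i", -5) + b"\x00" * 5 + SAMPLE_KEYTAB[2:]

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_WITH_HOLE):          # the listing `klist -k` would give
        print(f"{e['kvno']:>4} {e['principal']} ({e['enctype']})")
```

The kvno 300 entry shows why the 32-bit field matters: the 8-bit slot wraps to 44, and a reader that trusts it would refuse tickets issued against the real key version.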
Re: MIT-kerberos versus Heimdal
On Mon, 2010-05-03 at 21:47 +0200, Andreas B. Mundt wrote:
> The critical point in using kerberos is the synchronization i.e. integration of all passwords: posix, samba and kerberos. Again, [1] gives an idea how it can be done with Heimdal and smbk5pwd, an (ldap-) overlay which will soon be in testing [2].
>
> In general, I got the impression that MIT-Kerberos is kind of more mainstream, there is more info on the web. Heimdal's documentation can be rather short sometimes.
>
> To sum up: The only advantage I see for Heimdal currently might be the use of smbk5pwd. However, if we need scripts anyway, I think it's better to add the few lines of code necessary for synchronization and use MIT.
>
> [1] http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
> [2] http://packages.qa.debian.org/o/openldap.html

Hi,

We've been figuring out for a while what to do with this syncing problem and we just finished smbkrb5pwd for MIT kerberos. Its implementation differs from smbk5pwd for Heimdal, but the idea is to sync all the passwords at once when the ldap password is changed. This is the first version and it still needs work, but if you are interested in testing it, here are instructions on how to use it:

http://www.opinsys.fi/en/smbkrb5pwd-password-syncing-for-openldap-mit-kerberos-and-samba

smbkrb5pwd does not alter the kerberos ldap entries directly, but connects to kadmind to do the work. This has pros and cons, but for us it seems to work nicely in test environments. The testing has been done on Ubuntu 10.04, but I cannot see why it wouldn't work in Debian also.

Veli-Matti
Archive: http://lists.debian.org/1273066901.2643.13397.ca...@vm-lucid
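What "syncing all the passwords at once" has to produce, as an added example that is not from the thread and not smbkrb5pwd's code: each consumer keeps a different derivation of the same secret (OpenLDAP's {SSHA} userPassword for POSIX, an MD4-based NT hash in sambaNTPassword for Samba, and Kerberos keys that only the KDC can set), so a plain userPassword modify leaves the other stores stale. The Python below implements MD4 and both hash forms itself (hashlib's MD4 is often disabled in current OpenSSL builds), models a user entry, and contrasts the unsynced modify with the overlay's all-at-once behaviour. The kadmin_queue list is a stand-in for the kadmind call the overlay makes, and the user name is constructed.

```python
import base64
import hashlib
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_block(state, block: bytes):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for i in range(16):                       # round 1
        a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                       # round 2
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                       # round 3
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
        a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad, then compress 64-byte blocks."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, bytes(msg[off:off + 64]))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: bytes = None) -> str:
    """userPassword in OpenLDAP's {SSHA} form: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_check(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def new_entry(uid: str, password: str) -> dict:
    """An LDAP user as POSIX and Samba see it (Kerberos keys live in the KDC)."""
    return {"uid": uid, "userPassword": ssha(password), "sambaNTPassword": nt_hash(password)}


def change_password_unsynced(entry: dict, new_password: str) -> dict:
    """A plain userPassword modify: only the POSIX hash moves, Samba keeps the old one."""
    entry["userPassword"] = ssha(new_password)
    return entry


def change_password_synced(entry: dict, new_password: str, kadmin_queue: list) -> dict:
    """The smbkrb5pwd idea: one LDAP password change updates every store.
    kadmin_queue is a stand-in for the kadmind request the overlay sends."""
    entry["userPassword"] = ssha(new_password)
    entry["sambaNTPassword"] = nt_hash(new_password)
    kadmin_queue.append(("change_password", entry["uid"], new_password))
    return entry


def posix_login_ok(entry: dict, password: str) -> bool:
    return ssha_check(entry["userPassword"], password)


def samba_login_ok(entry: dict, password: str) -> bool:
    return entry["sambaNTPassword"] == nt_hash(password)
```

Running the unsynced path first and then the synced one on the same entry shows the failure mode the thread is about: after a plain modify the POSIX login accepts the new password while the Samba login still only accepts the old one.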
Need testers for LTSP thin client device popup in KDE
The last few days Vagrant and I have been looking into how to get LTSP thin clients to get a popup in KDE when a USB stick and other local devices are inserted on the client. The work and progress is documented in bug #575031.

One approach we considered is to use hal to notify KDE about the LTSP mounts. This script should implement this approach. Can someone with a LTSP test lab test how this approach works when several users are logged into the same server and insert USB sticks on their thin client? What happens if a USB stick is inserted on the server itself?

tjener:~# cat /etc/ltspfs/mounter.d/hal-notify
#!/bin/sh
# Called by ltspfs as: add <mountpoint> | remove <mountpoint> | cleanup
case "$1" in
    add)
        mountpoint="$2"
        devname=$(basename "$mountpoint")
        halname="storage_serial_LTSP_$devname"
        # Describe the LTSP mount to hal as a mounted removable volume
        cat <<EOF | hal-device --add "$halname"
block.is_volume = true (bool)
block.storage_device = '/org/freedesktop/Hal/devices/$halname' (string)
storage.removable = true (bool)
storage.hotpluggable = true (bool)
info.capabilities = {'volume', 'block'} (string list)
info.category = 'volume' (string)
info.interfaces = {'org.freedesktop.Hal.Device.Volume'} (string list)
info.product = 'LTSP $devname' (string)
info.parent = '/org/freedesktop/Hal/devices/computer' (string)
volume.fstype = 'ltspfs' (string)
volume.fsusage = 'filesystem' (string)
volume.ignore = false (bool)
volume.is_disc = false (bool)
volume.is_mounted = true (bool)
volume.is_mounted_read_only = false (bool)
volume.is_partition = false (bool)
volume.label = '' (string)
volume.mount_point = '$mountpoint' (string)
EOF
        ;;
    remove)
        mountpoint="$2"
        devname=$(basename "$mountpoint")
        halname="storage_serial_LTSP_$devname"
        hal-device --remove "$halname"
        ;;
    cleanup)
        # XXX Not quite sure what is supposed to happen here
        ;;
esac
tjener:~#

Happy hacking,
-- 
Petter Reinholdtsen
Archive: http://lists.debian.org/2fl7hniidv2@login2.uio.no
Processing of debian-edu_0.847_i386.changes
debian-edu_0.847_i386.changes uploaded successfully to localhost
along with the files:
  debian-edu_0.847.dsc
  debian-edu_0.847.tar.gz
  education-tasks_0.847_i386.deb
  education-menus_0.847_i386.deb
  education-astronomy_0.847_i386.deb
  education-chemistry_0.847_i386.deb
  education-common_0.847_i386.deb
  education-desktop-gnome_0.847_i386.deb
  education-desktop-kde_0.847_i386.deb
  education-desktop-lxde_0.847_i386.deb
  education-desktop-other_0.847_i386.deb
  education-desktop-sugar_0.847_i386.deb
  education-development_0.847_i386.deb
  education-electronics_0.847_i386.deb
  education-geography_0.847_i386.deb
  education-graphics_0.847_i386.deb
  education-language_0.847_i386.deb
  education-laptop_0.847_i386.deb
  education-logic-games_0.847_i386.deb
  education-main-server_0.847_i386.deb
  education-mathematics_0.847_i386.deb
  education-misc_0.847_i386.deb
  education-music_0.847_i386.deb
  education-networked_0.847_i386.deb
  education-physics_0.847_i386.deb
  education-services_0.847_i386.deb
  education-standalone_0.847_i386.deb
  education-thin-client_0.847_i386.deb
  education-thin-client-server_0.847_i386.deb
  education-workstation_0.847_i386.deb

Greetings,

Your Debian queue daemon (running on host ries.debian.org)
Archive: http://lists.debian.org/e1o9jqe-0005ul...@ries.debian.org
debian-edu_0.847_i386.changes ACCEPTED
Accepted:
debian-edu_0.847.dsc
  to main/d/debian-edu/debian-edu_0.847.dsc
debian-edu_0.847.tar.gz
  to main/d/debian-edu/debian-edu_0.847.tar.gz
education-astronomy_0.847_i386.deb
  to main/d/debian-edu/education-astronomy_0.847_i386.deb
education-chemistry_0.847_i386.deb
  to main/d/debian-edu/education-chemistry_0.847_i386.deb
education-common_0.847_i386.deb
  to main/d/debian-edu/education-common_0.847_i386.deb
education-desktop-gnome_0.847_i386.deb
  to main/d/debian-edu/education-desktop-gnome_0.847_i386.deb
education-desktop-kde_0.847_i386.deb
  to main/d/debian-edu/education-desktop-kde_0.847_i386.deb
education-desktop-lxde_0.847_i386.deb
  to main/d/debian-edu/education-desktop-lxde_0.847_i386.deb
education-desktop-other_0.847_i386.deb
  to main/d/debian-edu/education-desktop-other_0.847_i386.deb
education-desktop-sugar_0.847_i386.deb
  to main/d/debian-edu/education-desktop-sugar_0.847_i386.deb
education-development_0.847_i386.deb
  to main/d/debian-edu/education-development_0.847_i386.deb
education-electronics_0.847_i386.deb
  to main/d/debian-edu/education-electronics_0.847_i386.deb
education-geography_0.847_i386.deb
  to main/d/debian-edu/education-geography_0.847_i386.deb
education-graphics_0.847_i386.deb
  to main/d/debian-edu/education-graphics_0.847_i386.deb
education-language_0.847_i386.deb
  to main/d/debian-edu/education-language_0.847_i386.deb
education-laptop_0.847_i386.deb
  to main/d/debian-edu/education-laptop_0.847_i386.deb
education-logic-games_0.847_i386.deb
  to main/d/debian-edu/education-logic-games_0.847_i386.deb
education-main-server_0.847_i386.deb
  to main/d/debian-edu/education-main-server_0.847_i386.deb
education-mathematics_0.847_i386.deb
  to main/d/debian-edu/education-mathematics_0.847_i386.deb
education-menus_0.847_i386.deb
  to main/d/debian-edu/education-menus_0.847_i386.deb
education-misc_0.847_i386.deb
  to main/d/debian-edu/education-misc_0.847_i386.deb
education-music_0.847_i386.deb
  to main/d/debian-edu/education-music_0.847_i386.deb
education-networked_0.847_i386.deb
  to main/d/debian-edu/education-networked_0.847_i386.deb
education-physics_0.847_i386.deb
  to main/d/debian-edu/education-physics_0.847_i386.deb
education-services_0.847_i386.deb
  to main/d/debian-edu/education-services_0.847_i386.deb
education-standalone_0.847_i386.deb
  to main/d/debian-edu/education-standalone_0.847_i386.deb
education-tasks_0.847_i386.deb
  to main/d/debian-edu/education-tasks_0.847_i386.deb
education-thin-client-server_0.847_i386.deb
  to main/d/debian-edu/education-thin-client-server_0.847_i386.deb
education-thin-client_0.847_i386.deb
  to main/d/debian-edu/education-thin-client_0.847_i386.deb
education-workstation_0.847_i386.deb
  to main/d/debian-edu/education-workstation_0.847_i386.deb

Override entries for your package:
debian-edu_0.847.dsc - source misc
education-astronomy_0.847_i386.deb - extra misc
education-chemistry_0.847_i386.deb - extra misc
education-common_0.847_i386.deb - extra misc
education-desktop-gnome_0.847_i386.deb - extra gnome
education-desktop-kde_0.847_i386.deb - extra kde
education-desktop-lxde_0.847_i386.deb - extra x11
education-desktop-other_0.847_i386.deb - extra misc
education-desktop-sugar_0.847_i386.deb - extra x11
education-development_0.847_i386.deb - extra misc
education-electronics_0.847_i386.deb - extra misc
education-geography_0.847_i386.deb - extra misc
education-graphics_0.847_i386.deb - extra misc
education-language_0.847_i386.deb - extra misc
education-laptop_0.847_i386.deb - extra misc
education-logic-games_0.847_i386.deb - extra misc
education-main-server_0.847_i386.deb - extra misc
education-mathematics_0.847_i386.deb - extra misc
education-menus_0.847_i386.deb - extra misc
education-misc_0.847_i386.deb - extra misc
education-music_0.847_i386.deb - extra misc
education-networked_0.847_i386.deb - extra misc
education-physics_0.847_i386.deb - extra misc
education-services_0.847_i386.deb - extra misc
education-standalone_0.847_i386.deb - extra misc
education-tasks_0.847_i386.deb - extra misc
education-thin-client-server_0.847_i386.deb - extra misc
education-thin-client_0.847_i386.deb - extra misc
education-workstation_0.847_i386.deb - extra misc

Announcing to debian-devel-chan...@lists.debian.org
Closing bugs: 570799

Thank you for your contribution to Debian.
Archive: http://lists.debian.org/e1o9jtl-0006wo...@ries.debian.org
Bug#570799: marked as done (squeeze: use libpam-ldapd instead of libpam-ldap)
Your message dated Wed, 05 May 2010 19:04:19 + with message-id e1o9jtl-0006wu...@ries.debian.org and subject line Bug#570799: fixed in debian-edu 0.847 has caused the Debian Bug report #570799, regarding squeeze: use libpam-ldapd instead of libpam-ldap to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
570799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570799
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
package: debian-edu-config
severity: important
version: 1.436
tags: moreinfo
User: debian-edu@lists.debian.org
Usertags: debian-edu

Hi,

quoting http://wiki.debian.org/DebianEdu/Status/Squeeze:

> libnss-ldapd have been split in two, and our preseeding need to preseed the nslcd package instead. Probably want to replace libpam-ldap with libpam-ldapd as well.

I assume this bug should be filed with severity serious, as the effect is the same as with 570773, though maybe this one is the cause for 570773?

cheers,
Holger
---End Message---
---BeginMessage---
Source: debian-edu
Source-Version: 0.847

We believe that the bug you reported is fixed in the latest version of debian-edu, which is due to be installed in the Debian FTP archive:

debian-edu_0.847.dsc
  to main/d/debian-edu/debian-edu_0.847.dsc
debian-edu_0.847.tar.gz
  to main/d/debian-edu/debian-edu_0.847.tar.gz
education-astronomy_0.847_i386.deb
  to main/d/debian-edu/education-astronomy_0.847_i386.deb
education-chemistry_0.847_i386.deb
  to main/d/debian-edu/education-chemistry_0.847_i386.deb
education-common_0.847_i386.deb
  to main/d/debian-edu/education-common_0.847_i386.deb
education-desktop-gnome_0.847_i386.deb
  to main/d/debian-edu/education-desktop-gnome_0.847_i386.deb
education-desktop-kde_0.847_i386.deb
  to main/d/debian-edu/education-desktop-kde_0.847_i386.deb
education-desktop-lxde_0.847_i386.deb
  to main/d/debian-edu/education-desktop-lxde_0.847_i386.deb
education-desktop-other_0.847_i386.deb
  to main/d/debian-edu/education-desktop-other_0.847_i386.deb
education-desktop-sugar_0.847_i386.deb
  to main/d/debian-edu/education-desktop-sugar_0.847_i386.deb
education-development_0.847_i386.deb
  to main/d/debian-edu/education-development_0.847_i386.deb
education-electronics_0.847_i386.deb
  to main/d/debian-edu/education-electronics_0.847_i386.deb
education-geography_0.847_i386.deb
  to main/d/debian-edu/education-geography_0.847_i386.deb
education-graphics_0.847_i386.deb
  to main/d/debian-edu/education-graphics_0.847_i386.deb
education-language_0.847_i386.deb
  to main/d/debian-edu/education-language_0.847_i386.deb
education-laptop_0.847_i386.deb
  to main/d/debian-edu/education-laptop_0.847_i386.deb
education-logic-games_0.847_i386.deb
  to main/d/debian-edu/education-logic-games_0.847_i386.deb
education-main-server_0.847_i386.deb
  to main/d/debian-edu/education-main-server_0.847_i386.deb
education-mathematics_0.847_i386.deb
  to main/d/debian-edu/education-mathematics_0.847_i386.deb
education-menus_0.847_i386.deb
  to main/d/debian-edu/education-menus_0.847_i386.deb
education-misc_0.847_i386.deb
  to main/d/debian-edu/education-misc_0.847_i386.deb
education-music_0.847_i386.deb
  to main/d/debian-edu/education-music_0.847_i386.deb
education-networked_0.847_i386.deb
  to main/d/debian-edu/education-networked_0.847_i386.deb
education-physics_0.847_i386.deb
  to main/d/debian-edu/education-physics_0.847_i386.deb
education-services_0.847_i386.deb
  to main/d/debian-edu/education-services_0.847_i386.deb
education-standalone_0.847_i386.deb
  to main/d/debian-edu/education-standalone_0.847_i386.deb
education-tasks_0.847_i386.deb
  to main/d/debian-edu/education-tasks_0.847_i386.deb
education-thin-client-server_0.847_i386.deb
  to main/d/debian-edu/education-thin-client-server_0.847_i386.deb
education-thin-client_0.847_i386.deb
  to main/d/debian-edu/education-thin-client_0.847_i386.deb
education-workstation_0.847_i386.deb
  to main/d/debian-edu/education-workstation_0.847_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 570...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen p...@debian.org (supplier of updated debian-edu package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by
Re: Forcing new users to change their password on first login?
On 05/02/2010 01:43 PM, Petter Reinholdtsen wrote:
> One interesting feature in Active Directory, is the ability to create a new user with an expired password, and thus force the user to change the password on the first login attempt. I'm not quite sure how to do that with the LDAP setup in Debian Edu, but did some initial testing with a local account. The account and password aging information is available in /etc/shadow, but unfortunately, it is not possible to specify an expiration time for passwords, only a maximum age for passwords.

Using kdm/ssh works nicely if you only use ssh/kdm to log in. But if you also use samba, either with windows/mac machines, or linux machines that use smbfs/cifs (laptops and others), you will get a problem, because kdm/ssh (or more exactly /etc/pam.d/passwd) only changes the unix password, and not the samba password.

And having the users have a 7-day period for changing the password could be a bad idea, since many schools don't use the computers that often. So the local admin would get a higher workload. The students would experience that their account is locked, and will have to get a new one either from the teacher or the local admin, and it would cause the students to use the system more seldom.

Archive: http://lists.debian.org/4be25735.3010...@bzz.no