Re: making listed maintainers match reality

2016-08-06 Thread Andreas B. Mundt
Hi Holger,

On Sat, Aug 06, 2016 at 11:03:45AM +, Holger Levsen wrote:
>
> I believe it's useful to have the maintainers/uploaders field of our
> packages match reality, that is, to only list people who are active
> on Debian Edu or plan to become active again.
>
> So I'm wondering, Andreas, Alexander and Andrew: do you still want to be
> listed as Debian Edu maintainers? ;-)

Indeed, maybe some time I'll become more active again, but not in the
near future.  So please remove me from the maintainers/uploaders
field at the next occasion.

Thanks and best regards,

   Andi



Re: UCS School (Link to German page)

2016-06-23 Thread Andreas B. Mundt
Hi,

On Thu, Jun 23, 2016 at 08:26:12AM +0200, Andreas Tille wrote:

> I've just read this article about UCS@school
>
> http://www.pro-linux.de/news/1/23680/ucsschool-41-r2-freigegeben.html
>
> Is there any relation to Debian Edu work and if not why not or should we
> cooperate to some extent?
>

AFAICT this is just the standard Univention domain controller with some
school administration stuff added.  GNU/Linux clients (as, for example,
the Univention Corporate Client UCC) are only partially supported [1]
by this solution and not first-class citizens.  The focus is clearly on
the UCS server with Windows clients, not on supporting Free Software
as the client OS.

Regards,

 Andi



[1] from 
  " The following restrictions apply to the integration of UCC into
  UCS@school:

Integrating UCC desktop systems into UCS@school requires Samba 4 on
the UCS@school school server.
The UCC systems must be installed with the official desktop image (or
an equivalent, self-built image).  UCC thin-client systems and UCC
terminal servers are not supported in combination with UCS@school.
The presentation mode implemented via iTALC and the supervision of
systems via the UMC module 'Computer room' are currently not
supported for UCC systems.
The printer shares integrated via CUPS do not support all
combinations of access permissions.  Sharing all printers via the
'Computer room' module therefore has no effect on UCC systems.
The exam mode (Klassenarbeitsmodus) of UCS@school is not supported
on UCC systems."



Re: Again netgroup problems

2015-07-05 Thread Andreas B. Mundt
Hi,

On Sun, Jul 05, 2015 at 11:40:36AM +0200, Giorgio Pioda wrote:

> I can confirm a boot race condition (IIRC somebody talked six months ago about
> autofs/systemd issues in this mailing list)
>
> Restarting manually the services in the (more or less correct) order on
> tjener:
>
> 1) nscd  nslcd
> 2) nfs-common nfs-kernel
> 3) autofs
>
> Fixes WS login
>
> I guess some careful upstream check is really needed

Perhaps URL:https://bugs.debian.org/759544?

It's probably still an issue in stable.

Regards,

Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150705102800.GA3314@flashgordon



Re: Bug#771106: unblock: krb5/1.12.1+dfsg-15

2014-12-01 Thread Andreas B. Mundt
Hi Holger!

On Thu, Nov 27, 2014 at 08:05:54PM +0100, Holger Levsen wrote:

> (are you still subscribed to the list?)

Sure! (Although sometimes a bit flooded by mails ...)

> On Donnerstag, 27. November 2014, Andreas B. Mundt wrote:
>> The issue at hand is discussed in #758992 and #769710.  With the
>> unblock, both bugs should be fixed in jessie and things should work
>> fine.
>
> ok, cool.
>
>> However, #732263 could make it necessary to create certificates for
>> dovecot in debian-edu/-lan by scripts soon ...
>
> ok, hopefully we'll notice or remember!

I hope debian-edu and -lan are allowed to sneak in some necessary last
minute fixes ... cf. #771586

Best regards,

 Andi  -- currently sucked down a bit by the cold and misty 
November/December days


-- 
Archive: https://lists.debian.org/20141201201608.GA17315@flashgordon



Re: Bug#771106: unblock: krb5/1.12.1+dfsg-15

2014-11-27 Thread Andreas B. Mundt
Hi,

On Wed, Nov 26, 2014 at 09:21:22PM +0100, Holger Levsen wrote:

> On Mittwoch, 26. November 2014, Benjamin Kaduk wrote:
>> Please unblock package krb5
>>
>> systemd does not respect insserv overrides (see #759001) and does
>> not plan to do so, since they appear to be used by only two packages
>> in the archive, one of which is debian-edu-config.
>
> is this something we should fix? we use systemd by default now


The issue at hand is discussed in #758992 and #769710.  With the
unblock, both bugs should be fixed in jessie and things should work
fine.

However, #732263 could make it necessary to create certificates for
dovecot in debian-edu/-lan by scripts soon ...

Best regards,

 Andi


-- 
Archive: https://lists.debian.org/20141127093645.GA2487@flashgordon



Re: Fixing the Jessie Main Server?

2014-08-26 Thread Andreas B. Mundt
Hi,

On Tue, Aug 26, 2014 at 06:40:30AM +0200, Petter Reinholdtsen wrote:

> Btw, regarding our Kerberos error on the main server, Andreas B. Mundt
> just mentioned on IRC that URL: https://bugs.debian.org/758992 would
> probably hit us too.  It affects Kerberos with LDAP backend when using
> systemd.
>
> He also mentioned that our cups test might always fail because cups is
> socket activated with systemd, thus not running unless something tries
> to use it. :)

I guess it is not because of the socket activation, but the port has
to be made accessible in '/etc/cups/cupsd-systemd-listen.conf'.
Cf. 
http://anonscm.debian.org/cgit/printing/cups.git/tree/debian/cups-daemon.preinst

Best regards,

 Andi


-- 
Archive: https://lists.debian.org/20140826161849.GB14310@flashgordon



Re: TI-calculator packages team maintained in debian-edu or debian-science on alioth?

2013-06-15 Thread Andreas B. Mundt
Hi Holger et al.,

[cc debian-science, related post:
URL:https://lists.debian.org/debian-edu/2013/06/msg00177.html]

On Fri, Jun 14, 2013 at 11:54:05PM +0200, Holger Levsen wrote:

> On Freitag, 14. Juni 2013, Andreas B. Mundt wrote:
>>   libticables-1.3.4
>>   libtifiles-1.1.6
>>   libticonv-1.1.4
>>   libticalcs-1.1.8
>>   gfm-1.07
>>   tilp2-1.17
>>   ... perhaps some more ...
>
> those are all source packages? If so, I would prefer to have them added to a
> subdirectory in the debian-edu git directory on alioth.


I had a look at the debian-science alioth repository, they use a
subdirectory 'packages' for packaging [1].  So I suggest to follow
that convention and put the source packages in debian-edu/packages/
like:

debian-edu/packages/libticables
debian-edu/packages/libtifiles
debian-edu/packages/libticonv
debian-edu/packages/libticalcs
debian-edu/packages/gfm
debian-edu/packages/tilp2

When taking a look at debian-science, I realized that the packages would
also fit there (Data Acquisition/Hardware).  Which team is the better
fit?  Any opinions on that topic?

Best regards,

 Andi


[1] http://anonscm.debian.org/gitweb/?a=project_list;pf=debian-science/packages


-- 
Archive: http://lists.debian.org/20130615081223.GA23748@fuzi



TI-calculator packages team maintained in debian-edu on alioth?

2013-06-14 Thread Andreas B. Mundt
Hi all,

I would like to ask if everybody is fine with adding a few more
packages to the debian-edu alioth git repository.  The packages are
useful for Texas Instruments calculators, and the -edu fits nicely I
guess:

 libticables-1.3.4
 libtifiles-1.1.6
 libticonv-1.1.4
 libticalcs-1.1.8
 gfm-1.07
 tilp2-1.17
 ... perhaps some more ...

We want to use the software in our school soon, so I started to take a
look at them and contacted the previous maintainer (Albert Huang),
cf. URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678059#25.
Albert already appreciated the idea of team maintenance in a private
mail.

If nobody sees a problem with adding them, I would start adding each
package to
URL:http://anonscm.debian.org/gitweb/?a=project_list;pf=debian-edu.

Hints and recommendations how to do that best are appreciated.  What
is needed to give Albert commit access to the repository?

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130614193623.GA2792@fuzi



Re: eduroaming pam_sss issues

2013-05-26 Thread Andreas B. Mundt
Hi Giorgio,

On Sun, May 26, 2013 at 09:43:17AM +0200, Giorgio Pioda wrote:
> On Sat, May 25, 2013 at 05:37:20PM +0200, Petter Reinholdtsen wrote:
>>
>>> pam_acct_mgmt: Authentication failure
>>>
>>> But actually sssd works, krb5 tickets are OK and right before this message
>>> pam_sss claims a successful authentication.
>>>
>>> Any clues?
>

The only problem I had was when /etc/nsswitch.conf was missing the
'sss'.  In addition you might want to check with 'pam-auth-update'
what authentication mechanisms you would like to allow.  I have only
'Unix' and 'SSS' installed and therefore available, and this seems to
work fine.

[...]


> Sssd seems to work properly. Ubuntu's pam_mklocaluser is still not working
> correctly, (even in Ubuntu 13.04, even using the fixed Wheezy package) and
> homedirs are not created automatically.


Note that pam_mklocaluser is not necessarily needed.  If you have home
directories available for off-line use (which can be created pretty
easily during login [1]), there is no need to 'recreate' the users
locally.

Best regards,

 Andi

[1] Add 'session required  pam_mkhomedir.so skel=/etc/skel umask=0027'
to /etc/pam.d/common-session
However, this only creates the directories when no NFS home directories are
available.  To create the directories on any login, I use
libpam-script
(Cf. 
http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/scripts/ROAMING/10-home_nfs4_krb5;h=9b6b6d3749483b6ff9bfd207f21f5a8698019d46;hb=0600527f83621ba2a09fd3346ea23f2fe5884f77)


-- 
Archive: http://lists.debian.org/20130526082341.GA19033@fuzi



Re: eduroaming pam_sss issues

2013-05-26 Thread Andreas B. Mundt
Hi Petter,

On Sun, May 26, 2013 at 11:41:48AM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>> [1] Add 'session required  pam_mkhomedir.so skel=/etc/skel umask=0027'
>> to /etc/pam.d/common-session
>> However, this only creates the directories when no NFS home directories are
>> available.  To create the directories on any login, I use
>> libpam-script
>> (Cf.
>> http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/scripts/ROAMING/10-home_nfs4_krb5;h=9b6b6d3749483b6ff9bfd207f21f5a8698019d46;hb=0600527f83621ba2a09fd3346ea23f2fe5884f77)
>
> Why do you recreate the functionality of libpam-mkhome using a
> libpam-script script?


If a user logs in the first time, he has to be in the debian-lan
network.  In that case the debian-lan home directory is mounted, and
therefore libpam-mkhome does not create anything.  The user has no
local directory to drop data to work on later when being away from the
debian-lan network.

If later the user logs in away from the debian-lan network, his local
home directory will be created by libpam-mkhome.  He has to go back to
the network now, to fetch his data for off-line use.

By adding:

   cp -pR /etc/skel $HOMEDIR
   chmod 750 $HOMEDIR
   chown -R $PAM_USER:$PAM_USER $HOMEDIR

to the script executed by libpam-script (which is needed for kerberos
keys anyway if you use kerberized NFS and no machine key), there is no
need for the repeated logins.  Instead of logging in three times:

 first:  on-line to make credentials available
 second: off-line to create the home directory
 third:  on-line to fetch data to work on off-line

it is sufficient to log in on-line, your local home directory will
already be available, you drop the data needed for off-line work there
and it will be available for off-line use.

So far this seems to work pretty well.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130526101313.GA3942@fuzi
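The first-login home creation that the footnote in the previous message and the `cp -pR` / `chmod 750` / `chown -R` lines above describe, as an added example that is not the debian-lan ROAMING script. It is a libpam-script session hook written in Python; it assumes that libpam-script exports PAM_USER, that local homes live below /var/local/home (LOCAL_HOME_ROOT, an assumption, as is /etc/skel as the template) and that the interpreter is available at login. Beyond the post's three lines it validates PAM_USER before it becomes part of a path, creates the directory with its final mode before skel is copied in, and refuses to touch a directory that already exists, so a later login cannot overwrite off-line data:

```python
#!/usr/bin/env python3
"""libpam-script session hook: create a local home on the first (on-line)
login.  Added example, not the debian-lan script.  Runs as root with
PAM_USER in the environment.  LOCAL_HOME_ROOT and /etc/skel are assumptions."""
import os
import pwd
import re
import shutil
import sys
import tempfile

LOCAL_HOME_ROOT = os.environ.get("LOCAL_HOME_ROOT", "/var/local/home")  # assumption
SKEL_DIR = os.environ.get("SKEL_DIR", "/etc/skel")

# Debian-style user names: no '/', no leading '-' or '.', so no path tricks.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$")


def local_home_path(user, root):
    """Map a PAM user name to its local home, refusing anything that could
    escape `root`.  PAM_USER is what was typed at the login prompt."""
    if not USERNAME_RE.match(user):
        raise ValueError("refusing suspicious user name %r" % user)
    return os.path.join(root, user)


def make_local_home(user, uid, gid, root=LOCAL_HOME_ROOT, skel=SKEL_DIR):
    """Create root/user from `skel`, mode 0750, owned by uid:gid.
    Returns False (and touches nothing) if it already exists: a later login
    must never overwrite the user's off-line data.  True when created."""
    home = local_home_path(user, root)
    if os.path.lexists(home):
        return False
    saved_umask = os.umask(0o027)
    try:
        # Born with the restrictive mode: no window in which others can
        # read the files copied in below.
        os.makedirs(home, mode=0o750)
        if os.path.isdir(skel):
            # symlinks=True copies links as links instead of following them.
            shutil.copytree(skel, home, symlinks=True, dirs_exist_ok=True)
    finally:
        os.umask(saved_umask)
    os.chmod(home, 0o750)  # copytree copied skel's own mode onto `home`
    # Ownership last, over the tree we just wrote; lchown never follows a
    # symlink, so a link inside skel cannot redirect the chown elsewhere.
    os.lchown(home, uid, gid)
    for dirpath, dirnames, filenames in os.walk(home):
        for name in dirnames + filenames:
            os.lchown(os.path.join(dirpath, name), uid, gid)
    return True


def demo():
    """Dry run with a constructed skel in a temporary directory, owned by
    the calling user: reports what two consecutive logins do."""
    with tempfile.TemporaryDirectory() as tmp:
        skel = os.path.join(tmp, "skel")
        os.makedirs(os.path.join(skel, ".config"))
        with open(os.path.join(skel, ".bashrc"), "w") as fh:
            fh.write("# constructed skel file\n")
        root = os.path.join(tmp, "home")
        os.makedirs(root)
        uid, gid = os.getuid(), os.getgid()
        first = make_local_home("alice", uid, gid, root, skel)
        second = make_local_home("alice", uid, gid, root, skel)
        try:
            make_local_home("../etc", uid, gid, root, skel)
            rejected = False
        except ValueError:
            rejected = True
        home = os.path.join(root, "alice")
        return {
            "created_first": first,
            "created_second": second,
            "mode": oct(os.stat(home).st_mode & 0o777),
            "has_bashrc": os.path.isfile(os.path.join(home, ".bashrc")),
            "traversal_rejected": rejected,
        }


def main():
    user = os.environ.get("PAM_USER")
    if not user:
        return 0  # not called by PAM: nothing to do
    try:
        entry = pwd.getpwnam(user)
        make_local_home(user, entry.pw_uid, entry.pw_gid)
    except (KeyError, ValueError, OSError) as exc:
        print("local-home hook: %s" % exc, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Hook it into the session stack through pam_script.so the way the ROAMING class does; demo() exercises the same code path against a constructed skel in a temporary directory, so the behaviour (created once, mode 0750, traversal refused) can be checked without root.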



Re: eduroaming pam_sss issues

2013-05-26 Thread Andreas B. Mundt
Hi Giorgio,

On Sun, May 26, 2013 at 11:28:43AM +0200, Giorgio Pioda wrote:
> On Sun, May 26, 2013 at 10:23:41AM +0200, Andreas B. Mundt wrote:
>> Hi Giorgio,
>>
>> On Sun, May 26, 2013 at 09:43:17AM +0200, Giorgio Pioda wrote:
>>> On Sat, May 25, 2013 at 05:37:20PM +0200, Petter Reinholdtsen wrote:
>>>>
>>>>> pam_acct_mgmt: Authentication failure
>>>>>
>>>>> But actually sssd works, krb5 tickets are OK and right before this
>>>>> message pam_sss claims a successful authentication.
>>>>>
>>>>> Any clues?

[...]

> Thanks. Disabling mklocalusers (and all the rest) and keeping only Unix and
> SSS fixes the login. But then the problem lies in the fact that the sss
> users expect a homedir in /skole/tjener/..  and not in /home/..

I solve this by making /home/ available under /skole/tjener/.. by bind
mounting it there, i.e. add: /home  $HOMEDIRS  none  bind  0  0 to
/etc/fstab.

So the user always has the same home directory path.  If online, the
idea is to use unison or something else to sync the NFS home
directory with the local one (at /home).

Best regards,

 Andi



-- 
Archive: http://lists.debian.org/20130526102509.GB3942@fuzi



Network performance ToDo/ToTest (was: Roaming workstations in Debian-LAN available)

2013-05-23 Thread Andreas B. Mundt
Hi Julien,

I hope you enjoyed holidays!

On Thu, May 23, 2013 at 10:29:41AM +0200, Julien Lambot wrote:

> Many thanks for that feature ! Great you could implement it.
>
> Back on testing after some holidays :)

How is your network performance going?  I found two issues that might
be interesting to have a look at, discussed here:

NFSv4 mount options:
   URL:https://lists.debian.org/debian-edu/2013/05/msg00224.html
   I switched to not providing any {r,w}size now, we have to test if
   this makes any difference.  You could modify/delete the options in
   LDAP with:
  ldapvi -ZZ -D cn=admin,dc=intern -w `cat /root/installation/LDAPadminPW`
   on the mainserver.

Iceweasel caching:
   URL:https://lists.debian.org/debian-edu/2013/05/msg00156.html
   I switched off caching (some?) stuff in:
   
URL:http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000384.html
   in addition, I found:
   URL:http://packages.debian.org/wheezy/unburden-home-dir which
   sounds interesting.  If it works fine and improves the setup we'll
   add and configure it on the machines.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130523100115.GA29850@fuzi



Re: Reduce the server load by asking firefox to not cache on disk

2013-05-22 Thread Andreas B. Mundt
Hi all,

I just accidentally came along a package which seems to be interesting
in the current context:

   http://packages.debian.org/wheezy/unburden-home-dir

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130522102408.GA4886@fuzi



Roaming workstations in Debian-LAN available

2013-05-22 Thread Andreas B. Mundt
(cc debian-edu, as they are working on the same issue ...)

Hi all,

with the latest commit, roaming workstations are available in
Debian-LAN!


URL:http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=commitdiff;h=9aef028d091e30f2a560315e89c604e7a07c2ffc

The ROAMING class allows to log into machines without connection to
the Debian-LAN network.  The class can be added to any standard
workstation.

A user first needs to log into the roaming machine while it is in the
Debian-LAN network.  After that, the machine may be taken off-line;
the user can still log in and a local home directory is created.

Back in the Debian-LAN network and in the NFS-home directory, the user
will find his off-line data in '/home/username/'.

After some testing, I have already some improvement in mind: Copy the
Debian-LAN home directory to the machine locally on the first login.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130522202237.GA5420@fuzi



nfs4 mount options rsize wsize

2013-05-20 Thread Andreas B. Mundt
Hi,

I am wondering what the 'best' options mounting the home directories
via NFSv4 are.

IIRC, by default debian-edu uses rsize=32768,wsize=32768, which has
been adopted by debian-lan too.

Running a test without defining rsize,wsize on 3 different setups, I
got the following (remove rsize,wsize in LDAP and check with 'mount'
after mounting the directory):

virtual machine setup:   rsize=wsize=131072
real hardware 1  :   rsize=wsize=262144
real hardware 2  :   rsize=wsize=524288

All values are considerably larger than the values defined manually.
It would be nice to understand the reasons why such a small value has
been chosen in debian-edu.

Best regards

 Andi


-- 
Archive: http://lists.debian.org/20130520062359.GA20714@fuzi



Re: nfs4 mount options rsize wsize

2013-05-20 Thread Andreas B. Mundt
Hi Klaus,

many thanks for sharing your experience!

On Mon, May 20, 2013 at 12:28:24PM +0200, Klaus Knopper wrote:

> We have been running NFS over WLAN, and experienced problems that turned
> out to be related to bufferbloat
> (http://en.wikipedia.org/wiki/Bufferbloat) in combination with low
> bandwidth.

[...]

> The solution after many tests was at first somewhat surprising: We
> reduced rsize and wsize to a very small value (4096), and set mount
> options to sync, which is known to be very slow on local file systems,
> but resulted in a big performance boost when used on NFS. After the
> changes, bandwidth was equally shared amongst all clients with no more
> timeouts and sudden logouts.
>
> While a single workstation surely has a somewhat lower data throughput,
> the entire class of 20+ Desktops connected as NFS clients was
> operational again.
>
> From this experience, we created a HOWTO which you can still find at
> https://rp.skolelinux.de/rlp-wiki/bin/view/RlpSkolelinuxPublic/NetworkPerformanceTuning
> (I sent this link before in a different context).
>
> Also, we used a local NFS cache (mount option fsc) which is only
> possible with new kernels and xattr file system support. This option
> lowers network bandwidth peaks somewhat when reading parts of files that
> were just written from a client. But the sync option and smaller rsize
> and wsize were actually the client options that gained the biggest
> performance boost.

Did all this happen with NFSv4 or was this still NFSv3?  My impression
is that with NFSv4, quite some stuff has been changed and improved, for
example 'sync' is the default and recommended option.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130520121815.GA12025@fuzi



Re: [debian-lan-devel] samba support

2013-04-25 Thread Andreas B. Mundt
[cc ... let's ask on the debian-edu list if they know more ... ]

Hi all,

we would like to implement something like 'roaming workstations' in
debian-lan.  Can someone give us some hints on how to do that best?
Is there any experience available with roaming workstations, do they
work successfully, or are there known problems?

On Thu, Apr 25, 2013 at 12:40:57AM +0200, Julien Lambot wrote:
>> - pam-synccr
>
> I meant libpam-ccreds, of course.
>
> I checked
> http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
> and sssd seems promising but I could not get libpam-mklocaluser to work
> and create the local home.
>
> So I will further test that whole stuff but isn't there anything already
> set up in skolelinux you heard of?

The information I know about is:


http://anonscm.debian.org/viewvc/debian-edu/trunk/src/eduroaming/debian/control?view=markup

http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu/tasks/roaming-workstation

and perhaps some modifications done by cfengine:

http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu-config/cf/

Any help and pointers or comments are appreciated!

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130425064657.GB31493@fuzi



Re: 'krbPrincipalKey' and 'sambaMungedDial'

2013-03-25 Thread Andreas B. Mundt
Hi all,

On Mon, Mar 25, 2013 at 09:56:27PM +0100, Petter Reinholdtsen wrote:

> [Martin Schulte]
>> thank you for your answer.
>> I found a way to get the passwords in cleartext from lenny ldap, thanks
>> to Windows, the most secure OS ever :-) and its LM hash. You can crack this
>> LM hash using ophcrack (http://en.wikipedia.org/wiki/Ophcrack ), which
>> uses rainbow tables.
>
> Interesting and scary.  Even in Debian Edu Squeeze, the user passwords
> are stored in three places in the user LDAP object.  Once for Kerberos,
> once for Samba and once for GOsa.  We should really try to get rid of
> the last two.


For the record, an attempt to unify GOsa and Kerberos:
URL:http://bugs.debian.org/698544

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130325224254.GB14338@fuzi



Re: 'krbPrincipalKey' and 'sambaMungedDial'

2013-03-22 Thread Andreas B. Mundt
Hi Martin,

On Fri, Mar 22, 2013 at 06:33:11PM +0100, Martin Schulte wrote:

> while trying to upgrade to squeeze and restore old passwords, I had
> a look at the LDAP in squeeze. I found the two attributes
> 'krbPrincipalKey' and 'sambaMungedDial'. Can someone tell me what
> is the use of these two attributes and how they are generated? Is
> there a relation between the userPassword and these two attributes?
>
> Actually I try to replace the value of the attributes
> 'userPassword', 'sambaLMPassword', 'sambaNTPassword' from the
> squeeze ldap with the values from the lenny ldap.


The authentication method has changed completely in squeeze.  Instead
of storing a hashed password in LDAP as has been the case in Lenny,
Squeeze uses Kerberos keys.  These are also some kind of a user's
password, but can also be used to encrypt any connection over the
network.  There is no way to convert the password hash from Lenny to a
Kerberos principal key, so you have to create these from clear text
passwords.  I am not familiar with the samba stuff however.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130322180127.GA10478@fuzi
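An inventory of where each user entry stores password material, as an added example that is not Debian Edu or debian-lan code, following up on both messages of this thread (the three copies of a password in one LDAP object, and the LM hash that ophcrack breaks). The LDIF is constructed and the hash values are placeholders; only the attribute names are the ones the thread mentions. The LM-specific checks rely on one well-known property of that hash: a half computed from an empty (zero-padded) 7-byte block is always AAD3B435B51404EE, so a second half equal to that constant reveals a password of at most 7 characters:

```python
"""Where does this LDAP user keep its password?  Added example, not Debian
Edu code.  Reads LDIF and reports the stores (Kerberos key, Samba LM/NT
hashes, userPassword for GOsa/simple bind) plus LM-hash weaknesses."""
import base64
import re

# Constructed sample; hashes are placeholders, not real credentials.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=intern
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: krbPrincipalAux
uid: alice
userPassword: {SSHA}cGxhY2Vob2xkZXI=
sambaLMPassword: 0123456789ABCDEFAAD3B435B51404EE
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
krbPrincipalKey:: Y29uc3RydWN0ZWQga2V5IGJsb2I=

dn: uid=bob,ou=people,dc=intern
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: bob
krbPrincipalKey:: Y29uc3RydWN0ZWQga2V5IGJsb2I=
"""

# Credential-bearing attributes, grouped by the service that consumes them.
STORES = {
    "Kerberos": ("krbPrincipalKey",),
    "Samba": ("sambaLMPassword", "sambaNTPassword"),
    "GOsa/simple bind": ("userPassword",),
}
EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM half for an all-zero 7-byte block


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]}.  Handles
    'attr:: base64' values and leading-space continuation lines."""
    entries, current = [], []

    def flush():
        if current:
            entries.append(_entry(current))
            del current[:]

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    flush()
    return entries


def _entry(lines):
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())  # binary value
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def audit_entry(entry):
    """Findings for one entry; an empty list means nothing to report."""
    findings = []
    present = [name for name, attrs in STORES.items() if any(a in entry for a in attrs)]
    if len(present) > 1:
        findings.append("password material stored in %d places: %s"
                        % (len(present), ", ".join(present)))
    for lm in entry.get("sambaLMPassword", []):
        lm = lm.upper()
        if lm == EMPTY_LM_HALF * 2:
            continue  # LM disabled or empty password: nothing to crack
        findings.append("LM hash present: unsalted, case-folded DES, rainbow-table crackable")
        if lm.endswith(EMPTY_LM_HALF):
            findings.append("LM hash second half is the empty-block constant: "
                            "password has at most 7 characters")
    for pw in entry.get("userPassword", []):
        m = re.match(r"\{(\w+)\}", pw)
        if m is None:
            findings.append("userPassword is stored in cleartext")
        elif m.group(1).upper() in ("MD5", "SHA"):
            findings.append("userPassword uses unsalted {%s}" % m.group(1).upper())
    return findings


def audit_ldif(text):
    """Map dn -> findings for every entry in `text`."""
    return {e.get("dn", ["?"])[0]: audit_entry(e) for e in parse_ldif(text)}
```

Run it over an export such as `slapcat -b ou=people,... ` (path and base are site-specific); the krbPrincipalKey blob is decoded only to show that it is opaque binary managed by kadmin, whereas the two Samba hashes and the userPassword hash are independent, separately attackable copies of the same secret.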



Re: allow_weak_crypto = true not needed for wheezy

2013-02-03 Thread Andreas B. Mundt

Hi,

On Sun, Feb 03, 2013 at 06:24:52PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>
>> FYI, it looks as if allow_weak_crypto = true [1] is not needed
>> anymore for wheezy.  This is at least the case for debian-lan.
>
> What was it needed for in the first place?

Mounting NFSv4 IIRC. Cf. http://bugs.debian.org/657802
I remember debian-edu needed:

  permitted_enctypes = ...

too, because of pam_sss, which I never used.
(http://bugs.debian.org/657802#24)


> Do you have the commit rights needed to update the source with this
> change?

I would prefer if someone currently running and testing the code would
commit it, to make sure it really works in the end also on debian-edu.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130203175038.GA18251@fuzi



allow_weak_crypto = true not needed for wheezy

2013-02-02 Thread Andreas B. Mundt
Hi,

FYI, it looks as if allow_weak_crypto = true [1] is not needed
anymore for wheezy.  This is at least the case for debian-lan.

Best regards,

 Andi


[1] c.f. debian-edu-config/share/debian-edu-config/tools/kerberos-kdc-init


-- 
Archive: http://lists.debian.org/20130202084835.GA3813@fuzi
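A check for the settings this thread is about, as an added example that is not part of debian-edu-config's kerberos-kdc-init: it parses the [libdefaults] section of a krb5.conf and reports `allow_weak_crypto = true` as well as single-DES (and, separately, deprecated) enctypes in `permitted_enctypes`, `default_tkt_enctypes` and `default_tgs_enctypes`, the lists that override the library defaults. Both configurations embedded below are constructed for the example; the weak and deprecated enctype names are MIT krb5's:

```python
"""Audit [libdefaults] of a krb5.conf for weak crypto.  Added example, not
debian-edu-config code.  allow_weak_crypto is MIT's switch for the
single-DES (and export RC4) enctypes; without it they are never used."""
import re

# MIT krb5's "weak" set: usable only with allow_weak_crypto = true.
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp",
}
# Accepted without the flag, but deprecated in current MIT releases.
DEPRECATED_ENCTYPES = {"des3", "des3-cbc-sha1", "rc4", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}  # spellings the profile parser accepts

# Constructed: the kind of libdefaults the thread says was needed for wheezy's predecessors.
SAMPLE_WEAK = """\
[libdefaults]
    default_realm = INTERN
    allow_weak_crypto = true
    permitted_enctypes = des-cbc-crc des-cbc-md5 aes256-cts-hmac-sha1-96
    default_tkt_enctypes = des-cbc-md5 aes256-cts-hmac-sha1-96

[realms]
    INTERN = {
        kdc = kerberos.intern
        admin_server = kerberos.intern
    }
"""

# Constructed: the same file with the weak settings dropped.
SAMPLE_FIXED = """\
[libdefaults]
    default_realm = INTERN
    # no allow_weak_crypto, no enctype lists: the library defaults apply

[realms]
    INTERN = {
        kdc = kerberos.intern
    }
"""


def parse_libdefaults(text):
    """Key/value pairs of [libdefaults]; other sections are ignored."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def enctype_list(value):
    """krb5 accepts spaces and commas as separators in enctype lists."""
    return {t.lower() for t in re.split(r"[\s,]+", value) if t}


def audit_krb5_conf(text):
    """Findings; empty list when nothing weak or deprecated is configured."""
    findings = []
    conf = parse_libdefaults(text)
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled: single-DES enctypes will be negotiated")
    for key in ENCTYPE_KEYS:
        if key not in conf:
            continue
        types = enctype_list(conf[key])
        weak = sorted(types & WEAK_ENCTYPES)
        if weak:
            findings.append("%s lists weak enctypes: %s" % (key, ", ".join(weak)))
        deprecated = sorted(types & DEPRECATED_ENCTYPES)
        if deprecated:
            findings.append("%s lists deprecated enctypes: %s" % (key, ", ".join(deprecated)))
    return findings
```

Feed it the real /etc/krb5.conf on a client and on tjener; after the flag is removed, `klist -e` on a client and `kadmin.local -q "getprinc nfs/host"` on the KDC show which enctypes are actually in tickets and keytabs, which is the check that the removal did not break the NFSv4 mount the thread mentions.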



Re: Wheezy Gosa² setup

2013-01-21 Thread Andreas B. Mundt
Hi,

On Sun, Jan 20, 2013 at 05:25:16PM +0100, Wolfgang Schweer wrote:
 On Sun, Jan 20, 2013 at 01:38:22PM +0100, Andreas B. Mundt wrote:
  I had to modify the variable name to be send to gosa-sync:
 
  - postmodify=USERPASSWORD=%userPassword /usr/bin/sudo
 /usr/local/sbin/gosa-sync %dn
  + postmodify=USERPASSWORD=%new_password /usr/bin/sudo
 /usr/local/sbin/gosa-sync %dn

 Seems to be that this change is required in the administration section
 too.

Strange, it seems to work here with just one occurrence.  Perhaps because
I use fewer features.

In addition, I had to rewrite gosa-sync.  Take a look at:

URL: 
http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/files/usr/local/sbin/gosa-sync/GOSA

If kadmin.local gives an error, the error message is shown in GOsa and
the password change reverted.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130121221737.GA7713@fuzi



Re: Wheezy Gosa² setup

2013-01-21 Thread Andreas B. Mundt
Hi,

On Tue, Jan 22, 2013 at 05:43:59AM +0100, Mike Gabriel wrote:
> Hi Andi, hi Wolfgang,
>
> On Di 22 Jan 2013 00:38:32 CET Wolfgang Schweer wrote:
>
>>> In addition, I had to rewrite gosa-sync.
>>
>> gosa-sync seems to work here without any change.
>
> In Debian Edu squeeze and GOsa² 2.6 the gosa-sync script does not
> report back failures to GOsa², thus, passwords run out of sync. As
> we have several OTRS tickets open about this with our customers,
> this definitely would be an improvement for squeeze, at least. Are
> you really sure that error handling is correct with wheezy and GOsa²
> 2.7 (/me doubts it by what is written in this thread).
>
> Simple way to test gosa-sync failures: e.g. stop kadmind and try to
> modify or add a user with GOsa².


I just tried this test, however, even with kadmind stopped, the
password can be modified as gosa-sync operates via kadmin.local
directly on the database, I guess.

The test I used is changing to a password with just a single class of
characters, for example 12345.  GOsa allows this password, but I use
a Kerberos policy that demands 2 character classes:  This error is
reported in GOsa and the password modification canceled (also within
LDAP).

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130122073509.GA17391@fuzi



Wheezy Gosa² setup

2013-01-20 Thread Andreas B. Mundt
Hi,

concerning Wolfgang's work on the GOsa setup for wheezy, which I
currently do for debian-lan, I found the following, which I would like
to share to avoid double debugging.

I had to modify the variable name to be sent to gosa-sync:


  pathMenu
   plugin
   
acl=users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/php
   plugin acl=users/password:self class=password
- postmodify=USERPASSWORD=%userPassword /usr/bin/sudo
   /usr/local/sbin/gosa-sync %dn
+ postmodify=USERPASSWORD=%new_password /usr/bin/sudo
   /usr/local/sbin/gosa-sync %dn
  /
   /pathMenu
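Review bot: the `USERPASSWORD=%new_password` prefix on the changed postmodify line sets the variable in the environment of /usr/bin/sudo, and sudo's default env_reset strips it before /usr/local/sbin/gosa-sync runs; the hook therefore only works where sudoers passes that variable through (for instance `Defaults env_keep += "USERPASSWORD"` scoped to this command), and that requirement should be recorded next to the change, because an empty USERP ASSWORD fails in the same opaque way as the hash did. Handing the secret over in the environment rather than as an argument is the right choice, since arguments are visible to every local user in `ps`; the `-`/`+` pair itself only swaps the placeholder, and the acl line above it is cut off in this copy, so reviewers should check the full plugin element in gosa.conf.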


If I don't do that, I end up with the hash in the variable making gosa
sync fail.  If you don't need that, it would be rather interesting to
find out why it's needed here.

In addition and for your information, I filed
http://bugs.debian.org/698544 on the use of SASL instead of ssha as
password hash in GOsa.  Using SASL would allow to authenticate login
to gosa with kerberos authentication.  The password hashes would
only be stored in kerberos and additionally providing the hash in LDAP
wouldn't be needed anymore. kpasswd could be used for changes as well
as the GOsa interface.

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20130120123822.GA16810@fuzi
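The policy test from the previous message (a single-class password such as 12345 must be refused) and the USERPASSWORD hand-over from the postmodify line above, as an added example that is not the debian-lan gosa-sync script. It reads the new password from the environment the way the hook passes it, recognises the symptom of the wrong placeholder (a {SSHA} hash instead of the cleartext), and mirrors an MIT krb5 policy with two character classes using MIT's five classes (lower, upper, digit, punctuation, other); the minimum length of 8 is an assumption. kadmin remains the authority; a non-zero status from this pre-check is what GOsa shows and reverts on, before kadmin.local and LDAP are touched:

```python
"""Pre-check a new GOsa password against the Kerberos policy.  Added
example, not the debian-lan gosa-sync script.  Character classes follow
MIT krb5 (lower, upper, digit, punctuation, other); minlength is assumed."""
import string

PUNCTUATION = set(string.punctuation)


def character_classes(password):
    """Number of MIT character classes present in `password`."""
    seen = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            seen.add("lower")
        elif ch in string.ascii_uppercase:
            seen.add("upper")
        elif ch in string.digits:
            seen.add("digit")
        elif ch in PUNCTUATION:
            seen.add("punct")
        else:
            seen.add("other")  # space, control characters, non-ASCII
    return len(seen)


def check_policy(password, minlength=8, minclasses=2):
    """None if the password satisfies the policy, otherwise the reason,
    phrased like kadmin's own messages (length is checked first, as kadmin does)."""
    if len(password) < minlength:
        return "Password is too short"
    if character_classes(password) < minclasses:
        return "Password does not contain enough character classes"
    return None


def gosa_sync_precheck(environ):
    """Entry point for the hook: (exit status, message).  A non-zero status
    is what GOsa displays and what makes it revert the LDAP change."""
    password = environ.get("USERPASSWORD", "")
    if not password:
        return 1, "USERPASSWORD is empty: check the postmodify line and that sudo passes it through"
    if password.startswith("{") and "}" in password:
        # The symptom from the thread: %userPassword yields the hash, not the cleartext.
        return 1, "USERPASSWORD looks like a hash: postmodify must pass %new_password"
    reason = check_policy(password)
    if reason:
        return 1, reason
    return 0, "ok"


if __name__ == "__main__":
    import os
    import sys
    status, message = gosa_sync_precheck(os.environ)
    if status:
        print(message, file=sys.stderr)
    sys.exit(status)
```

Call it at the top of gosa-sync, before kadmin.local: on success the script continues with the real password change, on failure it exits with the message, which is exactly the reporting path Mike asked for in the thread.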



Re: Upgrading Squeeze to Debian-Education?

2012-10-14 Thread Andreas B. Mundt
Hi Bengt,

On Sun, Oct 14, 2012 at 10:38:39AM +1100, Bengt Thuree wrote:
[...]
>
> I really wish I can get this to work, but might have to have a second
> look at Edubuntu :(, but since everything else is Debian, I am not too
> keen on that.
 

Another possibility you might want to take a look at is Debian-LAN:

URL:http://wiki.debian.org/DebianLAN

It shouldn't be a problem to switch to a XEN kernel, there is already 
a RAID_XEN_VIRTUAL class in the FAI example, which should help with 
adding the packages needed for XEN.  After that, build your CD or install 
via PXE as described in the wiki.

Best regards,

Andi 


-- 
Archive: http://lists.debian.org/20121014073251.GA32584@fuzi



Re: Userimport (csv), GOSA, homedirectories - wrong ownership

2012-08-21 Thread Andreas B. Mundt
Hi Sebastian,

> I've added users via csv-import and most user-accounts are fine, but
> some have no access to their own homedirectory. (The owner is someone
> else) Any suggestion how this could happen and/or how to fix it?

This could be worth a try:

 
https://init.linpro.no/pipermail/skolelinux.no/commits/2012-August/119291.html

Log:
In gosa-create script: Invalidate libnss cache before applying chown
on new home directories. Fixes multiple failures during mass user
import into GOsa

Good luck,

 Andi


-- 
Archive: http://lists.debian.org/20120821200220.GA4856@fuzi



Re: Userimport (csv), GOSA, homedirectories - wrong ownership

2012-08-21 Thread Andreas B. Mundt
Hi Mike,

On Tue, Aug 21, 2012 at 10:19:00PM +0200, Mike Gabriel wrote:
> On Di 21 Aug 2012 22:02:20 CEST Andreas B. Mundt wrote:
[...]
>>
>> This could be worth a try:
>>
>> https://init.linpro.no/pipermail/skolelinux.no/commits/2012-August/119291.html
>>
[...]
>
> I have just yesterday committed such a change as you propose:
> http://anonscm.debian.org/viewvc/debian-edu?view=revision&revision=77998


Yes sure, that's where I got it from. :-)

I saw the commit on IRC and dug it up in the archive at linpro.no
(as I do not have the commit mails).  But your link is of course much
better.

Cheers,

Andi


-- 
Archive: http://lists.debian.org/20120821211449.GA30830@fuzi



Re: Debian Local Area Network' (Debian-LAN): no hardcoded IP addresses left

2012-04-10 Thread Andreas B. Mundt
Hi everybody,

I am happy to report that with the last commits there are no specific
hardcoded IP addresses left in the config space [1] and it should be
possible to use debian-lan in a variety of networks.

All network-specific information and used IP addresses are collected
in class/SERVER_A.var [2].

The code generating the DHCP and DNS configuration certainly does not
work for all possible networks and netmasks; however, it should work
for standard cases, perhaps with minor modifications.

Best regards,

 Andi



[1]
debian-lan/fai/config$ rgrep 
'[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' *

class/SERVER_A.var:MAINSERVER_IPADDR=10.0.0.1
class/SERVER_A.var:GATEWAY=10.0.0.1
class/SERVER_A.var:BROADCAST=10.0.255.255
class/SERVER_A.var:SUBNET=10.0.0.0
class/SERVER_A.var:NETMASK=255.255.0.0
class/SERVER_A.var:SUBNETMASK=10.0.0.0/16
class/SERVER_A.var:FAINETMASK=10.0.0.0/24
class/SERVER_A.var:RANGE=10.0.1.10 10.0.1.200
files/etc/hosts/diskless:127.0.0.1  localhost
files/etc/hosts/diskless:127.0.1.1  host.intern host
files/etc/hosts/mainserver:127.0.0.1localhost
files/etc/hosts/mainserver:127.0.1.1mainserver.intern mainserver
files/etc/networks/FAIBASE:default 0.0.0.0
files/etc/networks/FAIBASE:loopback127.0.0.0
files/etc/networks/FAIBASE:link-local  169.254.0.0
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live 
FAI_FLAGS=verbose,createvt FAI_ACTION=sysinfo ip=10.0.1.100:eth0:off 
hostname=demohost
files/etc/fai/grub.cfg/SERVER_A:linux   /boot/vmlinuz boot=live 
FAI_FLAGS=verbose,createvt FAI_ACTION=install ip=192.168.1.1:eth0:off 
hostname=demohost
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live 
FAI_FLAGS=verbose,createvt FAI_ACTION=install ip=192.168.1.1:eth0:off 
hostname=gnomehost
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live 
FAI_FLAGS=verbose,createvt FAI_ACTION=install 
ip=192.168.1.250::192.168.1.254:255.255.255.0::xxx:off hostname=faiserver
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live 
FAI_FLAGS=verbose,createvt FAI_ACTION=sysinfo ip=192.168.1.1:eth0:off 
hostname=demohost
scripts/NTP_SERVER/10-ntp.conf:   ReplaceAll #broadcast 192.168.123.255 With 
broadcast ${BROADCAST}
scripts/NTP_SERVER/10-ntp.conf:   AppendIfNoSuchLine server 127.127.1.0 # 
local clock
scripts/NTP_SERVER/10-ntp.conf:   AppendIfNoSuchLine fudge 127.127.1.0 stratum 
10
scripts/PROXY/10-config:  ReplaceAll #acl localnet src 10.0.0.0/8 
With acl localnet src ${SUBNETMASK}


[2]
debian-lan/fai/config$ cat class/SERVER_A.var
[...]
## Variables that define the network.  If you choose the same IP
## address for mainserver ($MAINSERVER_IPADDR) and gateway ($GATEWAY),
## the mainserver is configured as gateway to the external network.
## You'll need two network cards in that case.
MAINSERVER_IPADDR=10.0.0.1
GATEWAY=10.0.0.1
BROADCAST=10.0.255.255
NAMESERVER_IPADDR=  # leave empty to use mainserver's IP address

SUBNET=10.0.0.0
NETMASK=255.255.0.0
SUBNETMASK=10.0.0.0/16

## NETMASK for FAI config space access:
FAINETMASK=10.0.0.0/24

## DHCP range for unknown clients (cf. dhcpd.conf):
RANGE=10.0.1.10 10.0.1.200

## IP address-endings for workstations and diskless machines (the list
## is generated using 'seq $WS_RANGE' respectively 'seq $DL_RANGE'):
WS_RANGE=50 149
DL_RANGE=150 249
[...]


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120410092909.GA13118@flashgordon
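As an added example for the message above (not code from the debian-lan repository), the following script parses the class/SERVER_A.var excerpt quoted in the mail, checks that the variables describe one consistent network, and renders the ISC dhcpd subnet stanza that follows from them. It shows the kind of check the caveat about "not all possible networks and netmasks" calls for. The variable excerpt is embedded as constructed sample input, the dhcpd rendering is this example's own and may differ from the generator in the FAI config space, and the function names are assumptions.

```python
"""Consistency check and dhcpd rendering for Debian-LAN network variables.

Added example for the Debian-LAN thread; not code from the debian-lan
repository.  It parses the class/SERVER_A.var excerpt quoted in the mail
(constructed sample input below), checks that the variables agree with
each other, and renders the dhcpd.conf subnet stanza implied by them.
"""
import ipaddress
import re

# class/SERVER_A.var as quoted in the thread (constructed sample input;
# the explanatory comments of the original file are left out).
SERVER_A_VAR = """\
MAINSERVER_IPADDR=10.0.0.1
GATEWAY=10.0.0.1
BROADCAST=10.0.255.255
NAMESERVER_IPADDR=  # leave empty to use mainserver's IP address
SUBNET=10.0.0.0
NETMASK=255.255.0.0
SUBNETMASK=10.0.0.0/16
FAINETMASK=10.0.0.0/24
RANGE=10.0.1.10 10.0.1.200
WS_RANGE=50 149
DL_RANGE=150 249
"""

# KEY=value with an optional trailing shell comment.
_ASSIGN = re.compile(r"^([A-Z_]+)=(.*?)\s*(?:#.*)?$")


def parse_vars(text):
    """Return the KEY=value assignments of a FAI .var file as a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def _ending_range(spec):
    """'50 149' (used as 'seq $WS_RANGE' in the thread) -> inclusive range."""
    lo, hi = (int(x) for x in spec.split())
    return range(lo, hi + 1)


def check_network(v):
    """Return a list of problems; an empty list means the variables agree."""
    problems = []
    net = ipaddress.ip_network(f"{v['SUBNET']}/{v['NETMASK']}")
    if net != ipaddress.ip_network(v["SUBNETMASK"]):
        problems.append(f"SUBNETMASK {v['SUBNETMASK']} != SUBNET/NETMASK {net}")
    if ipaddress.ip_address(v["BROADCAST"]) != net.broadcast_address:
        problems.append(f"BROADCAST {v['BROADCAST']} != {net.broadcast_address}")
    for key in ("MAINSERVER_IPADDR", "GATEWAY"):
        if ipaddress.ip_address(v[key]) not in net:
            problems.append(f"{key} {v[key]} is outside {net}")
    if not ipaddress.ip_network(v["FAINETMASK"]).subnet_of(net):
        problems.append(f"FAINETMASK {v['FAINETMASK']} is not inside {net}")
    lo, hi = (ipaddress.ip_address(a) for a in v["RANGE"].split())
    if not (lo in net and hi in net and lo < hi):
        problems.append(f"RANGE {lo} {hi} is not an ascending range inside {net}")
    ws, dl = _ending_range(v["WS_RANGE"]), _ending_range(v["DL_RANGE"])
    if set(ws) & set(dl):
        problems.append("WS_RANGE and DL_RANGE overlap")
    for name, r in (("WS_RANGE", ws), ("DL_RANGE", dl)):
        if not r or r.start < 1 or r[-1] > 254:
            problems.append(f"{name} leaves the 1..254 host-part range")
    return problems


def dhcpd_subnet(v):
    """Render the dhcpd.conf subnet stanza implied by the variables."""
    net = ipaddress.ip_network(f"{v['SUBNET']}/{v['NETMASK']}")
    dns = v["NAMESERVER_IPADDR"] or v["MAINSERVER_IPADDR"]  # empty -> mainserver
    return "\n".join([
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"    option routers {v['GATEWAY']};",
        f"    option domain-name-servers {dns};",
        f"    option broadcast-address {v['BROADCAST']};",
        f"    range {v['RANGE']};",
        "}",
    ])


if __name__ == "__main__":
    variables = parse_vars(SERVER_A_VAR)
    for p in check_network(variables):
        print("PROBLEM:", p)
    print(dhcpd_subnet(variables))
```

Running it on the quoted variables reports no problems; changing BROADCAST to 10.0.0.255 (a /24 value on a /16 network) is the kind of mismatch it catches before dhcpd hands out wrong leases.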



Re: Debian Local Area Network' (Debian-LAN)

2012-04-09 Thread Andreas B. Mundt
Hi Giorgio and others,

On Mon, Apr 09, 2012 at 11:21:37AM +0200, Giorgio Pioda wrote:
 In my case it is not a matter of randomizing.

 We have an internal 10.x.x.x/23 provided by the
 national telecom and we are not able to
 change the subnet, otherwise we would collide
 with other schools.


I had a look into the issue of modifying the IP addresses.
The following files contain an IP address:

debian-lan/fai/config$ rgrep -l 
'[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'  *
files/etc/dhcp/dhcpd.conf/INT_GATEWAY
files/etc/dhcp/dhcpd.conf/EXT_GATEWAY
files/etc/network/interfaces/INT_GATEWAY
files/etc/network/interfaces/EXT_GATEWAY
files/etc/hosts/diskless
files/etc/hosts/mainserver
files/etc/networks/FAIBASE
files/etc/fai/grub.cfg/SERVER_A
files/etc/bind/db.intern/INT_GATEWAY
files/etc/bind/db.intern/EXT_GATEWAY
scripts/NTP_SERVER/10-ntp.conf
scripts/NFS_SERVER/10-config
scripts/PROXY/10-config
scripts/FAISERVER/30-exports
scripts/DISKLESS_SERVER/10-setup

If we remove DNS and DHCP configuration files and files that contain
no specific IP addresses, we are left with:

files/etc/network/interfaces/INT_GATEWAY
files/etc/network/interfaces/EXT_GATEWAY

scripts/NTP_SERVER/10-ntp.conf
scripts/NFS_SERVER/10-config
scripts/PROXY/10-config
scripts/FAISERVER/30-exports
scripts/DISKLESS_SERVER/10-setup

So apart from DHCP, DNS and your interface configuration, you are
left to modify:

scripts/NTP_SERVER/10-ntp.conf:   ReplaceAll #broadcast 192.168.123.255 With 
broadcast 10.255.255.255
scripts/NFS_SERVER/10-config: AppendIfNoSuchLine /srv/nfs4 
10.0.0.0/8(sec=krb5p:krb5i:sys,rw,sync,fsid=0,crossmnt,no_subtree_check)
scripts/NFS_SERVER/10-config: AppendIfNoSuchLine /srv/nfs4/home0 
10.0.0.0/8(sec=krb5p:krb5i:sys,rw,sync,no_subtree_check)
scripts/PROXY/10-config:  ReplaceAll #acl localnet src 10.0.0.0/8 
With acl localnet src 10.0.0.0/8
scripts/FAISERVER/30-exports:ainsl $target/etc/exports /srv/fai/nfsroot 
10.0.0.0/24(async,ro,no_subtree_check,no_root_squash)
scripts/FAISERVER/30-exports:ainsl $target/etc/exports /srv/fai/config 
10.0.0.0/24(async,ro,no_subtree_check,no_root_squash)
scripts/DISKLESS_SERVER/10-setup:ainsl $target/etc/exports /opt  
10.0.0.0/8(async,ro,no_subtree_check,no_root_squash)

So that does not look too terrible.  The automatic solution would be
to generate DNS and DHCP configuration automatically and use variables
in the scripts.

Best regards,

 Andi



 On Sun, Apr 08, 2012 at 05:15:27PM +0100, Steven Chamberlain wrote:
  Hi,
 
  On 08/04/12 10:13, Giorgio Pioda wrote:
   1) Subnet switch to an arbitrary 10.x.x.x/24 or even better 10.x.x.x/23 
   and
   also 192.169.x.x networks
 
  I agree, that aspect of Debian Edu's network architecture has always
  bugged me too, but I imagine it's because an address had to be hardcoded
  in some of the configs.
 
 
  Using a randomly-chosen 10.x.x.0/24 subnet means you can link several of
  these subnets together with straightforward routing between gateway
  machines, without resorting to awkward NAT.
 
  It would be easy and very fun to link together neighbouring Debian-LANs
  between homes/offices with wireless meshes and fast wired links.
 
  Randomising as much as you can in network address avoids the chance of a
  collision and having to renumber (and the chance is higher than you
  might think, due to the birthday paradox).
 
  This is similar in principle to RFC4193 unique local IPv6 subnets.
  (Debian-LAN could implement those too!)
 
 
  Or, you can run as many /24's as you need off the same mainserver and it
  can still route traffic between hosts, so I doubt there's a need for a
  /23 subnet or larger.  (Unless you really need for a broadcast domain to
  span more than 254 hosts...).
 
  Regards,
  --
  Steven Chamberlain
  ste...@pyro.eu.org
 


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120409113651.GA11569@flashgordon



Debian Local Area Network' (Debian-LAN)

2012-04-08 Thread Andreas B. Mundt
Dear Reader,

it is my pleasure to draw your attention to the 'Debian Local Area
Network' project (Debian-LAN).

The goal of Debian-LAN is to make setting up a local network with
centralized user and machine management, intranet, etc. as easy as
possible in Debian.

To do that, the project aims to provide everything needed for such
systems: documentation, code, whatever.  For the time being, the FAI
framework [1] is employed to set up the system.  However, the project
is in general not limited to FAI.
FAI's class system allows for great flexibility without losing
control over customization.  All modifications are implemented in the
config space and thereby documented in a well-structured way.


So far, a set of FAI classes and the corresponding config space has
been prepared to implement a Debian-LAN:

  * A mainserver with Kerberos KDC and LDAP including the FAI-server
to install clients.
  * Clients are installed over the network from the mainserver,
automounting their kerberized home directories.
  * Diskless clients are implemented as an option.

The system is comparable to the debian-edu network and can be used for
schools, small enterprises, associations, (university) work groups and
much more.  It provides the Gnome and LXDE desktop environments by
default on the clients.  Depending on your needs, you can easily add a
customized package selection.  For example the metapackages of a
Debian Blend.


Everybody is invited to take a look, test, report back and of course
contribute.  More information can be obtained from the sources listed
below [2].  We use a git repository [3] on collab-maint on Alioth.  To
install the mainserver, prepare a CD image following the instructions
in the wiki [4] and get started!

Looking forward to comments and ideas,
best regards,

Andi



[1] <URL:http://wiki.debian.org/FAI>

[2] Please do not hesitate to ask:
    Documentation: <URL:http://wiki.debian.org/DebianLAN/>,
    Mailing List:  <URL:http://lists.alioth.debian.org/pipermail/debian-lan-devel/>
    IRC Channel:   #debian-lan on irc.debian.org
    Alioth Project pages:  <URL:https://alioth.debian.org/projects/debian-lan/>

[3] To clone the repository use:
    git clone git://git.debian.org/git/collab-maint/debian-lan
The repository contains the FAI config space for the provided setup.

[4] <URL:http://wiki.debian.org/DebianLAN/bootstrap>


--
--

A N D R E A S   B.   M U N D T

GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--andreas.b.mu...@web.de
   Andreas B. Mundt--andi.mu...@web.de






Re: Debian Local Area Network' (Debian-LAN)

2012-04-08 Thread Andreas B. Mundt
Hi,

On Sun, Apr 08, 2012 at 11:13:40AM +0200, Giorgio Pioda wrote:

 Debian LAN is indeed interesting, simpler approach than Edu. But I see some
 blocking missing features.

 1) Subnet switch to an arbitrary 10.x.x.x/24 or even better 10.x.x.x/23 and
 also 192.169.x.x networks


It shouldn't be a problem to grep/sed through the config space and
modify that.  Providing an 'automatic' implementation (some variables
defining the network with automatic creation/modification of files) is
of course possible, but will add code and complexity.

 2) The mainserver shouldn't act as gateway. Most plain, small organization 
 networks
 have a dedicated gateway (which often is an ADSL router/gateway) and
 the server should live with this.

I run the system on exactly such a system, however there is a
M$-windows system attached to the same ADSL router/gateway I do not
want to interfere with.  The only modification of the published setup
I need is modifying the external interface in /etc/network/interfaces to
read:

# The external network interface
allow-hotplug eth0
auto eth0
#iface eth0 inet dhcp
   iface eth0 inet static
   address 192.168.123.12  -- available address in the 'router network'
   netmask 255.255.255.0
   broadcast 192.168.123.255
   gateway 192.168.123.254 -- ADSL router IP


 Given that you'll provide such a fix, I'll probably do a test.


Providing a setup without the mainserver acting as gateway (issue 2))
is planned for Setup_B.

Best regards,

 Andi




 --
 Sysadmin SPSE-Tenero
 Ufficio:   +41 91 735 62 48
 Cellulare: +41 79 629 20 63


 --
 To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: http://lists.debian.org/20120408091339.ga5...@ticino.com



-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120408095239.GC9680@flashgordon



Re: Debian Local Area Network' (Debian-LAN)

2012-04-08 Thread Andreas B. Mundt
Hi Giorgio,

On Sun, Apr 08, 2012 at 12:01:19PM +0200, Giorgio Pioda wrote:

 
  Providing a setup without the mainserver acting as gateway (issue 2))
  is planned for Setup_B.
 

 Teased to see it soon :-)


Done.

Here it is:

 
http://lists.alioth.debian.org/pipermail/debian-lan-devel/2012q2/77.html
 
http://lists.alioth.debian.org/pipermail/debian-lan-devel/2012q2/78.html

I also updated the wiki http://wiki.debian.org/DebianLAN/Setup_A

Let me know if you run into problems or something is unclear.

Best regards,

 Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120408143154.GD9680@flashgordon



Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Andreas B. Mundt
Hi,

On Tue, Mar 20, 2012 at 09:04:54PM +0100, Petter Reinholdtsen wrote:
 [Petter Reinholdtsen]
  Anyone got any ideas how to properly fix this?

Just remove the -maxlife option completely.  Use something like:

 kadmin.local -q add_policy -minlength 4 -minclasses 2 user

Regards,

Andi


 I suspect this patch will solve it for first time installations.  We
 need to figure out how to fix it for existing installations too.

 Index: share/debian-edu-config/tools/kerberos-kdc-init
 ===
 --- share/debian-edu-config/tools/kerberos-kdc-init (revisjon 77105)
 +++ share/debian-edu-config/tools/kerberos-kdc-init (arbeidskopi)
 @@ -237,8 +237,9 @@
  kadmin.local -q ktadd -k /etc/krb5.keytab.smtp smtp/tjener.intern
  chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp

 -# Kerberos policy setup
 -kadmin.local -q addpol -maxlife \2 days\ -minlength 5 users
 +# Kerberos policy setup.  Make sure passwords never expire, as
 +# long as LDAP and Samba passwords do not expire.
 +kadmin.local -q addpol -maxlife never -minlength 5 users
  kadmin.local -q addpol -minclasses 2 hosts
  }
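Review bot: the `+kadmin.local -q addpol -maxlife never -minlength 5 users` line passes the string `never` to `-maxlife`, which for a policy is a duration, so confirm on a fresh install with `kadmin.local -q "getpol users"` that it is accepted and stored as a maximum password life of 0; the reply earlier in this thread instead suggests omitting `-maxlife` altogether, and the get_principal output quoted in that thread shows the resulting `Password expiration date: [none]`. Two smaller points on the same hunk: the `users` policy gets only `-minlength 5` while the `hosts` policy two lines below has `-minclasses 2`, so consider `-minclasses 2` for `users` as well, as that reply proposes; and, as the surrounding text already says, this hunk only affects new installations, so the stored `users` policy on existing realms still needs a `modify_policy` run.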


 Anyone know why the -maxlife 2 days were there in the first place?
 --
 Happy hacking
 Petter Reinholdtsen



 --
 To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: http://lists.debian.org/20120320200454.gf18...@login2.uio.no


--

--

A N D R E A S   B.   M U N D T

GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--andreas.b.mu...@web.de
   Andreas B. Mundt--andi.mu...@web.de




-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120320203517.GB5795@flashgordon



Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Andreas B. Mundt
On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]

  Just remove the -maxlife option completely.  Use something like:
 
   kadmin.local -q add_policy -minlength 4 -minclasses 2 user

 What is the default value when -maxlife is not used?
 --

I use a default policy created by:

  kadmin.local -q add_policy -minlength 4 -minclasses 2 default

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local:  get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:

   Password expiration date: [none]

Regards,

Andi



--

A N D R E A S   B.   M U N D T

GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--andreas.b.mu...@web.de
   Andreas B. Mundt--andi.mu...@web.de





-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120320214740.GA13674@flashgordon
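As an added example for the message above (not part of debian-edu-config), the following parses the get_principal output quoted in the mail and audits it. It reports the password-expiration setting the bug is about and, as a related check a practitioner would run on the same output, the key encryption types the principal carries: single DES (RFC 6649) and RC4 and 3DES (RFC 8429) are deprecated, so only the AES key is fit for use. The sample output is the one quoted above, embedded as constructed input; the function names are assumptions.

```python
"""Parse and audit 'kadmin.local -q get_principal' output.

Added example for the Bug#664596 thread; not part of debian-edu-config.
SAMPLE is the get_principal output quoted in the mail (constructed input).
"""
import re

SAMPLE = """\
kadmin.local:  get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:
"""

# "Field name: value"; the kadmin prompt lines start lowercase and are skipped.
_FIELD = re.compile(r"^([A-Z][A-Za-z ]*): ?(.*)$")
# Enctype name prefixes as printed by kadmin that are deprecated.
_DEPRECATED = ("DES cbc", "ArcFour", "Triple DES")


def parse_principal(text):
    """Return the fields as a dict; 'Key' collects (vno, enctype, salt) tuples."""
    info = {"Key": []}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        name, value = m.groups()
        if name == "Key":
            vno, enctype, salt = (value.split(", ", 2) + ["", ""])[:3]
            info["Key"].append((vno, enctype, salt))
        else:
            info[name] = value
    return info


def audit(info):
    """Return a list of findings about the parsed principal."""
    findings = []
    expiry = info.get("Password expiration date", "?")
    if expiry != "[none]":
        findings.append("password expires: " + expiry)
    if "REQUIRES_PRE_AUTH" not in info.get("Attributes", "").split():
        findings.append("pre-authentication not required")
    declared = int(info.get("Number of keys", len(info["Key"])))
    if declared != len(info["Key"]):
        findings.append(f"Number of keys says {declared}, {len(info['Key'])} parsed")
    weak = [k[1] for k in info["Key"] if k[1].startswith(_DEPRECATED)]
    if weak:
        findings.append(f"{len(weak)} of {len(info['Key'])} keys use deprecated enctypes")
    return findings


if __name__ == "__main__":
    parsed = parse_principal(SAMPLE)
    print(parsed["Principal"], "policy", parsed.get("Policy"))
    for f in audit(parsed):
        print("FINDING:", f)
```

On the quoted output the only finding is the enctype one (7 of 8 keys); the password-expiration finding appears as soon as the field holds a date instead of [none], which is exactly the state that locked users out in this bug.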



Bug#664596: User seems to missing ability to login via ssh/console after some days]

2012-03-20 Thread Andreas B. Mundt
Forwarded message, as I forgot to cc the debian-edu list:

On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]

  Just remove the -maxlife option completely.  Use something like:
 
   kadmin.local -q add_policy -minlength 4 -minclasses 2 user

 What is the default value when -maxlife is not used?
 --

I use a default policy created by:

  kadmin.local -q add_policy -minlength 4 -minclasses 2 default

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local:  get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:

   Password expiration date: [none]

Regards,

Andi



--

A N D R E A S   B.   M U N D T

GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--andreas.b.mu...@web.de
   Andreas B. Mundt--andi.mu...@web.de




-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120320215612.GB13674@flashgordon



Re: Problem with sitesummary2ldapdhcp

2012-02-11 Thread Andreas B. Mundt
Hi all,

On Fri, Feb 10, 2012 at 10:20:57PM +0100, Petter Reinholdtsen wrote:
 
 I assume netdevice is for routers and switches, not for Linux hosts.
 If this is wrong, please tell me and we can easily change this.


IIRC I used netdevice for all machines that do not serve any services
to the network, so in a standard setup these are all machines except
tjener (LTSP servers are independent and not managed by GOsa). 

Other profiles (Workstation etc.) are only available if you use
certain plugins (gosa-fai ?), which we do not use. 

So if you only want to assign netgroups and DNS/DHCP, the netdevices
seem to be the best fit.

Regards,
 
Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120211081055.GA30050@fuzi



Re: Educlient (still very raw)

2012-02-11 Thread Andreas B. Mundt
Hi,

On Sat, Feb 11, 2012 at 09:17:13AM +0100, Giorgio Pioda wrote:

[...]
 
 Now I'm hanging with the autofs question. I have to test again but
 it seems that only Ubuntu 10.04 has a good implementation; all others
 suffer, like Debian wheezy, from the fact that autofs starts too early
 in the boot phase and, after not finding the LDAP server, hangs, and only
 a manual restart fixes the problem.
 
 But I also have a terrible doubt. I don't know if this behaviour is
 qemu related, or if it is reproducible on real devices (such that
 for example qemu freezes the virtual network from time to time...).
 In fact the PXE installation also hangs, and I have to type autoboot a
 couple of times before the network boot occurs.
 
 From time to time, I have also observed autofs hanging on
 plain Edu workstations...
 
 Would be nice if somebody who has a real testing server could test
 my package. Unfortunately I don't have enough hardware to do it.
 


I observe strange autofs behavior in virtual machines here too. (Guest
is squeeze, virt-manager/kvm.)  On my desktop everything is fine (host is
wheezy); on my laptop (also wheezy) it doesn't work.
However, on real hardware I have no issues.  The setup is not exactly
skolelinux but comparable.

Best regards,

 Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120211211724.GA4994@flashgordon



Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds

2012-02-05 Thread Andreas B. Mundt
Hi,

On Sun, Feb 05, 2012 at 05:25:20PM +0100, Giorgio Pioda wrote:

  The script executed right after authentication copies the user's
  Kerberos ticket to the file krb5cc_diskless which is owned by root. 
  This ticket will be picked up by gssd to create the security context
  needed.  However, it's needed to restart autofs, I am not exactly sure
  why.  It looks like autofs caches failures in mounting a directory
  (which it tries earlier in the login process), and does not try again
  immediately when the ticket is available. 
  
 
 What about setting a delay in autofs?
 

How long?  I think entering the username triggers autofs (to read the
user's configuration, for example which desktop he wants to start by
default).  What if someone takes 15 seconds to enter his password, and
someone else needs only 3 seconds?  Only if autofs is triggered exactly
at the moment pam gives the OK for login (i.e. the ticket is available)
will it manage to provide the home directory.
Immediately after that the user will have / as home (or might not be
allowed to log in on gdm).

So I don't think that will work.  Did you have any success with the 
   
   verify_ap_req_nofail = false

stuff?

Best regards,

 Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120205213507.GA6821@flashgordon



Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds

2012-02-05 Thread Andreas B. Mundt

On Sun, Feb 05, 2012 at 10:51:08PM +0100, Petter Reinholdtsen wrote:
 
 [Andreas B. Mundt]
  How long?  I think entering the username triggers autofs (to read the
  user's configuration, for example which desktop he want's to start by
  default).  What if someone takes 15 seconds to enter his password, and
  someone else needs only 3 seconds?
 
 This does not sound right.  Setups using pam_mount work, and I believe PAM
 is only invoked after the password is entered.  Because of this, I
 believe the users home directory isn't accessed before the password is
 entered.
 

I did not say that pam_mount doesn't work.  I believe gdm tries to
access the home directory.  If it doesn't succeed, this is non-fatal.
However we don't have to argue about that, it should be easy to
check: Login on a terminal on a workstation as root, check if the home
directories are not yet mounted and then login on gdm as a user and
carefully check when the home directory is accessed/mounted using the
terminal.   

 What are you seeing that make you believe PAM is invoked too late?
 Could it be some other pam module called earlier in the stack that
 causes the effect?

Hm?  Are we talking about the same issue, making a diskless
workstation work without machine credentials?

Best regards,

 Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120206075235.GA4158@fuzi



Re: Kerberos TGT and NFS

2012-02-04 Thread Andreas B. Mundt
Hi Giorgio,

On Sat, Feb 04, 2012 at 10:17:23AM +0100, Giorgio Pioda wrote:

 I got Ubuntu running, nice. But IMHO it shouldn't. I don't understand
 the black magic I've produced by myself, about the nfs/client kerberos
 granting.
 
 I didn't copy nor generate any krb5.keytab for the nfs/client and
 despite this fact nfs works.
 
 How is the TGT nfs working? Is the keytab stored in LDAP? In this latter case
 I fear that a MAC spoof would lead to unattended mounting of clients that are
 not acknowledged.
 
 Do you have an explanation, a reference link?
 

Skolelinux doesn't use kerberized NFSv4 yet.  There is no mechanism
available to create and copy the keytabs.  Perhaps this can be done
with a GOsa hook, however then the client needs to be available to scp
the keytab ...

However, you might be able to switch kerberization on by doing the
above manually and remove the sec=sys part in /etc/exports of the
mainserver. 

Regards,

Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120204093014.GC5149@fuzi
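The export lines listed in the Debian-LAN IP-address thread above (sec=krb5p:krb5i:sys, and no_root_squash granted to 10.0.0.0/8) and the advice in the message above to remove the sec=sys part both point at the same check, so here is one added example covering both (not code from Debian-LAN or Debian Edu): a lint for /etc/exports that flags a sec= list which still offers the unauthenticated AUTH_SYS flavour next to Kerberos, read-write exports without any Kerberos flavour, and no_root_squash handed to a network wider than a /24, and that prints the option list with sys removed as the fix. The sample exports are constructed from the lines quoted in the thread; function names are assumptions.

```python
"""Lint for the security-relevant options in /etc/exports.

Added example for the two NFS threads; not code from Debian-LAN or
Debian Edu.  SAMPLE_EXPORTS is constructed from the export lines quoted
in the Debian-LAN IP-address discussion.
"""
import ipaddress
import re

SAMPLE_EXPORTS = """\
# constructed from the lines quoted in the thread
/srv/nfs4        10.0.0.0/8(sec=krb5p:krb5i:sys,rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/home0  10.0.0.0/8(sec=krb5p:krb5i:sys,rw,sync,no_subtree_check)
/srv/fai/nfsroot 10.0.0.0/24(async,ro,no_subtree_check,no_root_squash)
/srv/fai/config  10.0.0.0/24(async,ro,no_subtree_check,no_root_squash)
/opt             10.0.0.0/8(async,ro,no_subtree_check,no_root_squash)
"""

# client(opt,opt,...) ; a bare "(opts)" means every host.
_CLIENT = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return [(path, client, [options])] for every client of every export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = _CLIENT.match(spec)
            if not m:
                continue
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def sec_flavours(opts):
    """Security flavours offered; without sec= exportfs uses plain AUTH_SYS."""
    for o in opts:
        if o.startswith("sec="):
            return o[len("sec="):].split(":")
    return ["sys"]


def without_sys(opts):
    """The option list with 'sys' dropped from sec= (the fix from the thread)."""
    fixed = []
    for o in opts:
        if o.startswith("sec="):
            kept = [f for f in o[len("sec="):].split(":") if f != "sys"]
            if not kept:
                continue
            o = "sec=" + ":".join(kept)
        fixed.append(o)
    return fixed


def _wider_than(client, prefixlen):
    """True if client is a CIDR/netmask covering more than a /prefixlen."""
    if client == "*":
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen < prefixlen
    except ValueError:  # hostname, wildcard or netgroup
        return False


def lint(entries):
    """Return [(path, client, message)] findings for the parsed exports."""
    findings = []
    for path, client, opts in entries:
        flav = sec_flavours(opts)
        krb = any(f.startswith("krb5") for f in flav)
        if krb and "sys" in flav:
            findings.append((path, client, "sec= offers krb5 and sys; clients "
                             "may fall back to AUTH_SYS, use "
                             + ",".join(without_sys(opts))))
        elif not krb and "rw" in opts:
            findings.append((path, client, "read-write export without Kerberos"))
        if "no_root_squash" in opts and _wider_than(client, 24):
            mode = "rw" if "rw" in opts else "ro"
            findings.append((path, client,
                             f"no_root_squash ({mode}) trusts root on every host in {client}"))
    return findings


if __name__ == "__main__":
    for path, client, msg in lint(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path} {client}: {msg}")
```

On the quoted exports this reports the two home-directory exports (krb5 mixed with sys) and /opt (no_root_squash to a whole /8); the FAI nfsroot and config exports need no_root_squash for network installs and are limited to a /24, so they pass.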



Re: debian-edu-doc 6.0.3: Please update the PO translation for the package debian-edu-doc

2012-02-03 Thread Andreas B. Mundt
Hi Helge,

On Fri, Feb 03, 2012 at 05:36:01PM +0100, Helge Kreutzmann wrote:
 On Thu, Jan 19, 2012 at 10:21:27PM -0400, David Prévot wrote:
  You are noted as the last translator of the translation for
  debian-edu-doc. The English template has been changed, and now some messages
  are marked fuzzy in your translation or are missing.
  
  I would be grateful if you could take the time and update it.
  Please send the updated file to me, or submit it as a wishlist bug
  against debian-edu-doc.
 
 are you going to update the translation or should some other
 translator take over?

If you have resources available it would be great if they could take
over.  I am rather busy right now and also next week.  Unfortunately
it's again quite a lot that needs to be translated/unfuzzied.  If
nobody else is available, I'll try to find some time, but I cannot
guarantee that I'll finish it before the deadline closes.  

Best regards,

 Andi 


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120203191457.GA5044@flashgordon



Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds

2012-01-28 Thread Andreas B. Mundt
Hi,

On Fri, Jan 27, 2012 at 11:14:04PM +0100, Giorgio Pioda wrote:
 
 your solution seems more or less an unavoidable hack.
 
 Nice would be to tell Kerberos to avoid service check and control
 only user ID.
 
 What about this:
 
 http://docs.oracle.com/cd/E19963-01/html/821-1456/setup-148.html#gihyu
 
 Maybe could be a solution, but I don't know exactly if it works
 as I think it should:
 
 client # cat /etc/krb5/krb5.conf
 [libdefaults]
 default_realm = EXAMPLE.COM
 verify_ap_req_nofail = false
   ...

I just tried with 

  verify_ap_req_nofail = false

and disabled the ticket copying, unfortunately it seems not to work
here.  I have to think about it, but isn't it necessary to have a
ticket available as it is used to encrypt the connection to the NFS
server (sec=krb5p)?

Best regards,

 Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120128094033.GA5120@flashgordon



Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds

2012-01-27 Thread Andreas B. Mundt
Hi everybody!

For quite some time we have been thinking about how to make
kerberized NFSv4 mounting of home directories work with diskless
clients, where no machine credentials (keytab) are available.

It was mentioned [1] that using -n for gssd on the diskless client
might help, however this seems not to be enough.  

I finally figured out a way now, which works here and is not too
invasive:

First, make sure you have the package libpam-script available in the
diskless client's chroot.  libpam-script allows running a script after
successful authentication.  The script executed can be created by
running:

#!/bin/sh
#
set -e

FILE=/usr/share/libpam-script/pam_script_auth

cat > $FILE <<EOF
#!/bin/sh
#
set -e
if [ "\$PAM_USER" = root ] || ls /tmp/krb5cc_diskless > /dev/null 2>&1; then
    exit 0
fi

FILE=/tmp/krb5cc_diskless
cp -v /tmp/krb5cc_pam_* \$FILE
/etc/init.d/autofs restart > /dev/null

exit 0
EOF

chmod 0755 $FILE
#

The script executed right after authentication copies the user's
Kerberos ticket to the file krb5cc_diskless which is owned by root. 
This ticket will be picked up by gssd to create the security context
needed.  However, it's needed to restart autofs, I am not exactly sure
why.  It looks like autofs caches failures in mounting a directory
(which it tries earlier in the login process), and does not try again
immediately when the ticket is available. 

In addition, add the line
   RPCGSSDOPTS="-n"
to /etc/default/nfs-common and the line
   auth optional pam_script.so
to /etc/pam.d/common-auth.

With these modifications fully kerberized NFSv4 mounting should
be possible on all machines if there are no other issues like those
reported in <URL:http://bugs.debian.org/613167#30> (pending?).  I did
not test LTSP diskless clients but a home-made chroot in combination
with aufs.

Best regards,  

 Andi
  

[1] http://lists.debian.org/debian-edu/2010/07/msg00065.html


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120127161853.GA17722@flashgordon



Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds

2012-01-27 Thread Andreas B. Mundt
Hi, 

On Fri, Jan 27, 2012 at 09:19:21PM +0100, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]
[...]
 
  The script executed right after authentication copies the user's
  Kerberos ticket to the file krb5cc_diskless which is owned by root.
  This ticket will be picked up by gssd to create the security context
  needed.  However, it's needed to restart autofs, I am not exactly
  sure why.  It looks like autofs caches failures in mounting a
  directory (which it tries earlier in the login process), and does
  not try again immediately when the ticket is available.
 
 I guess we also need to remove the file when the user logs in, to make
 sure other users can't use another user's ticket to mount?
 

I think the ticket is used as if it were root's ticket, as the
automounter runs under root's ID.  If the ticket is removed and the
automounter umounts the NFS after some time, accessing the home
directory again will fail, because there is no ticket anymore to
remount.  The trick is a bit dirty, but so far I could not think of
any way to misuse the copied ticket, as it's only accessible by root.
A user logging in later or in parallel has no access.

  With these modifications fully kerberized NFSv4 mounting should be
  possible on all machines if there are no other issues like those
  reported in URL:http://bugs.debian.org/613167#30 (pending?).  I
  did not test LTSP diskless clients but a home-made chroot in
  combination with aufs.
 
 This approach looks really promising.  What about just dropping autofs
 and mounting the NFS volume in the pam module instead, like pam-mount?

I don't know if pam-mount has any disadvantages compared to autofs
(umounting after some time of 'silence' on the file system?), but if
not, it's probably a good idea to switch.

Best regards,

 Andi


Archive: http://lists.debian.org/20120127211156.GA9727@flashgordon
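
As an added example (my code, not from the thread above), a pam_script auth hook that does the ticket copy described in the two messages above while keeping the property Andi relies on: the copy is created root-only (mode 0600), symlinks or non-regular files as source are refused, and autofs is restarted afterwards. The PAM_USER variable, the cache path /tmp/krb5cc_<uid> and the /etc/init.d/autofs call are my assumptions; only the name krb5cc_diskless comes from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a pam_script auth hook implementing
# the "copy the user's ticket for root" trick, keeping the copy readable by
# root only.
# Assumptions (mine): pam_script exports PAM_USER, the user's credential cache
# is the file /tmp/krb5cc_<uid>, and the root-only copy is /tmp/krb5cc_diskless.

# copy_ticket_for_root SRC DST
# Copies credential cache SRC to DST with mode 0600.  Refuses symlinks and
# non-regular files so a user-influenced SRC cannot make the root-run hook
# read or clobber something else.
copy_ticket_for_root() {
    src=$1
    dst=$2
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refusing to copy $src: not a regular file" >&2
        return 1
    fi
    # Create the copy private from the first byte (umask), then move it into
    # place so gssd never sees a half-written cache.
    ( umask 077 && cp "$src" "$dst.tmp" ) || return 1
    chmod 0600 "$dst.tmp" || return 1
    mv -f "$dst.tmp" "$dst"
}

# ticket_is_private FILE
# Succeeds only if FILE exists with mode exactly 0600.
ticket_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# pam_hook: entry point when run by pam_script (PAM sets PAM_USER).
pam_hook() {
    uid=$(id -u "$PAM_USER") || exit 1
    copy_ticket_for_root "/tmp/krb5cc_$uid" /tmp/krb5cc_diskless || exit 1
    ticket_is_private /tmp/krb5cc_diskless || exit 1
    # autofs remembers the mount attempt that failed before the ticket
    # existed, so restart it to make it retry.
    /etc/init.d/autofs restart >/dev/null 2>&1
}

# Run the hook only when invoked by PAM; sourcing the file otherwise is a no-op.
if [ -n "${PAM_USER:-}" ]; then
    pam_hook
fi
```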



Re: r74053 - in trunk/src/debian-edu-config: cf debian etc/bind ldap-bootstrap

2011-09-05 Thread Andreas B. Mundt
Hi Mike,

On Sun, Sep 04, 2011 at 09:57:25PM +0200, Mike Gabriel wrote:

 Also: on diskless workstations the preseeding values for krb5-config
 do not all ,,arrive'', only the default_realm is set, but not the
 INTERN = {servers} server definitions... That's why I chose
 cfengine in the first place...
 

The INTERN = {servers} is only needed if you want to use kadmin on
that machine.  Authentication works fine without, the information is
fetched from DNS.

Best regards,   

 Andi


Archive: http://lists.debian.org/20110905085041.GB4333@flashgordon



Re: Bug#613167: Diskless Workstations not using kerberized NFSv4 for homes currently

2011-08-19 Thread Andreas B. Mundt
user debian-edu@lists.debian.org
usertag 638157 + debian-edu
thanks 


On Thu, Aug 18, 2011 at 10:52:18AM +0200, Mike Gabriel wrote:
 Hi all,
 
 is it intended that current diskless workstations in Skolelinux do
 not use kerberized NFSv4?
 

Hi, 

it looks like kerberization does not work with current nfs-utils, see
URL: http://bugs.debian.org/638157.  Hopefully this can be fixed in
a point release, the patch doesn't look very invasive ...

Best regards,

 Andi


Archive: http://lists.debian.org/20110819154100.GA4242@flashgordon



Re: General question on Debian-Edu

2011-07-24 Thread Andreas B. Mundt
Hi Thomas,

On Sun, Jul 24, 2011 at 08:10:47PM +0200, Thomas Koch wrote:

 the Debian-Edu talk tomorrow on debconf will overlap with the ZSH
 Skills-Exchange session... :-(

Luckily not tomorrow, but on thursday ... :-)
 
 So I read the documentation and throw out some questions here:
 
 * Could the base of Debian-Edu also be usable by small companies? At my
 former company for example we had Debian thin-clients for call support
 staff and even for some junior developers/students.

No, it's highly specialized for schools.  But I propose to work in a
direction that allows for a broader user and developer base.

 
 * Which IMAP server is used?
 
Dovecot

 * Could Debian-Edu be made replicated with automated fail-over of services? 
 Use case: The network administrator is on holiday, the main server fails, but 
 everything should continue to just work.
Nothing in that direction has been done yet, as far as I know ...


 * Is there a roadmap to update do cfengine3?
 
Unfortunately, I fear there is no roadmap at all :(

 * Is there any integration with school administration, so that administrative 
 changes are automatically reflected in LDAP (addition of pupils, classes, 
 leaving of pupils, assignments of pupils to classes)
No.  However, the design of the LDAP tree is flexible, so pupils
associated with classes can have their own department (ou) in LDAP.  

 * Is there a calendaring solution used with Debian-Edu? Kolab, Horde?
No.  I know that there is a Kolab plugin for GOsa, but never tested that.

 * Are there any schools that also have mailing lists for parents?
I don't know of any.

 * Are there any schools actively using encrypted mails?
Same here, I don't know of any.

Thomas, let's meet in Banja Luka for a chat.  I'll arrive some time on
wednesday. 

Best regards,
 
 Andi


Archive: http://lists.debian.org/20110724183424.GA4099@flashgordon



DebConf Debian-Edu Talks

2011-07-18 Thread Andreas B. Mundt
Hi all,

right now I started preparing the slides for the DebConf talks I
registered:

http://penta.debconf.org/dc11_schedule/events/744.en.html
http://penta.debconf.org/dc11_schedule/events/779.en.html

The talks are BoFs, i.e. open discussions, and although I
registered both of them, this doesn't mean that they are intended as a
'one man show'.  I would be very happy if anybody interested in the
topics could contribute with ideas and topics to be discussed, no
matter if you can or cannot attend DebConf.

Please reply to this mail, I will try to address and fit in all
contributions to the discussion.   

Many thanks,

 Andi 


Archive: http://lists.debian.org/20110718195902.GA6139@flashgordon



Bug#632464: diskless machine probably not added in GOsa

2011-07-03 Thread Andreas B. Mundt
Hi Marius,

On Sat, Jul 02, 2011 at 11:06:20PM +0200, Marius Kotsbak wrote:
 On 2 July 2011 15:43, Andreas B. Mundt wrote:
  usually this happens when the home directory cannot be mounted.
 
  Did you add the diskless machine in GOa and run ldap2bind after that?
 
 You mean ldap2netgroup?

No, ldap2bind is correct.  It's not in the search path of an ordinary
user: /usr/sbin/ldap2bind.

  Whenever I tested that (and added the machine correctly to LDAP), 
  things worked fine here.
 
 
 Nope, the documentation is still lacking such details for GOsa. I tried
 though to add the machine under administration->Systems->Net device.

I don't have time this month to work on that documentation.
 
 IP: 10.0.2.51
 Base: /Students
 MAC: the mac I found using dhcp leases
 Enable dhcp & Enable DNS.

I never tested with Bases other than /, so if it doesn't work with
/Students, try /.  

 Are there more options that needs to be changed from default?

You need to add the machine to the workstation-hosts netgroup (in the
NIS Netgroups-tab or in Administration->NIS Netgroups).

Cheers,

Andi



Archive: http://lists.debian.org/20110703072527.GA13512@flashgordon



Bug#632464: diskless machine probably not added in GOsa

2011-07-02 Thread Andreas B. Mundt
tags 632464 + moreinfo unreproducible
thanks

Hi,

usually this happens when the home directory cannot be mounted.

Did you add the diskless machine in GOa and run ldap2bind after that?

Whenever I tested that (and added the machine correctly to LDAP), 
things worked fine here.

Best regards, 
 
 Andi



Archive: http://lists.debian.org/20110702134322.GA6609@flashgordon



Bug#631357: debian-edu-config: debian-edu-fsautoresize does not work

2011-06-23 Thread Andreas B. Mundt
Package: debian-edu-config
Severity: normal

User: debian-edu@lists.debian.org
UserTags: debian-edu

Hi,

unfortunately, it looks like debian-edu-fsautoresize does not work at
all for d-e-squeeze:

root@tjener:~# debian-edu-fsautoresize -vn
Checking / [/dev/mapper/vg_system-root]
  A: 983704 905648 28088 (0.0285533046526191%)
Checking /boot [/dev/sda1]
  A: 240972 22484 206047 (0.855066148764172%)
Checking /opt [/dev/mapper/vg_system-opt]
  A: 8978360 6365728 2156544 (0.240193532003618%)
Checking /skole/backup [/dev/mapper/vg_system-skole+backup]
  A: 325269 10287 298189 (0.916745831911433%)
Checking /skole/tjener/home0 [/dev/mapper/vg_system-skole+tjener+home0]
  A: 528112 178684 322600 (0.610855273123883%)
Checking /usr [/dev/mapper/vg_system-usr]
  A: 8732600 6533668 1755336 (0.201009550420264%)
Checking /var [/dev/mapper/vg_system-var]
  A: 4305784 476116 3610944 (0.838626368624158%)
Checking /var/opt/ltsp/swapfiles [/dev/mapper/vg_system-var+opt+ltsp+swapfiles]
  A: 729704 17156 675480 (0.925690416936182%)
Checking /var/spool/squid [/dev/mapper/vg_system-var+spool+squid]
  A: 325269 183142 125334 (0.385324147090562%)

And that's all :(

Cheers,

Andi


-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Archive: http://lists.debian.org/20110623085945.18450.54328.reportbug@flashgordon



Bug#631357: names seem to have changed

2011-06-23 Thread Andreas B. Mundt
tags 631357 + pending
# fixed in svn
thanks

Looks as if the devices get other names today. Fixed in svn, hopefully
there are no other changes necessary, but resizing worked again after
applying the fix. 



Archive: http://lists.debian.org/20110623104958.GA3924@flashgordon



Re: browser races

2011-06-22 Thread Andreas B. Mundt
Dear Nigel,

On Wed, Jun 22, 2011 at 09:39:20AM +0900, Nigel Barker wrote:
 
 I have some concerns about browsers that might affect other schools,
 

[...]

 So it seems that browsers are expected to be updated every few months
 nowadays! It might not be possible to even complete a school year with
 one version and still have everyone's apps/mail/ who knows what
 working. How would you manage this kind of thing on a skolelinux
 network? Create a local apt repo? Install from testing or unstable?
 How would you perform the updates on the individual workstations and
 servers all at once?


Are you aware of:

URL:http://mozilla.debian.net/

Perhaps it's possible to use that archive in your case. Let us know if
it is a good (or at least working) solution.

Best regards,

 Andi


Archive: http://lists.debian.org/20110622065304.GA4409@flashgordon



remaining errors testsuite

2011-06-16 Thread Andreas B. Mundt
Hi,

I tried to find the reason for the remaining errors reported by the
testsuite (Terminalserver DVD installation): 

error: can not find SSL certificate for http://www, 
error: Unable to download 
http://ftp.skolelinux.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/netboot.tar.gz,
error: ./webserver: Missing /etc/iceweasel/profile/cert_override.txt.

I found that one if not the only reason for these errors is, that
within the installer, there is no DNS available.  The network is
available, but hostnames cannot be resolved.  I tried to understand
why, but /etc/resolv.conf and /target/etc/resolv.conf are rather
confusing, a broken link that starts working when rebooting after
installation (?!?) and so on.

Does anybody have more clue on how the network is managed in the
installer?

It would be great to fix these remaining errors even if they are
not fatal.

Any help appreciated, best regards,

Andi


Archive: http://lists.debian.org/20110616204237.GA12951@flashgordon



Re: cd/dvd status

2011-06-15 Thread Andreas B. Mundt
Hi,

On Wed, Jun 15, 2011 at 02:54:40PM +0200, Holger Levsen wrote:

  I had to revert some modifications concerning krb5-config, as it was
  not possible to login at all on other machines.  I suggest to postpone
  these modifications until wheezy.  The same is valid for NFSv4 with
  sec=krb5p:krb5i:krb5.
 
 So that means we still use unencrypted nfs3 and machines have to be added 
 before users can log in?!
 

No, we use NFSv4, but without added kerberos
privacy/integrity/authentication.  The machines have to be added to 
the workstation-netgroup to be able to mount the home directories. 

It should be possible to switch the features on easily at least for
some profiles, but this is not done out of the box yet.  (I had other
things to fix before looking into that issue.)

Cheers,

Andi


Archive: http://lists.debian.org/20110615154608.GA4288@flashgordon



Re: cd/dvd status

2011-06-14 Thread Andreas B. Mundt
Hi all,

On Tue, Jun 07, 2011 at 01:35:19AM +0200, Holger Levsen wrote:

 The big result of the meeting:
 
 - Beta1 release - codename no more nice to have
 - known problems: windows clients cannot join the samba domain
 
 --endquote ---
 
 afaik the installation also hangs at the end and diskless workstations don't
 get their hostname - anything else?
 
 
 cheers,
   Holger, who has not really read mail today, just skimmed irc
 
   and who also wants to get beta1 out in the next 12 days!!
 

After another week of testing, I am happy to report that the latest
DVD/CD seems to work.  Some minor errors are left after reboot
depending on the chosen profile, but the system seems to slowly become
usable.  I tested Tjener, Tjener+Terminalserver, Terminalserver and
Workstation.  Thin-Clients and Diskless machines worked too.

I had to revert some modifications concerning krb5-config, as it was
not possible to login at all on other machines.  I suggest to postpone
these modifications until wheezy.  The same is valid for NFSv4 with
sec=krb5p:krb5i:krb5.

I did not look into samba.   

So please test and help fixing the remaining issues, 
best regards,

 Andi


Archive: http://lists.debian.org/20110614181553.GA4433@flashgordon



Bug#630389: sitesummary-client: sitesummary client drops config snipplet in /etc/nagios/ but should use /etc/nagios/nrpe.d/

2011-06-13 Thread Andreas B. Mundt
Package: sitesummary-client
Severity: important

User: debian-edu@lists.debian.org
Usertags: debian-edu

An error is reported by nagios although everything is OK. The reason seems to be
the wrongly placed nagios-nrpe-commands.cfg (see subject). From the source of
nagios-nrpe-2.12 (debian/patches/03_support_nrpe.d.dpatch, I don't have the
final file handy right now):

# you can place your config snipplets into nrpe.d/
include_dir=/etc/nagios/nrpe.d/

So I think this is where we should drop sitesummary's nagios-nrpe-commands.cfg.
Fixed in SVN.

Cheers,

Andi


-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Archive: http://lists.debian.org/20110613170536.9724.61005.reportbug@flashgordon



Bug#630389: sitesummary-client: sitesummary client drops config snipplet in /etc/nagios/ but should use /etc/nagios/nrpe.d/

2011-06-13 Thread Andreas B. Mundt
On Mon, Jun 13, 2011 at 07:14:29PM +0200, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]
  An error is reported by nagios although everything is OK.
 
 Which error?  I know of one such error, and its reason is probably not
 what you suggested.

check_kernel_status fails with UNKNOWN.  This is not due to a newer
kernel, the lenny stuff works for squeeze, and the script gives the
correct answer when called on the command line.  Modifications in the
script do not change the warning at all. 

After moving it to /etc/nagios3/ the warning vanished and everything
works as expected.

However, I don't know where the warning comes from in the first place.

Regards,

Andi



Archive: http://lists.debian.org/20110613172332.GB4107@flashgordon



Bug#630389: sitesummary-client: sitesummary client drops config snipplet in /etc/nagios/ but should use /etc/nagios/nrpe.d/

2011-06-13 Thread Andreas B. Mundt
Hi, 

On Mon, Jun 13, 2011 at 07:36:16PM +0200, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]
  check_kernel_status fails with UNKNOWN.  This is not due to a newer
  kernel, the lenny stuff works for squeeze, and the script gives the
  correct answer when called on the command line.  Modifications in
  the script do not change the warning at all.
 
 Right.  Same I have seen for a while.  The error shows up for a while
 after the first boot, and then disappears after some time without
 anything being changed.  I have not been able to figure out why it
 fails, but it is not related to moving any configuration.
 
  However, I don't know where the warning comes from in the first
  place.
 
 Me neither.  I suspect some background job running after installation
 is blocking something, and the check start working when this
 background job is done.  But I have never been able to find such
 job. :)


When testing again, I found that indeed restarting nagios3 fixed the
wrong warning.  Perhaps something does not yet work when nagios
starts at boot-time.  I'll revert the changes in svn.

Cheers,

Andi
  



Archive: http://lists.debian.org/20110613192857.GC4107@flashgordon



Re: GOsa/LDAP/Samba integration - GoPDC integration in debian-edu-config

2011-06-06 Thread Andreas B. Mundt
Hi,

On Mon, Jun 06, 2011 at 11:11:12PM +0200, Mike Gabriel wrote:

 last night I have looked into Samba+LDAP+GOsa. The realization about
 that part for Debian Edu/Skolelinux is: if we want flawless and
 fluent Windows integration in Debian Edu (yes, we want that!!!) then
 there is still a bunch of work to do.

[...]
 
 Any comments, any other ideas?
 

Can we first bring the current system to a status where the things
that worked before the Hamburg meeting work again and the things we
fixed in Hamburg can be tested?

I think of NetworkManager issues, NFS4 and Kerberos, LTSP-Clients, ...

Best regards,

 Andi



Archive: http://lists.debian.org/20110606212145.GB8029@flashgordon



Re: the gathering next week in hamburg...

2011-05-30 Thread Andreas B. Mundt

Hi,

On Mon, May 30, 2011 at 01:26:16PM +0200, Holger Levsen wrote:
 On Monday, 30 May 2011, Holger Levsen wrote:
  meet for dinner sounds like a great plan! 20oo?
 
 I suggest either Frank & Frei which is located close to the city center
 (S-Bahn Sternschanze) or the Schachcafe which is located directly at the
 subway station Alte Wöhr which is very close (800m or so) to the attraktor
 venue, where the gathering will take place.
 
 I'm fine with either.
 
 http://www.schachcafe-hamburg.de/
 http://www.qype.com/place/19530-Frank-und-Frei-Hamburg
 

I'm thinking about joining you and getting rid of traveling stress
early Friday morning. Would it be possible to spend the night
somewhere? (Mattress+sleeping-bag is available).

Best regards and looking forward to meeting you all,

 Andi


Archive: http://lists.debian.org/20110530183928.GA3542@flashgordon



Re: diskless workstation

2011-05-17 Thread Andreas B. Mundt
Hi Volker,

On Tue, May 17, 2011 at 08:10:27PM +0200, Volker Cordes wrote:

 Do I have to register the clients somewhere? I changed /etc/exports to
 allow mounts from 192.168.0.0/24 because I still haven't installed the
 netgroups plugin.
 

I would expect that if you don't use the netgroups in /etc/exports
things should work. Also, that things work fine after reboot or
'sometimes' is an indication that something else happens.  No idea
what.  If you can debug this further it would be great.

Best regards,

 Andi


Archive: http://lists.debian.org/20110517185257.GA8623@flashgordon



Re: debian-edu squeeze feature complete

2011-05-16 Thread Andreas B. Mundt
Hi all,

an update after the latest DVD build:

On Mon, May 09, 2011 at 08:40:02PM +0200, Andreas B. Mundt wrote:
 
 * kdm is missing after the installation. (?!)
 

kdm is installed and works again.

The netgroups plugin is not yet installed by default. 
Installation steps:

 aptitude install subversion
 svn co https://oss.gonicus.de/repositories/gosa-contrib/netgroups/trunk netgroups
 cd netgroups/
 update-gosa install plugin.dsc
 /etc/init.d/apache2 restart


Cheers, 
Andi


Archive: http://lists.debian.org/20110516200752.GA17258@flashgordon



Re: debian-edu squeeze feature complete

2011-05-12 Thread Andreas B. Mundt
Hi,

On Tue, May 10, 2011 at 11:56:22AM +0200, Holger Levsen wrote:
 On Monday, 9 May 2011, Andreas B. Mundt wrote:
  after installing a debian-edu squeeze tjener from the latest DVD, I am
  happy to announce that it looks like debian-edu is kind of feature
  complete. 

[...]
 
  But before that, add the netgroups plugin:
  
  aptitude install subversion
  svn co https://oss.gonicus.de/repositories/gosa-contrib/netgroups/trunk netgroups
  cd netgroups/
  update-gosa install plugin.dsc
  /etc/init.d/apache2 restart
  
  It should already work, and some more work is underway to make this
  work out of the box:
  URL:https://forge.fusiondirectory.org/issues/238
  URL:https://forge.fusiondirectory.org/issues/233


 Do you think it's feasible to drop this into the debian-edu-config package
 (somehow+temporarily), so that we neither have to modify the gosa package
 that heavily nor introduce a new package?

I thought it would be easiest to drop the netgroups-plugin (which is
an extra package, as many GOsa plugins) in our skolelinux repo and
install it from there. No further configuration would be necessary.
With this approach we could fix bugs with a new package.  For wheezy,
the plugin should be available in Debian's repositories.  However, if
it is preferred to install the plugin directly with d-e-c, this should
be possible too. 

Best regards,

 Andi


Archive: http://lists.debian.org/20110512202543.GA4080@flashgordon



Re: fresh install problems

2011-05-10 Thread Andreas B. Mundt
Hi Volker,

On Tue, May 10, 2011 at 07:32:08PM +0200, Volker Cordes wrote:

 I just installed debian edu based on squeeze and need some help with
 configuring the things I need. It would be great if you could point
 me to some documentation or answer my questions directly.
 
 So here is how far I got on my own (with help of the German mailing list):
 - Installed Tjener, workstation and terminal server
 - solved LDAP TLS issue (thanks to the German mailing list)
 - disabled netgroups in /etc/exports (granted access to *)
 - creating users works, also login on the workstation, TS and ThinClient
 
 But some problems remain:
 - I didn't add the workstation nor the terminal server to LDAP, I
 understand that the required gosa modules are missing. Is it
 necessary to add the machines?

If you use the * in /etc/exports and no netgroup features
(fs-autoresize etc.), it should work without.  But it's not much work to
add the machines to netgroups.  Have a look at:
URL:http://lists.debian.org/debian-edu/2011/05/msg00052.html
and install the netgroups plugin as described.

 - I cannot connect my windows xp pro machine to the domain, I get
 "Domain not found". Is there a step by step guide for this? Since
 there is no lwat anymore the manual doesn't help or can I install
 lwat without problems?

I don't know anything about the windows stuff. :(

 - I would like to have diskless workstations. What do I have to do?

Take a look at
URL:http://wiki.debian.org/DebianEdu/Documentation/Squeeze/HowTo/NetworkClients#Machine_type_selection_based_on_the_network
(The manual is not yet up to date for squeeze, but most things
shouldn't have changed from Lenny):

 If one wants clients on the 192.168.x.x interface of a thin client
 server to boot as diskless workstations instead of thin clients, edit
 /var/lib/tftpboot/ltsp/i386/pxelinux.cfg/default
 and add a '3' (no quotes) to the end of the line.

Please report all issues and problems you run into, so that we can
improve things. Good luck!

Regards,

Andi


Archive: http://lists.debian.org/20110510195257.GA4662@flashgordon



debian-edu squeeze feature complete

2011-05-09 Thread Andreas B. Mundt
Hi all,

after installing a debian-edu squeeze tjener from the latest DVD, I am
happy to announce that it looks like debian-edu is kind of feature
complete. However, there is still some work to do:

* kdm is missing after the installation. (?!)

Here is how to test the latest installation. After login from a remote
shell (ssh -X root@10.0.2.2): 

aptitude update
aptitude install kdm
/etc/init.d/kdm start 

You cannot login as root anymore, so add a user from the remote
shell. But before that, add the netgroups plugin:

aptitude install subversion
svn co https://oss.gonicus.de/repositories/gosa-contrib/netgroups/trunk netgroups
cd netgroups/
update-gosa install plugin.dsc
/etc/init.d/apache2 restart

It should already work, and some more work is underway to make this
work out of the box: 
URL:https://forge.fusiondirectory.org/issues/238
URL:https://forge.fusiondirectory.org/issues/233

Now fire up iceweasel from remote and point the browser to www/gosa/,
login as super-admin with your root password, add a user and after
that you are able to login from the kdm screen.

It looks as if kdm is missing in the chroot as well. And there is
still the mysterious 'Nagios count NUMSVCUNKN is not zero ...'-error
which seems to be a fake.  

Best regards and happy testing,

 Andi


Archive: http://lists.debian.org/20110509184002.GA22718@flashgordon



Re: debian-edu on debconf11

2011-05-06 Thread Andreas B. Mundt
Hi,

On Thu, May 05, 2011 at 10:16:19PM +0200, Holger Levsen wrote:
 On Thursday, 5 May 2011, Andreas B. Mundt wrote:
  Are you going to be there too?  Does anybody plan to give a
  presentation about debian-edu?  I think we should at least have some
  kind of open discussion like a BoF session to discuss the present
  status and further development.
 
 sounds like a great idea!
 
 Andreas, can you please submit an event, I'd suggest exactly what you 
 suggested :) plans & challenges for wheezy 8-)
 

Done:

DebConf11 - submitted Events:

  Debian-Edu: Current Status and Future Development
  
  How can we make Debian even more attractive in education?
  
  Event type : bof
  Track :
  Language : en
  Event state : undecided
  Progress : new
  Abstract :
  Debian-Edu/Skolelinux has come a long way: This year we celebrate its
  10th anniversary. What are the plans and challenges for wheezy? We
  would like to discuss the current status, problems, possible solutions
  and the goals of the future development of Debian-Edu. Everybody
  interested in a Debian pure blend especially targeted at schools and
  the area of education is welcome.

Please report further ideas/content/changes.

Best regards,

 Andi 


Archive: http://lists.debian.org/20110506144414.GA9014@flashgordon



debian-edu on debconf11

2011-05-05 Thread Andreas B. Mundt
Hi everybody,

yesterday I registered for debconf11. Unfortunately, I am not able to
be there from the beginning, but probably I'll turn up on Wednesday.

Are you going to be there too?  Does anybody plan to give a
presentation about debian-edu?  I think we should at least have some
kind of open discussion like a BoF session to discuss the present
status and further development. 

Best regards,

 Andi


 



Archive: http://lists.debian.org/20110505180003.GA4582@flashgordon



Re: Linux Musterlösung from the Landesmedienzentrum BW?

2011-05-02 Thread Andreas B. Mundt
Hi,

On Mon, May 02, 2011 at 08:07:25PM +0200, Thomas Koch wrote:
 Philipp Huebner:
  On 02/05/11 17:52, Thomas Koch wrote:
   to be seriously lacking behind Debian releases.
  
  To be honest - so does Debian Edu ;)
 Well, I should have made this more clear: They are currently in the release 
 process of the first version based on Lenny! (AFAIK)

 It makes me wonder, if there is some conspiracy to let Linux look old by 
 purpose. [...]

I am working at a school here in Baden-Württemberg, but we have the M$
Musterlösung in my school.  When I tried to find out more about the
GNU/Linux version (on the web), I got almost exactly that impression:
There seems to be neither concern to share ideas and knowledge, nor
the interest to promote the system as a true alternative.

Perhaps another fig leaf which then ends commented as "we tried it,
but _unfortunately_ the users prefer another system."

Regards,

Andi


Archive: http://lists.debian.org/20110502184152.GA28676@flashgordon



Re: gosa on installation from cd-squeeze-test-amd64-i386-netinst

2011-04-28 Thread Andreas B. Mundt
Hi,

On Thu, Apr 28, 2011 at 09:40:37AM +0200, Frank Weißer wrote:
 
 I can login to gosa as admin with root-password but don't see any
 possibility to add users, groups, machines or anything else. Is my
 installation broken or how do I have to administrate tjener?
 

Log in as 'super-admin', not admin.

URL:http://wiki.debian.org/DebianEdu/Documentation/Squeeze/GettingStarted

Cheers,

Andi


Archive: http://lists.debian.org/20110428112400.GA7511@flashgordon



Re: strange network-configuration on installation from cd-squeeze-test-amd64-i386-netinst

2011-04-27 Thread Andreas B. Mundt
Hi Frank,

On Tue, Apr 26, 2011 at 10:33:52PM +0200, Frank Weißer wrote:
> I just tried to install a pure tjener from
> ftp://ftp.skolelinux.org/cd-squeeze-test-amd64-i386-netinst/debian-edu-amd64-i386-NETINST-1.iso
>
> date 17.04.2011 and get 10.0.2.2/255.255.254.0 as its network configuration.
>
> Having dhcp-clients connected to eth0 i get leases 10.0.2.xxx, but with
> Bcast:10.255.255.255  Maske:255.0.0.0
>

Unfortunately, the network definition in GOsa allows only the classical
A-, B- and C-networks but not the 255.255.254.0 network mask which was
used before.  (No idea why 255.255.254.0 was chosen in the beginning).

So we can either choose 255.255.0.0 or 255.0.0.0 network masks for
our setup now.  To keep the range of available network addresses as
flexible as possible, I decided to use a Class-A network mask.  The
configuration of the tjener interface wasn't modified to reflect that,
as things are not yet settled.  

Perhaps someone with deeper insights in the reasons why the network
was set up the way it is can comment on the issue and help how to
proceed with classical network masks best.

Best regards,

 Andi


  


Archive: http://lists.debian.org/20110427102911.GA18972@flashgordon



Re: developer meeting in May in Hamburg?

2011-03-30 Thread Andreas B. Mundt
Hi,

On Mon, Mar 28, 2011 at 01:01:52PM +0100, Holger Levsen wrote:
> I'm wondering who/how many would be joining a developer meeting May in
> Hamburg?

I am rather busy right now (and probably in May again), but I would
try to join you in any case.

> The goal I would like to work on is the release of Debian Edu squeeze.
> Probably also _only_ work on that? ;)

Yes, we should get that out the sooner the better ...

> I'm thinking about 6-8th or 13-15th of May, but that's just an idea to get
> some more comments.

For me, one weekend earlier (April 29th-May 1st) would be better, because
of vacancies (beginning April 22nd, ending May 1st).
>
> So, comments? Would you be interested to join and make the Debian Edu squeeze
> release happen?!

Yes, definitely!

Cheers,

Andi


Archive: http://lists.debian.org/20110330191327.GA4108@flashgordon



Re: /etc/init.d/update-hostname and Networkmanager.

2011-03-11 Thread Andreas B. Mundt
Hi,

On Fri, Mar 11, 2011 at 05:20:47PM +0100, Andreas Schockenhoff wrote:
> in /etc/init.d/update-hostname we try to set the hostname for the
> workstations from DNS Server.
>
> This can not work because Networkmanager is not started.

Strange, it works nicely here (latest DVD installation). The
workstation gets the hostname entered in GOsa at tjener (don't forget
ldap2bind after adding the machine). However, NetworkManager is doing
the job, I could not find a trace of the init script in the logs.

What fails here is PXE installations (installer freezes).

There are still some errors reported after installation from DVD;
however, I am not sure if they are all to be taken seriously: After
logging in only about 3 errors remain when running
/usr/sbin/debian-edu-test-install on the workstation/ltspserver.
Perhaps most of the errors after first boot are related to the network
not working as early with NetworkManager as without?

Remaining errors tjener/terminal-server:
  error: ./ldap-client: TLS search for cn=admins failed.
  => not yet investigated

  error: ./nagios: Nagios count NUMSVCUNKN is not zero but 1.
  => unclear to me, the script (iirc in sitesummary) that
  reports the error doesn't report any error when called alone(?!)

Remaining errors workstation/terminal-server:
  error: ./ldap-client: TLS search for cn=admins failed.
  error: ./ltsp: /etc/iceweasel/profile/cert_override.txt differ inside
  and outside LTSP
  error: ./webserver: Missing /etc/iceweasel/profile/cert_override.txt.
  => none of the above investigated yet

Best regards,

 Andi


Archive: http://lists.debian.org/20110311173129.GA6660@flashgordon



isc-dhcp-relay instead of isc-dhcp-server on terminal-servers?

2011-03-07 Thread Andreas B. Mundt
Hi all,

while working on the DHCP-setup I accidentally met the
isc-dhcp-relay package which can be used to relay DHCP requests. For
example, we could use it instead of running dhcp-servers on the
terminal-servers. 

Is there a reason we don't use the relay method but stand-alone
dhcp-servers? (Tjener needs to be accessible in both cases, 
because the configuration is fetched from tjener's ldap anyway). 
An advantage of the relay method: You don't need to start several
dhcp-servers after modifications to the configuration.

In a quick test it looks like isc-dhcp-relay works fine. Any
opinions/experiences about that?  

Best regards,

 Andi


Archive: http://lists.debian.org/20110307085743.GA10786@flashgordon



Re: DNS for the thin client network should be handlet by Gosa (Was: r73056 - in trunk/src/debian-edu-config: . cf debian etc/bind ldap-bootstrap)

2011-02-25 Thread Andreas B. Mundt
Hi Petter,

thanks for your comment. 

On Fri, Feb 25, 2011 at 01:31:19PM +0100, Petter Reinholdtsen wrote:
>> * Move DNS resolution of 'ltspserver' from ldap to static files, as
>>   the thin clients' subnet is not a subdomain that should be managed
>>   in GOsa.
>
> Eh, of course it should.  All hosts on the thin client network should
> have names, and it should be possible to put them in netgroups to get
> them to turn themselves automatically off during the night, as well as
> group them based on location.

Right, this is a good point and I am not sure how to implement
that.

If the 192.168.0.-network is a subdomain, then the second
terminal server serves the 192.168.1.-network? And the third one
serves the 192.168.2.-network and so on? This would be different from
the Figure in
<URL:http://wiki.debian.org/DebianEdu/Documentation/Squeeze/Architecture>,
where from my understanding it's impossible to deduce from a given IP
in the 192.168.0.-networks the corresponding machine. However, when we
install a terminal-server, how does the installer know which
192.168.X.-network to implement?

Is this correct?

If we define subdomains we would have for the terminal-servers something
like:

ltspserver.subnet01.intern.
ltspserver.subnet02.intern.

and so on. This also wouldn't be a problem. Do we have names for these
subdomains?

Any help is appreciated,

Andi


Archive: http://lists.debian.org/20110225125745.GA7684@flashgordon



Can we get rid of network-manager?

2011-02-23 Thread Andreas B. Mundt
Hi,

when installing the workstation profile (I tested this in combination
with the ltsp-server-profile), the network-manager package seems to
spoil the installed system. 

First, it removes the dhcp interface by adding '#NetworkManager#' in
front of the relevant line in /etc/network/interfaces:

auto eth0
#NetworkManager#iface eth0 inet dhcp

Cf. #530024, #612247 and http://wiki.debian.org/NetworkManager for
more information.  

I tried to add the interface again. However, from the log messages I
concluded that NetworkManager was still very active for reasons I'm
not sure make sense, because the machine failed to accept the
name offered by dhcp, and there were other failures.

I removed networkmanager now (see aptitude log below) and a whole bunch
of other packages we don't want on a workstation could be removed too,
because they had no dependencies left (libnss-mdns was installed). 

After these changes, the machine seems to work. Can we make sure that
NetworkManager isn't installed from the beginning? IIRC we already had
discussions about that issue, but I don't remember the final
conclusions (if any). 
To me it looks as if NetworkManager is unnecessary and only causes
unforeseeable problems and complications. 

Any hints or ideas?

Best regards,

 Andi 


From the successive aptitude runs:

Aptitude 0.6.3: log report
Wed, Feb 23 2011 19:57:56 +0100
[...]
Will install 1 packages, and remove 3 packages.
5,431 kB of disk space will be freed
===
[REMOVE, DEPENDENCIES] knm-runtime
[REMOVE, DEPENDENCIES] plasma-widget-networkmanagement
[INSTALL] libnss-mdns
[REMOVE] network-manager
===

Log complete.
Aptitude 0.6.3: log report
Wed, Feb 23 2011 19:59:46 +0100
[...]
Will install 0 packages, and remove 18 packages.
21.4 MB of disk space will be freed
===
[REMOVE, NOT USED] dnsmasq-base
[REMOVE, NOT USED] libnm-glib-vpn1
[REMOVE, NOT USED] libpcsclite1
[REMOVE, NOT USED] libpkcs11-helper1
[REMOVE, NOT USED] modemmanager
[REMOVE, NOT USED] network-manager-openvpn
[REMOVE, NOT USED] network-manager-pptp
[REMOVE, NOT USED] network-manager-vpnc
[REMOVE, NOT USED] openssl-blacklist
[REMOVE, NOT USED] openvpn
[REMOVE, NOT USED] openvpn-blacklist
[REMOVE, NOT USED] ppp
[REMOVE, NOT USED] pptp-linux
[REMOVE, NOT USED] tcl
[REMOVE, NOT USED] usb-modeswitch
[REMOVE, NOT USED] usb-modeswitch-data
[REMOVE, NOT USED] vpnc
[REMOVE, NOT USED] wpasupplicant
===


Archive: http://lists.debian.org/20110223194829.GA12780@flashgordon



Re: SRV records can't point to CNAMEs

2011-02-19 Thread Andreas B. Mundt
Hi,

On Sat, Feb 19, 2011 at 08:14:03AM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>> Hmm, I don't know how to fix this. To me it looks a bit like
>> sacrificing a clear and common DNS setup in favor of a very special
>> setup (for which I don't know how to get Kerberos working).  This
>> tuned setup works out of the box at the University of Oslo in a
>> special environment, but causes hassle and confusion probably
>> everywhere else.
>
> Note that as far as I can tell, the university of Oslo is not a
> special environment, and the script is written to handle the common
> way to set up Kerberos and LDAP on unix in a mixed AD/Unix network.
> It allows Windows and AD clients to get their separate setup without
> one leaking into the other unless it is the intended behaviour.  The
> script also generates what seems to be a working setup for mit.edu, and
> I would very much welcome info on other environments (DNS-domains)
> where I can test it. :)
>
> There were many considerations to take when writing the code to
> dynamically set up all clients during installation based on DNS, and I
> believe I ended up with the most sensible way to do it.
>

Well I don't know.  But I wonder when asking for the domain's ldap
server in the basic setup right now (and not the mixed Windows AD
setup):   

root@localhost:~# nslookup -type=srv _ldap._tcp.intern
Server: 127.0.0.1
Address:127.0.0.1#53

_ldap._tcp.intern   service = 100 0 389 tjener.intern.

I get the correct answer: LDAP is currently provided by
tjener.intern. This is what I expect.

But if I use the script debian-edu-ldapserver which I would think has
exactly the same job, to tell me the ldap server, it fails. Hopefully
this is fixed now with the latest commit. It fixes a bug that
prevented the fallback to 'ldap' in debian-edu-ldapserver to work.

Let's see how far we get with that now. But if a function called
'find_ldap_server' does not find the ldapserver which is clearly
announced by its service record in the domain, I'm not sure if that
function works as intended.

Best regards,

 Andi


Archive: http://lists.debian.org/20110219083648.GB12790@flashgordon



Re: exim brocken in test debian-edu-squeeze?

2011-02-19 Thread Andreas B. Mundt
Hi,

On Sat, Feb 19, 2011 at 12:33:33PM +0100, Andreas Schockenhoff wrote:
> Hi,
>
> On Sat, 2011-02-19 at 12:21 +0100, Andreas B. Mundt wrote:
>>> But exim seems to be broken no mail delivery to root.
>>
>> Right. Hmm. Permissions on /root seem not to allow the transport of
>> mail to root's mbox. Where is root's mail usually being delivered to?
>> Perhaps we have to change that location if we want to keep the
>> restrictive permissions.
> exim I have figured out like to deliver mail to /var/mail/mail instead of
> root on other systems. Also if root stands in /etc/alias. No idea
> why exim does this or if this is our problem.
>

Hm, in the exim config I have for the rootmail transport:

rootmail:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  file = /var/mail/root
  no_maildir_format
  mode = 0600
  no_mode_fail_narrower
  return_path_add
  user = mail

No idea why this is ignored. :(

   Andi


Archive: http://lists.debian.org/20110219120940.GA29109@flashgordon



Re: workstation problem is a ldap problem?

2011-02-19 Thread Andreas B. Mundt
Hi all,

a short update from my side:

On Sat, Feb 19, 2011 at 06:22:54PM +0100, Andreas Schockenhoff wrote:
> a new hint. dns seems to work also on a workstation now.
>
> ldapsearch -xZWD
> 'uid=super-admin,ou=People,dc=skole,dc=skolelinux,dc=no'
>
> Works on tjener and on the diskless workstation but not on the extra
> installed workstation.
>
> ldapsearch -xZWD 'uid=super-admin,ou=People,dc=skole,dc=skolelinux,dc=no'
> ldap_start_tls: Connect error (-11)
> Enter LDAP Password:
> ldap_result: Can't contact LDAP server (-1)
>
> I also see some log messages that say can not connect LDAP server.

Update on the latest fixes/problems (from debian-edu-changelog):
(<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/?op=logrev=0sc=1isdir=1>)

 * Rename cf.ldap2bind to cf.bind. Add rule to switch off IPv6 for
   bind to silence IPv6 lookup failure messages.

==> less error messages in the syslog from named

 * Fix bug in debian-edu-ldapserver that inhibits the fallback to
   'ldap' as ldap server.  State the cause of failure precisely in the log.

==> this makes the "can not connect LDAP server" messages vanish and
many things start to work

 * Add mail alias for bind pointing to root.
 * Allow users of group 'bind' to write in /etc/bind/.  Needed to
   make ldap2bind cronjob work.

==> this should make cronjob ldap2bind work

 * Add 'current_directory = /' to exim's rootmail transport
   configuration to make mail services to root work again.

==> this should solve the exim-no-mail problem

These fixes will probably be uploaded tomorrow and should work as soon
as the DVD is rebuilt after that. 

New observations:

* After installation (workstation), I found one interface commented
  out in /etc/network/interfaces by NetworkManager (I remember that I
  have seen something like that before). After reactivation (and with
  the above fix to find 'ldap'), almost anything seems to work on my
  workstation.

* Workstation log messages do not appear on tjener (works on diskless).

For me diskless workstations work, but there are warnings/errors when
booting and it's rather slow. So if someone could have a look into
that, it would be great.

Best regards,

 Andi


Archive: http://lists.debian.org/20110219200506.GA3289@flashgordon



Re: DVD works again: please test, report and contribute to debian-edu-squeeze

2011-02-18 Thread Andreas B. Mundt
Hi,

first, thanks for starting the tests!

On Fri, Feb 18, 2011 at 10:00:55AM +0100, Andreas Schockenhoff wrote:
> On Wed, 2011-02-16 at 23:10 +0100, Andreas B. Mundt wrote:
>> I am happy to report that the latest test-DVD of our forthcoming
>> debian-edu-squeeze release is ready for testing. It includes Kerberos
>> user (and mail) authorization, GOsa as LDAP admin tool and bind as
>> DNS. The home directory is distributed via NFSv4.


[...]

> I can log in as root get the web page log into gosa as admin. There I
> stop because only a menu for this user occurs. I can not add
> workstations or users.
> GOSA Error message:
> "Cannot find a suitable password method for the current hash!"

IIRC someone already replied: use 'super-admin' and the root password. I
plan to add an 'admin' account with slightly limited permissions (only
user/group and machine management and less confusing options, i.e. no
sudo-stuff etc).
>
> -
> This message comes up after installing tjener or combi-server:
> error: Unable to calculate size of partition for /var/spool/squid,
> error: ./dnsd: Unable to look up '192.168.0.254' on server
> 'localhost' ('' != 'ltspserver')., error: ./dnsd: Unable to look up
> '10.0.2.2' on server 'localhost' ('ldap.intern, error: ./filesystems:
> Using ext2 on /boot, error: ./filesystems: No lost+found
> in /skole/tjener/home0/. Blocked by autofs?, error: ./nagios: Nagios
> count NUMSVCCRIT is not zero but 1., error: ./network:
>
> Consider reporting them to the Debian Edu developers.
> -
 -

Right, I also got some error reports. We have to check the origin, no
idea yet.
>
> I get the message on workstation and combi-server that Kerberos has
> expired.

Correct. If you log in as (local) root, you don't use
Kerberos. However, you can fetch a ticket by entering 'kinit' after login.
>
> A stand alone terminal server has problems in the partition tools: Too
> many primary partitions. Combi server seems to install.
>
> --
> So please tell us what we should test first to help you.
>
> I think tjener with normal workstations may be the first target. Or
> the combi server? Also the gosa menus? What is important?


I installed a combined server and a workstation. I can start a
diskless machine and log in. The hostname is like the one I set in
GOsa. 

If I start the workstation, there is no way to log in, the hostname is
not set and other stuff fails too. So this is an issue.

I plan the following:

1) It would be great if someone can have a look at the DNS and DHCP
   setup. (Related is the SRV-record/A-record problem:
   <URL:http://lists.debian.org/debian-edu/2011/02/msg00160.html>)

2) Then of course we have to find the reasons for the error messages
   after installation. (If still there).

3) Polishing GOsa

4) Try to get NFSv4 with Kerberos to work on diskless clients.
   (<URL:http://lists.debian.org/debian-edu/2011/02/msg00137.html>)
>
> I do not like to file bugs in this stage of testing, any better ideas?
>
I think for now reporting 'unknown' failures to the list is
enough. The bug reporting causes too much overhead at this early
stage.  

Best regards,

 Andi


Archive: http://lists.debian.org/20110218154648.GA7303@flashgordon



Re: Bug#613167: /etc/hosts on Diskless Clients

2011-02-18 Thread Andreas B. Mundt
X-Debbugs-Cc: vagr...@debian.org

Hi,

On Wed, Feb 16, 2011 at 09:59:44PM +0100, Wolfgang Schweer wrote:
> On Mi, 16 Feb 2011, Andreas B. Mundt wrote:
>
>> to get Diskless Clients work with Kerberos we first have to find a way
>> to modify the entries in /etc/hosts.
>>
>> Currently, there is an entry:
>>
>> 10.0.2.2   server
>
> This entry is supposed to be written by /usr/share/ltsp/screen.d/ldm
> (inside the chroot - by default /opt/ltsp/i386)

Thanks for the pointer. With its help I found the following:

The 'server' looks like being hardcoded in the function configure_resolver()
defined in:  

 /opt/ltsp/i386/usr/share/ltsp/ltsp-init-common

Any ideas how to modify that entry easily?

Regards

Andi


Archive: http://lists.debian.org/20110218160347.GB7303@flashgordon



Re: SRV records can't point to CNAMEs

2011-02-18 Thread Andreas B. Mundt
Hi Petter,

I guess your help is needed on this issue ...

On Fri, Feb 18, 2011 at 12:09:04PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>> Is there a problem with that I've missed?
>
> I might be mistaken, but I believe the sssd setup script will actually
> look up the SRV entry and store the value it points to in its config
> file.  Thus it does not help to change the SRV entry in DNS after sssd
> has been configured, as the sssd client will continue to use the old
> value.
>
> The value is copied to ensure that the client tries to talk to the same
> servers even if it moves to a different network.
>

Can you elaborate a bit on the scripts that provide this
configuration?

I had a quick look at the find_ldap_server function in
share/perl5/Debian/Edu.pm (debian-edu-config) which is used in
debian-edu-ldapserver and fails on my workstation to provide the
correct ldap server (resulting in an almost complete failure of the
system). However, when I enter (on the workstation):

root@localhost:~# nslookup -type=srv _ldap._tcp.intern
Server: 127.0.0.1
Address:127.0.0.1#53

_ldap._tcp.intern   service = 100 0 389 tjener.intern.

I get the correct answer: LDAP is currently provided by
tjener.intern. 

Would it be possible to modify debian-edu-ldapserver and perhaps
corresponding tools to work with the provided SRV-records?

Best regards,

 Andi


Archive: http://lists.debian.org/20110218171204.GA14204@flashgordon



migrate users to debian-edu squeeze (was: Re: ldap: ou=group versus ou=groups)

2011-02-18 Thread Andreas B. Mundt
Hi,

On Tue, Feb 15, 2011 at 11:18:05PM +0100, Christian Kuelker wrote:
> On 02/15/2011 07:31 PM, Andreas B. Mundt wrote:
>> I think the best way to do the migration is completely independent of
>> all changes I proposed:
>
>> * Prepare a list (csv) of all users for every category you use:
>>   students, teachers, etc.
>
> Yes? At some schools the default database is indeed an external
> one. There this might be possible.
>
> However, for universities or large companies - where the users
> seldom change and large changes can be seen in LDAP, I always used
> the LDAP database as authoritative choice.

Sure, but it should be not too complicated to create a list of all
users from ldap.  

> Are you really suggesting to build a CSV file from a LDAP server to
> re-import that? Which LDAP attributes should be considered for the
> CSV file?

The simplest one is:

UID, GIVENNAME, SURNAME, PASSWD

one line per user. (You may create a random password for the last
column, print the list on paper, cut strips and hand every strip to
the corresponding user for the first login).

Now with this list, you use the LDAP-manager in GOsa. You are free to
add other attributes and you are able to choose which column has which
meaning. In addition, choose or prepare a template. The data is
applied to that template when imported.

>> * Prepare a (GOsa-) template for each category.
>
> Could you elaborate more on this?

A template in GOsa is a predefined 'user' which defines attributes
that are the same for all users. Currently there is a student and a
teacher template. They differ in group membership. To add a student,
the only thing you have to do is add his given and family name. The
uid is created (you can use %name etc. variables to fill some
attributes; currently for the uid
idGenerator={%givenName[3-6]}{%sn[3-6]} is used). Common attributes
for all users of one category (like default shell) are taken from the
template.

>> * Mass-create all users from the lists. For each category use the
>>   corresponding template.
>

Yes, that's it. Shouldn't be too much hassle.

Best regards,

Andi


Archive: http://lists.debian.org/20110218204927.GA28750@flashgordon
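The CSV-from-LDAP step sketched in this message, as an added example that is neither part of the thread nor debian-edu-config code: it reads an LDIF dump of ou=People, writes one CSV (UID, GIVENNAME, SURNAME, PASSWD) per template category with a random initial password per user, and reports the entries it could not place. The LDIF and the gidNumber-to-category mapping are constructed for the demonstration.

```python
"""Turn an LDIF export of the old ou=People subtree into the per-category CSV
files (UID, GIVENNAME, SURNAME, PASSWD) that GOsa's import expects, one file per
template category.  Added example, not debian-edu-config code; the LDIF and
the gidNumber-to-category mapping are constructed for the demonstration."""
import base64
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample, roughly what `ldapsearch -x -LLL -b ou=People,...` prints.
# Non-ASCII values appear base64-encoded after '::' in LDIF.
SAMPLE_LDIF = """\
dn: uid=pmuster,ou=People,dc=skole,dc=skolelinux,dc=no
uid: pmuster
givenName: Peter
sn: Muster
gidNumber: 1000

dn: uid=amueller,ou=People,dc=skole,dc=skolelinux,dc=no
uid: amueller
givenName: Anja
sn:: TcO8bGxlcg==
gidNumber: 1001

dn: uid=nofirstname,ou=People,dc=skole,dc=skolelinux,dc=no
uid: nofirstname
sn: Incomplete
gidNumber: 1000

dn: uid=super-admin,ou=People,dc=skole,dc=skolelinux,dc=no
uid: super-admin
sn: Administrator
gidNumber: 0
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value',
    'attr:: base64' and folded continuation lines starting with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line belongs to the previous one
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[attr.lower()].append(value)
    return entries


def random_password(length=10):
    """Initial password handed out on a paper strip; the user changes it at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_category_csvs(ldif_text, gid_to_category, password_length=10):
    """Return ({category: csv_text}, skipped_uids).  An entry is skipped when its
    primary group is not mapped to a category or a required attribute is missing."""
    buffers = {cat: io.StringIO() for cat in gid_to_category.values()}
    writers = {cat: csv.writer(buf) for cat, buf in buffers.items()}
    skipped = []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [""])[0]
        given = entry.get("givenname", [""])[0]
        sn = entry.get("sn", [""])[0]
        category = gid_to_category.get(entry.get("gidnumber", [""])[0])
        if not (uid and given and sn and category):
            skipped.append(uid or entry.get("dn", ["?"])[0])
            continue
        writers[category].writerow([uid, given, sn, random_password(password_length)])
    return {cat: buf.getvalue() for cat, buf in buffers.items()}, skipped


def csv_rows(csv_text):
    """Parse CSV text back into rows (for checking, or for printing the strips)."""
    return list(csv.reader(io.StringIO(csv_text)))


if __name__ == "__main__":
    csvs, skipped = build_category_csvs(SAMPLE_LDIF, {"1000": "students", "1001": "teachers"})
    for category, text in csvs.items():
        print(f"--- {category}.csv ---\n{text}")
    print("skipped:", skipped)
```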



Re: SRV records can't point to CNAMEs

2011-02-18 Thread Andreas B. Mundt
Hi Petter,

thanks for your reply:

On Fri, Feb 18, 2011 at 07:54:42PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>> Can you elaborate a bit on the scripts that provide this
>> configuration?
>
> See the postinst of the sssd package.
>
>> Would it be possible to modify debian-edu-ldapserver and perhaps
>> corresponding tools to work with the provided SRV-records?
>
> Sure, but it would break on sites where windows control the SRV
> records (required by Windows AD), and unix should not use AD as its
> LDAP server.  This is the setup at the University of Oslo, where
> debian-edu-ldapserver and friends work out of the box.

Hmm, I don't know how to fix this. To me it looks a bit like
sacrificing a clear and common DNS setup in favor of a very special 
setup (for which I don't know how to get Kerberos working).  This tuned
setup works out of the box at the University of Oslo in a special
environment, but causes hassle and confusion probably everywhere else.

Any ideas how to solve that and continue?

Best regards,

 Andi


Archive: http://lists.debian.org/20110218212955.GA29678@flashgordon



Re: DVD works again: please test, report and contribute to debian-edu-squeeze

2011-02-18 Thread Andreas B. Mundt
Hi,

On Fri, Feb 18, 2011 at 11:24:44PM +0100, Andreas Schockenhoff wrote:
> On Fri, 2011-02-18 at 16:46 +0100, Andreas B. Mundt wrote:
>> I installed a combined server and a workstation. I can start a
>> diskless machine and log in. The hostname is like the one I set in
>> GOsa.
> The diskless terminals work here in 10er and 192er net. They have
> their name static00 like I set this in gosa. IP
> The diskless boots work but show a lot of errors.
>
> But diskless workstations need the netgroup hack.
>
> I can not install over the network: partman hangs. May be a VirtualBox
> problem?

I don't have the partitioning errors (with KVM).
>
>> If I start the workstation, there is no way to log in, the hostname is
>> not set and other stuff fails too. So this is an issue.
> I can log in as root. :-) No DNS for hosts that I put with gosa in ldap.
> Also on tjener himself. host static00 not found.

Did you run ldap2bind after adding the machine?
>
> Diskless clients and workstations seem to get the name over DHCP?

Yes. I just explored that problem a bit more. Most if not all of the
DNS related errors after installation correspond to the failure of
debian-edu-ldapserver and/or the removal of the multiple A-records:
cf. <URL:http://lists.debian.org/debian-edu/2011/02/msg00179.html>
We can either change some scripts that expect multiple A-records or
make Kerberos work with this multiplicity.

>> I plan the following:
>>
>> 1) It would be great if someone can have a look at the DNS and DHCP
>>    setup. (Related is the SRV-record/A-record problem:
>>    <URL:http://lists.debian.org/debian-edu/2011/02/msg00160.html>)
>>
>> 2) Then of course we have to find the reasons for the error messages
>>    after installation. (If still there).

> May be it is a gosa to ldap problem because tjeners dns seems to be OK.

See above, ldap2bind ?! (A cron job does this every hour and at boot).

Good night,

 Andi


Archive: http://lists.debian.org/20110218223920.GA4013@flashgordon



Re: SRV records can't point to CNAMEs (Was: r73002 - in trunk/src/debian-edu-config: debian etc/bind ldap-bootstrap)

2011-02-17 Thread Andreas B. Mundt
On Thu, Feb 17, 2011 at 06:03:02PM +0100, Petter Reinholdtsen wrote:
>
> [Andreas B. Mundt]
>> Remove duplicate A-records from DNS configuration to make sure the
>> reverse address mapping needed for reliably issuing a Kerberos service
>> ticket works.  To move services to another machine, add the machine to
>> DNS, remove the CNAME-record(s) and modify the service record(s) to
>> point to that new machine.
>> (Cf. <URL:http://lists.debian.org/debian-edu/2011/01/msg00041.html> and
>> thread).
>
> DNS does not allow SRV records to point to CNAME entries.  To avoid
> breaking the DNS specification, a different solution is needed.
>

That's why I changed them pointing to tjener.intern, the machine where
the service is actually running after the default installation.

To move services to other machines, these pointers have to be changed
accordingly. (With multiple A-records in place, you have to modify the
A-records and PTR-records to correspond to the new machine. In that
case you can leave the SRV-records untouched. Now you have to add the
PTR- and A-record to the new machine, remove the CNAME and modify the
SRV-record to point to that new machine.)

Is there a problem with that I've missed? 
 
Regards,

Andi


Archive: http://lists.debian.org/20110217191331.GA30460@flashgordon
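The record discipline argued over in this thread (SRV targets must not be CNAMEs, and the reverse mapping Kerberos needs requires one name per address), together with the move-a-service procedure from the reply above, as an added example that is neither debian-edu-config code nor anything posted in the thread. It is a small zone lint over constructed zone data; only a tiny subset of zone-file syntax is handled, and the names and addresses are made up.

```python
"""Lint a small BIND-style zone for the DNS problems discussed in the thread.
Added example, not debian-edu-config code; the zone data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed zones.  The first one has the three problems under discussion:
# a second A-record (ldap) sharing tjener's address, an SRV record pointing
# at a CNAME, and consequently a missing PTR for one of the names.
ZONE_BEFORE = """
$ORIGIN intern.
@               IN SOA   tjener.intern. root.intern. 1 3600 900 604800 3600
tjener          IN A     10.0.2.2
ldap            IN A     10.0.2.2      ; duplicate A-record
kerberos        IN CNAME tjener
_ldap._tcp      IN SRV   100 0 389 ldap
_kerberos._udp  IN SRV   100 0 88  kerberos   ; SRV -> CNAME, not allowed
"""
# The layout described in the reply: aliases stay CNAMEs, SRV records point
# at the machine that actually runs the service.
ZONE_AFTER = """
$ORIGIN intern.
@               IN SOA   tjener.intern. root.intern. 2 3600 900 604800 3600
tjener          IN A     10.0.2.2
ldap            IN CNAME tjener
kerberos        IN CNAME tjener
_ldap._tcp      IN SRV   100 0 389 tjener
_kerberos._udp  IN SRV   100 0 88  tjener
"""
REVERSE_ZONE = """
$ORIGIN 2.0.10.in-addr.arpa.
2               IN PTR   tjener.intern.
"""


def qualify(name, origin):
    """Make a zone-file name fully qualified (lowercase, no trailing dot)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return {owner: {rtype: [rdata, ...]}}.  Handles 'owner [IN] type rdata'
    lines with ';' comments; $-directives and TTL fields are not supported."""
    origin = origin.rstrip(".").lower()
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if fields[1].upper() == "IN":
            del fields[1]
        owner, rtype, rdata = qualify(fields[0], origin), fields[1].upper(), fields[2:]
        if rtype in ("CNAME", "PTR"):          # rdata is a single name
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SRV":                   # priority weight port target
            rdata = rdata[:3] + [qualify(rdata[3], origin)]
        records[owner][rtype].append(rdata)
    return records


def lint(forward, reverse):
    """Return a list of problem descriptions (empty when the zones are clean)."""
    problems = []
    for owner, bytype in forward.items():
        for _prio, _weight, _port, target in bytype.get("SRV", []):
            if "CNAME" in forward.get(target, {}):
                problems.append(f"{owner}: SRV target {target} is a CNAME (RFC 2782 forbids this)")
            elif "A" not in forward.get(target, {}):
                problems.append(f"{owner}: SRV target {target} has no A record")
    names_by_ip = defaultdict(list)
    for owner, bytype in forward.items():
        for (ip,) in bytype.get("A", []):
            names_by_ip[ip].append(owner)
    for ip, names in names_by_ip.items():
        if len(names) > 1:
            problems.append(f"{ip}: shared by {sorted(names)}; a reverse lookup returns only one name")
        rev_name = ipaddress.ip_address(ip).reverse_pointer
        ptr_targets = [t for (t,) in reverse.get(rev_name, {}).get("PTR", [])]
        for name in names:
            if name not in ptr_targets:
                problems.append(f"{name}: no PTR for {ip}; Kerberos reverse mapping fails")
    return problems


def move_service(forward, reverse, srv_owner, alias, new_host, new_ip):
    """The procedure from the reply: add A and PTR records for the new machine,
    drop the CNAME alias, and re-point the SRV record at the new machine."""
    forward[new_host]["A"].append([new_ip])
    reverse[ipaddress.ip_address(new_ip).reverse_pointer]["PTR"].append([new_host])
    forward[alias].pop("CNAME", None)
    for rdata in forward[srv_owner]["SRV"]:
        rdata[3] = new_host


if __name__ == "__main__":
    rev = parse_zone(REVERSE_ZONE, "2.0.10.in-addr.arpa")
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for problem in lint(parse_zone(zone, "intern"), rev) or ["clean"]:
            print(f"{label}: {problem}")
```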



Bug#602859: netgroup support for gosa

2011-02-16 Thread Andreas B. Mundt
Hey,

concerning the netgroups in GOsa, here's a collection of stuff that
might help as a starter:

Very basic draft patch (no creation of any netgroups, just adding
machines to existing ones):
 <URL:http://lists.debian.org/debian-edu/2010/04/msg00124.html>

Comment from Cajus:
 <URL:https://oss.gonicus.de/pipermail/gosa/2010-May/004547.html>

Perhaps it's possible to cooperate with the GOsa people; Benoit (on
freenode irc 'gosa') might know if there are already activities/how to
contribute etc. IIRC they also have a repository for contributions.

Best regards,

 Andi





Archive: http://lists.debian.org/20110216124329.GA8534@flashgordon



Bug#613167: /etc/hosts on Diskless Clients

2011-02-16 Thread Andreas B. Mundt
Hi,

to get Diskless Clients work with Kerberos we first have to find a way
to modify the entries in /etc/hosts.

Currently, there is an entry: 

10.0.2.2   server  

which spoils Kerberos (error messages about for example
ldap/server@INTERN service tickets not being available). 

I tried to find a way to change this by editing a variable in
lts.conf, but without success (the same after considering 'man
lts.conf').

Any help or pointers are appreciated,

Andi



Archive: http://lists.debian.org/20110216144632.GA17555@flashgordon



DVD works again: please test, report and contribute to debian-edu-squeeze

2011-02-16 Thread Andreas B. Mundt
Hi all,

I am happy to report that the latest test-DVD of our forthcoming
debian-edu-squeeze release is ready for testing. It includes Kerberos
user (and mail) authorization, GOsa as LDAP admin tool and bind as
DNS. The home directory is distributed via NFSv4.

You can rsync your DVD with:  

rsync -avzP ftp.skolelinux.org::cd-squeeze-test-dvd/debian-edu-amd64-i386-DVD-1.iso debian-edu-DVD-1-squeeze.iso

It's the first time that all these components work together in our
setup, so don't expect a perfect system yet. However, please test and
report issues, in order to make polishing the setup easier. 

To work around the (yet) missing netgroup support, modify /etc/exports
to allow all hosts (replace @netgroup by a *) if you need home
directories mounted.

If all goes well, we hopefully can prepare a release candidate soon,
perhaps with netgroup support and Kerberos NFSv4. 

Happy testing,

  Andi


Archive: http://lists.debian.org/20110216221048.GA14862@flashgordon



ldap: ou=group versus ou=groups

2011-02-15 Thread Andreas B. Mundt
Hi,

in the process of overhauling the ldap tree, I am thinking about
renaming ou=group to ou=groups in order to better reflect the plural
form. 

I don't know why ou=group was chosen, perhaps because the expired and
in the meantime deleted RFC2307bis used ou=group in an example. I
cannot imagine that using ou=group or ou=groups makes any difference
for storing our POSIX groups, but from what I have seen, it looks as
if using ou=groups is more common and the linguistically correct form.

The change is not worth an argument, but I think as we need to make
some changes in ldap with the upcoming release anyway, we should use
that chance to also improve that little thing.

Neither using ou=groups nor ou=group is a big deal, but we have to
live for some (hopefully long) time with what we choose now ... 

What do you think?  

Best regards,

   Andi


-- 
Archive: http://lists.debian.org/20110215095811.GA4282@flashgordon



Re: ldap: ou=group versus ou=groups

2011-02-15 Thread Andreas B. Mundt
On Tue, Feb 15, 2011 at 11:18:25AM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>> I don't know why ou=group was chosen,
>
> It was selected because it is the proposal in the only known document
> proposing a standardized LDAP structure, the draft available from
> URL:http://tools.ietf.org/html/draft-howard-rfc2307bis-02.  I saw no
> need to divert from this proposal.

Yeah, I looked into that too, but I think it's really just an example.
I don't think using ou=group or ou=groups is of any technical relevance.

>> I cannot imagine that using ou=group or ou=groups makes any
>> difference for storing our POSIX groups, but from what I have seen,
>> it looks as if using ou=groups is more common and the linguistically
>> correct form.
>
> How do you determine that ou=groups is more common?

From books, mails, examples:

> At the University of Oslo, cn=filegroups and cn=netgroups are used.

:) cn=filegroups and cn=netgroups, both with the plural 's' ...

> The former represent the cn=group subtree in Skolelinux.  In
> db.debian.org, file groups are stored in the ou=users subtree.

... ou=user_s_

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20110215105622.GA10981@flashgordon



Re: Is this package relevant for Debian-edu Squeeze?: slapd-smbk5pwd

2011-02-15 Thread Andreas B. Mundt
Hi Jonas,

On Mon, Feb 14, 2011 at 09:33:12PM +0100, Jonas Smedegaard wrote:

> Just stumbled across the package slapd-smbk5pwd, which is also
> available in Debian Squeeze.
>
> Could those of you knowledgeable in Samba and Kerberos check it out?
>
> Seems potentially beneficial to use (and disable similar routines in
> high-level tools like GoSA and CipUX!) to have passwords in sync
> always, not only when using high-level admin tools.


Yes, the package is well-known. However, it is for Heimdal Kerberos
(which was missing other features when I compared Heimdal to MIT
Kerberos). Currently MIT Kerberos is used in debian-edu.

Veli-Matti Lintu prepared something comparable for MIT Kerberos
IIRC, but it is not (yet?) available in Debian.

Regards,

Andi 

 


-- 
Archive: http://lists.debian.org/20110215170023.GA4704@flashgordon



Re: ldap: ou=group versus ou=groups

2011-02-15 Thread Andreas B. Mundt
Hi again,

some more (and partially general) thoughts ...

On Tue, Feb 15, 2011 at 12:40:31PM +0100, Christian Kuelker wrote:
> On 02/15/2011 11:18 AM, Petter Reinholdtsen wrote:
>> I believe we should leave it unchanged unless we have a good reason to
>> change it.
>
> Every change in an LDAP DIT causes drain of human man power. Admins
> or maintenance contractors have to work more for using continuously
> Skolelinux. Migration scripts have to be written any way, but the s
> add some extra minutes of writing, testing, verifying ... Which
> leads to demotivation and less acceptance.

I think the best way to do the migration is completely independent of
all changes I proposed: 

* Prepare a list (csv) of all users for every category you use:
  students, teachers, etc.

* Prepare a (GOsa-) template for each category. 

* Mass-create all users from the lists. For each category use the
  corresponding template.  

I cannot imagine a more efficient way to do that, and if we want to
avoid that way and have it simpler we need to revert all the 'new
stuff' (Kerberos, GOsa) which has been developed since lenny.

> If a change is necessary due to technical reasons, this unavoidable
> drain of man power is mostly accepted.
>
> However if the cause is just a normative rule (that plural looks
> better) it is hard to justify to use man power for a Debian Pure
> Blend that is not respecting the time of others.

Well, where do you draw the line? It is now the chance to make these
changes (and in my opinion without extra minutes for the 's'). This
chance will not come again soon (hopefully). The missing 's' will be
missing forever. If every second school in the world uses debian-edu
;-) it will be too late, but the missing 's' will be still annoying
(at least to some). 

It's clear that backwards compatibility is important. You have to
compare what you gain with the work you create (especially for
others). My point of view is for sure the one of a developer not being
the one who has to do the migration (but maybe this changes soon...).

But I think (and made the experience when working on debian-edu), that
after quite some years since the beginning of skolelinux,  here and
there cruft has built up. It's time to refurbish some things. This may
cause a bit more work for now (not the 's'), but will in the end
lead to a more attractive and better maintainable system. And this is
true for maintainers, developers as well as for our users in the
schools.  

If you are too conservative, the next generation will one day
overtake you.

Best Regards,

 Andi


-- 
Archive: http://lists.debian.org/20110215183157.GA9023@flashgordon



Re: NFS4 and Kerberos (next steps)

2011-01-12 Thread Andreas B. Mundt
Hi Mike,

On Tue, Jan 11, 2011 at 11:20:15PM +0100, Mike Gabriel wrote:
> On So 09 Jan 2011 10:29:52 CET Andreas B. Mundt wrote:
>> On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
>> [...]
>>> Here is what I will do next:
>>>
>>> 1)
>>>
>>>   o I have a Debian server setup in the cloud for my ,,company''
>>>     with a working NFSv4+Kerberos server setup
>>>   o I have installed a Debian SID in the cloud today that I will
>>>     integrate as NFSv4 client with sec=krb5p
>>>   o I will document all steps needed, this would be pure Debian then...
>>
>> OK.
>
> here are the test results for attaching a new NFS4+Krb5 client to a
> working server:
>
>   o standard Debian squeeze install
>   o extra packages: nfs-common krb5-user libnss-ldapd nslcd
>   o during install of the above packages...
>     - libnss/LDAP gets configured
>     - use LDAP for libnss services: passwd, group (not shadow)
>     - libpam/LDAP gets configured (not needed for pure NFSv4+Krb5)
>     - krb5.conf gets configured
>   o krb5.conf
>     - add ,,allow_weak_crypt = true'' under [libdefaults]
>     - add ,,default_domain'' option to the realm definition (section
>       [realms]):
>
>         INTERN = {
>             kdc = tjener.intern
>             default_domain = intern
>             admin_server = tjener.intern
>         }
>
>     - add domain2realm mapping to section [domain_realm]
>
>         .intern = INTERN
>         intern = INTERN
>
>     - add section ,,logging'' (I quite like that):
>
>         [logging]
>           kdc = FILE:/var/log/krb5kdc.log
>           admin_server = FILE:/var/log/kadmin.log
>           default = FILE:/var/log/krb5lib.log

OK, so far it looks like we do the same ...
 
>   o /etc/default/nfs-common:
>
>         NEED_IDMAPD=yes
>         NEED_GSSD=yes


  
That's the stuff we will see with the next d-e-c package upload. 

>   o idmapd.conf: replace line
>
>         Domain = localdomain
>
>     for Skolelinux replace with domain name ,,intern''
>
>         Domain = intern

^
Not yet implemented iirc, is this really needed?

>   o Make sure time between KDC and NFS client is in sync (ntp)!
>   o DNS Resolve of NFS Client FQDN:
>
>     ;; ANSWER SECTION:
>     dhcp001.intern. 83684  IN  A   10.0.2.101
>
>   o Reverse DNS Resolve of NFS Client IP
>
>     101.2.0.10.in-addr.arpa domain name pointer dhcp001.intern.
>
>   o For the KDC server / NFS Server DNS (Rev)Resolve must function in the same
>     way...
>
> These were the preparations... Now we come to the mount process and
> its preparations...
>
>
> ALL STEPS TAKE PLACE ON THE CLIENT AS USER ROOT
>
> 1.
> make sure NFS idmapd has read its new config:
> /etc/init.d/nfs-common restart
>
> 2.
> create and add the NFS service principal to local krb5.keytab file
> (on the client dhcp001.intern), on my server I have a Kerberos
> policy called ,,service''...
>
> kinit admin/admin
> kadmin -q "add_principal -policy service -randkey nfs/dhcp001.intern"
> kadmin -q "ktadd -k /etc/krb5.keytab nfs/dhcp001.intern"
>
> - a host/dhcp001.intern principal is not needed!!!
>
> - kadmin supports the option ,,-t keytabfile''. With that, kadmin's
>   password prompt could be avoided.
>
> 3.
> As root, a test mount:
> mount -tnfs4 -o sec=krb5p tjener.intern:/skole/tjener/home0 /mnt
>
> 4.
> Try
>
>   ls -al /mnt - should show home directories (with correct user id and group
>    id mappings)
>   cd /mnt/user - will fail... (Access denied)
>
> Then do (as root...):
>
>   su - user
>   kinit user
>
> Now try (as user, still in su shell):
>
>   cd /mnt/user - should work
>   ls -al /mnt/user - should also work

 

Ok, that's where I'm currently stuck. I think this procedure works
already here (but have to check systematically again).

What makes problems right now afaics is: 

 1) the combination with the automounter (worked/stopped working,
 strange things, not clear what changed, etc. => check
 systematically, only gave it a first try so far).

 2) login from kdm/gdm: The home dir is mounted (automounter) but
 not writable yet (not the case for sec=sys), so for (sec=krb5X)
 processes that try to write files complain and the user logging
 in is logged out again immediately. I tried  to modify the
 configuration of kdm/Xsession to write files to other
 directories, but it did not help so far: Error: cannot create
 ~/.dbus  or something like that was the last issue iirc.  

I am busy the next days, don't know when I can continue testing.

 
> Factors that do and do not matter with MIT Kerberos5:
> -
>
>   o /etc/hostname can contain a string that is different from the DNS hostname
>   o no host/dnsname host principal keytab file is needed on the client
>   o but a nfs/dnsname service principal keytab file
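
Most of the items in Mike's checklist above (realm and domain_realm
mapping in krb5.conf, the idmapd Domain, clock sync with the KDC,
forward and reverse DNS agreeing on the client's FQDN, and an
nfs/<fqdn> key in /etc/krb5.keytab) fail silently at mount time. The
following is an added example, not code from the list or from
debian-edu-config: it parses a krb5.conf in MIT's format and checks a
client against that list offline. The sample krb5.conf, the `klist -k`
listing and the DNS answers are constructed from the values in the
mail (dhcp001.intern at 10.0.2.101, realm INTERN, KDC tjener.intern);
the 300 s skew limit is MIT's default clockskew.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inputs, modelled on the values in the mail above
# (client dhcp001.intern at 10.0.2.101, realm INTERN, KDC tjener.intern).
KRB5_CONF = """\
[libdefaults]
    default_realm = INTERN
    allow_weak_crypto = true

[realms]
    INTERN = {
        kdc = tjener.intern
        default_domain = intern
        admin_server = tjener.intern
    }

[domain_realm]
    .intern = INTERN
    intern = INTERN
"""

# Constructed `klist -k /etc/krb5.keytab` output on the client.
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
   2 nfs/dhcp001.intern@INTERN
"""

# Constructed forward and reverse answers (what `host` returned in the mail).
A_RECORDS = {"dhcp001.intern": "10.0.2.101", "tjener.intern": "10.0.2.2"}
PTR_RECORDS = {"10.0.2.101": "dhcp001.intern", "10.0.2.2": "tjener.intern"}


def parse_krb5_conf(text):
    """Parse MIT krb5.conf: [section], key = value, key = { nested block }."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sect = re.fullmatch(r"\[(\w+)\]", line)
        if sect:
            stack = [conf.setdefault(sect.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def keytab_principals(klist_output):
    """Principal names from `klist -k` output (KVNO column, then principal)."""
    return set(re.findall(r"^\s*\d+\s+(\S+)$", klist_output, re.M))


def realm_for_host(conf, fqdn):
    """[domain_realm] lookup as MIT does it: exact host, then parent domains."""
    mapping = conf.get("domain_realm", {})
    if fqdn in mapping:
        return mapping[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def preflight(fqdn, ip, conf, keytab, a_records, ptr_records,
              client_time, kdc_time, idmapd_domain, max_skew=timedelta(seconds=300)):
    """Return a list of problems that would make `mount -o sec=krb5p` fail."""
    problems = []
    realm = realm_for_host(conf, fqdn)
    if realm is None:
        problems.append("no [domain_realm] mapping or default_realm for " + fqdn)
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append("no kdc configured for realm " + realm)
    if a_records.get(fqdn) != ip:
        problems.append("forward DNS for %s is %s, not %s" % (fqdn, a_records.get(fqdn), ip))
    if ptr_records.get(ip) != fqdn:
        problems.append("reverse DNS for %s is %s, not %s" % (ip, ptr_records.get(ip), fqdn))
    wanted = "nfs/%s@%s" % (fqdn, realm)
    if wanted not in keytab:
        problems.append("keytab has no key for " + wanted)
    if abs(client_time - kdc_time) > max_skew:  # MIT default clockskew is 300 s
        problems.append("clock skew to KDC exceeds %d s" % max_skew.total_seconds())
    if idmapd_domain != fqdn.split(".", 1)[1]:
        problems.append("idmapd Domain=%s does not match %s" % (idmapd_domain, fqdn))
    return problems


def check_dhcp001(idmapd_domain="intern", skew=0, ptr=PTR_RECORDS):
    """Run the preflight for the constructed client; skew is seconds off the KDC."""
    now = datetime(2011, 1, 12, 9, 0, tzinfo=timezone.utc)
    return preflight("dhcp001.intern", "10.0.2.101", parse_krb5_conf(KRB5_CONF),
                     keytab_principals(KLIST_K), A_RECORDS, ptr, now,
                     now + timedelta(seconds=skew), idmapd_domain)


if __name__ == "__main__":
    for p in check_dhcp001() or ["client dhcp001.intern looks ready for sec=krb5p"]:
        print(p)
```

On a real client the constructed inputs would be replaced by reading
/etc/krb5.conf, running `klist -k`, `host <fqdn>`, `host <ip>` and
comparing the clock against the KDC; the checks themselves stay the
same. Note that the idmapd Domain check is there because the mail asks
whether it is needed: with NFSv4 the user@domain strings that idmapd
maps must agree on both ends, otherwise listings show nobody/nogroup.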

Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

2011-01-10 Thread Andreas B. Mundt
Hi Petter,

I don't want to discuss the technical points, but:
 
On Sun, Jan 09, 2011 at 10:40:18PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>> So I conclude, that the current DNS setup, as a mixture of ldap
>> objects prepared for bind with extra attributes to make powerDNS
>> (sort of) work, is broken.
>
> It is not quite as you expect it to be, but I would not go as far as
> claiming it is broken.  It was broken and the installation failed
> completely (DNS failed to look up any info in LDAP) after you replaced
> the original powerdns tree with the gosa dns setup tree, but as you
> have noticed, I adjusted the gosa tree to get it to work again with
> powerdns.

 

I have the greatest respect for your work and experience, and all the
time you have devoted to debian-edu. Without that, skolelinux would
not be where and what it is today. By calling the setup broken, I
did in no way want to decry the quality of your work. 

However, you blame me here for breaking stuff and caring a shit about
it. The changes you probably mean can be found here, committed on
2010-11-10: 
http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/ldap-tools/?rev=71084sc=1

Two days before that commit, on 2010-11-09, we had an irc meeting where
we discussed how to proceed. 
http://lists.debian.org/debian-edu/2010/11/msg00090.html
(The discussion/decision that we continue with GOsa was even earlier
around 2010-10-20). 
In the meeting I clearly stated: <and1bm> I do not have the time to
work on the pdns issue (and I am not sure if it's that easy).

Already on 2010-10-29, about two weeks before the commit, I provided
the solution to solve the DNS problem with packages available in
Debian and minimal modifications as repeated yesterday:
http://lists.debian.org/debian-edu/2010/10/msg00209.html

What should I have done instead of committing the changes? 
Waiting for the implementation of powerDNS in general? 
Doesn't the commit also pave the way to start with the powerDNS
implementation on the problem itself and on other improvements?

[...]
 
>> With such a system, it's extremely hard to stay motivated, because
>> you waste your time fixing things that are known not to work
>> properly instead of really being able to test new things.
>
> Yes, but I managed to stay motivated anyway, even if you broke the
> installation by inserting a DNS LDAP tree that did not work with the
> packages we install.

If this is taken as an argument, I hope debian-edu does not evolve
into some kind of intellectual masochism-club.
 
Please compare with my comment above. The solution was provided way in
advance. If it's not acceptable and technical arguments are not really
convincing (at least not for the temporary solution, if not at all), I
don't see it as my job (and I clearly expressed that, see also above)
to provide the solution that suits you. 

> I hope you will manage the same, and keep up
> your good work while testing changes and ensuring that the
> installation keep working.

Well, I have to say that in my daily work (that started today again,
btw), I have already a sufficiently high frustration potential, and I
don't think it's a good idea to further increase that in my spare
time. (It's already above the point where it can be seen as a good
exercise to push that level).

[...]

> Part of the reason we went with powerdns is that it fetches
> information directly from LDAP, so changes done to LDAP take effect
> immediately.  A reason we moved the DNS from files to LDAP is to allow
> dynamic updates of DNS information without having to edit other
> packages conffiles to easy upgrades and stay within the Debian policy
> requirements.

I don't see the need for immediate updates. In most schools the system
will be set up and not changed that often.
The Debian Policy is a rather funny argument. There is a directory
full of cf-rules that violates this policy. But we pick probably one
of the most minor issues (adding a line in a config-file that includes
another file; isn't that almost .d-directory-like?) and use it to
promote source-code modification of packages. Or the use of modified
extra packages not in Debian. 

I wished we could use the time and energy spent for these discussions
to work on technical problems the violation of Debian Policy (and
that's the reason for the Policy) causes.

However, I am looking forward to the time where powerDNS works nicely
in combination with GOsa. 

Best regards,

 Andi


-- 
Archive: http://lists.debian.org/20110110191208.ga7...@flashgordon



Re: NFS4 and Kerberos (next steps)

2011-01-09 Thread Andreas B. Mundt
Hi Mike,

On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
[...]
> Here is what I will do next:
>
> 1)
>
>   o I have a Debian server setup in the cloud for my ,,company''
>     with a working NFSv4+Kerberos server setup
>   o I have installed a Debian SID in the cloud today that I will integrate as
>     NFSv4 client with sec=krb5p
>   o I will document all steps needed, this would be pure Debian then...

OK.
 
> 2)
>
>   o I will install a squeeze TJENER and a squeeze Debian Edu client and I will
>     take a look at the NFSv4+Kerberos setup in particular
>   o I will test the already present NFSv4 and Kerberos stuff (not for all
>     services, only for the core stuff: PAM, libnss, autofs, ...)
>   o I will try to manually configure the steps needed for finishing what might
>     be missing and document those.
>   o I will also post aspects that I would approach differently

Great!

> Concerning NFSv4+Krb5 I would like to focus on the basic service
> level for now and I will add test modifications to LDAP by hand. If
> the needed fixes and modifications or extensions and the workflow
> during installation starts crystallizing out I think then we should
> take a look at Gosa and maybe CipUX integration.
>
> Does this make sense? Any other suggestions/recommendations/preferences?
 
That's fantastic news! Let me just add what I did so far to give
you another idea of the status here:

I played a bit with the system yesterday. Beside the committed changes
I tested the kerberized services ldap (ldapwhoami -Y GSSAPI), exim and
dovecot (by sending/receiving mail). They still seem to work, at least
on tjener itself: I got a ldap/tjener.intern, smtp/tjener.intern and
imap/tjener.intern service ticket. I was also able to mount the NFS4
share with krb5p enabled (by adding tjener:/ /mnt nfs4 user,sec=krb5p
0 0 to fstab and doing the usual manual mount as unprivileged user). 
Great stuff: The directory is mounted (service no ticket yet), but as
soon as I access it, the nfs/tjener.intern ticket is there :).

After that, I thought how to improve adding machines in GOsa, it would
be good to find the MAC of new machines automatically. This is
implemented in gosa-si (with a service daemon (?)), but we do not have
that in Debian yet. However, the sitesummary program also collects
information about the machines in the net
(see /var/lib/sitesummary/entries/), and perhaps it's possible to use
that (I guess with gosa-si there is a ou=incoming in ldap which can
be used, but if we want to do something like that perhaps let's better
ask the GOsa people how it is intended to work.)

Ok. I'm just installing a workstation to check if things work there
too. 

Happy testing,
best regards,

 Andi


-- 
Archive: http://lists.debian.org/20110109092952.ga3...@flashgordon



Re: Testing changes to Debian Edu SVN

2011-01-09 Thread Andreas B. Mundt
Hi,

On Sun, Jan 09, 2011 at 12:15:34AM +0100, Mike Gabriel wrote:
> I have a question about testing Debian Edu squeeze, esp. changes to
> Debian Edu SVN that concern the installation process of Debian Edu.
>
> Currently, if I want to test changes to Debian Edu, esp. the
> installation process, I have to download another daily built ISO
> (4.4G or 600M for the NETINST image) and re-install my system. This
> feels rather archaic... Is there a smarter way?
>
> Hints and ideas are very welcome,
> Mike
 

What I do is rsyncing the DVD image. This happens usually in an
acceptable time frame. 

However, the installation of a Workstation (especially with LTSP)
takes another couple of hours. Sooner or later we should perhaps think
about ways to reduce that, absolutely.
(URL:http://lists.debian.org/debian-edu/2010/12/msg00139.html)

Perhaps providing a base version without any educational packages as
install option? 

Another really good thing for testing: With the command:
etckeeper vcs diff
You can figure out what you changed when modifying the system (but no
ldap entries etc. of course).  

Cheers,

Andi
 


-- 
Archive: http://lists.debian.org/20110109094534.gb3...@flashgordon



DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

2011-01-09 Thread Andreas B. Mundt
Hi again,

concerning the strange results which I attributed to multiple A-records,
I found something new. I started to doubt our powerdns setup and
modifying it in ldap got annoying, so I switched over to bind instead[1].
 
After that, asking for DNS lookups changed. PowerDNS:

root@tjener:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.

With bind:

root@workstation01:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
root@workstation01:~# host ldap
ldap.intern has address 10.0.2.2
root@workstation01:~# host www
www.intern is an alias for tjener.intern.
tjener.intern has address 10.0.2.2

As you see, ldap is an A-record as before (I double checked in
/etc/bind/db.intern), however host 10.0.2.2 is resolved to only
tjener. So I conclude, that the current DNS setup, as a mixture of ldap
objects prepared for bind with extra attributes to make powerDNS (sort
of) work, is broken. In addition, there is absolutely no use of GOsa
with regard to DNS, as modifications are not accepted by GOsa with the
added powerDNS attributes. 

With such a system, it's extremely hard to stay motivated, because you
waste your time fixing things that are known not to work properly
instead of really being able to test new things.

I propose three choices: 

1) We move powerDNS to its own tree (as before) and switch off the
systems-stuff in GOsa. This means we don't have a GUI to make
changes, but hopefully a working DNS again that doesn't block all
other activities. 

2) We drop powerDNS and give bind a try. This means merely installing
bind instead of powerDNS, appending a line to a configuration file and
touching another one [1]. Regarding the simplicity, it could also be
considered as an intermediate solution until we have something else. 

3) Someone has time and volunteers to cooperate with Alejandro
(URL:http://lists.debian.org/debian-edu/2010/12/msg00117.html) to
implement powerDNS in GOsa properly. This should happen soon, because
the current broken system only leads to frustration.

So please comment on the issue. I think we should have other problems
than wasting time getting adventurous powerDNS/bind combinations
running, and the current situation is not acceptable.  

Best regards,

 Andi



[1] It's almost nothing that has to be done to use bind with the
current setup:

aptitude install bind9
aptitude install ldap2zone

# bind configuration: pull the zones generated from LDAP into bind's config
echo 'include "/etc/bind/named.conf.ldap2zone";' >> /etc/bind/named.conf.local
touch /etc/bind/named.conf.ldap2zone
ldap2bind

# check if anything makes sense:
less /etc/bind/db.intern
less /etc/bind/db.2.0.10.in-addr.arpa.



If anything is fine, switch off pdns (in /etc/default):

--- a/default/pdns-recursor
+++ b/default/pdns-recursor
@@ -1,5 +1,5 @@
 # Variables for PowerDNS recursor
 #
 # Set START to yes to start the pdns-recursor
-START=yes
+START=no
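
Review bot: START=no in /etc/default/pdns-recursor only keeps the init script from launching the recursor at the next boot; the recursor already running keeps port 53, so the bind9 installed in the steps above cannot bind it until the daemon is stopped as well. Suggest adding `invoke-rc.d pdns-recursor stop` next to this hunk so the switch takes effect on the running system and not only after a reboot.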

--- a/default/pdns
+++ b/default/pdns
@@ -1,5 +1,5 @@
# Variables for PowerDNS
#
# Whether you want to start PowerDNS automatically.
-START=yes
+START=no
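
Review bot: the same applies to this pdns hunk, and the recipe ends without a verification step; after `invoke-rc.d pdns stop` and `invoke-rc.d bind9 restart`, check that the answers now come from bind (the mail's own test, `host 10.0.2.2`, should return only tjener.intern) before clients are pointed at it, since a half-switched resolver produces the same multiple-PTR symptom this thread is chasing.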

http://lists.debian.org/debian-edu/2010/10/msg00209.html 


-- 
Archive: http://lists.debian.org/20110109205430.ga17...@flashgordon
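
Why the six PTR records matter for Kerberos, as an added example (not
code from the list or from debian-edu-config): an MIT client with the
default reverse-lookup canonicalization resolves the server name to an
address, then replaces the name by that address's PTR before building
the service principal. With bind's single PTR every client asks for
nfs/tjener.intern; with PowerDNS's six PTRs the name depends on which
PTR the resolver returns first, so tjener would have to hold an nfs/
key for each of the six names (or clients would have to disable the
reverse lookup). The DNS data below is constructed from the two `host`
outputs above; realm INTERN and service nfs are taken from the other
threads.

```python
# Constructed DNS data reproducing the two `host 10.0.2.2` answers in the mail:
# PowerDNS returned six PTR records for tjener's address, bind returns one.
PDNS = {
    "a": {n + ".intern": "10.0.2.2" for n in
          ["tjener", "kerberos", "ldap", "domain", "postoffice", "syslog"]},
    "cname": {},
    "ptr": {"10.0.2.2": ["tjener.intern", "kerberos.intern", "ldap.intern",
                         "domain.intern", "postoffice.intern", "syslog.intern"]},
}
BIND = {
    "a": {"tjener.intern": "10.0.2.2", "ldap.intern": "10.0.2.2"},
    "cname": {"www.intern": "tjener.intern"},
    "ptr": {"10.0.2.2": ["tjener.intern"]},
}


def canonical_hosts(name, dns, rdns=True):
    """Host names an MIT client may put into the principal when talking to `name`.

    Follow CNAMEs, take the A record, and (with rdns, MIT's default) replace the
    name by the PTR of that address.  When several PTRs exist, the resolver's
    ordering picks one, so every PTR is a possible outcome.
    """
    while name in dns["cname"]:
        name = dns["cname"][name]
    ip = dns["a"].get(name)
    if ip is None:
        raise LookupError("no A record for " + name)
    if not rdns:
        return {name}
    return set(dns["ptr"].get(ip) or [name])


def service_principals(service, name, realm, dns, rdns=True):
    """Every `service/host@REALM` the server must hold a key for."""
    return {"%s/%s@%s" % (service, h, realm) for h in canonical_hosts(name, dns, rdns)}


def missing_keys(keytab, service, name, realm, dns, rdns=True):
    """Principals a client might request that are absent from the server keytab."""
    return sorted(service_principals(service, name, realm, dns, rdns) - set(keytab))


if __name__ == "__main__":
    have = {"nfs/tjener.intern@INTERN"}          # what tjener's keytab holds
    print("bind:", missing_keys(have, "nfs", "tjener.intern", "INTERN", BIND))
    print("pdns:", missing_keys(have, "nfs", "tjener.intern", "INTERN", PDNS))
    print("pdns, no rdns:", missing_keys(have, "nfs", "tjener.intern", "INTERN", PDNS, rdns=False))
```

The bind case also shows why `host ldap` still returning an A record is
harmless: ldap.intern resolves to 10.0.2.2, whose only PTR is
tjener.intern, so a client mounting from ldap.intern still asks for
nfs/tjener.intern. Every extra key a server must keep is one more
secret to protect, which is the cost of the PowerDNS layout beyond the
mere confusion.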



LINBO and self-healing workstations

2011-01-08 Thread Andreas B. Mundt
Hi,

as we are just discussing future development, I would like to
understand the concept and the ideas behind LINBO and self-healing
workstations better. 

From a quick search I found that it is used to quickly (re-)install
workstations that are spoiled.

Ok, now I know from my system here at the local school (MS-XP
Musterlösung Baden-Württemberg) that there is need to make a clean
table at least every year where all user data and all accounts are
removed (and probably the whole system is set up again). However, this
system also doesn't allow users to use the command line, but you can
write your commands in a batch file and execute that, so I wouldn't
expect too much from its security aspects. 

However, I would have hoped that we can do better. Is it really on a
regular basis that machines are attacked and spoiled in the evil
school environment? How often does that happen? Where are the flaws
that allow compromising the machines, is there anything known about?

It is clear that a professional cracker can attack the system, but I
would expect that he can as easily attack infrastructure that is not 
self-healing like tjener (and thereby much more interesting). To live
with those crackers, I think the only way is to use the strategy of
the nightclub-owner: Ask (at least half of) the guys that cause you
troubles to make sure there is no trouble anymore. 

It would be nice if admins running the system under real conditions at
school can comment and help me getting off my naive and unrealistic 
attitude. 

Concerning the integration in Debian, it might be interesting to look
at something comparable (?) that just appeared these days from Michael
Prokop and team:
URL:http://michael-prokop.at/blog/2011/01/07/booting-iso-images-from-within-grub2/
Again, perhaps there is also a way to cooperate and work together.

Cheers,

Andi


-- 
Archive: http://lists.debian.org/20110108084043.ga2...@flashgordon



Re: NFS4 and Kerberos

2011-01-07 Thread Andreas B. Mundt
Hi,

On Thu, Jan 06, 2011 at 10:13:12PM +0100, Mike Gabriel wrote:
> Hi Andreas,
>
> On Do 06 Jan 2011 12:12:35 CET Andreas B. Mundt wrote:

[...]

> Each client needs a Kerberos setup as well. Is this also already
> coded somewhere? I am sorry that I cannot remember exactly which of
> the services (PAM, NFS, ...) was DNS and host principal critical,
> but a healthy Kerberos setup cannot be set up with host principals
> on every client. Same for NFS4 sec=krb5p or sec=krb5i.

 

The client setup is also implemented, iirc it only needs preseeding of
the corresponding Kerberos packages. (We might need to add a cf-rule
to have allow_weak_encryption = true in /etc/krb5.conf on the clients).

>> With this setup, users are authenticated to the system via a Kerberos
>> TGT, which works.
>
> I think PAM alone was quite handsome and did not require host
> principals when I set up my servers...
 

Iirc this is how it's done already. So far we have no (and need no) host
principals (only for the services on tjener).

[...]

>> My hope was, that by using Kerberos in combination with nfs4, the
>> machine management would simplify and we could get rid of IP- and
>> netgroup based security.
>
> What exactly do you mean by this netgroup based ,,security'' (please
> excuse that I have not dived into the details of the lenny-tjener
> that deep)?

see below

 
> The problem about NFSv3 or NFSv4 with sec=sys is: I come to some
> school with my linux netbook, create a local user account with a
> uidNumber of some interesting account on tjener and then I mount the
> user's home dir on my netbook with rw-access.
 

Take a look at 
URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes,
i.e. our exports file. If a machine wants to mount the home
directories, it first has to be added to a netgroup that allows
mounting the share. So if you walk into the school with your Laptop to
fake an identity on the net, it will not work the first time, because
your MAC address will be different from the machines in the netgroup
you need the membership of. The next day you walk into school you
will be better prepared, you modified the Laptop's MAC. Now, just
plug off the machine you got the MAC from and use your Laptop
instead with the nice user ID. I guess that's how current security is
thought to be. 

So using sec=sys in NFS4 is the same as using NFS3 now. It doesn't
help with the netgroups, but it also doesn't hurt.

> However, netgroups are really quite handy, because amongst others
> they allow the grouping of hosts in a way that can be pulled down on
> libnss level (with usage scenario e.g. with pam_access.so and
> /etc/security/access.conf). Whereas netgroups can help you to set up
> the on-site-systems in a versatile manner, it does not protect you
> against people bringing in their own devices (like my netbook).
>
>> (Which would also resolve the need for very
>> special administrative tools).
>
> Netgroups are not too special... but you may be right about Netgroup
> integration in WebGUI tools...
 

Yes, the GUI administration is the problem right now.

Do you have access to a debian-edu setup? Maybe if you want to take a
look, try a virtual setup with virt-manager + KVM (rsync the DVD image):
URL:http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall
You need about a 25GiB image for Tjener+LTSPserver.

Regards,

Andi


-- 
Archive: http://lists.debian.org/20110107094141.ga7...@flashgordon
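
The netgroup model described above (membership decided by a MAC that
can be cloned, and sec=sys letting the server believe whatever uid the
client sends) is exactly what sec=krb5p removes. As an added example,
not code from the list or from debian-edu-config, the script below
parses exports(5) lines and flags the ones that still rely on AUTH_SYS.
The sample lines are constructed in the spirit of cf.homes and of the
"@netgroup -> *" test workaround mentioned on the list; the netgroup
name nfs-clients and the /srv/public export are assumptions.

```python
import re

# Constructed /etc/exports lines, modelled on the netgroup-based exports in
# cf.homes and on the "@netgroup -> *" test workaround mentioned on the list.
EXPORTS = """\
# current style: the netgroup decides who may mount, NFS trusts the client's uids
/skole/tjener/home0  @nfs-clients(rw,async,no_subtree_check)
# test workaround: any host may mount, still sec=sys
/skole/tjener/home0  *(rw,async,no_subtree_check)
# Kerberos only: the user's ticket, not the client's uid, decides
/skole/tjener/home0  @nfs-clients(rw,async,no_subtree_check,sec=krb5p)
/srv/public          *(ro,sec=krb5i:krb5p)
"""

CLIENT = re.compile(r"^([^(\s]+)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return (path, client, options) for every client spec in exports(5) syntax."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT.match(token)
            if not m:
                raise ValueError("cannot parse client spec: " + token)
            options = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, value = opt.partition("=")
                options[key] = value or True
            entries.append((path, m.group(1), options))
    return entries


def audit_exports(entries):
    """Findings (path, client, reason) for exports that rely on AUTH_SYS."""
    findings = []
    for path, client, opts in entries:
        sec = opts.get("sec")
        flavors = sec.split(":") if isinstance(sec, str) else ["sys"]  # exports default
        if "sys" in flavors:
            findings.append((path, client,
                             "sec=sys: the server believes whatever uid the client sends, "
                             "so a host that gets into the netgroup (e.g. by cloning a MAC) "
                             "can act as any user"))
            if client == "*":
                findings.append((path, client,
                                 "wildcard host with sec=sys: no host restriction at all"))
        if "krb5" in flavors:
            findings.append((path, client,
                             "sec=krb5 authenticates only; use krb5i or krb5p so traffic "
                             "cannot be altered or read on the wire"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(parse_exports(EXPORTS)):
        print("%-22s %-16s %s" % (path, client, reason))
```

Run against a real /etc/exports the script gives a quick list of which
shares still need the netgroup as their only line of defence. Note
that `sec=krb5i:krb5p` lets a client choose either flavour and the
wildcard host is then acceptable, because the user has to present a
ticket anyway; `*` with sec=sys is the combination the mail's
"@netgroup -> *" workaround creates and should never leave a test box.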


