upgrade the old hook fetch-ldap-cert will be left behind and
lead to errors because the init script it tries to start no longer exists.
The old hook should probably be removed by a maintainer script.
--
Guido Berhoerster
du-config/-/merge_requests/28
The fix is only applicable for unstable and cannot be backported to bookworm.
--
Guido Berhoerster
,
however for trixie we should reconsider the dependencies, i.e. use a
common approach where the current debian-edu-artwork is renamed to
debian-edu-artwork-common and each subpackage provides a virtual package
debian-edu-artwork and depends on debian-edu-artwork-common.
--
Guido Berhoerster
suggestion of replacing html/index.php line 384
$config->ldap->clearResult();
with
unset($config->ldap->re);
I can use GOsa, but still get the above error in the footer. Setting a
user's password does not result in the initial error any more but the
password does not seem to be set correctly and logging in with the set
password is not possible.
--
Guido Berhoerster
copies.
However I'm wondering why the package is set up the way it is, couldn't
we rename debian-edu-artwork to debian-edu-artwork-common, make the
theme subpackages require that and turn debian-edu-artwork into a
virtual package provided by each theme subpackage?
--
Guido Berhoerster
theme there is no such rule.
--
Guido Berhoerster
is
passwordMinLength="5". When using the classic theme no minimum length
seems to be enforced at all.
--
Guido Berhoerster
y on gosa to enforce
password complexity or if we want to configure all of the above so each
one enforces the common policy on its own?
In case of the former, what about the gosa option to have the user
change his password on the next login?
--
Guido Berhoerster
the effort to change existing
master keys. However, it is possible to upgrade them if desired.
See
https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
for details.
--
Guido Berhoerster
in winbindd to change the test from 'has a PAC' to 'has a
PAC with LOGON_INFO'.
(see https://lists.samba.org/archive/samba/2023-April/244999.html)
So if we don't want to set up an AD DC we will probably not be able to use
Kerberos authentication with our current setup.
--
Guido Berhoerster
The changes in debian-edu-config, debian-edu-install, and pam-mklocaluser
should cover new installations, but how should upgrades be handled?
--
Guido Berhoerster
On Fri, 22 Sep 2023 13:57:09 +0200 Guido Berhoerster
wrote:
> In addition to systemd, polkitd now also uses a UID above 499, on a main
> server with MATE desktop I have the following UIDs above 499:
>
> 995 polkitd
> 997 systemd-timesync
> 998 systemd-network
Regardin
the internal defaults
and create local users with UID/GID 1000 and higher.
In addition to systemd, polkitd now also uses a UID above 499, on a main
server with MATE desktop I have the following UIDs above 499:
995 polkitd
997 systemd-timesync
998 systemd-network
--
Guido Berhoerster
On 21.09.23 17:54, Mike Gabriel wrote:
On Thu 21 Sep 2023 16:05:51 CEST, Guido Berhoerster wrote:
This is actually a bug in LightDM which makes assumptions about the home
directory not changing and hardcoding paths to the Xauthority file.
There is also a small fix for libpam-mklocaluser
the correct home directory.
If you want to test, you need to rebuild lightdm with the patch from
https://github.com/canonical/lightdm/pull/323 and change the
libpam-mklocaluser pam-config priority.
The latter is necessary for other display managers as well.
--
Guido Berhoerster
On 21.09.23 at 12:02, Petter Reinholdtsen wrote:
> [Guido Berhoerster]
>> When logging in with LightDM the first login always fails due to a
>> discrepancy between the home directory obtained from LDAP via
>> getpwent() and the newly created home directory. Specifically,
resulting in fatal errors.
--
Guido Berhoerster
On Fri, 15 Sep 2023 09:55:03 -0600 Sam Hartman wrote:
> >>>>> "Guido" == Guido Berhoerster writes:
>
> Guido> Are there plans to get this into stable-updates?
>
> No, not currently.
> But if you would agree to test in testing/unstable now, and
.
There are two possible solutions:
- a shorter maximum delay
- stop using anacron and rely on systemd timers which support random delays
--
Guido Berhoerster
(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
[2023/09/19 14:04:01.342972, 5]
../../auth/gensec/gensec.c:534(gensec_update_done)
gensec_update_done: spnego[0x5618c5c0b850]: NT_STATUS_INVALID_PARAMETER
--
Guido Berhoerster
ot allowed in [no active file]:0\nStack trace:\n#0
{main}\n thrown in [no active file] on line 0, referer:
https://www/gosa/main.php?plug=1
--
Guido Berhoerster
On 15.09.23 17:55, Sam Hartman wrote:
"Guido" == Guido Berhoerster writes:
Guido> Are there plans to get this into stable-updates?
No, not currently.
But if you would agree to test in testing/unstable now, and test again
once it gets into stable-proposed, I'd be h
/share/gosa/include/class_acl.inc,
line 180)
Sep 15 16:27:35 tjener.intern apache2[241429]: GOsa[server-admin]: (view) error
: PHP error: Undefined property: acl::$Array
(/usr/share/gosa/include/class_acl.inc, line 180)
--
Guido Berhoerster
ew of
type users/posixAccount
--
Guido Berhoerster
Are there plans to get this into stable-updates?
This is needed in debian-edu-config in bookworm, we get libpam-ldapd as a
dependency via nslcd and need to programmatically disable pam_ldap as we use
Kerberos (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051841#20).
--
Guido
On Thu, 14 Sep 2023 10:57:32 +0200 Petter Reinholdtsen wrote:
> [Guido Berhoerster]
> >> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is
> >> enabled
> >
> > /etc/pam.d/common-auth contains:
> >
> > …
> >
On Wed, 13 Sep 2023 13:03:45 +0200 Guido Berhoerster
wrote:
> error: ./filesystems: Using ext2 on /boot
This seems bogus, there should be an exception for boot.
> error: ./ldap-client: Missing /skole mount point in ldap
> error: ./ldap-client: Missing tjener mount point in ldap
> e
: ./ldap-server: search fail before flodding the LDAP server with 1200
connections
error: ./ldap-server: search fail after flodding the LDAP server with 1200
connections
error: ./rdp-server: xrdp service is not listening on 3389/tcp.
--
Guido Berhoerster
with limits it would be convenient to include the mail logs
there in order to enforce a log size limit.
--
Guido Berhoerster
://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html#ratelimit-interval
--
Guido Berhoerster
logged
through syslog. This would be suitable for the portable profile as well.
Suggestions?
--
Guido Berhoerster
On Fri, 8 Sep 2023 13:42:24 +0200 Guido Berhoerster
wrote:
> This is caused by debian-edu-fai in the DEBIAN/40-misc script:
>
> ainsl -a /etc/mailname ${HOSTNAME}
>
> which appends to the file rather than overwriting it.
It is also not clear why ${HOSTNAME} is used here rath
On Fri, 8 Sep 2023 11:44:00 +0200 Guido Berhoerster
wrote:
> debian-edu-fai installs currently prefer nullmailer over exim4. However,
> both the mailname and remote are not configured correctly so that mail
> cannot be delivered.
>
> /etc/mailname contains:
>
> postoffice
·shared/mailname→string→·postoffice.intern
--
Guido Berhoerster
edu-update-netblock: 116: iptables: not found
/usr/sbin/debian-edu-update-netblock: 117: iptables: not found
/usr/sbin/debian-edu-update-netblock: 118: iptables: not found
--
Guido Berhoerster
logging be local-only?
--
Guido Berhoerster
config/tools/fetch-rootca-cert#L28).
Isn't this already the TOFU behavior you suggest?
--
Guido Berhoerster
lass,FAIclass], referer:
https://www/gosa/main.php?plug=1=1
--
Guido Berhoerster
up the /tmp or root partition depending on disk size and
partition scheme.
Furthermore, the script will create the tar file following the same naming
scheme /tmp/sitesummary-.tar.gz which in the absence of kernel symlink
protection allows for symlink attacks.
--
Guido Berhoerster
Package: gosa-plugins-systems
Version: 2.8~git20211027.5741b8f-6
After filling out the form to add a new network printer
gosa returns to the systems listing without actually
adding the printer to LDAP. AFAICS there are no related
errors in the logs.
--
Guido Berhoerster
On Wed, 28 Jun 2023 13:36:04 +0200 Guido Berhoerster
wrote:
> Package: debian-edu-config
> Version: 2.12.32
>
> After adding a workstation (hostname: "ws01.intern") as shown in
> https://jenkins.debian.net/userContent/debian-edu-doc/debian-edu-doc-en/debian-e
e
default values (I suppose not locked down since environment variables
are also overridable by the user?) which can be achieved with dconf
system databases (see
https://help.gnome.org/admin/system-admin-guide/stable/dconf-custom-defaults.html.en).
--
Guido Berhoerster
intern apache2[53367]: GOsa[server-admin]: (debug)
/usr/share/gosa/include/class_pathNavigator.inc of type all : Type:2,
Message:Undefined array key "new",
File:/usr/share/gosa/include/class_pathNavigator.inc, Line: 36
--
Guido Berhoerster
Package: gosa
Version: 2.8~git20230203.10abe45+dfsg-8
The debug toolbar at the top of the page does not show icons
any more when using the default theme, instead of the
element only the file name is shown.
--
Guido Berhoerster
root fs on NFS
to fail due to an initrd script which temporarily renames the /sbin/init
symlink, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049397
--
Guido Berhoerster
On Tue, 15 Aug 2023 10:42:05 +0200 Guido Berhoerster
wrote:
> [ 12.587974] overlayfs: failed to retrieve lower fileattr (sbin/init,
> err=-6)
> mv: can't rename '/root/sbin/init': No such device or address
The actual problem is that rename(2) fails with ENXIO as overlayfs for so
On Tue, 15 Aug 2023 10:33:03 +0200 Guido Berhoerster
wrote:
> The cause is apparently that during installation
> debian-edu-ltsp-install is invoked with a --desktop argument
> which then defaults to Xfce.
The above should read "without a --desktop argument", however tha
to retrieve lower fileattr (sbin/init, err=-6)
mv: can't rename '/root/sbin/init': No such device or address
LTSP command failed: mv /root/sbin/init /root/sbin/init.ltsp
Aborting ltsp
LTSP boot error! Enable DEBUG_SHELL to troubleshoot!
--
Guido Berhoerster
-edu-ltsp-install is invoked with a --desktop argument
which then defaults to Xfce.
--
Guido Berhoerster
Package: gosa
Version: 2.8~git20230203.10abe45+dfsg-5
When creating a new student or teacher user based on the
corresponding template the LDAP operation will fail due to a
missing gidNumber for the posixUser class *unless* the POSIX
tab was clicked before.
--
Guido Berhoerster
for uif
seems to have been added.
--
Guido Berhoerster
and delete the new configuration again (see
attachment).
IMHO a reasonable solution would be to present a warning at the
beginning, then bring down/flush the interfaces which are to be
configured, and remove their configuration stanzas from
/etc/network/interfaces.
--
Guido Berhoerster
On 10.08.23 at 13:59, Mike Gabriel wrote:
> On Thu 10 Aug 2023 11:46:21 UTC, Guido Berhoerster wrote:
>
>> Package: debian-edu-config
>> Version: 2.12.33
>>
>> Setting up a router following the documentation at
>> https://wiki.debian.org/DebianEdu/Documentati
iptables to the minimal installation
Suggestions?
--
Guido Berhoerster
should be. Right now it is
inconsistent, depending on whether systemd is installed
or not, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043353
--
Guido Berhoerster
Package: debian-edu-config
Version: 2.12.33
The debian-edu-config additions to the cups configuration
remove access by root via the SystemGroup setting, this
e.g. disallows root to cancel all jobs and causes
debian-edu-cups-queue-autoflush.service to fail.
--
Guido Berhoerster
/cfengine3/inputs/promises.cf
RUN_CFMONITORD=0
RUN_CFSERVERD=0
RUN_CFEXECD=0
…
On the other hand the systemd services for all three daemons are enabled by
default as long as /var/lib/cfengine3/inputs/promises.cf exists.
The behavior should be the same for both cases.
--
Guido Berhoerster
On Thu, 20 Jul 2023 11:25:09 +0200 Guido Berhoerster
wrote:
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST
> FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEng
On Mon, 31 Jul 2023 13:37:17 +0200 Guido Berhoerster
wrote:
> I've fixed and improved ldap-createuser-krb5 based on the template users,
> gosa behavior in bullseye, the gosa-create script as well as above
> suggestion so that it can now be used to create student/teacher which can
>
a/include/accept-to-gettext.inc of type all : Type:2,
Message:Undefined array key "ru-ru",
File:/usr/share/gosa/include/accept-to-gettext.inc, Line: 154
Aug 04 14:00:16 tjener.intern apache2[1143590]: GOsa[unauthenticated]: (debug)
/usr/share/gosa/include/accept-to-gettext.inc of type all : Type:2,
Message:Undefined array key "ru",
File:/usr/share/gosa/include/accept-to-gettext.inc, Line: 155
Aug 04 14:00:16 tjener.intern apache2[1143590]: GOsa[unauthenticated]: (debug)
/usr/share/gosa/include/accept-to-gettext.inc of type all : Type:2,
Message:Undefined array key "*",
File:/usr/share/gosa/include/accept-to-gettext.inc, Line: 156
Aug 04 14:00:16 tjener.intern apache2[1143590]: GOsa[unauthenticated]: (debug)
/usr/share/gosa/include/accept-to-gettext.inc of type all : Type:2,
Message:Undefined array key "UTF-8",
File:/usr/share/gosa/include/accept-to-gettext.inc, Line: 156
Aug 04 14:00:16 tjener.intern apache2[1143590]: GOsa[unauthenticated]: (debug)
/usr/share/gosa/include/accept-to-gettext.inc of type all : Type:2,
Message:Undefined array key "*",
File:/usr/share/gosa/include/accept-to-gettext.inc, Line: 157
--
Guido Berhoerster
On Fri, 21 Jul 2023 11:34:21 +0200 Guido Berhoerster
wrote:
> I must have done something wrong before, with the newstudent
> template applied gosa creates the following on bullseye, which
> looks more correct/as expected:
I just noticed that a "posixUser" class is only
r first and then rebase the
diff on top of develop since the latter is the base of our package but has
truncated git history.
--
Guido Berhoerster
Package: debian-edu-config
Version: 2.12.33
debian-edu-restart-services is based around sysvinit, directly
looks into /etc/rc*.d/ and tries to kill services which haven't
been stopped successfully by itself. On systemd-based systems
it should use systemd facilities instead.
--
Guido Berhoerster
/8eb0d468422cb3e06eed0092643d1bb4082f9b1c/src/index.php#L48)
--
Guido Berhoerster
:
https://www/slbackup-php/index.php
--
Guido Berhoerster
in yes
--
Guido Berhoerster
I'm not sure whether this is another problem in gosa or if the LDAP user is
still missing something.
--
Guido Berhoerster
Package: debian-edu-config
Version: 2.12.33
Running ldap-createuser-krb5 in order to create a user as recommended
in the documentation does not work and returns a LDAP error, e.g.
$ /usr/bin/ldap-createuser-krb5 gber 'Guido Berhoerster,,,'
error: unable to find sambaDomain LDAP object
correctly at least.
Note to self: testing this required adding the workstation with
gosa on the server, as well as running copy-host-keytab and
manually removing Debian-Edu_rootCA.crt on the workstation with
a reboot afterwards.
--
Guido Berhoerster
create entries with fully qualified hostnames
under ou=workstations,ou=systems,dc=skole,dc=skolelinux,dc=no the script
could also be adapted to skip qualifying the hostname if it contains a ".".
--
Guido Berhoerster
e contains a "." or the fully qualified hostname
cannot be determined
--
Guido Berhoerster
the attached script, it is
invoked as follows:
debian-edu-add-user.sh 1010 afoo Alice Foo
in order to create an example user afoo with the uid/gid 1010.
--
Guido Berhoerster
debian-edu-add-user.sh
Description: application/shellscript
Package: gosa
Version: 2.8~git20230203.10abe45+dfsg-4
With the default theme it is impossible to enable DHCP
or DNS when adding a new system, the corresponding checkboxes
seem to be hidden and cannot be activated.
--
Guido Berhoerster
: pam_ldap(lightdm:auth):
Authentication failure; user=mamus
--
Guido Berhoerster
des Benutzers Max Mustermann
gidNumber: 1003
objectClass: top
objectClass: posixGroup
--
Guido Berhoerster
ass: gosaUserTemplate
objectClass: posixAccount
objectClass: shadowAccount
sn: NewStudent
givenName: NewStudent
uid: newstudent
cn: NewStudent NewStudent
homeDirectory: /skole/tjener/home0/%uid
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
gecos: NewStudent NewStudent
--
Guido Berhoerster
On a related note, this error only shows up when cf-agent is run by cf-execd.
Invoking it manually works fine.
--
Guido Berhoerster
lable for a new
policy update to reduce the distributed load'
Q: ".../cf-agent" -f /":
error: Errors encountered when actuating files promise
'/var/lib/cfengine3/inputs/cf_promises_validated'
Q: ".../cf-agent" -f /":
error: Method 'cfe_internal_update_policy_cpv' failed in some repairs
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) R: Built-in
failsafe policy triggered
--
Guido Berhoerster
/2b22a5550089bab108177a41254f3f9de07eb20c/include/class_plugin.inc#L1612).
However I don't see any changes in git blame since 2016, not sure why
this used to work in bullseye.
--
Guido Berhoerster
ver using
the IPv6 loopback address which does not seem to be allowed
by the configuration.
--
Guido Berhoerster
)
--
Guido Berhoerster
s a "memberUid"
instead of a "member" attribute
@Daniel: Could you please look into fixing this in gosa?
--
Guido Berhoerster
is run
before ldapserver. So putting the icinga bundle after ldapserver might fix the
availability of the group via LDAP. However, this still needs testing.
--
Guido Berhoerster
The postcreate command error might be related to bug #1039698.
--
Guido Berhoerster
uid lease 10.0.16.22 for
client 00:16:3e:22:7b:5e is duplicate on intern
2023-06-28T11:19:42.898709+02:00 tjener dhcpd[1368]: DHCPREQUEST for 10.0.0.2
(10.0.2.2) from 00:16:3e:22:7b:5e via eth0
2023-06-28T11:19:42.898830+02:00 tjener dhcpd[1368]: DHCPACK on 10.0.0.2 to
00:16:3e:22:7b:5e via eth0
sixAccount nicht ausführen!
--
Guido Berhoerster
to have been added correctly and is
configured as expected via DHCP.
--
Guido Berhoerster
hare/php/smarty4/sysplugins/smarty_internal_template.php on line 196,
referer: https://localhost/gosa/main.php?plug=1=1
When switching to the "classic" theme, the new user form appears as
expected.
--
Guido Berhoerster
Even after creating a database for icingaweb and recreating the
configuration using the setup module I am getting the same error.
Related support forum post:
https://community.icinga.com/t/no-backend-has-been-configured-after-initial-setup/12245
--
Guido Berhoerster
oadConfig() confirms
that the backends ($backends) configuration is actually empty, i.e. that
no backends are defined in the configuration (see
https://github.com/Icinga/icingaweb2/blob/v2.11.4/modules/monitoring/library/Monitoring/Backend/MonitoringBackend.php#L160
for context).
--
Guido Berhoerster
dbname = "icingadb"
username = "icinga2"
password = "v64nhbe27dfBjR3T"
charset = ""
use_ssl = "0"
--
Guido Berhoerster
blem seems to be that the students group is defined in LDAP and
the server is either not running or cannot be reached.
On the installed system the "students" group does exist:
$ getent group students
students:*:10004:server-admin,newstudent,newteacher
This issue also affects
Package: debian-edu-config
Version: 2.12.32
ntp has been replaced with ntpsec in bookworm, the configuration has to
be adapted to a different path and syntax.
--
Guido Berhoerster
Package: debian-edu-install
Version: 2.12.8
The minimum partition sizes are no longer up-to-date for bookworm and
later and should be updated based on the actual current installations.
--
Guido Berhoerster
Berhoerster
Description: Disable SuicidalProcess unit test
Author: Guido Berhoerster
Abstract:
The test checks whether the process has the correct arguments and is still
alive via ps, the value of argv[0] depends on how the process is exec'd which
is an implementation detail and the used ps arguments as well
and refraining
from starting dbus-daemon in that case.
In addition it fixes a copy & paste error in the address check of
system instances of dbus-daemon.
--
Guido Berhoerster
From: Guido Berhoerster
Subject: Make reading address from dbus-daemon more robust
After starting dbus-daemon DBusTestRunner atte
Berhoerster
From: Guido Berhoerster
Subject: Make reading address from dbus-daemon more robust
After starting dbus-daemon DBusTestRunner attempts to read the address from
stdout and puts it into DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS
environment variables. Unfortunately it sets
in an error because the actual
plugin is not found, i.e. this causes build errors for all consumers
using cmake.
If the plugin isn't there the corresponding cmake file shouldn't be
there. Attached patch fixes the packaging.
--
Guido Berhoerster
>From 7a9d3a97847caee774a02f6628ce78966cea267e Mon Sep 17 00
ced in
https://gitlab.gnome.org/GNOME/glib/-/commit/ba8ca443051f93a74c0d03d62e70402036f967a5
Note the missing NULL-pointer check before line 187.
--
Guido Berhoerster
lts in a compilation with the PACKAGE_LOCALE_DIR
macro set to "/usr/local/share/locale" and package-update-indicator
looking in the wrong directory for translation data at runtime.
The fix is to build with prefix defined: make prefix=/usr
Thanks,
--
Guido Berhoerster