Re: Re: pt_BR website translation

2024-04-02 Thread Wolfgang Schweer
[ Thiago Pezzo, 2024-04-02 ]
Resending the pt_BR translation, now compressed.

done, see and check:
https://blends.debian.org/edu/index.pt-br.html

Wolfgang


signature.asc
Description: PGP signature


Re: Debian Edu website PO file

2024-04-02 Thread Wolfgang Schweer
Hi Thiago,

[ Thiago Pezzo, 2024-04-02 ]
> Thanks for the warning. New file sent to the list!

Thanks, work in progress, see
https://salsa.debian.org/blends-team/website/-/commits/master/?ref_type=HEADS 

Kind regards
Wolfgang




Bug#1064885: debian-edu-doc: please add links files for ro and uk pkgs

2024-02-27 Thread Wolfgang Schweer
Source: debian-edu-doc
Version: 2.12.24
Severity: normal
Tags: patch

Dear Maintainer,

the recently added ro and uk packages are both missing the related links 
file. Files attached, please check.

Wolfgang
/usr/share/doc/debian-edu-doc-ro /usr/share/doc/debian-edu-doc/ro
/usr/share/doc/debian-edu-doc-uk /usr/share/doc/debian-edu-doc/uk
/usr/share/doc/debian-edu-doc-legacy-uk /usr/share/doc/debian-edu-doc/legacy-uk




Bug#1064412: debian-edu-doc: Link errors in Bookworm doc

2024-02-26 Thread Wolfgang Schweer
Hi Rafael,

thanks for reporting the link errors. These are gone after my wiki.d.o edits:

> Error: no ID for constraint linkend: "DebianEdu".

wrong name, should have been Debian Edu; the wrong one is considered to 
be an internal link.

> Error: no ID for constraint linkend: 
> "Installation--Installing_a_gateway_using_debian-edu-router".

related anchor added on the target wiki page

> Error: no ID for constraint linkend: 
> "Administration--ldap-createuser-krb5.2C_a_command-line_tool_for_adding_users".

linking to Administration chapter, anchor for deep link didn't work out 
like expected

Wolfgang




Re: Unlocking Japanese and French translations of Debian Edu manuals on hosted-weblate

2024-02-18 Thread Wolfgang Schweer
[ Mike Gabriel, 2024-02-18 ]
> In fact, I'd really love to use (or see others use) hosted.weblate.org for
> German translations, too.
> 
> As far as I know Wolfgang has been the German translator over the past
> years. If he is ok to shift over to hosted.weblate.org with the de.po
> file(s), please add that to your list.

No objections from my side

BTW: I'm sure the French team would update the translation(s) ASAP once 
informed about it.

Also, (ro) and (uk) translations seem to be complete:
debian-edu-bookworm-manual.ro.po: 1038 translated messages.
debian-edu-bookworm-manual.uk.po: 1038 translated messages.
New binary packages should be provided.

Wolfgang




Bug#1058789: defaults.common: don't add contrib and non-free mirror components

2023-12-16 Thread Wolfgang Schweer
Source: debian-edu-install
Version: 2.12.9~deb12u1
Severity: normal
Tags: patch

Dear Maintainer,

since the Debian bookworm release, d-i apt-setup adds non-free-firmware 
as new default mirror component by default. This improves user 
experience in case of awkward hardware (esp. network components).

As a Debian Pure Blend, Debian Edu should no longer enable contrib and 
non-free mirror components.

Those have been a service for users when d-e-config/.../tools/pxe-addfirmware
and .../tools/ltsp-addfirmware were needed to add required non-free firmware.

Please note: Both scripts might be obsolete as of bookworm. Also, the 
manual might need revision concerning non-free firmware.

This change will fix the bug (patch also attached):

diff --git a/preseed-values/defaults.common b/preseed-values/defaults.common
index cd4d08ca..9bb71e35 100644
--- a/preseed-values/defaults.common
+++ b/preseed-values/defaults.common
@@ -41,5 +41,3 @@ hddtemp hddtemp/daemon boolean false
 # remove the need to set up APT sources using cfengine.
 choose-mirror-bin mirror/http/hostname string deb.debian.org
 choose-mirror-bin mirror/http/directory string /debian/
-apt-mirror-setup apt-setup/non-free boolean true
-apt-mirror-setup apt-setup/contrib boolean true
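
Review bot: deleting the two 'apt-mirror-setup' lines at the end of the file leaves apt-setup/non-free and apt-setup/contrib at whatever the installer defaults to, instead of stating the intended value. If the goal is that an Edu install never enables these components, preseeding both as 'boolean false' would make that explicit and keep it stable if the default changes. The report says pxe-addfirmware and ltsp-addfirmware might be obsolete as of bookworm; since they were the reason for enabling these components, they should be checked as part of the same change.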

Wolfgang
diff --git a/preseed-values/defaults.common b/preseed-values/defaults.common
index cd4d08ca..9bb71e35 100644
--- a/preseed-values/defaults.common
+++ b/preseed-values/defaults.common
@@ -41,5 +41,3 @@ hddtemp hddtemp/daemon boolean false
 # remove the need to set up APT sources using cfengine.
 choose-mirror-bin mirror/http/hostname string deb.debian.org
 choose-mirror-bin mirror/http/directory string /debian/
-apt-mirror-setup apt-setup/non-free boolean true
-apt-mirror-setup apt-setup/contrib boolean true




Bug#1058788: apt-setup: fails to add security mirror entry

2023-12-16 Thread Wolfgang Schweer
Source: debian-edu-install
Version: 2.11.3
Severity: important
Tags: patch

Dear Maintainer,

since Debian changed the security mirror URL (as of bullseye), the 
related Debian Edu apt-setup generator script (70debian-edu-install) 
prevents the Debian installer apt-setup mechanism from writing the security 
mirror entry *also in case of an existing Internet connection*.

The Debian Edu apt-setup generator script is useful in case of 
completely offline installations (using the BD ISO image). The manual 
informs about the missing security mirror entry in this case, see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Installation#A_note_on_USB_flash_drive_.2F_Blu-ray_disc_image_installs

This change will fix the bug (patch also attached):

diff --git a/apt-setup/generators/70debian-edu-install 
b/apt-setup/generators/70debian-edu-install
index ae977616..bfabc59f 100755
--- a/apt-setup/generators/70debian-edu-install
+++ b/apt-setup/generators/70debian-edu-install
@@ -28,7 +28,7 @@ DISTRIBUTION="$RET"
 # Prevent installer to contact security host as we don't have network
 # connection.  Setting apt-setup/security_host to an empty value will
 # make apt-setup/generators/90security skip the security mirror
-if ! wget -qO - http://security.debian.org/dists/$DISTRIBUTION/updates/Release 
; then
+if ! wget -qO - 
http://security.debian.org/dists/$DISTRIBUTION-security/Release ; then
log "Disabling security mirror, unable to reach it using http/wget"
db_fset apt-setup/security_host seen true || true
db_set apt-setup/security_host "" || true
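
Review bot: the comment kept above the changed wget line still describes only the no-network case, but the new path '$DISTRIBUTION-security/Release' follows the suite naming the report dates to bullseye, so the probe now fails for an older suite even with a working network. A one-line comment stating that assumption would help, and the URL argument should be quoted because $DISTRIBUTION is expanded unquoted. Since a failed probe sets apt-setup/security_host to an empty value, any transient fetch error leaves the installed system without a security mirror entry, and the log line is the only trace of it.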

Wolfgang

diff --git a/apt-setup/generators/70debian-edu-install b/apt-setup/generators/70debian-edu-install
index ae977616..bfabc59f 100755
--- a/apt-setup/generators/70debian-edu-install
+++ b/apt-setup/generators/70debian-edu-install
@@ -28,7 +28,7 @@ DISTRIBUTION="$RET"
 # Prevent installer to contact security host as we don't have network
 # connection.  Setting apt-setup/security_host to an empty value will
 # make apt-setup/generators/90security skip the security mirror
-if ! wget -qO - http://security.debian.org/dists/$DISTRIBUTION/updates/Release ; then
+if ! wget -qO - http://security.debian.org/dists/$DISTRIBUTION-security/Release ; then
 	log "Disabling security mirror, unable to reach it using http/wget"
 	db_fset apt-setup/security_host seen true || true
 	db_set apt-setup/security_host "" || true


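
A check an administrator can run on installed systems to spot the missing security mirror entry described in this report, written as an added example (it is not part of the original message or of debian-edu-install). The function name has_security_entry and the sample file contents are constructed for illustration; it reads one-line-style 'deb' entries only (not deb822 .sources files) and accepts both the older '<suite>/updates' and the current '<suite>-security' suite names.

```shell
#!/bin/sh
# Added example: report whether one-line-style APT source files carry a
# security suite entry for a given release.
# has_security_entry and all sample data below are constructed for this example.

# has_security_entry SUITE FILE...
# Returns 0 if any active "deb" line names SUITE-security (bullseye and later)
# or SUITE/updates (older layout), 1 if none does, 2 on wrong usage.
has_security_entry() {
    if [ "$#" -lt 2 ]; then
        echo "usage: has_security_entry SUITE FILE..." >&2
        return 2
    fi
    suite=$1
    shift
    for src in "$@"; do
        # Unreadable or missing files simply contribute no entries.
        [ -r "$src" ] || continue
        # Drop comments, then strip an optional [option=...] block so the
        # suite is always the third field: deb URI SUITE COMPONENTS...
        if sed -e 's/#.*$//' -e 's/\[[^]]*]//' "$src" |
            awk -v s="$suite" '
                $1 == "deb" && ($3 == (s "-security") || $3 == (s "/updates")) { found = 1 }
                END { exit (found ? 0 : 1) }'
        then
            return 0
        fi
    done
    return 1
}

# Demonstration on constructed files: an install where the security entry
# was skipped, and one where it was written (with an option block).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'deb http://deb.debian.org/debian/ bookworm main non-free-firmware' \
        '# deb http://security.debian.org/debian-security bookworm-security main' \
        > "$dir/skipped.list"
    printf '%s\n' \
        'deb http://deb.debian.org/debian/ bookworm main non-free-firmware' \
        'deb [arch=amd64] http://security.debian.org/debian-security bookworm-security main' \
        > "$dir/written.list"
    for sample in "$dir/skipped.list" "$dir/written.list"; do
        if has_security_entry bookworm "$sample"; then
            echo "$(basename "$sample"): security entry present"
        else
            echo "$(basename "$sample"): NO security entry"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a real system the function would be called with the release codename and the files /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.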


Bug#1058786: debian-edu-artwork-emerald: login background.svg: wrong logo position

2023-12-16 Thread Wolfgang Schweer
Package: debian-edu-artwork-emerald
Version: 2.12.3-2~deb12u1
Severity: normal

Dear Maintainer,

in case of default installations the Debian Edu logo is missing on the 
LightDM login screen (lightdm w/ default gtk greeter).

Reason: due to the logo's centered position, it is hidden behind the greeter; 
see:
https://salsa.debian.org/debian-edu/debian-edu-artwork/-/blob/master/art-emerald/desktop-base/background.svg?ref_type=heads

Please place the logo at a suitable place, just like older themes do it, e.g.:
https://salsa.debian.org/debian-edu/debian-edu-artwork/-/blob/master/art-homeworld/desktop-base/background.svg?ref_type=heads

Something like the attached background.svg file should do it.

Wolfgang




Bug#1057777: missing dependency on dconf-cli

2023-12-08 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2023-12-08 ]
> as the new dconf logic in update-proxy-from-wpad is only for desktops, I'd
> suggest we check whether pkg dconf-cli / executable dconf is installed and
> if not, skip that bit in the script.
> 
> Acceptable solution?

maybe yes, can't dig into it.

iirc cf-agent runs the script in the d-i environment; installations 
using 12.3 -edu- ISO images (available tomorrow) might be broken.

Wolfgang




Bug#1057777: missing dependency on dconf-cli

2023-12-08 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.12.41~deb12u1
Severity: important

Dear Maintainer,

the update-proxy-from-wpad tool fails with error 'dconf: not found' on a 
plain main server.

dconf is shipped with the dconf-cli package; it seems that this package 
is supposed to be pulled in only in case the 'Workstation' profile has 
(also) been chosen and 'desktop=mate' or 'desktop=gnome' has been set on 
the kernel command line during installation (non-default edu desktop).

Please test with default installations w/ and w/o GUI.

Wolfgang




Bug#1033451: please fix wrong condition contained in debian-edu-ltsp-install script

2023-03-25 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal
Tags: patch

While trying to install a dedicated LTSP diskless workstation chroot, I 
noticed that running 'debian-edu-ltsp-install --dlw' fails in case the 
Debian Edu BD ISO image isn't available. This is due to a missing check.

To fix the issue on a system with 'LTSP-Server' profile, run as root:
sed -i 's/if ! mountpoint/if [ "true" == "$BD_ISO" ] \&\& ! mountpoint/' /usr/sbin/debian-edu-ltsp-install

Patch for the d-e-c git master branch:

diff --git a/sbin/debian-edu-ltsp-install b/sbin/debian-edu-ltsp-install
index 3c353202..90627977 100755
--- a/sbin/debian-edu-ltsp-install
+++ b/sbin/debian-edu-ltsp-install
@@ -18,7 +18,7 @@
 # Licence: GPL2+
 # first edited:2019-11-21
 
-version=2021-11-18
+version=2023-03-25
 
 set -e
 
@@ -598,7 +598,7 @@ EOF
mkdir -p /srv/ltsp/dlw
chmod 755 /srv/ltsp/dlw
# Use BD-ISO if available.
-   if ! mountpoint -q /media/cdrom ; then
+   if [ "true" == "$BD_ISO" ] && ! mountpoint -q /media/cdrom ; then
mount /media/cdrom
fi
if grep -q BD /etc/apt/sources.list && [ -f /media/cdrom/.disk/info ] ; 
then
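
Review bot: the new condition uses '==' inside '[ ]', which is a bash extension; '[ "true" = "$BD_ISO" ]' does the same and is also valid in POSIX sh. The hunk does not show where BD_ISO is assigned, so it is worth confirming that it is always set before this point. The 'grep -q BD /etc/apt/sources.list' test in the following context line covers a similar condition, and the two checks could be kept consistent.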


Wolfgang




Re: no login on diskless-workstations

2023-03-23 Thread Wolfgang Schweer
[ Frank Weißer, 2023-03-23 ]
> diskless_workstations on boot still are dealing long time with the swap
> partitions and logical volumes on tjener. Do you have any hint on that?

Unwanted system services can be "masked" in the /etc/ltsp/ltsp.conf file.
See https://ltsp.org/man/ltsp.conf/ for details.

The /usr/local/sbin/debian-edu-ltsp-install script contains a list of 
excluded services on the main server, see the MASK_SYSTEM_SERVICES entry.

If you were able to identify the related service on the main server, you 
could add a corresponding entry to /etc/ltsp/ltsp.conf file to extend 
the list.

Remember to run debian-edu-ltsp-initrd after any change done to the
ltsp.conf file.

Wolfgang




Re: no login on diskless-workstations

2023-03-22 Thread Wolfgang Schweer
[ Frank Weißer, 2023-03-15 ]
> What does not work:
> Log in as that user graphical on diskless workstations 192.168.250.130
> (hostname ltsp130) nor 192.168.0.22 (ltsp22)
> Changing to console 1 I can log in, getting
> 'No directory, logging in with HOME=/'

LTSP needs to be adjusted, too. Please test the attached script.

Wolfgang
#!/bin/bash

# This script applies to Debian Edu 'bullseye'. It needs to be run on a combined
# server (profiles Main-Server, Workstation, LTSP-Server) after having run the
# subnet-change script and rebooted the main server afterwards.

# Author/Copyright: Wolfgang Schweer 
# Licence:  GPL2+

set -e

# The /etc/network/interfaces file should look like this:
#
# auto eth0 eth1
# iface eth0 inet static
#   address 192.168.178.16
#   gateway 192.168.178.1
#   dns-search intern
#   dns-nameserver 127.0.0.1
#
# iface eth1 inet static
#   address 192.168.0.254
#
# Adjust in case of a wrong eth1 entry.
if [ "$(hostname -I | cut -d' ' -f2)" = "192.168.0.254" ] ; then
	:
else
	echo ""
	echo "The /etc/network/interfaces file contains a wrong eth1 entry,"
	echo "it should be 'address 192.168.0.254'. Replacing it."
	ETH1ADD=$(hostname -I | cut -d' ' -f2)
	sed -i 's/'"$ETH1ADD"'/192.168.0.254/' /etc/network/interfaces
	echo "Restarting network"
	service networking restart
fi

# In case the next five steps below have been executed successfully
# on the main server (after subnet-change and reboot) they could be commented.
service named stop
rm -rf /var/cache/bind/managed-keys*
service named start
## See https://wiki.debian.org/DebianEdu/Status/Bullseye#Known_problems_that_can_be_fixed_locally
apt install ntp -y
cf-agent -I -D installation

# Adjust LTSP related config and tools.
#
# Get related IP addresses.
SERVER_IP="$(hostname -I | cut -d' ' -f1)"
GATEWAY_IP="$(host gateway | cut -d' ' -f4)"

# Modify LTSP configuration.
sed -i 's/10.0.2.2/'"$SERVER_IP"'/g' /etc/ltsp/ltsp.conf

# Copy LTSP tools and adjust these; they will take precedence due to root's $PATH.
cp /sbin/debian-edu-ltsp-initrd /usr/local/sbin/
cp /sbin/debian-edu-ltsp-install /usr/local/sbin/
cp /sbin/debian-edu-pxeinstall /usr/local/sbin/
sed -i 's/10.0.2.2/'"$SERVER_IP"'/g' /usr/local/sbin/debian-edu-ltsp-initrd
sed -i 's/10.0.2.2/'"$SERVER_IP"'/g' /usr/local/sbin/debian-edu-ltsp-install
sed -i 's/10.0.0.1/'"$GATEWAY_IP"'/g' /usr/local/sbin/debian-edu-ltsp-install
sed -i 's/10.0.2.2/'"$SERVER_IP"'/g' /usr/local/sbin/debian-edu-pxeinstall

# Adjust LTSP initrd, image and PXE setup using the modified tools; takes some time.
debian-edu-ltsp-initrd
debian-edu-ltsp-install --diskless_workstation yes
debian-edu-pxeinstall

# Delete first 192.168 related entry (written by subnet-change script) if the
# new subnet belongs to 192.168.0.0/16 to avoid LTSP client pitfall.
if [ "$(grep -c 192.168 /etc/squid/squid.conf)" = "5" ] ; then
	sed -i '0,/src 192.168/{//d}' /etc/squid/squid.conf
	service squid restart
fi

echo ""
echo "Done. No need to reboot the system."
echo ""




Re: Bookworm manual and translations

2023-01-28 Thread Wolfgang Schweer
[ Holger Levsen, 2023-01-28 ]
> as we are getting closer to the freeze, it's time to update the manual.
> 
> https://wiki.debian.org/DebianEdu/Documentation/Bookworm/Features
> has some FIXMEs we need to address.

also, the main server upgrade process needs to be documented:
https://wiki.debian.org/DebianEdu/Documentation/Bookworm/Upgrades
I used to do this for the last releases but can't continue doing so.
 
> and then translations need to be updated:
> debian-edu-bookworm-manual.de.po: 981 translated messages, 9 fuzzy 
> translations.

I used to do translations to German but can't continue doing so.

Wolfgang




Bug#1024033: debian-edu-config: broken thin client chroot installation in case type is (mini-)desktop and language is English

2022-11-13 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal

Dashamir Hoxha reported on debian-edu@lists.d.o some time ago:
> When I try to create the image for a mini-desktop thin client, with the 
> command:
>
> debian-edu-ltsp-install --thin_type desktop
>
> I get this error message:
> "E: Unable to locate package firefox-esr-l10n-en"


The script tries to install firefox-esr-l10n-"$LANGCODE", with $LANGCODE grabbed
from the /etc/debian-edu/config file.

Since Firefox supports 'en' (and 'en-us') natively, the 
firefox-esr-l10n-en package doesn't exist.

The issue has been fixed in Git (master branch):
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/6202ef11fe4159c521b9be1cc503552543cdfc91

Since the firefox-esr-l10n-en-gb package does exist, a simple workaround for
bullseye would be:

Set LANGCODE="en-gb" in /etc/debian-edu/config (temporarily).
Run 'debian-edu-ltsp-install --thin_type desktop'

Wolfgang




Re: 15.2.2. Easy access to USB drives and CD-ROMs/DVDs

2022-10-15 Thread Wolfgang Schweer
[ Dashamir Hoxha, 2022-10-15 ]
> On Sat, Oct 15, 2022 at 12:11 PM Wolfgang Schweer  wrote:
> 
> > [ Dashamir Hoxha, 2022-10-14 ]
> > > It still doesn't work for me. I am testing by attaching a cdrom (a 
> > > virtual one).
> >
> > It's only for USB mass storage devices, just like the label is telling
> > the user.
> >
> 
> Does it do autodetect and automount, or the device should be attached
> before the thin client is booted?

autofs; so autodetect and automount

> I am curious to see the code that implements this feature.

All LTSP related configuration including the x2goclient one is contained 
in the /usr/sbin/debian-edu-ltsp-install script. So local admins can 
copy this file to the /usr/local/sbin directory and modify the script to 
site specific needs.

If you want to add CDROM support to your existing LTSP setup for 
whatever reason (IMO it doesn't make much sense on thin clients):

(1) Create the file /etc/ltsp/autofs/auto.cdrom on the LTSP server with
this single line as content:
/cdrom -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

(2) Add this line to /etc/ltsp/autofs/extra.autofs:
/- /etc/auto.cdrom --mode=0777 --timeout=3

(3) Add cdrom export (adjust one line) in /etc/ltsp/skel/.x2goclient/sessions:
export="/usb0:1;/cdrom:1;"

(4) Run 'debian-edu-ltsp-initrd' for the changes to take effect for the 
next start of a thin client.

Wolfgang




Re: 15.2.2. Easy access to USB drives and CD-ROMs/DVDs

2022-10-15 Thread Wolfgang Schweer
[ Dashamir Hoxha, 2022-10-14 ]
> On Fri, Oct 14, 2022 at 7:00 PM Wolfgang Schweer  wrote:
> 
> > [ Dashamir Hoxha, 2022-10-14 ]
> > > - Attaching a removable media on a thin client (X2Go), does not make it
> > > accessible from the thin client.
> >
> > Well, it does. Just doubleclick the network-disk icon on the Xfce
> > desktop. IIRC it is labeled _usb0(sshfs-disk) or similar. Since the user
> > is working on the LTSP server, the USB medium is a network disk attached
> > to the thin client and accessed via SSHFS.
> >
> 
> It still doesn't work for me. I am testing by attaching a cdrom (a virtual
> one).

It's only for USB mass storage devices, just like the label is telling 
the user.

Wolfgang




Re: 15.2.2. Easy access to USB drives and CD-ROMs/DVDs

2022-10-14 Thread Wolfgang Schweer
[ Dashamir Hoxha, 2022-10-14 ]
> - Attaching a removable media on a thin client (X2Go), does not make it
> accessible from the thin client.

Well, it does. Just doubleclick the network-disk icon on the Xfce 
desktop. IIRC it is labeled _usb0(sshfs-disk) or similar. Since the user 
is working on the LTSP server, the USB medium is a network disk attached 
to the thin client and accessed via SSHFS.

Wolfgang




Bug#1021688: debian-edu-config: Broken network setup if LXQt desktop environment is used on main or LTSP server

2022-10-12 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+debu4
Severity: normal

On systems with 'Main server' and/or 'LTSP server' profiles the network 
setup fails to work correctly in case the LXQt desktop environment is 
used.

To fix it locally, replace connman with network-manager-gnome (ConnMan 
is the preferred LXQt network manager).
apt install network-manager-gnome -y
apt purge connman -y

Reboot the system.
Also, if Diskless workstations are used, rebuild the related image:
debian-edu-ltsp-install --diskless_workstation yes 

The fix is easy, see this commit:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/3d02cdc270db00ac09f9907a2bd93573e796a559

Wolfgang




Bug#1021687: debian-edu-config: Make sure the ntp package is installed on the main server

2022-10-12 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal

In case Internet connection isn't available, synchronizing clocks on the 
Debian Edu network requires running a local time server (e.g. for 
kerberized services like SSH and NFS).

On the main server, the ntp package should be installed, like 
recommended by the education-main-server package. But due to changes 
some time ago, systemd-timesyncd gets installed earlier and prevents the 
ntp package from being installed.

To fix it, run as root user on the main server:

'apt install ntp -y' to install the package and
'cf-agent -I -D installation' to adjust the ntp configuration like needed.

This bug has already been fixed in sid/testing (debian-edu-config 2.12.11), see:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/69d83ae46c72d4a7b70088f87b38164c09941669

Wolfgang




Separate LTSP server issues

2022-10-08 Thread Wolfgang Schweer
[ Dashamir Hoxha, 2022-10-08 ]
> Now I see some other problems, when trying to boot an LTSP diskless client
> from a separate LTSP server:
> https://peertube.debian.social/w/3vvhM6F3ipEJZ9VHiZ6v95
 
> The only command that I have executed on the LTSP server, after installing
> it and connecting it to the main server (GOsa), is:
> debian-edu-ltsp-install --diskless_workstation yes

Makes sense. For more options run 'man debian-edu-ltsp-install' on the LTSP 
server, or read the manual page on the Internet:
https://manpages.debian.org/bullseye/debian-edu-config/debian-edu-ltsp-install
 
> Maybe those error messages make some sense to you.

They do. It seems that the LXQt desktop environment is used. The 
preferred LXQt network manager tool ConnMan tries to bring up the 
network interfaces, but doesn't succeed.

Consider replacing ConnMan with a more common tool:
apt install network-manager-gnome -y
apt purge connman -y
service networking restart (or reboot the system)

Then rebuild the image:
debian-edu-ltsp-install --diskless_workstation yes

Wolfgang




Bug#1021414: debian-edu-config: Wrong DHCP configuration on separate LTSP server

2022-10-07 Thread Wolfgang Schweer
Source: debian-edu-config
Version: 2.11.56+deb11u4
Severity: normal

On a separate LTSP server the DHCP service fails to start after stopping 
it. This is caused by a wrong Requires statement in the systemd unit 
file. Instead of slapd.service, nslcd.service is required:

diff --git a/share/debian-edu-config/isc-dhcp-server.service.eth1_only 
b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
index 46557e6b..f2b7fb58 100644
--- a/share/debian-edu-config/isc-dhcp-server.service.eth1_only
+++ b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
@@ -1,7 +1,7 @@
 [Unit]
 Description=DHCP server
 After=network.target network-online.target
-Requires=slapd.service
+Requires=nslcd.service
 
 [Service]
 Type=forking
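
Review bot: 'Requires=nslcd.service' only pulls the unit in and ties the DHCP service to it; it does not order the two. The 'After=' line in the context still lists only 'network.target network-online.target', so if the DHCP server needs nslcd to be up before it starts, add nslcd.service to 'After=' as well.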

Wolfgang




Re: Editing boot options

2022-10-03 Thread Wolfgang Schweer
Hi Dashamir,

thanks for testing and feedback.

[ Dashamir Hoxha, 2022-10-03 ]
> The manual says that we should press TAB in order to edit a boot menu entry
> (for example to change the default desktop):
> https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Installation#Installation_types_and_options
> 
> However this doesn't work with GRUB. I have to press "e" in order to do
> this. Maybe TAB worked in an earlier version of GRUB, but not now.

This part of the bullseye manual only shows BIOS mode installation, 
where TAB applies (no hint in the menu itself). The UEFI installer menu 
informs one about how to edit entries. I'll add a hint anyway.
 
> The same with editing an iPXE boot menu entry. The manual suggests pressing
> TAB in order to change the default desktop:
> https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Installation#Installation_and_booting_over_the_network_via_PXE
> But it doesn't work for me.

Yes, this part is from the previous PXELINUX setup and doesn't make sense 
anymore.

> Maybe the manual should be updated on these places.

I'll update both the bullseye and bookworm manuals.

Wolfgang





Re: Thin client desktop

2022-09-29 Thread Wolfgang Schweer
[ Dashamir Hoxha, 2022-09-27 ]
> From the tests that I have done with thin clients (X2Go), I get some
> problems on the display, like those shown on the attached screenshot. I
> don't see this problem with diskless clients etc.

Those artefacts are a known issue, see:
https://bugs.debian.org/1008602

Wolfgang




Re: No Access to Internet

2022-09-14 Thread Wolfgang Schweer
Hi Sebastian.

[ Sebastian Sznauder, 2022-09-14 ]
> I come with a problem of access to the internet in Debian Edu Network. I
> have the connection between workstations and main server (and the base),
> users may login to their accounts and have the access to their files, but
> they have no access to the internet. If I configure DHCP server on tjener
> for a workstation to send DNS address (8.8.8.8), the workstation gains the
> access to the Internet but it loses access to debian edu network. Sorry for
> that essential question. I have tried to set it up many times and in many
> ways and either with no result or I quite lose the connection to the server
> and base.

Maybe the main server's named cache is corrupt.

On the main server, run
service named status

If problems show up, run:
service named stop
rm /var/cache/bind/*.*
service named start
service named status

Wolfgang




Re: Kvm isolated network

2022-09-09 Thread Wolfgang Schweer
Hi Claudio,

[ Claudio Carboncini, 2022-08-27 ]
> I tried to virtualize the Debian-edu network with virt-manager + Kvm
> following https://wiki.debian.org/DebianEdu/HowTo/TestCDinstall with
> debian-edu-11.3.0-amd64-BD-1.iso.
> The installation works, but I can't connect from 10.0.2.2 with the outside.
> The network is isolated.
> Any suggestions to fixing the problem?

The wiki page content has been outdated for years.

As far as the default network settings are concerned, I suspect you need 
to use

  
  

instead of

  
  

(last valid for the Lenny release, iirc).

Consider updating the page in case you can fix the problem.

Wolfgang




Bug#1010432: debian-edu-config: autopkgtest regression: update-mime: not found

2022-05-01 Thread Wolfgang Schweer
[ Paul Gevers, 2022-05-01 ]
> It seems that with the fix for bug #1010102 you either picked the 
> wrong Depends of two, or you forgot to update the postinst for the 
> change as update-mime lives in mailcap.

AFAICT calling update-mime in d-e-c.postinst is unneeded since the 
obsolete debian-edu-mailcap file has been removed, see commit 2aaa1adf:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/2aaa1adfac0f1ea63520bd884c2c48c674b51e3c
and commit 24f26f25:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/24f26f2552cdc62e5b580cac4d7e40a6f973c326

The update-mime call should be removed from the postinst script.

The Depends on mime-support had been added in 2004 due to moving the 
mailcap file and calling update-mime in d-e-c.postinst, see commit 
91550cf1:
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/91550cf1d35774f10cc9989f16038eeabf95e86b

IMO d-e-config neither needs media-types nor mailcap as dependencies, 
please check.

Wolfgang




Bug#1008597: debian-edu-install: Ask for hostname during standalone installation

2022-03-30 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-03-29 ]
> [Mike Gabriel]
> > While testing 11u3 ISO images, I noticed that a standalone Debian Edu  
> > installation does not ask for a hostname. It tries to find a hostname  
> > via DNS/DHCP and falls back to am-.
> 
> Will it accept the hostname on the boot prompt as
> hostname=some.domain.name?

No; the update-hostname-from-ip script will overwrite the hostname given 
as kernel command line param with am-, just like it happens with 
'hostname=pxeinstall' for PXE installed systems.

Wolfgang




Bug#1008602: debian-edu-config: Xfce/MATE in X2Go sessions very sluggish with Compositing enabled in xfwm

2022-03-30 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-03-29 ]
> A real fix for this could be provided in Xfce4 itself (see librda, Remote
> Desktop Awareness library). Until that has landed in Xfce (I might provide a
> patch for Xfce some time), we should consider disabling compositing in
> Xfce4-
> 
> Same applies for the MATE desktop environment. Compositing should be
> disabled by default, as well.
> 
> This makes the desktop environments look more simple, but they work
> out-of-the-box then when accessed via X2Go thinclients.
> 
> This is probably very debatable... Maybe it needs to be covered by
> documentation instead?

Sounds good; just document how to disable/enable the compositor via the 
related settings submenu (so that users know how to toggle it depending 
on their use case).

Maybe it could be added to the Desktop chapter:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/HowTo/Desktop

Wolfgang




Re: Testing Debian Edu specific ISO images -- 2022-03-26

2022-03-28 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-03-18 ]
> I can do some tests, but not over the weekend, I can schedule them for 
> Monday.

Once done, please also inform distrowatch. See an example email:

-
Date: Sun, 19 Dec 2021 00:04:45 +0100
From: Wolfgang Schweer 
To: dis...@distrowatch.com
Subject: Debian Edu 11 (bullseye) ISO images updated to version 11.2

Hi Jesse,

new installation images are now available at the usual Debian places 
after the Debian 11.2 point release.

Information about the dedicated -edu- images is available on the Bullseye
status page, see: https://wiki.debian.org/DebianEdu/Status/Bullseye

Intensive image testing has been done, see:
 https://wiki.debian.org/Teams/DebianCD/ReleaseTesting/Bullseye_r2#Edu_images
-

Wolfgang




Bug#1008057: Debian Installer on CD netinst image doesn't use http_proxy on Debian Edu network

2022-03-25 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-03-21 ]
> I have just tried to install a Debian Edu system from the netinst CD image
> for the first time (in ages) on a fully up-and-running Debian Edu network.
> 
> One part of my favourite setup is blocking all outgoing traffic to the
> internet for Debian Edu clients and have all internet connections mediated
> by squid on TJENER (or some other host serving webcache.intern.3128).
> 
> So, my simple expectation was, that a Debian Edu installation from CD image
> would automatically use the proxy server configured via WPAD. This obviously
> is not in the case:
 
Quoting the manual:
"You can use an existing HTTP proxy service on the network to speed up 
the installation of the main server profile from CD. Add e.g. 
mirror/http/proxy=http://10.0.2.2:3128 as an additional boot parameter."

https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Installation#Installation_types_and_options

Similar instruction since the Etch release...

Wolfgang




Re: Testing Debian Edu specific ISO images -- 2022-03-26

2022-03-18 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2022-03-18 ]
> I can do some tests, but not over the weekend, I can schedule them for Monday.
> 
> Will that be sufficient? Do you know?

Well, once the tests are done, the Debian CD team will push the new ISOs to 
the mirrors; the previous ISO images will no longer be available.

I think the Edu team should care for working ISO images at any time. In 
the past, all Edu image tests were just fine, but this is no guarantee 
for the future.

> Also, are the tests you did documented somewhere in more detail?

No. Besides information for the Debian CD team about installations using 
other languages than English, this documentation serves more or less as a 
reminder for future tests. Just test what needs to be tested.
 
> Other than simply installing a combined server from the ISO image, did 
> you run some (smoke) tests inside the installed system? (Create LDAP 
> users, add hosts, etc.?)

I've always tested if GOsa access is working, if users and systems show 
up, and -- in case of point releases -- if Debian Edu related bugs are 
really fixed, and if LTSP clients and PXE installations are working.

Also, if the menus/submenus show up correctly and if all localization 
packages are installed esp. in case of an offline installation of a 
combined server, eg. testing Thunderbird.

> Also, where do you get the test numbers that you use in 
> https://wiki.debian.org/Teams/DebianCD/ReleaseTesting/Bullseye_r2#Edu_image

These test numbers have been agreed upon with the Debian CD team. The 
new page 
https://wiki.debian.org/Teams/DebianCD/ReleaseTesting/Bullseye_r3
will be created by the Debian CD team at the next point release day as a 
somehow cleaned up and adjusted copy from Bullseye_r2 with the test 
numbers already contained, see the history of the 11.2 page as an 
example (scroll to the bottom):
https://wiki.debian.org/Teams/DebianCD/ReleaseTesting/Bullseye_r2?action=recall&rev=1

Same should apply to the 10.12 point release file as a copy of the 10.11 one:
https://wiki.debian.org/Teams/DebianCD/ReleaseTesting/Buster_r11?action=recall&rev=2

Wolfgang




Testing Debian Edu specific ISO images -- 2022-03-26

2022-03-15 Thread Wolfgang Schweer
Since the Debian 10 ("buster") release, official Debian Edu 
specific ISO images are provided as well.

At release and point release days, all Debian ISO images are built and 
tested, including the Edu ones; coordination happens on IRC (#debian-cd), 
documentation on wiki.debian.org (account required).

In the past, I've tested the Debian Edu specific images but can't do 
this for the time being; it would be nice if others could step up doing 
this in the future.

It needs some knowledge about Debian Edu and a dedicated test 
environment (for a complete combined server functionality test).

General information with release related links:
https://wiki.debian.org/Teams/DebianCD/ReleaseTesting

Debian Edu specific testing overview:
- latest "bullseye" point release:
  https://wiki.debian.org/Teams/DebianCD/ReleaseTesting/Bullseye_r2#Edu_images
- latest "buster" point release:
  https://wiki.debian.org/Teams/DebianCD/ReleaseTesting/Buster_r11#Edu_images

Once the Debian CD team has released the tested ISO images, the related 
Debian Edu status pages need to be updated:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye
https://wiki.debian.org/DebianEdu/Documentation/Buster

The next point releases for "bullseye" (11.3) and for "buster" (10.12) 
are scheduled for Saturday, March 26th. Last time, the first test ISO 
images were available at around 13:00 UTC.

Wolfgang




Bug#1006604: debian-edu-config: Debian Edu clients without GOsa system entry loose IP address after 30min

2022-03-01 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-03-01 ]
> On  Di 01 Mär 2022 11:22:46 CET, Wolfgang Schweer wrote:
> 
> > [ Petter Reinholdtsen, 2022-03-01 ]
> > > 
> > > [Holger Levsen]
> > > > I wonder if this is a bug in Debian Edu at all: don't we require
> > > > hosts to be added to GOsa in the first place?
> > > 
> > > Well, it is a bug in Debian Edu that the problem is obscure and hard to
> > > debug.  I guess the issue should be detected and reported in the face of
> > > the person trying to set up a new machine, instead of the machine
> > > silently failing to keep its IP address
[..] 
> > > Traditionally it was required to register clients in GOsa to ensure
> > > home directories could be mounted, not for it to get an IP address.
> > 
> > Yes, that's still the case.
> 
> Nope, see my previous mail about NFSv4+krb5i.

Kerberized NFS is the default for Debian Edu 11 (bullseye) and has 
already been available as a Debian Edu 10 (buster) feature, see:

https://wiki.debian.org/DebianEdu/Documentation/Buster/Features#Other_changes_compared_to_the_previous_release

with information how to enable it:

https://wiki.debian.org/DebianEdu/Documentation/Buster/HowTo/Administration#Kerberized_NFS

For a long time, the manual has contained detailed information about machine
management. For Debian Edu 11 kerberized NFS is also explained, see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/GettingStarted#Machine_Management_with_GOsa.2BALI-

I don't understand why some admins seem to avoid reading the manual.

Wolfgang




Bug#1006604: debian-edu-config: Debian Edu clients without GOsa system entry loose IP address after 30min

2022-03-01 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-03-01 ]
> 
> [Holger Levsen]
> > I wonder if this is a bug in Debian Edu at all: don't we require hosts to be
> > added to GOsa in the first place?
> 
> Well, it is a bug in Debian Edu that the problem is obscure and hard to
> debug.  I guess the issue should be detected and reported in the face of
> the person trying to set up a new machine, instead of the machine
> silently failing to keep its IP address

Sure. But then this seems to be a site specific non-standard use case, 
so site specific modification could be sufficient, I figure.
Fixing it for bookworm would be good, though.

> Traditionally it was required to register clients in GOsa to ensure 
> home directories could be mounted, not for it to get an IP address.

Yes, that's still the case. 

I'm just wondering about the reported 30 minutes. It seems to be the 
default lease time on the backbone network (1800). Maybe raise it to a 
site specific value? (Can't test it, can't contribute more for the time 
being.)

Wolfgang






Bug#1006362: debian-edu-config: PXE-installed Debian Edu clients don't boot into graphical.target

2022-02-25 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-02-24 ]
> The underlying causes of this is that we append "-- ipappend 2" to the
> kernel cmdline when doing the PXE boot into the Debian Installer.  This
> kernel boot cmdline is generated by /usr/sbin/debian-edu-pxeinstall (and was
> necessary in older times).

Right. 'ipappend' is used by PXELINUX, but for 'bullseye' we switched to 
iPXE to be compliant with the re-written LTSP.
 
> What happens with this "-- ipappend 2" bit of the kernel cmdline is that it
> gets added (during the installation process) to the GRUB_CMDLINE_LINUX
> variable in /etc/default/grub:
> 
> GRUB_CMDLINE_LINUX="ipappend 2"

PXELINUX evaluates 'ipappend 2' and adds 
BOOTIF= to the kernel command line, 
allowing the initrd program to determine from which interface the system 
booted.

Obviously, iPXE doesn't understand 'ipappend'. I'm just wondering if 
there are other side-effects.
 
> So, the booting systems finds a "2" in the kernel boot cmdline after the
> system has been installed via PXE and this "2" is interpreted as runlevel 2
> by systemd (PID 1).

While PXE installations have always been tested during development (and 
also at release and point release days), the 'Minimal' profile has been 
chosen for this test case to save time. As there's no GUI, this bug got 
away undetected. It might be a good idea to choose 'Workstation' for 
future tests.

Wolfgang
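
The leftover described in this message can be checked for on an installed client. The following is an added example, not part of the original mail or of debian-edu-config: a POSIX shell check that reports `ipappend` and any bare word on the GRUB kernel command line that systemd reads as a target request (the word list follows kernel-command-line(7)). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of debian-edu-config.
# Reports words in GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT that
# are PXELINUX leftovers or that systemd reads as a request for a target.

# Bare words systemd (PID 1) accepts on the kernel command line as
# compatibility options selecting a target; see kernel-command-line(7).
is_target_word() {
    case "$1" in
        1|2|3|4|5|s|S|single|rescue|emergency|-b) return 0 ;;
        *) return 1 ;;
    esac
}

# find_stray_words FILE
# Prints "<variable>: <word>" for every finding. The body runs in a
# subshell so that "set -f" and the variables stay local.
find_stray_words() (
    set -f                      # no globbing while the value is split
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            GRUB_CMDLINE_LINUX=*|GRUB_CMDLINE_LINUX_DEFAULT=*) ;;
            *) continue ;;
        esac
        var=${line%%=*}
        value=${line#*=}
        # Strip one pair of surrounding quotes, double or single.
        value=${value#\"}
        value=${value%\"}
        value=${value#\'}
        value=${value%\'}
        for word in $value; do
            if [ "$word" = ipappend ] || is_target_word "$word"; then
                printf '%s: %s\n' "$var" "$word"
            fi
        done
    done < "$1"
)

# Constructed sample, modelled on the value quoted in the bug report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="ipappend 2"
EOF
find_stray_words "$sample"
rm -f "$sample"
```

On a PXE-installed client, call `find_stray_words /etc/default/grub`; an empty result means nothing was flagged.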




Bug#1005813: debian-edu-config: apparmor blocks cups-browsed.conf from being read

2022-02-19 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-02-19 ]
> [Wolfgang Schweer]
> > As the symlink seems to be the problem, another solution would be to
> > let cfengine copy the file instead:
> 
> Sure.  The reason a symlink was used was to ensure upgrades would take
> effect.
 
Right. In case an upgraded debian-edu-config package contains a changed 
cups-browsed-debian-edu.conf file, 'cf-agent -v -D installation' would 
need to be run to update the cups-browsed.conf file.

In the past, the status pages have been updated at point release days to 
cope with changes concerning (among others) the debian-edu-config 
package, including information if a cf-agent run is needed; see:

https://wiki.debian.org/DebianEdu/Status/Buster
and
https://wiki.debian.org/DebianEdu/Status/Bullseye

In case of release upgrades, a cf-agent run is required anyway (like 
documented in the manuals)

Wolfgang




Bug#1005841: debian-edu-config: No TJENER print queues appearing on Debian Edu clients, print queues named not like queue name on TJENER

2022-02-19 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-02-16 ]
> The problem is that I think that the cups-browsing (or more strictly spoken
> cups-browsed-debian-edu.conf) never got really fully tested, because
> cups-browsed fails/failed to read cups-browsed-debian-edu.conf due to
> apparmor blocking.
 
Right.

> On normal workstations, I sense that some cups-browsed defaults kick into
> place (as the cups-browsed-debian-edu.conf is being blocked from reading at
> cups-browsed service startup) and that these defaults provide CUPS queues on
> TJENER to the clients via dnssd and the printer naming scheme is
> __ (which is an unwanted naming scheme here).

Right. Like you proposed, the correct file content should rather be:

diff --git a/etc/cups/cups-browsed-debian-edu.conf 
b/etc/cups/cups-browsed-debian-edu.conf
index b1479a4f..f58a99ad 100644
--- a/etc/cups/cups-browsed-debian-edu.conf
+++ b/etc/cups/cups-browsed-debian-edu.conf
@@ -28,5 +28,5 @@ BrowseAllow ipp.intern
 # to "No".
 
 CreateIPPPrinterQueues No
-CreateRemoteCUPSPrinterQueues No
-
+CreateRemoteCUPSPrinterQueues Yes
+LocalQueueNamingRemoteCUPS RemoteName
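
Review bot: The comment kept as context above these settings still ends with `to "No".`; if it describes CreateRemoteCUPSPrinterQueues, it no longer matches once the value is Yes and should be updated in the same change. A short comment next to the new LocalQueueNamingRemoteCUPS RemoteName line, saying that clients should show the queue names used on the server, would also help the next reader of this file.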

Wolfgang




Bug#1005813: debian-edu-config: apparmor blocks cups-browsed.conf from being read

2022-02-19 Thread Wolfgang Schweer
[ Holger Levsen, 2022-02-19 ]
> On Tue, Feb 15, 2022 at 07:20:01PM +, Mike Gabriel wrote:
> > Solution 2:
> > ---
> > Ask the cups src:pkg maintainers to add a line
> > /etc/cups/cups-browsed-debian-edu.conf to their
> > /etc/apparmor.d/usr.sbin.cups-browsed apparmor profile.
> 
> to me this seems to be the cleanest approach.

As the symlink seems to be the problem, another solution would be to
let cfengine copy the file instead:

diff --git a/cf3/cf.cups b/cf3/cf.cups
index 9788fa5c..58a64493 100644
--- a/cf3/cf.cups
+++ b/cf3/cf.cups
@@ -29,7 +29,7 @@ files:
   debian.desktopintern.!server.installation::
 
 "/etc/cups/cups-browsed.conf"
-  link_from => ln_s("/etc/cups/cups-browsed-debian-edu.conf"),
+  copy_from => local_cp("/etc/cups/cups-browsed-debian-edu.conf"),
   move_obstructions => "true";
 }
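
Review bot: With copy_from in place of link_from, /etc/cups/cups-browsed.conf becomes a snapshot, and because the promise sits under the debian.desktopintern.!server.installation:: class, a later change to cups-browsed-debian-edu.conf only reaches it when cf-agent runs with the installation class defined. Document that rerun requirement together with this change, and confirm that the local_cp body is available to this policy file.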

(In both cases, the original file is renamed to 
/etc/cups/cups-browsed.conf.cfsaved)

Wolfgang




Bug#1005841: debian-edu-config: No TJENER print queues appearing on Debian Edu clients, print queues named not like queue name on TJENER

2022-02-15 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2022-02-15 ]
> Package: debian-edu-config
> Severity: important
> Version: 2.12.16
> Control: found -1 2.11.56+deb11u3
> 
> If allowing read access to /etc/cups/cups-browsed-debian-edu.conf in
> apparmor (see #1005813), the current configuration won't create remote CUPS
> printer queues on Debian Edu workstations.
> 
> To make CUPS printer queues on TJENER available on Debian Edu workstations,
> one needs to set "CreateRemoteCUPSPrinterQueues Yes" in
> /etc/cups/cups-browsed(-debian-edu).conf.

"CreateRemoteCUPSPrinterQueues No" has been used intentionally.

The existing (centralized) approach has been documented, see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/GettingStarted#Printer_Management

Wolfgang




Re: Review changes for d-e-c 2.12.16

2022-02-03 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2022-02-03 ]
> do you think you can take a look at my changes for d-e-c 2.12.16 
> upload candidate? I plan to upload that package but would be happy to 
> get a second opinion on the rather comprehensive changes introduced.

I'm sorry to tell that I can't do it for the time being.

Wolfgang




Bug#955707: debian-edu-config: use DuckDuckGo as Chromium's default search provider

2022-01-31 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2022-01-30 ]
> Hi Wolfgang,
> 
> On  Sa 04 Apr 2020 00:20:37 CEST, Mike Gabriel wrote:
> 
> > Package: debian-edu-config
> > Severity: wishlist
> > 
> > Currently (during the bullseye release cycle), chromium uses Google as
> > the default search provider.
> > 
> > With the below snippet dropped into
> > /etc/chromium/policies/managed/.json we could switch that to
> > DuckDuckGo:
> > 
> > {
> >   "DefaultSearchProviderEnabled": true,
> >   "DefaultSearchProviderName": "DuckDuckGo",
> >   "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico",
> >   "DefaultSearchProviderEncodings": ["UTF-8"],
> >   "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}",
> >   "DefaultSearchProviderSuggestURL": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
> >   "DefaultSearchProviderNewTabURL": "https://duckduckgo.com/chrome_newtab"
> > }
> > 
> > Possibly an option for Debian Edu? Maybe even for Chromium in Debian?
> > 
> > Mike
> 
> I saw the above as part of the release notes for Debian Edu bullseye, right?
> Can we close #955707?

Two times: yes. Not done then because of
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955707#15
 
Wolfgang




Re: [Reopen][Solved] Re: Post installation network problem

2022-01-26 Thread Wolfgang Schweer
[ Frank Weißer, 2022-01-26 ]
> from tjener @school
> 
> root@tjener:~# service named status
> 
> ● named.service - BIND Domain Name Server
>  Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor
> preset: enabled)
>  Active: active (running) since Tue 2022-01-25 16:40:10 CET; 16h ago
>Docs: man:named(8)
>Main PID: 2548 (named)
>   Tasks: 10 (limit: 38126)
>  Memory: 122.1M
> CPU: 3.327s
>  CGroup: /system.slice/named.service
>  └─2548 /usr/sbin/named -f -4 -u bind
> 
> Jan 26 08:45:53 tjener.intern named[2548]: validating com/DS: no valid
> signature found
> Jan 26 08:45:53 tjener.intern named[2548]: no valid RRSIG resolving
> 'com/DS/IN': 199.7.83.42#53
> Jan 26 08:45:53 tjener.intern named[2548]: validating com/DS: no valid
> signature found
> Jan 26 08:45:53 tjener.intern named[2548]: no valid RRSIG resolving
> 'com/DS/IN': 202.12.27.33#53
> Jan 26 08:45:53 tjener.intern named[2548]: validating com/DS: no valid
> signature found
> Jan 26 08:45:53 tjener.intern named[2548]: no valid RRSIG resolving
> 'com/DS/IN': 199.9.14.201#53
> Jan 26 08:45:53 tjener.intern named[2548]: validating com/DS: no valid
> signature found
> Jan 26 08:45:53 tjener.intern named[2548]: no valid RRSIG resolving
> 'com/DS/IN': 192.112.36.4#53
> Jan 26 08:45:53 tjener.intern named[2548]: broken trust chain resolving
> 'raw.githubusercontent.com//IN': 205.251.192.181#53
> Jan 26 08:45:53 tjener.intern named[2548]: broken trust chain resolving
> 'raw.githubusercontent.com/A/IN': 205.251.192.181#53

did you try cleaning up the cache and re-fetch?
service named stop
rm /var/cache/bind/managed-keys.*
service named start

then:
service named status
ls -l /var/cache/bind/

Wolfgang
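
A triage helper for log output like the excerpt quoted above, as an added example that is not part of the original thread: it groups named's DNSSEC validation failures per record and counts the distinct upstream servers involved. The function names and the sample log (with documentation addresses) are constructed, and the final check is a heuristic assumed for this example.

```shell
#!/bin/sh
# Added example: triage of named DNSSEC validation failures.
# Function names and the sample log are constructed for illustration.

# summarize_dnssec_failures FILE
# Prints "<kind> <name/type/class> <messages> <distinct servers>" per record,
# where kind is "rrsig" (no valid RRSIG) or "chain" (broken trust chain).
summarize_dnssec_failures() {
    awk -F"'" '
        /no valid RRSIG resolving/     { kind = "rrsig" }
        /broken trust chain resolving/ { kind = "chain" }
        kind != "" && NF >= 3 {
            rr = $2                          # e.g. com/DS/IN
            server = $3
            sub(/^: */, "", server)          # drop the separator after the quote
            sub(/#.*$/, "", server)          # drop the port suffix
            key = kind " " rr
            count[key]++
            if (!((key, server) in seen)) {
                seen[key, server] = 1
                servers[key]++
            }
        }
        { kind = "" }
        END { for (k in count) print k, count[k], servers[k] }
    ' "$1" | sort
}

# local_validator_suspected FILE
# Heuristic (an assumption of this example): when the DS or DNSKEY set of
# a top-level domain fails validation against two or more upstream servers,
# look at the resolver itself (trust anchors, system clock) before
# suspecting a single remote zone. Returns 0 when that pattern is present.
local_validator_suspected() {
    summarize_dnssec_failures "$1" | awk '
        {
            split($2, part, "/")             # name, type, class
            if ($1 == "rrsig" && index(part[1], ".") == 0 &&
                (part[2] == "DS" || part[2] == "DNSKEY") && $4 >= 2)
                found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample, modelled on the output quoted in the message;
# the server addresses are documentation addresses, not real servers.
constructed_sample_log() {
    cat <<'EOF'
Jan 26 08:45:53 tjener.intern named[2548]: validating com/DS: no valid signature found
Jan 26 08:45:53 tjener.intern named[2548]: no valid RRSIG resolving 'com/DS/IN': 192.0.2.1#53
Jan 26 08:45:53 tjener.intern named[2548]: validating com/DS: no valid signature found
Jan 26 08:45:53 tjener.intern named[2548]: no valid RRSIG resolving 'com/DS/IN': 192.0.2.2#53
Jan 26 08:45:54 tjener.intern named[2548]: no valid RRSIG resolving 'com/DS/IN': 192.0.2.3#53
Jan 26 08:45:54 tjener.intern named[2548]: no valid RRSIG resolving 'com/DS/IN': 192.0.2.1#53
Jan 26 08:45:54 tjener.intern named[2548]: broken trust chain resolving 'www.example.com/A/IN': 198.51.100.7#53
EOF
}

log=$(mktemp)
constructed_sample_log > "$log"
summarize_dnssec_failures "$log"
if local_validator_suspected "$log"; then
    echo "TLD-level failures from several servers: check the resolver first"
fi
rm -f "$log"
```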




Re: PEAP-MSCHAPv2 Radius auth against bullseye TJENER

2022-01-19 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-01-19 ]
> The problem was that --domain=SGM addressed a domain controller on site
> which I did not take into account. However, without --domain=<...> ntlm_auth
> would still fail.

might be a site specific issue due to the existing SGM domain...

Wolfgang




Re: PEAP-MSCHAPv2 Radius auth against bullseye TJENER

2022-01-19 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-01-19 ]
> I am currently setting up a FreeRADIUS on TJENER (bullseye) and find that
> the Debian Edu documentation (esp. the Debian Edu 11 release announcement)
> states that PEAP-MSCHAPv2 is supported by the FreeRADIUS setup script.
> 
> @Wolfgang: do you have a PEAP-MSCHAPv2 setup running?

atm no (missing resources). at the time I added the script, things 
worked just fine, using the edu cert on my phone as well.

> For testing purposes, I have set ntlm_auth = yes in smb.conf.

that isn't the way to go, use the provided config:
https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/master/etc/samba/smb-debian-edu.conf

> When using ntlm_auth to authenticate against smbd on TJENER I always get
> NT_STATUS_NO_SUCH_USER:
> 
> ```
> $ ntlm_auth --username=gabmik --domain=SGM
> Password:
> NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc064)

as of bullseye, PDC with 'domain' is gone, fake domain is tjener
use 'smbclient -L tjener' (as user gabmik).
 
> I understand that Samba user information for the standalone server is now
> stored locally on TJENER (and password changes are managed via hook calls to
> smbpasswd).
> 
> Any idea how to track this down further?

'man pdbedit' is your friend, eg

pdbedit -L -v -u gabmik

Wolfgang




Re: Bug#1003727: debian-edu-config: exim4 on TJENER does not accept system mails from Debian Edu clients

2022-01-14 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-01-14 ]
> [Mike Gabriel]
> > @Petter: btw, do you have an idea, why things fail on a Debian Edu  
> > bullseye TJENER? My exim4 competence is zero. Postfix would be easy.  
> > Some help is much appreciated.
> 
> No idea, too long since I looked at SMTP stuff. :)

Try this one:

diff --git a/etc/exim4/exim-ldap-server-v4.conf 
b/etc/exim4/exim-ldap-server-v4.conf
index 6bf04762..dd9f6205 100644
--- a/etc/exim4/exim-ldap-server-v4.conf
+++ b/etc/exim4/exim-ldap-server-v4.conf
@@ -204,6 +204,7 @@ begin acl
 # ACL that is used after the RCPT command
 acl_check_rcpt:
   accept local_parts = postmaster
+  accept local_parts = root
   # Exim 3 had no checking on -bs messages, so for compatibility
   # we accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
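
Review bot: The added `accept local_parts = root` carries no domains or hosts condition, so in acl_check_rcpt it accepts any recipient whose local part is root, whatever the domain or sending host, before the checks that follow. If the configuration defines lists for the local domains and the Debian Edu client networks, restrict the rule to them, and add a comment saying that it exists for system mail from clients.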


Wolfgang

(can't contribute much these days due to age related health issues) 




Re: [Reopen][Solved] Re: Post installation network problem

2022-01-11 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2022-01-10 ]
> Try 'ps -ef|grep bind' to see if the service is running, and 'service
> bind status' to see if the service reported something.  Check
> /var/log/syslog for any errors.

(As of bullseye: 'service named status')
 
> No idea what is going on myself, I must admit. :)

Might be something like this known issue:
https://bugs.debian.org/983216

Wolfgang




Re: [debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Bullseye/Installation" by WolfgangSchweer

2022-01-03 Thread Wolfgang Schweer
[ Mike Gabriel, 2022-01-02 ]
> Did we know that someone was working on that article? Bad publicity 
> still is publicity.

Not to my knowledge, I came across it by chance.
 
> I think I will wrap up some of the achievements I have worked on for
> customers and implement them in debian-edu-* for the bookworm cycle.

Good idea. 

Wolfgang




Re: [debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Bullseye/Installation" by WolfgangSchweer

2021-12-28 Thread Wolfgang Schweer
[ Holger Levsen, 2021-12-28 ]
> On Tue, Dec 28, 2021 at 03:12:41PM -, Debian Wiki wrote:
> > + /!\ Do not use `Graphical expert install` or `Expert install` under any 
> > circumstances, use `debian-edu-expert` instead as an additional kernel 
> > parameter in exceptional cases.
> 
> "under any circumstances" sounds a bit too scary, especially as
> there is no explanation why not.

The explanation would be a bit longish. In most cases, people tend to 
mess up things once the tasksel page shows up. In expert mode this 
happens in addition to the profile choice page (after it).
Recent example:
https://www.linux-community.de/ausgaben/linuxuser/2021/11/debian-edu-linux-in-schulen/

> maybe rather:
> 
> /!\ To install Debian Edu in expert mode,  use `debian-edu-expert` 
> as an additional kernel parameter entered via GRUB.
> The `Graphical expert install` or `Expert install` are not
> suited to install Debian Edu, rather will they start a normal
> Debian installer in expert mode.
> 
> ?
> 
> Or just drop those three words "under any circumstances"?

yes, dropping those words sounds good.

Wolfgang




Bug#1002299: debian-edu-config: hosts installed via the minimal profile lack libpam-krb5 and fail to mount NFS krb5i shares on TJENER

2021-12-26 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2021-12-21 ]
> Package: debian-edu
> Severity: important
> Version: 2.12.4
> 
> When installing a Debian Edu system based on the Minimal installation
> profile, then the package libpam-krb5 is missing on that host. An installed
> Minimal system fails to allow users to log in (and get their home directory
> mounted via NFSv4 and sec=krb5i).

As far as I can tell, this is done by intention: it's not a system 
providing user access by default.

From the documented profile description:
(see: 
https://wiki.debian.org/DebianEdu/Documentation/Bookworm/Installation#The_installation_process
 )
This profile will install the base packages and configure the machine to 
integrate into the Debian Edu network, but without any services and 
applications. It is useful as a platform for single services manually 
moved out from the main-server.

To access such a system over the network, run (thanks to kerberized SSH) 
as root (on a system on the main network):
kinit ssh 
or use scp

(Assuming the minimal system has been added correctly using GOsa² and 
the generated krb5.keytab has been copied to the minimal system like 
explained in the manual, see:
https://wiki.debian.org/DebianEdu/Documentation/Bookworm/GettingStarted#Machine_Management_with_GOsa.2BALI-
 )

Wolfgang




Bug#1002019: debian-edu-config: /etc/debian-edu/host-keytabs/ contain non-config data

2021-12-21 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2021-12-20 ]
> I have filed a merge request for introducing this change:
> https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/2
> 
> Can you review?

Done so on salsa.
 
Wolfgang




Re: Ldap problem.

2021-12-11 Thread Wolfgang Schweer
Hi Marek,

[ Marek Gębski, 2021-12-10 ]
> I encountered a problem while using a freshly installed Debian-edu
> bullseye. The problem with Ldap I think. I attach logs.

Please provide more information:
- installed profiles
- network setup
- use case (workstation, diskless workstation)
- what did you try to do when the error occurred
- what error message has been shown exactly
- did you follow the documentation available at
  https://wiki.debian.org/DebianEdu/Documentation/Bullseye 

Wolfgang




Bug#996103: debian-edu-config: missing real support for LTSP chroot creation and maintenance

2021-11-15 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-11-12 ]
> I noticed that a wrapper tool is also needed for the new LTSP 'ltsp 
> initrd' command (which generates /srv/tftp/ltsp/ltsp.img for all use 
> cases).
> 
> The Debian Edu LTSP setup (with X2Go thin client support included) needs 
> to use case specific LTSP initrds located in case related directories 
> (as opposed to vanilla LTSP). Updating ltsp.img is eg. needed after the 
> /etc/ltsp/ltsp.conf [clients] section has been modified. This is 
> supposed to be the case for LTSP clients running in real world 
> deployments.
> 
> The tool is now available in Git [1] and should IMO also go into 
> bullseye once tested.

The wrapper script is available in sid (and about to show up in 
bookworm).

Testing all above changes for bullseye (modifications inside d-i) 
revealed that the 'share/debian-edu-config/tools/run-at-firstboot' tool 
needs to be adjusted to make sure the SquashFS image from the server's 
filesystem is generated. The adjusted file has already been in use for 
bookworm for some time:

diff --git a/share/debian-edu-config/tools/run-at-firstboot 
b/share/debian-edu-config/tools/run-at-firstboot
index 7e3bb335..fa31786d 100755
--- a/share/debian-edu-config/tools/run-at-firstboot
+++ b/share/debian-edu-config/tools/run-at-firstboot
@@ -64,7 +64,7 @@ fi
 # needs to include the krb5.keytab file which isn't available at this time.
 if echo "$PROFILE" | grep -Eq 'Main-Server.*LTSP-Server' && \
[ ! -f /srv/ltsp/images/$ltspimg ] ; then
-   /usr/sbin/debian-edu-ltsp-install --dist $dist
+   /usr/sbin/debian-edu-ltsp-install --diskless_workstation yes
 fi
 
 # Update PXE setup on LTSP servers with proxy values set in environment
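
Review bot: The replacement call drops `--dist $dist`, so the image is built for whatever distribution debian-edu-ltsp-install uses by default; say in the commit message that this is intended, and remove the `$dist` assignment earlier in the script if nothing else uses it. The `/srv/ltsp/images/$ltspimg` path in the `-f` test just above is unquoted and could be quoted while this block is being touched.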

Wolfgang




Bug#996103: debian-edu-config: missing real support for LTSP chroot creation and maintenance

2021-11-12 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-10-11 ]
> A wrapper tool for the 'ltsp ipxe' command needs to be added to allow 
> one to easily update the iPXE menu after changing the default netboot 
> menu item after /etc/ltsp/ltsp.conf file edits.

I noticed that a wrapper tool is also needed for the new LTSP 'ltsp 
initrd' command (which generates /srv/tftp/ltsp/ltsp.img for all use 
cases).

The Debian Edu LTSP setup (with X2Go thin client support included) needs 
to use case specific LTSP initrds located in case related directories 
(as opposed to vanilla LTSP). Updating ltsp.img is eg. needed after the 
/etc/ltsp/ltsp.conf [clients] section has been modified. This is 
supposed to be the case for LTSP clients running in real world 
deployments.

The tool is now available in Git [1] and should IMO also go into 
bullseye once tested.

Wolfgang

[1] https://deb.li/jLcI




Re: unmaintained potential important CaRMetal (GeoGebra alike)

2021-10-28 Thread Wolfgang Schweer
[ Jonathan Carter, 2021-10-28 ]
> I can't seem to find an upstream web site for it, do you know where one
> could get the source for version 4.3? I could only get 3.8 from some old
> archive sites and some windows installers.
 
Upstream web site:
http://carmetal2.free.fr/site/index.php (in French)

Downloads (Téléchargements):
http://carmetal2.free.fr/site/telechargements.php

Wolfgang




Re: Indonesian Localization of Debian Edu Website

2021-10-23 Thread Wolfgang Schweer
[ I. Musthafa, 2021-10-23 ]
> The .po files is in the attachment and there's no addendum. Thanks.

Thank you very much. Your translation has been added, also a 'localized' 
Xfce-Desktop screenshot, see:
https://blends.debian.org/edu/index.id.html

Wolfgang




Re: Russian translation for Debian Edu Blend website

2021-10-18 Thread Wolfgang Schweer
Hi,

[ vofka, 2021-10-18 ]
> It is reviewed here
> https://lists.debian.org/debian-l10n-russian/2021/10/msg00024.html

Thank you very much for the translation. It has been added (with the 
review changes included). I've added an Xfce desktop screenshot as well.
See the result: https://blends.debian.org/edu/index.ru.html

Wolfgang




Re: Update link to Debian Edu logo license

2021-10-17 Thread Wolfgang Schweer
[ vofka, 2021-10-17 ]
> The link at the bottom of blends.debian.org/edu points to the GNU Lesser GPL,
> but text of the link says that it is GPL v2.

Thanks for spotting the error. Fixed now, see:

https://salsa.debian.org/blends-team/website/-/commit/84730bfd71ab2f8e708562c96dde98e5ea81c5d2

The change should show up soonish.

Wolfgang




Re: First user

2021-10-15 Thread Wolfgang Schweer
Hi Roman,

[ roman.me...@gismap.ch, 2021-10-15 ]
> The first user changed his password and is saying, he can't log in 
> anymore. How can I fix this?

If you have another trusted user, say Jane Doe, with username jdoe:

As root on the main server, run 'ldapvi -ZD '(cn=admin)', search for 
'cn=gosa-admins' and add a line containing 'memberUID: jdoe' below the 
line containing 'memberUID: '.

The user jdoe could then log into GOsa and should get the full admin 
overview. This includes the right to set a new password for the first 
user.

Revert the LDAP change if things work like expected.
 
Wolfgang




Bug#996103: debian-edu-config: missing real support for LTSP chroot creation and maintenance

2021-10-11 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.56+deb11u1
Severity: important

Hi,

bug #995610 has been reported concerning possibly missing firmware when 
doing PXE installations on real hardware.

Same applies to LTSP thin clients and diskless workstations, but this 
issue slipped my attention, too. (No real hardware available, VMs only.)

As of now, after generating the SquashFS image for thin clients, the 
related chroot is removed. Updating the image after possible package 
upgrades is done by running chroot creation from scratch again; the reason 
has been not to bother inexperienced admins with having to deal with chroot 
issues (like temporary files, proc and devpts).

Installing firmware packages inside the thin client chroot would even 
require adjusting the sbin/debian-edu-ltsp-install tool (after having 
copied it to /usr/local/sbin). Inexperienced admins would be left w/o a 
clue if LTSP client boot fails in case of network cards needing 
firmware.

The new LTSP (as of bullseye) has an approach different to LTSP5 which 
shipped a dedicated tool to create and maintain chroots.

Such a tool should be available for Debian Edu 11. In addition, a tool 
allowing one to easily install firmware packages in LTSP chroots should be 
available.

LTSP chroot creation and maintenance for diskless workstations should be 
possible (as opposed to creating the SquashFS image from the LTSP 
server's file system). It would allow one to generate dedicated client 
images with possible needed firmware w/o spoiling the LTSP server 
filesystem by installing them there.

This would also be a secure fix for #993935 (privacy issues for combined 
servers). Inexperienced admins can't be expected to copy the 
sbin/debian-edu-ltsp-install tool to /usr/local/sbin and adjust the 
exclude list to site specific needs.

The sbin/debian-edu-ltsp-install tool (and some others) would need 
related adjustments. Related manual pages need to be adjusted/added.

A wrapper tool for the 'ltsp ipxe' command needs to be added to allow 
one to easily update the iPXE menu after changing the default netboot 
menu item after /etc/ltsp/ltsp.conf file edits.

All above mentioned changes are already in unstable (with fixes in Git).

Once tested, these should go into bullseye-pu.

Wolfgang




Re: New Debian from Microsoft Store using WSL2

2021-09-24 Thread Wolfgang Schweer
[ Lee T. Davy - A3, 2021-09-23 ]
> I put the standalone EDU from USB on an old slow 32 bit so I could reverse to 
> the WSL2 flavor.
> Still WIP with WTF Microsoft !
> 
> Here is what the Debian from Microsoft Store for WSL2 yields
> 
> $ cat /etc/apt/sources.list 
>  deb http://deb.debian.org/debian bullseye main
>  deb http://deb.debian.org/debian bullseye-updates main
>  deb http://security.debian.org/debian-security bullseye-security main
>  deb http://ftp.debian.org/debian bullseye-backports main  
> 
> Nothing in repository except doc ?
> 
> 
> ~$ sudo apt-cache search edu-

The above search produces an incomplete package list.

The Debian Edu package namespace comprises debian-edu- and education-

You should get the complete list running:
apt search ^debian-edu-
and
apt search ^education-

While it doesn't make any sense to install the debian-edu-install or 
debian-edu-config package on top of a vanilla Debian system, some of 
the education-* packages (e.g. topic related ones like education-music 
or school-level related ones like education-secondaryschool) could be 
useful.

With the exception of education-tasks, all education-* packages are 
meta-packages.
An overview is available at https://blends.debian.org/edu/tasks/

Don't ever install any of those meta-packages blindly; on the command 
line, apt show  is your friend.

For more information about Debian Edu in general, see: 
https://blends.debian.org/edu

---

To turn a minimal Debian system into a Standalone Debian Edu one, you 
should be able to use this dedicated script:

https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/bullseye/share/debian-edu-config/tools/debian-edu-bless

On your minimal Debian 11 (bullseye) system, get the raw version:

wget https://salsa.debian.org/debian-edu/debian-edu-config/-/raw/bullseye/share/debian-edu-config/tools/debian-edu-bless

Make the script executable:
chmod +x debian-edu-bless

Just to be sure that name resolution is working during installation,
check if 'service systemd-resolved status' is active, otherwise run:
apt install resolvconf
systemctl enable systemd-resolved
service systemd-resolved start

Make sure you have at least 20 GiB disk space.

Install on top of vanilla Debian 11 (bullseye) using the preferred Desktop 
environment:
PROFILE=Standalone DESKTOP=xfce ./debian-edu-bless

(Instead of xfce, you could use cinnamon, gnome, kde, lxde, lxqt, or mate.)

---

As far as the Windows operating system is concerned: I don't use it, so can't 
provide any hint.

Hope it helps,
Wolfgang




Re: Debian Edu 11 Diskless Workstation Management for multiple schools

2021-09-20 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-08-18 ]
> [ Mike Gabriel, 2021-08-18 ]
> > for my school customers, I maintained my own Diskless Workstation chroot in
> > a subfolder on some central server that deployed this chroot over to other
> > schools (over night, incrementally, only when changes had been applied).
> > Basically, I'd like to keep things that way.
> 
> It should be possible, I guess.
> 
> > However, with the new LTSP approach, is there a chroot for diskless
> > workstations anymore, at all. From my understanding, LTSP now creates a
> > SquashFS image from the local system and thus uses that as a template. I
> > wonder, if I can continue with my current deployment mechanism or if I need
> > to re-invent things here.
> 
> LTSP is also able to deal with diskless chroots that are maintained 
> manually like you are supposed doing it.

The bookworm version of the 'sbin/debian-edu-ltsp-install' tool has 
been improved. It is now possible to create an LTSP chroot for diskless 
workstations, usable as root filesystem via NFS. Also, as another 
option, a related SquashFS image can be generated.

If the BD ISO image has been used to install the combined server and the 
medium containing that ISO is still 'inserted' the ISO is used to 
install the chroot as well.

As an example, copy the bookworm version to /usr/local/sbin on a stock 
Debian Edu combined server and run:
debian-edu-ltsp-install --dlw yes --diskless_workstation no --desktop mate

You will then be able to choose 'Diskless Workstation (NFS chroot rootfs)'
from the iPXE menu on LTSP clients.
 
As far as multiple LTSP servers are concerned, please note that due to 
kerberized NFS for the home directories the /etc/krb5.keytab file must be 
LTSP server specific. See the 'debian-edu-ltsp-install' tool code.

Work in progress. Feel free to improve the tool.

Wolfgang




[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 2 commits: Adjust sbin/debian-edu-ltsp-install. (Closes: #993935)

2021-09-09 Thread Wolfgang Schweer
Hi Dominik,

do you have time to test / review the debian-edu-ltsp-install script 
changes?

Any additional excludes needed? The excludes actually don't need to 
exist - for example I've added 'etc/freeradius' just in case someone 
uses the provided script to set up freeRadius.

[ Wolfgang Schweer (@schweer-guest), 2021-09-08 ]
> =
> debian/changelog
> =
> @@ -1,3 +1,13 @@
> +debian-edu-config (2.12.2) UNRELEASED; urgency=medium
> +
> +  * Adjust sbin/debian-edu-ltsp-install. (Closes: #993935)
> +Thanks to Dominik George for spotting and reporting the issue.
> +- Extend main server related exclude list.
> +- Add slapd and xrdp-sesman to the list of masked services.
> +- Ensure home directory access after above changes.
> +
> + -- Wolfgang Schweer   Wed, 08 Sep 2021 22:58:14 +0200
> +
>  debian-edu-config (2.12.1) unstable; urgency=medium
>  
>[ Wolfgang Schweer ]
> 
> 
> =
> sbin/debian-edu-ltsp-install
> =====
> @@ -17,7 +17,7 @@
>  # Author/Copyright:  Wolfgang Schweer 
>  # Licence:   GPL2+
>  # first edited:  2019-11-21
> -# last edited:   2021-04-26
> +# last edited:   2021-09-08
>  
>  set -e
>  
> @@ -197,6 +197,24 @@ fi
>  # FIXME: On the main server even more additional excludes might be useful.
>  if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
>   cat <> /etc/ltsp/image-local.excludes
> +etc/apache2
> +etc/bind
> +etc/dbconfig-common
> +etc/dovecot
> +etc/etckeeper
> +etc/gosa
> +etc/freeradius
> +etc/icinga
> +etc/icinga2
> +etc/icingaweb2
> +etc/krb5kdc
> +etc/mysql
> +etc/nagios
> +etc/nagios-plugins
> +etc/nagios3
> +etc/samba
> +etc/slbackup
> +etc/slbackup-php
>  usr/lib/apache2
>  usr/lib/exim4
>  usr/lib/icinga
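
Review bot: the added etc/ entries drop whole directories, while the var/ entries further down use a trailing /* and keep the empty directory. A short comment above the list stating which form to use, and that entries for paths that do not exist are harmless, would help admins who extend it for site-specific services, since the FIXME above the block still asks for more excludes. Also, etc/gosa sits before etc/freeradius, out of the otherwise alphabetical order.
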
> @@ -219,9 +237,12 @@ var/lib/dhcp/*
>  var/lib/dpkg/*
>  var/lib/exim4/*
>  var/lib/icinga/*
> +var/lib/ldap/*
>  var/lib/munin/*
>  var/lib/munin-node/*
>  var/lib/nfs/*
> +var/lib/samba/*
> +var/log/apache2/*
>  var/log/cfengine/*
>  var/log/installer/*
>  var/log/munin/*
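
Review bot: etc/mysql is now excluded and mariadb is masked, but no var/lib/mysql/* entry appears between var/lib/munin-node/* and var/lib/nfs/*, where the alphabetical order would put it. Unless it is listed elsewhere in the file, the database files would still end up in the image. The same question applies to the state and log directories of the other services whose etc/ directories are now excluded.
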
> @@ -470,10 +491,11 @@ if [ "yes" == "$diskless_workstation"  ] ; then
>   # is disabled, but it is needed for diskless workstations.
>   # OTOH some services need to be disabled, i.e. 'masked'.
>   cat <> /etc/ltsp/ltsp.conf
> +PRE_INIT_AUTOFS="echo 'LDAPURI=ldap://ldap' >> /etc/default/autofs"
>  PRE_INIT_MAIN_SERVER="systemctl enable autofs"
>  POST_INIT_USE_FQDN="sed -i '/10.0.2.2/ s/server/tjener.intern tjener/' 
> /etc/hosts"
>  MASK_SYSTEM_SERVICES="apache2 named cups dovecot etckeeper exim4 squid 
> tftpd-hpa \
> -icinga2 nmbd smbd systemd-journald xrdp krb5-kdc mariadb cfengine3 
> isc-dhcp-server"
> +icinga2 nmbd slapd smbd systemd-journald xrdp xrdp-sesman krb5-kdc mariadb 
> cfengine3 isc-dhcp-server"
>  EOF
>   else
>   cat <> /etc/ltsp/ltsp.conf
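
Review bot: PRE_INIT_AUTOFS has no comment saying why LDAPURI must be written on the client; the comment above the here-document only covers enabling autofs and masking services. Say there that this is the "Ensure home directory access after above changes" item from the changelog, and whether ldap://ldap relies on StartTLS being enforced elsewhere, since the URI itself is not ldaps.
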
> @@ -500,6 +522,7 @@ EOF
>   fi
>   # Clean up ltsp.conf from specific items.
>   sed -i '/PRE_INIT_MAIN/d' /etc/ltsp/ltsp.conf
> + sed -i '/PRE_INIT_AUTOFS/d' /etc/ltsp/ltsp.conf
>   sed -i '/MASK_SYSTEM/d' /etc/ltsp/ltsp.conf
>  fi
>  
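
Review bot: the pattern /PRE_INIT_AUTOFS/ is unanchored, so it deletes any line in ltsp.conf that mentions the name, comments included. '/^PRE_INIT_AUTOFS=/d' would limit it to the assignment written above; the neighbouring PRE_INIT_MAIN and MASK_SYSTEM patterns have the same looseness.
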
> 
> 
> 
> View it on GitLab: 
> https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/75944ab25ab4c7d7fe450b7cb021749f47348f0f...6d78f3dce0ccbd57e03ad12750abcc6e3978576a

Wolfgang




Bug#993988: debian-edu-config: consider to drop diskless workstation support as default for Main-Server+LTSP-Server profile

2021-09-09 Thread Wolfgang Schweer
[ Dominik George, 2021-09-09 ]

> > It would be quite easy to drop the diskless workstation support 
> > (done by default at first boot of a combined server), only provide 
> > thin client support on the combined server and leave the (site 
> > specific) setup for diskless ws to the local admin. (The manual 
> > should then contain hints how to do this.)
> 
> I take it that by "drop support", you mean "not install by default"?

Yes. Instead of running 'debian-edu-ltsp-install --diskless_workstation 
yes' at first boot of a combined server, leave this step to the local 
admin - just like it has to be done on a separate machine w/ LTSP-server 
profile.
 
> Diskless workstations are one (probably the) Unique Selling Point of 
> Debian Edu, so I would like to make very clear that dropping support 
> for it in general would be problematic.

Sure.
 
Wolfgang




Bug#993988: debian-edu-config: consider to drop diskless workstation support as default for Main-Server+LTSP-Server profile

2021-09-09 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.12.1
Severity: wishlist

Like reported in #993935, a local admin might install additional 
packages on a combined server causing potential leakage of sensitive data
in the SquashFS image file for diskless workstations.

It would be quite easy to drop the diskless workstation support (done by 
default at first boot of a combined server), only provide thin client 
support on the combined server and leave the (site specific) setup for 
diskless ws to the local admin. (The manual should then contain hints 
how to do this.)

Wolfgang




Bug#993935: debian-edu-ltsp-install: Netboot image exposes private data and crypto keys

2021-09-08 Thread Wolfgang Schweer
[ Dominik George, 2021-09-08 ]
> Package: debian-edu-config
> Version: 2.11.56
> Severity: critical
> Tags: security
> Justification: root security hole
> X-Debbugs-Cc: Debian Security Team 
> 
> The LTSP netboot image produced by debian-edu-ltsp-install includes full copies
> of files that should never leave the Debian Edu main server, if run on a so-called
> "combined server" (a system using the Main Server and Terminal Server profiles,
> as done in small installations).

Yes, confirmed.
 
> Among these files are full copies of, among others:
> 
>  - /var/lib/ldap, containing the full, unencrypted LDAP database with all
>    private information on all users, password hashes, and Kerberos keys
>  - /etc/krb5-kdc, containing information on decrypting Kerberos data in the
>    LDAP database
>  - /etc/gosa, containing the (encrypted) LDAP manager credentials, plus the
>    key to decrypt it

These should be added to the exclude list, and some more. Other fixes 
are then needed, too.
 
> Any user with access to the local terminal server network can acquire 
> the netboot image, unauthenticated, and extract the listed information 
> from it.

SSH, tftp: I fail to get the SquashFS image file in both cases. But then 
I'm no expert.
 
> The issue is caused by the new LTSP system using the LTSP PnP system 
> now in all cases, thus packing the entire main server filesystem in 
> squashfs image. The debian-edu-ltsp-install script produces a list of 
> files to exclude from the image, which is not sufficient, most 
> probably because it was tailored to the use case where the image is 
> produced from a dedicated Terminal Server instead of a combined 
> server.

Yes.
 
> IMHO, the use case of the combined server cannot be fixed. The new 
> LTSP system de facto disallows any use of a combined server – even if 
> we make a very carefully curated list of excluded files, any 
> administrator would have to take care to add their own excludes for 
> just about any file they place on the main server that was not placed 
> there by the Debian Edu software. In fact, the whole new LTSP system 
> seems unfit to be used on any server that is not limited to producing 
> LTSP images, and supporting netbooting them.

While it's best to use separated LTSP servers (like recommended in the 
manual), people are used to get a turnkey system like the combined 
server. So maybe we should strive to keep that option (and add a hint to 
the exclude list in the manual).
 
> For now, the issue should be mitigated by carefully adding all 
> relevant paths that are known to exist only on the main server to the 
> exclude list, but I do not think that is a viable fix in the long 
> term.

I've set up a test environment and will take a look.

Wolfgang


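
A check an admin could run after an image build, added here as an example (it is not part of the thread or of debian-edu-config): it scans a file listing of the netboot image for content below the main-server directories named in #993935 and in the exclude-list patch. It works on the image listing rather than on /etc/ltsp/image-local.excludes because, as noted elsewhere in this thread, that file is emptied after the build. The listing format (as saved from `unsquashfs -l`), the function names and the sample file names are assumptions; the sample listings are constructed.

```python
"""Audit an LTSP image file listing for main-server-only data (added example)."""

# Directories taken from bug #993935 and the exclude-list patch on this page.
SENSITIVE_DIRS = (
    "etc/gosa",
    "etc/krb5kdc",
    "etc/freeradius",
    "etc/samba",
    "var/lib/ldap",
    "var/lib/samba",
)

# Assumption: the listing was saved from `unsquashfs -l <image>`, which
# prefixes every path with the default extraction directory name.
LISTING_ROOT = "squashfs-root"


def parse_listing(text, root=LISTING_ROOT):
    """Return image-relative paths from a listing with one path per line."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == root:
            continue  # blank line or the image root itself
        if line.startswith(root + "/"):
            line = line[len(root) + 1:]
        paths.append(line.lstrip("/"))
    return paths


def find_leaks(paths, sensitive_dirs=SENSITIVE_DIRS):
    """Map each sensitive directory to the entries found beneath it.

    An exclude such as 'var/lib/ldap/*' leaves the empty directory in the
    image, so the directory entry alone is not reported; anything below it is.
    The trailing slash in the comparison keeps 'etc/gosa-local' from matching
    'etc/gosa'.
    """
    leaks = {}
    for path in paths:
        for directory in sensitive_dirs:
            if path.startswith(directory + "/"):
                leaks.setdefault(directory, []).append(path)
    return leaks


def audit(listing_text):
    """Return (ok, leaks); ok is True when no sensitive content was found."""
    leaks = find_leaks(parse_listing(listing_text))
    return (not leaks, leaks)


# Constructed listing of an image built with an insufficient exclude list.
LISTING_BEFORE = """\
squashfs-root
squashfs-root/etc
squashfs-root/etc/gosa
squashfs-root/etc/gosa/example.conf
squashfs-root/etc/krb5kdc
squashfs-root/etc/krb5kdc/example.key
squashfs-root/var/lib/ldap
squashfs-root/var/lib/ldap/example.mdb
squashfs-root/usr/bin/example-tool
"""

# Constructed listing after the excludes were extended: 'etc/gosa' is gone,
# 'var/lib/ldap' is an empty directory, 'etc/gosa-local' is unrelated.
LISTING_AFTER = """\
squashfs-root
squashfs-root/etc
squashfs-root/etc/gosa-local
squashfs-root/etc/gosa-local/README
squashfs-root/var/lib/ldap
squashfs-root/usr/bin/example-tool
"""


if __name__ == "__main__":
    for name, text in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        ok, leaks = audit(text)
        print(name, "OK" if ok else "LEAK")
        for directory, found in sorted(leaks.items()):
            print("  %s: %d entries, e.g. %s" % (directory, len(found), found[0]))
```

Site-specific services installed on a combined server need their own entries in SENSITIVE_DIRS, just as they need their own excludes.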


Re: Nightmares and critical security issue with new LTSP

2021-09-07 Thread Wolfgang Schweer
[ Dominik George, 2021-09-07 ]
> > Most probably forgotten to exclude. There's a list of excludes 
> > (/etc/ltsp/image-local.excludes) prepended by a FIXME.
> 
> This file is empty, both on the upgraded and on the freshly installed
> combined server.

Yes, after building the related image for the use case, this file is 
removed (and touched for possible further usage).

> > > I installed a fresh Debian Edu 11 combined server in a test
> > > environment and can reproduce that issue, meaning that in my opinion,
> > > Debian Edu 11 **must not be used with LTSP in a production
> > > environment** without taking very much care to mitigate this issue.
> > 
> > ATM I don't have a test environment. Feel free to fix the script after 
> > testing with an extended exclude list for the main server.
> > 
> > That said, it would be best (for setups managed by professionals) to use 
> > separate LTSP servers anyway - like recommended in the manual: 
> > https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Architecture#Services_running_on_the_main_server
> 
> Yes, that would be the desirable case. Nonetheless, using a combined
> server should not expose security-relevant data and keys to the
> public.
> 
> I will try my best to find out how to fix that.

Very good.

> In any case, should we warn users?
 
There won't be many, I guess; but yes.

Wolfgang




Re: Nightmares and critical security issue with new LTSP

2021-09-07 Thread Wolfgang Schweer
Hi Dominik,

thanks for testing the bullseye release.

[ Dominik George, 2021-09-07 ]
> I am having very difficult times migrating a Debian Edu 10
> installation to Debian Edu 11. Until now, I could not get the LTSP
> netboot image to work (running into issues with mounting the homes, or
> with missing binaries, all of which I am sorting out one after the
> other).

Yes, much has changed. Please take a look at the 
/sbin/debian-edu-ltsp-install script:
https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/master/sbin/debian-edu-ltsp-install

All Debian Edu specific LTSP configuration is kept in this script by 
intention to be able to modify it to match site specific needs. 
 
> But one major problem I found is that the new system of building the
> image from the main server's root filesystem is prone to building
> images that contain far too much – reaching from dhcpd to freeradius
> and other services that should not be in the image, to a full copy of
> the LDAP data directory, Kerberos database keys, the GOSa secret, and
> everything else that should by all means not be shipped to random
> netboot clients over the network.

Most probably forgotten to exclude. There's a list of excludes 
(/etc/ltsp/image-local.excludes) prepended by a FIXME.

> I installed a fresh Debian Edu 11 combined server in a test
> environment and can reproduce that issue, meaning that in my opinion,
> Debian Edu 11 **must not be used with LTSP in a production
> environment** without taking very much care to mitigate this issue.

ATM I don't have a test environment. Feel free to fix the script after 
testing with an extended exclude list for the main server.

That said, it would be best (for setups managed by professionals) to use 
separate LTSP servers anyway - like recommended in the manual: 
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Architecture#Services_running_on_the_main_server
 
Wolfgang




Re: debian-edu-doc for buster, bullseye and bookworm

2021-09-04 Thread Wolfgang Schweer
[ Holger Levsen, 2021-09-04 ]
> so after some thinking this is my plan for debian-edu-doc:
> 
> 1a. we add the manual for bookworm to the main branch (master) of 
> debian-edu-doc
> and we keep the manual for buster (and bullseye of course) in that branch
> too.
> 
> 1b. we upload that branch to unstable and let it migrate to bookworm.
> 
> 1c. in a year, when buster becomes LTS, we drop the buster manual from the
> main branch.
> 
> 2a. a bullseye branch is forked from the main branch at 
> 7b8eae644ada0e3eb9ce060ed1f0a139454dc1cc
> 
> 2b. the manual and the translations for both bullseye and buster are
> updated by copying files from the main branch. (as opposed to 
> cherry-picking.)
> 
> What do you think? Anything I missed? (Except new translations for bullseye,
> about which I'm not fully sure yet...)

For me, this is a very good and complete plan.

Wolfgang




Re: iomega ix2-200 as slbackup server

2021-08-25 Thread Wolfgang Schweer
Moin Frank,

[ Frank Weißer, 2021-08-25 ]
> I tried to run with
> PROFILE=Minimal \
> DESKTOP=none \
> ./debian-edu-bless

Should be DESKTOP= for no desktop environment.

> and it installs a complete (kde?) Workstation :-(

No idea what happens if the none desktop environment is chosen ;)
(Maybe the Debian default one (gnome) is kept.)

> btw.: are upper/lower cases correct?

Yes.
 
Wolfgang




Re: iomega ix2-200 as slbackup server

2021-08-24 Thread Wolfgang Schweer
Moin Frank,

[ Frank Weißer, 2021-08-24 ]
> Now I'd like to get the profile minimal of DebianEdu installed. I don't find
> any instruction, how to do that subsequently. Is there any way except
> installing DebianEdu minimal on a i386 based system and copying, what's
> installed there?

Take a look at this script:

https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/master/share/debian-edu-config/tools/debian-edu-bless

Wolfgang




Re: Debian Edu 11 Diskless Workstation Management for multiple schools

2021-08-18 Thread Wolfgang Schweer
Hi Mike,

[ Mike Gabriel, 2021-08-18 ]
> for my school customers, I maintained my own Diskless Workstation chroot in
> a subfolder on some central server that deployed this chroot over to other
> schools (over night, incrementally, only when changes had been applied).
> Basically, I'd like to keep things that way.

It should be possible, I guess.

> However, with the new LTSP approach, is there a chroot for diskless
> workstations anymore, at all. From my understanding, LTSP now creates a
> SquashFS image from the local system and thus uses that as a template. I
> wonder, if I can continue with my current deployment mechanism or if I need
> to re-invent things here.

LTSP is also able to deal with diskless chroots that are maintained 
manually like you are supposed doing it.

> Note that I don't have one diskless image per school, but one image that I
> use for all schools. This has been working smoothly over the past years.

On the client LTSP server the chroot location should be something like 
/srv/ltsp/amd64 (for 64-bit clients).

You need 'ltsp image ' to generate the SquashFS image and 
'ltsp initrd' to generate the ltsp.img file. As an example, see the 
content of the 'debian-edu-ltsp-install' script for how these commands are 
used for building the thin client chroot.

You'll need 'ltsp ipxe' to generate the iPXE configuration file. 
Locations of the generated files should be the only caveats, I guess. 
(Out of my head and never tested, so things might be different.)

'debian-edu-ltsp-install' contains all configuration as HERE documents 
by intention, no modifications are done to stock LTSP. So you can use 
the LTSP commands like explained on the LTSP website, see:
https://ltsp.org/man/.

Good luck,
Wolfgang




Debian Edu / Skolelinux 11 (bullseye) released

2021-08-15 Thread Wolfgang Schweer
On behalf of the Debian press team, Laura Arjona Reina has just 
published the release announcement; translations are available in French, 
Galician, German, Italian, Dutch, Portuguese and Swedish, see the link 
to the News: https://www.debian.org/News/2021/20210815

From the announcement mail:


The Debian Project   https://www.debian.org/
Debian Edu / Skolelinux Bullseye — a complete 
Linux solution for your school  pr...@debian.org
August 15th, 2021  https://www.debian.org/News/2021/20210815



Are you the administrator for a computer lab or an entire school
network? Would you like to install servers, workstations, and laptops to
work together? Do you want the stability of Debian with network services
already preconfigured? Do you wish to have a web-based tool to manage
systems and several hundred or even more user accounts? Have you asked
yourself if and how older computers could be used?

Then Debian Edu is for you. The teachers themselves or their technical
support can roll out a complete multi-user multi-machine study
environment within a few days. Debian Edu comes with hundreds of
applications pre-installed, and you can always add more packages from
Debian.

The Debian Edu developer team is happy to announce Debian Edu 11
"Bullseye", the Debian Edu / Skolelinux release based on the Debian 11
"Bullseye" release. Please consider testing it and reporting back
() to help us to improve it further.


About Debian Edu and Skolelinux
---

Debian Edu, also known as Skolelinux [1], is a Linux distribution based
on Debian providing an out-of-the box environment of a completely
configured school network. Immediately after installation, a school
server running all services needed for a school network is set up just
waiting for users and machines to be added via GOsa², a comfortable web
interface. A netbooting environment is prepared, so after initial
installation of the main server from CD / DVD / BD or USB stick all
other machines can be installed via the network. Older computers (even
up to ten or so years old) can be used as LTSP thin clients or diskless
workstations, booting from the network without any installation and
configuration at all. The Debian Edu school server provides an LDAP
database and Kerberos authentication service, centralized home
directories, a DHCP server, a web proxy and many other services. The
desktop environment contains more than 70 educational software packages
and more are available from the Debian archive. Schools can choose
between the desktop environments Xfce, GNOME, LXDE, MATE, KDE Plasma,
Cinnamon and LXQt.

1: https://blends.debian.org/edu


New features for Debian Edu 11 "Bullseye"
-

These are some items from the release notes for Debian Edu 11
"Bullseye", based on the Debian 11 "Bullseye" release. The full list
including more detailed information is part of the related Debian Edu
manual chapter [2].

  * New LTSP [3] to support diskless workstations. Thin clients are still
    supported, now using X2Go [4] technology.
  * Booting over the network is provided using iPXE instead of PXELINUX to be
    compliant with LTSP.
  * The Debian Installer's graphical mode is used for iPXE installations.
  * Samba is now configured as "standalone server" with support for SMB2/SMB3.
  * DuckDuckGo is used as default search provider for both Firefox ESR and
    Chromium.
  * New tool added to set up freeRADIUS with support for both EAP-TTLS/PAP and
    PEAP-MSCHAPV2 methods.
  * Improved tool available to configure a new system with "Minimal" profile as
    dedicated gateway.

2: https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Features#New_features_in_Debian_Edu_Bullseye
3: https://ltsp.org
4: https://wiki.x2go.org


Download options, installation steps and manual
---

Official Debian Network-Installer CD images for both 64-bit and 32-bit
PCs are available. The 32-bit image will only be needed in rare cases
(for PCs older than around 15 years). The images can be downloaded at
the following locations:

  * http://get.debian.org/cdimage/release/current/amd64/iso-cd
  * http://get.debian.org/cdimage/release/current/i386/iso-cd


Alternatively official Debian BD images (more than 5 GB in size) are
also available. It is possible to set up a whole Debian Edu network
without an Internet connection (including all desktop environments and
localization for all languages supported by Debian). These images can be
downloaded at the following locations:

  * http://get.debian.org/cdimage/release/current/amd64/iso-bd
  * http://get.debian.org/cdimage/release/current/i386/iso-bd


The images can be verified using the signed checksums provided in the
download directory.
Once yo

Re: Upgrade to Debian Edu 11 – DHCP, iPXE, LDAP issue

2021-07-13 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-06-17 ]
> [ Dominik George, 2021-06-16 ]
> > > Using a file, say ipxe.ldif, containing:
> > > 
> > > dn: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
> > > changetype: modify
> > > add: dhcpOption
> > > dhcpOption: space ipxe
> > > dhcpOption: ipxe-encap-opts code 175 = encapsulate ipxe
> > > dhcpOption: ipxe.menu code 39 = unsigned integer 8
> > > dhcpOption: ipxe.no-pxedhcp code 176 = unsigned integer 8
> > > dhcpOption: arch code 93 = unsigned integer 16
> > > 
> > > and then running:
> > > ldapadd -ZD 'cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no' -W -f ipxe.ldif
> > > 
> > > would avoid the hassle and should do it right; maybe add something 
> > > related to the wiki?
> > 
> > Probably yes, but as I said, there is no guarantee – it's based on the
> > good faith that slapd will always retain the order when returning data.
> 
> I've checked this with debug log file enabled. The dhcpd ldap binary 
> fetches the data from LDAP in the exact same order like found in LDAP. 
> So the only requirement is keeping that one right.
> 
> The updated upgrade guide has been tested to work ok. Thanks again for 
> your feedback.
>  
> > The real fix would be for dhcpd to use a syntax that contains 
> > ordering.
> 
> According to the debug file content, this is the case.
 
Actually, the wrong ordering is a known ldapvi bug, see:
https://bugs.debian.org/820790

With the patch posted in 820790#10 applied, ldapvi doesn't reorder the 
dhcpOption entries any more.

Wolfgang




Re: Installation help request

2021-06-21 Thread Wolfgang Schweer
Hi Peter,

[ Peter Ehlert, 2021-06-20 ]
> I just installed EDU using firmware-edu-10.10.0-amd64-netinst.iso on a USB
> stick.
> 
> The installer is the traditional DI that I am accustomed to, but setup very
> differently.

Yes. Debian Edu is a subset of Debian aimed at setting up a network for 
schools or similar organisations; the installer sports a profile choice 
page, and all needed information is gathered at the beginning of an 
installation. See the project's landing page: 
https://blends.debian.org/edu/ containing links to all needed 
resources, including the manual.

> It detected the network and all seemed fine...

Good.
 
> I created a 30 GB root partition, 10 GB swap, and a 50 GB home.
> I deselected the other swap partitions for the other OSs on that computer. 
> I did not install a boot loader by choice.
> Installer complained as expected... I told it to continue
> restarted and booted on my default Debian 10 Mate, then update GRUB.

I guess I don't understand your intention. Installing Debian Edu 
together with other distributions like you tried it is only supposed to 
work if you'd choose the 'Standalone' profile, see the manual.
 
> First boot: I could not login as a user "wrong password".
> 
> anyway, I logged in as root.
> 
> the boot splash screen says it is fails to connect to the network
> XFCE tools are alien to me, so that does not help.

All these issues seem to indicate that your choice on the profile page 
has been something else than 'Standalone'.

> How do I start?

Please read the manual.

Wolfgang




Re: Upgrade to Debian Edu 11 – DHCP, iPXE, LDAP issue

2021-06-17 Thread Wolfgang Schweer
[ Dominik George, 2021-06-16 ]
> > Using a file, say ipxe.ldif, containing:
> > 
> > dn: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
> > changetype: modify
> > add: dhcpOption
> > dhcpOption: space ipxe
> > dhcpOption: ipxe-encap-opts code 175 = encapsulate ipxe
> > dhcpOption: ipxe.menu code 39 = unsigned integer 8
> > dhcpOption: ipxe.no-pxedhcp code 176 = unsigned integer 8
> > dhcpOption: arch code 93 = unsigned integer 16
> > 
> > and then running:
> > ldapadd -ZD 'cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no' -W -f ipxe.ldif
> > 
> > would avoid the hassle and should do it right; maybe add something 
> > related to the wiki?
> 
> Probably yes, but as I said, there is no guarantee – it's based on the
> good faith that slapd will always retain the order when returning data.

I've checked this with debug log file enabled. The dhcpd ldap binary 
fetches the data from LDAP in the exact same order like found in LDAP. 
So the only requirement is keeping that one right.

The updated upgrade guide has been tested to work ok. Thanks again for 
your feedback.
 
> The real fix would be for dhcpd to use a syntax that contains 
> ordering.

According to the debug file content, this is the case.

Wolfgang




Re: GOSa problem changing passwords after upgrade to Debian Edu 11

2021-06-17 Thread Wolfgang Schweer
[ Dominik George, 2021-06-17 ]
> > Strangely, the upgrade documentation explicitly says to enable this
> > option after copying the KDC config… Maybe whoever wrote this part of
> > the upgrade guide should reinvestigate, I am with my Latin at the end.

done so, wiki updated, thanks again for sharing the upgrade issues.
 
Wolfgang




Re: Upgrade to Debian Edu 11 – DHCP, iPXE, LDAP issue

2021-06-17 Thread Wolfgang Schweer
[ Dominik George, 2021-06-16 ]
> > > Is it possible to place them all in one long line, with a separator, to
> > > fix their ordering?  Perhaps semicolon or something can be used to split
> > > the options?  I suspect it need code changes in dhcpd. :(
> > 
> > No, it doesn't seem to be possible (after using ';' as separator)
> 
> Do these options even need to be in LDAP? Can't we put them in the
> config file before loading data from LDAP?
 
These options need to be in LDAP. There's no config file to put them in, see
/usr/share/doc/isc-dhcp-server-ldap/README.ldap.gz for details.

Wolfgang




Bug#989937: some non CDATA commands are hard to read

2021-06-16 Thread Wolfgang Schweer
[ hox...@noramail.jp, 2021-06-16 ]
> Package: debian-edu-doc
> Version:2.11.24
> Severity: wishlist
> 
> Dear Debian Edu team,
> 
> Some commands for upgrading written in section 12 "upgrade"
> are "listitem" type in po files (not "CDATA").
> 
> As a result some of crucial texts are rendered as
> list items which I think it could confuse readers a bit
> (by depth of list and wrap on browser).
> 
> e.g. 12.2.1. ldapvi manipulation (iPXE)
> 
> Perhaps "computeroutput" and/or "CDATA" be nice,
> for both readers and translators, I think.
 
Thanks for the hint. The related chapter has been reworked (waiting for 
revision), see:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Upgrades

Wolfgang




Bug#989936: make clean should clean images-tmp dir

2021-06-16 Thread Wolfgang Schweer
[ hox...@noramail.jp, 2021-06-16 ]
> Package: debian-edu-doc
> Version: 2.11.24
> Severity: wishlist
> 
> Dear Debian Edu team,
> 
> After making "make" error on .po task such like syntax error,
> debian-edu-doc/documentation/common/Makefile.common fails at
> "mkdir images-tmp". 
> 
> Since "make clean" does not purge that tmp dir,
> "make" keep failing even after fixing the error on .po file.
 
Thanks, confirmed. This should be fixed for Bookworm.

Wolfgang



Re: GOSa problem changing passwords after upgrade to Debian Edu 11

2021-06-16 Thread Wolfgang Schweer
[ Dominik George, 2021-06-16 ]
> after upgrade to Debian Edu 11, GOSa² cannot change user passwords anymore.
> 
> It successfully changes the Samba password, then fails in a postmodify hook:
> 
>   Password change - postmodify hook execution! - FAILED
> 
> I dug around a bit and the only other error I found (after fixing the
> logging code) is this:
> 
>   Jun 16 14:54:33 tjener php: GOsa[nik]: (view) error : PHP error: Array to 
> string conversion (/usr/share/gosa/include/class_log.inc, line 129) 
>   Jun 16 14:54:33 tjener php: GOsa[nik]: (view) error : PHP error: array (
>   Jun 16 14:54:33 tjener php:   'user' => 
> 'uid=nik,ou=people,ou=Teachers,dc=skole,dc=skolelinux,dc=no',
>   Jun 16 14:54:33 tjener php:   'timestamp' => 1623848073,
>   Jun 16 14:54:33 tjener php:   'action' => 'modify',
>   Jun 16 14:54:33 tjener php:   'objecttype' => 'users/passwordMethod',
>   Jun 16 14:54:33 tjener php:   'object' => 
> 'uid=nik,ou=people,ou=Teachers,dc=skole,dc=skolelinux,dc=no',
>   Jun 16 14:54:33 tjener php:   'changes' => '',
>   Jun 16 14:54:33 tjener php:   'result' => 
>   Jun 16 14:54:33 tjener php:   array (
>   Jun 16 14:54:33 tjener php: 0 => 'WARNING: tempfile is deprecated; 
> consider using mktemp instead.',
>   Jun 16 14:54:33 tjener php:   ),
>   Jun 16 14:54:33 tjener php: ) (/usr/share/gosa/include/class_log.inc, line 
> 130)
> 
> (The first line is the error when writing the log; the rest after it is
> logging added by myself; the interesting part is
> 
>   WARNING: tempfile is deprecated; consider using mktemp instead.
> 
> This is logged directly after the postmodify failure above, I have no
> idea whether it is related.

I guess the tempfile issue is unrelated. On a rather fresh Bullseye 
system, things work like expected; so the hook scripts and GOsa seem to be ok.
I figure this to be an upgrade issue…

Wolfgang



Re: Upgrade to Debian Edu 11 – DHCP, iPXE, LDAP issue

2021-06-16 Thread Wolfgang Schweer
[ Petter Reinholdtsen, 2021-06-16 ]
> [Wolfgang Schweer]
> > Using a file, say ipxe.ldif, containing:
> >
> > dn: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
> > changetype: modify
> > add: dhcpOption
> > dhcpOption: space ipxe
> > dhcpOption: ipxe-encap-opts code 175 = encapsulate ipxe
> > dhcpOption: ipxe.menu code 39 = unsigned integer 8
> > dhcpOption: ipxe.no-pxedhcp code 176 = unsigned integer 8
> > dhcpOption: arch code 93 = unsigned integer 16
> 
> Is it possible to place them all in one long line, with a separator, to
> fix their ordering?  Perhaps semicolon or something can be used to split
> the options?  I suspect it needs code changes in dhcpd. :(

No, it doesn't seem to be possible (after using ';' as separator)

june 16 16:55:31 tjener.intern dhcpd[1378]: LDAP: cannot parse dhcpService entry 'cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no'
june 16 16:55:31 tjener.intern dhcpd[1378]: Configuration file errors encountered -- exiting

Wolfgang



Re: Upgrade to Debian Edu 11 – DHCP, iPXE, LDAP issue

2021-06-16 Thread Wolfgang Schweer
Hi Dominik,

[ Dominik George, 2021-06-16 ]
> I am currently upgrading a Debian Edu 10 installation to Debian Edu 11
> for testing, mostly finding the upgrade guide to work (with some minor
> pitfalls, for which I am not yet sure whether they are documentation
> issues or caused by local deviations).

Thanks for the feedback and the correction on the wiki.
 
> But I found one major issue when upgrading the DHCP configuration for
> iPXE: the dhcpOption LDAP attribute is not ordered. Thus, it is
> impossible to reliably configure the iPXE options in LDAP, because the
> `option space ipxe` has to come before setting and using any options
> below that space.

Thanks for spotting this issue.

> Now, ldapvi, which is recommended in the upgrade manual, sorts attributes
> ascii-betically when generating the LDIF, and slapd seems to retain the
> order the attribute was written. What worked for me was doing the
> editing in ldapvi, then letting ldapvi write the LDIF file it would
> apply, and then manually moving the space option to the top in the LDIF
> before applying it using ldapmodify.

Using a file, say ipxe.ldif, containing:

dn: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
changetype: modify
add: dhcpOption
dhcpOption: space ipxe
dhcpOption: ipxe-encap-opts code 175 = encapsulate ipxe
dhcpOption: ipxe.menu code 39 = unsigned integer 8
dhcpOption: ipxe.no-pxedhcp code 176 = unsigned integer 8
dhcpOption: arch code 93 = unsigned integer 16

and then running:
ldapadd -ZD 'cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no' -W -f ipxe.ldif

would avoid the hassle and should do it right; maybe add something 
related to the wiki?
 
Wolfgang
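
The ordering constraint discussed in this thread (the "space ipxe" value has to come before every dhcpOption value that uses that space) can be checked mechanically before an LDIF is applied. The script below is an added example, not code from the thread or from Debian Edu; the function and sample names are hypothetical, the first sample repeats the ipxe.ldif shown above and the second one is constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. All names are hypothetical.
#
# check_dhcp_option_order [FILE...]
#   Reads LDIF from FILE (or stdin) and prints one line for every dhcpOption
#   value that uses an option space before the "space NAME" value of the same
#   entry. Returns 0 if the order is fine, 1 otherwise.
#   Limits: base64 values ("dhcpOption::") are skipped; a space that is never
#   declared in the entry is not reported, because it may be predefined.
check_dhcp_option_order() {
    awk '
    function note(name, val,    msg) {
        if (name in declared) return
        msg = sprintf("%s: \"%s\" precedes \"space %s\"\n", dn, val, name)
        pending[name] = pending[name] msg
    }
    function handle(l,    val, n, f, i) {
        if (l == "") return
        if (tolower(l) ~ /^dn:/) {            # new entry: reset the state
            dn = l; split("", declared); split("", pending); return
        }
        if (tolower(l) !~ /^dhcpoption:[^:]/) return
        val = l; sub(/^[^:]*:[ \t]*/, "", val)
        n = split(val, f, /[ \t]+/)
        if (n >= 2 && f[1] == "space") {      # declaration of an option space
            if (f[2] in pending) { printf "%s", pending[f[2]]; bad = 1 }
            delete pending[f[2]]; declared[f[2]] = 1
            return
        }
        # "NAME.option code ..." uses space NAME
        i = index(f[1], ".")
        if (i > 1) note(substr(f[1], 1, i - 1), val)
        # "... = encapsulate NAME" uses space NAME
        for (i = 1; i < n; i++) if (f[i] == "encapsulate") note(f[i + 1], val)
    }
    { sub(/\r$/, "") }                        # tolerate CRLF input
    /^ / { line = line substr($0, 2); next }  # folded LDIF line: unfold it
    { handle(line); line = $0 }
    END { handle(line); exit (bad ? 1 : 0) }
    ' "$@"
}

# Sample 1: the ipxe.ldif from the thread, with "space ipxe" first.
sample_ordered() {
    cat <<'EOF'
dn: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
changetype: modify
add: dhcpOption
dhcpOption: space ipxe
dhcpOption: ipxe-encap-opts code 175 = encapsulate ipxe
dhcpOption: ipxe.menu code 39 = unsigned integer 8
dhcpOption: ipxe.no-pxedhcp code 176 = unsigned integer 8
dhcpOption: arch code 93 = unsigned integer 16
EOF
}

# Sample 2 (constructed): the same values in ASCII sort order, with one value
# folded the way LDIF folds long lines (the continuation starts with a space).
sample_sorted() {
    cat <<'EOF'
dn: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
dhcpOption: arch code 93 = unsigned integer 16
dhcpOption: ipxe-encap-opts code 175 = encap
 sulate ipxe
dhcpOption: ipxe.menu code 39 = unsigned integer 8
dhcpOption: ipxe.no-pxedhcp code 176 = unsigned integer 8
dhcpOption: space ipxe
EOF
}

# Demo: the ordered file passes, the sorted one is reported.
if sample_ordered | check_dhcp_option_order; then echo "ordered: ok"; fi
if ! sample_sorted | check_dhcp_option_order; then echo "sorted: out of order"; fi
```

Piping ldapsearch -LLL output for the dhcpService entry into the function checks what is stored in the directory rather than what was submitted.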



Re: Remote desktop client for Ubuntu

2021-06-10 Thread Wolfgang Schweer
Hi Roman,

[ roman.me...@gismap.ch, 2021-06-10 ]

> Some of our teachers prefer to use Windows on their laptops. They use 
> a "remote desktop connection" to use Debian Edu and it works nicely 
> for them.
> 
> We do have teachers using Linux as well, e.g. Ubuntu. What is the 
> preferred tool to use Debian Edu for them?

I recommend using X2Go Client (package name x2goclient), the related 
X2Go server is already installed on each Debian Edu Buster LTSP server.

A client is also available for Windows and macOS systems.

See https://wiki.x2go.org/doku.php for details.
 
Wolfgang



Re: Bug#989485: d-e-install: drop powerpc recipes

2021-06-05 Thread Wolfgang Schweer
[ Holger Levsen, 2021-06-04 ]

> wait, what? why do we still have powerpc recipes in Debian Edu? We 
> dropped powerpc support some time ago :)
> 
> (not fully sure we want this change for bullseye but then I also don't 
> see how it could hurt to drop those properly.)
> 
> (and in any case this shouldn't be a blocker for #989483, the current 
> d-e-install unblock request...)

I noticed the superfluous recipes as well (and those should definitely be 
removed), but then thought restricting the changes to fix the UEFI 
related bug would be the way to go for bullseye…

Wolfgang



Bug#989342: debian-edu-config: fails to setup thin client support if used outside d-i

2021-06-04 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2021-06-01 ]
> During a recent installation test I noticed that the 
> debian-edu-ltsp-install script fails to setup thin client support if 
> used outside the Debian Installer environment.
> 
> As there are too many ways to install a combined server with or 
> without Internet connection using the BD iso image it is best to 
> adjust debian-edu-ltsp-install to only use the BD ISO image if run 
> inside d-i.
> 
> The fix is simple:
> 
> diff --git a/sbin/debian-edu-ltsp-install b/sbin/debian-edu-ltsp-install
> index 1edb407a..a22d8ca8 100755
> --- a/sbin/debian-edu-ltsp-install
> +++ b/sbin/debian-edu-ltsp-install
> @@ -341,8 +341,8 @@ cat < /etc/ltsp/skel/.x2goclient/settings
>  show=false
>  EOF
> 
> -# Specific settings needed if BD ISO image is used for installation.
> -if grep -q BD /etc/apt/sources.list ; then
> +# Specific settings needed if BD ISO image is used for installation inside 
> d-i.
> +if [ -e /etc/apt/apt.conf.d/00IgnoreTimeConflict ] && grep -q BD 
> /etc/apt/sources.list ; then
> BD_ISO="true";
> device="$(grep media/cdrom /etc/fstab | cut -d' ' -f1)"
> mirror="file:///media/cdrom/"
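
Review bot: The new test on /etc/apt/apt.conf.d/00IgnoreTimeConflict in the if line is what now stands for "running inside d-i", but the updated comment does not say so. A reader of the script cannot tell why that file marks the installer environment; name the file in the comment (what creates it and when it goes away), or move the test into a small helper with a descriptive name, so the gate is not silently defeated if the file is ever left behind or renamed.
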
> @@ -365,7 +365,6 @@ debootstrap --arch="$arch" --no-check-gpg 
> --variant=minbase --include=linux-imag
> if [ "true" == "$BD_ISO" ] ; then
> mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
> mount $device /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
> -   cp /var/cache/apt/*.bin 
> /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt/
> echo "deb [trusted=yes] $mirror $dist main" > 
> /srv/ltsp/thin/"$thin_type"-"$arch"/etc/apt/sources.list
> fi
> chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install 
> education-thin-client p910nd
> 
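
Review bot: With the cp of /var/cache/apt/*.bin gone, the BD_ISO block still writes a sources.list entry marked [trusted=yes], and the debootstrap call in the hunk header runs with --no-check-gpg, so nothing taken from $mirror is signature-checked. Now that this block only runs inside d-i, add a comment stating that the trust is meant for the installer medium at file:///media/cdrom/ only, and confirm that the chroot does not keep that sources.list entry once the thin client chroot has been built.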

Explaining the fix:

If the BD ISO image is used in offline mode, 'apt update' isn't run, so 
/var/cache/apt/ doesn't contain pkgcache.bin and srcpkgcache.bin; the 
script errors out.

A fix could have been to append '|| true' to the line 
cp /var/cache/apt/*.bin /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt/

But a second issue showed up while testing a fix for the script:

There are too many ways to use the script outside d-i for installation 
(with or without Internet connection, with or without adjusting the 
sources list, with or without running apt update, support for amd64 or 
i386 thin clients, with or without a related DVD / USB flash drive being 
mounted / available) to cover all these cases.

So it seemed to be best to use the BD ISO image to setup X2Go thin 
client support only in case the script is run inside the Debian 
Installer environment.

This said, instead of appending '|| true' to the mentioned line, get rid 
of it completely.

Wolfgang



Re: isc-dhcp-server-ldap: fails to activate the service

2021-06-04 Thread Wolfgang Schweer
[ Wolfgang Schweer, 2020-09-28 ]
> while working on Debian Edu Bullseye, I noticed that the DHCP service 
> stopped working after upgrading the system.

[..]
 
> Reason seems to be that the init script timed out, maybe 
> /etc/default/isc-dhcp-server could not be sourced:

This isn't the case; it seems that testing the configurations is the 
cause.
 
> root@tjener:~# service isc-dhcp-server status
> * isc-dhcp-server.service - LSB: DHCP server
>  Loaded: loaded (/etc/init.d/isc-dhcp-server; generated)
>  Active: activating (start) since Mon 2020-09-28 18:24:25 CEST; 2min 36s 
> ago
>Docs: man:systemd-sysv-generator(8)
> Cntrl PID: 1280 (isc-dhcp-server)
>   Tasks: 8 (limit: 4671)
>  Memory: 17.6M
>  CGroup: /system.slice/isc-dhcp-server.service
>  |-1280 /bin/sh /etc/init.d/isc-dhcp-server start
>  `-1310 /usr/sbin/dhcpd -t -4 -q -cf /etc/dhcp/dhcpd.conf
> 
> Sep 28 18:24:25 tjener.intern systemd[1]: Starting LSB: DHCP server...
> Sep 28 18:24:26 tjener.intern isc-dhcp-server[1280]: Launching IPv4 server 
> only.

I've found two ways to work around this issue:

(1) Commenting the related code in /etc/init.d/isc-dhcp-server

test_config()
{
VERSION="$1"
CONF="$2"

#if ! /usr/sbin/dhcpd -t $VERSION -q -cf "$CONF" > /dev/null 2>&1; then
#   echo "dhcpd self-test failed. Please fix $CONF."
#   echo "The error was: "
#   /usr/sbin/dhcpd -t $VERSION -cf "$CONF"
#   exit 1
#fi
}

and adjusting related lines in /etc/default/isc-dhcp-server (for a 
Debian Edu combined server with two network interfaces as an example):

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="eth0 eth1"
#INTERFACESv6=""

--

(2) Use a systemd unit file /etc/systemd/system/isc-dhcp-server.service

[Unit]
Description=DHCP server
After=network.target network-online.target
Requires=slapd.service

[Service]
Type=forking
RestartSec=2s
Restart=on-failure
ExecStartPre=-/usr/bin/touch /var/lib/dhcp/dhcpd.leases
ExecStart=/usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf

[Install]
WantedBy=multi-user.target

-

Please note that I'm no expert, I guess the unit file could be improved.

Wolfgang



Bug#989342: debian-edu-config: fails to setup thin client support if used outside d-i

2021-06-01 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.55
Severity: important

During a recent installation test I noticed that the debian-edu-ltsp-install
script fails to setup thin client support if used outside the Debian Installer
environment.

As there are too many ways to install a combined server with or without Internet
connection using the BD iso image it is best to adjust debian-edu-ltsp-install
to only use the BD ISO image if run inside d-i.

The fix is simple:

diff --git a/sbin/debian-edu-ltsp-install b/sbin/debian-edu-ltsp-install
index 1edb407a..a22d8ca8 100755
--- a/sbin/debian-edu-ltsp-install
+++ b/sbin/debian-edu-ltsp-install
@@ -341,8 +341,8 @@ cat < /etc/ltsp/skel/.x2goclient/settings
 show=false
 EOF

-# Specific settings needed if BD ISO image is used for installation.
-if grep -q BD /etc/apt/sources.list ; then
+# Specific settings needed if BD ISO image is used for installation inside d-i.
+if [ -e /etc/apt/apt.conf.d/00IgnoreTimeConflict ] && grep -q BD 
/etc/apt/sources.list ; then
BD_ISO="true";
device="$(grep media/cdrom /etc/fstab | cut -d' ' -f1)"
mirror="file:///media/cdrom/"
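
Review bot: The second half of the condition, grep -q BD /etc/apt/sources.list, matches the two letters anywhere in the file, including in a comment or a mirror host name. Since the branch goes on to read the device from /etc/fstab and to set mirror to file:///media/cdrom/, anchor the pattern to the cdrom entry it is meant to find, so an unrelated "BD" cannot select the offline path.
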
@@ -365,7 +365,6 @@ debootstrap --arch="$arch" --no-check-gpg --variant=minbase 
--include=linux-imag
if [ "true" == "$BD_ISO" ] ; then
mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
mount $device /srv/ltsp/thin/"$thin_type"-"$arch"/media/cdrom
-   cp /var/cache/apt/*.bin 
/srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt/
echo "deb [trusted=yes] $mirror $dist main" > 
/srv/ltsp/thin/"$thin_type"-"$arch"/etc/apt/sources.list
fi
chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install 
education-thin-client p910nd
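
Review bot: In the BD_ISO block, mount $device is unquoted and no check of its result is visible, while device comes from a grep on /etc/fstab that can return nothing. If the mount fails, the script still writes the file:///media/cdrom/ source and the chroot apt install on the last line fails with a less obvious error; quote "$device" and stop with a clear message when it is empty or the mount fails.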

Wolfgang



Bug#989340: debian-edu-config: broken DHCP configuration

2021-06-01 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.55
Severity: important

During a recent upgrade test I noticed that DHCP stopped working.

The isc-dhcp-server-server package ships an init-script that already stopped
working before, see https://bugs.debian.org/971275 for details.

The previous setup using changes done to /etc/default/isc/dhcp-server and the
init script had been replaced by conditionally providing a systemd unit file.
This setup is failing since I upgraded a combined server installed using the
DI-rc1 BD ISO image, see:
https://cdimage.debian.org/cdimage/bullseye_di_rc1/amd64/iso-bd/

Replacing ExecStartPre with a command inspired by the init script makes DHCP
work again.

The fix is tiny:

diff --git a/share/debian-edu-config/isc-dhcp-server.service 
b/share/debian-edu-config/isc-dhcp-server.service
index be60b45a..22d77f76 100644
--- a/share/debian-edu-config/isc-dhcp-server.service
+++ b/share/debian-edu-config/isc-dhcp-server.service
@@ -7,7 +7,7 @@ Requires=slapd.service
 Type=forking
 RestartSec=2s
 Restart=on-failure
-ExecStartPre=-sleep 2
+ExecStartPre=-/usr/bin/touch /var/lib/dhcp/dhcpd.leases
 ExecStart=/usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf

 [Install]
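
Review bot: Dropping ExecStartPre=-sleep 2 removes the only delay in front of ExecStart, and Requires=slapd.service (visible in the hunk header) pulls slapd in without ordering dhcpd after it. Since dhcpd takes its configuration from LDAP here, check that the [Unit] section also carries After=slapd.service; otherwise dhcpd can start before slapd answers and the unit relies on Restart=on-failure to recover.
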
diff --git a/share/debian-edu-config/isc-dhcp-server.service.eth1_only 
b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
index 87cc93a8..46557e6b 100644
--- a/share/debian-edu-config/isc-dhcp-server.service.eth1_only
+++ b/share/debian-edu-config/isc-dhcp-server.service.eth1_only
@@ -7,7 +7,7 @@ Requires=slapd.service
 Type=forking
 RestartSec=2s
 Restart=on-failure
-ExecStartPre=-sleep 2
+ExecStartPre=-/usr/bin/touch /var/lib/dhcp/dhcpd.leases
 ExecStart=/usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf eth1

 [Install]
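
Review bot: The leading "-" on ExecStartPre=-/usr/bin/touch /var/lib/dhcp/dhcpd.leases tells systemd to ignore a failure of touch, so a missing or unwritable /var/lib/dhcp only shows up later as a dhcpd start failure that Restart=on-failure retries every 2 seconds. Consider dropping the "-" here and in isc-dhcp-server.service so the failing step reports the cause, and say in the commit message why the lease file has to exist before dhcpd starts.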

 Wolfgang



Bug#989338: debian-edu-config: sending system emails from machines inside internal network broken

2021-06-01 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.55
Severity: important

During a recent upgrade test I noticed that sending system emails from machines
inside the internal network is no longer working. This seems to be due to
changes in src:exim4 4.94.

Client systems are configured using preseeding, but this setup is failing now.
Using the (already shipped, but unused) exim-ldap-client-v4.conf file as
exim4.conf on client machines re-enables sending system emails.

The fix is simple:

diff --git a/cf3/cf.exim b/cf3/cf.exim
index 904f94df..3dff1ea0 100644
--- a/cf3/cf.exim
+++ b/cf3/cf.exim
@@ -10,6 +10,12 @@ files:
   move_obstructions => "true";
 "/etc/default/exim4"
   edit_line => exim_default;
+
+  debian.!server.(workstation|minimal).installation::
+
+"/etc/exim4/exim4.conf"
+  link_from => ln_s("/etc/exim4/exim-ldap-client-v4.conf"),
+  move_obstructions => "true";
 }

 bundle edit_line exim_default
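
Review bot: The new promise sits under a class expression that ends in .installation, while the report describes the breakage as found during an upgrade test; confirm that clients which are upgraded rather than freshly installed also get /etc/exim4/exim4.conf linked to exim-ldap-client-v4.conf. A comment above the promise should also say that move_obstructions => "true" moves an existing exim4.conf out of the way, so a locally edited file is replaced by the symlink.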



Re: Accessing the backup system (slbackup-php)

2021-05-27 Thread Wolfgang Schweer
Hi Roman,

[ roman.me...@gismap.ch, 2021-05-27 ]
> I noticed that I can access Debian Edu's backup system (slbackup-php) 
> only if I log in on the server. If I'm trying to access it e.g. on my 
> workstation or a ltsp client, I don't get the login screen and I'm 
> redirected to a forbidden page.

Maybe using IP address 10.0.2.2 (default) instead of 'www' would help.

Wolfgang



Processed: Bug#988899 marked as pending in debian-edu-artwork

2021-05-25 Thread Wolfgang Schweer
Hi Mike,
[ Mike Gabriel, 2021-05-25 ]
> > > tag -1 pending
> > Bug #988899 [src:debian-edu-artwork] debian-edu-artwork-*: Missing
> > images background-nologo.svg
> > Added tag(s) pending.
> > 
> 
> Shall I upload and request unblock?
 
IMO it is ready; the nologo images might also be useful for 
slick-greeter (lightdm related), wdm, lxdm and sddm.

Wolfgang



Re: support in Norwegian

2021-05-18 Thread Wolfgang Schweer
[ Holger Levsen, 2021-05-17 ]
> https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Support
> says
> 
> Volunteer based support
> 
> in English
>   [...]
> in Norwegian
> 
> https://lists.skolelinux.org/listinfo/bruker - support mailing list
> 
> https://lists.skolelinux.org/listinfo/linuxiskolen - mailing list for the 
> development member organisation in Norway (FRISK)
> #skolelinux on irc.debian.org - IRC channel to support Norwegian users 
> 
> 
> 
> however, the mailing lists are gone. Are there any plans to bring them 
> back or should we drop them from the documentation?
 
Please correct me if I'm wrong, but those lists have been almost unused 
for years - at least when I checked it last autumn.

The documentation shouldn't have broken links, so I propose to drop 
them.

Wolfgang



Bug#988396: debian-edu-config: EFI partition is missing during automatic partitioning

2021-05-12 Thread Wolfgang Schweer
Hi,

[ Monsieur Cyril ETCHEVERRIA, 2021-05-11 ]
> Package: debian-edu-config
> Version: 2.11.54
> Severity: normal

[..]
> installing debian-edu 11 with debian-edu-bullseye-DI-rc1-amd64-netinst.iso
> image with automatic partitioning on a UEFI system results in a systematic
> error no EFI partition.

Thanks for trying Debian Edu and for reporting this bug.

Unfortunately UEFI system support is missing in the automatic 
partitioning setup. As far as I've been able to find out, the whole disk 
is wiped out (including an existing EFI partition). UEFI support should 
definitely be added, but maybe it's too late for Debian 11.

> With an automatic partitioning on the second disk with an EFI 
> partition present on the first disk, the installation continues 
> successfully.

The Debian Installer seems to be smart enough to figure that out.

Wolfgang



Re: pam-python: Python2 removal in sid/bullseye

2021-05-06 Thread Wolfgang Schweer
[ Holger Levsen, 2021-05-05 ]
> The pam-python website (http://pam-python.sourceforge.net/) also 
> grants an additional permission "The copyright holders grant you an 
> additional permission under Section 7 of the GNU Affero General Public 
> License, version 3, exempting you from the requirement in Section 6 of 
> the GNU General Public License, version 3, to accompany Corresponding 
> Source with Installation Information for the Program or any work based 
> on the Program. You are still required to comply with all other 
> Section 6 requirements to provide Corresponding Source."

This additional permission is also part of d/copyright, see the last 
section: 
https://sources.debian.org/src/pam-python/1.0.9-2/debian/copyright/

Wolfgang



Re: Problems installing Epoptes for "diskless workstation"

2021-05-01 Thread Wolfgang Schweer
Hi Roman,

[ Wolfgang Schweer, 2021-05-01 ]
> [ roman.me...@gismap.ch, 2021-05-01 ]
> > I did more tests today with Epoptes on "diskless workstation". 
> > 
> > Service epoptes-client fails to start upon booting. The reason seems 
> > to be that the server certificate file is missing. I can manually run 
> > the following command on the client via console to fetch the 
> > certificate:
> > 
> > /usr/sbin/epoptes-client -c
> > 
> > Then I can start the epoptes-client service and Epoptes works fine.
> > 
> > I think the above should be done upon booting, right? How is this done?
> 
> I don't have a test environment, so just guessing:
> 
> Use a systemd service override file (inserting a line like the following one):
> ExecStartPre=-/usr/sbin/epoptes-client -c
>  
> > Another question:
> 
> > The Epoptes admin gui is missing on "diskless workstation". Therefore 
> > a teacher can't use Epoptes to assist the kids unless he switches to 
> > "thin client". How can this be added for "diskless workstation" as 
> > well?
>  
> I guess the 'epoptes' package contains the GUI, so installing epoptes in 
> the LTSP chroot might help?
 
After reading documentation on epoptes.org, it is clear that rather the 
GUI on the LTSP server needs to be used.

So instead of the above guesswork:

On the main server,
- run 'ltsp-chroot -m --arch i386 epoptes-client -c'
  to fetch the server certificate into the LTSP chroot.
- run 'ltsp-chroot -m --arch i386 apt update'.
- run 'ltsp-chroot -m --arch i386 apt install x2goclient'
  to install X2Go client in the LTSP chroot.
- run 'ltsp-update-image'.

Log into a diskless workstation, choose 'X2Go Client' from the 
applications menu (needs to be configured if used for the first time):

'Session' tab:
Host: (tjener)
Login: (uid)
Tick Kerberos5 (GSSAPI) for passwordless login
Change session (use Xfce instead of default KDE)

'Connection' tab:
Choose LAN instead of default ADSL

Mostly out of my head, steps might be missing/different…

Wolfgang



Re: Problems installing Epoptes for "diskless workstation"

2021-05-01 Thread Wolfgang Schweer
Hi Roman,

[ roman.me...@gismap.ch, 2021-05-01 ]
> I did more tests today with Epoptes on "diskless workstation". 
> 
> Service epoptes-client fails to start upon booting. The reason seems 
> to be that the server certificate file is missing. I can manually run 
> the following command on the client via console to fetch the 
> certificate:
> 
> /usr/sbin/epoptes-client -c
> 
> Then I can start the epoptes-client service and Epoptes works fine.
> 
> I think the above should be done upon booting, right? How is this done?

I don't have a test environment, so just guessing:

Use a systemd service override file (inserting a line like the following one):
ExecStartPre=-/usr/sbin/epoptes-client -c
 
> Another question:

> The Epoptes admin gui is missing on "diskless workstation". Therefore 
> a teacher can't use Epoptes to assist the kids unless he switches to 
> "thin client". How can this be added for "diskless workstation" as 
> well?
 
I guess the 'epoptes' package contains the GUI, so installing epoptes in 
the LTSP chroot might help?

Wolfgang



Re: Client time/date synchronisation

2021-04-27 Thread Wolfgang Schweer
[ roman.me...@gismap.ch, 2021-04-27 ]
> > On 04/27/2021 11:36 AM Wolfgang Schweer  wrote:
> > [ roman.me...@gismap.ch, 2021-04-27 ]
> > > However, I noticed that the value of FAT_RAM_THRESHOLD is ignored. All 
> > > devices whether they have more or less than 1000KB of RAM boot as 
> > > "thin client". Somehow it's acting like setting 
> > > LTSP_FATCLIENT="False". The threshold value was working well for me in 
> > > earlier installations of Debian Edu.
> > 
> > Please check if you still have LTSP_FATCLIENT="False" in LDAP (or 
> > somewhere else).
> 
> I don't think so. I triple checked that one.
> 
> > > Also, rebuilding the image seems to have reduced the content of the 
> > > menu tree appearing when clicking Applications. It now starts with 
> > > "Settings" and ends with "System".
> > 
> > Strange. Any other changes done?
> > Does this also happen if using a fresh account?
> 

> Ok, I've created a new account and this one is showing the complete 
> menu tree. How come and how do I fix the old ones?
 
No idea why this could happen. I guess removing the .config/xfce4/panel 
directory in each user's homedir could fix it.

Wolfgang



Re: Client time/date synchronisation

2021-04-27 Thread Wolfgang Schweer
Hi Roman,

[ roman.me...@gismap.ch, 2021-04-27 ]
> However, I noticed that the value of FAT_RAM_THRESHOLD is ignored. All 
> devices whether they have more or less than 1000KB of RAM boot as 
> "thin client". Somehow it's acting like setting 
> LTSP_FATCLIENT="False". The threshold value was working well for me in 
> earlier installations of Debian Edu.

Please check if you still have LTSP_FATCLIENT="False" in LDAP (or 
somewhere else).
 
> Also, rebuilding the image seems to have reduced the content of the 
> menu tree appearing when clicking Applications. It now starts with 
> "Settings" and ends with "System".

Strange. Any other changes done?
Does this also happen if using a fresh account?

Wolfgang



Bug#987634: fails to configure diskless client support during i386 main server installation

2021-04-26 Thread Wolfgang Schweer
Package: debian-edu-config
Version: 2.11.54
Severity: important

In case a 32-bit combined server (Main-Server, Workstation and 
LTSP-Server profiles) is installed, the LTSP specific Initrd (ltsp.img) 
is missing, and a diskless workstation fails to start.

The command 'uname -m' is used to construct the path where ltsp.img 
should be located. In the 32-bit case, the command returns 'i686' while 
LTSP expects the path component to be 'x86_32' (like x86_64 for 32-bit 
systems).

Wolfgang


