Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

we'd like to update src:debian-edu-changes in jessie with the following
changes, fixing a number of rather important bugs for Debian Edu. The
debian-edu-config package is also only *used* by Debian Edu itself, so
potential harm is limited to us ;-)

The changelog reads:

debian-edu-config (1.818+deb8u1) jessie; urgency=low

  [ Petter Reinholdtsen ]
  * Translation updates:
    - Updated Brazilian Portuguese translation for debconf questions
      (Closes: #785467).  Translated by Adriano Rafael Gomes.

  [ Mike Gabriel ]
  * Add quotes around DNs when evoking kadmin.local in gosa-create and
    gosa-create-host. (Closes: #792042).
  * debian-edu-fsautoresize: Always use mapper names instead of kernel names
    when detecting supported mount points. (Closes: #800651). Thanks
    to Wolfgang Schweer and Giorgio Pioda.
  * gosa-sync: Test if a given user account actually is a Kerberos account. If
    not, don't try to set the Kerberos password for this account. (Closes:
    #798435).
  * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000).
  * exim4 mainserver configuration: Allow Debian Edu clients on the default
    Debian Edu network to directly send mails to the main server (by white-
    listing the 10./8 network). This fixes console mailing and system mails
    on Debian Edu clients (Closes: #794602).
  * Set configVersion="Managed-by-Debian-Edu" in gosa.conf. (Closes: #794189).
    This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to be installed on the
    main server.
  * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
    for hosts being in the .local domain. (Closes: #803911).
  * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These
    hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/
    unlocking the Kerberos part of user accounts. (Closes: #804207).
  * Adapt to a code injection prevention fix in GOsa (starting with Debian
    package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the sambaHashHook
    parameter in gosa.conf anymore (as hashed passwords now have to be base64
    encoded). Already existing gosa.conf files on deployed servers should drop
    the sambaHashHook from the gosa.conf file, as well, once gosa is updated to
    the above referenced GOsa version.
  * CUPS: Do hostname lookups, so https redirects are done to the FQDN of the
    CUPS server instead of to its IP address. (Closes: #805402).
  * Improve gosa-lock-user, gosa-unlock-user: When logging success/failure,
    differentiate between non-existent and non-kerberized accounts.
  * Don't create home dir and Kerberos principal for GOsa user template
    account. (Closes: #815040).

  [ Wolfgang Schweer ]
  * Adjust tools/subnet-change for squid3. (Closes: #800654)
  * Fix XML syntax error in gosa.conf. (Closes: #820551).
  * Add script sbin/debian-edu-nscd-netgroup-cache (workaround for #791562).

 -- Holger Levsen <hol...@debian.org>  Wed, 25 May 2016 00:21:53 +0200

The diffstat is:

$ debdiff debian-edu-config_1.818.dsc debian-edu-config_1.818+deb8u1.dsc | diffstat
 Makefile                                       |    3 +
 debian/changelog                               |   49 +++++++++++++++++++++++++
 debian/po/pt_BR.po                             |   31 +++++++++++----
 etc/cups/cupsd-debian-edu.conf                 |    2 -
 etc/exim4/exim-ldap-server-v4.conf             |    5 +-
 etc/gosa/gosa.conf                             |    9 ++--
 ldap-bootstrap/sudo.ldif                       |    2 +
 sbin/debian-edu-fsautoresize                   |    8 ++++
 sbin/debian-edu-nscd-netgroup-cache            |   32 ++++++++++++++++
 share/debian-edu-config/tools/gosa-create      |    4 +-
 share/debian-edu-config/tools/gosa-create-host |    2 -
 share/debian-edu-config/tools/gosa-lock-user   |   48 ++++++++++++++++++++++++
 share/debian-edu-config/tools/gosa-sync        |   15 +++++++
 share/debian-edu-config/tools/gosa-unlock-user |   48 ++++++++++++++++++++++++
 share/debian-edu-config/tools/subnet-change    |    2 -
 www/wpad.dat                                   |    9 +++-
 16 files changed, 246 insertions(+), 23 deletions(-)

The full diff is attached. I haven't uploaded to jessie yet, should you be
unhappy with a change. I have however prepared the packages for upload.

The changes have been tested by various Debian Edu developers in the
last weeks and months.

Please accept debian-edu-config/1.818+deb8u1 into jessie.

Thanks for your work on Jessie 8.5!


-- 
cheers,
        Holger
diff -Nru debian-edu-config-1.818/debian/changelog debian-edu-config-1.818+deb8u1/debian/changelog
--- debian-edu-config-1.818/debian/changelog	2015-04-14 19:49:38.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/debian/changelog	2016-05-25 00:24:13.000000000 +0200
@@ -1,3 +1,52 @@
+debian-edu-config (1.818+deb8u1) jessie; urgency=low
+
+  [ Petter Reinholdtsen ]
+  * Translation updates:
+    - Updated Brazilian Portuguese translation for debconf questions
+      (Closes: #785467).  Translated by Adriano Rafael Gomes.
+
+  [ Mike Gabriel ]
+  * Add quotes around DNs when evoking kadmin.local in gosa-create and
+    gosa-create-host. (Closes: #792042).
+  * debian-edu-fsautoresize: Always use mapper names instead of kernel names
+    when detecting supported mount points. (Closes: #800651). Thanks
+    to Wolfgang Schweer and Giorgio Pioda.
+  * gosa-sync: Test if a given user account actually is a Kerberos account. If
+    not, don't try to set the Kerberos password for this account. (Closes:
+    #798435).
+  * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000).
+  * exim4 mainserver configuration: Allow Debian Edu clients on the default
+    Debian Edu network to directly send mails to the main server (by white-
+    listing the 10./8 network). This fixes console mailing and system mails
+    on Debian Edu clients (Closes: #794602).
+  * Set configVersion="Managed-by-Debian-Edu" in gosa.conf. (Closes: #794189).
+    This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to be installed on the
+    main server.
+  * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
+    for hosts being in the .local domain. (Closes: #803911).
+  * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These
+    hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/
+    unlocking the Kerberos part of user accounts. (Closes: #804207).
+  * Adapt to a code injection prevention fix in GOsa (starting with Debian
+    package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the sambaHashHook
+    parameter in gosa.conf anymore (as hashed passwords now have to be base64
+    encoded). Already existing gosa.conf files on deployed servers should drop
+    the sambaHashHook from the gosa.conf file, as well, once gosa is updated to
+    the above referenced GOsa version.
+  * CUPS: Do hostname lookups, so https redirects are done to the FQDN of the
+    CUPS server instead of to its IP address. (Closes: #805402).
+  * Improve gosa-lock-user, gosa-unlock-user: When logging success/failure,
+    differentiate between non-existent and non-kerberized accounts.
+  * Don't create home dir and Kerberos principal for GOsa user template
+    account. (Closes: #815040).
+
+  [ Wolfgang Schweer ]
+  * Adjust tools/subnet-change for squid3. (Closes: #800654)
+  * Fix XML syntax error in gosa.conf. (Closes: #820551).
+  * Add script sbin/debian-edu-nscd-netgroup-cache (workaround for #791562).
+
+ -- Holger Levsen <hol...@debian.org>  Wed, 25 May 2016 00:21:53 +0200
+
 debian-edu-config (1.818) unstable; urgency=high
 
   [ Holger Levsen ]
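Review bot: The entry for #794189 says the new configVersion requires gosa
(>= 2.7.4+reloaded2-1+deb8u2~) on the main server, but the diffstat lists no
change to debian/control, so nothing in this upload enforces that version.
Add a versioned relation on gosa or say why it is not needed. The
sambaHashHook entry likewise asks admins of deployed servers to edit
gosa.conf by hand; a debian/NEWS entry would make that manual step visible
at upgrade time.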
diff -Nru debian-edu-config-1.818/debian/po/pt_BR.po debian-edu-config-1.818+deb8u1/debian/po/pt_BR.po
--- debian-edu-config-1.818/debian/po/pt_BR.po	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/debian/po/pt_BR.po	2016-05-18 19:44:48.000000000 +0200
@@ -5,14 +5,16 @@
 #
 # Priscila Gutierres <priscila.gutier...@gmail.com>, 2007.
 # Felipe Augusto van de Wiel (faw) <f...@debian.org>, 2008.
+# Albino B Neto (binoanb) <bino...@binoanb.eti.br>, 2013.
+# Adriano Rafael Gomes <adrian...@arg.eti.br>, 2014-2015.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: debian-edu-config_0.409_templates\n"
+"Project-Id-Version: debian-edu-config 1.818\n"
 "Report-Msgid-Bugs-To: debian-edu-con...@packages.debian.org\n"
 "POT-Creation-Date: 2013-05-22 15:09+0200\n"
-"PO-Revision-Date: 2008-10-09 22:48-0300\n"
-"Last-Translator: Felipe Augusto van de Wiel (faw) <f...@debian.org>\n"
+"PO-Revision-Date: 2015-05-16 14:07-0300\n"
+"Last-Translator: Adriano Rafael Gomes <adrian...@arg.eti.br>\n"
 "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
 "org>\n"
 "Language: pt_BR\n"
@@ -47,7 +49,7 @@
 #. Description
 #: ../debian-edu-config.templates:4001
 msgid "Enter the Kerberos KDC master key:"
-msgstr ""
+msgstr "Digite a chave principal Kerberos KDC:"
 
 #. Type: password
 #. Description
@@ -57,6 +59,9 @@
 "You can use your root password or type something else. Make sure you "
 "remember the password."
 msgstr ""
+"Uma senha é necessária como chave principal do Kerberos e para todos os "
+"padrões principais. Você pode usar a sua senha de root ou digitar outra. "
+"Tenha certeza de que você se lembra da senha."
 
 #. Type: password
 #. Description
@@ -64,7 +69,7 @@
 #. Description
 #: ../debian-edu-config.templates:4001 ../debian-edu-config.templates:9001
 msgid "Note that you will not be able to see the password as you type it."
-msgstr ""
+msgstr "Note que não será possível ver a senha enquanto você a digita."
 
 #. Type: password
 #. Description
@@ -72,7 +77,7 @@
 #. Description
 #: ../debian-edu-config.templates:5001 ../debian-edu-config.templates:10001
 msgid "Re-enter password to verify:"
-msgstr ""
+msgstr "Digite novamente a senha para verificação:"
 
 #. Type: password
 #. Description
@@ -83,6 +88,8 @@
 "Please enter the same password again to verify that you have typed it "
 "correctly."
 msgstr ""
+"Por favor, digite a mesma senha novamente para verificar se você a digitou "
+"corretamente."
 
 #. Type: error
 #. Description
@@ -90,7 +97,7 @@
 #. Description
 #: ../debian-edu-config.templates:6001 ../debian-edu-config.templates:11001
 msgid "Password input error"
-msgstr ""
+msgstr "Erro ao digitar a senha"
 
 #. Type: error
 #. Description
@@ -99,6 +106,7 @@
 #: ../debian-edu-config.templates:6001 ../debian-edu-config.templates:11001
 msgid "The two passwords you entered were not the same. Please try again."
 msgstr ""
+"As duas senhas que você digitou não são iguais. Por favor, tente novamente."
 
 #. Type: error
 #. Description
@@ -106,7 +114,7 @@
 #. Description
 #: ../debian-edu-config.templates:7001 ../debian-edu-config.templates:12001
 msgid "Empty password"
-msgstr ""
+msgstr "Senha em branco"
 
 #. Type: error
 #. Description
@@ -117,12 +125,14 @@
 "You entered an empty password, which is not allowed. Please choose a non-"
 "empty password."
 msgstr ""
+"Você digitou uma senha em branco, o que não é permitido. Por favor, escolha "
+"uma senha que não seja em branco."
 
 #. Type: password
 #. Description
 #: ../debian-edu-config.templates:9001
 msgid "Enter the LDAP super-admin password:"
-msgstr ""
+msgstr "Digite a senha do super-admin do LDAP:"
 
 #. Type: password
 #. Description
@@ -132,3 +142,6 @@
 "You can use your root password or type something else. Make sure you "
 "remember the password."
 msgstr ""
+"Uma senha é usada como senha inicial para o usuário super-admin do GOsa². "
+"Você pode usar a sua senha de root ou digitar outra. Tenha certeza de que "
+"você se lembra da senha."
diff -Nru debian-edu-config-1.818/etc/cups/cupsd-debian-edu.conf debian-edu-config-1.818+deb8u1/etc/cups/cupsd-debian-edu.conf
--- debian-edu-config-1.818/etc/cups/cupsd-debian-edu.conf	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/etc/cups/cupsd-debian-edu.conf	2016-05-18 19:44:48.000000000 +0200
@@ -221,7 +221,7 @@
 # fully-qualified hostname.  This defaults to Off for performance reasons...
 #
 
-#HostNameLookups Off
+HostNameLookups On
 
 #
 # KeepAlive: whether or not to support the Keep-Alive connection
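Review bot: The retained comment above HostNameLookups still says the
setting "defaults to Off for performance reasons", so the file now turns it
on without giving a reason. Extend the comment to say why Debian Edu enables
it (https redirects to the FQDN, #805402) and that each client connection
now costs a reverse DNS lookup.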
diff -Nru debian-edu-config-1.818/etc/exim4/exim-ldap-server-v4.conf debian-edu-config-1.818+deb8u1/etc/exim4/exim-ldap-server-v4.conf
--- debian-edu-config-1.818/etc/exim4/exim-ldap-server-v4.conf	2014-10-12 12:51:32.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/etc/exim4/exim-ldap-server-v4.conf	2016-05-18 19:44:48.000000000 +0200
@@ -192,14 +192,15 @@
   # Make sure users can not fake sender address vis SMTP.  Reject
   # unauthenticated connections and check that the sender is the same
   # as the Kerberos ID.
+  accept  hosts = :
+  accept  hosts = +relay_hosts
+
   deny  !authenticated = *
         message = SMTP server requires authentication. Check your SMTP client configuration.
   deny condition = ${if eq{$authenticated_id}{$sender_address_local_part@INTERN}{false}{true}}
         message = Sender address $sender_address conflicts with authentication $authenticated_id.
 
-  accept  hosts = :
   accept  domains = +local_domains
-  accept  hosts = +relay_hosts
   deny    message = relay not permitted
 
 # ACL that is used after the DATA command
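Review bot: With the two "accept hosts" lines moved above the deny
statements, every host in +relay_hosts is accepted before the
"!authenticated" check and before $authenticated_id is compared with the
sender address, while the comment directly above still promises that users
cannot fake the sender address via SMTP. Update the comment to say that
relay hosts are exempt from both checks, and consider whether the
whitelisted network really needs to skip the sender check or only the
authentication requirement.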
diff -Nru debian-edu-config-1.818/etc/gosa/gosa.conf debian-edu-config-1.818+deb8u1/etc/gosa/gosa.conf
--- debian-edu-config-1.818/etc/gosa/gosa.conf	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/etc/gosa/gosa.conf	2016-05-24 18:00:30.000000000 +0200
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<conf configVersion="edb33ed1745798da76048582c2f16a48">
+<conf configVersion="Managed-by-Debian-Edu">
 
   <!-- GOsa menu definition **************************************************
 
@@ -76,7 +76,9 @@
   <pathMenu>
       <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
       <plugin acl="users/password:self" class="password" 
-              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"
+              postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user %dn"
+              postunlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-unlock-user %dn" />
   </pathMenu>
 
 
@@ -387,8 +389,7 @@
     debugLevel="0" 
     passwordMinLength="5" 
     passwordMinDiffer="2" 
-    passwordHook="" 
-    sambaHashHook='perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen %password), $/;"'>
+    passwordHook="">
 
     <!-- Location definition -->
     <location name="Debian Edu" 
diff -Nru debian-edu-config-1.818/ldap-bootstrap/sudo.ldif debian-edu-config-1.818+deb8u1/ldap-bootstrap/sudo.ldif
--- debian-edu-config-1.818/ldap-bootstrap/sudo.ldif	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/ldap-bootstrap/sudo.ldif	2016-05-18 19:44:48.000000000 +0200
@@ -25,6 +25,8 @@
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-remove
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-create
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-lock-user
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-unlock-user
 
 dn: cn=root,ou=sudoers,dc=skole,dc=skolelinux,dc=no
 objectClass: top
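Review bot: The two new sudoCommand values are added only to
ldap-bootstrap/sudo.ldif; if that file is loaded only when the LDAP tree is
first set up, a main server installed from 1.818 will not have them and the
new postlock/postunlock hooks in gosa.conf will fail at the sudo step.
Please state how existing installations get these entries (an upgrade step
or a documented ldapmodify).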
diff -Nru debian-edu-config-1.818/Makefile debian-edu-config-1.818+deb8u1/Makefile
--- debian-edu-config-1.818/Makefile	2015-04-14 19:48:30.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/Makefile	2016-05-24 18:00:30.000000000 +0200
@@ -13,6 +13,7 @@
 	debian-edu-hwsetup \
 	debian-edu-ltsp \
 	debian-edu-ltsp-audiodivert \
+	debian-edu-nscd-netgroup-cache \
 	debian-edu-pxeinstall \
 	debian-edu-restart-services \
 	debian-edu-test-install \
@@ -357,9 +358,11 @@
 		share/debian-edu-config/tools/get-default-homepage \
 		share/debian-edu-config/tools/gosa-create \
 		share/debian-edu-config/tools/gosa-create-host \
+		share/debian-edu-config/tools/gosa-lock-user \
 		share/debian-edu-config/tools/gosa-remove \
 		share/debian-edu-config/tools/gosa-sync \
 		share/debian-edu-config/tools/gosa-sync-dns-nfs \
+		share/debian-edu-config/tools/gosa-unlock-user \
 		share/debian-edu-config/tools/iceweasel-plugin-support \
 		share/debian-edu-config/tools/kerberos-kdc-init \
 		share/debian-edu-config/tools/ldap2bind-updatezonelist \
diff -Nru debian-edu-config-1.818/sbin/debian-edu-fsautoresize debian-edu-config-1.818+deb8u1/sbin/debian-edu-fsautoresize
--- debian-edu-config-1.818/sbin/debian-edu-fsautoresize	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/sbin/debian-edu-fsautoresize	2016-05-18 19:34:49.000000000 +0200
@@ -14,6 +14,7 @@
 
 use Getopt::Std;
 use Sys::Syslog qw(openlog syslog closelog LOG_NOTICE);
+use File::Basename;
 
 # Using this module (instead of Filesys::DiskSpace) to get a version
 # providing the device size, and not only free and used.
@@ -194,6 +195,13 @@
         chomp;
         my @f = split(/\s+/);
         my $device = $f[0];
+        # Always use mapper names instead of kernel ones.
+        if (index ($f[0], "/dev/dm-") != -1) {
+            for my $mapdevice (glob "/dev/mapper/*") {
+                my $dmdevice = basename(readlink $mapdevice) if -l $mapdevice;
+                $device = $mapdevice if defined($dmdevice) && $dmdevice =~ basename($f[0]);
+            }
+        }
         my $mountpoint = $f[1];
         my $typename = $f[2];
         next unless (exists $fsops{$typename});
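Review bot: In the added loop, "$dmdevice =~ basename($f[0])" is an
unanchored regex match, so dm-1 also matches a link that points at dm-10 or
dm-12 and the last matching mapper name wins; compare with "eq" instead.
The line "my $dmdevice = basename(readlink $mapdevice) if -l $mapdevice;"
combines a my declaration with a statement modifier, which perlsyn documents
as undefined behaviour; declare the variable first and assign it inside an
if block.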
diff -Nru debian-edu-config-1.818/sbin/debian-edu-nscd-netgroup-cache debian-edu-config-1.818+deb8u1/sbin/debian-edu-nscd-netgroup-cache
--- debian-edu-config-1.818/sbin/debian-edu-nscd-netgroup-cache	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.818+deb8u1/sbin/debian-edu-nscd-netgroup-cache	2016-05-23 13:13:48.000000000 +0200
@@ -0,0 +1,32 @@
+#!/bin/bash -e
+# debian-edu-nscd-netgroup-cache
+#
+# 2016-23-05, workaround for bug #791562
+
+if [ -z $1 ] ; then
+  echo "usage: $0 (disable|enable)"
+  exit 0
+fi
+
+# Get profile.
+. /etc/debian-edu/config
+
+# Disable/enable nscd netgroup caching.
+if echo "$PROFILE" | grep -q 'Main-Server' ; then
+    systemctl stop nscd.service
+    sleep 1
+    case "$1" in
+	disable)
+	    if [ -e /var/cache/nscd/netgroup ] ; then
+		rm /var/cache/nscd/netgroup
+	    fi
+	    sed -i '/netgroup/ s=yes=no=' /etc/nscd.conf
+	;;
+	enable)
+	    sed -i '/netgroup/ s=no=yes=' /etc/nscd.conf
+	;;
+    esac
+    systemctl start nscd.service
+fi
+
+# Further information:  https://wiki.debian.org/DebianEdu/Status/Jessie
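Review bot: The case statement has no default branch, so an argument other
than disable or enable still stops and restarts nscd on a Main-Server and
exits 0 silently; add a "*)" branch that prints the usage and exits
non-zero, and validate the argument before nscd is stopped. The sed
expressions "/netgroup/ s=yes=no=" and "/netgroup/ s=no=yes=" are not tied
to the enable-cache directive, so they rewrite the first yes or no on every
line of /etc/nscd.conf that mentions netgroup, comments included. The test
"[ -z $1 ]" should quote "$1".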
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create	2016-05-24 18:00:30.000000000 +0200
@@ -19,7 +19,7 @@
 # One ide might be to look for objects without the krbPasswordExpiration attributes.
 
 ## lookup user and create home directory and principal:
-ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \
+ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount)(!(objectClass=gosaUserTemplate)))" \
     cn homeDirectory gidNumber 2>/dev/null | perl -p0e 's/\n //g' | \
 while read KEY VALUE ; do 
     case "$KEY" in 
@@ -39,7 +39,7 @@
                 nscd -i group || true
             fi
     	    chown -R $USERID:$GROUPID $HOMEDIR
-	    kadmin.local -q "add_principal -policy users -randkey -x $USERDN $USERID"
+	    kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
     	    logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created. 
 ## send a welcome-email: 
             cat << EOF | /usr/lib/sendmail $USERID
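Review bot: The added quotes around $USERDN keep a DN with spaces together,
but a DN that itself contains a double quote would end the quoted argument
inside the kadmin.local query, and $USERID on the same line is still
unquoted. gosa-create is one of the sudoCommand entries in sudo.ldif, so
reject or escape double quotes in both values before the query string is
built.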
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create-host debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create-host
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create-host	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create-host	2016-05-24 18:00:30.000000000 +0200
@@ -44,7 +44,7 @@
                 macAddress:) MAC="$VALUE"  ;;
                 "")
                         FQDN=`find_fqdn $HOSTNAME $IP`
-                        test -n $FQDN && kadmin.local -q "add_principal -policy hosts -randkey -x $HOSTDN host/$FQDN" && logger -t gosa-create-host -p notice Krb5 principal \'host/$FQDN\' created.
+                        test -n $FQDN && kadmin.local -q "add_principal -policy hosts -randkey -x \"$HOSTDN\" host/$FQDN" && logger -t gosa-create-host -p notice Krb5 principal \'host/$FQDN\' created.
                         ;;
                 esac 
 done
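Review bot: On the changed line "test -n $FQDN" is unquoted, so when
find_fqdn returns nothing the test collapses to "test -n", which is true,
and kadmin.local is asked to add the principal "host/". Write
test -n "$FQDN" while this line is being touched.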
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-lock-user debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-lock-user
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-lock-user	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-lock-user	2016-05-18 19:44:48.000000000 +0200
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa.  There are some tests that make sure only
+## non-existent home directories are created.  Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+	set +e
+	LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+	ret=$?
+	set -e
+	if [ "x$ret" = "x0" ]; then
+		set +e
+		success=$(LANG=C kadmin.local -q "modify_principal -allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+		set -e
+		if [ -n "$success" ]; then
+			logger -t gosa-lock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been locked."
+		else
+			OUT="Locking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+			echo "$OUT"
+			logger -t gosa-lock-user -p warning "$OUT"
+		fi
+	else
+		logger -t gosa-lock-user -p notice "User account '$USERID' (DN: $USERDN) is not a Kerberos-enabled account. (Thus, skipping...)."
+	fi
+else
+	OUT="User account '$USERID' (DN: $USERDN) does not exist."
+	echo "$OUT"
+	logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
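Review bot: The header comment is carried over from a script that creates
home directories and principals, so its reason why "malicious execution
cannot hurt" does not apply to a script that locks Kerberos accounts when
run by www-data through sudo. Replace it with the argument that holds here
(the script acts only when the LDAP search returns exactly one gosaAccount
carrying krbPrincipalAux), and quote or validate $USERID before it goes into
the kadmin.local query, since the sed expression leaves the input unchanged
when it does not start with "uid=". The script also ends in "exit 0" on
every path, so the caller cannot tell a failed lock from a successful one by
exit status.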
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-sync debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-sync
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-sync	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-sync	2016-05-18 19:44:48.000000000 +0200
@@ -17,6 +17,15 @@
 USERDN="$1"
 USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
 
+# check if the given user account has the Kerberos principal objectClass set...
+is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"`
+if [ -z "$is_krbprincipal" ]; then
+
+   # if not, simply bail out here without noise...
+    exit 0
+
+fi
+
 ## The new user password is in environment, $USERPASSWORD.
 ## Check if provided password corresponds to hash saved in ldap database:
 
@@ -27,10 +36,14 @@
 $USERPASSWORD
 EOF
 
+# remove escapes from the password added by GOsa²...
+sed -i $TMPFILE  -e 's/\\//g'
+
+# check the password in $TMPfile against LDAP...
 IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
 
 # Escapes " because kadmin needs to use double quotes:
-EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\"\"/g')"
+EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\\\"/g')"
 
 if [ "$IAM" = "dn:$USERDN" ] ; then
     cat > "$TMPFILE" <<EOF
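Review bot: "sed -i $TMPFILE -e 's/\\//g'" deletes every backslash in the
file, not only the escapes added by GOsa, so a password that legitimately
contains a backslash is altered before the ldapwhoami check and before it
is passed on to kadmin. Undo only the specific escape sequences GOsa
produces, and quote "$TMPFILE" in both the sed and the cat invocation.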
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-unlock-user debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-unlock-user
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-unlock-user	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-unlock-user	2016-05-18 19:44:48.000000000 +0200
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa.  There are some tests that make sure only
+## non-existent home directories are created.  Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+	set +e
+	LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+	ret=$?
+	set -e
+	if [ "x$ret" = "x0" ]; then
+		set +e
+		success=$(LANG=C kadmin.local -q "modify_principal +allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+		set -e
+		if [ -n "$success" ]; then
+			logger -t gosa-unlock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been unlocked."
+		else
+			OUT="Unlocking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+			echo "$OUT"
+			logger -t gosa-unlock-user -p warning $OUT
+		fi
+	else
+		logger -t gosa-unlock-user -p notice "User account '$USERID' (DN: $USERDN) is not a Kerberos-enabled account. (Thus, skipping...)."
+	fi
+else
+	OUT="User account '$USERID' (DN: $USERDN) does not exist."
+	echo "$OUT"
+	logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
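Review bot: Two copy-and-paste slips in the new file: the failure branch
calls "logger -t gosa-unlock-user -p warning $OUT" with $OUT unquoted
(gosa-lock-user quotes it), and the "does not exist" branch logs under the
tag gosa-lock-user instead of gosa-unlock-user, which will mislead anyone
filtering syslog by tag. The header comment about creating home directories
is inherited as well and does not describe this script.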
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/subnet-change debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/subnet-change
--- debian-edu-config-1.818/share/debian-edu-config/tools/subnet-change	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/subnet-change	2016-05-24 18:00:30.000000000 +0200
@@ -117,7 +117,7 @@
 replace_exports_ip("/etc/exports", $oldsubnet, $newsubnet);
 replace_interfaces_ip("/etc/network/interfaces", $oldsubnet, $newsubnet);
 replace_ips("/etc/samba/smb-debian-edu.conf", $oldsubnet, $newsubnet);
-replace_ips("/etc/squid/squid.conf", $oldsubnet, $newsubnet);
+replace_ips("/etc/squid3/squid-debian-edu.conf", $oldsubnet, $newsubnet);
 change_muninnode("/etc/munin/debian-edu-munin-node.conf", $oldsubnet,
                  $newsubnet);
 change_hostallow("/etc/hosts.allow", $oldsubnet, $newsubnet);
diff -Nru debian-edu-config-1.818/www/wpad.dat debian-edu-config-1.818+deb8u1/www/wpad.dat
--- debian-edu-config-1.818/www/wpad.dat	2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/www/wpad.dat	2016-05-18 19:44:48.000000000 +0200
@@ -2,8 +2,13 @@
     {
         if (!isResolvable(host) ||
             isPlainHostName(host) ||
-            dnsDomainIs(host, ".intern"))
+            isInNet(host,"127.0.0.1","255.0.0.0") ||
+            dnsDomainIs(host, ".intern") ||
+            dnsDomainIs(host, ".local"))
+        {
             return "DIRECT";
-        else
+        }
+        else {
             return "PROXY webcache:3128; DIRECT";
+        }
     }
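Review bot: isResolvable(host) is still the first condition, so a DNS lookup
is made before the cheaper string tests isPlainHostName and dnsDomainIs can
short-circuit, including for the new .local case; put the string tests
first. For isInNet(host,"127.0.0.1","255.0.0.0") the conventional pattern is
the network address 127.0.0.0, and a short comment saying why loopback and
.local go DIRECT (#803911) would help the next reader.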
