Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-...@lists.debian.org

[ Reason ]
While setting up a new Debian Edu school in Dec/Jan 2021/2022, several
issues popped up in Debian Edu 11 that have since been resolved in Debian
Edu testing/unstable, and we would love to see many of those fixes
available in Debian Edu 11 as well.


[ Impact ]
For Debian Edu, the proposed 2.11.56+deb11u4 version of debian-edu-config
will provide solutions for many of the issues that have been encountered
with the current version of debian-edu-config (the main package for
Debian Edu 11).


[ Tests ]
(What automated or manual tests cover the affected code?)


[ Risks ]
For non-Debian-Edu users there will be no risk at all. For Debian Edu
users new issues may be introduced (hopefully not!), esp. due to the
large number of fixes / code changes shipped in 2.11.56+deb11u4.


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


[ Changes ]

+  [ Wolfgang Schweer ]
+  * etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal
+    network sent to root@<mynetwork-names>. (Closes: #1003727).

-> The Debian Edu main server (TJENER) is configured as a local MTA collecting
system mails from Debian Edu clients. Such mails have been refused by TJENER's
exim configuration before (since Debian Edu 11).

+  * Use mktemp instead of deprecated tempfile, adjust:
+    - etc/X11/Xsession-debian-edu
+    - sbin/debian-edu-update-netblock
+    - share/debian-edu-config/tools/gosa-sync
+    - testsuite/postoffice
+    (Closes: #1005352).

-> The 'tempfile' executable produces warning messages about being
deprecated when used. The 'mktemp' executable does not.

+  [ Mike Gabriel ]
+  * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service
+    principals if they don't yet exist. (Closes: #1002014).

-> The above issue has been critical for Debian Edu 11 setups and was
only spotted recently. Whenever a system entry in GOsa² was edited, the
Krb5 principal would change. This led to login failures on Debian Edu
clients (after a GOsa² edit of the system entry in LDAP).

+  * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.

-> Well, maybe not release critical, but the comment mentioned stuff about
user accounts while this script is for host accounts.

+  * share/debian-edu-config/tools/setup-freeradius-server: Fix integer
+    comparison in run-by-root check. Script was not executable fully (not even
+    as root).

-> Make setup-freeradius-server usable without having to edit the script
by hand before use.

+  * debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
+    Debian-Edu_rootCA from this script. This now is the task of the
+    fetch-rootca-cert script. (Closes: #971780).

-> The fetch-ldap-cert init script and the fetch-rootca-cert script had some
common functionality (retrieval of the .intern domain's rootCA by clients).
After fetch-rootca-cert was added, we failed to reduce the functionality of
fetch-ldap-cert accordingly.

On Debian Edu clients, these two scripts were actually interfering with
one another.

+  * debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of
+    Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to
+    Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is
+    required, because earlier versions of the fetch-ldap-cert init script put
+    Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced
+    symlinking replaces files by the wanted symlink. The -n option (no-
+    dereference) is required to make sure we don't follow any already existing
+    symlink. (This relates to #971780).

-> Fix an issue resulting from fetch-ldap-cert performing the rootCA
download differently from fetch-rootca-cert in previous versions of
debian-edu-config. With the change explained above, the transition of
Debian Edu clients based on debian-edu-config 2.11.56+deb11u3 (and
earlier) to debian-edu-config 2.11.56+deb11u4 should be smooth.
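As an added illustration (not code from debian-edu-config), the following script shows on a constructed temporary tree why the fetch-rootca-cert change uses `ln -nsf`: the four starting states an upgraded client can present (nothing at the link location, a regular file left behind by the old fetch-ldap-cert, a stale symlink, and a symlink to a directory) all end as the wanted symlink, while plain `ln -sf` misplaces the link in the last case. File names mirror the changelog entry; the certificate content is a placeholder, and no real /etc/ssl or /usr/local path is touched.

```shell
#!/bin/sh
# Added example, not debian-edu-config's own code: why fetch-rootca-cert needs
# `ln -nsf` rather than `ln -s` when placing the rootCA symlink.  Everything
# happens inside a constructed temporary tree.
set -e

# deploy_ca SRC LINK: force LINK to become a symlink to SRC, replacing whatever
# an earlier client version left there (a plain file, a stale symlink, or a
# symlink to a directory).  -n keeps ln from descending into a symlinked dir.
deploy_ca() {
    ln -nsf "$1" "$2"
}

# is_link_to LINK SRC: 0 if LINK is a symlink whose target is exactly SRC.
is_link_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# demo_forced_symlink: runs deploy_ca against the four starting states an
# upgrade can meet and returns 0 only if every one ends as the wanted symlink.
demo_forced_symlink() {
    tmp=$(mktemp -d)            # mktemp, as the changelog prefers over tempfile
    mkdir -p "$tmp/local" "$tmp/certs" "$tmp/dir"
    src="$tmp/local/Debian-Edu_rootCA.crt"
    link="$tmp/certs/Debian-Edu_rootCA.crt"
    # constructed stand-in for the CA file; not a real certificate
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$src"
    rc=0

    # 1) fresh client: nothing at the link location yet
    deploy_ca "$src" "$link"
    is_link_to "$link" "$src" || rc=1

    # 2) client upgraded from <= deb11u3: fetch-ldap-cert left a regular file
    rm -f "$link"; cp "$src" "$link"
    deploy_ca "$src" "$link"
    is_link_to "$link" "$src" || rc=1

    # 3) stale symlink pointing somewhere else
    rm -f "$link"; ln -s "$tmp/old.crt" "$link"
    deploy_ca "$src" "$link"
    is_link_to "$link" "$src" || rc=1

    # 4) link location is itself a symlink to a directory: without -n, ln would
    #    follow it and create Debian-Edu_rootCA.crt *inside* that directory
    rm -f "$link"; ln -s "$tmp/dir" "$link"
    deploy_ca "$src" "$link"
    is_link_to "$link" "$src" || rc=1
    [ ! -e "$tmp/dir/Debian-Edu_rootCA.crt" ] || rc=1

    rm -rf "$tmp"
    return $rc
}

# naive_follows_dir_symlink: the contrasting behaviour of plain `ln -sf` in
# case 4 above; returns 0 if ln indeed dropped the link inside the directory.
naive_follows_dir_symlink() {
    tmp=$(mktemp -d)
    mkdir "$tmp/dir"
    printf 'placeholder\n' > "$tmp/src.crt"
    ln -s "$tmp/dir" "$tmp/link"
    ln -sf "$tmp/src.crt" "$tmp/link"
    rc=1
    if [ -L "$tmp/dir/src.crt" ] && [ "$(readlink "$tmp/link")" = "$tmp/dir" ]; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: report both results.
if demo_forced_symlink; then echo "ln -nsf: all four starting states end as the wanted symlink"; fi
if naive_follows_dir_symlink; then echo "ln -sf: link landed inside the symlinked directory"; fi
```

Case 2 is the one the changelog entry is about (the regular file copied by older fetch-ldap-cert versions); `-f` alone already handles it and case 3, while case 4 is the one `-n` exists for.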

+  * share/debian-edu-config/tools/update-proxy-from-wpad:
+    - Fix typo (wrong protocol) in APT proxy config creation.
+    - Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/
+      named 03debian-edu-config rather than meddling with /etc/apt/apt.conf
+      directly. Clean up any earlier meddling from apt.conf, as well. (Closes:
+      #1003560).

-> Stop meddling with /etc/apt/apt.conf directly, use a debian-edu-config
namespace file instead. This also allows deployment of Debian Edu
systems using FAI (and lets FAI's default http proxy configuration
supersede Debian Edu's proxy configuration).

+  * share/debian-edu-config/tools/{update-proxy-from-wpad,wpad-extra}:
+    - Don't fail if proxy update is not possible, only send warnings to stderr
+      and syslog. Don't source wpad-extra script, execute it instead and capture
+      stdout. (Closes: #1008067).

-> update-proxy-from-wpad is used in ifupdown as post-up hook. We don't
want to exit with error when doing the proxy update, because then
ifupdown will also fail with error.

+  * sbin/update-hostname-from-ip:
+    - Simplify if-then-else clauses, reduce number of exit calls, don't exit with
+      non-zero exitcode. Improve syslog messages if things fail. (Closes:
+      #1006604).

-> update-hostname-from-ip is (also) used in ifupdown as post-up hook. We
don't want to exit with error when doing the hostname update, because then
ifupdown will also fail with error.
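The two entries above describe the same hook contract. The script below is an added example, not the project's update-proxy-from-wpad or update-hostname-from-ip: it writes the APT proxy fragment /etc/apt/apt.conf.d/03debian-edu-config under a caller-supplied root, removes any Acquire::http::Proxy line from apt.conf, and reports every failure as a warning on stderr and syslog while returning 0, so an ifupdown post-up never fails because of it. The WPAD lookup is replaced by a constructed stub (DEMO_PROXY_URL), and the apt.conf cleanup pattern is an assumption about what the "earlier meddling" looked like.

```shell
#!/bin/sh
# Added example, not the project's update-proxy-from-wpad: the hook pattern the
# changelog entries describe.  ifupdown treats a non-zero exit of a post-up
# hook as a failure of ifup itself, so problems are logged as warnings and the
# exit status stays 0.

# warn MSG: report to stderr and syslog; never fail, even if logger is absent.
warn() {
    echo "update-proxy-demo: $1" >&2
    logger -t update-proxy-demo -p daemon.warning -- "$1" 2>/dev/null || true
}

# discover_proxy: constructed stand-in for the WPAD query (the real script gets
# the URL from wpad-extra); prints the proxy URL or returns 1 when none is known.
discover_proxy() {
    [ -n "${DEMO_PROXY_URL:-}" ] || return 1
    printf '%s\n' "$DEMO_PROXY_URL"
}

# remove_proxy_from_apt_conf FILE: drop any Acquire::http::Proxy line an older
# version wrote straight into apt.conf, rewriting the file atomically.
# (Assumption: that is the form the earlier "meddling" took.)
remove_proxy_from_apt_conf() {
    [ -f "$1" ] || return 0
    tmp=$(mktemp "$1.XXXXXX") || { warn "mktemp failed for $1"; return 0; }
    grep -v '^Acquire::http::Proxy' "$1" > "$tmp" || true   # grep -v exits 1 if nothing is left
    chmod 644 "$tmp"                                         # mktemp creates 0600
    mv "$tmp" "$1" || { warn "cannot rewrite $1"; rm -f "$tmp"; }
    return 0
}

# update_apt_proxy ROOT: write ROOT/etc/apt/apt.conf.d/03debian-edu-config from
# the discovered proxy and clean ROOT/etc/apt/apt.conf.  Always returns 0.
update_apt_proxy() {
    root=${1:-}
    confd="$root/etc/apt/apt.conf.d"
    fragment="$confd/03debian-edu-config"

    if ! proxy=$(discover_proxy); then
        warn "no proxy found via WPAD, leaving $fragment untouched"
        return 0
    fi
    mkdir -p "$confd" || { warn "cannot create $confd"; return 0; }
    tmp=$(mktemp "$confd/.03debian-edu-config.XXXXXX") || { warn "mktemp failed in $confd"; return 0; }
    printf 'Acquire::http::Proxy "%s";\n' "$proxy" > "$tmp"
    chmod 644 "$tmp"
    if mv "$tmp" "$fragment"; then
        remove_proxy_from_apt_conf "$root/etc/apt/apt.conf"
    else
        warn "cannot install $fragment"
        rm -f "$tmp"
    fi
    return 0
}

# Hook entry point: `sh this-script --run [ROOT]`; ROOT defaults to / as a
# real post-up hook would use.
if [ "${1:-}" = "--run" ]; then
    update_apt_proxy "${2:-}"
fi
```

For an offline dry run, point it at a scratch directory: `DEMO_PROXY_URL=http://proxy.example:3128 sh this-script --run /tmp/demo-root`. The same shape (warn, keep going, return 0) applies to the hostname update hook; only the work done between the checks differs.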

+  * share/debian-edu-config/tools/setup-roaming: Assure libsss-sudo is installed
+    on Roaming Workstation. (Closes: #1004605).

-> sudo for LDAP users is broken on roaming workstations without this...

+  * share/debian-edu-config/tools/gosa-remove: Capture removals of GOsa² user
+    templates and ignore them. (Closes: #815042).

-> User templates in GOsa² normally have neither a Kerberos account nor a
home directory. gosa-remove takes care of the removal of both, so this
goes down the drain if we don't bail out early for user templates.

+  * ldap-schemas/: Update schema files from Debian's latest GOsa² list of
+    schemas.

-> Debian Edu ships its own LDAP schema files for GOsa² (why the heck!).
They should be at least of the same version as found in src:pkg gosa.

In fact, there was one issue fixed in the schema files in src:pkg gosa. This
fix is now available to Debian Edu with this change:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989096

+  * share/debian-edu-config/tools/clean-up-host-keytabs: Don't fail
+    on Kerberos principal removal.

-> Sometimes (for whatever reason) systems in GOsa² lack a Kerberos host
principal. When we remove such a system from LDAP via GOsa² we want to
ignore the missing Kerberos information.

+  * etc/cups/cups-browsed-debian-edu.conf:
+    - Let TJENER's print queues appear on Debian Edu clients, use same
+      print queue names on clients as on TJENER. (Closes: #1005841).

-> This change has been requested for Debian Edu earlier, but could not
really be tested due to apparmor blocking the loading of
/etc/cups/cups-browsed-debian-edu.conf. Unfortunately, this blockage was
also missed during Debian Edu testing for the Debian Edu 11 release.

The wanted behaviour is that print queues on Debian Edu clients have the
same name as the corresponding print queue on TJENER (aka ipp.intern).
The introduced change does exactly that.

+  * sbin/debian-edu-pxeinstall:
+    - Don't append 'ipappend 2' to the kernel boot cmdline anymore as it
+      confuses systemd when booting into the installed system. This resolves
+      the graphical.target not coming up on Debian Edu workstations that got
+      installed via the PXE/network based Debian Installer method. (Closes:
+      #1006362).

-> Debian Edu workstations installed via PXE would not come up with a
graphical system before this change got introduced.

+    - Silence stderr output if the artwork theme lacks a plymouth subfolder.
+      This can be silently ignored and should not trouble Debian Edu admins.

-> Don't report warnings/errors that can be ignored.

+  * Support krb5i on Diskless Workstations (aka LTSP FAT Clients):
+    - ldap-bootstrap/netgroup.ldif: Add diskless-workstation-hosts NIS netgroup
+      during LDAP bootstrap.
+    - debian/debian-edu-config.{postinst,postrm}: Create non-privileged
+      debian-edu system user account on Debian Edu mainserver (for distribution
+      of host keytabs to diskless workstations aka LTSP fat clients).
+    - share/debian-edu-config/tools/: Add update-dlw-krb5-keytabs script and
+      call it (with delay) from gosa-modify-host hook script. (Closes: #613167,
+      #1002018).

-> This whole block is more of a functionality backport than an error
fix. For years we have been thinking about secure NFS mounting of NFS
shares on diskless workstations (aka LTSP fat clients). The solution for
this now is:

  - provide a folder with .keytab files for each host that is meant to be
    a diskless workstation
  - make this folder available to a non-privileged user "debian-edu"
  - during LTSP fat client boot, use scp debian-edu@tjener:/<path>/<keytabfile>
    to copy over this client host's .keytabfile and use it as /etc/krb5.keytab

The above changelog block describes the required steps in debian-edu-config to
provide this feature on the Debian Edu mainserver (aka TJENER).

+  * Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/
+    and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes:
+    #1002019).

-> In Debian Edu 11 there was a design flaw regarding the storage of
Kerberos <host>.keytab files. As a place for storing those files,
/etc/debian-edu/host-keytabs was used in the first design approach.

Using /etc for dynamic data is never a good idea, esp. if a tool like
etckeeper is used (which we do in Debian Edu by default).

A better place has now been discussed in the Debian Edu team:
/var/lib/debian-edu/host-keytabs. This version of debian-edu-config will
migrate existing .keytab files to this new location and provide a symlink
at the old location.

+  * share/debian-edu-config/squid.conf:
+    - Prefer DNSv4 lookups over DNSv6. Debian Edu does not yet fully support
+      IPv6 and many schools still use IPv4 primarily. This gives a great
+      performance boost to squid installations if IPv6 internet is not fully
+      available for whatever reason. (Closes: #1006375).

-> Performance boost for squid if IPv6 has not been set up properly.
(Something that we observed more than once in a school network.)

+  * share/debian-edu-config/tools/list-gosa-systems:
+    - Drop immature list-gosa-systems script again that got sneaked in via
+      upload of 2.11.56+deb11u3. We apologize for the noise.

-> Ouch! The list-gosa-systems script was lying around in my (Mike's) working
copy of Debian Edu, not yet added to Git. When working on the previous
bullseye-security upload, this script sneaked into the debian-edu-config
src:pkg. It was not installed into the debian-edu-config bin:pkg, though. So,
we now remove it again...


[ Other info ]
This bullseye-pu is presented to the SRM as a joint effort by the Debian
Edu team. Thanks for taking the time to look into all the changes
provided via the attached .debdiff.
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/changelog 
debian-edu-config-2.11.56+deb11u4/debian/changelog
--- debian-edu-config-2.11.56+deb11u3/debian/changelog  2022-02-04 
13:19:51.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/changelog  2022-03-23 
12:28:00.000000000 +0100
@@ -1,3 +1,89 @@
+debian-edu-config (2.11.56+deb11u4) bullseye; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal
+    network sent to root@<mynetwork-names>. (Closes: #1003727).
+  * Use mktemp instead of deprecated tempfile, adjust:
+    - etc/X11/Xsession-debian-edu
+    - sbin/debian-edu-update-netblock
+    - share/debian-edu-config/tools/gosa-sync
+    - testsuite/postoffice
+    (Closes: #1005352).
+
+  [ Mike Gabriel ]
+  * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service
+    principals if they don't yet exist. (Closes: #1002014).
+  * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.
+  * share/debian-edu-config/tools/setup-freeradius-server: Fix integer
+    comparison in run-by-root check. Script was not executable fully (not even
+    as root).
+  * debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
+    Debian-Edu_rootCA from this script. This now is the task of the
+    fetch-rootca-cert script. (Closes: #971780).
+  * debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of
+    Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to
+    Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is
+    required, because earlier versions of the fetch-ldap-cert init script put
+    Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced
+    symlinking replaces files by the wanted symlink. The -n option (no-
+    dereference) is required to make sure we don't follow any already existing
+    symlink. (This relates to #971780).
+  * share/debian-edu-config/tools/update-proxy-from-wpad:
+    - Fix typo (wrong protocol) in APT proxy config creation.
+    - Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/
+      named 03debian-edu-config rather than meddling with /etc/apt/apt.conf
+      directly. Clean up any earlier meddling from apt.conf, as well. (Closes:
+      #1003560).
+  * share/debian-edu-config/tools/{update-proxy-from-wpad,wpad-extra}:
+    - Don't fail if proxy update is not possible, only send warnings to stderr
+      and syslog. Don't source wpad-extra script, execute it instead and 
capture
+      stdout. (Closes: #1008067).
+  * sbin/update-hostname-from-ip:
+    - Simply if-then-else-clauses, reduce number of exit calls, don't exit with
+      non-zero exitcode. Improve syslog messages if things fail. (Closes:
+      #1006604).
+  * share/debian-edu-config/tools/setup-roaming: Assure libsss-sudo is 
installed
+    on Roaming Workstation. (Closes: #1004605).
+  * share/debian-edu-config/tools/gosa-remove: Capture removals of GOsa² user
+    templates and ignore them. (Closes: #815042).
+  * ldap-schemas/: Update schema files from Debian's latest GOsa² list of
+    schemas.
+  * share/debian-edu-config/tools/clean-up-host-keytabs: Don't fail
+    on Kerberos principal removal.
+  * etc/cups/cups-browsed-debian-edu.conf:
+    - Let TJENER's print queues appear on Debian Edu clients, use same
+      print queue names on clients as on TJENER. (Closes: #1005841).
+  * sbin/debian-edu-pxeinstall:
+    - Don't append 'ipappend 2' to the kernel boot cmdline anymore as it
+      confuses systemd when booting into the installed system. This resolves
+      the graphical.target not coming up on Debian Edu workstations that got
+      installed via the PXE/network based Debian Installer method. (Closes:
+      #1006362).
+    - Silence stderr output if the artwork theme lacks a plymouth subfolder.
+      This can be silently ignored and should not trouble Debian Edu admins.
+  * Support krb5i on Diskless Workstations (aka LTSP FAT Clients):
+    - ldap-bootstrap/netgroup.ldif: Add diskless-workstation-hosts NIS netgroup
+      during LDAP bootstrap.
+    - debian/debian-edu-config.{postinst,postrm}: Create non-privileged
+      debian-edu system user account on Debian Edu mainserver (for distribution
+      of host keytabs to diskless workstations aka LTSP fat clients).
+    - share/debian-edu-config/tools/: Add update-dlw-krb5-keytabs script and
+      call it (with delay) from gosa-modify-host hook script. (Closes: #613167,
+      #1002018).
+  * Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/
+    and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes:
+    #1002019).
+  * share/debian-edu-config/squid.conf:
+    - Prefer DNSv4 lookups over DNSv6. Debian Edu does not yet fully support
+      IPv6 and many schools still use IPv4 primarily. This gives a great
+      performance boost to squid installations if IPv6 internet is not fully
+      available for whatever reason. (Closes: #1006375).
+  * share/debian-edu-config/tools/list-gosa-systems:
+    - Drop immature list-gosa-systems script again that got sneaked in via
+      upload of 2.11.56+deb11u3. We apologize for the noise.
+
+ -- Mike Gabriel <sunwea...@debian.org>  Wed, 23 Mar 2022 12:28:00 +0100
+
 debian-edu-config (2.11.56+deb11u3) bullseye-security; urgency=medium
 
   * etc/apache2/mods-available/debian-edu-userdir.conf:
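Review bot: typo in the sbin/update-hostname-from-ip entry: "Simply if-then-else-clauses" should read "Simplify if-then-else clauses". Minor, but the changelog is the record the SRMs read, and this is the sentence that explains the exit-code change.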
diff -Nru 
debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-ldap-cert 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-ldap-cert
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-ldap-cert  
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-ldap-cert  
2022-03-21 15:18:05.000000000 +0100
@@ -16,14 +16,25 @@
 #
 # Author: Petter Reinholdtsen <p...@hungry.com>
 # Date:   2007-06-09
+#
+# Author: Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
+# Date:   2022-01-06
+
+###
+### FIXME: Legacy init script for Debian Edu clients.
+###
+###        --- Remove for Debian Edu bookworm+1 ---
+###
+###        Warning: Removing this script will drop support for clients running
+###        against Debian Edu main servers based on Debian Edu stretch and
+###        earlier.
+###
 
 set -e
 
 . /lib/lsb/init-functions
 
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 
 do_start() {
 
@@ -33,7 +44,7 @@
        ERROR=false
 
        ###
-       ### PHASE 1: RootCA / bundle-cert / LDAP server cert retrieval
+       ### PHASE 1: LDAP server cert retrieval
        ###
 
        if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f 
/etc/nslcd.conf ] &&
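Review bot: the PHASE 1 guard still reads `[ ! -f $ROOTCACRT ]`, but the `ROOTCACRT=` definition is removed in the hunk above and nothing in the visible diff sets it. The script runs with `set -e` but not `set -u`, so the variable expands to nothing and that test silently degenerates: the guard effectively checks only `$CERTFILE`, and a missing rootCA is no longer a reason to enter the fetch phase. That is consistent with handing the rootCA over to fetch-rootca-cert, but then the dead test should go: reduce the condition to `if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && ...` in this change rather than leaving an unset variable in it.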
@@ -50,116 +61,21 @@
 
                [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL 
certificate."
 
-               # do an openssl connect to the LDAP server, and check whether 
its certificate
-               # has been issued by the "Debian Edu RootCA", if not we are 
likely dealing with a
-               # pre-Debian Edu 10 (aka buster) TJENER or with some other 
non-Debian-Edu LDAP
-               # server.
-               if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 
2>/dev/null | grep -q "Debian Edu RootCA" ; then
-
-                       # Since Debian Edu 10, the LDAP certificate (or the 
RootCA file) is distributed
-                       # over http (always via the host serving www.intern, by 
default: TJENER)
-                       #
-                       # We do an availability check for the webserver first, 
to provide proper
-                       # error reporting (see below). So, the following check 
merely discovers,
-                       # if the webserver is online at all.
-                       if curl -sfk --head -o /dev/null https://www.intern 
2>/dev/null; then
-
-                               # Now let's see if the webserver has the 
"Debian Edu RootCA" file.
-                               # This has been the case for Debian Edu main 
servers (TJENER) since
-                               # Debian Edu 10.1.
-                               if curl -fk 
https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null && \
-
-                                   grep -q CERTIFICATE $ROOTCACRT ; then
-
-                                       # Obtained a RootCA-verified version of 
the LDAP server's server certificate.
-                                       gnutls-cli --x509cafile $ROOTCACRT 
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
-                                       logger -t fetch-ldap-cert "Fetched 
rootCA certificate from www.intern."
-
-                                       # If the host previously had got the 
BUNDLECERT file installed,
-                                       # we make sure here to have it removed. 
From now on, the LTSP chroot
-                                       # can operate on the ROOTCACRT file and 
the BUNDLECERT will never get
-                                       # update anymore once the ROOTCACRT is 
available on www.intern.
-                                       rm -f $BUNDLECRT
-                               else
-
-                                       # If there is no Debian Edu RootCA 
available on www.intern, fallback to
-                                       # debian-edu-bundle.crt download (an 
approach done by a Debian Edu 10.0
-                                       # main server (aka TJENER) only and 
changed to RootCA provisioning in
-                                       # in Debian Edu 10.1.
-
-                                       # Drop the ROOTCACRT file, as it 
probably only contains some 404 http
-                                       # error message in html.
-                                       rm -f $ROOTCACRT
-
-                                       # So, now let's see if the webserver 
has the "debian-edu-bundle.crt"
-                                       # file. If so (and no Debian Edu RootCA 
file), then we are likely dealing
-                                       # with a Debian Edu 10.0 main server.
-                                       if curl -fk 
https://www.intern/debian-edu-bundle.crt 1> $BUNDLECRT 2>/dev/null && \
-                                           grep -q CERTIFICATE $BUNDLECRT ; 
then
-
-                                               # Obtained a self-verified 
version of the LDAP server's server certificate.
-                                               # (The BUNDLECERT file should 
already contain the LDAP server's certificate,
-                                               # so having this cert file 
should allow us to successfully and "verified'ly"
-                                               # connect to the LDAP server 
and let us retrieve that very same certificate).
-                                               gnutls-cli --x509cafile 
$BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 
2>/dev/null
-                                               logger -t fetch-ldap-cert 
"Fetched bundle certificate from www.intern."
-                                       else
-
-                                               # We should never get here... 
If we do anyway, then something went
-                                               # terribly wrong or the 
www.intern servicing server is misconfigured.
-
-                                               # Drop the ROOTCACRT file, as 
it probably only contains some 404 http
-                                               # error message in html.
-                                               rm -f $BUNDLECRT
-
-                                               logger -t fetch-ldap-cert 
"Failed to fetch certificates from www.intern."
-                                       fi
-
-                               fi
-
-                       else
-
-                               # Report an error, if www.intern is down 
http-wise. This can happen and is probably
-                               # a temporary problem that needs an admin to 
fix it.
-                               log_action_end_msg 1
-                               logger -t fetch-ldap-cert "Failed to connect to 
www.intern, maybe the web server down."
-                               ERROR=true
-
-                       fi
-
-               else
-
-                       # Fallback: Fetch LDAP certificate from a 
pre-Debian-Edu-10 (aka buster) LDAP server
-                       # (or some non-Debian-Edu LDAP server)
-                       /usr/share/debian-edu-config/tools/ldap-server-getcert 
$LDAPSERVER > $CERTFILE.new
-                       chmod 644 $CERTFILE.new
-                       logger -t fetch-ldap-cert "Fetched pre Buster LDAP 
server certificate."
-
-                       # FIXME: Add some error handling here:
-                       #   - LDAP server down
-                       #   - what-not-else...
-
-               fi
+               # Fetch LDAP certificate from the Debian Edu main server (i.e. 
from the LDAP server)
+               /usr/share/debian-edu-config/tools/ldap-server-getcert 
$LDAPSERVER > $CERTFILE.new
+               chmod 644 $CERTFILE.new
 
-               # By now, we should have obtained the LDAP server's CERTFILE 
(verified in two cases (10.0 or 10.1 TJENER),
-               # simply downloaded from the LDAP server itself in the third 
case (pre-10.0 TJENER)
                if test -s $CERTFILE.new ; then
                        mv $CERTFILE.new $CERTFILE
                        [ "$VERBOSE" != no ] && log_action_end_msg 0
-                       if [ -f $BUNDLECRT ] || [ -f $ROOTCACRT ] ; then
-                               logger -t fetch-ldap-cert "Fetched and verified 
LDAP SSL certificate from $LDAPSERVER."
-                       else
-                               logger -t fetch-ldap-cert "Fetched LDAP SSL 
certificate from $LDAPSERVER."
-                       fi
+                       logger -t fetch-ldap-cert "Fetched LDAP SSL certificate 
from $LDAPSERVER."
                else
-
-                       # We obviously have failed in some other way, if the 
CERTFILE.new is empty (zero size)
-                       # Again, something went awfully wrong, if we end up 
here...
+                       # We obviously have failed in some way if the 
CERTFILE.new is empty (zero size).
+                       # Something went wrong, if we end up here...
                        rm -f $CERTFILE.new
                        log_action_end_msg 1
                        logger -t fetch-ldap-cert "Failed to fetch LDAP SSL 
certificate from $LDAPSERVER."
                        ERROR=true
-
                fi
 
        fi
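Review bot: the failure path at `if test -s $CERTFILE.new` is only reached when ldap-server-getcert exits 0 with empty output. The script runs under `set -e` (top of the file), so a non-zero exit from `/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new` aborts do_start before the `rm -f $CERTFILE.new`, `log_action_end_msg 1` and `logger` lines run, leaving the partial .new file behind and the failure unlogged (unless do_start is invoked in a context that disables errexit, which this diff does not show). Wrapping the fetch as `if ! ... > $CERTFILE.new; then ERROR=true; ...` or appending `|| true` routes every failure through the existing handling. One more line in the new comment would help future readers: the certificate is now taken directly from the LDAP server without the rootCA check the removed gnutls-cli path performed, and trust in it rests on fetch-rootca-cert having installed the site rootCA beforehand.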
@@ -168,7 +84,7 @@
        ### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are 
present.
        ###
 
-       if [ -d /opt/ltsp ] ; then
+       if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
 
                # Loop over all to be found LTSP chroots...
                for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 
-type d`; do
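Review bot: adding `[ "$ERROR" = "false" ]` to the PHASE 2 guard changes behaviour on a failed refresh: previously a still-present (older) $CERTFILE was deployed to the LTSP chroots regardless, now the chroot loop is skipped entirely whenever the fetch failed. If skipping is intended, a word in the changelog entry for fetch-ldap-cert would help; if not, keep the loop and skip only when $CERTFILE is absent.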
@@ -195,58 +111,10 @@
                                fi
                        fi
 
-                       if [ ! -f $ltsp_chroot$ROOTCACRT ]; then
-
-                               if test -e $ROOTCACRT; then
-
-                                       # If we retrieved it, we also copy the 
obtained ROOTCACRT into the LTSP chroot
-                                       # (containing the self-built rootCA of 
the Debian Edu site).
-                                       log_action_begin_msg "Copying Debian 
Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
-                                       if test -s $ROOTCACRT; then
-
-                                               # If the chroot previously had 
got the BUNDLECERT file installed,
-                                               # we should make sure here to 
have it removed. From now on, the LTSP chroot
-                                               # can operate on the ROOTCACRT 
file and the BUNDLECERT will never get
-                                               # update anymore once the 
ROOTCACRT is available on www.intern.
-                                               rm -f $ltsp_chroot$BUNDLECRT
-                                               cp $ROOTCACRT 
$ltsp_chroot$ROOTCACRT
-                                               [ "$VERBOSE" != no ] && 
log_action_end_msg 0
-
-                                       else
-                                               log_action_end_msg 1
-                                               ERROR=true
-                                       fi
-
-                               fi
-
-                       fi
-
-                       if [ ! -f $ltsp_chroot$BUNDLECRT ] && [ ! -f 
$ltsp_chroot$ROOTCACRT ]; then
-
-                               if test -e $BUNDLECRT; then
-                                       # If we talked to a Debian Edu 10.0 
main server (aka TJENER) above, then we
-                                       # don't have the ROOTCACRT. We copy the 
BUNDLECRT file into the LTSP chroot
-                                       # instead (containing all certificates 
ever issued for the Debian Edu site).
-                                       # This is just a fallback, in fact, we 
need the Debian Edu RootCA.
-
-                                       # If you end up here, then please 
upgrade your Debian Edu 10.0 server to a
-                                       # a newer version (Debian Edu 10.1 and 
beyond).
-                                       log_action_begin_msg "Copying TLS 
certificate bundle to ltsp-chroot $ltsp_chroot "
-                                       if test -s $BUNDLECRT; then
-                                               cp $BUNDLECRT 
$ltsp_chroot$BUNDLECRT
-                                               [ "$VERBOSE" != no ] && 
log_action_end_msg 0
-                                       else
-                                               log_action_end_msg 1
-                                               ERROR=true
-                                       fi
-                               fi
-
-                       fi
-
                done
        fi
 
-       if $ERROR; then
+       if [ "$ERROR" = "true" ]; then
                return 1
        fi
 }
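Review bot: with the ROOTCACRT/BUNDLECRT copying removed from the chroot loop, this script no longer places any CA file into /opt/ltsp/* chroots, and the only change to fetch-rootca-cert in this debdiff is the `ln -nsf` switch on the host side. Nothing here shows how chroots get the rootCA now, so please confirm that fetch-rootca-cert (or the LTSP image build) covers them, otherwise clients booting from those chroots keep operating without the trust anchor. The `if [ "$ERROR" = "true" ]` rewrite is fine and matches the `ERROR=false` initialisation.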
@@ -263,4 +131,5 @@
                echo "Usage: $0 {start|stop|restart|force-reload}"
                exit 2
 esac
+
 exit 0
diff -Nru 
debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-rootca-cert 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-rootca-cert
--- 
debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-rootca-cert    
    2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-rootca-cert    
    2022-03-21 15:18:05.000000000 +0100
@@ -53,7 +53,7 @@
                        if curl -fk https://www.intern/Debian-Edu_rootCA.crt > 
$LOCALCACRT 2>/dev/null && \
                                grep -q CERTIFICATE $LOCALCACRT ; then
                                # Make rootCA certificate available in 
/etc/ssl/certs/
-                               ln -s $LOCALCACRT $ROOTCACRT
+                               ln -nsf $LOCALCACRT $ROOTCACRT
                                # Integrate the rootCA certificate into 
/etc/ssl/certs/ca-certificates
                                update-ca-certificates
                                logger -t fetch-rootca-cert "Deploy the Debian 
Edu rootCA certificate fetched from www.intern systemwide."
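Review bot: `ln -nsf` is the right call, but the rationale given in the changelog for `-n` is slightly off and would be better stated in the comment above the call: GNU ln only consults `-n` when the link name is itself a symlink to a directory (without it, `ln -sf` follows that symlink and creates the new link inside the directory); an existing symlink to a regular file, or a plain file, is already replaced by `-f` alone. The case that matters here, the plain file left by older fetch-ldap-cert versions, is handled by `-f`; `-n` is the safety net for the directory-symlink case.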
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.links 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.links
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.links    
2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.links    
2022-03-22 09:14:06.000000000 +0100
@@ -1,3 +1,2 @@
 usr/share/debian-edu-config/tools/ldapdump.sh etc/slbackup/pre.d/ldapdump.sh
 etc/debian-edu/www/index.html.nb-no etc/debian-edu/www/index.html.no
-
diff -Nru 
debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.maintscript 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.maintscript
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.maintscript      
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.maintscript      
2022-03-23 12:26:34.000000000 +0100
@@ -4,4 +4,4 @@
 rm_conffile /etc/apt/apt.conf.d/90squid 2.10.36
 rm_conffile /etc/ltspfs/mounter.d/edu-notify 2.11.16
 rm_conffile /etc/cfengine3/debian-edu/cf.tftpd 2.11.16
-
+dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 
2.11.56+deb11u3
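Review bot: the prior-version `2.11.56+deb11u3` given here does not agree with the `le "2.11.56+deb11u4"` guard used for the manual keytab move in preinst; both should express "last version that shipped the directory", i.e. u3 (or `lt 2.11.56+deb11u4` in preinst). Also, dpkg-maintscript-helper's dir_to_symlink leaves the directory untouched if it still contains locally created files, so the hand-written move in preinst must run before the helper snippet; that depends on the `#DEBHELPER#` token sitting after that block, which is not visible in this diff and is worth confirming.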
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postinst 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postinst
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postinst 
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postinst 
2022-03-23 12:26:34.000000000 +0100
@@ -178,6 +178,32 @@
                fi
        fi
 
+       # On Debian Edu main servers create a debian-edu system user account 
with
+       # limited privileges for publishing host keytabs to diskless 
workstations (this
+       # is the initial use case, further use cases might pop up later).
+       if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" 
/etc/debian-edu/config ; then
+
+           if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
+               echo 'Creating debian-edu user.' >&2
+               adduser --system --home /var/lib/debian-edu \
+                       --disabled-password --shell /bin/sh \
+                       --group debian-edu
+           else
+               echo 'User debian-edu already exists.' >&2
+               # make sure all settings are appropriate
+               if [ "$(id -gn 'debian-edu')" != 'debian-edu' ]; then
+                   usermod --gid 'debian-edu' 'debian-edu'
+               fi
+           fi
+
+           # Assure that permissions of /var/lib/debian-edu/ are appropriate
+           if [ -d /var/lib/debian-edu/ ]; then
+               chown debian-edu:debian-edu /var/lib/debian-edu/
+               chmod 0755 /var/lib/debian-edu/
+           fi
+
+       fi
+
     # silence dovecot's message: if you have trouble with authentication 
failures,
     # enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
     # This message goes away after the first successful login.
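Review bot: the `else` branch assumes a `debian-edu` group already exists: if the account pre-exists without its own group (created by hand, or by an earlier attempt), `usermod --gid 'debian-edu'` fails and, under `set -e`, aborts configure; a `getent group debian-edu >/dev/null || addgroup --system debian-edu` before the usermod closes that gap. Two least-privilege points as well: the account gets `--shell /bin/sh` although the comment promises "limited privileges" (use `/usr/sbin/nologin` unless the keytab publisher really needs an interactive shell), and `chown debian-edu:debian-edu /var/lib/debian-edu/` hands the service user ownership of the parent of `host-keytabs`, which lets it rename or replace that directory entry even if the keytab directory itself stays root-owned; keeping `/var/lib/debian-edu` root-owned and granting the user read access only to the subdirectory it needs is tighter. Style: the new block is indented with spaces inside a tab-indented script.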
@@ -266,6 +292,14 @@
        fi
 fi
 
+# On the main-server, point from the old keytab location 
/etc/debian-edu/host-keytabs to the new
+# keytab location at /var/lib/debian-edu/host-keytabs...
+if grep -q Main-Server /etc/debian-edu/config; then
+       if [ ! -e /etc/debian-edu/host-keytabs ] && [ -d 
/var/lib/debian-edu/host-keytabs ]; then
+               ln -s /var/lib/debian-edu/host-keytabs 
/etc/debian-edu/host-keytabs
+       fi
+fi
+
 # Register all changes done by this postinst script
 if which etckeeper > /dev/null ; then
     etckeeper commit "end of debian-edu-config postinst" || true
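Review bot: `[ ! -e /etc/debian-edu/host-keytabs ]` is true for a dangling symlink, yet `ln -s` then fails with "File exists"; test `! -e` and `! -h`, or use `ln -nsf` as fetch-rootca-cert now does. This `grep -q Main-Server /etc/debian-edu/config` also lacks the `[ -s /etc/debian-edu/config ]` guard the earlier hunk uses, so on a host without that file it prints an error instead of skipping quietly. Finally, on upgrades the dir_to_symlink entry in maintscript creates the same symlink on every profile, while this block only does so on the main server; if that asymmetry is intended, a one-line comment saying why would help the next reader.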
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postrm 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postrm
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postrm   
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postrm   
2022-03-23 12:26:34.000000000 +0100
@@ -25,6 +25,11 @@
        fi
        ;;
     purge)
+       # remove user/group debian-edu from system
+       getent passwd debian-edu 1>/dev/null && deluser debian-edu
+       getent group debian-edu 1>/dev/null && delgroup debian-edu
+       rm -Rf /var/lib/debian-edu
+
        # Generated in the postinst
        rm -f /etc/default/enable-nat
        if [ ! -s /var/lib/dovecot/auth_success ] ; then
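Review bot: `deluser debian-edu` is the last command of an `&&` list, so if it fails (for instance because a process still runs as that user and `userdel` refuses), `set -e` aborts the purge before `delgroup` and `rm -Rf /var/lib/debian-edu` run; append `|| true` to both the deluser and delgroup lines, as is customary for system accounts in postrm. Be aware, too, that `rm -Rf /var/lib/debian-edu` destroys the host keytabs that preinst explicitly treats as not owned by the package; if deleting admin-generated keytabs on purge is intended, say so in the changelog, since they can only be re-issued from the KDC.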
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.preinst 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.preinst
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.preinst  
2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.preinst  
2022-03-23 12:26:34.000000000 +0100
@@ -44,6 +44,21 @@
     if dpkg --compare-versions "$2" le "2.11.16" ; then
         rm -rf /etc/ltspfs
     fi
+
+    # Move .keytab files from /etc/debian-edu/host-keytabs to
+    # /var/lib/debian-edu/host-keytabs before dpkg-maintscript-helper moves
+    # the /etc/debian-edu/host-keytabs dir and replaces it by a symlink...
+    # We have to move the .keytab files manually, because they are not owned
+    # by debian-edu-config.
+    if dpkg --compare-versions "$2" le "2.11.56+deb11u4"; then
+        if [ -d /etc/debian-edu/host-keytabs ] && \
+           [ ! -h /etc/debian-edu/host-keytabs ] && \
+           find /etc/debian-edu/host-keytabs/* 1>/dev/null 2>/dev/null; then
+            mkdir -p /var/lib/debian-edu/host-keytabs/
+            mv /etc/debian-edu/host-keytabs/*.keytab 
/var/lib/debian-edu/host-keytabs/
+        fi
+    fi
+
     ;;
 esac
 
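Review bot: the emptiness test and the move disagree: `find /etc/debian-edu/host-keytabs/* ...` succeeds if any entry exists, but `mv .../*.keytab` then runs unconditionally, so a directory holding only non-`.keytab` files (or only dotfiles, which `*` skips) makes `mv` fail on the literal glob and abort preinst. Guard on the `.keytab` glob itself (e.g. `for f in /etc/debian-edu/host-keytabs/*.keytab; do [ -e "$f" ] && mv "$f" /var/lib/debian-edu/host-keytabs/; done`) or use `find ... -name '*.keytab' -exec mv {} ... \;`. Two follow-ups: anything left behind makes dpkg-maintscript-helper skip the dir_to_symlink conversion and leave the directory in place, so either move everything or log what was left; and `mkdir -p /var/lib/debian-edu/host-keytabs/` uses the default umask, creating the keytab directory world-searchable before postinst runs, so pass `-m 0750` (or whatever the publisher needs). The version test `le "2.11.56+deb11u4"` should be `lt` (or `le 2.11.56+deb11u3`) to match the maintscript prior-version.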
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.prerm 
debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.prerm
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.prerm    
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.prerm    
2022-03-23 12:26:34.000000000 +0100
@@ -16,6 +16,11 @@
            rm /usr/share/pam-configs/edu-nopwdchange
        fi
        pam-auth-update --package --remove edu-group edu-umask
+
+       # drop /etc/debian-edu/host-keytabs symlink
+       if [ -h /etc/debian-edu/host-keytabs ]; then
+           rm /etc/debian-edu/host-keytabs
+       fi
        ;;
 esac
 
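Review bot: confirm this branch runs under the `remove` case only; the case label sits outside the hunk, and if the same branch is also reached on `upgrade`, the `/etc/debian-edu/host-keytabs` symlink disappears for the window between prerm and the postinst that recreates it, leaving anything that reads keytabs through the old path without one.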
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/dirs 
debian-edu-config-2.11.56+deb11u4/debian/dirs
--- debian-edu-config-2.11.56+deb11u3/debian/dirs       2022-01-30 
21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/dirs       2022-03-21 
20:42:07.000000000 +0100
@@ -6,7 +6,6 @@
 etc/cron.d
 etc/cups
 etc/debian-edu
-etc/debian-edu/host-keytabs
 etc/default
 etc/exports.d
 etc/firefox-esr
@@ -26,3 +25,4 @@
 usr/share/doc/debian-edu-config
 usr/share/man
 usr/share/man/man8
+var/lib/debian-edu/host-keytabs
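Review bot: shipping `var/lib/debian-edu/host-keytabs` via debian/dirs gives it dpkg's default mode (0755, root:root), yet it is the directory that will hold Kerberos host keytabs, and nothing in this debdiff tightens it (postinst only chmods the parent to 0755). Set a restrictive mode in postinst (e.g. `chmod 0750` with a group the publisher account belongs to, or whatever update-dlw-krb5-keytabs actually needs) so keytab confidentiality does not rest solely on each file's own mode.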
diff -Nru 
debian-edu-config-2.11.56+deb11u3/etc/cups/cups-browsed-debian-edu.conf 
debian-edu-config-2.11.56+deb11u4/etc/cups/cups-browsed-debian-edu.conf
--- debian-edu-config-2.11.56+deb11u3/etc/cups/cups-browsed-debian-edu.conf     
2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/etc/cups/cups-browsed-debian-edu.conf     
2022-03-21 15:18:05.000000000 +0100
@@ -28,5 +28,5 @@
 # to "No".
 
 CreateIPPPrinterQueues No
-CreateRemoteCUPSPrinterQueues No
-
+CreateRemoteCUPSPrinterQueues Yes
+LocalQueueNamingRemoteCUPS RemoteName
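Review bot: the comment block above ends with `to "No".`; if it explains why remote CUPS queues were disabled, it now contradicts `CreateRemoteCUPSPrinterQueues Yes` and should be updated. Security-wise, `Yes` makes every client create local queues for any CUPS server it discovers on the LAN, so a rogue host advertising the same queue names can receive print jobs; if the intent is only to mirror the site print server, constrain discovery (cups-browsed's `BrowsePoll <server>`, `BrowseAllow`, `BrowseRemoteProtocols`) instead of accepting all advertisers. `LocalQueueNamingRemoteCUPS RemoteName` compounds this because it keeps the advertised name, making a spoofed queue indistinguishable from the real one.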
diff -Nru debian-edu-config-2.11.56+deb11u3/etc/exim4/exim-ldap-server-v4.conf 
debian-edu-config-2.11.56+deb11u4/etc/exim4/exim-ldap-server-v4.conf
--- debian-edu-config-2.11.56+deb11u3/etc/exim4/exim-ldap-server-v4.conf        
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/etc/exim4/exim-ldap-server-v4.conf        
2022-03-21 15:18:05.000000000 +0100
@@ -204,6 +204,7 @@
 # ACL that is used after the RCPT command
 acl_check_rcpt:
   accept local_parts = postmaster
+  accept local_parts = root
   # Exim 3 had no checking on -bs messages, so for compatibility
   # we accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
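Review bot: `accept local_parts = root` on its own accepts RCPT TO root@<anything> from any connecting host, ahead of the relay checks further down in acl_check_rcpt; with no `domains =` or `hosts =` condition, the main server will accept, and unless a router refuses it, attempt to relay, mail for root at arbitrary external domains. Use `accept local_parts = root  domains = +local_domains` (or the list of internal domain names), and add `hosts = +relay_from_hosts` if the sending side should be limited to the internal network. The adjacent `postmaster` line has the same shape, so if that one is deliberately open, a comment explaining the asymmetry with the rest of the ACL would help.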
diff -Nru debian-edu-config-2.11.56+deb11u3/etc/X11/Xsession-debian-edu 
debian-edu-config-2.11.56+deb11u4/etc/X11/Xsession-debian-edu
--- debian-edu-config-2.11.56+deb11u3/etc/X11/Xsession-debian-edu       
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/etc/X11/Xsession-debian-edu       
2022-02-11 21:40:55.000000000 +0100
@@ -70,7 +70,7 @@
 # attempt to create an error file; abort if we cannot
 if touch $ERRFILE 2> /dev/null && [ -w $ERRFILE ]; then
   chmod 600 "$ERRFILE"
-elif ERRFILE=$(tempfile 2> /dev/null); then
+elif ERRFILE=$(mktemp 2> /dev/null); then
   if ! ln -sf "$ERRFILE" "${TMPDIR:=/tmp}/xsession-$USER"; then
     message "Xsession: unable to symlink \"$TMPDIR/xsession-$USER\" to" \
              "\"$ERRFILE\"."
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-bootstrap/netgroup.ldif 
debian-edu-config-2.11.56+deb11u4/ldap-bootstrap/netgroup.ldif
--- debian-edu-config-2.11.56+deb11u3/ldap-bootstrap/netgroup.ldif      
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-bootstrap/netgroup.ldif      
2022-03-23 11:49:36.000000000 +0100
@@ -15,6 +15,12 @@
 description: All workstations
 cn: workstation-hosts
 
+dn: cn=diskless-workstation-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+description: All diskless workstations
+cn: diskless-workstation-hosts
+
 dn: cn=ltsp-server-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: nisNetgroup
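Review bot: adding `diskless-workstation-hosts` only to the bootstrap LDIF means installations that predate this version never get the netgroup; if anything in this update (the new diskless-workstation keytab tooling listed in the Makefile hunk) relies on it, ship an idempotent migration for existing directories (an `ldapadd` in postinst on the main server, guarded by an `ldapsearch` for the DN) or document the manual step for upgraders.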
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/gofon.schema 
debian-edu-config-2.11.56+deb11u4/ldap-schemas/gofon.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/gofon.schema 2022-02-04 
13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/gofon.schema 2022-03-21 
15:18:05.000000000 +0100
@@ -285,29 +285,29 @@
 
 # objectclass 
 objectclass (1.3.6.1.4.1.10098.1.2.3.11 NAME 'goFonAccount' SUP top AUXILIARY
-       DESC 'GOFon Account objectclass (v1.0)'
+       DESC 'GOFon Account objectclass (v2.7)'
        MUST ( goFonDeliveryMode $ telephoneNumber $ uid )
        MAY ( goFonFormat $ goFonForwarding $ goFonHardware $ goFonPIN $ 
goFonVoicemailPIN $ goFonMacro $ goFonHomeServer ))
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.12 NAME 'goFonHardware' SUP top STRUCTURAL
-       DESC 'defines a telephone (v1.0)'
+       DESC 'defines a telephone (v2.7)'
        MUST ( cn $ macAddress $ ipHostNumber )
        MAY (description $ goFonType $ goFonDmtfMode $ goFonHost $ 
goFonDefaultIP $
                 goFonQualify $ goFonAuth $ goFonSecret $ goFonInkeys $ 
goFonOutkey $
                 goFonTrunk $ goFonAccountCode $ goFonMSN $ goFonPermit $ 
goFonDeny ) )
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.13 NAME 'goFonPickupGroup' SUP top 
AUXILIARY
-       DESC 'Additive for posixGroups (v1.0)'
+       DESC 'Additive for posixGroups (v2.7)'
        MUST ( cn $ gidNumber ) )
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.14 NAME 'goFonMacro' SUP top STRUCTURAL
-       DESC 'Macro definitions for asterisk machines (v1.0)'
+       DESC 'Macro definitions for asterisk machines (v2.7)'
        MUST ( cn ) 
        MAY ( goFonMacroVisible $ displayName $ goFonMacroContent $ description 
$
                  goFonMacroParameter ))
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.15 NAME 'goFonQueue' SUP top AUXILIARY
-       DESC 'Queue definitions for asterisk machines (v1.0)'
+       DESC 'Queue definitions for asterisk machines (v2.7)'
        MUST ( cn ) 
        MAY ( goFonTimeOut $ goFonMaxLen $ goFonAnnounceFrequency $ 
goFonDialOption $
                  goFonMusiconHold $ goFonWelcomeMusic $ goFonQueueReportHold $
@@ -317,7 +317,7 @@
                  goFonQueueRetry $ goFonQueueLessThan $ goFonHomeServer ))
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.16 NAME 'goFonConference' SUP top 
STRUCTURAL
-       DESC 'Conference definitions for asterisk machines (v1.0)'
+       DESC 'Conference definitions for asterisk machines (v2.7)'
        MUST ( cn ) 
        MAY ( description $ goFonConferenceOption $ goFonConferenceTimeout $ 
goFonPIN $
                  goFonConferenceOwner $ telephoneNumber $ goFonHomeServer))
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosa-samba3.schema 
debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosa-samba3.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosa-samba3.schema   
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosa-samba3.schema   
2022-03-21 15:18:05.000000000 +0100
@@ -272,6 +272,10 @@
         DESC 'A user defined filter'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
 
+attributetype ( 1.3.6.1.4.1.10098.1.1.12.48 NAME 'gosaWebDAVQuota'
+        DESC 'Webdav share quota in KB'
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
 attributetype ( 1.3.6.1.4.1.10098.1.1.6.2 NAME 'academicTitle'
         DESC 'Field to represent the academic title'
         EQUALITY caseIgnoreMatch
@@ -298,34 +302,42 @@
                SUBSTR caseIgnoreIA5SubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 
+# alias used to provide alternative rfc822 email addresses for kolab users
+attributetype ( 1.3.6.1.4.1.19414.2.1.3
+        NAME 'alias'
+        DESC 'RFC1274: RFC822 Mailbox'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
 # Classes
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.1 NAME 'gosaObject' SUP top AUXILIARY
-        DESC 'Class for GOsa settings (v2.6.1)'
+        DESC 'Class for GOsa settings (v2.7)'
         MUST ( gosaSubtreeACL ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.2 NAME 'gosaLockEntry' SUP top 
STRUCTURAL
-        DESC 'Class for GOsa locking (v2.6.1)'
+        DESC 'Class for GOsa locking (v2.7)'
         MUST ( gosaUser $ gosaObject $ cn ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.3 NAME 'gosaCacheEntry' SUP top 
STRUCTURAL
-        DESC 'Class for GOsa caching (v2.6.1)'
+        DESC 'Class for GOsa caching (v2.7)'
        MAY  ( gosaUser )
        MUST ( cn ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.4 NAME 'gosaDepartment' SUP top 
AUXILIARY
-        DESC 'Class to mark Departments for GOsa (v2.6.1)'
+        DESC 'Class to mark Departments for GOsa (v2.7)'
        MUST  ( ou $ description )
        MAY   ( manager ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.5 NAME 'gosaMailAccount' SUP top 
AUXILIARY
-        DESC 'Class to mark MailAccounts for GOsa (v2.6.1)'
+        DESC 'Class to mark MailAccounts for GOsa (v2.7)'
        MUST ( mail $ gosaMailServer $ gosaMailDeliveryMode)
-       MAY  ( gosaMailQuota $ gosaMailAlternateAddress $ 
gosaMailForwardingAddress $
+       MAY  ( alias $ gosaMailQuota $ gosaMailAlternateAddress $ 
gosaMailForwardingAddress $
               gosaMailMaxSize $ gosaSpamSortLevel $ gosaSpamMailbox $
               gosaVacationMessage $ gosaVacationStart $ gosaVacationStop $ 
gosaSharedFolderTarget $ acl))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount' SUP top AUXILIARY
-        DESC 'Class for GOsa Accounts (v2.6.6)'
+        DESC 'Class for GOsa Accounts (v2.7)'
        MUST ( uid )
         MAY ( sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ 
gosaDefaultPrinter $
              gosaDefaultLanguage $ academicTitle $ personalTitle $ gosaHostACL 
$ dateOfBirth $
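Review bot: defining attributetype `alias` (OID 1.3.6.1.4.1.19414.2.1.3, the Kolab arc) inside gosa-samba3.schema will make slapd refuse to load its schema (AttributeType not unique) on any directory that already loads kolab2.schema or another file defining `alias`; since the comment itself says the attribute is for kolab users, either ship it in a separate, optional schema file or confirm that no other schema on a Debian Edu main server defines it. Adding a MAY attribute to an AUXILIARY class already used on existing entries is backward compatible, but how the changed schema files reach a running slapd on upgrade (include in slapd.conf versus cn=config conversion) is not visible here and decides whether upgraded servers actually see the new attributes.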
@@ -333,88 +345,89 @@
         gotoLastSystemLogin $ gotoLastSystem $ gosaLoginRestriction ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.7 NAME 'gosaHost' SUP top AUXILIARY
-        DESC 'Class for GOsa Hosts (v2.6.1)'
+        DESC 'Class for GOsa Hosts (v2.7)'
         MUST ( cn )
         MAY ( description $ gosaService ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.8 NAME 'gosaProxyAccount' SUP top 
AUXILIARY
-        DESC 'Class for GOsa Proxy settings (v2.6.1)'
+        DESC 'Class for GOsa Proxy settings (v2.7)'
         MUST ( gosaProxyAcctFlags )
         MAY ( gosaProxyID $ gosaProxyWorkingStart $ gosaProxyWorkingStop $ 
gosaProxyQuota $
               gosaProxyQuotaPeriod ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.9 NAME 'gosaApplication' SUP top 
STRUCTURAL
-        DESC 'Class for GOsa applications (v2.6.1)'
+        DESC 'Class for GOsa applications (v2.7)'
         MUST ( cn $ gosaApplicationExecute )
         MAY ( gosaApplicationName $ gosaApplicationIcon $ gosaApplicationFlags 
$ gosaApplicationMimeType $
               gosaApplicationParameter $ gotoLogonScript $ description $ 
gosaApplicationCategory ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.10 NAME 'gosaApplicationGroup' SUP 
top AUXILIARY
-        DESC 'Class for GOsa application groups (v2.6.1)'
+        DESC 'Class for GOsa application groups (v2.7)'
         MUST ( cn )
         MAY ( gosaMemberApplication $ gosaApplicationParameter ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.11 NAME 'gosaUserTemplate' SUP top 
AUXILIARY
-        DESC 'Class for GOsa User Templates (v2.6.1)'
+        DESC 'Class for GOsa User Templates (v2.7)'
         MUST ( cn ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.12 NAME 'gosaGroupOfNames'
-        DESC 'GOsa object grouping (v2.6.1)'
+        DESC 'GOsa object grouping (v2.7)'
                SUP top STRUCTURAL
                MUST ( cn $ gosaGroupObjects ) MAY ( member $ description ) )
 
-objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebdavAccount'
-        DESC 'GOsa webdav enabling account (v2.6.1)'
+objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebDAVAccount'
+        DESC 'GOsa webdav enabling account (v2.7)'
         SUP top AUXILIARY
-        MUST ( cn $ uid ))
+        MUST ( cn $ uid )
+        MAY ( gosaWebDAVQuota ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.14 NAME 'gosaIntranetAccount'
-               DESC 'GOsa Inatrent enabling account (v2.6.1)'
+               DESC 'GOsa Inatrent enabling account (v2.7)'
                SUP top AUXILIARY
                MUST ( cn $ uid )
                MAY ( gosaDefaultLanguage ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.15 NAME 'gosaAdministrativeUnit'
-       DESC 'Marker for administrational units (v2.6.1)'
+       DESC 'Marker for administrational units (v2.7)'
            SUP top AUXILIARY
        MUST ( gosaUnitTag ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.16 NAME 'gosaAdministrativeUnitTag'
-       DESC 'Marker for objects below administrational units (v2.6.1)'
+       DESC 'Marker for objects below administrational units (v2.7)'
            SUP top AUXILIARY
        MUST ( gosaUnitTag ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.17 NAME 'gosaRole'
-       DESC 'ACL container to define roles (v2.6.1)' SUP top STRUCTURAL
+       DESC 'ACL container to define roles (v2.7)' SUP top STRUCTURAL
        MUST ( gosaAclTemplate $ cn )
        MAY  ( description ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.18 NAME 'gosaAcl'
-       DESC 'ACL container to define single ACLs (v2.6.1)' SUP top AUXILIARY
+       DESC 'ACL container to define single ACLs (v2.7)' SUP top AUXILIARY
        MUST ( gosaAclEntry  ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.19 NAME 'gosaSnapshotObject'
-       DESC 'Container object for undo and snapshot data (v2.6.1)' SUP top 
STRUCTURAL
+       DESC 'Container object for undo and snapshot data (v2.7)' SUP top 
STRUCTURAL
        MUST ( gosaSnapshotType $ gosaSnapshotTimestamp $ gosaSnapshotDN $ 
gosaSnapshotData )
        MAY  ( description ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.20 NAME 'gosaConfig'
-       DESC 'Settings for gosa. Replaces parts of the gosa.conf. (v2.6)' SUP 
top STRUCTURAL
+       DESC 'Settings for gosa. Replaces parts of the gosa.conf. (v2.7)' SUP 
top STRUCTURAL
        MUST ( cn ) 
        MAY  ( gosaSetting ) )
 
-# GOto submenu entries
+# GOto submenu entry
 objectclass (1.3.6.1.4.1.10098.1.2.1.43 NAME 'gotoSubmenuEntry'
-        DESC 'GOto - contains environment settings (v2.6)' SUP top STRUCTURAL
+        DESC 'GOto - contains environment settings (v2.7)' SUP top STRUCTURAL
         MUST ( cn )
         MAY ( gosaApplicationIcon $ gosaApplicationPriority ) )
 
-# GOto menu entries
+# GOto menu entry
 objectclass (1.3.6.1.4.1.10098.1.2.1.44 NAME 'gotoMenuEntry'
-        DESC 'GOto - defines a menu entry (v2.6)' SUP top STRUCTURAL
+        DESC 'GOto - defines a menu entry (v2.7)' SUP top STRUCTURAL
         MUST ( cn )
         MAY ( gosaApplicationParameter $ gosaApplicationPriority ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.21 NAME 'gosaProperties' SUP top 
AUXILIARY
-        DESC 'Class for GOsa Properties, stores for example user filters 
(v2.6.8)'
-        MAY ( gosaUserDefinedFilter ) ) 
+        DESC 'Store GOsa properties (v2.7)'
+        MAY ( gosaUserDefinedFilter ) )
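Review bot: the rename `gosaWebdavAccount` to `gosaWebDAVAccount` is harmless for slapd (object class names match case-insensitively, so existing entries stay valid), but any client code or filter that compares the objectClass string case-sensitively (e.g. PHP `in_array` in GOsa plugins) would stop recognising the old entries; worth a grep through the GOsa plugins shipped with this package. While bumping the DESC of `gosaIntranetAccount`, fix the "Inatrent" typo as well.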
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/goserver.schema 
debian-edu-config-2.11.56+deb11u4/ldap-schemas/goserver.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/goserver.schema      
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/goserver.schema      
2022-03-21 15:18:05.000000000 +0100
@@ -473,86 +473,86 @@
 
 # Terminal Server description 
 objectclass (1.3.6.1.4.1.10098.1.2.1.16 NAME 'goTerminalServer' SUP top 
AUXILIARY
-       DESC 'Terminal server description (v2.6.1)'
+       DESC 'Terminal server description (v2.7)'
        MUST ( cn $ goXdmcpIsEnabled )
-       MAY  ( description $ goTerminalServerStatus $ gotoSessionType ))
+       MAY  ( description $ goTerminalServerStatus $ gotoSessionType $ 
goFontPath ))
 
 # NFS Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.19 NAME 'goNfsServer' SUP top AUXILIARY
-       DESC 'NFS server description (v2.6.1)'
+       DESC 'NFS server description (v2.7)'
        MUST ( cn )
        MAY  ( goExportEntry $ description $ goNfsServerStatus ))
 
 # Time Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.20 NAME 'goNtpServer' SUP top AUXILIARY
-       DESC 'Time server description (v2.6.1)'
+       DESC 'Time server description (v2.7)'
        MUST ( cn )
         MAY  ( goTimeSource $ description $ goNtpServerStatus ))
 
 # Syslog Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.21 NAME 'goSyslogServer' SUP top AUXILIARY
-       DESC 'Syslog server description (v2.6.1)'
+       DESC 'Syslog server description (v2.7)'
        MUST ( cn )
        MAY  ( goSyslogSection $ description $ goSyslogServerStatus ))
 
 # LDAP Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.22 NAME 'goLdapServer' SUP top AUXILIARY
-       DESC 'LDAP server description (v2.6.1)'
+       DESC 'LDAP server description (v2.7)'
        MUST ( cn )
        MAY  ( goLdapBase $ description $ goLdapServerStatus ))
 
 # CUPS Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.23 NAME 'goCupsServer' SUP top AUXILIARY
-       DESC 'CUPS server description (v2.6.1)'
+       DESC 'CUPS server description (v2.7)'
        MUST ( cn )
        MAY  ( description $ goCupsServerStatus ))
 
 # IMAP Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.24 NAME 'goImapServer' SUP top AUXILIARY
-       DESC 'IMAP server description (v2.6.1)'
+       DESC 'IMAP server description (v2.7)'
        MUST ( cn $ goImapName $ goImapConnect $ goImapAdmin $ goImapPassword )
        MAY  ( goImapSieveServer $ goImapSievePort $ description $ 
goImapServerStatus $
               cyrusImap $ cyrusImapSSL $ cyrusPop3 $ cyrusPop3SSL ))
 
 # Kerberos Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.25 NAME 'goKrbServer' SUP top AUXILIARY
-       DESC 'Kerberos server description (v2.6.1)'
+       DESC 'Kerberos server description (v2.7)'
        MUST ( cn $ goKrbRealm )
        MAY  ( description $ goKrbServerStatus ))
 
 # Fax Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.26 NAME 'goFaxServer' SUP top AUXILIARY
-       DESC 'Fax server description (v2.6.1)'
+       DESC 'Fax server description (v2.7)'
        MUST ( cn $ goFaxAdmin $ goFaxPassword )
        MAY  ( description $ goFaxServerStatus ))
 
 # Common server class
 objectclass (1.3.6.1.4.1.10098.1.2.1.27 NAME 'goServer' SUP top AUXILIARY
-       DESC 'Server description (v2.6.1)'
+       DESC 'Server description (v2.7)'
        MUST ( cn )
        MAY  ( description $ macAddress $ ipHostNumber ))
 
 # LogDB Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.28 NAME 'goLogDBServer' SUP top AUXILIARY
-       DESC 'Log DB server description (v2.6.1)'
+       DESC 'Log DB server description (v2.7)'
        MUST ( cn $ gosaLogDB $ goLogAdmin $ goLogPassword )
        MAY  ( goLogDBServerStatus ))
 
 # Fon Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.29 NAME 'goFonServer' SUP top AUXILIARY
-        DESC 'Fon server description (v2.6.1)'
+        DESC 'Fon server description (v2.7)'
         MUST ( cn $ goFonAdmin $ goFonPassword $ goFonAreaCode $ 
goFonCountryCode )
         MAY  ( description $ goFonServerStatus ))
 
 # Share Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.33 NAME 'goShareServer' SUP top AUXILIARY
-       DESC 'Share server description (v2.6.1)'
+       DESC 'Share server description (v2.7)'
        MUST ( cn )
        MAY  ( description $ goExportEntry $ goShareServerStatus ))
 
 # Mail Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.36 NAME 'goMailServer' SUP top AUXILIARY
-       DESC 'Mail server definition (v2.6.1)'
+       DESC 'Mail server definition (v2.7)'
        MUST ( cn )
        MAY  ( description $ goMailServerStatus $ postfixHeaderSizeLimit $
               postfixMailboxSizeLimit $ postfixMessageSizeLimit $
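Review bot: `goFontPath` is added to the MAY list of `goTerminalServer`, but no attributetype definition for it appears in this diff; slapd rejects an objectclass that references an undefined attribute, which would break schema loading on every server picking up this file. Confirm it is defined earlier in goserver.schema or in a schema that is always loaded before it.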
@@ -562,20 +562,20 @@
 
 # Glpi Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.37 NAME 'goGlpiServer' SUP top AUXILIARY
-       DESC 'Glpi server definition (v2.6.1)'
+       DESC 'Glpi server definition (v2.7)'
        MUST ( cn $ goGlpiAdmin $ goGlpiDatabase)
        MAY  ( description $ goGlpiPassword $ goGlpiServerStatus ) )
 
 # Spamassassin definitions
 objectclass (1.3.6.1.4.1.10098.1.2.1.38 NAME 'goSpamServer' SUP top AUXILIARY
-       DESC 'Spam server definition (v2.6.1)'
+       DESC 'Spam server definition (v2.7)'
        MUST ( cn )
        MAY  ( saRewriteHeader $ saTrustedNetworks $ saRequiredScore $ saFlags $
               saRule $ saStatus ) )
 
 # Clamav definitions
 objectclass (1.3.6.1.4.1.10098.1.2.1.39 NAME 'goVirusServer' SUP top AUXILIARY
-       DESC 'Virus server definition (v2.6.1)'
+       DESC 'Virus server definition (v2.7)'
        MUST ( cn )
        MAY  ( avMaxThreads $ avMaxDirectoryRecursions $ avUser $ avFlags $
                avArchiveMaxFileSize $ avArchiveMaxRecursion $ 
avArchiveMaxCompressionRatio $
@@ -583,12 +583,12 @@
 
 # LogDB Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.40 NAME 'gosaLogServer' SUP top AUXILIARY
-       DESC 'GOsa log server (v2.6)'
+       DESC 'GOsa log server (v2.7)'
        MUST ( cn $ goLogDB $ goLogDBUser $ goLogDBPassword ))
 
 # Environment Server
 objectclass (1.3.6.1.4.1.10098.1.2.1.41 NAME 'goEnvironmentServer' SUP top 
AUXILIARY
-       DESC 'Environment server definition (v2.6)'
+       DESC 'Environment server definition (v2.7)'
        MUST ( cn )
        MAY  ( gotoKioskProfile ) )
 
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosystem.schema 
debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosystem.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosystem.schema      
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosystem.schema      
2022-03-21 15:18:05.000000000 +0100
@@ -333,7 +333,7 @@
 
 # objectclass for Hardware definitions
 objectclass (1.3.6.1.4.1.10098.1.2.1.3 NAME 'GOhard'
-        DESC 'Gonicus Hardware definitions, objectclass (v2.6.1)' SUP top 
STRUCTURAL
+        DESC 'Gonicus Hardware definitions, objectclass (v2.7)' SUP top 
STRUCTURAL
         MUST ( cn )
         MAY ( ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
               macAddress $ ghUsbSupport $ ghMemSize $ ghCpuType $ 
ghInventoryNumber $
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto-mime.schema 
debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto-mime.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto-mime.schema     
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto-mime.schema     
2022-03-21 15:18:05.000000000 +0100
@@ -40,7 +40,7 @@
 #  E: show in external viewer
 #  O: take settings from global mime group
 #  These fields are taken as OR. Additionally you can add a
-#  Q: to ask wether a question should pop up - to save it to
+#  Q: to ask whether a question should pop up - to save it to
 #     the local disc or not.
 attributetype ( 1.3.6.1.4.1.10098.1.1.14.5 NAME 'gotoMimeLeftClickAction'
         DESC 'GOto - Gonicus Terminal Concept, PPD data'
@@ -54,7 +54,7 @@
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 SINGLE-VALUE)
 
 objectclass (1.3.6.1.4.1.10098.1.2.4.1 NAME 'gotoMimeType'
-        DESC 'Class to represent global mime types (v2.6.1)' SUP top STRUCTURAL
+        DESC 'Class to represent global mime types (v2.7)' SUP top STRUCTURAL
         MUST ( cn $ gotoMimeFilePattern $ gotoMimeGroup )
         MAY  ( description $ gotoMimeIcon $ gotoMimeApplication $
               gotoMimeEmbeddedApplication $ gotoMimeLeftClickAction ))
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto.schema 
debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto.schema  2022-02-04 
13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto.schema  2022-03-21 
15:18:05.000000000 +0100
@@ -89,32 +89,32 @@
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
 
 objectclass (1.3.6.1.4.1.10098.1.2.1.1 NAME 'gotoTerminal'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top 
AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top 
AUXILIARY
         MUST ( cn )
         MAY  ( description $ macAddress $ ipHostNumber $ gotoShare $ 
goFonHardware ))
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.30 NAME 'gotoWorkstation'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top 
AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top 
AUXILIARY
         MUST ( cn )
         MAY  ( description $ macAddress $ ipHostNumber $ gotoShare $ 
goFonHardware ))
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter'
-       DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.2)' SUP top 
STRUCTURAL
+       DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top 
STRUCTURAL
        MUST ( cn )
        MAY ( labeledURI $ description $ l $ gotoPrinterPPD $ macAddress $ 
ipHostNumber $ gotoUserPrinter $
                  gotoUserAdminPrinter $ gotoGroupPrinter $ 
gotoGroupAdminPrinter ) )
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.32 NAME 'gotoEnvironment'
-       DESC 'GOto - contains environment settings (v2.2)' SUP top AUXILIARY
+       DESC 'GOto - contains environment settings (v2.7)' SUP top AUXILIARY
        MAY ( gotoProfileServer $ gotoProfileFlags $ gotoXResolution $ 
gotoShare $ gotoLogonScript $
                  gotoKioskProfile $ gotoHotplugDevice $ gotoProfileQuota $ 
gotoHotplugDeviceDN ) )
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.34 NAME 'gotoWorkstationTemplate'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top 
AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top 
AUXILIARY
         MUST ( cn )
         MAY  ( description $ gotoShare $ goFonHardware $
               ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
@@ -131,7 +131,7 @@
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.35 NAME 'gotoTerminalTemplate'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top 
AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top 
AUXILIARY
         MUST ( cn )
         MAY  ( description $ gotoShare $ goFonHardware $
               ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
@@ -148,7 +148,7 @@
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.42 NAME 'gotoDevice'
-       DESC 'GOto - contains environment settings (v2.6)' SUP top STRUCTURAL
+       DESC 'GOto - contains environment settings (v2.7)' SUP top STRUCTURAL
        MUST ( cn )
        MAY ( gotoHotplugDevice $ description ) )
 
diff -Nru debian-edu-config-2.11.56+deb11u3/Makefile 
debian-edu-config-2.11.56+deb11u4/Makefile
--- debian-edu-config-2.11.56+deb11u3/Makefile  2022-02-04 13:18:16.000000000 
+0100
+++ debian-edu-config-2.11.56+deb11u4/Makefile  2022-03-23 12:26:34.000000000 
+0100
@@ -309,6 +309,7 @@
                share/debian-edu-config/tools/squid-update-cachedir \
                share/debian-edu-config/tools/subnet-change \
                share/debian-edu-config/tools/update-cert-dbs \
+               share/debian-edu-config/tools/update-dlw-krb5-keytabs \
                share/debian-edu-config/tools/update-firefox-homepage \
                share/debian-edu-config/tools/update-chromium-homepage \
                share/debian-edu-config/tools/update-proxy-from-wpad \
diff -Nru debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-pxeinstall 
debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-pxeinstall
--- debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-pxeinstall        
2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-pxeinstall        
2022-03-21 15:18:05.000000000 +0100
@@ -64,7 +64,7 @@
 [ "$mydesktop" ]  || mydesktop=xfce
 [ "$graphicdi" ]  || graphicdi=false
 [ "$dailydi" ]    || dailydi=false
-[ "$theme" ]      || theme="$(ls -L /etc/alternatives/desktop-theme/plymouth | 
grep script | cut -d'.' -f 1)"
+[ "$theme" ]      || theme="$(ls -L /etc/alternatives/desktop-theme/plymouth 
2>/dev/null | grep script | cut -d'.' -f 1)"
 # Not hardcoded to allow PXE installation of a main-server without a
 # proxy set
 #[ "$http_proxy" ] || http_proxy=http://webcache:3128
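Review bot: the added `2>/dev/null` only hides the error when /etc/alternatives/desktop-theme/plymouth is missing; $theme then stays empty and nothing in this hunk supplies a fallback. If an empty theme is acceptable to whatever consumes $theme later, fine; otherwise default it here (`|| theme=...`) so the generated PXE configuration never carries an empty value.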
@@ -268,7 +268,7 @@
 
 # Based upon locale, keymap and desktop values used during main-server 
installation; auto URL added.
 :$arch
-set params auto url=http://www/debian-edu-install.dat hostname=$hostname 
domain=$domain $installconfig $gtkvideo --- quiet ipappend 2
+set params auto url=http://www/debian-edu-install.dat hostname=$hostname 
domain=$domain $installconfig $gtkvideo --- quiet
 kernel /debian-installer/$arch/linux initrd=initrd.gz \${params}
 initrd /debian-installer/$arch/initrd.gz
 boot || goto failed
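Review bot: dropping `ipappend 2` is correct: it is a PXELINUX directive, and inside an iPXE `set params` it was passed verbatim on the kernel command line instead of being expanded into a BOOTIF= parameter. If debian-installer still needs to be told which NIC booted on multi-NIC clients, the iPXE equivalent is to append `BOOTIF=01-${netX/mac:hexhyp}` to params.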
diff -Nru debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-update-netblock 
debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-update-netblock
--- debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-update-netblock   
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-update-netblock   
2022-02-11 21:40:55.000000000 +0100
@@ -55,7 +55,7 @@
     modprobe ip_tables
     modprobe iptable_filter
 
-    filterfile=$(tempfile)
+    filterfile=$(mktemp)
 
     # We are the only filter firewall that should be in operation,
     # so we flush all existing rules first.  ... add others after
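Review bot: `mktemp` is a drop-in for `tempfile` here (0600 file in $TMPDIR, /tmp by default), but neither the old nor the new line removes $filterfile when the script aborts, and nothing in this hunk shows a cleanup. A `trap 'rm -f "$filterfile"' EXIT` right after the assignment would keep the generated rule set from piling up in /tmp on failed runs.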
diff -Nru debian-edu-config-2.11.56+deb11u3/sbin/update-hostname-from-ip 
debian-edu-config-2.11.56+deb11u4/sbin/update-hostname-from-ip
--- debian-edu-config-2.11.56+deb11u3/sbin/update-hostname-from-ip      
2020-01-30 17:34:29.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/sbin/update-hostname-from-ip      
2022-03-23 11:33:39.000000000 +0100
@@ -14,6 +14,10 @@
 
 DNSDOMAIN=intern
 
+### IMPORTANT: We don't want this script to fail with a non-zero exitcode.
+###            All problems should be reported as warnings, not errors.
+###            See https://bugs.debian.org/1006604 for details.
+
 log() {
     $QUIET "$2"
     logger -t update-hostname-from-ip "$1"
@@ -56,8 +60,8 @@
        echo $hostname > /etc/hostname
        log "info: changing hostname to $hostname based on $namesource"
     else
-       log "error: unable to set hostname to $hostname."
-       exit 1
+       log "warning: unable to set hostname to $hostname."
+       return -1
     fi
 }
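Review bot: `return -1` defeats the stated goal of never failing. POSIX `return` takes an unsigned decimal; dash rejects `-1` with "Illegal number" and aborts the script, and bash wraps it to status 255. Use `return 1`, and if the caller is meant to react to the failed hostname change, test the function's status there instead of relying on a negative value.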
 
@@ -108,11 +112,6 @@
 if [ "$IP" ] ; then
     HOSTNAME=$(ip2hostname $IP)
     SOURCE="reverse DNS of $IP"
-elif $USEMAC ; then
-    HOSTNAME=$(ether2hostname $MAC)
-    SOURCE="hardware MAC address"
-else
-    exit 1
 fi
 
 if $USEMAC && [ -z "$HOSTNAME" ] ; then
@@ -123,7 +122,6 @@
 if [ "$HOSTNAME" ]; then
     if $onlyprint ; then
        echo $HOSTNAME
-       exit 0
     else
         # Already got the correct host name?
         if [ "$HOSTNAME" != "$(uname -n)" ] ; then
@@ -131,7 +129,7 @@
         fi
     fi
 else
-    exit 1
+    log "warning: failed to detect (and set) hostname from IP or MAC address"
 fi
 
 exit 0
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/squid.conf 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/squid.conf
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/squid.conf        
2020-01-30 17:34:29.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/squid.conf        
2022-03-23 11:27:58.000000000 +0100
@@ -6,6 +6,11 @@
 #  - Appends .intern to hostnames without any dots in them.
 append_domain .intern
 
+# Currently, Debian Edu does not support IPv6 on the internal network
+# thus, we should try to use DNSv4 preferrably for the http proxy.
+# See https://bugs.debian.org/1006375
+dns_v4_first on
+
 # Adjust cache size to fit size of /var/spool/squid, the initial capacity value
 # is dynamically updated using
 # /usr/share/debian-edu-config/tools/squid-update-cachedir
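Review bot: `dns_v4_first on` only changes the order in which squid tries the A and AAAA answers for upstream connections; it still issues AAAA queries and will use an IPv6 address when no IPv4 answer exists. That is enough to avoid IPv6 connect timeouts to dual-stack destinations (the #1006375 case), but it is not "no IPv6", and the comment should say so. "preferrably" is a typo for "preferably".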
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/clean-up-host-keytabs
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/clean-up-host-keytabs
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/clean-up-host-keytabs
       2021-12-21 12:52:57.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/clean-up-host-keytabs
       2022-03-23 12:26:34.000000000 +0100
@@ -18,7 +18,7 @@
 # Free Software Foundation, Inc.,
 # 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
 
-# This script cleans up /etc/debian-edu/host-keytabs/. It looks into TJENER's
+# This script cleans up /var/lib/debian-edu/host-keytabs/. It looks into 
TJENER's
 # LDAP tree (objectClass=dhcpHost) and removes all keytab files (and host
 # principals) that don't have a dhcpHost object (anymore).
 #
@@ -47,12 +47,12 @@
 printf -v hosts_str -- ',,%q' "${hosts[@]}"
 hosts_str=$(echo $hosts_str | tr 'A-Z' 'a-z')
 
-for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 
's#.intern.keytab##') ; do
+for i in $(basename -a /var/lib/debian-edu/host-keytabs/* | sed 
's#.intern.keytab##') ; do
        match_value=$(echo $i | tr 'A-Z' 'a-z')
        if [[ ! "${hosts_str},," =~ ",,$match_value,," ]]; then
-               kadmin.local delprinc host/$i.intern@INTERN
-               kadmin.local delprinc nfs/$i.intern@INTERN
-               rm /etc/debian-edu/host-keytabs/$i.intern.keytab
+               kadmin.local delprinc host/$i.intern@INTERN || true
+               kadmin.local delprinc nfs/$i.intern@INTERN || true
+               rm /var/lib/debian-edu/host-keytabs/$i.intern.keytab
        fi
 done
 
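Review bot: the `|| true` on the two delprinc calls hides every kadmin.local failure (database locked, stash missing, malformed principal name), not just "principal does not exist", and the keytab is then removed regardless, which leaves a live principal behind with no keytab to match. Worse, `delprinc` without `-force` asks for yes/no confirmation on stdin, so in a non-interactive run (cron, hook) the deletion is refused and the `|| true` swallows that too. Prefer `kadmin.local -q "delprinc -force host/$i.intern@INTERN"` (same for nfs/) and only remove the keytab when both calls succeed. Also, `$(basename -a /var/lib/debian-edu/host-keytabs/* ...)` expands to a literal `*` when the directory is empty; guard with `shopt -s nullglob` or a `[ -e ]` test before the loop.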
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/copy-host-keytab
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/copy-host-keytab
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/copy-host-keytab
    2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/copy-host-keytab
    2022-03-23 12:26:34.000000000 +0100
@@ -1,4 +1,4 @@
 #!/bin/sh
 set -e
 kinit
-scp tjener:/etc/debian-edu/host-keytabs/$(hostname -s).intern.keytab 
/etc/krb5.keytab
+scp tjener:/var/lib/debian-edu/host-keytabs/$(hostname -s).intern.keytab 
/etc/krb5.keytab
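Review bot: the mode of the resulting /etc/krb5.keytab is not controlled here: scp creates a new file with the source's permission bits filtered through the local umask, and the source is whatever ktadd produced on tjener. Since this file holds the host's long-term keys, add `chmod 0600 /etc/krb5.keytab` (and `chown root:root`) after the copy instead of relying on the inherited mode. The `kinit` before the scp also implies this is run by a person with a Kerberos principal that can read tjener:/var/lib/debian-edu/host-keytabs/; that prerequisite belongs in the script header.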
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/edu-ldap-from-scratch
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/edu-ldap-from-scratch
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/edu-ldap-from-scratch
       2022-01-30 21:44:00.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/edu-ldap-from-scratch
       2022-03-21 20:42:07.000000000 +0100
@@ -53,7 +53,7 @@
 if [ -e /etc/krb5kdc/stash ] ; then
     rm /etc/krb5kdc/stash
     rm /etc/krb5.keyt*
-    rm -f /etc/debian-edu/host-keytabs/*.*
+    rm -f /var/lib/debian-edu/host-keytabs/*.*
 fi
 ldap-debian-edu-install
 # send mail to first user (initialize /var/mail/<first-user uid>);
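Review bot: this only clears the new location. On a system upgraded from 2.11.56+deb11u3, /etc/debian-edu/host-keytabs/ may still hold keytabs with the current kvno, and nothing in the visible part of this diff moves or deletes them. The rebuild path should `rm -f /etc/debian-edu/host-keytabs/*.*` as well, and the package needs a migration step (postinst or NEWS entry) so admins learn that the old directory is no longer used.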
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-create-host
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-create-host
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-create-host
    2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-create-host
    2022-03-21 20:42:07.000000000 +0100
@@ -33,7 +33,7 @@
        }
 }
 
-## lookup user and create home directory and principal:
+## lookup host and create host/<host> and nfs/<host> Krb5 principals:
 ldapsearch -xLLL 
"(&(cn=$HOSTNAME)(|(objectClass=GOHard)(|(objectClass=ipHost))))" \
            cn ipHostNumber macAddress 2>/dev/null  | perl -p00e 's/\r?\n //g' 
| \
 while read KEY VALUE ; do
@@ -49,15 +49,24 @@
                            logger -t gosa-create-host -p notice Krb5 principal 
\'host/$FQDN\' created.
                            kadmin.local -q "add_principal -policy hosts 
-randkey nfs/$FQDN"
                            logger -t gosa-create-host -p notice Krb5 principal 
\'nfs/$FQDN\' created.
-                           kadmin.local -q "ktadd -k 
/etc/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
-                           kadmin.local -q "ktadd -k 
/etc/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
+                           kadmin.local -q "ktadd -k 
/var/lib/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
+                           kadmin.local -q "ktadd -k 
/var/lib/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
                            logger -t gosa-create-host -p notice Krb5 keytab 
file for \'$FQDN\' created.
                        fi
                        ;;
        esac
 done
 
+# During creation of a host, we should ideally call update-dlw-krb5-keytabs
+# here already. However, it is not possible to add a NIS netgroup tab to a
+# GOsa² system before the system object (and the additional DNS bits) has/have
+# been created. So, calling the update-dlw-krb5-keytabs script
+# makes no sense here...
+
+# FIXME: And: it would be really helpful to have POST-action hooks available 
for
+# NIS netgroups... In case people don't edit hosts individually, but prefer
+# mass-adding hosts to the diskless-workstation-hosts NIS netgroup.
+
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
 
 exit 0
-
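Review bot: `ktadd -k .../$FQDN.keytab` appends to an existing file, so if a host is deleted and recreated under the same name while the old keytab survived (see the substring matching in gosa-remove-host), the new keytab carries entries for the stale kvno next to the new ones. update-dlw-krb5-keytabs in this same diff writes to a `.new` file and then `mv`s it into place; doing the same here (or an `rm -f` before the first ktadd) keeps host keytabs single-generation. The two FIXME comments describe a real design gap (no POST hook for netgroup edits); tracking that in a bug would make it easier to find than a comment in a hook script.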
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-modify-host
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-modify-host
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-modify-host
    2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-modify-host
    2022-03-21 20:42:07.000000000 +0100
@@ -7,11 +7,24 @@
 
 HOST="$1"
 
-kadmin.local -q "add_principal -policy hosts -randkey host/$HOST.intern"
-kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab 
host/$HOST.intern"
-kadmin.local -q "add_principal -policy hosts -randkey nfs/$HOST.intern"
-kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab 
nfs/$HOST.intern"
-logger -t gosa-modify-host -p notice Krb5 principals and keytab file for host 
\'$HOST\' created.
+# This is only for kerberizing host entries in LDAP stemming from earlier 
installations
+# of Debian Edu... Normally, host and service principals should have been 
created
+# by the gosa-host-create hook script.
+if ! LANG=C kadmin.local -q "get_principal host/$HOST.intern" 2>/dev/null  | 
grep -q "^Principal: host/$HOST.intern@.*"; then
+       kadmin.local -q "add_principal -policy hosts -randkey host/$HOST.intern"
+       kadmin.local -q "ktadd -k 
/var/lib/debian-edu/host-keytabs/$HOST.intern.keytab host/$HOST.intern"
+       logger -t gosa-modify-host -p notice Krb5 host principal 
\'host/$HOST.intern\' created and added to host-specific keytab file.
+fi
+if ! LANG=C kadmin.local -q "get_principal nfs/$HOST.intern" 2>/dev/null  | 
grep -q "^Principal: nfs/$HOST.intern@.*"; then
+       kadmin.local -q "add_principal -policy hosts -randkey nfs/$HOST.intern"
+       kadmin.local -q "ktadd -k 
/var/lib/debian-edu/host-keytabs/$HOST.intern.keytab nfs/$HOST.intern"
+       logger -t gosa-modify-host -p notice Krb5 service principal 
\'nfs/$HOST.intern\' created and added to host-specific keytab file.
+fi
+
+# call DLW keytabs' update script (delay execution for 2s because GOsa² needs
+# to write the NIS netgroup information first (this hook gets called between
+# saving the host object to LDAP, but before updating the NIS netgroup 
settings).
+( sleep 2; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@} 
1>/dev/null 2>/dev/null) &
 
 # update services:
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
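Review bot: the backgrounded `( sleep 2; ... ) &` is a timing race, not a synchronisation: if GOsa² takes longer than 2 s to write the netgroup, update-dlw-krb5-keytabs runs against the old membership and, since its stdout and stderr both go to /dev/null, the only trace is its own syslog line. If a netgroup POST hook is not available, at least log the detached run's exit status, and quote `"$@"` so host names are passed as single arguments. Also, the comment refers to a `gosa-host-create` hook, but the script in this package is gosa-create-host.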
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove 
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove 
2022-03-21 15:18:05.000000000 +0100
@@ -29,6 +29,12 @@
 
 PREFIX=/skole
 HOSTNAME=$(hostname -s)
+
+# Obviously a user template was removed. Ignoring.
+echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*/%uid" && exit 0
+
+# An LDAP user that did not have their home at a place we manage with this 
script
+# has been removed. This should not happen. Exiting with error.
 echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
 
 ## move mail directory to home directory
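Review bot: both egrep checks use unanchored, unescaped patterns. `^$PREFIX/$HOSTNAME.*$USERID` matches any path that merely contains $USERID (removing user `bob` passes for a HOMEDIR of /skole/tjener/home0/bobby), and the script then moves mail and home directories on the strength of that match. Anchor and delimit it, e.g. `grep -qE "^$PREFIX/$HOSTNAME/.*/$USERID$"`, or compare against the expected path exactly. `egrep` is also deprecated in favour of `grep -E`, and "Obviously" in the new comment reads better as "Apparently".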
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove-host
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove-host
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove-host
    2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove-host
    2022-03-23 12:26:36.000000000 +0100
@@ -6,7 +6,7 @@
 ## Make sure that malicious execution cannot hurt.
 ##
 ## This script removes the host and nfs principals for hosts removed with gosa.
-## It also removes the host specific keytab file (tjener:/etc/$fqdn.keytab).
+## It also removes the host specific keytab file 
(tjener:/var/lib/debian-edu/host-keytabs/$fqdn.keytab).
 
 
 HOST="$1"
@@ -16,7 +16,7 @@
     for i in $(kadmin.local listprincs | grep $HOST) ; do
         kadmin.local delprinc $i
     done
-    rm /etc/debian-edu/host-keytabs/$(ls -l /etc/debian-edu/host-keytabs | 
grep $HOST | awk '{print $9}')
+    rm /var/lib/debian-edu/host-keytabs/$(ls -l 
/var/lib/debian-edu/host-keytabs | grep $HOST | awk '{print $9}')
     logger -t gosa-remove-host -p notice Krb5 principals and keytab file for 
host \'$HOST\' removed.
 fi
 #
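Review bot: `kadmin.local listprincs | grep $HOST` and `ls -l ... | grep $HOST` are substring matches: removing host `pc1` deletes the host/ and nfs/ principals of pc10, pc11, pc1-lab and so on, and the `rm` then receives every matching keytab name via the `awk '{print $9}'` hack. This hunk only changed the path, but it is the right moment to fix it: `kadmin.local -q "delprinc -force host/$HOST.intern"`, the same for nfs/, and `rm -f /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab`. Whatever the guard on the enclosing `if` is, make sure an empty $HOST cannot reach these lines, because `grep ''` matches every principal in the realm.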
@@ -24,4 +24,8 @@
 # update services:
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
 
+# Call DLW keytabs' update script for cleaning up
+# the DLW krb5 keytab collection for this host
+/usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@}
+
 exit 0
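Review bot: this cleanup only works while the host is still a member of the diskless-workstation-hosts netgroup: update-dlw-krb5-keytabs accepts command-line names only if they appear in the netgroup and otherwise logs "not a diskless workstation" and does nothing. If GOsa² has already dropped the membership by the time this hook runs (or the admin removed it earlier), /var/lib/debian-edu/dlw-keytabs/$HOST.intern.keytab and its no-domain copy stay readable to the debian-edu group after the host and its principals are gone. Either let the update script honour explicit hosts for cleanup regardless of the netgroup, or `rm -f` both files directly here.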
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-sync 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-sync
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-sync   
2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-sync   
2022-02-11 21:40:55.000000000 +0100
@@ -30,7 +30,7 @@
 ## The new user password is in environment, $USERPASSWORD.
 ## Check if provided password corresponds to hash saved in ldap database:
 
-TMPFILE=$(tempfile)
+TMPFILE=$(mktemp)
 trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
 
 cat <<EOF | tr -d "\n" > "$TMPFILE"
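Review bot: the heredoc below writes the user's new password into $TMPFILE, so the file's lifetime matters more than the tempfile/mktemp swap. The trap covers ERR and three signals but not EXIT, so on the normal path the file is only gone if a later `rm` runs; add EXIT to the list (`trap 'rm -f "$TMPFILE"' EXIT HUP INT TERM`) so the password never outlives the script. mktemp's 0600 default is what keeps it private in the meantime.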
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/list-gosa-systems
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/list-gosa-systems
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/list-gosa-systems
   2022-01-07 07:41:34.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/list-gosa-systems
   1970-01-01 01:00:00.000000000 +0100
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-set -e
-
-# Copyright (C) 2017 Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-# FIXME: MAKE THIS MORE GENERIC BEFORE PUSHING!!!!
-
-ldapsearch -xLLL "(&(cn=*)(|(objectClass=ipHost)(objectClass=GOHard)))" \
-    cn ipHostNumber macAddress description 2>/dev/null | perl -p0e 's/\n //g' 
| \
-while read KEY VALUE ; do
-       case "$KEY" in
-               dn:)
-                       HOSTNAME= ; IP= ; MAC= ; DESC= ; DN=${VALUE}
-                       OU=$(echo $DN | sed -r -e 
's/cn=[^,]+,ou=[^,]+,ou=[^,]+,ou=([^,]+),.*/\1/' | sed -r -e 
's/cn=[^,]+,ou=[^,]+,ou=[^,]+,dc=.*/Servers/g')
-               ;;
-               cn:) HOSTNAME="${VALUE}";;
-               ipHostNumber:) IP="${VALUE}";;
-               macAddress:) MAC="${VALUE}";;
-               description:) DESC="${VALUE}";;
-               "")
-                       if [ -n "$DESC" ]; then DESC="\"${DESC}\""; fi
-                       echo "${OU},${HOSTNAME},${IP},${MAC},${DESC}"
-               ;;
-       esac
-done
-
-exit 0
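Review bot: removing a shipped tool is a user-visible change for a stable update; make sure d/changelog names list-gosa-systems explicitly and that nothing else in the package or in the Debian Edu documentation invokes it. The script's own "MAKE THIS MORE GENERIC BEFORE PUSHING" FIXME is a fair rationale for dropping it.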
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-freeradius-server
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-freeradius-server
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-freeradius-server
     2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-freeradius-server
     2022-03-21 15:18:05.000000000 +0100
@@ -28,7 +28,7 @@
 fi
 
 # Check execute permission.
-if [ ! -d $DIRNAME ] && [ $(id -u) > 0 ]; then
+if [ ! -d $DIRNAME ] && [ $(id -u) -gt 0 ]; then
        echo "Please run $0 as root or use sudo, exiting."
        exit 0
 fi
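Review bot: good catch: `[ $(id -u) > 0 ]` was a redirection, so the old test was always true and created a file named `0` in the current directory. Now that the comparison works, the refusal should also be a failure: `exit 0` after "Please run $0 as root" lets any wrapper believe setup succeeded; use `exit 1`. Quote `"$DIRNAME"` while touching the line.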
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-roaming 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-roaming
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-roaming   
    2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-roaming   
    2022-03-21 15:18:05.000000000 +0100
@@ -13,7 +13,7 @@
 apt-get install -y host ldap-utils
 
 apt-get install -y libpam-mklocaluser
-apt-get install -y libpam-sss libnss-sss
+apt-get install -y libpam-sss libnss-sss libsss-sudo
 
 # Make sure the NSS module refered below always is installed
 apt-get install -y libnss-myhostname libnss-mdns libnss-ldapd
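Review bot: installing libsss-sudo on its own does not change sudo behaviour; sudo only consults SSSD when /etc/nsswitch.conf has `sudoers: files sss` and sssd.conf enables the sudo responder (`services = ..., sudo` plus the sudo provider settings for the LDAP domain). If setup-roaming configures those elsewhere, fine; if not, this line is a no-op. Once it is active, sudo rules come from sudoRole entries in LDAP, so write access to that subtree becomes privilege-escalation relevant and the ACLs on it should be reviewed together with this change.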
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-dlw-krb5-keytabs
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-dlw-krb5-keytabs
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-dlw-krb5-keytabs
     1970-01-01 01:00:00.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-dlw-krb5-keytabs
     2022-03-21 15:18:05.000000000 +0100
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+set -e
+
+# Copyright (C) 2016 by Mike Gabriel <mike.gabr...@it-zukunft-schule.de>
+
+# This script is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This script updates the krb5 host keytabs for a list of given hosts
+# in /var/lib/debian-edu/dlw-keytabs for all hosts that are members
+# in the NIS netgroup 'diskless-workstation-hosts'.
+#
+# The host keytab files are stored with read permissions for the
+# debian-edu system user.
+#
+# In a diskless workstation chroot (aka LTSP fat client), make sure
+# that the diskless system can copy over its own host keytab file
+# via
+#
+#     scp 
debian-edu@tjener.intern:/var/lib/debian-edu/dlw-keytabs/$HOSTNAME.keytab 
/etc/krb5.keytab
+#
+# This line can be put into /etc/rc.local, for exmample. SSH private
+# and public key files need to be in place correctly to make this
+# work.
+#
+# This provides the possibility to use NFSv4 and Kerberos krb5i
+# authentication from a diskless machine against the NFS server
+# on the Debian Edu mainserver.
+
+DOMAIN="intern"
+
+SPECIAL_USER="debian-edu"
+SPECIAL_GROUP="${SPECIAL_USER}"
+
+DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
+
+# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
+nscd -i netgroup
+DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E 
"\.${DOMAIN}$")
+
+# Do some sanity checks...
+if [ "$(id -u)" != "0" ]; then
+       echo "ERROR: This script must be run as super-user root"
+       exit 1
+elif ! getent passwd ${SPECIALUSER} 1>/dev/null; then
+       echo "ERROR: This script requires the debian-edu system user account"
+       exit 1
+elif ! getent group ${SPECIAL_GROUP} 1>/dev/null; then
+       echo "ERROR: This script requires the debian-edu system group"
+       exit 1
+elif [ -z "${DLW_HOSTS_NETGROUP}" ]; then
+
+       # FIXME: differentiate between diskless-workstation-hosts not present 
or empty!
+
+       echo "NOTICE: NIS netgroup 'diskless-workstation-hosts' not found. 
Nothing to do."
+       exit 0
+fi
+
+DLW_HOSTS=""
+
+# obtain DLW_HOSTS from NIS Netgroup or from the command line
+if [ -z "${1}" ]; then
+       DLW_HOSTS="${DLW_HOSTS_NETGROUP}"
+else
+       logger -t update-dlw-krb5-keytabs -p notice "Called with command line: 
${@}"
+
+       while [ -n "${1}" ]; do
+               if echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}.${DOMAIN}"; then
+                       DLW_HOSTS="${DLW_HOSTS} ${1}.${DOMAIN}"
+               else
+                       echo "WARNING: Host ${1} not a diskless workstation"
+                       logger -t update-dlw-krb5-keytabs -p warning "Host 
'${1}' is not a diskless workstation."
+               fi
+               shift
+       done
+fi
+
+mkdir -p "${DLW_KRB5_KEYTABS_DIR}"
+chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTABS_DIR}"
+chmod 0710 "${DLW_KRB5_KEYTABS_DIR}"
+
+for dlw_host in ${DLW_HOSTS}; do
+
+       DLW_KRB5_KEYTAB="${DLW_KRB5_KEYTABS_DIR}/${dlw_host}.keytab"
+
+       host_found="false"
+       ldap_cn=$(echo ${dlw_host} | cut -d"." -f1)
+
+       ldap_host=""
+
+       while read KEY VALUE; do
+               case "$KEY" in
+                       dn:)
+                               ldap_host=""
+                               ;;
+                       cn:)
+                               ldap_host="$VALUE"
+                               if [ "${ldap_host}.${DOMAIN}" = "${dlw_host}" 
]; then
+                                       host_found="true"
+                               else
+                                       continue
+                               fi
+
+                               if LANG=C kadmin.local -q "get_principal 
host/${dlw_host}" 2>/dev/null  | grep -q "^Principal: host/${dlw_host}@.*" &&
+                                  LANG=C kadmin.local -q "get_principal 
nfs/${dlw_host}" 2>/dev/null  | grep -q "^Principal: nfs/${dlw_host}@.*" ; then
+
+                                       kadmin.local -q "ktadd -k 
${DLW_KRB5_KEYTAB}.new host/${dlw_host}"
+                                       kadmin.local -q "ktadd -k 
${DLW_KRB5_KEYTAB}.new nfs/${dlw_host}"
+
+                                       chown "root:${SPECIAL_USER}" 
"${DLW_KRB5_KEYTAB}.new"
+                                       chmod 0640 "${DLW_KRB5_KEYTAB}.new"
+                                       mv -v "${DLW_KRB5_KEYTAB}.new" 
"${DLW_KRB5_KEYTAB}"
+                                       cp -av "${DLW_KRB5_KEYTAB}" 
"${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+                               else
+                                       echo "WARNING: Diskless workstation 
'${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) 
principal in the Kerberos database."
+                                       logger -t update-dlw-krb5-keytabs -p 
warning "Diskless workstation '${dlw_host}' is missing a host 
(host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos 
database."
+                               fi
+                               break
+                               ;;
+                       *)
+                               ;;
+               esac
+       done <<< `ldapsearch -xLLL 
"(&(cn=$ldap_cn)(|(objectClass=GOHard)(objectClass=ipHost)))" cn 2>/dev/null | 
perl -p00e 's/\r?\n //g'`
+
+       if [ "$host_found" != "true" ]; then
+
+               # if we land here, three things might have happened:
+               #
+               #   1. this script is called from gosa-remove-host (and we need 
to clean up the keytab file)
+               #   2. this script has been called with a wrong hostname (one 
that does not exist in LDAP)
+               #   3. this script has found a DLW entry in NIS netgroup 
'diskless-workstation-hosts' that
+               #      does not exist in LDAP (any more). Manual tidying up is 
required in that case.
+
+               if [ -f "${DLW_KRB5_KEYTAB}" ]; then
+                       logger -t update-dlw-krb5-keytabs -p info "Cleaning up 
DLW keytab file of host '${dlw_host}'."
+                       rm -v "${DLW_KRB5_KEYTAB}"
+                       rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+               elif [ -f "${DLW_KRB5_KEYTAB/.${DOMAIN}/}" ]; then
+                       logger -t update-dlw-krb5-keytabs -p info "Cleaning up 
leftover DLW keytab file of host '${dlw_host}' (without domain part)."
+                       rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+               else
+
+                       echo "WARNING: Hostname '${dlw_host}' listed in NIS 
netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian 
Edu LDAP."
+                       logger -t update-dlw-krb5-keytabs -p warning "Hostname 
'${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not 
found as a host entry in Debian Edu LDAP."
+
+               fi
+
+       fi
+
+done
+
+# FIXME: count updated files / hosts
+logger -t update-dlw-krb5-keytabs -p notice "Diskless workstation Krb5 keytab 
files updated."
+
+exit 0
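Review bot: the user sanity check is broken by a typo: `getent passwd ${SPECIALUSER}` (no underscore) expands to `getent passwd` with no key, which dumps the whole passwd database and succeeds, so the "requires the debian-edu system user" branch can never fire and a missing user only surfaces later as a `chown` failure under `set -e`. It should read `${SPECIAL_USER}`. Three further points. (1) `echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}.${DOMAIN}"` is an unanchored substring match with `.` as a wildcard, so `pc1` is accepted when only `pc10.intern` is in the netgroup and a keytab is then generated for a non-member; use `echo "${DLW_HOSTS_NETGROUP}" | grep -qxF "${1}.${DOMAIN}"`. (2) The keytabs are 0640 root:debian-edu and the header tells every diskless chroot to fetch its own file as the debian-edu user over ssh; that is one shared credential in the LTSP image that can read every DLW host's host/ and nfs/ keys, so compromising one diskless client yields the host keys of all of them. State that trust boundary in the header and, if possible, narrow it (for example a forced command that only serves the keytab matching the connecting address). (3) `ktadd -k ${DLW_KRB5_KEYTAB}.new` appends, so `rm -f` the `.new` file before the two ktadd calls to avoid stacking entries from an interrupted run; and `nscd -i netgroup` runs before the root check, so with `set -e` the script would abort there when nscd is not running.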
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-proxy-from-wpad
 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-proxy-from-wpad
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-proxy-from-wpad
      2022-02-04 13:18:16.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-proxy-from-wpad
      2022-03-23 12:26:34.000000000 +0100
@@ -9,11 +9,11 @@
     logger -t update-proxy-from-wpad "$@"
 }
 
-error() {
-    if [ -t 1 ] ; then # Only print errors when stdout is a tty
-       echo "error: $@"
+warning() {
+    if [ -t 1 ] ; then # Only print warnings when stdout is a tty
+       echo "warning: $@" 1>/dev/stderr
     fi
-    logger -t update-proxy-from-wpad "error: $@"
+    logger -t update-proxy-from-wpad "warning: $@"
 }
 
 append_if_missing() {
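Review bot: `1>/dev/stderr` should be `>&2`: /dev/stderr is a Linux convenience that fails when fd 2 points at something that cannot be re-opened by path, while `>&2` duplicates the descriptor portably. Also, since the function was renamed from error to warning, any remaining `error ...` call sites in this file would now hit command-not-found; make sure every caller was updated.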
@@ -27,6 +27,18 @@
     fi
 }
 
+remove_if_matches() {
+    file="$1"
+    shift
+    regexp="$@"
+    if [ -e "$file" ] ; then
+       if grep -qE "$regexp" "$file" ; then
+           log "Removing line matching '$regexp' from $file."
+           sed -i $file -e "/$regexp/d"
+       fi
+    fi
+}
+
 # Update /etc/environment with the current proxy settings extracted
 # from the WPAD file
 update_etc_environment() {
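Review bot: remove_if_matches tests with `grep -qE` (ERE) but deletes with plain `sed` (BRE), so a pattern using `+`, `?`, `|` or `()` would match in grep and then silently fail to delete in sed. Use `sed -E -i -e "/$regexp/d" "$file"`, and quote `"$file"`. The regexp is also embedded unescaped between sed's `/` delimiters; the callers below only pass `::`-style patterns, so it works today, but a `/` in a future pattern breaks it.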
@@ -54,7 +66,7 @@
 # /etc/apt/apt.conf is created by debian-installer if a proxy was used
 # during installation, so we update this file.
 update_apt_conf() {
-    file=/etc/apt/apt.conf
+    file=/etc/apt/apt.conf.d/03debian-edu-config
     touch $file
     chmod a+r $file
     sed -e "s%^Acquire::http::Proxy .*%Acquire::http::Proxy \"$http_proxy\";%" 
\
@@ -71,7 +83,17 @@
     fi
     append_if_missing $file "Acquire::http::Proxy \"$http_proxy\";"
     append_if_missing $file "Acquire::ftp::Proxy \"$ftp_proxy\";"
-    append_if_missing $file "Acquire::ftp::Proxy \"$https_proxy\";"
+    append_if_missing $file "Acquire::https::Proxy \"$https_proxy\";"
+
+    # Fix main /etc/apt/apt.conf file (which we used until Debian Edu 
bullseye).
+    #
+    # FIXME: This code portion can be removed in the bookworm+1 release cycle
+    previously_used_file=/etc/apt/apt.conf
+    if [ -e $previously_used_file ]; then
+       remove_if_matches $previously_used_file ".*Acquire::http::Proxy\ .*;"
+       remove_if_matches $previously_used_file ".*Acquire::ftp::Proxy\ .*;"
+       remove_if_matches $previously_used_file ".*Acquire::https::Proxy\ .*;"
+    fi
 }
 
 if [ -r /etc/debian-edu/config ] ; then
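Review bot: right call on the ordering: apt reads /etc/apt/apt.conf.d/* first and /etc/apt/apt.conf last, so a leftover Acquire::http::Proxy line in apt.conf would silently win over the new 03debian-edu-config drop-in; the removal is necessary, not cosmetic. The hunk also fixes the old typo where the https proxy was written as a second `Acquire::ftp::Proxy`. One caveat: the patterns delete any `Acquire::*::Proxy` line in apt.conf, including ones an admin added by hand, so say so in the changelog or NEWS.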
@@ -81,9 +103,14 @@
 # Make sure to fetch the wpad file without proxy settings, to behave
 # like browsers who need to get their proxy settings without using a
 # proxy.
-http_proxy=
+http_proxy=$(/usr/share/debian-edu-config/tools/wpad-extract 2>/dev/null || 
true)
+
+if [ -z "$http_proxy" ]; then
+
+       warning "Failed to extract proxy host from WPAD data. Not configuring 
proxy usage."
+
+else
 
-. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null || exit 1
 ftp_proxy=$http_proxy
 https_proxy=$http_proxy
 
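Review bot: the comment above still says the WPAD file must be fetched without a proxy, but the new line no longer does that: `http_proxy=$(.../wpad-extract ...)` runs wpad-extract with whatever http_proxy is already in the environment (the substitution happens before the assignment), whereas the old code cleared http_proxy first. Unless wpad-extract unsets it internally, write `http_proxy=$(http_proxy= /usr/share/debian-edu-config/tools/wpad-extract 2>/dev/null || true)` to keep the original behaviour. The `|| true` plus the `-z` check is a nicer failure path than the old `exit 1`.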
@@ -96,3 +123,4 @@
 else
     update_etc_environment
 fi
+fi
diff -Nru 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/wpad-extract 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/wpad-extract
--- 
debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/wpad-extract    
    2020-01-30 17:34:29.000000000 +0100
+++ 
debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/wpad-extract    
    2022-03-23 11:36:06.000000000 +0100
@@ -13,8 +13,7 @@
             -u http://130.89.148.14 | awk '{print $2}' | cut -d';' -f1)
 
 if [ "$proxy_url" ]; then
-    http_proxy=http://$proxy_url
-    echo http_proxy=$http_proxy
+       echo "http://$proxy_url";
 else
-    return 1
+       exit 1
 fi
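Review bot: now that the script prints a URL that callers write into /etc/environment and apt.conf.d, the value deserves a sanity check before it is emitted: $proxy_url comes straight out of a PAC file discovered via WPAD (DHCP/DNS, unauthenticated) and the awk/cut parse above accepts anything, so a rogue WPAD answer or a malformed PAC would land verbatim in files that the shell and apt read. A check such as `echo "$proxy_url" | grep -qE '^[A-Za-z0-9.-]+:[0-9]{1,5}$' || exit 1` before the echo limits the damage to a bad host:port. The `return 1` to `exit 1` change is required now that the script is executed rather than sourced; the stray `;` after the echo is harmless.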
diff -Nru debian-edu-config-2.11.56+deb11u3/testsuite/postoffice 
debian-edu-config-2.11.56+deb11u4/testsuite/postoffice
--- debian-edu-config-2.11.56+deb11u3/testsuite/postoffice      2022-02-04 
13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/testsuite/postoffice      2022-02-11 
21:40:55.000000000 +0100
@@ -42,7 +42,7 @@
 
 EOF
 
-tmpfile=$(tempfile)
+tmpfile=$(mktemp)
 smtpserver=postoffice.intern
 if swaks --to postmaster@postoffice.intern --server $smtpserver > $tmpfile; 
then
     echo "success: $0: SMTP to $smtpserver worked, email to postmaster sent."
diff -Nru debian-edu-config-2.11.56+deb11u3/testsuite/webcache 
debian-edu-config-2.11.56+deb11u4/testsuite/webcache
--- debian-edu-config-2.11.56+deb11u3/testsuite/webcache        2020-01-30 
17:34:29.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/testsuite/webcache        2022-03-23 
11:36:06.000000000 +0100
@@ -69,8 +69,8 @@
     # Subshell to avoid leaking http_proxy and ftp_proxy variables to
     # the rest of this script
     (
-       . /usr/share/debian-edu-config/tools/wpad-extract >/dev/null
-       if [ "$http_proxy" ] ; then
+       http_proxy=$(/usr/share/debian-edu-config/tools/wpad-extract 
2>/dev/null || true)
+       if [ -n "$http_proxy" ] ; then
            echo "success: $0: WPAD file '$url' includes HTTP proxy info."
        else
            echo "error: $0: WPAD file '$url' is missing HTTP proxy info. 
(#644373?)"
