Your Bugzilla buglist needs attention.

2011-01-09 Thread drift
[This e-mail has been automatically generated.]

You have one or more bugs assigned to you in the Bugzilla bug tracking system
(http://bugs.skolelinux.org/) that require attention.

All of these bugs are in the NEW or REOPENED state, and have not been
touched in 7 days or more.
You need to take a look at them, and decide on an initial action.

Generally, this means one of three things:

(1) You decide this bug is really quick to deal with (like, it's INVALID),
and so you get rid of it immediately.
(2) You decide the bug doesn't belong to you, and you reassign it to
someone else. (Hint: if you don't know who to reassign it to, make
sure that the Component field seems reasonable, and then use the
"Reassign bug to default assignee of selected component" option.)
(3) You decide the bug belongs to you, but you can't solve it this moment.
Just use the "Accept bug" command.

To get a list of all NEW/REOPENED bugs, you can use this URL (bookmark
it if you like!):
http://bugs.skolelinux.org/buglist.cgi?bug_status=NEW&bug_status=REOPENED&assigned_to=debian-...@lists.debian.org

Or, you can use the general query page, at 
http://bugs.skolelinux.org/query.cgi

Appended below are the individual URLs to get to all of your NEW bugs
that haven't been touched for a week or more.

You will get this message once a day until you've dealt with these bugs!

 installer ignores mirror/http/proxy preseeding
-> http://bugs.skolelinux.org/show_bug.cgi?id=1458
 ignores mirror/http/hostname preseed
-> http://bugs.skolelinux.org/show_bug.cgi?id=1459


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1pcals-0005ti...@maintainer.skolelinux.no



Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

2011-01-09 Thread Mike Gabriel

Hi Klaus, hi Andi,

On Sun 09 Jan 2011 22:04:46 CET Klaus Knopper wrote:

> > 2) We drop powerDNS and give bind a try. This means merely installing
> > bind instead of powerDNS, appending a line to a configuration file and
> > touching another one [1]. Regarding the simplicity, it could also be
> > considered as an intermediate solution until we have something else.
>
> I strongly support this option. IMHO, DNS data just does not belong into
> LDAP. Bind is optimized to distribute DNS data with the most efficiency
> and reliability, and "PowerDNS" may just add an additional layer of
> abstraction that can introduce unwanted side effects like the one you
> observed.
>
> Btw, what was the reason to choose PowerDNS in Skolelinux as default,
> anyways? Just to "have everything in LDAP"? There was surely a
> discussion about this that I have missed.


for small customers I sometimes extract /etc/hosts files and  
dyndnsmasq configurations from LDAP via cron. (I am not throwing  
another dns service in the race, I am just pronouncing the benefits of  
LDAP2FILE syncs for DNS).


As DNS is a vital functionality (esp. with Kerberos) and LDAP _can_  
fail in production sometimes I think it very wise to have DNS based on  
files (and not on an available slapd service).


However, with a regular or hook-based ldap->bind9-sync (i.e. after  
modifications of the info stored in LDAP), one must make sure,  
that---in case slapd is offline or dysfunctional---the system does not  
end up with an empty bind9 DNS-zone configuration...


Greets,
Mike




--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0x1943CA5B
mail: m.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
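
The failure mode raised in the message above (an LDAP-to-bind9 sync that runs while slapd is down and leaves bind9 with an empty zone), as an added example that is not code from the thread or from ldap2zone: a shell guard that validates a freshly dumped zone file and only then renames it over the live one. The function names, the two thresholds and the sample zone are assumptions constructed for illustration.

```sh
#!/bin/sh
# Guard for an LDAP -> bind9 zone sync (added example). It never talks to
# slapd: it only judges the candidate file that the dump step produced.
MIN_RECORDS=${MIN_RECORDS:-3}         # assumed floor for a usable zone
MAX_SHRINK_PCT=${MAX_SHRINK_PCT:-50}  # assumed: reject if more than this share vanished

# Count resource records, ignoring comments, the SOA and directives.
zone_record_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    sed 's/;.*//' "$1" |
        grep -E -c '(^|[[:space:]])(A|AAAA|CNAME|PTR|MX|SRV|TXT|NS)[[:space:]]' || true
}

# $1 = zone name, $2 = candidate file, $3 = file bind currently serves.
zone_is_sane() {
    zone=$1; new=$2; live=$3
    [ -s "$new" ] || { echo "reject: candidate missing or empty" >&2; return 1; }
    for rr in SOA NS; do
        sed 's/;.*//' "$new" | grep -E -q "[[:space:]]${rr}[[:space:]]" ||
            { echo "reject: no $rr record" >&2; return 1; }
    done
    new_n=$(zone_record_count "$new")
    [ "$new_n" -ge "$MIN_RECORDS" ] ||
        { echo "reject: only $new_n records" >&2; return 1; }
    if [ -s "$live" ]; then
        old_n=$(zone_record_count "$live")
        # The candidate must keep at least (100 - MAX_SHRINK_PCT)% of the old records.
        [ $((new_n * 100)) -ge $((old_n * (100 - MAX_SHRINK_PCT))) ] ||
            { echo "reject: shrank from $old_n to $new_n records" >&2; return 1; }
    fi
    # Let bind's own parser have the last word when it is installed.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$new" ||
            { echo "reject: named-checkzone failed" >&2; return 1; }
    fi
    return 0
}

# Swap the candidate in with a rename (atomic when both paths are on one
# filesystem), or keep serving the old zone and park the candidate.
install_zone() {
    if zone_is_sane "$1" "$2" "$3"; then
        mv -f "$2" "$3" && echo installed    # follow with e.g.: rndc reload "$1"
    else
        mv -f "$2" "$3.rejected" 2>/dev/null || true
        echo kept-old
        return 1
    fi
}

# Constructed sample: a small forward zone using host names from the thread.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@        IN SOA   tjener.intern. postmaster.intern. ( 2011010901 3600 900 604800 3600 )
@        IN NS    tjener.intern.
tjener   IN A     10.0.2.2
ldap     IN A     10.0.2.2
kerberos IN A     10.0.2.2
www      IN CNAME tjener
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_zone "$tmp/db.intern"
    : > "$tmp/db.intern.new"     # what the dump looks like with slapd down
    install_zone intern "$tmp/db.intern.new" "$tmp/db.intern" || true
    rm -rf "$tmp"
fi
```

The dump step has to write to a separate candidate path next to the live zone file for this to help; a tool that writes straight into the live file has already done the damage before any check runs.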




Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

2011-01-09 Thread Mike Gabriel

Hi Andi,

On Sun 09 Jan 2011 21:54:30 CET "Andreas B. Mundt" wrote:

> 2) We drop powerDNS and give bind a try. This means merely installing
> bind instead of powerDNS, appending a line to a configuration file and
> touching another one [1]. Regarding the simplicity, it could also be
> considered as an intermediate solution until we have something else.

As I consider bind to be rock stable (personal experience) and very
reliable (I use it as proxy as well as production domain name service)
there is a

+1 from me

The simplicity of the change necessary you described speaks for itself...

Mike




--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0x1943CA5B
mail: m.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb




Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

2011-01-09 Thread Petter Reinholdtsen
[Andreas B. Mundt]
> So I conclude, that the current DNS setup, as a mixture of ldap
> objects prepared for bind with extra attributes to make powerDNS
> (sort of) work, is broken.

It is not quite as you expect it to be, but I would not go as far as
claiming it is broken.  It was broken and the installation failed
completely (DNS failed to look up any info in LDAP) after you replaced
the original powerdns tree with the gosa dns setup tree, but as you
have noticed, I adjusted the gosa tree to get it to work again with
powerdns.

The issues with the current setup are that there is an unused reverse
map in LDAP, and because we need several A records to point to
10.0.2.2 and we use powerdns in strict mode, we get several PTR
records from 10.0.2.2 pointing to the names we need A records for.
Nothing really serious so far, but the Kerberos requirements might
make these a bit more problematic.

> In addition, there is absolutely no use of GOsa with regard to DNS,
> as modifications are not accepted by GOsa with the added powerDNS
> attributes.

Unless we add our own gosa module (or adjust the existing module) for
updating DNS with the two extra attributes.  Should not be too hard.
I had a look at the source, and suspect it should be possible to get
working in a day or two.  Have not been able to find the two spare
days so far, but hope someone will in time for squeeze.

> With such a system, it's extremely hard to stay motivated, because
> you waste your time fixing things that are "known not to work
> properly" instead of really being able to test new things.

Yes, but I managed to stay motivated anyway, even if you broke the
installation by inserting a DNS LDAP tree that did not work with the
packages we install.  I hope you will manage the same, and keep up
your good work while testing changes and ensuring that the
installation keeps working.

> I propose three choices: 
> 
> 1) We move powerDNS to its own tree (as before) and switch off the
> "systems"-stuff in GOsa. This means we don't have a GUI to make
> changes, but hopefully a working DNS again that doesn't block all
> other activities. 
> 
> 2) We drop powerDNS and give bind a try. This means merely installing
> bind instead of powerDNS, appending a line to a configuration file and
> touching another one [1]. Regarding the simplicity, it could also be
> considered as an intermediate solution until we have something else. 

Both these options have their own set of problems, and I would rather
see work done on this option:

> 3) Someone has time and volunteers to cooperate with Alejandro
> (<http://lists.debian.org/debian-edu/2010/12/msg00117.html>) to
> implement powerDNS in GOsa properly. This should happen soon, because
> the current broken system only leads to frustration.

Part of the reason we went with powerdns is that it fetches
information directly from LDAP, so changes done to LDAP take effect
immediately.  A reason we moved the DNS from files to LDAP is to allow
dynamic updates of DNS information without having to edit other
packages' conffiles, to ease upgrades and stay within the Debian policy
requirements.  It is also the DNS server used by the Extremadura
installation, and we believe their claims that powerdns scales better.
They have >80 000 clients using powerdns.  The reason I switched
powerdns to strict mode was to make it easier to change the IP range
used.  We used the non-strict mode earlier, with separate forward and
reverse entries in LDAP.

The script /usr/share/debian-edu-config/tools/subnet-change in
debian-edu-config handles this transformation (changing the subnet)
already, but there are a few files in /etc/ left to edit and more
testing to be done before it is complete.  Also, I started to suspect
it would be better to adjust this during installation by adding a
filter to the LDAP loading process, and thus am unsure if the design
is the correct one.

I believe we should ensure that all of these features are kept when we
consider our DNS setup.  The bind setup uses regular dumps from LDAP
to files, thus adding a delay from when DNS changes are done in LDAP
until they show up in DNS.  It also makes it a lot more complex to change
the subnet used as both forward and reverse maps need to be rewritten, and
rewriting the reverse maps requires moving LDAP subtrees to different
names.

As for NFS4 and Kerberos, we do not really want to authenticate hosts,
we want to authenticate users, to ensure home directory mounting also
works on the stateless diskless clients.  If we can't get this working,
we might have to look at other solutions for home directory mounting,
as we can't really drop the diskless workstation feature. :/

Happy hacking,
-- 
Petter Reinholdtsen





Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

2011-01-09 Thread Klaus Knopper
On Sun, Jan 09, 2011 at 09:54:30PM +0100, Andreas B. Mundt wrote:
> concerning the strange results which I accused to multiple A-records,
> I found something new. I started to doubt our powerdns setup and
> modifying it in ldap got annoying, so I switched on to bind instead[1].  
>  
> After that, asking for DNS lookups changed. PowerDNS:
> 
> r...@tjener:~# host 10.0.2.2
> 2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
> 2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
> 2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
> 2.2.0.10.in-addr.arpa domain name pointer domain.intern.
> 2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
> 2.2.0.10.in-addr.arpa domain name pointer syslog.intern.
> 
> With bind:
> 
> r...@workstation01:~# host 10.0.2.2
> 2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
> r...@workstation01:~# host ldap
> ldap.intern has address 10.0.2.2
> r...@workstation01:~# host www
> www.intern is an alias for tjener.intern.
> tjener.intern has address 10.0.2.2
> 
> As you see, ldap is an A-record as before (I double checked in
> /etc/bind/db.intern), however host 10.0.2.2 is resolved to only
> tjener. So I conclude, that the current DNS setup, as a mixture of ldap
> objects prepared for bind with extra attributes to make powerDNS (sort
> of) work, is broken. In addition, there is absolutely no use of GOsa
> with regard to DNS, as modifications are not accepted by GOsa with the
> added powerDNS attributes. 
> 
> With such a system, it's extremely hard to stay motivated, because you
> waste your time fixing things that are "known not to work properly"
> instead of really being able to test new things.
> 
> I propose three choices: 
> 
> 1) We move powerDNS to its own tree (as before) and switch off the
> "systems"-stuff in GOsa. This means we don't have a GUI to make
> changes, but hopefully a working DNS again that doesn't block all
> other activities. 
> 
> 2) We drop powerDNS and give bind a try. This means merely installing
> bind instead of powerDNS, appending a line to a configuration file and
> touching another one [1]. Regarding the simplicity, it could also be
> considered as an intermediate solution until we have something else. 

I strongly support this option. IMHO, DNS data just does not belong into
LDAP. Bind is optimized to distribute DNS data with the most efficiency
and reliability, and "PowerDNS" may just add an additional layer of
abstraction that can introduce unwanted side effects like the one you
observed. 

Btw, what was the reason to choose PowerDNS in Skolelinux as default,
anyways? Just to "have everything in LDAP"? There was surely a
discussion about this that I have missed. 

> 3) Someone has time and volunteers to cooperate with Alejandro
> (<http://lists.debian.org/debian-edu/2010/12/msg00117.html>) to
> implement powerDNS in GOsa properly. This should happen soon, because
> the current broken system only leads to frustration.
> 
> So please comment on the issue. I think we should have other problems
> than wasting time getting adventurous powerDNS/bind combinations
> running, and the current situation is not acceptable.  

/me agrees

Regards
-Klaus





DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

2011-01-09 Thread Andreas B. Mundt
Hi again,

concerning the strange results which I accused to multiple A-records,
I found something new. I started to doubt our powerdns setup and
modifying it in ldap got annoying, so I switched on to bind instead[1].  
 
After that, asking for DNS lookups changed. PowerDNS:

r...@tjener:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.

With bind:

r...@workstation01:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
r...@workstation01:~# host ldap
ldap.intern has address 10.0.2.2
r...@workstation01:~# host www
www.intern is an alias for tjener.intern.
tjener.intern has address 10.0.2.2

As you see, ldap is an A-record as before (I double checked in
/etc/bind/db.intern), however host 10.0.2.2 is resolved to only
tjener. So I conclude, that the current DNS setup, as a mixture of ldap
objects prepared for bind with extra attributes to make powerDNS (sort
of) work, is broken. In addition, there is absolutely no use of GOsa
with regard to DNS, as modifications are not accepted by GOsa with the
added powerDNS attributes. 

With such a system, it's extremely hard to stay motivated, because you
waste your time fixing things that are "known not to work properly"
instead of really being able to test new things.

I propose three choices: 

1) We move powerDNS to its own tree (as before) and switch off the
"systems"-stuff in GOsa. This means we don't have a GUI to make
changes, but hopefully a working DNS again that doesn't block all
other activities. 

2) We drop powerDNS and give bind a try. This means merely installing
bind instead of powerDNS, appending a line to a configuration file and
touching another one [1]. Regarding the simplicity, it could also be
considered as an intermediate solution until we have something else. 

3) Someone has time and volunteers to cooperate with Alejandro
(<http://lists.debian.org/debian-edu/2010/12/msg00117.html>) to
implement powerDNS in GOsa properly. This should happen soon, because
the current broken system only leads to frustration.

So please comment on the issue. I think we should have other problems
than wasting time getting adventurous powerDNS/bind combinations
running, and the current situation is not acceptable.  

Best regards,

 Andi



[1] It's almost nothing that has to be done to use bind with the
current setup:

aptitude install bind9
aptitude install ldap2zone

# bind configuration:
echo 'include "/etc/bind/named.conf.ldap2zone";' >> /etc/bind/named.conf.local
touch /etc/bind/named.conf.ldap2zone
ldap2bind

# check if anything makes sense:
less /etc/bind/db.intern
less /etc/bind/db.2.0.10.in-addr.arpa.



If anything is fine, switch off pdns (in /etc/default):

--- a/default/pdns-recursor
+++ b/default/pdns-recursor
@@ -1,5 +1,5 @@
 # Variables for PowerDNS recursor
 #
 # Set START to yes to start the pdns-recursor
-START=yes
+START=no
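
Review bot: the hunk header "@@ -1,5 +1,5 @@" announces five lines on each side, but only four are present (three comment lines and the START line), so this hunk will not apply as posted; include the missing context line or correct the counts. Separately, going by the comment "Set START to yes to start the pdns-recursor", START=no only keeps the recursor from being started next time, so the instructions should also say to stop the instance that is already running.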

--- a/default/pdns
+++ b/default/pdns
@@ -1,5 +1,5 @@
# Variables for PowerDNS
#
# Whether you want to start PowerDNS automatically.
-START=yes
+START=no
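
Review bot: the three context lines of this hunk ("# Variables for PowerDNS" through "# Whether you want to start PowerDNS automatically.") have lost their leading space, and unified-diff context lines must start with one, so the hunk is malformed as posted; the header also claims five lines per side while four are present. Re-send the diff with whitespace preserved (for example as an attachment), and, as with the recursor, mention that a running pdns has to be stopped in addition to setting START=no.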

http://lists.debian.org/debian-edu/2010/10/msg00209.html 
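
The two `host 10.0.2.2` answers in this message, turned into a check (an added example, not part of the original post): it extracts the PTR targets and lists the service principals that would have to exist if a client canonicalises the server name through the PTR answer, which is an assumption about client behaviour. The function names are hypothetical; the sample answers are copied from the output above with the prompt lines left out.

```sh
#!/bin/sh
# Sample input: the PowerDNS (strict mode) answer quoted in the thread.
pdns_answer() {
    cat <<'EOF'
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.
EOF
}

# Sample input: the bind answer quoted in the thread.
bind_answer() {
    cat <<'EOF'
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
EOF
}

# stdin: output of `host <ip>`; stdout: PTR targets without the trailing dot.
ptr_targets() {
    awk '$2 == "domain" && $3 == "name" && $4 == "pointer" {
             sub(/\.$/, "", $5); print $5
         }'
}

# stdin: output of `host <ip>`.
# Prints "none", "unique <name>" or "ambiguous <count>".
reverse_status() {
    targets=$(ptr_targets | sort -u)
    n=$(printf '%s\n' "$targets" | grep -c . || true)
    case $n in
        0) echo none ;;
        1) echo "unique $targets" ;;
        *) echo "ambiguous $n" ;;
    esac
}

# $1 = service name (e.g. nfs); stdin: output of `host <ip>`.
# One principal per PTR target: any of them may be the name a client ends
# up with, so each would need a key on the server.
candidate_principals() {
    ptr_targets | sort -u | sed "s|^|$1/|"
}

if [ "${1:-}" = "--demo" ]; then
    echo "powerdns: $(pdns_answer | reverse_status)"
    pdns_answer | candidate_principals nfs
    echo "bind:     $(bind_answer | reverse_status)"
    bind_answer | candidate_principals nfs
fi
```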





Re: Testing changes to Debian Edu SVN

2011-01-09 Thread RalfGesellensetter
On Sunday, 9 January 2011, Andreas B. Mundt wrote:
> What I do is rsyncing the DVD image. This happens usually in an
> acceptable time frame. 

cf. http://wiki.debian.org/DebianEdu/Download and

http://wiki.skolelinux.de/Lenny/DownLoad





Developer meeting & conference Skolelinux-RLP in Zweibrücken/Germany 10-13.02.2011

2011-01-09 Thread Klaus Knopper
Hello all,

Here comes the official invitation. :-)

This international developer meeting & conference is for us
(http://rp.skolelinux.de/) the final big event at the end of the 3 year
period in which we developed extensions, customization and installation
help as requested by our schools for Skolelinux in
Rheinland-Pfalz/Germany. Within these 3 years, the project goals,
prerequisites and participants have changed somewhat, many parts were
rewritten from scratch when we switched from etch to lenny, and some
plans had to be replaced by others.

Kurt Gramlich from Skolelinux-DE has already set up an overview page at
http://wiki.debian.org/DebianEdu/Zweibruecken2011, and the preliminary
conference program is now also available in an English translation at
http://wiki.debian.org/DebianEdu/Zweibruecken2011/Programm

As you can see in the schedule, on Day 2 (Friday), we give an overview
of the entire system for teachers and application managers of schools in
Rheinland-Pfalz, which will primarily be held in German language, but it
is also possible to conduct workshops in separate rooms during these
seminars. WLAN and LAN internet access is available to registered
participants.

Especially important to me personally are the sessions on Saturday,
where we would like to discuss further cooperation and coordination of
development between Skolelinux-RLP and Skolelinux/international. Of
course we would like to keep our developments available to the community
beyond our project's official runtime, even if some of them may not be
possible to get integrated into DebianEdu directly, as was already
discussed on this list. It would be nice if some of the core people of
DebianEdu, not necessarily only developers, could find the time to
attend the meeting for some brainstorming about how we can keep the good
work up in both directions, local and international development.

We have existing-but-limited funding for supporting
flight&accommodation. Please register at the Wiki and let us know when
you will arrive, and if you need help with your travel.

With kind regards
-Klaus Knopper





Developer Meeting in Zweibrücken // Re: LINBO & italc-rlp integration (Re: Gosa vs. CipUX)

2011-01-09 Thread RalfGesellensetter
Hi Klaus, hello everybody,

happy new year to you all!

On Friday, 7 January 2011, Klaus Knopper wrote:
> Me, too. It would be great if some people who have the power to make it
> happen, could attend our developer meeting in February in
> Zweibrücken/Germany. More about this later.

I take this as a preliminary invitation - although I won't make it there.
As far as I can see, there is a wiki page to sign in:

http://wiki.debian.org/DebianEdu/Zweibruecken2011

The program needs translation (and to be integrated into the wiki page).

Please tell me if you need a hand with translation.

Kind regards
Ralf





LINBO and Debian Edu / Skolelinux (Re: LINBO & italc-rlp integration (Re: Gosa vs. CipUX)

2011-01-09 Thread Holger Levsen
Hi,

a requirement to use LINBO in Debian Edu is that LINBO is in Debian. Something 
which builds 20 MB binary packages out of 1.2 GB sources will very very 
probably never be in Debian, so until this has changed, this aspect of the 
discussion is kind of useless ;-)
(Never say never though.)

Also, I think (and I have been dealing with such and other installers
since >10 years) that image installers are technically inferior. Keeping
them up2date is a lot of work which cannot really be automated, so it's
also error prone. But foremost the biggest problem is that no one really
knows what's inside an image and how it was done.

And, we already have two installation systems in place: first, the normal d-i 
installer, with or without PXE, can be extended quite heavily with 
preseeding. Second, we have Gosa² and FAI. 

FAI is a package+script based installer so each installation is done from 
source, not from images, so changes are easy to do and redo (and thus to 
reproduce and change). 

Also a single machine installation from scratch (as FAI does) is not much
slower than deploying a ready made image: i.e. in 2007 a 2.6 GHz system with
2600 MB software was installed in 15min, installing 20 such systems only took
17min in total!
An image installer might be faster for a single machine installation, but I
bet (based on experience + knowing what's going on on the network...!) that
it's slower for 20 installations in parallel. I'd like to get real numbers on
this though ;)
(I've got plenty of numbers on FAI installation speed, none on Linbo though.)

Gosa² allows to group machines into different FAI classes and supports 
installation _and updating_ existing machines.

And, FAI+Gosa² are available in Debian already.


cheers,
Holger




Re: italc-rlp integration into Skolelinux (was: Re: LINBO & italc-rlp integration (Re: Gosa vs. CipUX))

2011-01-09 Thread Holger Levsen
Hi Patrick,

On Saturday, 8 January 2011, Patrick Winnertz wrote:
> A new italc version 1.0.13 is waiting for an upload as soon as squeeze is
> released. An upload before makes no sense. Squeeze has to live with the
> older version 1.0.9.

great to hear that you're still working on italc! As Jonas said, I think an 
upload to experimental now would be a good thing :-)

Another question: do you plan to support italc in squeeze-backports?


cheers,
Holger




Re: LINBO integration into Skolelinux (was Re: LINBO & italc-rlp integration (Re: Gosa vs. CipUX))

2011-01-09 Thread Holger Levsen
Hi,

On Sunday, 9 January 2011, Christian Kuelker wrote:
> As far as I understood Alioth is dedicated to Debian specific
> software and packaging. Is Linbo Debian specific?
>
> @Holger: did the policy change?

I never heard about that policy (so I don't know if and when it changed) and
Tux4Kids has been hosted on tux4kids.alioth.debian.org for several years, incl.
windows and macos builds.

The policy is described on the URL I gave in this thread.


cheers,
Holger




Re: Testing changes to Debian Edu SVN

2011-01-09 Thread Andreas B. Mundt
Hi,

On Sun, Jan 09, 2011 at 12:15:34AM +0100, Mike Gabriel wrote:
> I have a question about testing Debian Edu squeeze, esp. changes to
> Debian Edu SVN that concern the installation process of Debian Edu.
> 
> Currently, if I want to test changes to Debian Edu, esp. the
> installation process, I have to download another daily built ISO
> (4.4G or 600M for the NETINST image) and re-install my system. This
> feels rather archaic... Is there a smarter way?
> 
> Hints and ideas are very welcome,
> Mike
> 

What I do is rsyncing the DVD image. This happens usually in an
acceptable time frame. 

However, the installation of a Workstation (especially with LTSP)
takes another couple of hours. Sooner or later we should perhaps think
about ways to reduce that, absolutely.
(<http://lists.debian.org/debian-edu/2010/12/msg00139.html>)

Perhaps providing a base version without any educational packages as
install option? 

Another really good thing for testing: With the command:
etckeeper vcs diff
You can figure out what you changed when modifying the system (but no
ldap entries etc. of course).  

Cheers,

Andi
 





Re: NFS4 and Kerberos

2011-01-09 Thread Philipp Huebner
On 08/01/11 23:41, Mike Gabriel wrote:
> On Sat 08 Jan 2011 01:22:35 CET "Andreas B. Mundt" wrote:
>
>>> > Do you have access to a debian-edu setup? Maybe if you want to take a
>>> > look, try a virtual setup with virt-manager + KVM (rsync the DVD image):
>>> > <http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall>
>>> > You need about a 25GiB image for Tjener+LTSPserver.
> 
> Here is what I will do next:
[...]

Sounds good, just one hint from me (maybe you already know it):

http://www.kerberos-walkthrough.de/

Regards,
-- 
 .''`.   Philipp Huebner 
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225  3DF9 E5CA 8C49 25E4 205F
`. `'`   HP: http://www.debalance.de, Skype: philipp-huebner
  `- ICQ: 235-524-440, Jabber: der_scha...@jabber.org





Re: NFS4 and Kerberos (next steps)

2011-01-09 Thread Andreas B. Mundt
Hi Mike,

On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
[...]
> Here is what I will do next:
> 
> 1)
> 
>   o I have a Debian server setup in the cloud for my "company" with a
>     working NFSv4+Kerberos server setup
>   o I have installed a Debian SID in the cloud today that I will integrate as
>     NFSv4 client with sec=krb5p
>   o I will document all steps needed, this would be pure Debian then...

OK.
 
> 2)
> 
>   o I will install a squeeze TJENER and a squeeze Debian Edu client and I will
>     take a look at the NFSv4+Kerberos setup in particular
>   o I will test the already present NFSv4 and Kerberos stuff (not for all
>     services, only for the core stuff: PAM, libnss, autofs, ...)
>   o I will try to manually configure the steps needed for finishing what might
>     be missing and document those.
>   o I will also post aspects that I would approach differently

Great!

> Concerning NFSv4+Krb5 I would like to focus on the basic service
> level for now and I will add test modifications to LDAP by hand. If
> the needed fixes and modifications or extensions and the workflow
> during installation starts crystallizing out I think then we should
> take a look at Gosa and maybe CipUX integration.
> 
> Does this make sense? Any other suggestions/recommendations/preferences?
 
That's fantastic news! Let me just add what I did so far to give
you another idea of the status here:

I played a bit with the system yesterday. Besides the committed changes
I tested the kerberized services ldap (ldapwhoami -Y GSSAPI), exim and
dovecot (by sending/receiving mail). They still seem to work, at least
on tjener itself: I got a ldap/tjener.intern, smtp/tjener.intern and
imap/tjener.intern service ticket. I was also able to mount the NFS4
share with krb5p enabled (by adding "tjener:/ /mnt nfs4 user,sec=krb5p
0 0" to fstab and doing the usual manual mount as unprivileged user). 
Great stuff: The directory is mounted (service no ticket yet), but as
soon as I access it, the nfs/tjener.intern ticket is there :).

After that, I thought about how to improve adding machines in GOsa, it would
be good to find the MAC of new machines automatically. This is
implemented in gosa-si (with a service daemon (?)), but we do not have
that in Debian yet. However, the sitesummary program also collects
information about the machines in the net
(see /var/lib/sitesummary/entries/), and perhaps it's possible to use
that (I guess with gosa-si there is a ou=incomming in ldap which can
be used, but if we want to do something like that perhaps let's better
ask the GOsa people how it is intended to work.)

Ok. I'm just installing a workstation to check if things work there
too. 

Happy testing,
best regards,

 Andi

