Re: NFS4 and Kerberos interrest and our diskless RW AUFS overlaid root

[Pavel Pisa]

Dear Mike,

I have noticed that you work on switching to NFS4+krb5 for homes
on school workstations. I am very interrested to switch to similar
for our university labs setup. We use Debian servers and diskless
workstations in our setups.

I would be very happy if you document your setup when you have
it working. The description from Mike Gabriel is the best
cookbook I have seen till now for this. I have been looking
for keyrings notices for years already but there has been
no simple specification how to use these and what level of integration
with distribution and mainline is reached.

I would be extremely happy if we could use single export of all homes
and protect access form individual client machines by logged in user
credential.

By the coincidence I have prepared some documentation for our
local GNU/Linux/open-source conference InstallFest
 about diskless boot
with readonly root and RW AUFS overlays which works quite well
for us but the secured user level access control to homes is missing
in our setup. May it be, something from my slides could
be reused by you

http://cmp.felk.cvut.cz/~pisa/linux/diskless/diskless_dce_slides.pdf

the configuration in form of patchseries for demonstration
(not our main production) server

http://cmp.felk.cvut.cz/~pisa/linux/diskless/

Thanks for possible more information about your setup and experience
in advance.

Best wishes,

Pavel Pisa
e-mail: p...@cmp.felk.cvut.cz
www:http://cmp.felk.cvut.cz/~pisa
university: http://dce.fel.cvut.cz/



-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201103080209.40254.p...@cmp.felk.cvut.cz

File krb5.conf not configured right if it is a pxe installed workstation.

[Andreas Schockenhoff]

Hi,

kinit called as root says: kinit Cannot contact KDC for realm 'INTERN'
while getting initial credentials. 

File krb5.conf not configured right if I make a pxe installation of a
Workstation. If I install from DVD the Workstation works fine.

[libdefaults]
allow_weak_crypto = true   # must be added 
default_realm = INTERN
[realms] 
# must be added
INTERN ={
kdc = kerberos.intern
admin_server = kerberos.intern
}
# end must be added

regards Andreas


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1299535440.2718.8.camel@i965GMx-IF

GOsa-SI in Debian

[Mike Gabriel]

Dear GOsa package maintainers,

as I discovered lately, there is a Debian RFP for gosa-si still open:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534303

Is there a reason why gosa-si has not yet been included in Debian?

As GOsa has recently been chosen as _the_ LDAP administration frontend  
in Debian Edu / Skolelinux, the gosa-si package would be of deep  
interest to Debian Edu. Maybe not for Debian Edu squeeze, but  
definitely for Debian Edu wheezy.


If noone is yet working on that package, I will start working on it in  
the near future, but I will need a sponsor for that. Preferably there  
is a sponsor in the gosa packaging team, but if not, Holger Levsen  
from Debian Edu has also offered support with that.


I will be grateful if someone of the gosa packaging team could comment  
on this issue.


Thanks a lot,
Mike Gabriel

--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb


pgpiZBKj5BUiK.pgp
Description: Digitale PGP-Unterschrift

Re: isc-dhcp-relay instead of isc-dhcp-server on terminal-servers?

[Mike Gabriel]

Hi Andi,

On Mo 07 Mär 2011 09:57:43 CET "Andreas B. Mundt" wrote:


Hi all,

while working on the DHCP-setup I accidentally met the
isc-dhcp-relay package which can be used to relay DHCP requests. For
example, we could use it instead of running dhcp-servers on the
terminal-servers.

Is there a reason we don't use the relay method but stand-alone
dhcp-servers? (Tjener needs to be accessible in both cases,
because the configuration is fetched from tjener's ldap anyway).
An advantage of the relay method: You don't need to start several
dhcp-servers after modifications to the configuration.

In a quick test it looks like isc-dhcp-relay works fine. Any
opinions/experiences about that?


It sounds like a seemingly good idea to me, but I do not know about  
consequences and caveats...


Greets,
Mike


--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

pgpkqULb12ktT.pgp
Description: Digitale PGP-Unterschrift

automatic partition

[mo mo]

Hello,

I just test skole6-a1 and see, that you still use ext3 as a standard 
filesystem. I would ask you, that you switch to ext4 please, because it 
uninit_bg in the standard-configuration which speeds up filesystem-checks.
Filesystem-checks on the main-server profile with big partitions can be 
/really/ lengthy, so that would be a real improvement.

thank you

mo

  

Re: ldap: ou=group versus ou=groups

[Holger Levsen]

Hi,

last mail in my debian-edu@ backlog :)

On Dienstag, 15. Februar 2011, Mike Gabriel wrote:
> Anyway, GOsa has its own way of structuring LDAP (that's why GOsa in
> Skolelinux requires an LDAP-migration tool that is customized for the old
> lwat-based LDAP-DIT. My suggestion is to handle LDAP-stuff like GOsa
> proposes it. LDAP DIT has to be changed for GOsa anyway (part of the
> discussion in Zweibrücken), thus I recommend using the standard GOsa way
> (where the department ous are optional and should not be configured with
> standard Skolelinux, also part of the discussion in the Distro).

This sounds sensible to me, as it does sound sensible to use ou=groups if all 
the others use plural to me.

But, I would recommend to keep ou=group for now and do one of the above 
changes for wheezy instead. Shall we open a bug to track this?


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.

Bug#613553: migrate users to debian-edu squeeze (was: Re: ldap: ou=group versus ou=groups)

[Holger Levsen]

just a forward from 
http://lists.debian.org/<20110218204927.GA28750@flashgordon>

On Freitag, 18. Februar 2011, Andreas B. Mundt wrote:
> Hi,
>
> On Tue, Feb 15, 2011 at 11:18:05PM +0100, Christian Kuelker wrote:
> > On 02/15/2011 07:31 PM, Andreas B. Mundt wrote:
> > > I think the best way to do the migration is completely independent of
> > > all changes I proposed:
> > >
> > > * Prepare a list (csv) of all user for every category you use:
> > >   students, teachers, etc.
> >
> > Yes? At some schools the default database are indeed an external
> > one. There this might be possible.
> >
> > However, for universities or large companies - where the users
> > seldom change and large changes can be seen in LDAP, I always used
> > the LDAP database as authoritative choice.
>
> Sure, but it should be not too complicated to create a list of all
> users from ldap.
>
> > Are you really suggesting to build a CSV file from a LDAP server to
> > re-import that? Which LDAP attributes should be considered for the
> > CVS file?
>
> The simplest one is:
>
> UID, GIVENNAME, SURNAME, PASSWD
>
> one line per user. (You may create a random password for the last
> column, print the list on paper, cut strips and hand every strip to
> the corresponding user for the first login).
>
> Now with this list, you use the LDAP-manager in GOsa. You are free to
> add other attributes and you are able to choose which column has which
> meaning. In addition, choose or prepare a template. The data is
> applied to that template when imported.
>
> > > * Prepare a (GOsa-) template for each category.
> >
> > Could you elaborate more on this?
>
> A template in GOsa is a predefined 'user' which defines attributes
> that are the same for all users. Currently there is a student and a
> teacher template. They differ in group membership. To add a student,
> the only thing you have to do is add his given- and family name. The
> uid is created (you can use %name etc. variables to fill some
> attributes currently for the uid
> idGenerator="{%givenName[3-6]}{%sn[3-6]}"  is used. Common attributes
> for all users of one category (like default shell) are taken from the
> template.
>
> > > * Mass-create all users from the lists. For each category use the
> > >   corresponding template.
>
> Yes, that's it. Shouldn't be too much hassle.
>
> Best regards,
>
> Andi




signature.asc
Description: This is a digitally signed message part.

Bug#613214: marked as done (use libpam-krb5 for uidNumbers greater than 10000 only (as opposed to the default > 1000))

[Debian Bug Tracking System]

Your message dated Mon, 7 Mar 2011 14:35:50 +0100
with message-id <201103071435.51304.hol...@layer-acht.org>
and subject line Re: Bug#613214: use libpam-krb5 for uidNumbers greater than 
1 only (as opposed to the default > 1000)
has caused the Debian Bug report #613214,
regarding use libpam-krb5 for uidNumbers greater than 1 only (as opposed to 
the default > 1000)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
613214: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613214
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: debian-edu-config
Version: 1.446~svn72930
Severity: minor
Tags: squeeze


For integration of Kerberos5 libpam-krb5 needs to be tweaked in
a way that it will only apply krb5 pam rules to uidNumbers greater than
1 (presuming that LDAP users on the Tjener start with 1).

The current libpam-krb5 package hard-codes uidNumber = 1000 in

  /usr/share/pam-configs/krb5

The tweak probably has to be applied via a cfengine script. However, there
exists an optional ActiveDirectory integration for Debian Edu which hacks the
/etc/pam.d/common-* files. Thus, fixing this issue should try to be compliant
with the changes performed by

   
/share/debian-edu-config/tools/debian-edu-winbind




-- System Information:
Debian Release: 6.0
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages debian-edu-config depends on:
ii  base-files   6.0 Debian base system  
miscellaneous f
ii  bind9-host [host]1:9.7.2.dfsg.P3-1.1 Version of 'host' bundled  
with BIN
ii  cfengine22.2.10-2Tool for configuring and  
maintaini
ii  debconf [debconf-2.0 1.5.36.1Debian configuration  
management sy

ii  debconf-utils1.5.36.1debconf utilities
ii  debian-edu-artwork   0.0.32-2Debian Edu themes and artwork
ii  desktop-profiles 1.4.15+nmu1 framework for setting up  
desktop p

ii  discover 2.1.2-5 hardware identification system
ii  education-tasks  0.852~svn72130  Debian Edu tasks for tasksel
ii  fping2.4b2-to-ipv6-16.1  sends ICMP ECHO_REQUEST  
packets to

ii  host 1:9.7.2.dfsg.P3-1.1 Transitional package
ii  ldap-utils   2.4.23-7OpenLDAP utilities
ii  libconfig-inifiles-p 2.52-1  Read .ini-style  
configuration file
ii  libfilesys-df-perl   0.92-3+b1   Module to obtain  
filesystem disk s

ii  libhtml-fromtext-per 2.05-5.1Mark up text as HTML
ii  libio-socket-ssl-per 1.33-1+squeeze1 Perl module implementing  
object or
ii  libjavascript-perl   1.16-3  module for executing  
embedded Java

ii  libnet-ldap-perl 1:0.4001-2  client interface to LDAP servers
ii  libnet-netmask-perl  1.9015-4parse, manipulate and  
lookup IP ne

ii  libterm-readkey-perl 2.30-4  A perl module for simple terminal
ii  libtext-unaccent-per 1.08-1+b1   provides functions to  
remove accen
ii  lsb-base 3.2-23.2squeeze1Linux Standard Base 3.2  
init scrip
ii  mime-support 3.48-1  MIME files 'mime.types' &  
'mailcap

ii  net-tools1.60-23 The NET-3 networking toolkit
ii  ng-utils 0.7-1   Tool to access netgroups from the
ii  openssl  0.9.8o-4Secure Socket Layer (SSL)  
binary a

ii  patch2.6-2   Apply a diff file to an original
ii  python-notify0.1.1-2+b2  Python bindings for libnotify
ii  ssl-cert 1.0.28  simple debconf wrapper  
for OpenSSL
ii  tftp 0.17-18 Trivial file transfer  
protocol cli


Versions of packages debian-edu-config recommends:
ii  ddccontrol 0.4.2-6   a program to control  
monitor param
ii  libnotify-bin  0.5.0-2   sends desktop  
notifications to a n

ii  lsof   4.81.dfsg.1-1 List open files
ii  memtest86+ 4.10-1.1  thorough real-mode memory tester
ii  resolvconf 1.46  name server information handler
ii  syslinux   2:4.02+dfsg-7 collection of boot loaders

Versions of packages debian-edu-config suggests:
ii  atftpd  0.7.dfsg-9.1 advanced TFTP server

-- debconf information:
  debian-edu-config/kdc-password: (password omitted)
  debian-edu-config/kd

Re: Wanting to help the Debian-Edu project

[Holger Levsen]

Hi Michael,

welcome to Debian-Edu!

On Donnerstag, 3. März 2011, Michael Blum wrote:
> I have subscribed to the debian-edu list, but I wanted to introduce
> myself and my situation, and find out where I can best help out the
> Debian Edu project.

Yay!

> I am interested in helping the Debian-Edu project in whatever way I
> can.  I am a teacher, currently teaching both English Literature and
> 20th Century World History at a bilingual school in southern Mexico.  I
> have recently been introduced to Linux and the Debian distribution in
> particular and I absolutely love what I have found.  I am working at a
> school which is in the early stages of building up its program and I am
> trying to help them set up a network, running on Debian, for use as a
> computer laboratory.  Because we have limited staff, I have volunteered
> to learn whatever sysadmin stuff needed to maintain the network.  The
> Debian Edu project seems like just the kind of thing I was looking to
> put on our machines.  I would also like to help the project out if I can.

Very nice!

> I am a recreational programmer who is still in the process of learning.
> I know some Python as well as the web-related HTML, CSS, and PHP, but I
> do not think I am good enough at coding at this point to help out on the
> developing side of the project, although I am willing to learn whatever
> languages necessary to help out in that area eventually.  Currently I
> may only be able to help in the website, documentation, and testing
> areas.  I am a native English speaker from the US as well as being a
> high school English teacher, so my English skills are excellent and I
> could help with anything related to English or proof-reading.  I also
> know a bit about website programming (HTML, CSS, some PHP), so I may
> also be able to help the website team.  I also have multiple machines
> and would volunteer some time to testing Debian-Edu for bugs or other
> issues.  If there are other ways in which I could be of help which I
> haven't thought of please let me know.
>
> Please let me know what I can do to start helping the Debian Edu project.

So, first of all, I have full quoted your mail for the benefit of Gunnar and 
Rafael, who I've put in cc:

Gunnar is a long time Debian developer located in Mexico City, he can probably 
give you some useful pointers about mexican Debian communities. Rafael is 
based in El Salvador and currently translating our manual to spanish. I'm 
sure he'd welcome help. He will also know a lot more about Debian Edu in 
Latin America! :-)

The english version of the manual can be found at 
http://wiki.debian.org/DebianEdu/Documentation/Squeeze - translated versions 
are available in /usr/share/doc/debian-edu-doc*/ after installing the 
debian-edu-doc-* packages.

As you are a native English speaker, even an high school English teacher, you 
could probably help *a lot* by reading this manual and fixing the worst en_DE 
or en_NO wordings (english as written by a German or Norwegian person. other 
english variants can be found as well...)

If you do want to do so, just get an wiki account and start improving. :-)

Translating it is described in that very manual - you should read that manual 
anyway, as its a good starter.

But then, the manual is sadly currently incomplete, as we just moved to a new 
LDAP administration tool, gosa, which is not fully described in the "Getting 
Started" chapter of that manual... 

This is because we are still busy on finishing our Squeeze release, which 
status we track on http://wiki.debian.org/DebianEdu/Status/Squeeze 
This URL I consider the second most important URL for Debian Edu at the 
moment. It describes the status of our Squeeze release (oh yeah!) as well as 
means to test and what to test.

If you could help with testing and reporting things back, that would also help 
tremendously!

You already found the third ressource I'd have to mention, which is our 
mailing list. :-)

About our website, www.skolelinux.org: it's made with joomla and afaik the 
webteam is mostly lacking content and translations, though of course, there 
are always technical things to fix/add as well. 
http://wiki.debian.org/DebianEdu/WWW/ToDo is the best intro I could quickly 
find.


So much from me for now, please dont hesitate to ask more stuff! Have fun with 
Debian Edu! 


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.

Re: How to fill Action Button for DHCP with live for Debian-Edu.

[Holger Levsen]

Hi,

On Freitag, 4. März 2011, Mike Gabriel wrote:
> is the gosa-si daemon installed? I am not sure about wake-on-lan etc., but
> I guess that you need the daemon in the background to get this
> functionality up and running.
>
> So, basically: is gosa-si installed and running on Tjener? I suppose not
> (damn!!!):
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534303
>
> So we have a little issue here...

Yeah, but just a little. :-) Wake-on-lan is really nice to have, but I wouldnt 
hold our squeeze release for it. And as the gosa-si package is not even 
available I would suggest to leave this feature out for squeeze, release 
squeeze, and then work on this and much more for wheezy.

> @Jonas, Holger and other DD: couldn't one of you grab the above named RFP?
>
> So that GOsa SI at least enters Debian. What is the best strategy to handle
> this. I am also willing to adapt packages and upload them via a sponsor...

The bug is an "request for packaging" bug, so do as requested: prepare the 
package, upload it to mentors.debian.net, find a sponsor. Best approach would 
probably to join the gosa maintainers and maintain it with them together.

I'm happy to help with that, but would prefer if we concentrate on getting our 
Squeeze release first. Which doesnt mean work for wheezy should not at all be 
done now, just maybe with lower priorities.


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.

isc-dhcp-relay instead of isc-dhcp-server on terminal-servers?

[Andreas B. Mundt]

Hi all,

while working on the DHCP-setup I accidentally met the
isc-dhcp-relay package which can be used to relay DHCP requests. For
example, we could use it instead of running dhcp-servers on the
terminal-servers. 

Is there a reason we don't use the relay method but stand-alone
dhcp-servers? (Tjener needs to be accessible in both cases, 
because the configuration is fetched from tjener's ldap anyway). 
An advantage of the relay method: You don't need to start several
dhcp-servers after modifications to the configuration.

In a quick test it looks like isc-dhcp-relay works fine. Any
opinions/experiences about that?  

Best regards,

 Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110307085743.GA10786@flashgordon

debian-edu-config_1.446~svn73127_amd64.changes ACCEPTED

[Skolelinux archive Installer]

Accepted:
debian-edu-config_1.446~svn73127.dsc
  to pool/local/d/debian-edu-config/debian-edu-config_1.446~svn73127.dsc
debian-edu-config_1.446~svn73127.tar.gz
  to pool/local/d/debian-edu-config/debian-edu-config_1.446~svn73127.tar.gz
debian-edu-config_1.446~svn73127_all.deb
  to pool/local/d/debian-edu-config/debian-edu-config_1.446~svn73127_all.deb


Override entries for your package:
debian-edu-config_1.446~svn73127.dsc - extra local/misc
debian-edu-config_1.446~svn73127_all.deb - extra local/misc

Announcing to comm...@skolelinux.org


Thank you for your contribution to Debian-Edu/Skolelinux archive.


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1pwvmn-0002kc...@administrator.skolelinux.no