Re: making listed maintainers match reality
Hi Holger,

On Sat, Aug 06, 2016 at 11:03:45AM +, Holger Levsen wrote:
>
> I believe it's useful to have the maintainers/uploaders field of our
> packages match reality, that is, to only list people who are active
> on Debian Edu or plan to become active again.
>
> So I'm wondering, Andreas, Alexander and Andrew: do you still want to be
> listed as Debian Edu maintainers? ;-)

Indeed, maybe some time I'll become more active again, but not in the
near future. So please remove me from the maintainers/uploaders field
at the next occasion.

Thanks and best regards,

Andi
Re: UCS School (Link to German page)
Hi,

On Thu, Jun 23, 2016 at 08:26:12AM +0200, Andreas Tille wrote:
> I've just read this article about UCS@school
>
> http://www.pro-linux.de/news/1/23680/ucsschool-41-r2-freigegeben.html
>
> Is there any relation to Debian Edu work and if not why not or should we
> cooperate to some extent?

AFAICT this is just the standard Univention domain controller with some
school administration stuff added. GNU/Linux clients (as, for example,
the Univention Corporate Client UCC) are only partially supported [1] by
this solution and not first class citizens. Focus is clearly on the
UCS server with Windows clients, not on supporting Free Software as the
client OS.

Regards,

Andi

[1] from http://docs.software-univention.de/ucsschool-handbuch.html

"The following restrictions apply to the integration of UCC in
UCS@school: Integrating UCC desktop systems into UCS@school requires
the use of Samba 4 on the UCS@school school server. The UCC systems
must be installed with the official desktop image (or an equivalent,
self-created image). UCC thin client systems and UCC terminal servers
are not supported in combination with UCS@school. The presentation mode
implemented via iTALC and the supervision of systems via the UMC module
Computerraum (computer room) are currently not supported for UCC
systems. The printer shares integrated via CUPS do not support all
combinations of access permissions. Sharing all printers via the
Computerraum module therefore has no effect on UCC systems. The class
test mode of UCS@school is not supported on UCC systems."
Re: Again netgroup problems
Hi,

On Sun, Jul 05, 2015 at 11:40:36AM +0200, Giorgio Pioda wrote:
> I can confirm a boot race condition (IIRC somebody talked six months ago about
> autofs/systemd issues in this mailing list)
>
> Restarting manually the services in the (more or less correct) order on
> tjener:
>
> 1) nscd & nslcd
> 2) nfs-common nfs-kernel
> 3) autofs
>
> Fixes WS login
>
> I guess some careful upstream check is really needed

Perhaps https://bugs.debian.org/759544? It's probably still an issue
in stable.

Regards,

Andi

-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150705102800.GA3314@flashgordon
Re: Bug#771106: unblock: krb5/1.12.1+dfsg-15
Hi Holger!

On Thu, Nov 27, 2014 at 08:05:54PM +0100, Holger Levsen wrote:
> (are you still subscribed to the list?)

Sure! (Although sometimes a bit flooded by mails ...)

> On Thursday, 27 November 2014, Andreas B. Mundt wrote:
> > The issue at hand is discussed in #758992 and #769710. With the
> > unblock, both bugs should be fixed in jessie and things should work
> > fine.
>
> ok, cool.
>
> > However, #732263 could make it necessary to create certificates for
> > dovecot in debian-edu/-lan by scripts soon ...
>
> ok, hopefully we'll notice or remember!

I hope debian-edu and -lan are allowed to sneak in some necessary last
minute fixes ... cf. #771586

Best regards,

Andi
-- 
currently sucked down a bit by the cold and misty November/December days

Archive: https://lists.debian.org/20141201201608.GA17315@flashgordon
Re: Bug#771106: unblock: krb5/1.12.1+dfsg-15
Hi,

On Wed, Nov 26, 2014 at 09:21:22PM +0100, Holger Levsen wrote:
>
> On Wednesday, 26 November 2014, Benjamin Kaduk wrote:
> > Please unblock package krb5
> >
> > systemd does not respect insserv overrides (see #759001) and does
> > not plan to do so, since they appear to be used by only two packages
> > in the archive, one of which is debian-edu-config.
>
> is this something we should fix? we use systemd by default now

The issue at hand is discussed in #758992 and #769710. With the
unblock, both bugs should be fixed in jessie and things should work
fine.

However, #732263 could make it necessary to create certificates for
dovecot in debian-edu/-lan by scripts soon ...

Best regards,

Andi

Archive: https://lists.debian.org/20141127093645.GA2487@flashgordon
Re: Fixing the Jessie Main Server?
Hi,

On Tue, Aug 26, 2014 at 06:40:30AM +0200, Petter Reinholdtsen wrote:
>
> Btw, regarding our Kerberos error on the main server, Andreas B. Mundt
> just mentioned on IRC that https://bugs.debian.org/758992 would
> probably hit us too. It affects Kerberos with LDAP backend when using
> systemd.
>
> He also mentioned that our cups test might always fail because cups is
> socket activated with systemd, thus not running unless something tries
> to use it. :)

I guess it is not because of the socket activation, but the port has
to be made accessible in '/etc/cups/cupsd-systemd-listen.conf'. Cf.
http://anonscm.debian.org/cgit/printing/cups.git/tree/debian/cups-daemon.preinst

Best regards,

Andi

Archive: https://lists.debian.org/20140826161849.GB14310@flashgordon
Re: TI-calculator packages team maintained in debian-edu or debian-science on alioth?
Hi Holger et al.,

[cc debian-science, related post:
https://lists.debian.org/debian-edu/2013/06/msg00177.html]

On Fri, Jun 14, 2013 at 11:54:05PM +0200, Holger Levsen wrote:
> On Friday, 14 June 2013, Andreas B. Mundt wrote:
> > libticables-1.3.4
> > libtifiles-1.1.6
> > libticonv-1.1.4
> > libticalcs-1.1.8
> > gfm-1.07
> > tilp2-1.17
> > ... perhaps some more ...
>
> those are all source packages? If so, I would prefer to have them added to a
> subdirectory in the debian-edu git directory on alioth.

I had a look at the debian-science alioth repository, they use a
subdirectory 'packages' for packaging [1]. So I suggest following that
convention and putting the source packages in debian-edu/packages/ like:

debian-edu/packages/libticables
debian-edu/packages/libtifiles
debian-edu/packages/libticonv
debian-edu/packages/libticalcs
debian-edu/packages/gfm
debian-edu/packages/tilp2

When taking a look at debian-science, I realized that the packages fit
there as well (Data Acquisition/Hardware). Which is the better fitting
team? Any opinions on that topic?

Best regards,

Andi

[1] http://anonscm.debian.org/gitweb/?a=project_list;pf=debian-science/packages

Archive: http://lists.debian.org/20130615081223.GA23748@fuzi
TI-calculator packages team maintained in debian-edu on alioth?
Hi all,

I would like to ask if everybody is fine with adding a few more
packages to the debian-edu alioth git repository. The packages are
useful for Texas Instruments calculators, and the -edu fits nicely I
guess:

libticables-1.3.4
libtifiles-1.1.6
libticonv-1.1.4
libticalcs-1.1.8
gfm-1.07
tilp2-1.17
... perhaps some more ...

We want to use the software in our school soon, so I started to take a
look at them and contacted the previous maintainer (Albert Huang), cf.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678059#25. Albert
already appreciated the idea of team maintenance in a private mail.

If nobody sees a problem with adding them, I would start adding each
package to http://anonscm.debian.org/gitweb/?a=project_list;pf=debian-edu.
Hints and recommendations on how to do that best are appreciated.

What is needed to give Albert commit access to the repository?

Best regards,

Andi

Archive: http://lists.debian.org/20130614193623.GA2792@fuzi
Re: eduroaming pam_sss issues
Hi Giorgio,

On Sun, May 26, 2013 at 11:28:43AM +0200, Giorgio Pioda wrote:
> On Sun, May 26, 2013 at 10:23:41AM +0200, Andreas B. Mundt wrote:
> > Hi Giorgio,
> >
> > On Sun, May 26, 2013 at 09:43:17AM +0200, Giorgio Pioda wrote:
> > > On Sat, May 25, 2013 at 05:37:20PM +0200, Petter Reinholdtsen wrote:
> > > > > > pam_acct_mgmt: Authentication failure
> > > > > >
> > > > > > But actually sssd works, krb5 tickets are OK and right before this
> > > > > > message pam_sss claims a successful authentication.
> > > > > >
> > > > > > Any clues?

[...]

> Thanks. Disabling mklocalusers (and all the rest) and keeping only Unix and
> SSS fixes the login. But then the problem lies in the fact that the sss
> users expect a homedir in /skole/tjener/.. and not in /home/..

I solve this by making /home/ available under /skole/tjener/.. by bind
mounting it there, i.e. add:

  "/home $HOMEDIRS none bind 0 0"

to /etc/fstab. So the user always has the same home directory path.

If online, the idea is to use unison or something else to sync the NFS
home directory with the local one (at /home).

Best regards,

Andi

Archive: http://lists.debian.org/20130526102509.GB3942@fuzi
Re: eduroaming pam_sss issues
Hi Petter,

On Sun, May 26, 2013 at 11:41:48AM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > [1] Add 'session required pam_mkhomedir.so skel=/etc/skel umask=0027'
> > to /etc/pam.d/common-session
> > However this only creates the directories when no NFS-homedirs are
> > available. To create the directories in any login, I use
> > libpam-script
> > (Cf.
> > http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/scripts/ROAMING/10-home_nfs4_krb5;h=9b6b6d3749483b6ff9bfd207f21f5a8698019d46;hb=0600527f83621ba2a09fd3346ea23f2fe5884f77)
>
> Why do you recreate the functionality of libpam-mkhome using a
> libpam-script script?

If a user logs in the first time, he has to be in the debian-lan
network. In that case the debian-lan home directory is mounted, and
therefore libpam-mkhome does not create anything. The user has no
local directory to drop data to work on later when being away from the
debian-lan network.

If later the user logs in away from the debian-lan network, his local
home directory will be created by libpam-mkhome. He has to go back to
the network now, to fetch his data for off-line use.

By adding:

  cp -pR /etc/skel $HOMEDIR
  chmod 750 $HOMEDIR
  chown -R $PAM_USER:$PAM_USER $HOMEDIR

to the script executed by libpam-script (which is needed for kerberos
keys anyway if you use kerberized NFS and no machine key), there is no
need for the repeated logins. Instead of logging in three times:

  first:  on-line to make credentials available
  second: off-line to create the home directory
  third:  on-line to fetch data to work on off-line

it is sufficient to log in on-line, your local home directory will
already be available, you drop the data needed for off-line work there
and it will be available for off-line use.

So far this seems to work pretty fine.

Best regards,

Andi

Archive: http://lists.debian.org/20130526101313.GA3942@fuzi
Re: eduroaming pam_sss issues
Hi Giorgio,

On Sun, May 26, 2013 at 09:43:17AM +0200, Giorgio Pioda wrote:
> On Sat, May 25, 2013 at 05:37:20PM +0200, Petter Reinholdtsen wrote:
> > > > pam_acct_mgmt: Authentication failure
> > > >
> > > > But actually sssd works, krb5 tickets are OK and right before this message
> > > > pam_sss claims a successful authentication.
> > > >
> > > > Any clues?

The only problem I had was when /etc/nsswitch.conf was missing the
'sss'. In addition you might want to check with 'pam-auth-update' what
authentication mechanisms you would like to allow. I have only 'Unix'
and 'SSS' installed and therefore available, and this seems to work
fine.

[...]

> Sssd seems to work properly. Ubuntu's pam_mklocaluser is still not working
> correctly, (even in Ubuntu 13.04, even using the fixed Wheezy package) and
> homedirs are not created automatically.

Note that pam_mklocaluser is not necessarily needed. If you have home
directories available for off-line use (which can be created pretty
easily during login [1]), there is no need to 'recreate' the users
locally.

Best regards,

Andi

[1] Add 'session required pam_mkhomedir.so skel=/etc/skel umask=0027'
to /etc/pam.d/common-session
However this only creates the directories when no NFS-homedirs are
available. To create the directories in any login, I use libpam-script
(Cf. http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/scripts/ROAMING/10-home_nfs4_krb5;h=9b6b6d3749483b6ff9bfd207f21f5a8698019d46;hb=0600527f83621ba2a09fd3346ea23f2fe5884f77)

Archive: http://lists.debian.org/20130526082341.GA19033@fuzi
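The three eduroaming messages in this thread sketch the same idea: a libpam-script session hook that copies /etc/skel into the user's home directory, sets mode 750 and chowns it, so that the local home exists after the first on-line login and the fstab bind mount of /home onto $HOMEDIRS keeps the path identical on- and off-line. The script below is an added example for this page, not the debian-lan 10-home_nfs4_krb5 script that the posts link to. It wraps those three commands in a function that is safe to run on every login (it creates nothing when the NFS home is already mounted, refuses relative paths and dangling symlinks, and keeps the directory private from the moment it exists). The function name ensure_local_home, the getent lookup and the test data are assumptions.

```shell
#!/bin/sh
# Added example (not debian-lan code): create a user's local home directory
# from a skeleton on login, only when nothing exists at that path yet.
#
# ensure_local_home USER HOMEDIR [SKEL]
#   returns 0 when HOMEDIR exists afterwards, 1 on a refused or failed request.
ensure_local_home() {
    user="$1"
    homedir="$2"
    skel="${3:-/etc/skel}"

    # The hook runs as root from PAM, so only accept a plain absolute path.
    case "$homedir" in
        /*) ;;
        *)  echo "ensure_local_home: '$homedir' is not absolute" >&2; return 1 ;;
    esac

    # Already present (NFS home mounted, or not the first login): nothing to do.
    # -L also catches a dangling symlink, which -e alone would not see; the
    # hook must never replace or follow it.
    if [ -e "$homedir" ] || [ -L "$homedir" ]; then
        return 0
    fi

    # Primary group from the account database rather than assuming a group
    # named after the user (LDAP/sssd users often share a primary group).
    gid=$(id -g "$user") || return 1

    # Create with a restrictive umask so the directory is never world-readable,
    # even between mkdir and chmod; "$skel/." copies the dotfiles as well.
    (umask 027 && mkdir -p "$homedir") || return 1
    cp -pR "$skel/." "$homedir/" || return 1
    chmod 750 "$homedir" || return 1
    chown -R "$user:$gid" "$homedir" || return 1
}

# When libpam-script invokes this file as a session hook the user name arrives
# in $PAM_USER (as in the post); looking the home directory up with getent is
# an assumption of this example, so that the path matches the one the NFS
# mount and the /home bind mount use.
if [ -n "${PAM_USER:-}" ]; then
    ensure_local_home "$PAM_USER" "$(getent passwd "$PAM_USER" | cut -d: -f6)"
fi
```

Installed as the libpam-script session script, the function is a no-op on every login where the NFS home is mounted and does the one-time local setup otherwise; the explicit umask matters because PAM hooks inherit whatever umask the login service runs with.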
Network performance ToDo/ToTest (was: Roaming workstations in Debian-LAN available)
Hi Julien,

I hope you enjoyed your holidays!

On Thu, May 23, 2013 at 10:29:41AM +0200, Julien Lambot wrote:
> Many thanks for that feature ! Great you could implement it.
>
> Back on testing after some holidays :)

How is your network performance going? I found two issues that might
be interesting to have a look at, discussed here:

NFSv4 mount options:
https://lists.debian.org/debian-edu/2013/05/msg00224.html

I switched to not providing any {r,w}size now, we have to test if this
makes any difference. You could modify/delete the options in LDAP with:

  ldapvi -ZZ -D "cn=admin,dc=intern" -w `cat /root/installation/LDAPadminPW`

on the mainserver.

Iceweasel caching:
https://lists.debian.org/debian-edu/2013/05/msg00156.html

I switched off caching (some?) stuff in:
http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000384.html

In addition, I found:
http://packages.debian.org/wheezy/unburden-home-dir
which sounds interesting. If it works fine and improves the setup
we'll add and configure it on the machines.

Best regards,

Andi

Archive: http://lists.debian.org/20130523100115.GA29850@fuzi
Roaming workstations in Debian-LAN available
(cc debian-edu, as they are working on the same issue ...)

Hi all,

with the latest commit, roaming workstations are available in Debian-LAN!

http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=commitdiff;h=9aef028d091e30f2a560315e89c604e7a07c2ffc

The ROAMING class allows logging into machines without a connection to
the Debian-LAN network. The class can be added to any standard
workstation.

A user first needs to log into the roaming machine when it is in the
Debian-LAN network. After that, the machine may be taken off-line; the
user can now still log in and a local home directory is created.

Back in the Debian-LAN network and in the NFS-home directory, the user
will find his off-line data in '/home//'.

After some testing, I already have some improvement in mind: Copy the
Debian-LAN home directory to the machine locally on the first login.

Best regards,

Andi

Archive: http://lists.debian.org/20130522202237.GA5420@fuzi
Re: Reduce the server load by asking firefox to not cache on disk
Hi all,

I just accidentally came across a package which seems to be
interesting in the current context:

http://packages.debian.org/wheezy/unburden-home-dir

Best regards,

Andi

Archive: http://lists.debian.org/20130522102408.GA4886@fuzi
Re: nfs4 mount options rsize wsize
Hi Klaus,

many thanks for sharing your experience!

On Mon, May 20, 2013 at 12:28:24PM +0200, Klaus Knopper wrote:
> We have been running NFS over WLAN, and experienced problems that turned
> out to be related to bufferbloat
> (http://en.wikipedia.org/wiki/Bufferbloat) in combination with low
> bandwidth.

[...]

> The solution after many tests was at first somewhat surprising: We
> reduced rsize and wsize to a very small value (4096), and set mount
> options to "sync", which is known to be very slow on local file systems,
> but resulted in a big performance boost when used on NFS. After the
> changes, bandwidth was equally shared amongst all clients with no more
> timeouts and sudden logouts.
>
> While a single workstation surely has a somewhat lower data throughput,
> the entire class of 20+ desktops connected as NFS clients was
> operational again.
>
> From this experience, we created a HOWTO which you can still find at
> https://rp.skolelinux.de/rlp-wiki/bin/view/RlpSkolelinuxPublic/NetworkPerformanceTuning
> (I sent this link before in a different context).
>
> Also, we used a local NFS cache (mount option fsc) which is only
> possible with new kernels and xattr file system support. This option
> lowers network bandwidth peaks somewhat when reading parts of files that
> were just written from a client. But the "sync" option and smaller rsize
> and wsize were actually the client options that gained the biggest
> performance boost.

Did all this happen with NFSv4 or was this still NFSv3? My impression
is that with NFSv4, quite some stuff has been changed and improved, for
example 'sync' is the default and recommended option.

Best regards,

Andi

Archive: http://lists.debian.org/20130520121815.GA12025@fuzi
nfs4 mount options rsize wsize
Hi,

I am wondering what the 'best' options for mounting the home
directories via NFSv4 are. IIRC, by default debian-edu uses
rsize=32768,wsize=32768, which has been adopted by debian-lan too.

Running a test without defining rsize,wsize on 3 different setups, I
got the following (remove rsize,wsize in LDAP and check with 'mount'
after mounting the directory):

  virtual machine setup: rsize=wsize=131072
  real hardware 1      : rsize=wsize=262144
  real hardware 2      : rsize=wsize=524288

All values are considerably larger than the values defined manually.
It would be nice to understand the reasons why such a small value has
been chosen in debian-edu.

Best regards

Andi

Archive: http://lists.debian.org/20130520062359.GA20714@fuzi
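The post reads the negotiated rsize/wsize off the output of 'mount' after removing the options from LDAP. The script below is an added example (not debian-edu or debian-lan code) that does the same check mechanically from the options field of /proc/self/mounts-style lines, so a whole classroom of clients can be compared against the 32768 default the post questions. The function names nfs_rw_sizes and nfs_below and the sample mount lines are constructed for this example.

```shell
#!/bin/sh
# Added example: report the rsize/wsize an NFS client actually uses.
# Input is the /proc/self/mounts format (spec, mountpoint, fstype, options, 0 0);
# fstab and LDAP only show what was requested, /proc shows what was negotiated.

# Usage: nfs_rw_sizes [FILE]   (default "-" = stdin; use /proc/self/mounts on a client)
# Output: "<mountpoint> rsize=<n> wsize=<n>" per nfs/nfs4 mount; "?" if absent.
nfs_rw_sizes() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        r = "?"; w = "?"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^rsize=/) r = substr(opt[i], 7)
            if (opt[i] ~ /^wsize=/) w = substr(opt[i], 7)
        }
        print $2, "rsize=" r, "wsize=" w
    }' "${1:--}"
}

# Usage: nfs_below MINBYTES [FILE]
# Lists mountpoints whose rsize or wsize is below MINBYTES, e.g. 131072, the
# smallest value the post saw negotiated when no size was forced. An unknown
# size ("?") counts as 0 so it is flagged rather than silently passed.
nfs_below() {
    nfs_rw_sizes "${2:--}" | awk -v min="$1" '{
        r = substr($2, 7) + 0; w = substr($3, 7) + 0
        if (r < min || w < min) print $1
    }'
}

# Constructed sample in /proc/self/mounts format: one mount still carrying the
# 32768 default, one with a kernel-negotiated size, and a non-NFS line to skip.
SAMPLE_MOUNTS='tjener:/home0 /skole/tjener/home0 nfs4 rw,relatime,vers=4.0,rsize=32768,wsize=32768,hard,proto=tcp,sec=krb5p 0 0
tjener:/srv/nfs4 /srv/nfs4 nfs4 rw,relatime,vers=4.0,rsize=524288,wsize=524288,hard,proto=tcp,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# Demonstration on the sample; on a real client run: nfs_below 131072 /proc/self/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | nfs_rw_sizes
printf '%s\n' "$SAMPLE_MOUNTS" | nfs_below 131072
```

The second function is the one to run across clients after the LDAP change: any mountpoint it prints is still getting the small manual value, either from a stale automount map or from a client that has not re-read LDAP.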
Re: [debian-lan-devel] samba support
[cc ... let's ask on the debian-edu list if they know more ... ]

Hi all,

we would like to implement something like 'roaming workstations' in
debian-lan. Can someone give us some hints on how to do that best? Is
there any experience available with roaming workstations, do they work
successfully, or are there known problems?

On Thu, Apr 25, 2013 at 12:40:57AM +0200, Julien Lambot wrote:
> - pam-synccr
>
> I meant libpam-ccreds, of course.
>
> I checked
> http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
> and sssd seems promising but I could not get libpam-mklocaluser to work
> and create the local home.
>
> So I will further test that whole stuff but isn't there anything already
> set up in skolelinux you heard of?

The information I know about is:

http://anonscm.debian.org/viewvc/debian-edu/trunk/src/eduroaming/debian/control?view=markup
http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu/tasks/roaming-workstation

and perhaps some modifications done by cfengine:

http://anonscm.debian.org/viewvc/debian-edu/trunk/src/debian-edu-config/cf/

Any help and pointers or comments are appreciated!

Best regards,

Andi

Archive: http://lists.debian.org/20130425064657.GB31493@fuzi
Re: 'krbPrincipalKey' and 'sambaMungedDial'
Hi all,

On Mon, Mar 25, 2013 at 09:56:27PM +0100, Petter Reinholdtsen wrote:
>
> [Martin Schulte]
> > thank you for your answer.
> > I found a way to get the passwords in cleartext from lenny ldap, thanks
> > to windows, the most secure OS ever :-) and its LM-Hash. You can crack this
> > LM-hash using ophcrack (http://en.wikipedia.org/wiki/Ophcrack ), which
> > uses rainbow tables.
>
> Interesting and scary. Even in Debian Edu Squeeze, the user passwords
> are stored in three places in the user LDAP object. Once for Kerberos,
> once for Samba and once for GOsa. We should really try to get rid of
> the last two.

For the record, an attempt to "unify" GOsa and Kerberos:
http://bugs.debian.org/698544

Best regards,

Andi

Archive: http://lists.debian.org/20130325224254.GB14338@fuzi
Re: 'krbPrincipalKey' and 'sambaMungedDial'
Hi Martin,

On Fri, Mar 22, 2013 at 06:33:11PM +0100, Martin Schulte wrote:
>
> while trying to upgrade to squeeze and restore old passwords, I had
> a look at the ldap in squeeze. I found the two attributes
> 'krbPrincipalKey' and 'sambaMungedDial'. Can someone tell me what
> the use of these two attributes is and how they are generated? Is
> there a relation between the userpassword and these two attributes?
>
> Actually I try to replace the value of the attributes
> 'userPassword', 'sambaLMPassword', 'sambaNTPassword' from the
> squeeze ldap with the values from the lenny ldap.

The authentication method has changed completely in squeeze. Instead
of storing a hashed password in LDAP as has been the case in Lenny,
Squeeze uses Kerberos keys. These are also some kind of user password,
but can also be used to encrypt any connection over the network. There
is no way to convert the password hash from Lenny to a Kerberos
principal key, so you have to create these from clear text passwords.

I am not familiar with the samba stuff however.

Best regards,

Andi

Archive: http://lists.debian.org/20130322180127.GA10478@fuzi
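This thread names four credential attributes on a user object (krbPrincipalKey, userPassword, sambaNTPassword, sambaLMPassword) and concludes that only the Kerberos one should stay. Before removing the others one wants to know which entries still carry them, in particular the LM hash the thread describes as crackable. The script below is an added example, not Debian Edu or GOsa code: it inventories those attributes per entry in an LDIF export such as slapcat produces. The function names ldif_password_stores and ldif_lm_entries and the sample LDIF (with all-zero placeholder hashes) are constructed for this example.

```shell
#!/bin/sh
# Added example: which password stores does each LDAP entry still carry?
# Reads LDIF (slapcat/ldapsearch output) and prints one summary line per entry.
# Attribute names are matched case-insensitively and both "attr:" and the
# base64 form "attr::" are caught; folded continuation lines start with a
# space and therefore never match an attribute name.

# Usage: ldif_password_stores [FILE]   (default "-" = stdin)
# Output: "<dn> krb=<0|1> user=<0|1> nt=<0|1> lm=<0|1>"
ldif_password_stores() {
    awk '
        function flush() {
            if (dn != "") print dn, "krb=" k, "user=" u, "nt=" n, "lm=" l
            dn = ""; k = 0; u = 0; n = 0; l = 0
        }
        { a = tolower($0) }
        a ~ /^dn: /              { flush(); dn = substr($0, 5) }
        a ~ /^krbprincipalkey:/  { k = 1 }
        a ~ /^userpassword:/     { u = 1 }
        a ~ /^sambantpassword:/  { n = 1 }
        a ~ /^sambalmpassword:/  { l = 1 }
        END                      { flush() }
    ' "${1:--}"
}

# Usage: ldif_lm_entries [FILE]
# Just the DNs that still hold an LM hash, the store the thread singles out.
ldif_lm_entries() {
    ldif_password_stores "${1:--}" | awk '$5 == "lm=1" { print $1 }'
}

# Constructed sample: alice has Kerberos, GOsa (userPassword) and NT stores,
# bob has Kerberos plus both Samba hashes. Hash values are placeholders.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=intern
uid: alice
krbPrincipalKey:: AAAAAA==
userPassword: {SSHA}placeholder
sambaNTPassword: 00000000000000000000000000000000

dn: uid=bob,ou=people,dc=intern
uid: bob
krbPrincipalKey:: AAAAAA==
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 00000000000000000000000000000000
'

# Demonstration on the sample; on a server: slapcat | ldif_password_stores
printf '%s\n' "$SAMPLE_LDIF" | ldif_password_stores
printf '%s\n' "$SAMPLE_LDIF" | ldif_lm_entries
```

Run against a slapcat dump before and after the cleanup, the first function shows the migration state per user; the second is the short list to act on first, since an LM hash is the weakest of the four stores.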
Re: "allow_weak_crypto = true" not needed for wheezy
Hi,

On Sun, Feb 03, 2013 at 06:24:52PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > FYI, it looks as if "allow_weak_crypto = true" [1] is not needed
> > anymore for wheezy. This is at least the case for debian-lan.
>
> What was it needed for in the first place?

Mounting NFSv4 IIRC. Cf. http://bugs.debian.org/657802

I remember debian-edu needed:

  permitted_enctypes = ...

too, because of pam_sss, which I never used.
(http://bugs.debian.org/657802#24)

> Do you have the commit rights needed to update the source with this
> change?

I would prefer if someone currently running and testing the code would
commit it, to make sure it really works in the end also on debian-edu.

Best regards,

Andi

Archive: http://lists.debian.org/20130203175038.GA18251@fuzi
"allow_weak_crypto = true" not needed for wheezy
Hi,

FYI, it looks as if "allow_weak_crypto = true" [1] is not needed
anymore for wheezy. This is at least the case for debian-lan.

Best regards,

Andi

[1] cf. debian-edu-config/share/debian-edu-config/tools/kerberos-kdc-init

Archive: http://lists.debian.org/20130202084835.GA3813@fuzi
Re: Wheezy Gosa² setup
Hi,

On Tue, Jan 22, 2013 at 05:43:59AM +0100, Mike Gabriel wrote:
> Hi Andi, hi Wolfgang,
>
> On Tue 22 Jan 2013 00:38:32 CET Wolfgang Schweer wrote:
>
> > > In addition, I had to rewrite gosa-sync.
> >
> > gosa-sync seems to work here without any change.
>
> In Debian Edu squeeze and GOsa² 2.6 the gosa-sync script does not
> report back failures to GOsa², thus, passwords run out of sync. As
> we have several OTRS tickets open about this with our customers,
> this definitely would be an improvement for squeeze, at least. Are
> you really sure that error handling is correct with wheezy and GOsa²
> 2.7 (/me doubts it by what is written in this thread).
>
> Simple way to test gosa-sync failures: e.g. stop kadmind and try to
> modify or add a user with GOsa².

I just tried this test, however, even with kadmind stopped, the
password can be modified as gosa-sync operates via kadmin.local
directly on the database, I guess.

The test I used is changing to a password with just a single class of
characters, for example "12345". GOsa allows this password, but I use
a Kerberos policy that demands 2 character classes: This error is
reported in GOsa and the password modification cancelled (also within
LDAP).

Best regards,

Andi

Archive: http://lists.debian.org/20130122073509.GA17391@fuzi
Re: Wheezy Gosa² setup
Hi,

On Sun, Jan 20, 2013 at 05:25:16PM +0100, Wolfgang Schweer wrote:
> On Sun, Jan 20, 2013 at 01:38:22PM +0100, Andreas B. Mundt wrote:
> > I had to modify the variable name to be sent to gosa-sync:
> >
> > - postmodify="USERPASSWORD=%userPassword /usr/bin/sudo
> >/usr/local/sbin/gosa-sync %dn"
> > + postmodify="USERPASSWORD=%new_password /usr/bin/sudo
> >/usr/local/sbin/gosa-sync %dn"
>
> Seems to be that this change is required in the administration section
> too.

Strange, it seems to work here with just one occurrence. Perhaps
because I use fewer features.

In addition, I had to rewrite gosa-sync. Take a look at:
http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/files/usr/local/sbin/gosa-sync/GOSA

If kadmin.local gives an error, the error message is shown in GOsa and
the password change reverted.

Best regards,

Andi

Archive: http://lists.debian.org/20130121221737.GA7713@fuzi
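Review bot: the `+` line of the quoted postmodify change switches the value carried in the USERPASSWORD environment variable from the %userPassword hash to the clear-text %new_password, and that variable has to cross a sudo boundary (`/usr/bin/sudo /usr/local/sbin/gosa-sync %dn`). Two things belong in the same change: confirm that the sudoers rule for gosa-sync preserves USERPASSWORD (sudo's default env_reset drops variables that are not listed in env_keep, which would hand the script an empty password and make every sync fail silently), and confirm that gosa-sync and whatever it calls never log or echo their environment, since the value is now a usable password rather than a hash.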
Wheezy Gosa² setup
Hi,

concerning Wolfgang's work on the GOsa setup for wheezy, which I
currently do for debian-lan, I found the following which I would like
to share to avoid duplicate debugging.

I had to modify the variable name to be sent to gosa-sync:

If I don't do that, I end up with the hash in the variable making
gosa-sync fail. If you don't need that, it would be rather interesting
to find out why it's needed here.

In addition and for your information, I filed
http://bugs.debian.org/698544 on the use of SASL instead of ssha as
"password hash" in GOsa. Using SASL would allow authenticating logins
to gosa with kerberos authentication. The password hashes would only be
stored in kerberos and additionally providing the hash in LDAP wouldn't
be needed anymore. kpasswd could be used for changes as well as the
GOsa interface.

Best regards,

Andi

Archive: http://lists.debian.org/20130120123822.GA16810@fuzi
Re: Upgrading Squeeze to Debian-Education?
Hi Bengt,

On Sun, Oct 14, 2012 at 10:38:39AM +1100, Bengt Thuree wrote:

[...]

> I really wish I can get this to work, but might have to have a second
> look at Edubuntu :(, but since everything else is Debian, I am not too
> keen on that.

Another possibility you might want to take a look at is Debian-LAN:
http://wiki.debian.org/DebianLAN

It shouldn't be a problem to switch to a XEN kernel, there is already
a RAID_XEN_VIRTUAL class in the FAI example, which should help with
adding the packages needed for XEN. After that, build your CD or
install via PXE as described in the wiki.

Best regards,

Andi

Archive: http://lists.debian.org/20121014073251.GA32584@fuzi
Re: Userimport (csv), GOSA, homedirectories -> wrong ownership
Hi Mike,

On Tue, Aug 21, 2012 at 10:19:00PM +0200, Mike Gabriel wrote:
> On Tue 21 Aug 2012 22:02:20 CEST "Andreas B. Mundt" wrote:

[...]

> > This could be worth a try:
> >
> > https://init.linpro.no/pipermail/skolelinux.no/commits/2012-August/119291.html
>
> [...]
>
> I have just yesterday committed such a change as you propose:
> http://anonscm.debian.org/viewvc/debian-edu?view=revision&revision=77998

Yes sure, that's where I got it from. :-) I saw the commit in IRC and
dug it up in the archive at linpro.no (as I do not have the commit
mails). But your link is of course much better.

Cheers,

Andi

Archive: http://lists.debian.org/20120821211449.GA30830@fuzi
Re: Userimport (csv), GOSA, homedirectories -> wrong ownership
Hi Sebastian,

> I've added users via csv-import and most user-accounts are fine, but
> some have no access to their own homedirectory. (The owner is someone
> else) Any suggestion how this could happen and/or how to fix it?

This could be worth a try:

https://init.linpro.no/pipermail/skolelinux.no/commits/2012-August/119291.html

Log:
In gosa-create script: Invalidate libnss cache before applying chown
on new home directories. Fixes multiple failures during mass user
import into GOsa

Good luck,

Andi

Archive: http://lists.debian.org/20120821200220.GA4856@fuzi
Re: Debian Local Area Network' (Debian-LAN): no hardcoded IP addresses left
Hi everybody,

I am happy to report that with the last commits there are no specific
hardcoded IP addresses left in the config space [1] and it should be
possible to use debian-lan in a variety of networks. All network-specific
information and used IP addresses are collected in class/SERVER_A.var [2].
The code generating the DHCP and DNS configuration does for sure not work
for all possible networks and netmasks, however it should work for standard
cases, perhaps with minor modifications.

Best regards,

Andi

[1]
debian-lan/fai/config$ rgrep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' *
class/SERVER_A.var:MAINSERVER_IPADDR="10.0.0.1"
class/SERVER_A.var:GATEWAY="10.0.0.1"
class/SERVER_A.var:BROADCAST="10.0.255.255"
class/SERVER_A.var:SUBNET="10.0.0.0"
class/SERVER_A.var:NETMASK="255.255.0.0"
class/SERVER_A.var:SUBNETMASK="10.0.0.0/16"
class/SERVER_A.var:FAINETMASK="10.0.0.0/24"
class/SERVER_A.var:RANGE="10.0.1.10 10.0.1.200"
files/etc/hosts/diskless:127.0.0.1 localhost
files/etc/hosts/diskless:127.0.1.1 host.intern host
files/etc/hosts/mainserver:127.0.0.1 localhost
files/etc/hosts/mainserver:127.0.1.1 mainserver.intern mainserver
files/etc/networks/FAIBASE:default 0.0.0.0
files/etc/networks/FAIBASE:loopback 127.0.0.0
files/etc/networks/FAIBASE:link-local 169.254.0.0
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=sysinfo ip=10.0.1.100:eth0:off hostname=demohost
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=install ip=192.168.1.1:eth0:off hostname=demohost
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=install ip=192.168.1.1:eth0:off hostname=gnomehost
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=install ip=192.168.1.250::192.168.1.254:255.255.255.0::xxx:off hostname=faiserver
files/etc/fai/grub.cfg/SERVER_A:linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=sysinfo ip=192.168.1.1:eth0:off hostname=demohost
scripts/NTP_SERVER/10-ntp.conf: ReplaceAll "#broadcast 192.168.123.255" With "broadcast ${BROADCAST}"
scripts/NTP_SERVER/10-ntp.conf: AppendIfNoSuchLine "server 127.127.1.0 # local clock"
scripts/NTP_SERVER/10-ntp.conf: AppendIfNoSuchLine "fudge 127.127.1.0 stratum 10"
scripts/PROXY/10-config: ReplaceAll "#acl localnet src 10.0.0.0/8" With "acl localnet src ${SUBNETMASK}"

[2]
debian-lan/fai/config$ cat class/SERVER_A.var
[...]
## Variables that define the network. If you choose the same IP
## address for mainserver ($MAINSERVER_IPADDR) and gateway ($GATEWAY),
## the mainserver is configured as gateway to the external network.
## You'll need two network cards in that case.
MAINSERVER_IPADDR="10.0.0.1"
GATEWAY="10.0.0.1"
BROADCAST="10.0.255.255"
NAMESERVER_IPADDR=""   # leave empty to use mainserver's IP address
SUBNET="10.0.0.0"
NETMASK="255.255.0.0"
SUBNETMASK="10.0.0.0/16"
## NETMASK for FAI config space access:
FAINETMASK="10.0.0.0/24"
## DHCP range for unknown clients (cf. dhcpd.conf):
RANGE="10.0.1.10 10.0.1.200"
## IP address-endings for workstations and diskless machines (the list
## is generated using 'seq $WS_RANGE' respectively 'seq $DL_RANGE'):
WS_RANGE="50 149"
DL_RANGE="150 249"
[...]

--
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120410092909.GA13118@flashgordon
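The variables in class/SERVER_A.var are now the only place Debian-LAN keeps addresses, and the mail admits that the DHCP/DNS generator will not cope with every netmask. As an added example (not code from the debian-lan config space), the shell script below sanity-checks such a set of variables for the inconsistencies that would silently break the generated configuration, and shows how the same variables map onto a dhcpd.conf subnet stanza; the stanza layout is an illustration, not the project's generator, and the sample values are the defaults quoted above.

```shell
#!/bin/sh
# Added example, not code from the debian-lan config space: sanity-check the
# network variables of class/SERVER_A.var before FAI renders DHCP and DNS
# configuration from them, and show how they would feed a dhcpd.conf subnet
# stanza (an illustration, not the project's generator).

ip2int() {   # dotted quad -> integer
    _ip=$1
    _oifs=$IFS; IFS=.; set -- $_ip; IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {   # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask2prefix() {   # dotted netmask -> prefix length; fails on a non-contiguous mask
    _m=$(ip2int "$1")
    _h=$(( ~_m & 0xffffffff ))                 # host bits of the mask
    [ $(( _h & (_h + 1) )) -eq 0 ] || return 1
    _n=0
    while [ "$_h" -ne 0 ]; do _h=$(( _h >> 1 )); _n=$(( _n + 1 )); done
    echo $(( 32 - _n ))
}

in_subnet() {   # in_subnet IP SUBNET NETMASK
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

load_sample_vars() {   # constructed sample: the defaults quoted in the mail
    MAINSERVER_IPADDR="10.0.0.1"; GATEWAY="10.0.0.1"; BROADCAST="10.0.255.255"
    NAMESERVER_IPADDR=""                       # empty: use the mainserver
    SUBNET="10.0.0.0"; NETMASK="255.255.0.0"; SUBNETMASK="10.0.0.0/16"
    FAINETMASK="10.0.0.0/24"; RANGE="10.0.1.10 10.0.1.200"
    WS_RANGE="50 149"; DL_RANGE="150 249"
}

# Print one line per inconsistency; the return value is the number found.
check_server_vars() {
    errors=0
    fail() { echo "ERROR: $*"; errors=$(( errors + 1 )); }

    if prefix=$(mask2prefix "$NETMASK"); then
        [ "$SUBNETMASK" = "$SUBNET/$prefix" ] \
            || fail "SUBNETMASK=$SUBNETMASK but SUBNET/NETMASK give $SUBNET/$prefix"
    else
        fail "NETMASK=$NETMASK is not a contiguous mask"; prefix=32
    fi
    in_subnet "$SUBNET" "$SUBNET" "$NETMASK" || fail "SUBNET=$SUBNET has host bits set"

    net=$(ip2int "$SUBNET"); mask=$(ip2int "$NETMASK")
    bcast=$(int2ip $(( net | (~mask & 0xffffffff) )))
    [ "$BROADCAST" = "$bcast" ] || fail "BROADCAST=$BROADCAST, expected $bcast"

    for v in MAINSERVER_IPADDR GATEWAY NAMESERVER_IPADDR; do
        eval ip=\$$v
        [ -n "$ip" ] || continue               # empty NAMESERVER_IPADDR is allowed
        in_subnet "$ip" "$SUBNET" "$NETMASK" || fail "$v=$ip is outside $SUBNET/$prefix"
        { [ "$ip" != "$SUBNET" ] && [ "$ip" != "$bcast" ]; } \
            || fail "$v=$ip is the network or broadcast address"
    done

    # the FAI config-space access network must lie inside the LAN
    fainet=${FAINETMASK%/*}; failen=${FAINETMASK#*/}
    { [ "$failen" -ge "$prefix" ] && in_subnet "$fainet" "$SUBNET" "$NETMASK"; } \
        || fail "FAINETMASK=$FAINETMASK is not inside $SUBNET/$prefix"

    # DHCP range for unknown clients: inside the LAN, ordered, not covering the mainserver
    set -- $RANGE
    for ip in "$1" "$2"; do
        in_subnet "$ip" "$SUBNET" "$NETMASK" || fail "RANGE end $ip is outside $SUBNET/$prefix"
    done
    lo=$(ip2int "$1"); hi=$(ip2int "$2"); ms=$(ip2int "$MAINSERVER_IPADDR")
    [ "$lo" -le "$hi" ] || fail "RANGE=$RANGE is reversed"
    { [ "$ms" -lt "$lo" ] || [ "$ms" -gt "$hi" ]; } || fail "RANGE=$RANGE covers MAINSERVER_IPADDR"

    # host-number endings for workstations and diskless machines: 1..254, disjoint
    set -- $WS_RANGE $DL_RANGE
    { [ "$1" -ge 1 ] && [ "$1" -le "$2" ] && [ "$3" -le "$4" ] && [ "$4" -le 254 ] \
        && { [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]; }; } \
        || fail "WS_RANGE=$WS_RANGE / DL_RANGE=$DL_RANGE overlap or leave 1..254"

    return "$errors"
}

dhcp_subnet_stanza() {   # how the variables map onto a dhcpd.conf subnet block
    cat <<EOF
subnet $SUBNET netmask $NETMASK {
    option routers $GATEWAY;
    option broadcast-address $BROADCAST;
    option domain-name-servers ${NAMESERVER_IPADDR:-$MAINSERVER_IPADDR};
    range $RANGE;
}
EOF
}

if [ "${1:-}" = "--demo" ]; then        # sh check-server-vars.sh --demo
    load_sample_vars
    check_server_vars && echo "SERVER_A.var looks consistent" && dhcp_subnet_stanza
fi
```

To check a real config space, source class/SERVER_A.var instead of calling load_sample_vars and run check_server_vars.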
Re: 'Debian Local Area Network' (Debian-LAN)
Hi Giorgio and others,

On Mon, Apr 09, 2012 at 11:21:37AM +0200, Giorgio Pioda wrote:
> In my case is not a matter of randomizing.
>
> We have an internal 10.x.x.x/23 provided by the
> national telecom and we are not able to
> change the subnet, otherwise we would collide
> with other schools.
>

I had a look into the issue of modifying the IP addresses. The following
files contain an IP address:

debian-lan/fai/config$ rgrep -l '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' *
files/etc/dhcp/dhcpd.conf/INT_GATEWAY
files/etc/dhcp/dhcpd.conf/EXT_GATEWAY
files/etc/network/interfaces/INT_GATEWAY
files/etc/network/interfaces/EXT_GATEWAY
files/etc/hosts/diskless
files/etc/hosts/mainserver
files/etc/networks/FAIBASE
files/etc/fai/grub.cfg/SERVER_A
files/etc/bind/db.intern/INT_GATEWAY
files/etc/bind/db.intern/EXT_GATEWAY
scripts/NTP_SERVER/10-ntp.conf
scripts/NFS_SERVER/10-config
scripts/PROXY/10-config
scripts/FAISERVER/30-exports
scripts/DISKLESS_SERVER/10-setup

If we remove DNS and DHCP configuration files and files that contain no
specific IP addresses, we are left with:

files/etc/network/interfaces/INT_GATEWAY
files/etc/network/interfaces/EXT_GATEWAY
scripts/NTP_SERVER/10-ntp.conf
scripts/NFS_SERVER/10-config
scripts/PROXY/10-config
scripts/FAISERVER/30-exports
scripts/DISKLESS_SERVER/10-setup

So apart from DHCP, DNS and your interface configuration, you are left to
modify:

scripts/NTP_SERVER/10-ntp.conf: ReplaceAll "#broadcast 192.168.123.255" With "broadcast 10.255.255.255"
scripts/NFS_SERVER/10-config: AppendIfNoSuchLine "/srv/nfs4 10.0.0.0/8(sec=krb5p:krb5i:sys,rw,sync,fsid=0,crossmnt,no_subtree_check)"
scripts/NFS_SERVER/10-config: AppendIfNoSuchLine "/srv/nfs4/home0 10.0.0.0/8(sec=krb5p:krb5i:sys,rw,sync,no_subtree_check)"
scripts/PROXY/10-config: ReplaceAll "#acl localnet src 10.0.0.0/8" With "acl localnet src 10.0.0.0/8"
scripts/FAISERVER/30-exports:ainsl $target/etc/exports "/srv/fai/nfsroot 10.0.0.0/24(async,ro,no_subtree_check,no_root_squash)"
scripts/FAISERVER/30-exports:ainsl $target/etc/exports "/srv/fai/config 10.0.0.0/24(async,ro,no_subtree_check,no_root_squash)"
scripts/DISKLESS_SERVER/10-setup:ainsl $target/etc/exports "/opt 10.0.0.0/8(async,ro,no_subtree_check,no_root_squash)"

So that does not look too terrible. The automatic solution would be to
generate DNS and DHCP configuration automatically and use variables in the
scripts.

Best regards,

Andi

> On Sun, Apr 08, 2012 at 05:15:27PM +0100, Steven Chamberlain wrote:
> > Hi,
> >
> > On 08/04/12 10:13, Giorgio Pioda wrote:
> > > 1) Subnet switch to an arbitrary 10.x.x.x/24 or even better 10.x.x.x/23
> > > and also 192.169.x.x networks
> >
> > I agree, that aspect of Debian Edu's network architecture has always
> > bugged me too, but I imagine it's because an address had to be hardcoded
> > in some of the configs.
> >
> > Using a randomly-chosen 10.x.x.0/24 subnet means you can link several of
> > these subnets together with straightforward routing between gateway
> > machines, without resorting to awkward NAT.
> >
> > It would be easy and very fun to link together neighbouring Debian-LANs
> > between homes/offices with wireless meshes and fast wired links.
> >
> > Randomising as much as you can in network address avoids the chance of a
> > collision and having to renumber (and the chance is higher than you
> > might think, due to the birthday paradox).
> >
> > This is similar in principle to RFC4193 unique local IPv6 subnets.
> > (Debian-LAN could implement those too!)
> >
> > Or, you can run as many /24's as you need off the same mainserver and it
> > can still route traffic between hosts, so I doubt there's a need for a
> > /23 subnet or larger. (Unless you really need for a broadcast domain to
> > span more than 254 hosts...).
> >
> > Regards,
> > --
> > Steven Chamberlain
> > ste...@pyro.eu.org
>

Archive: http://lists.debian.org/20120409113651.GA11569@flashgordon
Re: 'Debian Local Area Network' (Debian-LAN)
Hi Giorgio,

On Sun, Apr 08, 2012 at 12:01:19PM +0200, Giorgio Pioda wrote:
> > Providing a setup without the mainserver acting as gateway (issue 2)
> > is planned for Setup_B.
>
> Teased to see it soon :-)
>

Done. Here it is:

http://lists.alioth.debian.org/pipermail/debian-lan-devel/2012q2/77.html
http://lists.alioth.debian.org/pipermail/debian-lan-devel/2012q2/78.html

I also updated the wiki http://wiki.debian.org/DebianLAN/Setup_A

Let me know if you run into problems or something is unclear.

Best regards,

Andi

Archive: http://lists.debian.org/20120408143154.GD9680@flashgordon
Re: 'Debian Local Area Network' (Debian-LAN)
Hi,

On Sun, Apr 08, 2012 at 11:13:40AM +0200, Giorgio Pioda wrote:
>
> Debian LAN is indeed interesting, simpler approach than Edu. But I see some
> blocking missing features.
>
> 1) Subnet switch to an arbitrary 10.x.x.x/24 or even better 10.x.x.x/23 and
> also 192.169.x.x networks
>

It shouldn't be a problem to grep/sed through the config space and modify
that. Providing an 'automatic' implementation (some variables defining the
network with automatic creation/modification of files) is of course
possible, but will add code and complexity.

> 2) The mainserver shouldn't act as gateway. Most plain, small organization
> networks have a dedicated gateway (which often is an ADSL router/gateway)
> and the server should live with this.

I run the system on exactly such a system, however there is a M$-windows
system attached to the same ADSL router/gateway I do not want to interfere
with. The only modification of the published setup I need is modifying the
external interface in /etc/network/interfaces to read:

# The external network interface
allow-hotplug eth0
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
    address 192.168.123.12      <-- available address in the 'router network'
    netmask 255.255.255.0
    broadcast 192.168.123.255
    gateway 192.168.123.254     <-- ADSL router IP

> Given that you'll provide such a fix, I'll probably do a test.
>

Providing a setup without the mainserver acting as gateway (issue 2) is
planned for Setup_B.

Best regards,

Andi

> --
> Sysadmin SPSE-Tenero
> Ufficio: +41 91 735 62 48
> Cellulare: +41 79 629 20 63
>
> Archive: http://lists.debian.org/20120408091339.ga5...@ticino.com

Archive: http://lists.debian.org/20120408095239.GC9680@flashgordon
'Debian Local Area Network' (Debian-LAN)
Dear Reader,

it is my pleasure to draw your attention to the 'Debian Local Area Network'
project (Debian-LAN). The goal of Debian-LAN is to make setting up a local
network with centralized user and machine management, intranet, etc. as
easy as possible in Debian. To do that, the project aims to provide
anything needed for such systems: documentation, code, whatever.

For the time being, the FAI framework [1] is employed to set up the system.
However, the project is in general not limited to FAI. FAI's class system
allows for great flexibility without losing control over customization.
All modifications are implemented in the config space and thereby
documented in a well-structured way.

So far, a set of FAI classes and the corresponding config space has been
prepared to implement a Debian-LAN:

 * A mainserver with Kerberos KDC and LDAP including the FAI-server to
   install clients.
 * Clients are installed over the network from the mainserver, automounting
   their kerberized home directories.
 * Diskless clients are implemented as an option.

The system is comparable to the debian-edu network and can be used for
schools, small enterprises, associations, (university) work groups and much
more. It provides the Gnome and LXDE desktop environment by default on the
clients. Depending on your needs, you can easily add a customized package
selection, for example the metapackages of a Debian Blend.

Everybody is invited to take a look, test, report back and of course
contribute. More information can be obtained from the sources listed below
[2]. We use a git repository [3] on collab-maint on Alioth. To install the
mainserver, prepare a CD image following the instructions in the wiki [4]
and get started!

Looking forward to comments and ideas,

best regards,

Andi

[1] http://wiki.debian.org/FAI

[2] Please do not hesitate to ask:
    Documentation:        http://wiki.debian.org/DebianLAN/
    Mailing List:         http://lists.alioth.debian.org/pipermail/debian-lan-devel/
    IRC Channel:          #debian-lan on irc.debian.org
    Alioth Project pages: https://alioth.debian.org/projects/debian-lan/

[3] To clone the repository use:
    git clone git://git.debian.org/git/collab-maint/debian-lan
    The repository contains the FAI config space for the provided setup.

[4] http://wiki.debian.org/DebianLAN/bootstrap

--
A N D R E A S   B.   M U N D T
GPG key: 4096R/617B586D 2010-03-22
Bug#664596: User seems to missing ability to login via ssh/console after some days
Forwarded message, as I forgot to cc the debian-edu list:

On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Just remove the "-maxlife" option completely. Use something like:
> >
> > kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"
>
> What is the default value when -maxlife is not used?
> --

I use a "default" policy created by:

kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local: get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:

Password expiration date: [none]

Regards,

Andi

--
A N D R E A S   B.   M U N D T
GPG key: 4096R/617B586D 2010-03-22

Archive: http://lists.debian.org/20120320215612.GB13674@flashgordon
Bug#664596: User seems to missing ability to login via ssh/console after some days
On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Just remove the "-maxlife" option completely. Use something like:
> >
> > kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"
>
> What is the default value when -maxlife is not used?
> --

I use a "default" policy created by:

kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local: get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:

Password expiration date: [none]

Regards,

Andi

--
A N D R E A S   B.   M U N D T
GPG key: 4096R/617B586D 2010-03-22

Archive: http://lists.debian.org/20120320214740.GA13674@flashgordon
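The get_principal output above is what an administrator has to read to see what a policy really enforces. As an added example (not from debian-edu-config or the mail), the shell function below parses that output format and reports the two facts that matter for this thread: whether the password ever expires, and how many of the principal's keys still use DES, 3DES or RC4 enctypes. The first sample is the output quoted above; the second is a constructed principal with a password lifetime set and AES keys only.

```shell
#!/bin/sh
# Added example, not from debian-edu-config: parse the 'get_principal' output
# format shown in the mail and report what matters for the policy discussion:
# does the password ever expire, and which keys still use legacy (DES / 3DES /
# RC4) enctypes.  Both samples are constructed input.

SAMPLE_DEFAULT_POLICY='Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default'

# A constructed principal whose policy sets a maximum password lifetime and
# whose keys were generated with AES enctypes only.
SAMPLE_AES_ONLY='Principal: bar@INTERN
Password expiration date: Thu May 31 20:12:10 CEST 2012
Number of keys: 2
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 3, AES-128 CTS mode with 96-bit SHA-1 HMAC, Version 5
Attributes: REQUIRES_PRE_AUTH
Policy: users'

# audit_principal "<get_principal output>": prints a one-line summary plus one
# line per finding; the return value is the number of findings (0 = clean).
audit_principal() {
    _out=$1
    _field() { printf '%s\n' "$_out" | sed -n "s/^$1: //p" | head -n 1; }
    princ=$(_field Principal)
    policy=$(_field Policy)
    pwexp=$(_field 'Password expiration date')
    nkeys=$(_field 'Number of keys')
    legacy=$(printf '%s\n' "$_out" | grep -c -E '^Key: .*(DES cbc mode|Triple DES|ArcFour)')
    findings=0
    echo "$princ: policy=${policy:-none} password-expiry=$pwexp keys=$nkeys legacy-keys=$legacy"
    if [ "$pwexp" = "[none]" ]; then
        echo "  finding: password never expires ([none]: no -maxlife in effect)"
        findings=$(( findings + 1 ))
    fi
    if [ "$legacy" -gt 0 ]; then
        echo "  finding: $legacy of $nkeys keys use DES/3DES/RC4 enctypes"
        findings=$(( findings + 1 ))
    fi
    return "$findings"
}

if [ "${1:-}" = "--demo" ]; then      # sh audit-principal.sh --demo
    audit_principal "$SAMPLE_DEFAULT_POLICY"
    audit_principal "$SAMPLE_AES_ONLY"
fi
```

On a real KDC, feed it the output of kadmin.local -q "get_principal NAME" for each principal you want to review.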
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
Hi,

On Tue, Mar 20, 2012 at 09:04:54PM +0100, Petter Reinholdtsen wrote:
> [Petter Reinholdtsen]
> > Anyone got any ideas how to properly fix this?

Just remove the "-maxlife" option completely. Use something like:

kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"

Regards,

Andi

> I suspect this patch will solve it for first time installations. We
> need to figure out how to fix it for existing installations too.
>
> Index: share/debian-edu-config/tools/kerberos-kdc-init
> ===
> --- share/debian-edu-config/tools/kerberos-kdc-init (revisjon 77105)
> +++ share/debian-edu-config/tools/kerberos-kdc-init (arbeidskopi)
> @@ -237,8 +237,9 @@
> kadmin.local -q "ktadd -k /etc/krb5.keytab.smtp smtp/tjener.intern"
> chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp
>
> -# Kerberos policy setup
> -kadmin.local -q "addpol -maxlife \"2 days\" -minlength 5 users"
> +# Kerberos policy setup. Make sure passwords never expire, as
> +# long as LDAP and Samba passwords do not expire.
> +kadmin.local -q "addpol -maxlife never -minlength 5 users"
> kadmin.local -q "addpol -minclasses 2 hosts"
> }
>
> Anyone know why the -maxlife "2 days" were there in the first place?
> --
> Happy hacking
> Petter Reinholdtsen
>
> Archive: http://lists.debian.org/20120320200454.gf18...@login2.uio.no

--
A N D R E A S   B.   M U N D T
GPG key: 4096R/617B586D 2010-03-22

Archive: http://lists.debian.org/20120320203517.GB5795@flashgordon
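Review bot: the `+kadmin.local -q "addpol -maxlife never -minlength 5 users"` line makes the fix depend on kadmin accepting "never" for a duration option; the reply above reaches the same goal more plainly by omitting -maxlife altogether, which the get_principal output elsewhere in this thread shows as "Password expiration date: [none]". Since addpol only runs from kerberos-kdc-init on a fresh install, existing realms keep the 2-day limit until the `users` policy is changed in place with modify_policy, as the sentence before the hunk already anticipates. The new comment ties the choice to LDAP and Samba passwords not expiring; a pointer to where that is guaranteed would help the next reader, as would a note on why `users` keeps only -minlength 5 while `hosts` gets -minclasses 2.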
Re: Educlient (still very raw)
Hi,

On Sat, Feb 11, 2012 at 09:17:13AM +0100, Giorgio Pioda wrote:
[...]
>
> Now I'm hanging with the autofs question. I have to test again but
> it seems that only Ubuntu 1004 have a good implementation; all other
> suffers, like debian wheezy, the fact that autofs starts too early
> in boot phase and, after not finding LDAP server, hangs and only
> a manual restart fix the problem.
>
> But I have also a terrible doubt. I don't know if this behaviour is
> qemu related, or if it reproducible on real devices (such that
> for example qemu freezes from time to time the virtual network...).
> In fact also PXE installation hangs, and I have to type a couple of
> times "autoboot" before network boot occurs.
>
> From time to time, I also observed hanging of autofs also on
> plain Edu workstations...
>
> Would be nice if somebody who have a real testing server could test
> my package. Unfortunately I don't have enough hardware to do it.
>

I observe strange autofs behavior in virtual machines here too. (Guest is
squeeze, virt-manager/kvm). On my desktop, anything is fine (host is
wheezy), on my laptop (also wheezy) it doesn't work. However, on real
hardware I have no issues. The setup is not exactly skolelinux but
comparable.

Best regards,

Andi

Archive: http://lists.debian.org/20120211211724.GA4994@flashgordon
Re: Problem with sitesummary2ldapdhcp
Hi all,

On Fri, Feb 10, 2012 at 10:20:57PM +0100, Petter Reinholdtsen wrote:
>
> I assume netdevice is for routers and switches, not for Linux hosts.
> If this is wrong, please tell me and we can easily change this.

IIRC I used netdevice for all machines that do not serve any services to
the network, so in a standard setup these are all machines except tjener
(LTSP servers are independent and not managed by GOsa). Other profiles
(Workstation etc.) are only available if you use certain plugins
(gosa-fai ?), which we do not use. So if you only want to assign
netgroups and DNS/DHCP, the netdevices seem to be the best fit.

Regards,

Andi

Archive: http://lists.debian.org/20120211081055.GA30050@fuzi
Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
On Sun, Feb 05, 2012 at 10:51:08PM +0100, Petter Reinholdtsen wrote:
>
> [Andreas B. Mundt]
> > How long? I think entering the username triggers autofs (to read the
> > user's configuration, for example which desktop he wants to start by
> > default). What if someone takes 15 seconds to enter his password, and
> > someone else needs only 3 seconds?
>
> This does not sound right. Setups using pam_mount work, and I believe PAM
> is only invoked after the password is entered. Because of this, I
> believe the user's home directory isn't accessed before the password is
> entered.
>

I did not say that pam_mount doesn't work. I believe gdm tries to access
the home directory. If it doesn't succeed, this is non-fatal. However we
don't have to argue about that, it should be easy to check: log in on a
terminal on a workstation as root, check that the home directories are not
yet mounted and then log in on gdm as a user and carefully check when the
home directory is accessed/mounted using the terminal.

> What are you seeing that makes you believe PAM is invoked too late?
> Could it be some other pam module called earlier in the stack that
> causes the effect?

Hm? Are we talking about the same issue, making a diskless workstation
work without machine credentials?

Best regards,

Andi

Archive: http://lists.debian.org/20120206075235.GA4158@fuzi
Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Hi,

On Sun, Feb 05, 2012 at 05:25:20PM +0100, Giorgio Pioda wrote:
> > The script executed right after authentication copies the user's
> > Kerberos ticket to the file krb5cc_diskless which is owned by root.
> > This ticket will be picked up by gssd to create the security context
> > needed. However, it's needed to restart autofs, I am not exactly sure
> > why. It looks like autofs caches failures in mounting a directory
> > (which it tries earlier in the login process), and does not try again
> > immediately when the ticket is available.
> >
>
> What about setting a delay in autofs?
>

How long? I think entering the username triggers autofs (to read the
user's configuration, for example which desktop he wants to start by
default). What if someone takes 15 seconds to enter his password, and
someone else needs only 3 seconds? Only if autofs is triggered exactly at
the moment pam gives the OK for login (i.e. the ticket is available) will
it manage to provide the home directory. Immediately after that the user
will have / as home (or might not be allowed to log in on gdm). So I don't
think that will work.

Did you have any success with the verify_ap_req_nofail = false stuff?

Best regards,

Andi

Archive: http://lists.debian.org/20120205213507.GA6821@flashgordon
Re: Kerberos TGT and NFS
Hi Giorgio,

On Sat, Feb 04, 2012 at 10:17:23AM +0100, Giorgio Pioda wrote:
> I got Ubuntu running, nice. But IMHO it shouldn't. I don't understand
> the black magic I've produced by myself, about the nfs/client kerberos
> granting.
>
> I didn't copy nor generate any krb5.keytab for the nfs/client and
> despite this fact nfs works.
>
> How is the TGT nfs working? Is the keytab stored in LDAP? In this latter
> case I fear that a MAC spoof would lead to unattended mounting of clients
> that are not acknowledged.
>
> Do you have an explanation, a reference link?
>

Skolelinux doesn't use kerberized NFSv4 yet. There is no mechanism
available to create and copy the keytabs. Perhaps this can be done with a
GOsa hook, however then the client needs to be available to scp the
keytab ...

However, you might be able to switch kerberization on by doing the above
manually and remove the sec=sys part in /etc/exports of the mainserver.

Regards,

Andi

Archive: http://lists.debian.org/20120204093014.GC5149@fuzi
Re: debian-edu-doc 6.0.3: Please update the PO translation for the package debian-edu-doc
Hi Helge,

On Fri, Feb 03, 2012 at 05:36:01PM +0100, Helge Kreutzmann wrote:
> On Thu, Jan 19, 2012 at 10:21:27PM -0400, David Prévot wrote:
> > You are noted as the last translator of the translation for
> > debian-edu-doc. The English template has been changed, and now some
> > messages are marked "fuzzy" in your translation or are missing.
> >
> > I would be grateful if you could take the time and update it.
> > Please send the updated file to me, or submit it as a wishlist bug
> > against debian-edu-doc.
>
> are you going to update the translation or should some other
> translator take over?

If you have resources available it would be great if they could take
over. I am rather busy right now and also next week. Unfortunately it's
again quite a lot that needs to be translated/unfuzzied. If nobody else
is available, I'll try to find some time, but I cannot guarantee that
I'll finish it before the deadline closes.

Best regards,

Andi

Archive: http://lists.debian.org/20120203191457.GA5044@flashgordon
Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Hi,

On Fri, Jan 27, 2012 at 11:14:04PM +0100, Giorgio Pioda wrote:
>
> your solution seems more or less an unavoidable hack.
>
> Nice would be to tell Kerberos to avoid service check and control
> only user ID.
>
> What about this:
>
> http://docs.oracle.com/cd/E19963-01/html/821-1456/setup-148.html#gihyu
>
> Maybe could be a solution, but I don't know exactly if it works
> as I think it should:
>
> client # cat /etc/krb5/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
> ...

I just tried with verify_ap_req_nofail = false and disabled the ticket
copying, unfortunately it seems not to work here. I have to think about
it, but isn't it necessary to have a ticket available as it is used to
encrypt the connection to the NFS server (sec=krb5p)?

Best regards,

Andi

Archive: http://lists.debian.org/20120128094033.GA5120@flashgordon
Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Hi,

On Fri, Jan 27, 2012 at 09:19:21PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
[...]
> > The script executed right after authentication copies the user's
> > Kerberos ticket to the file krb5cc_diskless which is owned by root.
> > This ticket will be picked up by gssd to create the security context
> > needed. However, it's needed to restart autofs, I am not exactly
> > sure why. It looks like autofs caches failures in mounting a
> > directory (which it tries earlier in the login process), and does
> > not try again immediately when the ticket is available.
>
> I guess we also need to remove the file when the user logs in, to make
> sure other users can't use another user's ticket to mount?
>

I think the ticket is used as if it were root's ticket, as the
automounter runs under root's ID. If the ticket is removed and the
automounter umounts the NFS after some time, accessing the home directory
again will fail, because there is no ticket anymore to remount. The trick
is a bit dirty, but so far I could not think of any way to misuse the
copied ticket, as it's only accessible by root. A user logging in later
or in parallel has no access.

> > With these modifications fully kerberized NFSv4 mounting should be
> > possible on all machines if there are no other issues like those
> > reported in http://bugs.debian.org/613167#30 (pending?). I
> > did not test LTSP diskless clients but a home-made chroot in
> > combination with aufs.
>
> This approach looks really promising. What about just dropping autofs
> and mount the NFS volume in the pam module instead, like pam-mount?

I don't know if pam-mount has any disadvantages compared to autofs
(umounting after some time of 'silence' on the file system?), but if not,
it's probably a good idea to switch.

Best regards,

Andi

Archive: http://lists.debian.org/20120127211156.GA9727@flashgordon
Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Hi everybody!

For quite some time we have been thinking about how to make kerberized
NFSv4 mounting of home directories work with diskless clients, where no
machine credentials (keytab) are available. It was mentioned [1] that
using "-n" for gssd on the diskless client might help, however this seems
not to be enough.

I finally figured out a way now, which works here and is not too invasive:

First, make sure you have the package libpam-script available at the
diskless client's chroot. libpam-script allows to run a script after
successful authentication. The script executed can be created by running:

#!/bin/sh
#
set -e

FILE=/usr/share/libpam-script/pam_script_auth
cat > $FILE <<EOF
#!/bin/sh
# Nothing to do if pam_krb5 left no credential cache behind.  (This test
# was lost in the archived copy of the mail; it is reconstructed from the
# surrounding lines and is an assumption.)
if ! ls /tmp/krb5cc_pam_* > /dev/null 2>&1; then
    exit 0
fi
FILE=/tmp/krb5cc_diskless
cp -v /tmp/krb5cc_pam_* \$FILE
/etc/init.d/autofs restart > /dev/null
exit 0
EOF
chmod 0755 $FILE
#

The script executed right after authentication copies the user's Kerberos
ticket to the file krb5cc_diskless which is owned by root. This ticket
will be picked up by gssd to create the security context needed. However,
it's needed to restart autofs, I am not exactly sure why. It looks like
autofs caches failures in mounting a directory (which it tries earlier in
the login process), and does not try again immediately when the ticket is
available.

In addition, add the line

RPCGSSDOPTS="-n"

to /etc/default/nfs-common and the line

auth optional pam_script.so

to /etc/pam.d/common-auth.

With these modifications fully kerberized NFSv4 mounting should be
possible on all machines if there are no other issues like those reported
in http://bugs.debian.org/613167#30 (pending?). I did not test LTSP
diskless clients but a home-made chroot in combination with aufs.

Best regards,

Andi

[1] http://lists.debian.org/debian-edu/2010/07/msg00065.html

Archive: http://lists.debian.org/20120127161853.GA17722@flashgordon
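The three changes described above (the hook script, RPCGSSDOPTS, the common-auth line) are easy to get subtly wrong, in particular the position of pam_script.so, which has to run after pam_krb5.so so that the cache it copies already exists. As an added example (not part of the mail or of any Debian package), the shell checks below verify a diskless chroot against those files; the paths are the ones named in the mail, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the mail or of any Debian package: verify that a
# diskless client's chroot carries the three changes described in the mail.
# The paths are the ones named there; the sample files are constructed.

# RPCGSSDOPTS in /etc/default/nfs-common must carry -n so that gssd does not
# insist on machine credentials.  Comments are ignored, the last assignment wins.
check_nfs_common() {   # check_nfs_common /etc/default/nfs-common
    opts=$(sed -n 's/^[[:space:]]*RPCGSSDOPTS=//p' "$1" | tail -n 1 | tr -d '"')
    case " $opts " in
        *" -n "*) return 0 ;;
        *) echo "RPCGSSDOPTS lacks -n (found: '$opts')"; return 1 ;;
    esac
}

# 'auth optional pam_script.so' must be present and must come after the
# pam_krb5.so auth line: the hook copies the cache pam_krb5 has just created.
check_common_auth() {   # check_common_auth /etc/pam.d/common-auth
    krb5=$(grep -n -E '^[[:space:]]*auth[[:space:]].*pam_krb5\.so' "$1" | head -n 1 | cut -d: -f1)
    script=$(grep -n -E '^[[:space:]]*auth[[:space:]]+optional[[:space:]]+pam_script\.so' "$1" \
             | head -n 1 | cut -d: -f1)
    [ -n "$krb5" ]   || { echo "no pam_krb5.so auth line in $1"; return 1; }
    [ -n "$script" ] || { echo "no 'auth optional pam_script.so' line in $1"; return 1; }
    [ "$script" -gt "$krb5" ] || { echo "pam_script.so is listed before pam_krb5.so"; return 1; }
}

# The hook must exist, be executable and start with an interpreter line.
check_hook() {   # check_hook /usr/share/libpam-script/pam_script_auth
    [ -f "$1" ] || { echo "$1 is missing"; return 1; }
    [ -x "$1" ] || { echo "$1 is not executable"; return 1; }
    head -n 1 "$1" | grep -q '^#!' || { echo "$1 has no #! line"; return 1; }
}

check_all() {   # check_all NFS_COMMON COMMON_AUTH HOOK; returns the number of failed checks
    n=0
    check_nfs_common "$1" || n=$(( n + 1 ))
    check_common_auth "$2" || n=$(( n + 1 ))
    check_hook "$3" || n=$(( n + 1 ))
    return "$n"
}

# Constructed good and bad samples of the files, plus a minimal hook.
write_samples() {   # write_samples DIR
    printf 'NEED_GSSD=yes\nRPCGSSDOPTS="-n"\n' > "$1/nfs-common.good"
    printf 'NEED_GSSD=yes\n#RPCGSSDOPTS="-n"\nRPCGSSDOPTS=""\n' > "$1/nfs-common.bad"
    cat > "$1/common-auth.good" <<'EOF'
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_script.so
EOF
    # same modules, hook listed first: it would run before any cache exists
    cat > "$1/common-auth.bad" <<'EOF'
auth    optional                    pam_script.so
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
    printf '#!/bin/sh\nexit 0\n' > "$1/hook"; chmod 0755 "$1/hook"
}

if [ "${1:-}" = "--demo" ]; then       # sh check-diskless-chroot.sh --demo
    d=$(mktemp -d); write_samples "$d"
    check_all "$d/nfs-common.good" "$d/common-auth.good" "$d/hook" && echo "all checks passed"
    rm -rf "$d"
fi
```

Against a real chroot, call check_all with the three paths from the mail (prefixed with the chroot directory).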
Re: r74053 - in trunk/src/debian-edu-config: cf debian etc/bind ldap-bootstrap
Hi Mike,

On Sun, Sep 04, 2011 at 09:57:25PM +0200, Mike Gabriel wrote:
>
> Also: on diskless workstations the preseeding values for krb5-config
> do not all ,,arrive'', only the default_realm is set, but not the
> INTERN = {} server definitions... That's why I chose
> cfengine in the first place...
>

The INTERN = {} is only needed if you want to use kadmin on that machine.
Authentication works fine without, the information is fetched from DNS.

Best regards,

Andi

Archive: http://lists.debian.org/20110905085041.GB4333@flashgordon
Re: Bug#613167: Diskless Workstations not using kerberized NFSv4 for homes currently
user debian-edu@lists.debian.org
usertag 638157 + debian-edu
thanks

On Thu, Aug 18, 2011 at 10:52:18AM +0200, Mike Gabriel wrote:
> Hi all,
>
> is it intended that current diskless workstations in Skolelinux do
> not use kerberized NFSv4?
>

Hi,

it looks like kerberization does not work with current nfs-utils, see
http://bugs.debian.org/638157. Hopefully this can be fixed in a point
release, the patch doesn't look very invasive ...

Best regards,

Andi

Archive: http://lists.debian.org/20110819154100.GA4242@flashgordon
Re: General question on Debian-Edu
Hi Thomas,

On Sun, Jul 24, 2011 at 08:10:47PM +0200, Thomas Koch wrote:
> the Debian-Edu talk tomorrow on debconf will overlap with the ZSH Skills-
> Exchange session... :-(

Luckily not tomorrow, but on Thursday ... :-)

> So I read the documentation and throw out some questions here:
>
> * Could the base of Debian-Edu also be usable by small companies? At my
> former company for example we had Debian thin-clients for call support
> staff and even for some junior developers/students.

No, it's highly specialized for schools. But I propose to work in a
direction that allows for a broader user and developer base.

> * Which IMAP server is used?

Dovecot

> * Could Debian-Edu be made replicated with automated fail-over of services?
> Use case: The network administrator is on holiday, the main server fails, but
> everything should continue to just work.

Nothing in that direction has been done yet, as far as I know ...

> * Is there a roadmap to update to cfengine3?

Unfortunately, I fear there is no roadmap at all :(

> * Is there any integration with school administration, so that administrative
> changes are automatically reflected in LDAP (addition of pupils, classes,
> leaving of pupils, assignments of pupils to classes)

No. However, the design of the LDAP tree is flexible, so pupils associated
with classes can have their own department (ou) in LDAP.

> * Is there a calendaring solution used with Debian-Edu? Kolab, Horde?

No. I know that there is a Kolab plugin for GOsa, but never tested that.

> * Are there any schools that also have mailing lists for parents?

I don't know of any.

> * Are there any schools actively using encrypted mails?

Same here, I don't know of any.

Thomas, let's meet in Banja Luka for a chat. I'll arrive some time on
Wednesday.

Best regards,

Andi

Archive: http://lists.debian.org/20110724183424.GA4099@flashgordon
DebConf Debian-Edu Talks
Hi all,

right now I started preparing the slides for the DebConf talks I
registered:

http://penta.debconf.org/dc11_schedule/events/744.en.html
http://penta.debconf.org/dc11_schedule/events/779.en.html

The talks are "bof's" i.e. "open discussions" and although I registered
both of them, this doesn't mean that they are thought as a 'one man
show'. I would be very happy if anybody interested in the topics could
contribute with ideas and topics to be discussed, no matter if you can
or cannot attend DebConf. Please reply to this mail, I will try to
address and fit in all contributions to the discussion.

Many thanks,

Andi

Archive: http://lists.debian.org/20110718195902.GA6139@flashgordon
Bug#632464: diskless machine probably not added in GOsa
Hi Marius,

On Sat, Jul 02, 2011 at 11:06:20PM +0200, Marius Kotsbak wrote:
> On 02. juli 2011 15:43, Andreas B. Mundt wrote:
> > usually this happens when the home directory cannot be mounted.
> >
> > Did you add the diskless machine in GOsa and run ldap2bind after that?
>
> You mean ldap2netgroup?

No, ldap2bind is correct. It's not in the search path of an ordinary
user: /usr/sbin/ldap2bind.

> > Whenever I tested that (and added the machine correctly to LDAP),
> > things worked fine here.
> >
>
> Nope, the documentation is still lacking such details for GOsa. I tried
> though to add the machine under administration->Systems->Net device.

I don't have time this month to work on that documentation.

> IP: 10.0.2.51
> Base: /Students
> MAC: the mac I found using dhcp leases
> Enable dhcp & Enable DNS.

I never tested with Bases other than /, so if it doesn't work with
/Students, try /.

> Are there more options that need to be changed from default?

You need to add the machine to the workstation-hosts netgroup (in the
NIS Netgroups-tab or in Administration->NIS Netgroups).

Cheers,

Andi

Archive: http://lists.debian.org/20110703072527.GA13512@flashgordon
Bug#632464: diskless machine probably not added in GOsa
tags 632464 + moreinfo unreproducible
thanks

Hi,

usually this happens when the home directory cannot be mounted.

Did you add the diskless machine in GOsa and run ldap2bind after that?
Whenever I tested that (and added the machine correctly to LDAP), things
worked fine here.

Best regards,

Andi

Archive: http://lists.debian.org/20110702134322.GA6609@flashgordon
Bug#631357: names seem to have changed
tags 631357 + pending # fixed in svn
thanks

Looks as if the devices get other names today. Fixed in svn, hopefully
there are no other changes necessary, but resizing worked again after
applying the fix.

Archive: http://lists.debian.org/20110623104958.GA3924@flashgordon
Bug#631357: debian-edu-config: debian-edu-fsautoresize does not work
Package: debian-edu-config
Severity: normal
User: debian-edu@lists.debian.org
UserTags: debian-edu

Hi,

unfortunately, it looks like debian-edu-fsautoresize does not work at
all for d-e-squeeze:

root@tjener:~# debian-edu-fsautoresize -vn
Checking / [/dev/mapper/vg_system-root] A: 983704 905648 28088 (0.0285533046526191%)
Checking /boot [/dev/sda1] A: 240972 22484 206047 (0.855066148764172%)
Checking /opt [/dev/mapper/vg_system-opt] A: 8978360 6365728 2156544 (0.240193532003618%)
Checking /skole/backup [/dev/mapper/vg_system-skole+backup] A: 325269 10287 298189 (0.916745831911433%)
Checking /skole/tjener/home0 [/dev/mapper/vg_system-skole+tjener+home0] A: 528112 178684 322600 (0.610855273123883%)
Checking /usr [/dev/mapper/vg_system-usr] A: 8732600 6533668 1755336 (0.201009550420264%)
Checking /var [/dev/mapper/vg_system-var] A: 4305784 476116 3610944 (0.838626368624158%)
Checking /var/opt/ltsp/swapfiles [/dev/mapper/vg_system-var+opt+ltsp+swapfiles] A: 729704 17156 675480 (0.925690416936182%)
Checking /var/spool/squid [/dev/mapper/vg_system-var+spool+squid] A: 325269 183142 125334 (0.385324147090562%)

And that's all :(

Cheers,

Andi

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/20110623085945.18450.54328.reportbug@flashgordon
Re: browser races
Dear Nigel,

On Wed, Jun 22, 2011 at 09:39:20AM +0900, Nigel Barker wrote:
>
> I have some concerns about browsers that might affect other schools,
> [...]
> So it seems that browsers are expected to be updated every few months
> nowadays! It might not be possible to even complete a school year with
> one version and still have everyone's apps/mail/ who knows what
> working. How would you manage this kind of thing on a skolelinux
> network? Create a local apt repo? Install from testing or unstable?
> How would you perform the updates on the individual workstations and
> servers all at once?

Are you aware of:

http://mozilla.debian.net/

Perhaps it's possible to use that archive in your case. Let us know if
it is a good (or at least working) solution.

Best regards,

Andi

Archive: http://lists.debian.org/20110622065304.GA4409@flashgordon
Bug#630970: added code to trigger disk read/write in svn
Hi, I added some code in svn that starts a process in the background which hopefully creates some entropy by trigering disk read/write: +TMPFILE=`mktemp` + +## Start process in the background: +egrep 'ab' /etc/* >> $TMPFILE 2>&1 & + +# lifetime 10 years $opensslbin req -new -x509 -nodes -sha1 \ -config $certconf -days 3650 \ - -out $privkey -keyout $privkey > /dev/null 2>&1 \ + -out $privkey -keyout $privkey >> $TMPFILE 2>&1 \ || echo "error: problems running openssl." 1>&2 +rm $TMPFILE We have to test if that helps. Cheers, Andi -- To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110621081812.GA26298@flashgordon
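Review bot: the background job started by `egrep 'ab' /etc/* >> $TMPFILE 2>&1 &` is never reaped: `rm $TMPFILE` runs as soon as openssl returns, while the grep may still be running and appending to the now-unlinked file, and the job outlives the script. Record its PID right after the `&` (`PID=$!`) and `kill "$PID" 2>/dev/null; wait "$PID"` before the `rm`. Quoting `"$TMPFILE"`, `"$privkey"` and `"$certconf"` would also keep the script working for paths with spaces. Whether reading files under /etc actually feeds the kernel entropy pool depends on them not already being in the page cache, which matches the message's own "we have to test if that helps"; a comment saying so at the `## Start process in the background:` line would stop the workaround from being read as a guaranteed fix.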
remaining errors testsuite
Hi,

I tried to find the reason for the remaining errors reported by the
testsuite (Terminalserver DVD installation):

error: can not find SSL certificate for http://www,
error: Unable to download http://ftp.skolelinux.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/netboot.tar.gz,
error: ./webserver: Missing /etc/iceweasel/profile/cert_override.txt.

I found that one if not the only reason for these errors is, that within
the installer, there is no DNS available. The network is available, but
hostnames cannot be resolved. I tried to understand why, but
/etc/resolv.conf and /target/etc/resolv.conf are rather confusing, a
broken link that starts working when rebooting after installation (?!?)
and so on.

Does anybody have more clue on how the network is managed in the
installer? It would be great to fix these remaining errors even if they
are not fatal.

Any help appreciated, best regards,

Andi

Archive: http://lists.debian.org/20110616204237.GA12951@flashgordon
Re: cd/dvd status
Hi,

On Wed, Jun 15, 2011 at 02:54:40PM +0200, Holger Levsen wrote:
> > I had to revert some modifications concerning krb5-config, as it was
> > not possible to login at all on other machines. I suggest to postpone
> > these modifications until wheezy. The same is valid for NFSv4 with
> > sec=krb5p:krb5i:krb5.
>
> So that means we still use unencrypted nfs3 and machines have to be
> added before users can log in?!
>

No, we use NFSv4, but without added kerberos
privacy/integrity/authentication. The machines have to be added to the
workstation-netgroup to be able to mount the home directories. It should
be possible to switch the features on easily at least for some profiles,
but this is not done out of the box yet. (I had other things to fix
before looking into that issue.)

Cheers,

Andi

Archive: http://lists.debian.org/20110615154608.GA4288@flashgordon
Re: cd/dvd status
Hi all,

On Tue, Jun 07, 2011 at 01:35:19AM +0200, Holger Levsen wrote:
> The big result of the meeting:
>
> - Beta1 release - codename "no more nice to have"
> - known problems: windows clients cannot join the samba domain
>
> --endquote ---
>
> afaik the installation also "hangs at the end" and diskless
> workstations don't get their hostname - anything else?
>
>
> cheers,
> Holger, who has not really read mail today, just skimmed irc
>
> and who also wants to get beta1 out in the next 12 days!!
>

After another week of testing, I am happy to report that the latest
DVD/CD seems to work. There are some minor errors left after reboot
depending on the chosen profile, but the system seems to slowly become
usable. I tested Tjener, Tjener+Terminalserver, Terminalserver and
Workstation. Thin-Clients and Diskless machines worked too.

I had to revert some modifications concerning krb5-config, as it was not
possible to login at all on other machines. I suggest to postpone these
modifications until wheezy. The same is valid for NFSv4 with
sec=krb5p:krb5i:krb5.

I did not look into samba.

So please test and help fixing the remaining issues,

best regards,

Andi

Archive: http://lists.debian.org/20110614181553.GA4433@flashgordon
Bug#630389: sitesummary-client: sitesummary client drops config snipplet in /etc/nagios/ but should use /etc/nagios/nrpe.d/
Hi,

On Mon, Jun 13, 2011 at 07:36:16PM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > check_kernel_status fails with UNKNOWN. This is not due to a newer
> > kernel, the lenny stuff works for squeeze, and the script gives the
> > correct answer when called on the command line. Modifications in
> > the script do not change the warning at all.
>
> Right. Same I have seen for a while. The error shows up for a while
> after the first boot, and then disappears after some time without
> anything being changed. I have not been able to figure out why it
> fails, but it is not related to moving any configuration.
>
> > However, I don't know where the warning comes from in the first
> > place.
>
> Me neither. I suspect some background job running after installation
> is blocking something, and the check starts working when this
> background job is done. But I have never been able to find such
> job. :)

When testing again, I found that indeed restarting nagios3 fixed the
wrong warning. Perhaps something does not yet work when nagios starts at
boot-time. I'll revert the changes in svn.

Cheers,

Andi

Archive: http://lists.debian.org/20110613192857.GC4107@flashgordon
Bug#630389: sitesummary-client: sitesummary client drops config snipplet in /etc/nagios/ but should use /etc/nagios/nrpe.d/
On Mon, Jun 13, 2011 at 07:14:29PM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > An error is reported by nagios although anything is OK.
>
> Which error? I know of one such error, and its reason is probably not
> what you suggested.

check_kernel_status fails with UNKNOWN. This is not due to a newer
kernel, the lenny stuff works for squeeze, and the script gives the
correct answer when called on the command line. Modifications in the
script do not change the warning at all.

After moving it to /etc/nagios3/ the warning vanished and anything works
as expected. However, I don't know where the warning comes from in the
first place.

Regards,

Andi

Archive: http://lists.debian.org/20110613172332.GB4107@flashgordon
Bug#630389: sitesummary-client: sitesummary client drops config snipplet in /etc/nagios/ but should use /etc/nagios/nrpe.d/
Package: sitesummary-client
Severity: important
User: debian-edu@lists.debian.org
Usertags: debian-edu

An error is reported by nagios although anything is OK. The reason seems
to be the wrong-placed nagios-nrpe-commands.cfg, (see subject.) From the
source of nagios-nrpe-2.12 (debian/patches/03_support_nrpe.d.dpatch, I
don't have the final file handy right now):

# you can place your config snipplets into nrpe.d/
include_dir=/etc/nagios/nrpe.d/

So I think this is where we should drop sitesummaries
nagios-nrpe-commands.cfg. Fixed in SVN.

Cheers,

Andi

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/20110613170536.9724.61005.reportbug@flashgordon
Re: GOsa/LDAP/Samba integration -> GoPDC integration in debian-edu-config
Hi,

On Mon, Jun 06, 2011 at 11:11:12PM +0200, Mike Gabriel wrote:
> last night I have looked into Samba+LDAP+GOsa. The realization about
> that part for Debian Edu/Skolelinux is: if we want flawless and
> fluent Windows integration in Debian Edu (yes, we want that!!!) then
> there is still a bunch of work to do. [...]
>
> Any comments, any other ideas?
>

Can we first bring the current system to a status where the things that
worked before the Hamburg meeting work again and the things we "fixed"
in Hamburg can be tested? I think of NetworkManager issues, NFS4 and
Kerberos, LTSP-Clients, ...

Best regards,

Andi

Archive: http://lists.debian.org/20110606212145.GB8029@flashgordon
Re: the gathering next week in hamburg...
Hi,

On Mon, May 30, 2011 at 01:26:16PM +0200, Holger Levsen wrote:
> On Monday, 30 May 2011, Holger Levsen wrote:
> > meet for dinner sounds like a great plan! 20oo?
>
> I suggest either "frank & frei" which is located close to the city
> center (S-Bahn Sternschanze) or the "Schachcafe" which is located
> directly at the subway station "Alte Wöhr" which is very close (800m or
> so) to the attraktor venue, where the gathering will take place.
>
> I'm fine with either.
>
> http://www.schachcafe-hamburg.de/
> http://www.qype.com/place/19530-Frank-und-Frei-Hamburg
>

I'm thinking about joining you and getting rid of traveling stress early
Friday morning. Would it be possible to spend the night "somewhere"?
(Mattress+sleeping-bag is available).

Best regards and looking forward to meet you all,

Andi

Archive: http://lists.debian.org/20110530183928.GA3542@flashgordon
Re: diskless workstation
Hi Volker,

On Tue, May 17, 2011 at 08:10:27PM +0200, Volker Cordes wrote:
> Do I have to register the clients somewhere? I changed /etc/exports to
> allow mounts from 192.168.0.0/24 because I still haven't installed the
> netgroups plugin.
>

I would expect that if you don't use the netgroups in /etc/exports
things should work. Also, if things work fine after reboot or
'sometimes', that is an indication that something else happens. No idea
what. If you can debug this further it would be great.

Best regards,

Andi

Archive: http://lists.debian.org/20110517185257.GA8623@flashgordon
Re: debian-edu squeeze feature complete
Hi all,

an update after the latest DVD build:

On Mon, May 09, 2011 at 08:40:02PM +0200, Andreas B. Mundt wrote:
>
> * kdm is missing after the installation. (?!)
>

kdm is installed and works again.

The netgroups plugin is not yet installed by default. Installation steps:

> aptitude install subversion
> svn co https://oss.gonicus.de/repositories/gosa-contrib/netgroups/trunk netgroups
> cd netgroups/
> update-gosa install plugin.dsc
> /etc/init.d/apache2 restart

Cheers,

Andi

Archive: http://lists.debian.org/20110516200752.GA17258@flashgordon
Re: debian-edu squeeze feature complete
Hi,

On Tue, May 10, 2011 at 11:56:22AM +0200, Holger Levsen wrote:
> On Monday, 9 May 2011, Andreas B. Mundt wrote:
> > after installing a debian-edu squeeze tjener from the latest DVD, I am
> > happy to announce that it looks like debian-edu is kind of feature
> > complete. [...]
> > But before that, add the netgroups plugin:
> >
> > aptitude install subversion
> > svn co https://oss.gonicus.de/repositories/gosa-contrib/netgroups/trunk netgroups
> > cd netgroups/
> > update-gosa install plugin.dsc
> > /etc/init.d/apache2 restart
> >
> > It should already work, and some more work is underway to make this
> > work out of the box:
> > https://forge.fusiondirectory.org/issues/238
> > https://forge.fusiondirectory.org/issues/233
>
> Do you think it's feasible to "drop" this into the debian-edu-config
> package (somehow+temporarily), so that we neither have to modify the
> gosa package that heavily nor introduce a new package?

I thought it would be easiest to drop the netgroups-plugin (which is an
extra package, as many GOsa plugins) in our skolelinux repo and install
it from there. No further configuration would be necessary. With this
approach we could fix bugs with a new package. For wheezy, the plugin
should be available in Debian's repositories.

However, if it is preferred to install the plugin directly with d-e-c,
this should be possible too.

Best regards,

Andi

Archive: http://lists.debian.org/20110512202543.GA4080@flashgordon
Re: fresh install problems
Hi Volker,

On Tue, May 10, 2011 at 07:32:08PM +0200, Volker Cordes wrote:
> I just installed debian edu based on squeeze and need some help with
> configuring the things I need. It would be great if you could point
> me to some documentation or answer my questions directly.
>
> So here is how far I got on my own (with help of the german mailing
> list):
> - Installed Tjener, workstation and terminal server
> - solved LDAP TLS issue (thanks to the german mailing list)
> - disabled netgroups in /etc/exports (granted access to *)
> - creating users works, also login on the workstation, TS and ThinClient
>
> But some problems remain:
> - I didn't add the workstation nor the terminal server to LDAP, I
> understand that the required gosa modules are missing. Is it
> necessary to add the machines?

If you use the * in /etc/exports and no netgroup features
(fs-autoresize etc.), it should work without. But it's not much work to
add the machines to netgroups. Have a look at:

http://lists.debian.org/debian-edu/2011/05/msg00052.html

and install the netgroups plugin as described.

> - I cannot connect my windows xp pro machine to the domain, I get
> "Domain not found". Is there a step by step guide for this? Since
> there is no lwat anymore the manual doesn't help or can I install
> lwat without problems?

I don't know anything about the windows stuff. :(

> - I would like to have diskless workstations. What do I have to do?

Take a look at
http://wiki.debian.org/DebianEdu/Documentation/Squeeze/HowTo/NetworkClients#Machine_type_selection_based_on_the_network
(The manual is not yet up to date for squeeze, but most things shouldn't
have changed from Lenny):

  If one wants clients on the 192.168.x.x interface of a thin client
  server to boot as diskless workstations instead of thin clients, edit
  /var/lib/tftpboot/ltsp/i386/pxelinux.cfg/default and add a '3' (no
  quotes) to the end of the line.

Please report all issues and problems you run into, so that we can
improve things.

Good luck!

Regards,

Andi

Archive: http://lists.debian.org/20110510195257.GA4662@flashgordon
debian-edu squeeze feature complete
Hi all,

after installing a debian-edu squeeze tjener from the latest DVD, I am
happy to announce that it looks like debian-edu is kind of feature
complete. However, there is still some work to do:

* kdm is missing after the installation. (?!)

Here is how to test the latest installation. After login from a remote
shell (ssh -X root@10.0.2.2):

aptitude update
aptitude install kdm
/etc/init.d/kdm start

You cannot login as root anymore, so add a user from the remote shell.
But before that, add the netgroups plugin:

aptitude install subversion
svn co https://oss.gonicus.de/repositories/gosa-contrib/netgroups/trunk netgroups
cd netgroups/
update-gosa install plugin.dsc
/etc/init.d/apache2 restart

It should already work, and some more work is underway to make this work
out of the box:

https://forge.fusiondirectory.org/issues/238
https://forge.fusiondirectory.org/issues/233

Now fire up iceweasel from remote and point the browser to www/gosa/,
login as super-admin with your root password, add a user and after that
you are able to login from the kdm screen.

It looks as if kdm is missing in the chroot as well. And there is still
the mysterious 'Nagios count NUMSVCUNKN is not zero ...'-error which
seems to be a fake.

Best regards and happy testing,

Andi

Archive: http://lists.debian.org/20110509184002.GA22718@flashgordon
Re: debian-edu on debconf11
Hi,

On Thu, May 05, 2011 at 10:16:19PM +0200, Holger Levsen wrote:
> On Thursday, 5 May 2011, Andreas B. Mundt wrote:
> > Are you going to be there too? Does anybody plan to give a
> > presentation about debian-edu? I think we should at least have some
> > kind of open discussion like a BoF session to discuss the present
> > status and further development.
>
> sounds like a great idea!
>
> Andreas, can you please submit an event, I'd suggest exactly what you
> suggested :) "plans & challenges for wheezy" 8-)
>

Done:

DebConf11 - submitted Events:

Debian-Edu: Current Status and Future Development
How can we make Debian even more attractive in education?

Event type : bof
Track :
Language : en
Event state : undecided
Progress : new

Abstract :
Debian-Edu/Skolelinux has come a long way: This year we celebrate its
10th anniversary. What are the plans and challenges for wheezy? We would
like to discuss the current status, problems, possible solutions and the
goals of the future development of Debian-Edu. Everybody interested in a
Debian pure blend especially targeted at schools and the area of
education is welcome.

Please report further ideas/content/changes.

Best regards,

Andi

Archive: http://lists.debian.org/20110506144414.GA9014@flashgordon
debian-edu on debconf11
Hi everybody,

yesterday I registered for debconf11. Unfortunately, I am not able to be
there from the beginning, but probably I'll turn up on Wednesday.

Are you going to be there too? Does anybody plan to give a presentation
about debian-edu? I think we should at least have some kind of open
discussion like a BoF session to discuss the present status and further
development.

Best regards,

Andi

Archive: http://lists.debian.org/20110505180003.GA4582@flashgordon
Re: Linux Musterlösung from the Landesmedienzentrum BW?
Hi,

On Mon, May 02, 2011 at 08:07:25PM +0200, Thomas Koch wrote:
> Philipp Huebner:
> > On 02/05/11 17:52, Thomas Koch wrote:
> > > to be seriously lacking behind Debian releases.
> >
> > To be honest - so does Debian Edu ;)
> Well, I should have made this more clear: They are currently in the
> release process of the first version based on Lenny! (AFAIK)
> It makes me wonder, if there is some conspiracy to let Linux look old
> by purpose. [...]

I am working at a school here in Baden-Württemberg, but we have the M$
Musterlösung in my school. When I tried to find out more about the
GNU/Linux version (on the web), I got almost exactly that expression:
There seems to be neither concern to share ideas and knowledge, nor the
interest to promote the System as a true alternative. Perhaps another
fig leaf which then ends commented as "we tried it, but _unfortunately_
the users prefer another system".

Regards,

Andi

Archive: http://lists.debian.org/20110502184152.GA28676@flashgordon
Re: gosa on installation from cd-squeeze-test-amd64-i386-netinst
Hi,

On Thu, Apr 28, 2011 at 09:40:37AM +0200, Frank Weißer wrote:
>
> I can login to gosa as admin with root-password but don't see any
> possibility to add users, groups, machines or anything else. Is my
> installation broken or how do I have to administrate tjener?
>

Log in as 'super-admin', not admin.

http://wiki.debian.org/DebianEdu/Documentation/Squeeze/GettingStarted

Cheers,

Andi

Archive: http://lists.debian.org/20110428112400.GA7511@flashgordon
Re: strange network-configuration on installation from cd-squeeze-test-amd64-i386-netinst
Hi Frank,

On Tue, Apr 26, 2011 at 10:33:52PM +0200, Frank Weißer wrote:
> I just tried to install a pure tjener from
>
> ftp://ftp.skolelinux.org/cd-squeeze-test-amd64-i386-netinst/debian-edu-amd64-i386-NETINST-1.iso
>
> date 17.04.2011 and get 10.0.2.2/255.255.254.0 as its network
> configuration.
>
> Having dhcp-clients connected to eth0 I get leases 10.0.2.xxx, but with
> Bcast:10.255.255.255 Maske:255.0.0.0
>

Unfortunately, the network definition in GOsa allows only the classical
A-, B- and C-networks but not the 255.255.254.0 network mask which was
used before. (No idea why 255.255.254.0 was chosen in the beginning). So
we can either choose 255.255.0.0 or 255.0.0.0 network masks for our
setup now. To keep the range of available network addresses as flexible
as possible, I decided to use a Class-A network mask. The configuration
of the tjener interface wasn't modified to reflect that, as things are
not yet settled.

Perhaps someone with deeper insights in the reasons why the network was
set up the way it is can comment on the issue and help how to proceed
with classical network masks best.

Best regards,

Andi

Archive: http://lists.debian.org/20110427102911.GA18972@flashgordon
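An added example (not Debian Edu, GOsa or BIND code) that serves this message and the reverse-lookup question raised in the "Problem handling thin clients' subnet" message further down: it computes which in-addr.arpa zones a network needs for a given mask, so one can see that the classful /8, /16 and /24 masks each map to a single reverse zone while 255.255.254.0 needs two, and it checks whether a PTR query for an address such as 192.168.0.254 is answered by the 2.0.10.in-addr.arpa zone. The network values are the ones named in the messages; the function names are made up here, and that a one-zone-per-network mapping is the reason behind GOsa's classful restriction is an assumption, not something the messages state.

```python
"""Reverse (in-addr.arpa) zone planning for the Debian Edu networks.

Added example, not code from Debian Edu, GOsa or BIND.  Network values
(10.0.2.0/23, 10.0.0.0/8, 192.168.0.0/24) are the ones named in the list
messages; the function names are made up for this example.
"""
from __future__ import annotations

import ipaddress
from typing import Optional

REVERSE_SUFFIX = "in-addr.arpa"


def reverse_zones(network: str) -> list[str]:
    """Return the in-addr.arpa zones that together cover `network`.

    Classic reverse zones are delegated on octet boundaries (/8, /16,
    /24), so a prefix that is not a multiple of 8 must be covered by
    several zones one octet boundary down: 10.0.2.0/23 becomes the two
    zones 2.0.10.in-addr.arpa and 3.0.10.in-addr.arpa.  A classful
    network (the only kind the GOsa network editor accepts, per the
    message) always maps to exactly one zone.
    """
    net = ipaddress.ip_network(network, strict=False)  # accepts 10.0.2.2/23
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("in-addr.arpa zones are IPv4 only")
    # Round the prefix up to the next octet boundary; /8 is the shortest
    # zone handed out here (a /0 would be the in-addr.arpa root itself).
    aligned = max(8, ((net.prefixlen + 7) // 8) * 8)
    zones = []
    for subnet in net.subnets(new_prefix=aligned):
        octets = str(subnet.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + "." + REVERSE_SUFFIX)
    return zones


def ptr_served_by(address: str, zone: str) -> bool:
    """True if the PTR owner name for `address` lies inside `zone`.

    The PTR name is the reversed address under in-addr.arpa, e.g.
    254.0.168.192.in-addr.arpa; a zone serves it only if that name ends
    with the zone name.  This is exactly the check that fails for
    192.168.0.254 against 2.0.10.in-addr.arpa.
    """
    ptr_name = ipaddress.ip_address(address).reverse_pointer
    return ptr_name == zone or ptr_name.endswith("." + zone)


def serving_zone(address: str, networks: list[str]) -> Optional[str]:
    """Return the reverse zone (derived from `networks`) that would answer
    a PTR query for `address`, or None if no zone covers it.

    The most specific zone wins, as when a resolver walks down the
    in-addr.arpa tree.
    """
    candidates = [z for n in networks for z in reverse_zones(n)
                  if ptr_served_by(address, z)]
    if not candidates:
        return None
    return max(candidates, key=lambda z: z.count("."))


if __name__ == "__main__":
    # The mask GOsa cannot express (255.255.254.0) versus the Class-A
    # mask chosen in the message: one needs two reverse zones, the other one.
    print("10.0.2.0/23 ->", reverse_zones("10.0.2.0/23"))
    print("10.0.0.0/8  ->", reverse_zones("10.0.0.0/8"))
    # The thin-client interface: no PTR answer from the main-net zone
    # alone, an answer once a zone for the 192.168.0.0/16 nets exists.
    for nets in (["10.0.2.0/23"], ["10.0.2.0/23", "192.168.0.0/16"]):
        print(nets, "-> PTR 192.168.0.254 served by",
              serving_zone("192.168.0.254", nets))
```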
Re: developer meeting in May in Hamburg?
Hi,

On Mon, Mar 28, 2011 at 01:01:52PM +0100, Holger Levsen wrote:
> I'm wondering who/how many would be joining a developer meeting May in
> Hamburg?

I am rather busy right now (and probably in May again), but I would try
to join you in any case.

> The goal I would like to work on is the release of Debian Edu squeeze.
> Probably also _only_ work on that? ;)

Yes, we should get that out the sooner the better ...

> I'm thinking about 6-8th or 13-15th of May, but that's just an idea to
> get some more comments.

For me, one weekend earlier (April 29th-May 1st) would be better,
because of vacancies (beginning April 22nd, ending May 1st.).

> So, comments? Would you be interested to join and make the Debian Edu
> squeeze release happen?!

Yes, definitely!

Cheers,

Andi

Archive: http://lists.debian.org/20110330191327.GA4108@flashgordon
Re: /etc/init.d/update-hostname and Networkmanager.
Hi,

On Fri, Mar 11, 2011 at 05:20:47PM +0100, Andreas Schockenhoff wrote:
> in /etc/init.d/update-hostname we try to set the hostname for the
> workstations from DNS Server.
>
> This can not work because Networkmanager is not started.

Strange, it works nicely here (latest DVD installation). The workstation
gets the hostname entered in GOsa at tjener (don't forget ldap2bind
after adding the machine). However, NetworkManager is doing the job, I
could not find a trace of the init script in the logs.

What fails here is PXE installations (installer freezes).

There are still some errors reported after installation from DVD,
however, I am not sure if they are all to be taken seriously: After
logging in only about 3 errors remain when running
/usr/sbin/debian-edu-test-install on the workstation/ltspserver. Perhaps
most of the errors after first boot are related to not as early working
network with NetworkManager as without?

Remaining errors tjener/terminal-server:

error: ./ldap-client: TLS search for cn=admins failed.
=> not yet investigated

error: ./nagios: Nagios count NUMSVCUNKN is not zero but 1.
=> unclear to me, the script (iirc in sitesummary) that reports the
error doesn't report any error when called alone(?!)

Remaining errors workstation/terminal-server:

error: ./ldap-client: TLS search for cn=admins failed.
error: ./ltsp: /etc/iceweasel/profile/cert_override.txt differ inside and outside LTSP
error: ./webserver: Missing /etc/iceweasel/profile/cert_override.txt.
=> none of the above investigated yet

Best regards,

Andi

Archive: http://lists.debian.org/20110311173129.GA6660@flashgordon
isc-dhcp-relay instead of isc-dhcp-server on terminal-servers?
Hi all,

while working on the DHCP-setup I accidentally met the isc-dhcp-relay
package which can be used to relay DHCP requests. For example, we could
use it instead of running dhcp-servers on the terminal-servers.

Is there a reason we don't use the relay method but stand-alone
dhcp-servers? (Tjener needs to be accessible in both cases, because the
configuration is fetched from tjener's ldap anyway).

An advantage of the relay method: You don't need to start several
dhcp-servers after modifications to the configuration. In a quick test
it looks like isc-dhcp-relay works fine.

Any opinions/experiences about that?

Best regards,

Andi

Archive: http://lists.debian.org/20110307085743.GA10786@flashgordon
Problem handling thin clients' "subnet" within GOsa (was: Re: DNS for the thin client network should be handlet by Gosa)
Hi all,

unfortunately it looks like we have a little problem with the DNS/GOsa setup.

In skolelinux, we have at least two networks: The 10.0.2.-net called main-net and the 192.168.-nets. However, both networks are part of the "intern" domain.

Now we need a zone to handle these networks. I prepared an "intern"-zone, the corresponding reverse zone is 2.0.10.in-addr.arpa. This is a standard setup and it can handle all requests asked concerning machines in the 10.0.2.-net.

What happens if I ask for the ltspserver's thin-client interface with associated name ltspserver? Well, I can add an A-record in the intern-zone that translates to 192.168.0.254. So far so good.

However, what happens if I ask for the reverse lookup, i.e. host 192.168.0.254? There is no lookup possible, because the reverse zone that corresponds to intern is 2.0.10.in-addr.arpa. and it is not taken into account when asking for an address like 192.168.0.254 not in 10.0.2.

So how to solve this? Add a reverse zone for 192.168.0.254 like 168.192.in-addr.arpa.? I tried that, but in GOsa the reverse zone is created automatically from the forward zone. Which means I have to create a zone corresponding to the 192.168.-net. But how should I call this zone? I have to use the same domain, i.e. "intern", which is not possible, because there is already the 10.0.2-net with that domain.

First I thought, well, the 192.168.-networks are subdomains. But from the old setup I saw that they are no subdomains at all. It's all the same domain "intern". But they are also no subnets in the sense that parts of the host addresses are used for the network address. 10.0.2.- and 192.168.- have no network-part in common.

So how can we solve that? I have no idea. The subdomains would be one solution, but I don't know how many changes that brings in the end. A second solution is the inclusion of all machines we want to manage under one domain with real subnets. That domain could be handled in a single zone-file, i.e. something like intern and 10.in-addr.arpa.

Both 'solutions' don't look very attractive in the short run.

Any ideas?

Best regards,

Andi

Archive: http://lists.debian.org/20110227195634.GA22274@flashgordon
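Added example, not part of the thread and not taken from the Debian Edu zone files or GOsa: a small Python script that shows why the 2.0.10.in-addr.arpa. zone cannot answer the reverse lookup for 192.168.0.254, and which reverse zones a set of forward records needs. The host names and addresses are constructed from the figures in the mail; the prefix length (24 for one zone per /24 such as 0.168.192.in-addr.arpa., 16 for a single 168.192.in-addr.arpa. zone) is a parameter of the example, not a GOsa setting.

```python
import ipaddress
from collections import defaultdict

# Constructed forward records for the "intern" zone, following the addresses
# in the mail; not taken from any Debian Edu LDAP or zone file.
FORWARD_RECORDS = [
    ("tjener.intern.", "10.0.2.2"),
    ("ltspserver.intern.", "10.0.2.10"),
    ("ltspserver.intern.", "192.168.0.254"),   # thin-client side interface
    ("static00.intern.", "192.168.0.10"),
]


def reverse_zone(ip, prefixlen):
    """Name of the in-addr.arpa zone holding the PTR for `ip` when reverse
    zones are cut at an octet boundary (prefixlen 8, 16 or 24)."""
    if prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned reverse zones are supported")
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    octets = str(net.network_address).split(".")[: prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip):
    """Owner name of the PTR record for `ip`, e.g. 254.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def zone_covers(zone, ip):
    """True if the PTR for `ip` can live under reverse zone `zone`."""
    return ptr_owner(ip).endswith("." + zone)


def missing_ptrs(records, configured_zones):
    """Addresses from `records` that no configured reverse zone can answer
    for: the 'host 192.168.0.254' problem from the mail."""
    return sorted({ip for _, ip in records
                   if not any(zone_covers(z, ip) for z in configured_zones)})


def plan_reverse_zones(records, prefixlen=24):
    """Group the PTR records the forward records need by reverse zone:
    {zone: [(ptr_owner, fqdn), ...]}, sorted for stable output."""
    zones = defaultdict(list)
    for fqdn, ip in records:
        zones[reverse_zone(ip, prefixlen)].append((ptr_owner(ip), fqdn))
    return {z: sorted(v) for z, v in sorted(zones.items())}


if __name__ == "__main__":
    print("unanswerable with only 2.0.10.in-addr.arpa.:",
          missing_ptrs(FORWARD_RECORDS, ["2.0.10.in-addr.arpa."]))
    for zone, ptrs in plan_reverse_zones(FORWARD_RECORDS).items():
        print(zone)
        for owner, fqdn in ptrs:
            print(f"  {owner} PTR {fqdn}")
```

With prefix length 24 the script produces one reverse zone per terminal-server network (0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa., ...), with 16 a single 168.192.in-addr.arpa. zone; either way the forward zone "intern" stays one zone, which is the mismatch the mail describes.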
Re: DNS for the thin client network should be handlet by Gosa (Was: r73056 - in trunk/src/debian-edu-config: . cf debian etc/bind ldap-bootstrap)
Hi Petter,

thanks for your comment.

On Fri, Feb 25, 2011 at 01:31:19PM +0100, Petter Reinholdtsen wrote:
> > * Move DNS resolution of 'ltspserver' from ldap to static files, as
> > the thin clients' subnet is not a subdomain that should be managed
> > in GOsa.
>
> Eh, of course it should. All hosts on the thin client network should
> have names, and it should be possible to put them in netgroups to get
> them to turn themselves automatically off during the night, as well as
> group them based on location.

Right, this is a good point and I am not sure how to implement that.

If the 192.168.0.-network is a subdomain, then the second terminal server serves the 192.168.1.-network? And the third one serves the 192.168.2.-network and so on? This would be different from the Figure in <http://wiki.debian.org/DebianEdu/Documentation/Squeeze/Architecture>, where from my understanding it's impossible to deduce from a given IP in the 192.168.0.-networks the corresponding machine. However, when we install a terminal-server, how does the installer know which 192.168.X.-network to implement? Is this correct?

If we define subdomains we would have for the terminal-servers something like:

ltspserver.subnet01.intern.
ltspserver.subnet02.intern.

and so on. This also wouldn't be a problem. Do we have names for these subdomains?

Any help is appreciated,

Andi

Archive: http://lists.debian.org/20110225125745.GA7684@flashgordon
Can we get rid of network-manager?
Hi,

when installing the workstation profile (I tested this in combination with the ltsp-server-profile), the network-manager package seems to spoil the installed system.

First, it removes the dhcp interface by adding '#NetworkManager#' in front of the relevant line in /etc/network/interfaces:

auto eth0
#NetworkManager#iface eth0 inet dhcp

Cf. #530024, #612247 and http://wiki.debian.org/NetworkManager for more information.

I tried to add the interface again. However, from the log messages I concluded that NetworkManager was still very active, for reasons I'm not sure make sense, because the machine failed to accept the name offered by dhcp, and there were other failures. I removed networkmanager now (see aptitude log below) and a whole bunch of other packages we don't want on a workstation could be removed too, because they had no dependencies left (libnss-mdns was installed). After these changes, the machine seems to work.

Can we make sure that NetworkManager isn't installed from the beginning? IIRC we already had discussions about that issue, but I don't remember the final conclusions (if any). To me it looks as if NetworkManager is unnecessary and only causes unforeseeable problems and complications.

Any hints or ideas?

Best regards,

Andi

From the successive aptitude runs:

Aptitude 0.6.3: log report
Wed, Feb 23 2011 19:57:56 +0100
[...]
Will install 1 packages, and remove 3 packages.
5,431 kB of disk space will be freed
===
[REMOVE, DEPENDENCIES] knm-runtime
[REMOVE, DEPENDENCIES] plasma-widget-networkmanagement
[INSTALL] libnss-mdns
[REMOVE] network-manager
===
Log complete.

Aptitude 0.6.3: log report
Wed, Feb 23 2011 19:59:46 +0100
[...]
Will install 0 packages, and remove 18 packages.
21.4 MB of disk space will be freed
===
[REMOVE, NOT USED] dnsmasq-base
[REMOVE, NOT USED] libnm-glib-vpn1
[REMOVE, NOT USED] libpcsclite1
[REMOVE, NOT USED] libpkcs11-helper1
[REMOVE, NOT USED] modemmanager
[REMOVE, NOT USED] network-manager-openvpn
[REMOVE, NOT USED] network-manager-pptp
[REMOVE, NOT USED] network-manager-vpnc
[REMOVE, NOT USED] openssl-blacklist
[REMOVE, NOT USED] openvpn
[REMOVE, NOT USED] openvpn-blacklist
[REMOVE, NOT USED] ppp
[REMOVE, NOT USED] pptp-linux
[REMOVE, NOT USED] tcl
[REMOVE, NOT USED] usb-modeswitch
[REMOVE, NOT USED] usb-modeswitch-data
[REMOVE, NOT USED] vpnc
[REMOVE, NOT USED] wpasupplicant
===

Archive: http://lists.debian.org/20110223194829.GA12780@flashgordon
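Added example, not from the thread: a Python check that scans an /etc/network/interfaces file for stanzas NetworkManager has disabled with its '#NetworkManager#' prefix, reports which interfaces ifupdown still manages, and strips the prefix again. The sample file content is constructed after the two lines quoted in the mail, not copied from an installation.

```python
import re

# Constructed /etc/network/interfaces content, after the two lines quoted in
# the mail; not copied from a real installation.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
#NetworkManager#iface eth0 inet dhcp
"""

NM_PREFIX = "#NetworkManager#"


def nm_disabled_interfaces(text):
    """Names of the interfaces whose 'iface' stanza NetworkManager commented
    out with its '#NetworkManager#' prefix."""
    names = []
    for line in text.splitlines():
        if line.startswith(NM_PREFIX):
            m = re.match(r"\s*iface\s+(\S+)", line[len(NM_PREFIX):])
            if m:
                names.append(m.group(1))
    return names


def ifupdown_managed(text):
    """Interfaces that have both an 'auto' and an active 'iface' line, i.e.
    the ones ifupdown will actually bring up at boot."""
    auto = set(re.findall(r"^auto\s+(\S+)", text, re.M))
    iface = set(re.findall(r"^iface\s+(\S+)", text, re.M))
    return sorted(auto & iface)


def restore_interfaces(text):
    """Return the file with the NetworkManager prefix stripped, handing the
    stanzas back to ifupdown. Callers write the result back themselves."""
    return "".join(
        (line[len(NM_PREFIX):] if line.startswith(NM_PREFIX) else line) + "\n"
        for line in text.splitlines()
    )


if __name__ == "__main__":
    # Run against a real file with: python3 thisfile.py < /etc/network/interfaces
    import sys
    content = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INTERFACES
    print("disabled by NetworkManager:", nm_disabled_interfaces(content))
    print("managed by ifupdown:", ifupdown_managed(content))
```

Restoring the stanza only helps while network-manager is absent or told to leave the interface alone; as the mail notes, with the package installed it kept acting on the interface regardless.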
Re: workstation problem is a ldap problem?
Hi all,

a short update from my side:

On Sat, Feb 19, 2011 at 06:22:54PM +0100, Andreas Schockenhoff wrote:
> a new hint. dns seams to works also on a workstation now.
>
> ldapsearch -xZWD
> 'uid=super-admin,ou=People,dc=skole,dc=skolelinux,dc=no'
>
> Works on tjener and on the diskless workstation but not on the extra
> installed workstation.
>
> ldapsearch -xZWD 'uid=super-admin,ou=People,dc=skole,dc=skolelinux,dc=no'
> ldap_start_tls: Connect error (-11)
> Enter LDAP Password:
> ldap_result: Can't contact LDAP server (-1)
>
> I also see some log messages that says "can not connect LDAP server".

Update on the latest fixes/problems (from debian-edu-changelog):
(<http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/?op=log&rev=0&sc=1&isdir=1>)

* Rename cf.ldap2bind to cf.bind. Add rule to switch off IPv6 for bind to silence IPv6 lookup failure messages.
==> fewer error messages in the syslog from named

* Fix bug in debian-edu-ldapserver that inhibits the fallback to 'ldap' as ldap server. State the cause of failure precisely in the log.
==> this makes the "can not connect LDAP server" messages vanish and many things start to work

* Add mail alias for bind pointing to root.

* Allow users of group 'bind' to write in /etc/bind/. Needed to make ldap2bind cronjob work.
==> this should make cronjob ldap2bind work

* Add 'current_directory = /' to exim's rootmail transport configuration to make mail services to root work again.
==> this should solve the exim-no-mail problem

These fixes will probably be uploaded tomorrow and should work as soon as the DVD is rebuilt after that.

New observations:

* After installation (workstation), I found one interface commented out in /etc/network/interfaces by NetworkManager (I remember that I have seen something like that before). After reactivation (and with the above fix to find 'ldap'), almost everything seems to work on my workstation.

* Workstation log messages do not appear on tjener (works on diskless).

For me diskless workstations work, but there are warnings/errors when booting and it's rather slow. So if someone could have a look into that, it would be great.

Best regards,

Andi

Archive: http://lists.debian.org/20110219200506.GA3289@flashgordon
Re: exim brocken in test debian-edu-squeeze?
Hi,

On Sat, Feb 19, 2011 at 12:33:33PM +0100, Andreas Schockenhoff wrote:
> Hi,
>
> On Sat, 2011-02-19 at 12:21 +0100, Andreas B. Mundt wrote:
> > > But exim seems to be broken no mail delivery to root.
> >
> > Right. Hmm. Permissions on /root seem not to allow the transport of
> > mail to root's mbox. Where is root's mail usually being delivered to?
> > Perhaps we have to change that location if we want to keep the
> > restrictive permissions.
>
> exim I have figured out like to deliver mail to /var/mail/mail instead of
> root on other systems. Also if root stands in /etc/alias. No idea
> why exim do this or if this is our problem.
>

Hm, in the exim config I have for the rootmail transport:

rootmail:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  file = /var/mail/root
  no_maildir_format
  mode = 0600
  no_mode_fail_narrower
  return_path_add
  user = mail

No idea why this is ignored. :(

Andi

Archive: http://lists.debian.org/20110219120940.GA29109@flashgordon
Re: cron for ldap2bind and exim brocken in test debian-edu-squeeze?
Hello,

On Sat, Feb 19, 2011 at 08:42:04AM +0100, Andreas Schockenhoff wrote:
> On Fri, 2011-02-18 at 23:39 +0100, Andreas B. Mundt wrote:
> > > May be it is a gosa to ldap problem because tjeners dns seams to be OK.
> >
> > See above, ldap2bind ?! (A cron job does this every hour and at boot).
>
> OK thanks thats helps.
>
> But exim seems to be broken no mail delivery to root.

Right. Hmm. Permissions on /root seem not to allow the transport of mail to root's mbox. Where is root's mail usually being delivered to? Perhaps we have to change that location if we want to keep the restrictive permissions.

> Also in cron:ldap2bind we use user bind. This seams to have not the
> rights to do his job.

Thanks! Fixed in svn by giving group members of 'bind' write access to /etc/bind.

Andi

Archive: http://lists.debian.org/20110219112153.GA25468@flashgordon
Re: SRV records can't point to CNAMEs
Hi,

On Sat, Feb 19, 2011 at 08:14:03AM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Hmm, I don't know how to fix this. To me it looks a bit like
> > sacrificing a clear and common DNS setup in favor of a very special
> > setup (for which I don't know how to get Kerberos working). This
> > tuned setup works out of the box at the University of Oslo in a
> > special environment, but causes hassle and confusion probably
> > everywhere else.
>
> Note that as far as I can tell, the university of Oslo is not a
> special environment, and the script is written to handle the common
> way to set up Kerberos and LDAP on unix in a mixed AD/Unix network.
> It allow Windows and AD clients to get their separate setup without
> one leaking into the other unless it is the indended behaviour. The
> script also generate what seem to be a working setup for mit.edu, and
> I would very much welcome info on other environments (DNS-domains)
> where I can test it. :)
>
> There were many considerations to take when writing the code to
> dynamically set up all clients during installation based on DNS, and I
> believe I ended up with the most sensible way to do it.
>

Well, I don't know. But I wonder when asking for the domain's ldap server in the basic setup right now (and not the mixed Windows AD setup):

root@localhost:~# nslookup -type=srv _ldap._tcp.intern
Server:         127.0.0.1
Address:        127.0.0.1#53

_ldap._tcp.intern       service = 100 0 389 tjener.intern.

I get the correct answer: LDAP is currently provided by tjener.intern. This is what I expect.

But if I use the script debian-edu-ldapserver, which I would think has exactly the same job, to tell me the ldap server, it fails. Hopefully this is fixed now with the latest commit. It fixes a bug that prevented the fallback to 'ldap' in debian-edu-ldapserver from working. Let's see how far we get with that now.

But if a function called 'find_ldap_server' does not find the ldapserver which is clearly announced by its service record in the domain, I'm not sure if that function works as intended.

Best regards,

Andi

Archive: http://lists.debian.org/20110219083648.GB12790@flashgordon
Re: DVD works again: please test, report and contribute to debian-edu-squeeze
Hi,

On Fri, Feb 18, 2011 at 11:24:44PM +0100, Andreas Schockenhoff wrote:
> On Fri, 2011-02-18 at 16:46 +0100, Andreas B. Mundt wrote:
> > I installed a combined server and a workstation. I can start a
> > diskless machine and log in. The hostname is like the one I set in
> > GOsa.
>
> The disk less terminals works here in 10er and 192er net. They have
> there name static00 like I set this in gosa. IP
> The disk less boots works but shows a lot of errors.
>
> But disk less workstations need the netgroup hack.
>
> I can not install over the network: partman hangs. May be a VirtualBox
> problem?

I don't have the partitioning errors (with KVM).

> > If I start the workstation, there is no way to log in, the hostname is
> > not set and other stuff fails too. So this is an issue.
>
> I can log in as root. :-) No DNS for hosts that I put with gosa in ldap.
> Also on tjener himself. host static00 not found.

Did you run ldap2bind after adding the machine?

> Disk less clients and workstations seams to get the name over DHCP?

Yes. I just explored that problem a bit more. Most if not all of the DNS related errors after installation correspond to the failure of debian-edu-ldapserver and/or the removal of the multiple A-records: cf. <http://lists.debian.org/debian-edu/2011/02/msg00179.html>

We can either change some scripts that expect multiple A-records or make Kerberos work with this multiplicity.

> > I plan the following:
> >
> > 1) It would be great if someone can have a look at the DNS and DHCP
> >    setup. (Related is the SRV-record/A-record problem:
> >    <http://lists.debian.org/debian-edu/2011/02/msg00160.html>)
> >
> > 2) Then of course we have to find the reasons for the error messages
> >    after installation. (If still there).
>
> May be it is a gosa to ldap problem because tjeners dns seams to be OK.

See above, ldap2bind ?! (A cron job does this every hour and at boot).

Good night,

Andi

Archive: http://lists.debian.org/20110218223920.GA4013@flashgordon
Re: SRV records can't point to CNAMEs
Hi Petter,

thanks for your reply:

On Fri, Feb 18, 2011 at 07:54:42PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Can you elaborate a bit on the scripts that provide this
> > configurations?
>
> See the postinst of the sssd package.
>
> > Would it be possible to modify debian-edu-ldapserver and perhaps
> > corresponding tools to work with the provided SRV-records?
>
> Sure, but it would break on sites where windows control the SRV
> records (required by Windows AD), and unix should not use AD as its
> LDAP server. This is the setup at the University of Oslo, where
> debian-edu-ldapserver and friends work out of the box.

Hmm, I don't know how to fix this. To me it looks a bit like sacrificing a clear and common DNS setup in favor of a very special setup (for which I don't know how to get Kerberos working). This tuned setup works out of the box at the University of Oslo in a special environment, but causes hassle and confusion probably everywhere else.

Any ideas how to solve that and continue?

Best regards,

Andi

Archive: http://lists.debian.org/20110218212955.GA29678@flashgordon
migrate users to debian-edu squeeze (was: Re: ldap: ou=group versus ou=groups)
Hi,

On Tue, Feb 15, 2011 at 11:18:05PM +0100, Christian Kuelker wrote:
> On 02/15/2011 07:31 PM, Andreas B. Mundt wrote:
> > I think the best way to do the migration is completely independent of
> > all changes I proposed:
>
> > * Prepare a list (csv) of all users for every category you use:
> > students, teachers, etc.
>
> Yes? At some schools the default database are indeed an external
> one. There this might be possible.
>
> However, for universities or large companies - where the users
> seldom change and large changes can be seen in LDAP, I always used
> the LDAP database as authoritative choice.

Sure, but it should not be too complicated to create a list of all users from ldap.

> Are you really suggesting to build a CSV file from a LDAP server to
> re-import that? Which LDAP attributes should be considered for the
> CVS file?

The simplest one is:

UID, GIVENNAME, SURNAME, PASSWD

one line per user. (You may create a random password for the last column, print the list on paper, cut strips and hand every strip to the corresponding user for the first login).

Now with this list, you use the LDAP-manager in GOsa. You are free to add other attributes and you are able to choose which column has which meaning. In addition, choose or prepare a template. The data is applied to that template when imported.

> > * Prepare a (GOsa-) template for each category.
>
> Could you elaborate more on this?

A template in GOsa is a predefined 'user' which defines attributes that are the same for all users. Currently there is a student and a teacher template. They differ in group membership. To add a student, the only thing you have to do is add his given and family name. The uid is created automatically (you can use %name etc. variables to fill some attributes; currently for the uid

idGenerator="{%givenName[3-6]}{%sn[3-6]}"

is used). Common attributes for all users of one category (like default shell) are taken from the template.

> > * Mass-create all users from the lists. For each category use the
> > corresponding template.
>
> Yes, that's it.

Shouldn't be too much hassle.

Best regards,

Andi

Archive: http://lists.debian.org/20110218204927.GA28750@flashgordon
Re: SRV records can't point to CNAMEs
Hi Petter,

I guess your help is needed on this issue ...

On Fri, Feb 18, 2011 at 12:09:04PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Is there a problem with that I've missed?
>
> I might be mistaken, but I believe the sssd setup script will actually
> look up the SRV entry and store the value it points to in its config
> file. Thus it do not help to change the SRV entry in DNS after sssd
> has been configured, as the sssd client will continue to use the old
> value.
>
> The value is copied to ensure that the client try to talk to the same
> servers even if it move to a different network.
>

Can you elaborate a bit on the scripts that provide these configurations?

I had a quick look at the find_ldap_server function in share/perl5/Debian/Edu.pm (debian-edu-config) which is used in debian-edu-ldapserver and fails on my workstation to provide the correct ldap server (resulting in an almost complete failure of the system). However, when I enter (on the workstation):

root@localhost:~# nslookup -type=srv _ldap._tcp.intern
Server:         127.0.0.1
Address:        127.0.0.1#53

_ldap._tcp.intern       service = 100 0 389 tjener.intern.

I get the correct answer: LDAP is currently provided by tjener.intern.

Would it be possible to modify debian-edu-ldapserver and perhaps corresponding tools to work with the provided SRV-records?

Best regards,

Andi

Archive: http://lists.debian.org/20110218171204.GA14204@flashgordon
Re: Bug#613167: /etc/hosts on Diskless Clients
X-Debbugs-Cc: vagr...@debian.org

Hi,

On Wed, Feb 16, 2011 at 09:59:44PM +0100, Wolfgang Schweer wrote:
> On Mi, 16 Feb 2011, Andreas B. Mundt wrote:
>
> > to get Diskless Clients work with Kerberos we first have to find a way
> > to modify the entries in /etc/hosts.
> >
> > Currently, there is an entry:
> >
> > 10.0.2.2 server
>
> This entry is supposed to be written by /usr/share/ltsp/screen.d/ldm
> (inside the chroot - by default /opt/ltsp/i386)

Thanks for the pointer. With its help I found the following: The 'server' looks like being hardcoded in the function configure_resolver() defined in:

/opt/ltsp/i386/usr/share/ltsp/ltsp-init-common

Any ideas how to modify that entry easily?

Regards,

Andi

Archive: http://lists.debian.org/20110218160347.GB7303@flashgordon
Re: DVD works again: please test, report and contribute to debian-edu-squeeze
Hi,

first, thanks for starting the tests!

On Fri, Feb 18, 2011 at 10:00:55AM +0100, Andreas Schockenhoff wrote:
> On Wed, 2011-02-16 at 23:10 +0100, Andreas B. Mundt wrote:
> > I am happy to report that the latest test-DVD of our forthcoming
> > debian-edu-squeeze release is ready for testing. It includes Kerberos
> > user (and mail) authorization, GOsa as LDAP admin tool and bind as
> > DNS. The home directory is distributed via NFSv4.
[...]
> I can log in as root get the web page log into gosa as admin. There I
> stops because only a menu for this user occurs. I can not add
> workstations or user.
> GOSA Error message:
> Cannot find a suitable password method for the current hash!

IIRC someone already replied: use 'super-admin' and the root password. I plan to add an 'admin' account with slightly limited permissions (only user/group and machine management and less confusing options, i.e. no sudo-stuff etc).

> -
> This message come up after installing tjener or combi-server:
> error: Unable to calculate size of partition for /var/spool/squid,
> error: ./dnsd: Unable to look up '192.168.0.254' on server
> 'localhost' ('' != 'ltspserver')., error: ./dnsd: Unable to look up
> '10.0.2.2' on server 'localhost' ('ldap.intern, error: ./filesystems:
> Using ext2 on /boot, error: ./filesystems: No lost+found
> in /skole/tjener/home0/. Blocked by autofs?, error: ./nagios: Nagios
> count NUMSVCCRIT is not zero but 1., error: ./network:
>
> Consider reporting them to the Debian Edu developers.
> -

Right, I also got some error reports. We have to check the origin, no idea yet.

> I get the message on workstation and combi-server that Cerberus has
> expired.

Correct. If you log in as (local) root, you don't use Kerberos. However, you can fetch a ticket by entering 'kinit' after login.

> A stand alone terminal server has problems in the partition tools: "To
> many primary partitions" Combi server seams to install.
>
> --
> So please tell us what we should test first to help you.
>
> I think tjener with normal workstations may be the first target. Or
> the combi server? Also the gosa menus? What is important?
>

I installed a combined server and a workstation. I can start a diskless machine and log in. The hostname is like the one I set in GOsa.

If I start the workstation, there is no way to log in, the hostname is not set and other stuff fails too. So this is an issue.

I plan the following:

1) It would be great if someone can have a look at the DNS and DHCP setup. (Related is the SRV-record/A-record problem: <http://lists.debian.org/debian-edu/2011/02/msg00160.html>)

2) Then of course we have to find the reasons for the error messages after installation. (If still there).

3) Polishing GOsa

4) Try to get NFSv4 with Kerberos to work on diskless clients. (<http://lists.debian.org/debian-edu/2011/02/msg00137.html>)

> I do not like to file bugs in this stage of testing any better ideas?

I think for now reporting 'unknown' failures to the list is enough. The bug reporting causes too much overhead at this early stage.

Best regards,

Andi

Archive: http://lists.debian.org/20110218154648.GA7303@flashgordon
Re: SRV records can't point to CNAMEs (Was: r73002 - in trunk/src/debian-edu-config: debian etc/bind ldap-bootstrap)
On Thu, Feb 17, 2011 at 06:03:02PM +0100, Petter Reinholdtsen wrote:
>
> [Andreas B. Mundt]
> > Remove duplicate A-records from DNS configuration to make sure the
> > reverse address mapping needed for reliably issuing a Kerberos service
> > ticket works. To move services to another machine, add the machine to
> > DNS, remove the CNAME-record(s) and modify the service record(s) to
> > point to that new machine.
> > (Cf. <http://lists.debian.org/debian-edu/2011/01/msg00041.html> and
> > thread).
>
> DNS do not allow SRV records to point to CNAME entries. To avoid
> breaking the DNS specification, a different solution is needed.
>

That's why I changed them to point to tjener.intern, the machine where the service is actually running after the default installation. To move services to other machines, these pointers have to be changed accordingly.

(With multiple A-records in place, you have to modify the A-records and PTR-records to correspond to the new machine. In that case you can leave the SRV-records untouched. Now you have to add the PTR- and A-record to the new machine, remove the CNAME and modify the SRV-record to point to that new machine.)

Is there a problem with that I've missed?

Regards,

Andi

Archive: http://lists.debian.org/20110217191331.GA30460@flashgordon
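Added example for the SRV-record discussion in this thread (the nslookup output and the find_ldap_server remarks above included); it is not from the thread and not the find_ldap_server function of debian-edu-config. It is a Python model of how a client should pick the LDAP server from the _ldap._tcp service record (RFC 2782 ordering by priority and weight) and why an SRV target that is a CNAME has to be rejected rather than followed. The zone data is constructed: the SRV record matches the nslookup output quoted above, while the ldap.intern. alias and the ldap2.intern. host are made up for the demonstration.

```python
import random

# Constructed zone data for the "intern" domain (not the project's bind
# files). The SRV record matches the nslookup output quoted in the thread;
# ldap.intern. (an alias) and ldap2.intern. are made up for the example.
ZONE = {
    "_ldap._tcp.intern.": [("SRV", (100, 0, 389, "tjener.intern."))],
    "tjener.intern.":     [("A", "10.0.2.2")],
    "ldap.intern.":       [("CNAME", "tjener.intern.")],
    "ldap2.intern.":      [("A", "10.0.2.3")],
}


def rrs(zone, name, rtype):
    """All rdata of type `rtype` at owner `name` (empty list if none)."""
    return [data for t, data in zone.get(name, []) if t == rtype]


def validate_srv_targets(zone):
    """RFC 2782 requires an SRV target to be a host with address records,
    not an alias. Return the (srv_owner, target) pairs that break that;
    a zone-wide lint to run before deploying a bind configuration."""
    bad = []
    for owner, records in zone.items():
        for rtype, data in records:
            if rtype == "SRV" and rrs(zone, data[3], "CNAME"):
                bad.append((owner, data[3]))
    return bad


def select_srv(srv_records, rng=random):
    """Order (target, port) pairs per RFC 2782: lowest priority first; within
    one priority a weighted random draw, zero-weight targets drawn last."""
    by_prio = {}
    for prio, weight, port, target in srv_records:
        by_prio.setdefault(prio, []).append([weight, port, target])
    ordered = []
    for prio in sorted(by_prio):
        pool = by_prio[prio]
        while pool:
            pool.sort(key=lambda r: r[0] != 0)   # zero weights to the front
            threshold = rng.randint(0, sum(r[0] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[0]
                if running >= threshold:
                    break
            ordered.append((rec[2], rec[1]))
            pool.pop(i)
    return ordered


def ldap_servers_from_srv(zone, domain="intern.", rng=random):
    """Resolve _ldap._tcp.<domain>. Returns (usable (host, port) pairs in
    RFC 2782 order, rejected alias targets). Only hosts with an A record
    count as usable; an alias target is reported instead of followed."""
    usable, rejected = [], []
    for host, port in select_srv(rrs(zone, "_ldap._tcp." + domain, "SRV"), rng):
        if rrs(zone, host, "CNAME"):
            rejected.append(host)
        elif rrs(zone, host, "A"):
            usable.append((host, port))
    return usable, rejected


if __name__ == "__main__":
    print("SRV targets that are aliases:", validate_srv_targets(ZONE))
    print("ldap servers:", ldap_servers_from_srv(ZONE))
```

A second SRV record with a lower priority value (say 50 for a future second server) is ordered before tjener automatically, which is the "modify the service record to point to that new machine" step from the commit message; no A or PTR record of tjener has to change for that.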
DVD works again: please test, report and contribute to debian-edu-squeeze
Hi all,

I am happy to report that the latest test-DVD of our forthcoming debian-edu-squeeze release is ready for testing. It includes Kerberos user (and mail) authorization, GOsa as LDAP admin tool and bind as DNS. The home directory is distributed via NFSv4.

You can rsync your DVD with:

rsync -avzP ftp.skolelinux.org::cd-squeeze-test-dvd/debian-edu-amd64-i386-DVD-1.iso debian-edu-DVD-1-squeeze.iso

It's the first time that all these components work together in our setup, so don't expect a perfect system yet. However, please test and report issues, in order to make polishing the setup easier.

To work around the (yet) missing netgroup support, modify /etc/exports to allow all hosts (replace @ by a *) if you need home directories mounted.

If all goes well, we hopefully can prepare a release candidate soon, perhaps with netgroup support and Kerberos NFSv4.

Happy testing,

Andi

Archive: http://lists.debian.org/20110216221048.GA14862@flashgordon
Bug#613167: /etc/hosts on Diskless Clients
Hi,

to get Diskless Clients work with Kerberos we first have to find a way to modify the entries in /etc/hosts.

Currently, there is an entry:

10.0.2.2 server

which spoils Kerberos (error messages about, for example, ldap/server@INTERN service tickets not being available).

I tried to find a way to change this by editing a variable in lts.conf, but without success (the same after considering 'man lts.conf').

Any help or pointers are appreciated,

Andi

Archive: http://lists.debian.org/20110216144632.GA17555@flashgordon
Bug#602859: netgroup support for gosa
Hey,

concerning the netgroups in GOsa, here's a collection of stuff that might help as a starter:

Very basic draft patch (no creation of any netgroups, just adding machines to existing ones):
<http://lists.debian.org/debian-edu/2010/04/msg00124.html>

Comment from Cajus:
<https://oss.gonicus.de/pipermail/gosa/2010-May/004547.html>

Perhaps it's possible to cooperate with the GOsa people, Benoit (on freenode irc 'gosa') might know if there are already activities/how to contribute etc. IIRC they also have a repository for contributions.

Best regards,

Andi

Archive: http://lists.debian.org/20110216124329.GA8534@flashgordon
Re: ldap: ou=group versus ou=groups
Hi again,

some more (and partially general) thoughts ...

On Tue, Feb 15, 2011 at 12:40:31PM +0100, Christian Kuelker wrote:
> On 02/15/2011 11:18 AM, Petter Reinholdtsen wrote:
> > I believe we should leave it unchanged unless we have a good reason to
> > change it.
>
> Every change in an LDAP DIT causes drain of human man power. Admins
> or maintenance contractors have to work more for using continuously
> Skolelinux. Migration scripts have to written any way, but the "s"
> add some extra minutes of writing, testing, verifying ... Which
> leads to demotivation and less acceptance.

I think the best way to do the migration is completely independent of all changes I proposed:

* Prepare a list (csv) of all users for every category you use: students, teachers, etc.

* Prepare a (GOsa-) template for each category.

* Mass-create all users from the lists. For each category use the corresponding template.

I cannot imagine a more efficient way to do that, and if we want to avoid that way and have it simpler we need to revert all the 'new stuff' (Kerberos, GOsa) which has been developed since lenny.

> If a change is nessessary due to technical reasons, this unavoidable
> drain of man power is mostly accepted.
>
> However if the cause is just a normative rule (that plural looks
> better) it is hardly to justify to use man power for a Debian Pure
> Blend that is not respecting the time of others.

Well, where do you draw the line? It is now the chance to make these changes (and in my opinion without extra minutes for the 's'). This chance will not come again soon (hopefully). The missing 's' will be missing "forever". If every second school in the world uses debian-edu ;-) it will be too late, but the missing 's' will still be annoying (at least to some).

It's clear that backwards compatibility is important. You have to compare what you gain with the work you create (especially for others).

My point of view is for sure the one of a developer not being the one who has to do the migration (but maybe this changes soon...). But I think (and made the experience when working on debian-edu) that after quite some years since the beginning of skolelinux, here and there cruft has built up. It's time to refurbish some things. This may cause a bit more work for now (not the 's'), but will in the end lead to a more attractive and better maintainable system. And this is true for maintainers, developers as well as for our users in the schools.

If you are too conservative, the "next generation" will one day overtake you.

Best Regards,

Andi

Archive: http://lists.debian.org/20110215183157.GA9023@flashgordon
Re: Is this package relevant for Debian-edu Squeeze?: slapd-smbk5pwd
Hi Jonas,

On Mon, Feb 14, 2011 at 09:33:12PM +0100, Jonas Smedegaard wrote:
> Just stumbled across the package slapd-smbk5pwd, which is also
> available in Debian Squeeze.
>
> Could those of you knowledgeable in Samba and Kerberos check it out?
>
> Seems potentially beneficial to use (and disable similar routines in
> high-level tools like GoSA and CipUX!) to have passwords in sync
> always, not only when using high-level admin tools.
>

Yes, the package is well-known. However, it is for Heimdal Kerberos
(which was missing other features when I compared Heimdal to MIT
Kerberos). Currently MIT Kerberos is used in debian-edu. Veli-Matti
Lintu prepared something comparable for MIT Kerberos IIRC, but it is
not (yet?) available in Debian.

Regards,

Andi

-- 
Archive: http://lists.debian.org/20110215170023.GA4704@flashgordon
Re: ldap: ou=group versus ou=groups
On Tue, Feb 15, 2011 at 11:18:25AM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > I don't know why ou=group was chosen,
>
> It was selected because it is the proposal in the only known document
> proposing a standardized LDAP structure, the draft available from
> <http://tools.ietf.org/html/draft-howard-rfc2307bis-02>. I saw no
> need to divert from this proposal.

Yeah, I looked into that too, but I think it's really just an example.
I don't think using ou=group or ou=groups is of any technical
relevance.

> > I cannot imagine that using ou=group or ou=groups makes any
> > difference for storing our posix groups, but from what I have seen,
> > it looks as if using ou=groups is more common and the linguistically
> > correct form.
>
> How do you determine that ou=groups is more common?

From books, mails, examples:

> At the University of Oslo, cn=filegroups and cn=netgroups are used.

:) cn=filegroups and cn=netgroups, both with the plural 's' ...

> The former represent the cn=group subtree in Skolelinux. In
> db.debian.org, file groups are stored in the ou=users subtree.

... ou=user_s_

Best regards,

Andi

-- 
Archive: http://lists.debian.org/20110215105622.GA10981@flashgordon
ldap: ou=group versus ou=groups
Hi,

in the process of overhauling the ldap tree, I am thinking about
renaming ou=group to ou=groups in order to better reflect the plural
form. I don't know why ou=group was chosen, perhaps because the
expired and in the meantime deleted RFC2307bis used ou=group in an
example. I cannot imagine that using ou=group or ou=groups makes any
difference for storing our posix groups, but from what I have seen, it
looks as if using ou=groups is more common and the linguistically
correct form.

The change is not worth an argument, but I think as we need to make
some changes in ldap with the upcoming release anyway, we should use
that chance to also improve that little thing. Neither using ou=groups
nor ou=group is a big deal, but we have to live for some (hopefully
long) time with what we choose now ...

What do you think?

Best regards,

Andi

-- 
Archive: http://lists.debian.org/20110215095811.GA4282@flashgordon
Re: NFS4 and Kerberos (next steps)
Hi Mike,

On Tue, Jan 11, 2011 at 11:20:15PM +0100, Mike Gabriel wrote:
> On So 09 Jan 2011 10:29:52 CET "Andreas B. Mundt" wrote:
> >On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
> >[...]
> >>Here is what I will do next:
> >>
> >>1)
> >>
> >>  o I have a Debian server setup in the cloud for my ,,company''
> >>with a working
> >>NFSv4+Kerberos server setup
> >>  o I have installed a Debian SID in the cloud today that I will
> >>integrate as
> >>NFSv4 client with sec=krb5p
> >>  o I will document all steps needed, this would be pure Debian then...
> >
> >OK.
>
> here are the test results for attaching a new NFS4+Krb5 client to a
> working server:
>
>   o standard Debian squeeze install
>   o extra packages: nfs-common krb5-user libnss-ldapd nslcd
>   o during install of the above packages...
>     - libnss/LDAP gets configured
>       - use LDAP for libnss services: passwd, group (not shadow)
>     - libpam/LDAP gets configured (not needed for pure NFSv4+Krb5)
>     - krb5.conf gets configured
>   o krb5.conf
>     - add ,,allow_weak_crypt = true'' under [libdefaults]
>     - add ,,default_domain'' option to the realm definition (section
>       [realms]):
>
>       INTERN = {
>           kdc = tjener.intern
>           default_domain = intern
>           admin_server = tjener.intern
>       }
>
>     - add domain2realm mapping to section [domain_realm]
>
>       .intern = INTERN
>       intern = INTERN
>
>     - add section ,,logging'' (I quite like that):
>
>       [logging]
>           kdc = FILE:/var/log/krb5kdc.log
>           admin_server = FILE:/var/log/kadmin.log
>           default = FILE:/var/log/krb5lib.log
>

OK, so far it looks like we do the same ...

>   o /etc/default/nfs-common:
>
>       NEED_IDMAPD=yes
>       NEED_GSSD=yes
>

That's the stuff we will see with the next d-e-c package upload.

>   o idmapd.conf: replace line
>
>       Domain = localdomain
>
>     for Skolelinux replace with domain name ,,intern''
>
>       Domain = intern
>       ^

Not yet implemented iirc, is this really needed?

>   o Make sure time between KDC and NFS client is in sync (ntp)!
>   o DNS Resolve of NFS Client FQDN:
>
>       ;; ANSWER SECTION:
>       dhcp001.intern.   83684   IN   A   10.0.2.101
>
>   o Reverse DNS Resolve of NFS Client IP
>
>       101.2.0.10.in-addr.arpa domain name pointer dhcp001.intern.
>
>   o For the KDC server / NFS Server DNS (Rev)Resolve must function in the same
>     way...
>
> These were the preparations... Now we come to the mount process and
> its preparations...
>
>
> ALL STEPS TAKE PLACE ON THE CLIENT AS USER ROOT
>
> 1.
> make sure NFS idmapd has read its new config:
>   /etc/init.d/nfs-common restart
>
> 2.
> create and add the NFS service principal to local krb5.keytab file
> (on the client dhcp001.intern), on my server I have a Kerberos
> policy called ,,service''...
>
>   kinit admin/admin
>   kadmin -q "add_principal -policy service -randkey nfs/dhcp001.intern"
>   kadmin -q "ktadd -k /etc/krb5.keytab nfs/dhcp001.intern"
>
> -> a host/dhcp001.intern principal is not needed!!!
>
> -> kadmin supports the option ,,-t keytabfile''. With that, the
>    password prompt of kadmin could be avoided.
>
> 3.
> As root, a test mount:
>   mount -tnfs4 -o sec=krb5p tjener.intern:/skole/tjener/home0 /mnt
>
> 4.
> Try
>
>   ls -al /mnt  -> should show home directories (with correct user id and group
>                   id mappings)
>   cd /mnt/     -> will fail... (Access denied)
>
> Then do (as root...):
>
>   su - <user>
>   kinit
>
> Now try (as <user>, still in su shell):
>
>   cd /mnt/      -> should work
>   ls -al /mnt/  -> should also work
>

Ok, that's where I'm currently stuck. I think this procedure works
already here (but have to check systematically again). What makes
problems right now afaics is:

1) the combination with the automounter (worked/stopped working,
   strange things, not clear what changed, etc. => check
   systematically, only gave it a first try so far).

2) login from kdm/gdm: The home dir is mounted (automounter) but not
   writable yet (not the case for sec=sys), so for (sec=krb5X)
   processes that try to write files complain and the user logging
Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)
Hi Petter,

I don't want to discuss the technical points, but:

On Sun, Jan 09, 2011 at 10:40:18PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > So I conclude, that the current DNS setup, as a mixture of ldap
> > objects prepared for bind with extra attributes to make powerDNS
> > (sort of) work, is broken.
>
> It is not quite as you expect it to be, but I would not go as far as
> claiming it is broken. It was broken and the installation failed
> completely (DNS failed to look up any info in LDAP) after you replaced
> the original powerdns tree with the gosa dns setup tree, but as you
> have noticed, I adjusted the gosa tree to get it to work again with
> powerdns.
>

I have the greatest respect for your work and experience, and all the
time you have devoted to debian-edu. Without that, skolelinux would
not be where and what it is today. By calling the setup "broken", I
did in no way want to decry the quality of your work.

However, you blame me here for breaking stuff and caring a shit about
it. The changes you probably mean can be found here, committed on
2010-11-10:

http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/ldap-tools/?rev=71084&sc=1

Two days before that commit, on 2010-11-09, we had an irc meeting
where we discussed how to proceed.

http://lists.debian.org/debian-edu/2010/11/msg00090.html

(The discussion/decision that we continue with GOsa was even earlier
around 2010-10-20). In the meeting I clearly stated:

"and1bm I do not have the time to work on the pdns issue (and I am not
sure if it's that easy)."

Already on 2010-10-29, about two weeks before the commit, I provided
the solution to solve the DNS problem with packages available in
Debian and minimal modifications as repeated yesterday:

http://lists.debian.org/debian-edu/2010/10/msg00209.html

What should I have done instead of committing the changes? Waiting for
the implementation of powerDNS in general? Doesn't the commit also
pave the way to start with the powerDNS implementation on the problem
itself and on other improvements?

[...]

> > With such a system, it's extremely hard to stay motivated, because
> > you waste your time fixing things that are "known not to work
> > properly" instead of really being able to test new things.
>
> Yes, but I managed to stay motivated anyway, even if you broke the
> installation by inserting a DNS LDAP tree that did not work with the
> packages we install.

If this is taken as an argument, I hope debian-edu does not evolve
into some kind of "intellectual masochism-club". Please compare with
my comment above. The solution was provided way in advance. If it's
not acceptable and technical arguments are not really convincing (at
least not for the temporary solution, if not at all), I don't see it
as my job (and I clearly expressed that, see also above) to provide
the solution that suits you.

> I hope you will manage the same, and keep up
> your good work while testing changes and ensuring that the
> installation keeps working.

Well, I have to say that in my daily work (that started today again,
btw), I have already a sufficiently high frustration potential, and I
don't think it's a good idea to further increase that in my spare
time. (It's already above the point where it can be seen as a good
exercise to push that level).

[...]

> Part of the reason we went with powerdns is that it fetches
> information directly from LDAP, so changes done to LDAP take effect
> immediately. A reason we moved the DNS from files to LDAP is to allow
> dynamic updates of DNS information without having to edit other
> packages' conffiles to ease upgrades and stay within the Debian policy
> requirements.

I don't see the need for immediate updates. In most schools the system
will be set up and not changed that often.

The Debian Policy is a rather funny argument. There is a directory
full of cf-rules that violates this policy. But we pick probably one
of the minor issues (adding a line in a config-file that includes
another file; isn't that almost .d-directory-like?) and use it to
promote source-code modification of packages. Or the use of modified
extra packages not in Debian. I wished we could use the time and
energy spent for these discussions to work on technical problems the
violation of Debian Policy (and that's the reason for the Policy)
causes.

However, I am looking forward to the time where powerDNS works nicely
in combination with GOsa.

Best regards,

Andi

-- 
Archive: http://lists.debian.org/20110110191208.ga7...@flashgordon
DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)
Hi again,

concerning the strange results which I blamed on multiple A-records, I
found something new. I started to doubt our powerdns setup and
modifying it in ldap got annoying, so I switched over to bind
instead[1]. After that, asking for DNS lookups changed.

PowerDNS:

r...@tjener:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.

With bind:

r...@workstation01:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
r...@workstation01:~# host ldap
ldap.intern has address 10.0.2.2
r...@workstation01:~# host www
www.intern is an alias for tjener.intern.
tjener.intern has address 10.0.2.2

As you see, ldap is an A-record as before (I double checked in
/etc/bind/db.intern), however host 10.0.2.2 is resolved to only
tjener.

So I conclude, that the current DNS setup, as a mixture of ldap
objects prepared for bind with extra attributes to make powerDNS (sort
of) work, is broken. In addition, there is absolutely no use of GOsa
with regard to DNS, as modifications are not accepted by GOsa with the
added powerDNS attributes.

With such a system, it's extremely hard to stay motivated, because you
waste your time fixing things that are "known not to work properly"
instead of really being able to test new things.

I propose three choices:

1) We move powerDNS to its own tree (as before) and switch off the
   "systems"-stuff in GOsa. This means we don't have a GUI to make
   changes, but hopefully a working DNS again that doesn't block all
   other activities.

2) We drop powerDNS and give bind a try. This means merely installing
   bind instead of powerDNS, appending a line to a configuration file
   and touching another one [1]. Regarding the simplicity, it could
   also be considered as an intermediate solution until we have
   something else.

3) Someone has time and volunteers to cooperate with Alejandro
   (<http://lists.debian.org/debian-edu/2010/12/msg00117.html>) to
   implement powerDNS in GOsa properly. This should happen soon,
   because the current broken system only leads to frustration.

So please comment on the issue. I think we should have other problems
than wasting time getting adventurous powerDNS/bind combinations
running, and the current situation is not acceptable.

Best regards,

Andi

[1] It's almost nothing that has to be done to use bind with the
current setup:

aptitude install bind9
aptitude install ldap2zone

# bind configuration:
echo 'include "/etc/bind/named.conf.ldap2zone";' >> /etc/bind/named.conf.local
touch /etc/bind/named.conf.ldap2zone
ldap2bind

# check if anything makes sense:
less /etc/bind/db.intern
less /etc/bind/db.2.0.10.in-addr.arpa.

If anything is fine, switch off pdns (in /etc/default):

--- a/default/pdns-recursor
+++ b/default/pdns-recursor
@@ -1,5 +1,5 @@
 # Variables for PowerDNS recursor
 #
 # Set START to yes to start the pdns-recursor
-START=yes
+START=no

--- a/default/pdns
+++ b/default/pdns
@@ -1,5 +1,5 @@
 # Variables for PowerDNS
 #
 # Whether you want to start PowerDNS automatically.
-START=yes
+START=no

http://lists.debian.org/debian-edu/2010/10/msg00209.html

-- 
Archive: http://lists.debian.org/20110109205430.ga17...@flashgordon
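Review bot: in both hunks (default/pdns-recursor and default/pdns) START=no only keeps the init scripts from launching PowerDNS at the next boot; the pdns and pdns-recursor processes already running on tjener keep answering queries until they are stopped, so bind9, installed at the top of the footnote, will not actually take over on a live system. Add an explicit `/etc/init.d/pdns stop` and `/etc/init.d/pdns-recursor stop` (or a reboot) after the edit, and note in the footnote that the two changes must be made together so no DNS server is left or both are left bound at once.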
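Two of the preconditions in Mike's NFS4+Krb5 list (the client's forward and reverse DNS must agree, and nfs/<fqdn> must be in the keytab) and the PowerDNS reverse-lookup result shown above can be checked mechanically. The script below is an added example, not from the thread: it runs on constructed `host` and `klist -k` output (the PTR lines are the ones quoted in the mails), with the realm INTERN and the names dhcp001.intern and tjener.intern taken from the thread.

```shell
#!/bin/sh
# Added example (not from the Debian Edu thread): pre-flight checks for an
# NFSv4 sec=krb5p client.  All sample outputs below are constructed; on a
# real client use:  host "$(hostname -f)"   host "$ip"   klist -k /etc/krb5.keytab

# Names returned by a reverse lookup, one per line, trailing dot stripped.
ptr_names() {
    printf '%s\n' "$1" | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF }'
}

# First address returned by a forward lookup ("name has address a.b.c.d").
a_record() {
    printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }'
}

# Returns 0 when fqdn -> ip -> fqdn round-trips through exactly one PTR.
# MIT krb5 canonicalises a server name through reverse DNS by default
# (rdns), so one unambiguous PTR is what makes the nfs/<fqdn> principal the
# client asks for deterministic; several PTRs for 10.0.2.2, as PowerDNS
# returned them in the thread, are not.
check_round_trip() {
    fqdn=$1; ip=$2; fwd=$3; rev=$4
    if [ "$(a_record "$fwd")" != "$ip" ]; then
        echo "forward lookup of $fqdn does not yield $ip"; return 1
    fi
    n=$(ptr_names "$rev" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "$ip has $n PTR records, expected exactly one"; return 1
    fi
    if [ "$(ptr_names "$rev")" != "$fqdn" ]; then
        echo "PTR for $ip is $(ptr_names "$rev"), not $fqdn"; return 1
    fi
    return 0
}

# Returns 0 when a klist -k listing contains nfs/<fqdn>@<realm>.
has_nfs_principal() {
    printf '%s\n' "$3" | grep -q "nfs/$1@$2"
}

# --- constructed sample data (names, realm and addresses from the thread) ---
CLIENT_FWD='dhcp001.intern has address 10.0.2.101'
CLIENT_REV='101.2.0.10.in-addr.arpa domain name pointer dhcp001.intern.'
TJENER_FWD='tjener.intern has address 10.0.2.2'
BIND_REV='2.2.0.10.in-addr.arpa domain name pointer tjener.intern.'
PDNS_REV='2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.'
KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 nfs/dhcp001.intern@INTERN'

check_round_trip dhcp001.intern 10.0.2.101 "$CLIENT_FWD" "$CLIENT_REV" && echo "client: ok"
check_round_trip tjener.intern 10.0.2.2 "$TJENER_FWD" "$BIND_REV" && echo "tjener (bind): ok"
check_round_trip tjener.intern 10.0.2.2 "$TJENER_FWD" "$PDNS_REV" || echo "tjener (powerdns): ambiguous"
has_nfs_principal dhcp001.intern INTERN "$KEYTAB" && echo "keytab: nfs principal present"
```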
Re: Testing changes to Debian Edu SVN
Hi,

On Sun, Jan 09, 2011 at 12:15:34AM +0100, Mike Gabriel wrote:
> I have a question about testing Debian Edu squeeze, esp. changes to
> Debian Edu SVN that concern the installation process of Debian Edu.
>
> Currently, if I want to test changes to Debian Edu, esp. the
> installation process, I have to download another daily built ISO
> (4.4G or 600M for the NETINST image) and re-install my system. This
> feels rather archaic... Is there a smarter way?
>
> Hints and ideas are very welcome,
> Mike
>

What I do is rsyncing the DVD image. This happens usually in an
acceptable time frame. However, the installation of a Workstation
(especially with LTSP) takes another couple of hours. Sooner or later
we should perhaps think about ways to reduce that, absolutely.
(<http://lists.debian.org/debian-edu/2010/12/msg00139.html>) Perhaps
providing a base version without any educational packages as install
option?

Another really good thing for testing: With the command:

etckeeper vcs diff

You can figure out what you changed when modifying the system (but no
ldap entries etc. of course).

Cheers,

Andi

-- 
Archive: http://lists.debian.org/20110109094534.gb3...@flashgordon