<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Vinmonopolet_bryter_loven___penlyst___og_flere_planlegger____gj__re_det_samme.html">Vinmonopolet bryter loven åpenlyst - og flere planlegger å gjøre det samme</a></div>
- <div class="date">2010-06-16 11:00</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">Testing if a file system can be used for home directories...</a></div>
+ <div class="date">2010-08-08 21:20</div>
<div class="body">
-<p><a href="http://www.dagbladet.no/2010/06/16/nyheter/innenriks/streik/arbeidsliv/12157858/">Dagbladet
-melder</a> at Vinmonopolet med bakgrunn i vekterstreiken som pågår i
-Norge for tiden, har bestemt seg for med vitende og vilje å bryte
-sentralbanklovens paragraf 14</a> ved å nekte folk å betale med
-kontanter, og at flere butikker planlegger å følge deres eksempel.
-Jeg synes det er hårreisende hvis de slipper unna med et slikt
-soleklart lovbrudd, og lurer på hva slags muligheter jeg vil ha hvis
-jeg blir nektet å handle med kontakter. Jeg handler i hovedsak med
-kontanter selv, da jeg anser det som en borgerrett å kunne handle
-anonymt uten at det blir registrert.
-
-<p><a href="http://www.lovdata.no/all/tl-19850524-028-003.html#14">Paragrafen
-i sentralbankloven</a> lyder:</p>
-
-<blockquote>
-<p>§ 14. Tvungent betalingsmiddel</p>
-
-<p>Bankens sedler og mynter er tvungent betalingsmiddel i Norge. Ingen
-er pliktig til i én betaling å ta imot mer enn femogtyve mynter av
-hver enhet.
+<p>A few years ago, I was involved in a project planning to use
+Windows file servers as home directory servers for Debian
+Edu/Skolelinux machines. This was thought to be no problem, as the
+access would be through the SMB network file system protocol, and we
+knew other sites used SMB with unix and samba as the file server to
+mount home directories without any problems. But, after months of
+struggling, we had to conclude that our goal was impossible.</p>
+
+<p>The reason is simply that while SMB can be used for home
+directories when the file server is Samba running on Unix, this only
+work because of Samba have some extensions and the fact that the
+underlying file system is a unix file system. When using a Windows
+file server, the underlying file system do not have POSIX semantics,
+and several programs will fail if the users home directory where they
+want to store their configuration lack POSIX semantics.</p>
+
+<p>As part of this work, I wrote a small C program I want to share
+with you all, to replicate a few of the problematic applications (like
+OpenOffice.org and GCompris) and see if the file system was working as
+it should. If you find yourself in spooky file system land, it might
+help you find your way out again. This is the fs-test.c source:</p>
+
+<pre>
+/*
+ * Some tests to check the file system sematics. Used to verify that
+ * CIFS from a windows server do not work properly as a linux home
+ * directory.
+ * License: GPL v2 or later
+ *
+ * needs libsqlite3-dev and build-essential installed
+ * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
+*/
+
+#define _FILE_OFFSET_BITS 64
+#define _LARGEFILE_SOURCE 1
+#define _LARGEFILE64_SOURCE 1
+
+#define _GNU_SOURCE /* for asprintf() */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifdef TEST_SQLITE
+/*
+ * Test sqlite open, as done by gcompris require the libsqlite3-dev
+ * package and linking with -lsqlite3. A more low level test is
+ * below.
+ * See also <URL: http://www.sqlite.org./faq.html#q5 >.
+ */
+#include <sqlite3.h>
+#define CREATE_TABLE_USERS \
+ "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); "
+int test_sqlite_open(void) {
+ char *zErrMsg;
+ char *name = "testsqlite.db";
+ sqlite3 *db=NULL;
+ unlink(name);
+ int rc = sqlite3_open(name, &db);
+ if( rc ){
+ printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
+ sqlite3_close(db);
+ return -1;
+ }
+
+ /* create tables */
+ rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg);
+ if( rc != SQLITE_OK ){
+ printf("error: sqlite table create failed: %s\n", zErrMsg);
+ sqlite3_close(db);
+ return -1;
+ }
+ printf("info: sqlite worked\n");
+ sqlite3_close(db);
+ return 0;
+}
+#endif /* TEST_SQLITE */
+
+/*
+ * Demonstrate locking issue found in gcompris using sqlite3. This
+ * work with ext3, but not with cifs server on Windows 2003. This is
+ * done in the sqlite3 library.
+ * See also
+ * <URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
+ * POSIX specification
+ * <URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
+ */
+int test_gcompris_locking(void) {
+ struct flock fl;
+ char *name = "testsqlite.db";
+ unlink(name);
+ int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
+ printf("info: testing fcntl locking\n");
+
+ fl.l_whence = SEEK_SET;
+ fl.l_pid = getpid();
+ printf(" Read-locking 1 byte from 1073741824");
+ fl.l_start = 1073741824;
+ fl.l_len = 1;
+ fl.l_type = F_RDLCK;
+ if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+ printf(" Read-locking 510 byte from 1073741826");
+ fl.l_start = 1073741826;
+ fl.l_len = 510;
+ fl.l_type = F_RDLCK;
+ if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+ printf(" Unlocking 1 byte from 1073741824");
+ fl.l_start = 1073741824;
+ fl.l_len = 1;
+ fl.l_type = F_UNLCK;
+ if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+ printf(" Write-locking 1 byte from 1073741824");
+ fl.l_start = 1073741824;
+ fl.l_len = 1;
+ fl.l_type = F_WRLCK;
+ if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+ printf(" Write-locking 510 byte from 1073741826");
+ fl.l_start = 1073741826;
+ fl.l_len = 510;
+ if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+ printf(" Unlocking 2 byte from 1073741824");
+ fl.l_start = 1073741824;
+ fl.l_len = 2;
+ fl.l_type = F_UNLCK;
+ if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+ close(fd);
+ return 0;
+}
-<p>Sterkt skadde sedler og mynter er ikke tvungent
-betalingsmiddel. Banken gir nærmere forskrifter om erstatning for
-bortkomne, brente eller skadde sedler og mynter.</p>
+/*
+ * Test if permissions of freshly created directories allow entries
+ * below them. This was a problem with OpenOffice.org and gcompris.
+ * Mounting with option 'sync' seem to solve this problem while
+ * slowing down file operations.
+ */
+int test_subdirectory_creation(void) {
+#define LEVELS 5
+ char *path = strdup("test");
+ char *dirs[LEVELS];
+ int level;
+ printf("info: testing subdirectory creation\n");
+ for (level = 0; level < LEVELS; level++) {
+ char *newpath = NULL;
+ if (-1 == mkdir(path, 0777)) {
+ printf(" error: Unable to create directory '%s': %s\n",
+ path, strerror(errno));
+ break;
+ }
+ asprintf(&newpath, "%s/%s", path, "test");
+ free(path);
+ path = newpath;
+ }
+ return 0;
+}
-<p>Selv om en avtale inneholder klausul om betaling av en
-pengeforpliktelse i gullverdi, kan skyldneren frigjøre seg med tvungne
-betalingsmidler uten hensyn til denne klausul.</p>
-</blockquote>
+/*
+ * Test if symlinks can be created. This was a problem detected with
+ * KDE.
+ */
+int test_symlinks(void) {
+ printf("info: testing symlink creation\n");
+ unlink("symlink");
+ if (-1 == symlink("file", "symlink"))
+ printf(" error: Unable to create symlink\n");
+ return 0;
+}
-<p>Det er med bakgrunn i denne lovet ikke tillatt å nekte å ta imot
-kontakt betaling. Det er en lov jeg har sans for, og som jeg mener må
-håndheves strengt.</p>
+int main(int argc, char **argv) {
+ printf("Testing POSIX/Unix sematics on file system\n");
+ test_symlinks();
+ test_subdirectory_creation();
+#ifdef TEST_SQLITE
+ test_sqlite_open();
+#endif /* TEST_SQLITE */
+ test_gcompris_locking();
+ return 0;
+}
+</pre>
+
+<p>When everything is working, it should print something like
+this:</p>
+
+<pre>
+Testing POSIX/Unix sematics on file system
+info: testing symlink creation
+info: testing subdirectory creation
+info: sqlite worked
+info: testing fcntl locking
+ Read-locking 1 byte from 1073741824
+ Read-locking 510 byte from 1073741826
+ Unlocking 1 byte from 1073741824
+ Write-locking 1 byte from 1073741824
+ Write-locking 510 byte from 1073741826
+ Unlocking 2 byte from 1073741824
+</pre>
+
+<p>I do not remember the exact details of the problems we saw, but one
+of them was with locking, where if I remember correctly, POSIX allow a
+read-only lock to be upgraded to a read-write lock without unlocking
+the read-only lock (while Windows do not). Another was a bug in the
+CIFS/SMB client implementation in the Linux kernel where directory
+meta information would be wrong for a fraction of a second, making
+OpenOffice.org fail to create its deep directory tree because it was
+not allowed to create files in its freshly created directory.</p>
+
+<p>Anyway, here is a nice tool for your tool box, might you never need
+it. :)</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Officeshots_taking_shape.html">Officeshots taking shape</a></div>
- <div class="date">2010-06-13 11:40</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html">Autodetecting Client setup for roaming workstations in Debian Edu</a></div>
+ <div class="date">2010-08-07 14:45</div>
<div class="body">
-<p>For those of us caring about document exchange and
-interoperability, <a href="http://www.officeshots.org/">OfficeShots</a>
-is a great service. It is to ODF documents what
-<a href="http://browsershots.org/">BrowserShots</a> is for web
-pages.</p>
-
-<p>A while back, I was contacted by Knut Yrvin at the part of Nokia
-that used to be Trolltech, who wanted to help the OfficeShots project
-and wondered if the University of Oslo where I work would be
-interested in supporting the project. I helped him to navigate his
-request to the right people at work, and his request was answered with
-a spot in the machine room with power and network connected, and Knut
-arranged funding for a machine to fill the spot. The machine is
-administrated by the OfficeShots people, so I do not have daily
-contact with its progress, and thus from time to time check back to
-see how the project is doing.</p>
-
-<p>Today I had a look, and was happy to see that the Dell box in our
-machine room now is the host for several virtual machines running as
-OfficeShots factories, and the project is able to render ODF documents
-in 17 different document processing implementation on Linux and
-Windows. This is great.</p>
+<p>A few days ago, I
+<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
+to install</a> a Roaming workation profile from Debian Edu/Squeeze
+while on the university network here at the University of Oslo, and
+noticed how much had to change to get it operational using the
+university infrastructure. It was fairly easy, but it occured to me
+that Debian Edu would improve a lot if I could get the client to
+connect without any changes at all, and thus let the client configure
+itself during installation and first boot to use the infrastructure
+around it. Now I am a huge step further along that road.</p>
+
+<p>With our current squeeze-test packages, I can select the roaming
+workstation profile and get a working laptop connecting to the
+university LDAP server for user and group and our active directory
+servers for Kerberos authentication. All this without any
+configuration at all during installation. My users home directory got
+a bookmark in the KDE menu to mount it via SMB, with the correct URL.
+In short, openldap and sssd is correctly configured. In addition to
+this, the client look for http://wpad/wpad.dat to configure a web
+proxy, and when it fail to find it no proxy settings are stored in
+/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is
+configured to look for the same wpad configuration and also do not use
+a proxy when at the university network. If the machine is moved to a
+network with such wpad setup, it would automatically use it when DHCP
+gave it a IP address.</p>
+
+<p>The LDAP server is located using DNS, by first looking for the DNS
+entry ldap.$domain. If this do not exist, it look for the
+_ldap._tcp.$domain SRV records and use the first one as the LDAP
+server. Next, it connects to the LDAP server and search all
+namingContexts entries for posixAccount or posixGroup objects, and
+pick the first one as the LDAP base. For Kerberos, a similar
+algorithm is used to locate the LDAP server, and the realm is the
+uppercase version of $domain.</p>
+
+<p>So, what is not working, you might ask. SMB mounting my home
+directory do not work. No idea why, but suspected the incorrect
+Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
+the cause. These are not properly configured during installation, and
+had to be hand-edited to get the correct Kerberos realm and server,
+but SMB mounting still do not work. :(</p>
+
+<p>With this automatic configuration in place, I expect a Debian Edu
+roaming profile installation would be able to automatically detect and
+connect to any site using LDAP and Kerberos for NSS directory and PAM
+authentication. It should also work out of the box in a Active
+Directory environment providing posixAccount and posixGroup objects
+with UID and GID values.</p>
+
+<p>If you want to help out with implementing these things for Debian
+Edu, please contact us on debian-edu@lists.debian.org.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/standard">standard</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__removals_by_apt_and_aptitude.html">Lenny->Squeeze upgrades, removals by apt and aptitude</a></div>
- <div class="date">2010-06-13 09:05</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">Debian Edu roaming workstation - at the university of Oslo</a></div>
+ <div class="date">2010-08-03 23:30</div>
<div class="body">
-<p>My
-<a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">testing
-of Debian upgrades</a> from Lenny to Squeeze continues, and I've
-finally made the upgrade logs available from
-<a href="http://people.skolelinux.org/pere/debian-upgrade-testing/">http://people.skolelinux.org/pere/debian-upgrade-testing/</a>.
-I am now testing dist-upgrade of Gnome and KDE in a chroot using both
-apt and aptitude, and found their differences interesting. This time
-I will only focus on their removal plans.</p>
-
-<p>After installing a Gnome desktop and the laptop task, apt-get wants
-to remove 72 packages when dist-upgrading from Lenny to Squeeze. The
-surprising part is that it want to remove xorg and all
-xserver-xorg-video* drivers. Clearly not a good choice, but I am not
-sure why. When asking aptitude to do the same, it want to remove 129
-packages, but most of them are library packages I suspect are no
-longer needed. Both of them want to remove bluetooth packages, which
-I do not know. Perhaps these bluetooth packages are obsolete?</p>
-
-<p>For KDE, apt-get want to remove 82 packages, among them kdebase
-which seem like a bad idea and xorg the same way as with Gnome. Asking
-aptitude for the same, it wants to remove 192 packages, none which are
-too surprising.</p>
-
-<p>I guess the removal of xorg during upgrades should be investigated
-and avoided, and perhaps others as well. Here are the complete list
-of planned removals. The complete logs is available from the URL
-above. Note if you want to repeat these tests, that the upgrade test
-for kde+apt-get hung in the tasksel setup because of dpkg asking
-conffile questions. No idea why. I worked around it by using
-'<tt>echo >> /proc/<em>pidofdpkg</em>/fd/0</tt>' to tell dpkg to
-continue.</p>
-
-<p><b>apt-get gnome 72</b>
-<br>bluez-gnome cupsddk-drivers deskbar-applet gnome
- gnome-desktop-environment gnome-network-admin gtkhtml3.14
- iceweasel-gnome-support libavcodec51 libdatrie0 libgdl-1-0
- libgnomekbd2 libgnomekbdui2 libmetacity0 libslab0 libxcb-xlib0
- nautilus-cd-burner python-gnome2-desktop python-gnome2-extras
- serpentine swfdec-mozilla update-manager xorg xserver-xorg
- xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-evdev
- xserver-xorg-input-kbd xserver-xorg-input-mouse
- xserver-xorg-input-synaptics xserver-xorg-input-wacom
- xserver-xorg-video-all xserver-xorg-video-apm xserver-xorg-video-ark
- xserver-xorg-video-ati xserver-xorg-video-chips
- xserver-xorg-video-cirrus xserver-xorg-video-cyrix
- xserver-xorg-video-dummy xserver-xorg-video-fbdev
- xserver-xorg-video-glint xserver-xorg-video-i128
- xserver-xorg-video-i740 xserver-xorg-video-imstt
- xserver-xorg-video-intel xserver-xorg-video-mach64
- xserver-xorg-video-mga xserver-xorg-video-neomagic
- xserver-xorg-video-nsc xserver-xorg-video-nv
- xserver-xorg-video-openchrome xserver-xorg-video-r128
- xserver-xorg-video-radeon xserver-xorg-video-radeonhd
- xserver-xorg-video-rendition xserver-xorg-video-s3
- xserver-xorg-video-s3virge xserver-xorg-video-savage
- xserver-xorg-video-siliconmotion xserver-xorg-video-sis
- xserver-xorg-video-sisusb xserver-xorg-video-tdfx
- xserver-xorg-video-tga xserver-xorg-video-trident
- xserver-xorg-video-tseng xserver-xorg-video-v4l
- xserver-xorg-video-vesa xserver-xorg-video-vga
- xserver-xorg-video-vmware xserver-xorg-video-voodoo xulrunner-1.9
- xulrunner-1.9-gnome-support</p>
-
-<p><b>aptitude gnome 129</b>
-
-<br>bluez-gnome bluez-utils cpp-4.3 cupsddk-drivers dhcdbd
- djvulibre-desktop finger gnome-app-install gnome-mount
- gnome-network-admin gnome-spell gnome-vfs-obexftp
- gnome-volume-manager gstreamer0.10-gnomevfs gtkhtml3.14 libao2
- libavahi-compat-libdnssd1 libavahi-core5 libavcodec51 libbluetooth2
- libcamel1.2-11 libcdio7 libcucul0 libcupsys2 libcurl3 libdatrie0
- libdirectfb-1.0-0 libdvdread3 libedataserver1.2-9 libeel2-2.20
- libeel2-data libepc-1.0-1 libepc-ui-1.0-1 libfaad0 libgail-common
- libgd2-noxpm libgda3-3 libgda3-common libgdl-1-0 libgdl-1-common
- libggz2 libggzcore9 libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0
- libgnomecups1.0-1 libgnomekbd2 libgnomekbdui2 libgnomeprint2.2-0
- libgnomeprint2.2-data libgnomeprintui2.2-0 libgnomeprintui2.2-common
- libgnomevfs2-bin libgpod3 libgraphviz4 libgtkhtml2-0
- libgtksourceview-common libgtksourceview1.0-0 libgucharmap6
- libhesiod0 libicu38 libiw29 libkpathsea4 libltdl3 libmagick++10
- libmagick10 libmalaga7 libmetacity0 libmtp7 libmysqlclient15off
- libnautilus-burn4 libneon27 libnm-glib0 libnm-util0 libopal-2.2
- libosp5 libparted1.8-10 libpoppler-glib3 libpoppler3 libpt-1.10.10
- libpt-1.10.10-plugins-alsa libpt-1.10.10-plugins-v4l libraw1394-8
- libsensors3 libslab0 libsmbios2 libsoup2.2-8 libssh2-1
- libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 libtotem-plparser10
- libtrackerclient0 libxalan2-java libxalan2-java-gcj libxcb-xlib0
- libxerces2-java libxerces2-java-gcj libxklavier12 libxtrap6
- libxxf86misc1 libzephyr3 mysql-common nautilus-cd-burner
- openoffice.org-writer2latex openssl-blacklist p7zip
- python-4suite-xml python-eggtrayicon python-gnome2-desktop
- python-gnome2-extras python-gtkhtml2 python-gtkmozembed
- python-numeric python-sexy serpentine svgalibg1 swfdec-gnome
- swfdec-mozilla totem-gstreamer update-manager wodim
- xserver-xorg-video-cyrix xserver-xorg-video-imstt
- xserver-xorg-video-nsc xserver-xorg-video-v4l xserver-xorg-video-vga
- zip</p>
-
-<p><b>apt-get kde 82</b>
-
-<br>cupsddk-drivers karm kaudiocreator kcoloredit kcontrol kde kde-core
- kdeaddons kdeartwork kdebase kdebase-bin kdebase-bin-kde3
- kdebase-kio-plugins kdesktop kdeutils khelpcenter kicker
- kicker-applets knewsticker kolourpaint konq-plugins konqueror korn
- kpersonalizer kscreensaver ksplash libavcodec51 libdatrie0 libkiten1
- libxcb-xlib0 quanta superkaramba texlive-base-bin xorg xserver-xorg
- xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-evdev
- xserver-xorg-input-kbd xserver-xorg-input-mouse
- xserver-xorg-input-synaptics xserver-xorg-input-wacom
- xserver-xorg-video-all xserver-xorg-video-apm xserver-xorg-video-ark
- xserver-xorg-video-ati xserver-xorg-video-chips
- xserver-xorg-video-cirrus xserver-xorg-video-cyrix
- xserver-xorg-video-dummy xserver-xorg-video-fbdev
- xserver-xorg-video-glint xserver-xorg-video-i128
- xserver-xorg-video-i740 xserver-xorg-video-imstt
- xserver-xorg-video-intel xserver-xorg-video-mach64
- xserver-xorg-video-mga xserver-xorg-video-neomagic
- xserver-xorg-video-nsc xserver-xorg-video-nv
- xserver-xorg-video-openchrome xserver-xorg-video-r128
- xserver-xorg-video-radeon xserver-xorg-video-radeonhd
- xserver-xorg-video-rendition xserver-xorg-video-s3
- xserver-xorg-video-s3virge xserver-xorg-video-savage
- xserver-xorg-video-siliconmotion xserver-xorg-video-sis
- xserver-xorg-video-sisusb xserver-xorg-video-tdfx
- xserver-xorg-video-tga xserver-xorg-video-trident
- xserver-xorg-video-tseng xserver-xorg-video-v4l
- xserver-xorg-video-vesa xserver-xorg-video-vga
- xserver-xorg-video-vmware xserver-xorg-video-voodoo xulrunner-1.9</p>
-
-<p><b>aptitude kde 192</b>
-<br>bluez-utils cpp-4.3 cupsddk-drivers cvs dcoprss dhcdbd
- djvulibre-desktop dosfstools eyesapplet fifteenapplet finger gettext
- ghostscript-x imlib-base imlib11 indi kandy karm kasteroids
- kaudiocreator kbackgammon kbstate kcoloredit kcontrol kcron kdat
- kdeadmin-kfile-plugins kdeartwork-misc kdeartwork-theme-window
- kdebase-bin-kde3 kdebase-kio-plugins kdeedu-data
- kdegraphics-kfile-plugins kdelirc kdemultimedia-kappfinder-data
- kdemultimedia-kfile-plugins kdenetwork-kfile-plugins
- kdepim-kfile-plugins kdepim-kio-plugins kdeprint kdesktop kdessh
- kdict kdnssd kdvi kedit keduca kenolaba kfax kfaxview kfouleggs
- kghostview khelpcenter khexedit kiconedit kitchensync klatin
- klickety kmailcvt kmenuedit kmid kmilo kmoon kmrml kodo kolourpaint
- kooka korn kpager kpdf kpercentage kpf kpilot kpoker kpovmodeler
- krec kregexpeditor ksayit ksim ksirc ksirtet ksmiletris ksmserver
- ksnake ksokoban ksplash ksvg ksysv ktip ktnef kuickshow kverbos
- kview kviewshell kvoctrain kwifimanager kwin kwin4 kworldclock
- kxsldbg libakode2 libao2 libarts1-akode libarts1-audiofile
- libarts1-mpeglib libarts1-xine libavahi-compat-libdnssd1
- libavahi-core5 libavc1394-0 libavcodec51 libbluetooth2
- libboost-python1.34.1 libcucul0 libcurl3 libcvsservice0 libdatrie0
- libdirectfb-1.0-0 libdjvulibre21 libdvdread3 libfaad0 libfreebob0
- libgail-common libgd2-noxpm libgraphviz4 libgsmme1c2a libgtkhtml2-0
- libicu38 libiec61883-0 libindex0 libiw29 libk3b3 libkcal2b libkcddb1
- libkdeedu3 libkdepim1a libkgantt0 libkiten1 libkleopatra1 libkmime2
- libkpathsea4 libkpimexchange1 libkpimidentities1 libkscan1
- libksieve0 libktnef1 liblockdev1 libltdl3 libmagick10 libmimelib1c2a
- libmozjs1d libmpcdec3 libneon27 libnm-util0 libopensync0 libpisock9
- libpoppler-glib3 libpoppler-qt2 libpoppler3 libraw1394-8 libsmbios2
- libssh2-1 libsuitesparse-3.1.0 libtalloc1 libtiff-tools
- libxalan2-java libxalan2-java-gcj libxcb-xlib0 libxerces2-java
- libxerces2-java-gcj libxtrap6 mpeglib networkstatus
- openoffice.org-writer2latex pmount poster psutils quanta quanta-data
- superkaramba svgalibg1 tex-common texlive-base texlive-base-bin
- texlive-common texlive-doc-base texlive-fonts-recommended
- xserver-xorg-video-cyrix xserver-xorg-video-imstt
- xserver-xorg-video-nsc xserver-xorg-video-v4l xserver-xorg-video-vga
- xulrunner-1.9</p>
-
+<p>The new roaming workstation profile in Debian Edu/Squeeze is fairly
+similar to the laptop setup am I working on using Ubuntu for the
+University of Oslo, and just for the heck of it, I tested today how
+hard it would be to integrate that profile into the university
+infrastructure. In this case, it is the university LDAP server,
+Active Directory Kerberos server and SMB mounting from the Netapp file
+servers.</p>
+
+<p>I was pleasantly surprised that the only three files needed to be
+changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
+/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added
+(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
+Most of the changes were to get the client to use the university LDAP
+for NSS and Kerberos server for PAM, but one was to change a hard
+coded DNS domain name in the mklocaluser hook from .intern to
+.uio.no.</p>
+
+<p>This testing was so encouraging, that I went ahead and adjusted the
+Debian Edu scripts and setup in subversion to centralise the roaming
+workstation setup a bit more and avoid the hardcoded DNS domain name,
+so that when I test this tomorrow, I expect to get away with modifying
+only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
+university servers.</p>
+
+<p>My goal is to get the clients to have no hardcoded settings and
+fetch all their initial setup during installation and first boot, to
+allow them to be inserted also into environments where the default
+setup in Debian Edu has been changed or as with the university, where
+the environment is different but provides the protocols Debian Edu
+uses.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/__pne_tr__dl__snett_er_et_samfunnsgode.html">Åpne trådløsnett er et samfunnsgode</a></div>
- <div class="date">2010-06-12 12:45</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html">Circular package dependencies harms apt recovery</a></div>
+ <div class="date">2010-07-27 23:50</div>
<div class="body">
-<p>Veldig glad for å oppdage via
-<a href="http://yro.slashdot.org/story/10/06/11/1841256/Finland-To-Legalize-Use-of-Unsecured-Wi-Fi">Slashdot</a>
-at folk i Finland har forstått at åpne trådløsnett er et samfunnsgode.
-Jeg ser på åpne trådløsnett som et fellesgode på linje med retten til
-ferdsel i utmark og retten til å bevege seg i strandsonen. Jeg har
-glede av åpne trådløsnett når jeg finner dem, og deler gladelig nett
-med andre så lenge de ikke forstyrrer min bruk av eget nett.
-Nettkapasiteten er sjelden en begrensning ved normal browsing og enkel
-SSH-innlogging (som er min vanligste nettbruk), og nett kan brukes til
-så mye positivt og nyttig (som nyhetslesing, sjekke været, kontakte
-slekt og venner, holde seg oppdatert om politiske saker, kontakte
-organisasjoner og politikere, etc), at det for meg er helt urimelig å
-blokkere dette for alle som ikke gjør en flue fortred. De som mener
-at potensialet for misbruk er grunn nok til å hindre all den positive
-og lovlydige bruken av et åpent trådløsnett har jeg dermed ingen
-forståelse for. En kan ikke eksistensen av forbrytere styre hvordan
-samfunnet skal organiseres. Da får en et kontrollsamfunn de færreste
-ønsker å leve i, og det at vi har et samfunn i Norge der tilliten til
-hverandre er høy gjør at samfunnet fungerer ganske godt. Det bør vi
-anstrenge oss for å beholde.</p>
+<p>I discovered this while doing
+<a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">automated
+testing of upgrades from Debian Lenny to Squeeze</a>. A few packages
+in Debian still got circular dependencies, and it is often claimed
+that apt and aptitude should be able to handle this just fine, but
+some times these dependency loops causes apt to fail.</p>
+
+<p>An example is from todays
+<a href="http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt">upgrade
+of KDE using aptitude</a>. In it, a bug in kdebase-workspace-data
+causes perl-modules to fail to upgrade. The cause is simple. If a
+package fail to unpack, then only part of packages with the circular
+dependency might end up being unpacked when unpacking aborts, and the
+ones already unpacked will fail to configure in the recovery phase
+because its dependencies are unavailable.</p>
+
+<p>In this log, the problem manifest itself with this error:</p>
+
+<blockquote><pre>
+dpkg: dependency problems prevent configuration of perl-modules:
+ perl-modules depends on perl (>= 5.10.1-1); however:
+ Version of perl on system is 5.10.0-19lenny2.
+dpkg: error processing perl-modules (--configure):
+ dependency problems - leaving unconfigured
+</pre></blockquote>
+
+<p>The perl/perl-modules circular dependency is already
+<a href="http://bugs.debian.org/527917">reported as a bug</a>, and will
+hopefully be solved as soon as possible, but it is not the only one,
+and each one of these loops in the dependency tree can cause similar
+failures. Of course, they only occur when there are bugs in other
+packages causing the unpacking to fail, but it is rather nasty when
+the failure of one package causes the problem to become worse because
+of dependency loops.</p>
+
+<p>Thanks to
+<a href="http://lists.debian.org/debian-devel/2010/06/msg00116.html">the
+tireless effort by Bill Allombert</a>, the number of circular
+dependencies
+<a href="http://debian.semistable.com/debgraph.out.html">left in Debian
+is dropping</a>, and perhaps it will reach zero one day. :)</p>
+
+<p>Todays testing also exposed a bug in
+<a href="http://bugs.debian.org/590605">update-notifier</a> and
+<a href="http://bugs.debian.org/590604">different behaviour</a> between
+apt-get and aptitude, the latter possibly caused by some circular
+dependency. Reported both to BTS to try to get someone to look at
+it.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling</a>, <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett</a>, <a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">Automatic upgrade testing from Lenny to Squeeze</a></div>
- <div class="date">2010-06-11 22:50</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html">First Debian Edu test release (alpha0) based on Squeeze is released</a></div>
+ <div class="date">2010-07-27 17:45</div>
<div class="body">
-<p>The last few days I have done some upgrade testing in Debian, to
-see if the upgrade from Lenny to Squeeze will go smoothly. A few bugs
-have been discovered and reported in the process
-(<a href="http://bugs.debian.org/585410">#585410</a> in nagios3-cgi,
-<a href="http://bugs.debian.org/584879">#584879</a> already fixed in
-enscript and <a href="http://bugs.debian.org/584861">#584861</a> in
-kdebase-workspace-data), and to get a more regular testing going on, I
-am working on a script to automate the test.</p>
-
-<p>The idea is to create a Lenny chroot and use tasksel to install a
-Gnome or KDE desktop installation inside the chroot before upgrading
-it. To ensure no services are started in the chroot, a policy-rc.d
-script is inserted. To make sure tasksel believe it is to install a
-desktop on a laptop, the tasksel tests are replaced in the chroot
-(only acceptable because this is a throw-away chroot).</p>
-
-<p>A naive upgrade from Lenny to Squeeze using aptitude dist-upgrade
-currently always fail because udev refuses to upgrade with the kernel
-in Lenny, so to avoid that problem the file /etc/udev/kernel-upgrade
-is created. The bug report
-<a href="http://bugs.debian.org/566000">#566000</a> make me suspect
-this problem do not trigger in a chroot, but I touch the file anyway
-to make sure the upgrade go well. Testing on virtual and real
-hardware have failed me because of udev so far, and creating this file
-do the trick in such settings anyway. This is a
-<a href="http://www.linuxquestions.org/questions/debian-26/failed-dist-upgrade-due-to-udev-config_sysfs_deprecated-nonsense-804130/">known
-issue</a> and the current udev behaviour is intended by the udev
-maintainer because he lack the resources to rewrite udev to keep
-working with old kernels or something like that. I really wish the
-udev upstream would keep udev backwards compatible, to avoid such
-upgrade problem, but given that they fail to do so, I guess
-documenting the way out of this mess is the best option we got for
-Debian Squeeze.</p>
-
-<p>Anyway, back to the task at hand, testing upgrades. This test
-script, which I call <tt>upgrade-test</tt> for now, is doing the
-trick:</p>
+<p>I just posted this announcement culminating several months of work
+with the next Debian Edu release. Not nearly done, but one major step
+completed.</p>
-<blockquote><pre>
-#!/bin/sh
-set -ex
-
-if [ "$1" ] ; then
- desktop=$1
-else
- desktop=gnome
-fi
-
-from=lenny
-to=squeeze
-
-exec < /dev/null
-unset LANG
-mirror=http://ftp.skolelinux.org/debian
-tmpdir=chroot-$from-upgrade-$to-$desktop
-fuser -mv .
-debootstrap $from $tmpdir $mirror
-chroot $tmpdir aptitude update
-cat > $tmpdir/usr/sbin/policy-rc.d <<EOF
-#!/bin/sh
-exit 101
-EOF
-chmod a+rx $tmpdir/usr/sbin/policy-rc.d
-exit_cleanup() {
- umount $tmpdir/proc
-}
-mount -t proc proc $tmpdir/proc
-# Make sure proc is unmounted also on failure
-trap exit_cleanup EXIT INT
-
-chroot $tmpdir aptitude -y install debconf-utils
-
-# Make sure tasksel autoselection trigger. It need the test scripts
-# to return the correct answers.
-echo tasksel tasksel/desktop multiselect $desktop | \
- chroot $tmpdir debconf-set-selections
-
-# Include the desktop and laptop task
-for test in desktop laptop ; do
- echo > $tmpdir/usr/lib/tasksel/tests/$test <<EOF
-#!/bin/sh
-exit 2
-EOF
- chmod a+rx $tmpdir/usr/lib/tasksel/tests/$test
-done
-
-DEBIAN_FRONTEND=noninteractive
-DEBIAN_PRIORITY=critical
-export DEBIAN_FRONTEND DEBIAN_PRIORITY
-chroot $tmpdir tasksel --new-install
-
-echo deb $mirror $to main > $tmpdir/etc/apt/sources.list
-chroot $tmpdir aptitude update
-touch $tmpdir/etc/udev/kernel-upgrade
-chroot $tmpdir aptitude -y dist-upgrade
-fuser -mv
-</pre></blockquote>
+<blockquote>
+<p>This is the first test release based on Squeeze. The focus of this
+release is to test the user application selection. To have a look,
+install the standalone profile and let the developers know if the set
+of installed packages i.e. applications should be modified. If some
+user application is missing, or if there are some applications that no
+longer make sense to be included in Debian Edu, please let us know.
+Also, if a useful application is missing the translation for your
+language of choice, please let us know too.</p>
+
+<p>In addition, feedback and help to polish the desktop (menus,
+artwork, starters, etc.) is appreciated. We would like to ship a nice
+and handy KDE4 desktop targeted for schools out of the box.</p>
+
+<p>The other profiles should be installable, but there is a lot more
+work left to be done before they are ready, so do not expect to
+much.</p>
+
+<p>Changes compared to the lenny based version</p>
-<p>I suspect it would be useful to test upgrades with both apt-get and
-with aptitude, but I have not had time to look at how they behave
-differently so far. I hope to get a cron job running to do the test
-regularly and post the result on the web. The Gnome upgrade currently
-work, while the KDE upgrade fail because of the bug in
-kdebase-workspace-data</p>
-
-<p>I am not quite sure what kind of extract from the huge upgrade logs
-(KDE 167 KiB, Gnome 516 KiB) it make sense to include in this blog
-post, so I will refrain from trying. I can report that for Gnome,
-aptitude report 760 packages upgraded, 448 newly installed, 129 to
-remove and 1 not upgraded and 1024MB need to be downloaded while for
-KDE the same numbers are 702 packages upgraded, 507 newly installed,
-193 to remove and 0 not upgraded and 1117MB need to be downloaded</p>
-
-<p>I am very happy to notice that the Gnome desktop + laptop upgrade
-is able to migrate to dependency based boot sequencing and parallel
-booting without a hitch. Was unsure if there were still bugs with
-packages failing to clean up their obsolete init.d script during
-upgrades, and no such problem seem to affect the Gnome desktop+laptop
-packages.</p>
+<ul>
+<li>Everything from Debian Squeeze
+<ul>
+ <li>Desktop environment KDE 4.4 => the new KDE desktop in
+ combination with some new artwork
+ <li>Web browser Iceweasel 3.5
+ <li>OpenOffice.org 3.2
+ <li>Educational toolbox GCompris 9.3
+ <li>Music creator Rosegarden 10.04.2
+ <li>Image editor Gimp 2.6.10
+ <li>Virtual universe Celestia 1.6.0
+ <li>Virtual stargazer Stellarium 0.10.4
+ <li>3D modeler Blender 2.49.2 (new application)
+ <li>Video editor Kdenlive 0.7.7 (new application)
+</ul></li>
+<li>Now using Kerberos for password checking (migration not finished).
+ Enabled for:
+<ul>
+ <li>PAM
+ <li>LDAP
+ <li>IMAP
+ <li>SMTP (sender verification)
+</ul>
+</li>
+<li>New experimental roaming workstation profile for laptops.</li>
+<li>Show welcome page to users when they first log in. The URL is
+ fetched from LDAP.</li>
+<li>New LXDE desktop option, in addition to KDE (default) and Gnome.</li>
+<li>General cleanup (not finished)</li>
+</ul>
+<p>The following features are not working as they should</p>
+
+<ul>
+<li>No web based administration tool for creating users and groups. The
+ scripts ldap-createuser-krb and ldap-add-user-to-group can be used
+ for testing.</li>
+<li>DVD installs are missing debian-installer images for the PXE boot,
+ and do not set up the PXE menu on eth0 because of this. LTSP
+ clients should still boot from eth1 on thin client servers.</li>
+<li>The restructured KDE menu is not implemented.</li>
+<li>The LDAP server setup need to be reviewed for security.</li>
+<li>The LDAP directory structure need to be reworked.</li>
+<li>Different sets of packages are installed when using the DVD and the
+ netinst CD. More packages are installed using the netinst CD.</li>
+<li>The jackd package fail to install. This is believed to be caused by
+ some ongoing transition, and hopefully should be solved soon. The
+ jackd1 package can be installed manually for those that need it.</li>
+<li>Some packages lack translations. See
+ http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
+ and help out with translations.</li>
+</ul>
+
+<p>To download this multiarch netinstall release you can use</p>
+
+<ul>
+<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
+<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
+<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</li>
+</ul>
+<p>To download this multiarch dvd release you can use</p>
+
+<ul>
+<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
+<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
+<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
+
+<p>There is no source DVD available yet. It will be prepared when we
+get closer to the final release.</p>
+
+<p>The MD5SUM of these images are</p>
+
+<ul>
+<li>3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso</li>
+<li>22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
+
+<p>The SHA1SUM of these images are</p>
+<ul>
+<li>c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso</li>
+<li>2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
+<p>How to report bugs:
+http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla</p>
+
+<p>Please direct replies to debian-edu@lists.debian.org</p>
+</blockquote>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Skolelinux_er_laget_for_sentraldrifting__naturligvis.html">Skolelinux er laget for sentraldrifting, naturligvis</a></div>
- <div class="date">2010-06-09 12:30</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html">One step closer to single signon in Debian Edu</a></div>
+ <div class="date">2010-07-25 10:00</div>
<div class="body">
-<p>Det er merkelig hvordan myter om Skolelinux overlever. En slik
-myte er at Skolelinux ikke kan sentraldriftes og ha sentralt plasserte
-tjenermaskiner. I siste Computerworld Norge er
-<a href="http://www.idg.no/computerworld/article169432.ece">IT-sjef
-Viggo Billdal i Steinkjer intervjuet</a>, og forteller uten
-blygsel:</p>
-
-<blockquote><p>Vi hadde Skolelinux, men det har vi sluttet med. Vi testet
-om det lønte seg med Microsoft eller en åpen plattform. Vi fant ut at
-Microsoft egentlig var totalt sett bedre egnet. Det var store
-driftskostnader med Skolelinux, blant annet på grunn av
-desentraliserte servere. Det var komplisert, så vi gikk vekk fra det
-og bruker nå bare Windows.</p></blockquote>
-
-<p>En <a
-href="https://init.linpro.no/pipermail/skolelinux.no/bruker/2010-June/009101.html">rask
-sjekk</a> mot den norske brukerlista i Skolelinuxprosjektet forteller
-at Steinkjers forsøk foregikk fram til 2004/2005, og at Røysing skole
-i Steinkjer skal ha vært svært fornøyd med Skolelinux men at kommunen
-overkjørte skolen og krevde at de gikk over til Windows. Et søk på
-nettet sendte meg til
-<a href="http://www.dn.no/multimedia/archive/00090/Dagens_it_nr__18_90826a.pdf">Dagens
-IT nr. 18 2005</a> hvor en kan lese på side 18:</p>
-
-<blockquote><p>Inge Tømmerås ved Røysing skole i Steinkjer kjører ennå
-Microsoft, men forteller at kompetanseutfordringen med Skolelinux ikke
-var så stor. Jeg syntes Skolelinux var utrolig lett å drifte uten
-forkunnskaper. Men man må jo selvsagt ha tilgang på ekstern kompetanse
-til installasjoner og maskinvarefeil, sier Tømmerås.</p></blockquote>
-
-<p>Som systemarkitekten bak Skolelinux, kan jeg bare riste på hodet
-over påstanden om at Skolelinux krever desentraliserte tjenere.
-Skolelinux-arkitekturen er laget for sentralisert drift og plassering
-av tjenerne lokalt eller sentralt alt etter behov og nettkapasitet.
-Den er modellert på nettverks- og tjenerløsningen som brukes på
-Universitetet i Tromsø og Oslo, der jeg jobber med utvikling av
-driftstjenester. Dette er det heldigvis noen som har fått med seg, og
-jeg er glad for å kunne sitere fra en kommentar på den overnevnte
-artikkelen. Min venn og gamle kollega Sturle Sunde forteller der:
-
-<blockquote>
-<p>I Flora kommune køyrer vi Skulelinux på skular med alt frå 15 til
-meir enn 500 elevar. Dei store skulane har eigen tenar, for det er
-mest praktisk. Eg, som er driftsansvarleg for heile nettet, ser
-sjeldan dei tenarane fysisk, men at dei står der gjer skulane mindre
-avhengige av eksterne linjer som er trege eller dyre. Dei minste
-skulane har ikkje eigen tenar. Å bruke sentral tenar er heller ikkje
-noko problem. Småskulane klarar seg fint med 1 mbit-linje til ein
-sentral tenar eller tenaren på ein større skule.</p>
-
-<p>Det beste med Skulelinux er halvtjukke klientar. Dei treng ikkje
-harddisk og brukar minimalt med ressursar på tenaren fordi dei køyrer
-programma lokalt. Eit klasserom med 30 sju-åtte år gamle maskiner har
-mykje meir CPU og RAM totalt enn nokon moderne tenar til under
-millionen. Det trengst to kommandoar på den sentrale tenaren for å
-oppdatere alle klientane, både tynne og halvtjukke. Vi har ingen
-problem med diskar som ryk heller, som var eit problem før fordi
-elevane sat og sparka i maskinene. Og dei krev lite bandbreidde i
-nettet, so det er fullt mogleg å køyre slike på småskular med trege
-linjer mot tenaren på ein større skule.</p>
-
-<p>Flora kommune har nesten 800 Linux-maskiner i sitt skulenett, og
-ein person som tek seg av drift av heile nettet, inkludert tenarar,
-klientar, operativsystem, programvare, heimekontorløysing og
-administrasjon av brukarar.</p>
-
-<p>No skal det seiast at vi ikkje køyrer rein Skulelinux ut av
-boksen. Vi har gjort ein del tilpassingar mot noko Novell-greier som
-var der frå før, og som har komplisert installasjonen vår. Etter at
-oppsettet var gjort har løysinga vore stabil og kravd minimalt med
-arbeid.</p>
-</blockquote>
-
-<p>Jeg vet at Narvik, Harstad og Oslo er kommuner der Skolelinux
-sentraldriftes med sentrale tjenere. Det forteller meg at Steinkjers
-IT-sjef neppe bør skylde på Skolelinux-løsningen for sine 5 år gamle
-minner.</p>
+<p>The last few months me and the other Debian Edu developers have
+been working hard to get the Debian/Squeeze based version of Debian
+Edu/Skolelinux into shape. This future version will use Kerberos for
+authentication, and services are slowly migrated to single signon,
+getting rid of password questions one at the time.</p>
+
+<p>It will also feature a roaming workstation profile with local home
+directory, for laptops that are only some times on the Skolelinux
+network, and for this profile a shortcut is created in Gnome and KDE
+to gain access to the users home directory on the file server. This
+shortcut uses SMB at the moment, and yesterday I had time to test if
+SMB mounting had started working in KDE after we added the cifs-utils
+package. I was pleasantly surprised how well it worked.</p>
+
+<p>Thanks to the recent changes to our samba configuration to get it
+to use Kerberos for authentication, there were no question about user
+password when mounting the SMB volume. A simple click on the shortcut
+in the KDE menu, and a window with the home directory popped
+up. :)</p>
+
+<p>One step closer to a single signon solution out of the box in
+Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now
+also Samba. Next step is Cups and hopefully also NFS.</p>
+
+<p>We had planned a alpha0 release of Debian Edu for today, but thanks
+to the autobuilder administrators for some architectures being slow to
+sign packages, we are still missing the fixed LTSP package we need for
+the release. It was uploaded three days ago with urgency=high, and if
+it had entered testing yesterday we would have been able to test it in
+time for a alpha0 release today. As the binaries for ia64 and powerpc
+still not uploaded to the Debian archive, we need to delay the alpha
+release another day.</p>
+
+<p>If you want to help out with implementing Kerberos for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Upstart_or_sysvinit___as_init_d_scripts_see_it.html">Upstart or sysvinit - as init.d scripts see it</a></div>
- <div class="date">2010-06-06 23:55</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til____slutte____kj__pe_musikk.html">Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk</a></div>
+ <div class="date">2010-07-22 23:50</div>
<div class="body">
-<p>If Debian is to migrate to upstart on Linux, I expect some init.d
-scripts to migrate (some of) their operations to upstart job while
-keeping the init.d for hurd and kfreebsd. The packages with such
-needs will need a way to get their init.d scripts to behave
-differently when used with sysvinit and with upstart. Because of
-this, I had a look at the environment variables set when a init.d
-script is running under upstart, and when it is not.</p>
-
-<p>With upstart, I notice these environment variables are set when a
-script is started from rcS.d/ (ignoring some irrelevant ones like
-COLUMNS):</p>
-
-<blockquote><pre>
-DEFAULT_RUNLEVEL=2
-previous=N
-PREVLEVEL=
-RUNLEVEL=
-runlevel=S
-UPSTART_EVENTS=startup
-UPSTART_INSTANCE=
-UPSTART_JOB=rc-sysinit
-</pre></blockquote>
-
-<p>With sysvinit, these environment variables are set for the same
-script.</p>
-
-<blockquote><pre>
-INIT_VERSION=sysvinit-2.88
-previous=N
-PREVLEVEL=N
-RUNLEVEL=S
-runlevel=S
-</pre></blockquote>
-
-<p>The RUNLEVEL and PREVLEVEL environment variables passed on from
-sysvinit are not set by upstart. Not sure if it is intentional or not
-to not be compatible with sysvinit in this regard.</p>
-
-<p>For scripts needing to behave differently when upstart is used,
-looking for the UPSTART_JOB environment variable seem to be a good
-choice.</p>
+<p>For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at
+musikkbransjen var godt i gang med å selge platene sine med DRM som
+gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg
+hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en
+plate om den var ødelagt eller ikke, og jeg hadde jo allerede en
+anseelig samling med plater, så jeg bestemme meg for å slutte å gi
+penger til en bransje som åpenbart ikke respekterte meg.</p>
+
+<p>Jeg har mange titalls dager med musikk på CD i dag. Det meste er
+lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har
+ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer
+musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt
+fornøyd.</p>
+
+<p>Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de
+setter pris på meg som kunde, og ikke skremme meg bort med DRM og
+antydninger om at kundene er kriminelle.</p>
+
+<p>Filmbransjen er like ille, men mens musikk gjerne varer lenge, er
+filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men
+holder meg til DVD-filmer som kan spilles av på mine Linuxbokser.
+Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
+«Ultraviolet» som be annonsert her om dagen.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling</a>, <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett</a>, <a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/A_manual_for_standards_wars___.html">A manual for standards wars...</a></div>
- <div class="date">2010-06-06 14:15</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html">OpenStreetmap one step closer to having routing on its front page</a></div>
+ <div class="date">2010-07-18 16:45</div>
<div class="body">
-<p>Via the
-<a href="http://feedproxy.google.com/~r/robweir/antic-atom/~3/QzU4RgoAGMg/weekly-links-10.html">blog
-of Rob Weir</a> I came across the very interesting essay named
-<a href="http://faculty.haas.berkeley.edu/shapiro/wars.pdf">The Art of
-Standards Wars</a> (PDF 25 pages). I recommend it for everyone
-following the standards wars of today.</p>
+<p>Thanks to
+<a href="http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home">todays
+opengeodata blog entry</a>, I just discovered that the
+OpenStreetmap.org site have gotten
+<a href="http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT">support
+for calculating routes</a>. The support is still experimental and
+only available from the development server, until more experience is
+gathered on the user interface and any scalability issues.</p>
+
+<p>Earlier, the routing I knew about using the OpenStreetmap.org data
+was provided by <a href="http://maps.cloudmade.com/">Cloudmade</a>,
+but having it on the main page is required to make everyone aware of
+the issue. I've had people reject Openstreetmap.org as a viable
+alternative for them because the front page lacked routing support,
+and I hope their needs will be catered for when routing show up on the
+www.openstreetmap.org front page.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/standard">standard</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/kart">kart</a>, <a href="http://people.skolelinux.org/pere/blog/tags/web">web</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_computer_hardware_models_used_at_site.html">Sitesummary tip: Listing computer hardware models used at site</a></div>
- <div class="date">2010-06-03 12:05</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html">What are they searching for - PowerDNS and ISC DHCP in LDAP</a></div>
+ <div class="date">2010-07-17 21:00</div>
<div class="body">
-<p>When using sitesummary at a site to track machines, it is possible
-to get a list of the machine types in use thanks to the DMI
-information extracted from each machine. The script to do so is
-included in the sitesummary package, and here is example output from
-the Skolelinux build servers:</p>
+<p>This is a
+<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">followup</a>
+on my
+<a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">previous
+work</a> on
+<a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">merging
+all</a> the computer related LDAP objects in Debian Edu.</p>
+
+<p>As a step to try to see if it possible to merge the DNS and DHCP
+LDAP objects, I have had a look at how the packages pdns-backend-ldap
+and dhcp3-server-ldap in Debian use the LDAP server. The two
+implementations are quite different in how they use LDAP.</p>
+
+To get this information, I started slapd with debugging enabled and
+dumped the debug output to a file to get the LDAP searches performed
+on a Debian Edu main-server. Here is a summary.
+
+<p><strong>powerdns</strong></p>
+
+<a href="http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend">Clues
+on how to</a> set up PowerDNS to use a LDAP backend is available on
+the web.
+
+<p>PowerDNS have two modes of operation using LDAP as its backend.
+One "strict" mode where the forward and reverse DNS lookups are done
+using the same LDAP objects, and a "tree" mode where the forward and
+reverse entries are in two different subtrees in LDAP with a structure
+based on the DNS names, as in tjener.intern and
+2.2.0.10.in-addr.arpa.</p>
+
+<p>In tree mode, the server is set up to use a LDAP subtree as its
+base, and uses a "base" scoped search for the DNS name by adding
+"dc=tjener,dc=intern," to the base with a filter for
+"(associateddomain=tjener.intern)" for the forward entry and
+"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for
+"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For
+forward entries, it is looking for attributes named dnsttl, arecord,
+nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
+txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
+srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
+ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
+spfrecord and modifytimestamp. For reverse entries it is looking for
+the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
+ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
+locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent
+ldapsearch commands could look like this:</p>
+
+<blockquote><pre>
+ldapsearch -h ldap \
+ -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
+ -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
+ cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
+ rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
+ nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
+ rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
+
+ldapsearch -h ldap \
+ -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
+ -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
+ dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
+ hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
+ srvrecord naptrrecord modifytimestamp
+</pre></blockquote>
+
+<p>In Debian Edu/Lenny, the PowerDNS tree mode is used with
+ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two
+example LDAP objects used there. In addition to these objects, the
+parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no
+also exist.</p>
+
+<blockquote><pre>
+dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
+objectclass: top
+objectclass: dnsdomain
+objectclass: domainrelatedobject
+dc: tjener
+arecord: 10.0.2.2
+associateddomain: tjener.intern
+
+dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
+objectclass: top
+objectclass: dnsdomain2
+objectclass: domainrelatedobject
+dc: 2
+ptrrecord: tjener.intern
+associateddomain: 2.2.0.10.in-addr.arpa
+</pre></blockquote>
+
+<p>In strict mode, the server behaves differently. When looking for
+forward DNS entries, it is doing a "subtree" scoped search with the
+same base as in the tree mode for a object with filter
+"(associateddomain=tjener.intern)" and requests the attributes dnsttl,
+arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord,
+mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord,
+naptrrecord and modifytimestamp. For reverse entires it also do a
+subtree scoped search but this time the filter is "(arecord=10.0.2.2)"
+and the requested attributes are associateddomain, dnsttl and
+modifytimestamp. In short, in strict mode the objects with ptrrecord
+go away, and the arecord attribute in the forward object is used
+instead.</p>
+
+<p>The forward and reverse searches can be simulated using ldapsearch
+like this:</p>
+
+<blockquote><pre>
+ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
+ '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
+ cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
+ rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
+ nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
+ rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
+
+ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
+ '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
+</pre></blockquote>
+
+<p>In addition to the forward and reverse searches , there is also a
+search for SOA records, which behave similar to the forward and
+reverse lookups.</p>
+
+<p>A thing to note with the PowerDNS behaviour is that it do not
+specify any objectclass names, and instead look for the attributes it
+need to generate a DNS reply. This make it able to work with any
+objectclass that provide the needed attributes.</p>
+
+<p>The attributes are normally provided in the cosine (RFC 1274) and
+dnsdomain2 schemas. The latter is used for reverse entries like
+ptrrecord and recent DNS additions like aaaarecord and srvrecord.</p>
+
+<p>In Debian Edu, we have created DNS objects using the object classes
+dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS
+attributes) and domainrelatedobject (for associatedDomain). The use
+of structural object classes make it impossible to combine these
+classes with the object classes used by DHCP.</p>
+
+<p>There are other schemas that could be used too, for example the
+dnszone structural object class used by Gosa and bind-sdb for the DNS
+attributes combined with the domainrelatedobject object class, but in
+this case some unused attributes would have to be included as well
+(zonename and relativedomainname).</p>
+
+<p>My proposal for Debian Edu would be to switch PowerDNS to strict
+mode and not use any of the existing objectclasses (dnsdomain,
+dnsdomain2 and dnszone) when one want to combine the DNS information
+with DHCP information, and instead create a auxiliary object class
+defined something like this (using the attributes defined for
+dnsdomain and dnsdomain2 or dnszone):</p>
+
+<blockquote><pre>
+objectclass ( some-oid NAME 'dnsDomainAux'
+ SUP top
+ AUXILIARY
+ MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
+ DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
+ TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
+ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
+ A6Record $ DNAMERecord
+ ))
+</pre></blockquote>
+
+<p>This will allow any object to become a DNS entry when combined with
+the domainrelatedobject object class, and allow any entity to include
+all the attributes PowerDNS wants. I've sent an email to the PowerDNS
+developers asking for their view on this schema and if they are
+interested in providing such schema with PowerDNS, and I hope my
+message will be accepted into their mailing list soon.</p>
+
+<p><strong>ISC dhcp</strong></p>
+
+<p>The DHCP server searches for specific objectclass and requests all
+the object attributes, and then uses the attributes it want. This
+make it harder to figure out exactly what attributes are used, but
+thanks to the working example in Debian Edu I can at least get an idea
+what is needed without having to read the source code.</p>
+
+<p>In the DHCP server configuration, the LDAP base to use and the
+search filter to use to locate the correct dhcpServer entity is
+stored. These are the relevant entries from
+/etc/dhcp3/dhcpd.conf:</p>
<blockquote><pre>
-maintainer:~# /usr/lib/sitesummary/hardware-model-summary
- vendor count
- Dell Computer Corporation 1
- PowerEdge 1750 1
- IBM 1
- eserver xSeries 345 -[8670M1X]- 1
- Intel 2
- [no-dmi-info] 3
-maintainer:~#
+ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
+ldap-dhcp-server-cn "dhcp";
</pre></blockquote>
-<p>The quality of the report depend on the quality of the DMI tables
-provided in each machine. Here there are Intel machines without model
-information listed with Intel as vendor and mo model, and virtual Xen
-machines listed as [no-dmi-info]. One can add -l as a command line
-option to list the individual machines.</p>
-
-<p>A larger list is
-<a href="http://narvikskolen.no/sitesummary/">available from the the
-city of Narvik</a>, which uses Skolelinux on all their shools and also
-provide the basic sitesummary report publicly. In their report there
-are ~1400 machines. I know they use both Ubuntu and Skolelinux on
-their machines, and as sitesummary is available in both distributions,
-it is trivial to get all of them to report to the same central
-collector.</p>
+<p>The DHCP server uses this information to nest all the DHCP
+configuration it need. The cn "dhcp" is located using the given LDAP
+base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The
+search result is this entry:</p>
+
+<blockquote><pre>
+dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
+cn: dhcp
+objectClass: top
+objectClass: dhcpServer
+dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+</pre></blockquote>
+
+<p>The content of the dhcpServiceDN attribute is next used to locate the
+subtree with DHCP configuration. The DHCP configuration subtree base
+is located using a base scope search with base "cn=DHCP
+Config,dc=skole,dc=skolelinux,dc=no" and filter
+"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))".
+The search result is this entry:</p>
+
+<blockquote><pre>
+dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: DHCP Config
+objectClass: top
+objectClass: dhcpService
+objectClass: dhcpOptions
+dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
+dhcpStatements: ddns-update-style none
+dhcpStatements: authoritative
+dhcpOption: smtp-server code 69 = array of ip-address
+dhcpOption: www-server code 72 = array of ip-address
+dhcpOption: wpad-url code 252 = text
+</pre></blockquote>
+
+<p>Next, the entire subtree is processed, one level at the time. When
+all the DHCP configuration is loaded, it is ready to receive requests.
+The subtree in Debian Edu contain objects with object classes
+top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
+top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options
+and information about netmasks, dynamic range etc. Leaving out the
+details here because it is not relevant for the focus of my
+investigation, which is to see if it is possible to merge dns and dhcp
+related computer objects.</p>
+
+<p>When a DHCP request come in, LDAP is searched for the MAC address
+of the client (00:00:00:00:00:00 in this example), using a subtree
+scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as
+the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet
+00:00:00:00:00:00))" as the filter. This is what a host object look
+like:</p>
+
+<blockquote><pre>
+dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: hostname
+objectClass: top
+objectClass: dhcpHost
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname
+</pre></blockquote>
+
+<p>There is less flexiblity in the way LDAP searches are done here.
+The object classes need to have fixed names, and the configuration
+need to be stored in a fairly specific LDAP structure. On the
+positive side, the invidiual dhcpHost entires can be anywhere without
+the DN pointed to by the dhcpServer entries. The latter should make
+it possible to group all host entries in a subtree next to the
+configuration entries, and this subtree can also be shared with the
+DNS server if the schema proposed above is combined with the dhcpHost
+structural object class.
+
+<p><strong>Conclusion</strong></p>
+
+<p>The PowerDNS implementation seem to be very flexible when it come
+to which LDAP schemas to use. While its "tree" mode is rigid when it
+come to the the LDAP structure, the "strict" mode is very flexible,
+allowing DNS objects to be stored anywhere under the base cn specified
+in the configuration.</p>
+
+<p>The DHCP implementation on the other hand is very inflexible, both
+regarding which LDAP schemas to use and which LDAP structure to use.
+I guess one could implement ones own schema, as long as the
+objectclasses and attributes have the names used, but this do not
+really help when the DHCP subtree need to have a fairly fixed
+structure.</p>
+
+<p>Based on the observed behaviour, I suspect a LDAP structure like
+this might work for Debian Edu:</p>
+
+<blockquote><pre>
+ou=services
+ cn=machine-info (dhcpService) - dhcpServiceDN points here
+ cn=dhcp (dhcpServer)
+ cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
+ cn=10.0.2.0 (dhcpSubnet)
+ cn=group1 (dhcpGroup/dhcpOptions)
+ cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
+ cn=192.168.0.0 (dhcpSubnet)
+ cn=group1 (dhcpGroup/dhcpOptions)
+ ou=machines - PowerDNS base points here
+ cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
+</pre></blockquote>
+
+<P>This is not tested yet. If the DHCP server require the dhcpHost
+entries to be in the dhcpGroup subtrees, the entries can be stored
+there instead of a common machines subtree, and the PowerDNS base
+would have to be moved one level up to the machine-info subtree.</p>
+
+<p>The combined object under the machines subtree would look something
+like this:</p>
+
+<blockquote><pre>
+dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
+dc: hostname
+objectClass: top
+objectClass: dhcpHost
+objectclass: domainrelatedobject
+objectclass: dnsDomainAux
+associateddomain: hostname.intern
+arecord: 10.11.12.13
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname.intern
+</pre></blockquote>
+
+</p>One could even add the LTSP configuration associated with a given
+machine, as long as the required attributes are available in a
+auxiliary object class.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
</div>
<div class="padding"></div>
<div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Togsatsing_p___norsk__mot_sykkel.html">Togsatsing på norsk, mot sykkel</a></div>
- <div class="date">2010-06-02 23:45</div>
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">Combining PowerDNS and ISC DHCP LDAP objects</a></div>
+ <div class="date">2010-07-14 23:45</div>
<div class="body">
-<p>Det står dårlig til med toget når en finner på å la det
-<a href="http://www.aftenposten.no/nyheter/iriks/article3677060.ece">kappkjøre
-med sykkel</a>... Jeg tror det trengs strukturendringer for å få
-fikset på togproblemene i Norge.</p>
+<p>For a while now, I have wanted to find a way to change the DNS and
+DHCP services in Debian Edu to use the same LDAP objects for a given
+computer, to avoid the possibility of having a inconsistent state for
+a computer in LDAP (as in DHCP but no DNS entry or the other way
+around) and make it easier to add computers to LDAP.</p>
+
+<p>I've looked at how powerdns and dhcpd is using LDAP, and using this
+information finally found a solution that seem to work.</p>
+
+<p>The old setup required three LDAP objects for a given computer.
+One forward DNS entry, one reverse DNS entry and one DHCP entry. If
+we switch powerdns to use its strict LDAP method (ldap-method=strict
+in pdns-debian-edu.conf), the forward and reverse DNS entries are
+merged into one while making it impossible to transfer the reverse map
+to a slave DNS server.</p>
+
+<p>If we also replace the object class used to get the DNS related
+attributes to one allowing these attributes to be combined with the
+dhcphost object class, we can merge the DNS and DHCP entries into one.
+I've written such object class in the dnsdomainaux.schema file (need
+proper OIDs, but that is a minor issue), and tested the setup. It
+seem to work.</p>
+
+<p>With this test setup in place, we can get away with one LDAP object
+for both DNS and DHCP, and even the LTSP configuration I suggested in
+an earlier email. The combined LDAP object will look something like
+this:</p>
-<p>Mon tro hva toglinje mellom Narvik og Tromsø ville hatt slags
-effekt på området der?</p>
+<blockquote><pre>
+ dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+ cn: hostname
+ objectClass: dhcphost
+ objectclass: domainrelatedobject
+ objectclass: dnsdomainaux
+ associateddomain: hostname.intern
+ arecord: 10.11.12.13
+ dhcphwaddress: ethernet 00:00:00:00:00:00
+ dhcpstatements: fixed-address hostname
+ ldapconfigsound: Y
+</pre></blockquote>
+
+<p>The DNS server uses the associateddomain and arecord entries, while
+the DHCP server uses the dhcphwaddress and dhcpstatements entries
+before asking DNS to resolve the fixed-adddress. LTSP will use
+dhcphwaddress or associateddomain and the ldapconfig* attributes.</p>
+
+<p>I am not yet sure if I can get the DHCP server to look for its
+dhcphost in a different location, to allow us to put the objects
+outside the "DHCP Config" subtree, but hope to figure out a way to do
+that. If I can't figure out a way to do that, we can still get rid of
+the hosts subtree and move all its content into the DHCP Config tree
+(which probably should be renamed to be more related to the new
+content. I suspect cn=dnsdhcp,ou=services or something like that
+might be a good place to put it.</p>
+
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
</div>
<div class="tags">
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>.
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
</div>
</div>
<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/05/">May (9)</a></li>
-<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/06/">June (11)</a></li>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/06/">June (14)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/07/">July (12)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/08/">August (3)</a></li>
</ul></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem (10)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (26)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (35)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (26)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (39)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (38)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (54)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (1)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (7)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (8)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/kart">kart (3)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/kart">kart (2)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap (8)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/lenker">lenker (1)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/multimedia">multimedia (5)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (69)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (71)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (76)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (91)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (13)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (14)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern (13)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern (14)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/reprap">reprap (10)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/rss">rss (1)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (9)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (10)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (3)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (1)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (6)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (7)</a></li>
</ul>
projects / homepage.git / blobdiff