Generated.

[homepage.git] / blog / index.html

diff --git a/blog/index.html b/blog/index.html
index 7f47311a631f8c8f6d91cadc93d9fdf158a5cdc1..4f0a93f00b89ec5e766033174003e1d413bd350c 100644 (file)
--- a/blog/index.html
+++ b/blog/index.html
@@ -20,577 +20,1042 @@
 
  
  <div class="entry">
 
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Parallellized_boot_seem_to_hold_up_well_in_Debian_testing.html">Parallellized boot seem to hold up well in Debian/testing</a></div>
-  <div class="date">2010-05-27 23:55</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">Testing if a file system can be used for home directories...</a></div>
+  <div class="date">2010-08-08 21:20</div>

   <div class="body">
   <div class="body">

-<p>A few days ago, parallel booting was enabled in Debian/testing.
-The feature seem to hold up pretty well, but three fairly serious
-issues are known and should be solved:
-
-<p><ul>
-
-<li>The wicd package seen to
-<a href="http://bugs.debian.org/508289">break NFS mounting</a> and
-<a href="http://bugs.debian.org/581586">network setup</a> when
-parallel booting is enabled.  No idea why, but the wicd maintainer
-seem to be on the case.</li>
-
-<li>The nvidia X driver seem to
-<a href="http://bugs.debian.org/583312">have a race condition</a>
-triggered more easily when parallel booting is in effect.  The
-maintainer is on the case.</li>
-
-<li>The sysv-rc package fail to properly enable dependency based boot
-sequencing (the shutdown is broken) when old file-rc users
-<a href="http://bugs.debian.org/575080">try to switch back</a> to
-sysv-rc.  One way to solve it would be for file-rc to create
-/etc/init.d/.legacy-bootordering, and another is to try to make
-sysv-rc more robust.  Will investigate some more and probably upload a
-workaround in sysv-rc to help those trying to move from file-rc to
-sysv-rc get a working shutdown.</li>
-
-</ul></p>
-
-<p>All in all not many surprising issues, and all of them seem
-solvable before Squeeze is released.  In addition to these there are
-some packages with bugs in their dependencies and run level settings,
-which I expect will be fixed in a reasonable time span.</p>
-
-<p>If you report any problems with dependencies in init.d scripts to
-the BTS, please usertag the report to get it to show up at
-<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
-list of usertagged bugs related to this</a>.</p>
+<p>A few years ago, I was involved in a project planning to use
+Windows file servers as home directory servers for Debian
+Edu/Skolelinux machines.  This was thought to be no problem, as the
+access would be through the SMB network file system protocol, and we
+knew other sites used SMB with unix and samba as the file server to
+mount home directories without any problems.  But, after months of
+struggling, we had to conclude that our goal was impossible.</p>
+
+<p>The reason is simply that while SMB can be used for home
+directories when the file server is Samba running on Unix, this only
+work because of Samba have some extensions and the fact that the
+underlying file system is a unix file system.  When using a Windows
+file server, the underlying file system do not have POSIX semantics,
+and several programs will fail if the users home directory where they
+want to store their configuration lack POSIX semantics.</p>
+
+<p>As part of this work, I wrote a small C program I want to share
+with you all, to replicate a few of the problematic applications (like
+OpenOffice.org and GCompris) and see if the file system was working as
+it should.  If you find yourself in spooky file system land, it might
+help you find your way out again.  This is the fs-test.c source:</p>
+
+<pre>
+/*
+ * Some tests to check the file system sematics.  Used to verify that
+ * CIFS from a windows server do not work properly as a linux home
+ * directory.
+ * License: GPL v2 or later
+ * 
+ * needs libsqlite3-dev and build-essential installed
+ * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
+*/
+
+#define _FILE_OFFSET_BITS 64
+#define _LARGEFILE_SOURCE 1
+#define _LARGEFILE64_SOURCE 1
+
+#define _GNU_SOURCE /* for asprintf() */
+
+#include &lt;errno.h>
+#include &lt;fcntl.h>
+#include &lt;stdio.h>
+#include &lt;string.h>
+#include &lt;stdlib.h>
+#include &lt;sys/file.h>
+#include &lt;sys/stat.h>
+#include &lt;sys/types.h>
+#include &lt;unistd.h>
+
+#ifdef TEST_SQLITE
+/*
+ * Test sqlite open, as done by gcompris require the libsqlite3-dev
+ * package and linking with -lsqlite3.  A more low level test is
+ * below.
+ * See also &lt;URL: http://www.sqlite.org./faq.html#q5 >.
+ */
+#include &lt;sqlite3.h>
+#define CREATE_TABLE_USERS                                              \
+  "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); "
+int test_sqlite_open(void) {
+  char *zErrMsg;
+  char *name = "testsqlite.db";
+  sqlite3 *db=NULL;
+  unlink(name);
+  int rc = sqlite3_open(name, &db);
+  if( rc ){
+    printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  /* create tables */
+  rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL,  0, &zErrMsg);
+  if( rc != SQLITE_OK ){
+    printf("error: sqlite table create failed: %s\n", zErrMsg);
+    sqlite3_close(db);
+    return -1;
+  }
+  printf("info: sqlite worked\n");
+  sqlite3_close(db);
+  return 0;
+}
+#endif /* TEST_SQLITE */
+
+/*
+ * Demonstrate locking issue found in gcompris using sqlite3.  This
+ * work with ext3, but not with cifs server on Windows 2003.  This is
+ * done in the sqlite3 library.
+ * See also
+ * &lt;URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
+ * POSIX specification
+ * &lt;URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
+ */
+int test_gcompris_locking(void) {
+  struct flock fl;
+  char *name = "testsqlite.db";
+  unlink(name);
+  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
+  printf("info: testing fcntl locking\n");
+
+  fl.l_whence = SEEK_SET;
+  fl.l_pid    = getpid();
+  printf("  Read-locking 1 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 1;
+  fl.l_type   = F_RDLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Read-locking 510 byte from 1073741826");
+  fl.l_start  = 1073741826;
+  fl.l_len    = 510;
+  fl.l_type   = F_RDLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Unlocking 1 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 1;
+  fl.l_type   = F_UNLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Write-locking 1 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 1;
+  fl.l_type   = F_WRLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Write-locking 510 byte from 1073741826");
+  fl.l_start  = 1073741826;
+  fl.l_len    = 510;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  printf("  Unlocking 2 byte from 1073741824");
+  fl.l_start  = 1073741824;
+  fl.l_len    = 2;
+  fl.l_type   = F_UNLCK;
+  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
+
+  close(fd);
+  return 0;
+}
+
+/*
+ * Test if permissions of freshly created directories allow entries
+ * below them.  This was a problem with OpenOffice.org and gcompris.
+ * Mounting with option 'sync' seem to solve this problem while
+ * slowing down file operations.
+ */
+int test_subdirectory_creation(void) {
+#define LEVELS 5
+  char *path = strdup("test");
+  char *dirs[LEVELS];
+  int level;
+  printf("info: testing subdirectory creation\n");
+  for (level = 0; level &lt; LEVELS; level++) {
+    char *newpath = NULL;
+    if (-1 == mkdir(path, 0777)) {
+      printf("  error: Unable to create directory '%s': %s\n",
+            path, strerror(errno));
+      break;
+    }
+    asprintf(&newpath, "%s/%s", path, "test");
+    free(path);
+    path = newpath;
+  }
+  return 0;
+}
+
+/*
+ * Test if symlinks can be created.  This was a problem detected with
+ * KDE.
+ */
+int test_symlinks(void) {
+  printf("info: testing symlink creation\n");
+  unlink("symlink");
+  if (-1 == symlink("file", "symlink"))
+    printf("  error: Unable to create symlink\n");
+  return 0;
+}
+
+int main(int argc, char **argv) {
+  printf("Testing POSIX/Unix sematics on file system\n");
+  test_symlinks();
+  test_subdirectory_creation();
+#ifdef TEST_SQLITE
+  test_sqlite_open();
+#endif /* TEST_SQLITE */
+  test_gcompris_locking();
+  return 0;
+}
+</pre>
+
+<p>When everything is working, it should print something like
+this:</p>
+
+<pre>
+Testing POSIX/Unix sematics on file system
+info: testing symlink creation
+info: testing subdirectory creation
+info: sqlite worked
+info: testing fcntl locking
+  Read-locking 1 byte from 1073741824
+  Read-locking 510 byte from 1073741826
+  Unlocking 1 byte from 1073741824
+  Write-locking 1 byte from 1073741824
+  Write-locking 510 byte from 1073741826
+  Unlocking 2 byte from 1073741824
+</pre>
+
+<p>I do not remember the exact details of the problems we saw, but one
+of them was with locking, where if I remember correctly, POSIX allow a
+read-only lock to be upgraded to a read-write lock without unlocking
+the read-only lock (while Windows do not).  Another was a bug in the
+CIFS/SMB client implementation in the Linux kernel where directory
+meta information would be wrong for a fraction of a second, making
+OpenOffice.org fail to create its deep directory tree because it was
+not allowed to create files in its freshly created directory.</p>
+
+<p>Anyway, here is a nice tool for your tool box, might you never need
+it. :)</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/More_flexible_firmware_handling_in_debian_installer.html">More flexible firmware handling in debian-installer</a></div>
-  <div class="date">2010-05-22 21:30</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html">Autodetecting Client setup for roaming workstations in Debian Edu</a></div>
+  <div class="date">2010-08-07 14:45</div>

   <div class="body">
   <div class="body">

-<p>After a long break from debian-installer development, I finally
-found time today to return to the project.  Having to spend less time
-working dependency based boot in debian, as it is almost complete now,
-definitely helped freeing some time.</p>
-
-<p>A while back, I ran into a problem while working on Debian Edu.  We
-include some firmware packages on the Debian Edu CDs, those needed to
-get disk and network controllers working.  Without having these
-firmware packages available during installation, it is impossible to
-install Debian Edu on the given machine, and because our target group
-are non-technical people, asking them to provide firmware packages on
-an external medium is a support pain.  Initially, I expected it to be
-enough to include the firmware packages on the CD to get
-debian-installer to find and use them.  This proved to be wrong.
-Next, I hoped it was enough to symlink the relevant firmware packages
-to some useful location on the CD (tried /cdrom/ and
-/cdrom/firmware/).  This also proved to not work, and at this point I
-found time to look at the debian-installer code to figure out what was
-going to work.</p>
-
-<p>The firmware loading code is in the hw-detect package, and a closer
-look revealed that it would only look for firmware packages outside
-the installation media, so the CD was never checked for firmware
-packages.  It would only check USB sticks, floppies and other
-"external" media devices.  Today I changed it to also look in the
-/cdrom/firmware/ directory on the mounted CD or DVD, which should
-solve the problem I ran into with Debian edu.  I also changed it to
-look in /firmware/, to make sure the installer also find firmware
-provided in the initrd when booting the installer via PXE, to allow us
-to provide the same feature in the PXE setup included in Debian
-Edu.</p>
-
-<p>To make sure firmware deb packages with a license questions are not
-activated without asking if the license is accepted, I extended
-hw-detect to look for preinst scripts in the firmware packages, and
-run these before activating the firmware during installation.  The
-license question is asked using debconf in the preinst, so this should
-solve the issue for the firmware packages I have looked at so far.</p>
-
-<p>If you want to discuss the details of these features, please
-contact us on debian-boot@lists.debian.org.</p>
+<p>A few days ago, I
+<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
+to install</a> a Roaming workation profile from Debian Edu/Squeeze
+while on the university network here at the University of Oslo, and
+noticed how much had to change to get it operational using the
+university infrastructure.  It was fairly easy, but it occured to me
+that Debian Edu would improve a lot if I could get the client to
+connect without any changes at all, and thus let the client configure
+itself during installation and first boot to use the infrastructure
+around it.  Now I am a huge step further along that road.</p>
+
+<p>With our current squeeze-test packages, I can select the roaming
+workstation profile and get a working laptop connecting to the
+university LDAP server for user and group and our active directory
+servers for Kerberos authentication.  All this without any
+configuration at all during installation.  My users home directory got
+a bookmark in the KDE menu to mount it via SMB, with the correct URL.
+In short, openldap and sssd is correctly configured.  In addition to
+this, the client look for http://wpad/wpad.dat to configure a web
+proxy, and when it fail to find it no proxy settings are stored in
+/etc/environment and /etc/apt/apt.conf.  Iceweasel and KDE is
+configured to look for the same wpad configuration and also do not use
+a proxy when at the university network.  If the machine is moved to a
+network with such wpad setup, it would automatically use it when DHCP
+gave it a IP address.</p>
+
+<p>The LDAP server is located using DNS, by first looking for the DNS
+entry ldap.$domain.  If this do not exist, it look for the
+_ldap._tcp.$domain SRV records and use the first one as the LDAP
+server.  Next, it connects to the LDAP server and search all
+namingContexts entries for posixAccount or posixGroup objects, and
+pick the first one as the LDAP base.  For Kerberos, a similar
+algorithm is used to locate the LDAP server, and the realm is the
+uppercase version of $domain.</p>
+
+<p>So, what is not working, you might ask.  SMB mounting my home
+directory do not work.  No idea why, but suspected the incorrect
+Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
+the cause.  These are not properly configured during installation, and
+had to be hand-edited to get the correct Kerberos realm and server,
+but SMB mounting still do not work. :(</p>
+
+<p>With this automatic configuration in place, I expect a Debian Edu
+roaming profile installation would be able to automatically detect and
+connect to any site using LDAP and Kerberos for NSS directory and PAM
+authentication.  It should also work out of the box in a Active
+Directory environment providing posixAccount and posixGroup objects
+with UID and GID values.</p>
+
+<p>If you want to help out with implementing these things for Debian
+Edu, please contact us on debian-edu@lists.debian.org.</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html">Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten</a></div>
-  <div class="date">2010-05-21 16:00</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">Debian Edu roaming workstation - at the university of Oslo</a></div>
+  <div class="date">2010-08-03 23:30</div>

   <div class="body">
   <div class="body">

-<p>For en stund tilbake kjøpte jeg en magnetkortleser for å kunne
-titte på hva som er skrevet inn på magnetstripene til ulike kort.  Har
-ikke hatt tid til å analysere mange kort så langt, men tenkte jeg
-skulle dele innholdet på to kort med mine lesere.</p>
-
-<p>For noen dager siden tok jeg flyet til Harstad og Hurtigruten til
-Bergen.  Flytoget fra Oslo S til flyplassen ga meg en billett med
-magnetstripe.  Påtrykket finner jeg følgende informasjon:</p>
-
-<pre>
-Flytoget Airport Express Train
-
-Fra - Til        : Oslo Sentralstasjon
-Kategori         : Voksen
-Pris             : Nok 170,00
-Herav mva. 8,00% : NOK 12,59
-Betaling         : Kontant
-Til - Fra        : Oslo Lufthavn
-Utstedt:         : 08.05.10
-Gyldig Fra-Til   : 08.05.10-07.11.10
-Billetttype      : Enkeltbillett
-
-102-1015-100508-48382-01-08
-</pre>
-
-<p>På selve magnetstripen er innholdet
-<tt>;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?</tt>.
-Aner ikke hva innholdet representerer, og det er lite overlapp mellom
-det jeg ser trykket på billetten og det jeg ser av tegn i
-magnetstripen.  Håper det betyr at de bruker kryptografiske metoder
-for å gjøre det vanskelig å forfalske billetter.</p>
-
-<p>Den andre billetten er fra Hurtigruten, der jeg mistenker at
-strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert
-fall den biten vi stakk inn i dørlåsen).</p>
-
-<p>Påtrykket forsiden er følgende:</p>
-
-<pre>
-Romnummer 727
-Hurtigruten
-Midnatsol
-Reinholdtsen
-Petter
-Bookingno: SAX69   0742193
-Harstad-Bergen
-Dep: 09.05.2010 Arr: 12.05.2010
-Lugar fra Risøyhamn
-Kost: FRO=4
-</pre>
-
-<p>På selve magnetstripen er innholdet
-<tt>;1316010007421930=00000000000000000000?+E?</tt>.  Heller ikke her
-ser jeg mye korrespondanse mellom påtrykk og magnetstripe.</p>
+<p>The new roaming workstation profile in Debian Edu/Squeeze is fairly
+similar to the laptop setup am I working on using Ubuntu for the
+University of Oslo, and just for the heck of it, I tested today how
+hard it would be to integrate that profile into the university
+infrastructure.  In this case, it is the university LDAP server,
+Active Directory Kerberos server and SMB mounting from the Netapp file
+servers.</p>
+
+<p>I was pleasantly surprised that the only three files needed to be
+changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
+/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added
+(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
+Most of the changes were to get the client to use the university LDAP
+for NSS and Kerberos server for PAM, but one was to change a hard
+coded DNS domain name in the mklocaluser hook from .intern to
+.uio.no.</p>
+
+<p>This testing was so encouraging, that I went ahead and adjusted the
+Debian Edu scripts and setup in subversion to centralise the roaming
+workstation setup a bit more and avoid the hardcoded DNS domain name,
+so that when I test this tomorrow, I expect to get away with modifying
+only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
+university servers.</p>
+
+<p>My goal is to get the clients to have no hardcoded settings and
+fetch all their initial setup during installation and first boot, to
+allow them to be inserted also into environments where the default
+setup in Debian Edu has been changed or as with the university, where
+the environment is different but provides the protocols Debian Edu
+uses.</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html">Pieces of the roaming laptop puzzle in Debian</a></div>
-  <div class="date">2010-05-19 19:00</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html">Circular package dependencies harms apt recovery</a></div>
+  <div class="date">2010-07-27 23:50</div>

   <div class="body">
   <div class="body">

-<p>Today, the last piece of the puzzle for roaming laptops in Debian
-Edu finally entered the Debian archive.  Today, the new
-<a href="http://packages.qa.debian.org/libp/libpam-mklocaluser.html">libpam-mklocaluser</a>
-package was accepted.  Two days ago, two other pieces was accepted
-into unstable.  The
-<a href="http://packages.qa.debian.org/p/pam-python.html">pam-python</a>
-package needed by libpam-mklocaluser, and the
-<a href="http://packages.qa.debian.org/s/sssd.html">sssd</a> package
-passed NEW on Monday.  In addition, the
-<a href="http://packages.qa.debian.org/libp/libpam-ccreds.html">libpam-ccreds</a>
-package we need is in experimental (version 10-4) since Saturday, and
-hopefully will be moved to unstable soon.</p>
-
-<p>This collection of packages allow for two different setups for
-roaming laptops.  The traditional setup would be using libpam-ccreds,
-nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
-which should work out of the box if the configuration changes proposed
-for nscd in <a href="http://bugs.debian.org/485282">BTS report
-#485282</a> is implemented.  The alternative setup is to use sssd with
-libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
-care of the caching of passwords and group information.</p>
-
-<p>I have so far been unable to get sssd to work with the LDAP server
-at the University, but suspect the issue is some SSL/GnuTLS related
-problem with the server certificate.  I plan to update the Debian
-package to version 1.2, which is scheduled for next week, and hope to
-find time to make sure the next release will include both the
-Debian/Ubuntu specific patches.  Upstream is friendly and responsive,
-and I am sure we will find a good solution.</p>
-
-<p>The idea is to set up the roaming laptops to authenticate using
-LDAP or Kerberos and create a local user with home directory in /home/
-when a usre in LDAP logs in via KDM or GDM for the first time, and
-cache the password for offline checking, as well as caching group
-memberhips and other relevant LDAP information.  The
-libpam-mklocaluser package was created to make sure the local home
-directory is in /home/, instead of /site/server/directory/ which would
-be the home directory if pam_mkhomedir was used.  To avoid confusion
-with support requests and configuration, we do not want local laptops
-to have users in a path that is used for the same users home directory
-on the home directory servers.</p>
-
-<p>One annoying problem with gdm is that it do not show the PAM
-message passed to the user from libpam-mklocaluser when the local user
-is created.  Instead gdm simply reject the login with some generic
-message.  The message is shown in kdm, ssh and login, so I guess it is
-a bug in gdm.  Have not investigated if there is some other message
-type that can be used instead to get gdm to also show the message.</p>
+<p>I discovered this while doing
+<a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">automated
+testing of upgrades from Debian Lenny to Squeeze</a>.  A few packages
+in Debian still got circular dependencies, and it is often claimed
+that apt and aptitude should be able to handle this just fine, but
+some times these dependency loops causes apt to fail.</p>
+
+<p>An example is from todays
+<a href="http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt">upgrade
+of KDE using aptitude</a>.  In it, a bug in kdebase-workspace-data
+causes perl-modules to fail to upgrade.  The cause is simple.  If a
+package fail to unpack, then only part of packages with the circular
+dependency might end up being unpacked when unpacking aborts, and the
+ones already unpacked will fail to configure in the recovery phase
+because its dependencies are unavailable.</p>
+
+<p>In this log, the problem manifest itself with this error:</p>

 
 

-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
+<blockquote><pre>
+dpkg: dependency problems prevent configuration of perl-modules:
+ perl-modules depends on perl (>= 5.10.1-1); however:
+  Version of perl on system is 5.10.0-19lenny2.
+dpkg: error processing perl-modules (--configure):
+ dependency problems - leaving unconfigured
+</pre></blockquote>
+
+<p>The perl/perl-modules circular dependency is already
+<a href="http://bugs.debian.org/527917">reported as a bug</a>, and will
+hopefully be solved as soon as possible, but it is not the only one,
+and each one of these loops in the dependency tree can cause similar
+failures.  Of course, they only occur when there are bugs in other
+packages causing the unpacking to fail, but it is rather nasty when
+the failure of one package causes the problem to become worse because
+of dependency loops.</p>
+
+<p>Thanks to
+<a href="http://lists.debian.org/debian-devel/2010/06/msg00116.html">the
+tireless effort by Bill Allombert</a>, the number of circular
+dependencies
+<a href="http://debian.semistable.com/debgraph.out.html">left in Debian
+is dropping</a>, and perhaps it will reach zero one day. :)</p>
+
+<p>Todays testing also exposed a bug in
+<a href="http://bugs.debian.org/590605">update-notifier</a> and
+<a href="http://bugs.debian.org/590604">different behaviour</a> between
+apt-get and aptitude, the latter possibly caused by some circular
+dependency.  Reported both to BTS to try to get someone to look at
+it.</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html">Parallellized boot is now the default in Debian/unstable</a></div>
-  <div class="date">2010-05-14 22:40</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html">First Debian Edu test release (alpha0) based on Squeeze is released</a></div>
+  <div class="date">2010-07-27 17:45</div>

   <div class="body">
   <div class="body">

-<p>Since this evening, parallel booting is the default in
-Debian/unstable for machines using dependency based boot sequencing.
-Apparently the testing of concurrent booting has been wider than
-expected, if I am to believe the
-<a href="http://lists.debian.org/debian-devel/2010/05/msg00122.html">input
-on debian-devel@</a>, and I concluded a few days ago to move forward
-with the feature this weekend, to give us some time to detect any
-remaining problems before Squeeze is frozen.  If serious problems are
-detected, it is simple to change the default back to sequential boot.
-The upload of the new sysvinit package also activate a new upstream
-version.</p>
-
-More information about
-<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
-based boot sequencing</a> is available from the Debian wiki.  It is
-currently possible to disable parallel booting when one run into
-problems caused by it, by adding this line to /etc/default/rcS:</p>
+<p>I just posted this announcement culminating several months of work
+with the next Debian Edu release.  Not nearly done, but one major step
+completed.</p>
+
+<blockquote>
+<p>This is the first test release based on Squeeze. The focus of this
+release is to test the user application selection. To have a look,
+install the standalone profile and let the developers know if the set
+of installed packages i.e. applications should be modified. If some
+user application is missing, or if there are some applications that no
+longer make sense to be included in Debian Edu, please let us know.
+Also, if a useful application is missing the translation for your
+language of choice, please let us know too.</p>
+
+<p>In addition, feedback and help to polish the desktop (menus,
+artwork, starters, etc.) is appreciated. We would like to ship a nice
+and handy KDE4 desktop targeted for schools out of the box.</p>
+
+<p>The other profiles should be installable, but there is a lot more
+work left to be done before they are ready, so do not expect to
+much.</p>
+
+<p>Changes compared to the lenny based version</p>

 
 

-<blockquote><pre>
-CONCURRENCY=none
-</pre></blockquote>
+<ul>
+<li>Everything from Debian Squeeze
+<ul>
+  <li>Desktop environment KDE 4.4 => the new KDE desktop in
+         combination with some new artwork
+  <li>Web browser Iceweasel 3.5
+  <li>OpenOffice.org 3.2
+  <li>Educational toolbox GCompris 9.3
+  <li>Music creator Rosegarden 10.04.2
+  <li>Image editor Gimp 2.6.10
+  <li>Virtual universe Celestia 1.6.0
+  <li>Virtual stargazer Stellarium 0.10.4
+  <li>3D modeler Blender 2.49.2 (new application)
+  <li>Video editor Kdenlive 0.7.7 (new application)
+</ul></li>
+<li>Now using Kerberos for password checking (migration not finished).
+    Enabled for:
+<ul>
+  <li>PAM
+  <li>LDAP
+  <li>IMAP
+  <li>SMTP (sender verification)
+</ul>
+</li>
+<li>New experimental roaming workstation profile for laptops.</li>
+<li>Show welcome page to users when they first log in. The URL is
+    fetched from LDAP.</li>
+<li>New LXDE desktop option, in addition to KDE (default) and Gnome.</li>
+<li>General cleanup (not finished)</li>
+</ul>
+<p>The following features are not working as they should</p>
+
+<ul>
+<li>No web based administration tool for creating users and groups. The
+    scripts ldap-createuser-krb and ldap-add-user-to-group can be used
+    for testing.</li>
+<li>DVD installs are missing debian-installer images for the PXE boot,
+    and do not set up the PXE menu on eth0 because of this. LTSP
+    clients should still boot from eth1 on thin client servers.</li>
+<li>The restructured KDE menu is not implemented.</li>
+<li>The LDAP server setup need to be reviewed for security.</li>
+<li>The LDAP directory structure need to be reworked.</li>
+<li>Different sets of packages are installed when using the DVD and the
+    netinst CD. More packages are installed using the netinst CD.</li>
+<li>The jackd package fail to install. This is believed to be caused by
+    some ongoing transition, and hopefully should be solved soon. The
+    jackd1 package can be installed manually for those that need it.</li>
+<li>Some packages lack translations. See
+    http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
+    and help out with translations.</li>
+</ul>
+
+<p>To download this multiarch netinstall release you can use</p>
+
+<ul>
+<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
+<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
+<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</li>
+</ul>
+<p>To download this multiarch dvd release you can use</p>
+
+<ul>
+<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
+<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
+<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
+
+<p>There is no source DVD available yet. It will be prepared when we
+get closer to the final release.</p>
+
+<p>The MD5SUM of these images are</p>
+
+<ul>
+<li>3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso</li>
+<li>22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
+
+<p>The SHA1SUM of these images are</p>
+<ul>
+<li>c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso</li>
+<li>2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso</li>
+</ul>
+<p>How to report bugs:
+http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla</p>

 
 

-<p>If you report any problems with dependencies in init.d scripts to
-the BTS, please usertag the report to get it to show up at
-<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
-list of usertagged bugs related to this</a>.</p>
+<p>Please direct replies to debian-edu@lists.debian.org</p>
+</blockquote>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html">Sitesummary tip: Listing MAC address of all clients</a></div>
-  <div class="date">2010-05-14 21:10</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html">One step closer to single signon in Debian Edu</a></div>
+  <div class="date">2010-07-25 10:00</div>

   <div class="body">
   <div class="body">

-<p>In the recent Debian Edu versions, the
-<a href="http://wiki.debian.org/DebianEdu/HowTo/SiteSummary">sitesummary
-system</a> is used to keep track of the machines in the school
-network.  Each machine will automatically report its status to the
-central server after boot and once per night.  The network setup is
-also reported, and using this information it is possible to get the
-MAC address of all network interfaces in the machines.  This is useful
-to update the DHCP configuration.</p>
-
-<p>To give some idea how to use sitesummary, here is a one-liner to
-ist all MAC addresses of all machines reporting to sitesummary.  Run
-this on the collector host:</p>
-
-<blockquote><pre>
-perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
-</pre></blockquote>
-
-<p>This will list all MAC addresses assosiated with all machine, one
-line per machine and with space between the MAC addresses.</p>
-
-<p>To allow system administrators easier job at adding static DHCP
-addresses for hosts, it would be possible to extend this to fetch
-machine information from sitesummary and update the DHCP and DNS
-tables in LDAP using this information.  Such tool is unfortunately not
-written yet.</p>
+<p>The last few months me and the other Debian Edu developers have
+been working hard to get the Debian/Squeeze based version of Debian
+Edu/Skolelinux into shape.  This future version will use Kerberos for
+authentication, and services are slowly migrated to single signon,
+getting rid of password questions one at the time.</p>
+
+<p>It will also feature a roaming workstation profile with local home
+directory, for laptops that are only some times on the Skolelinux
+network, and for this profile a shortcut is created in Gnome and KDE
+to gain access to the users home directory on the file server.  This
+shortcut uses SMB at the moment, and yesterday I had time to test if
+SMB mounting had started working in KDE after we added the cifs-utils
+package.  I was pleasantly surprised how well it worked.</p>
+
+<p>Thanks to the recent changes to our samba configuration to get it
+to use Kerberos for authentication, there were no question about user
+password when mounting the SMB volume.  A simple click on the shortcut
+in the KDE menu, and a window with the home directory popped
+up. :)</p>
+
+<p>One step closer to a single signon solution out of the box in
+Debian Edu.  We already had PAM, LDAP, IMAP and SMTP in place, and now
+also Samba.  Next step is Cups and hopefully also NFS.</p>
+
+<p>We had planned a alpha0 release of Debian Edu for today, but thanks
+to the autobuilder administrators for some architectures being slow to
+sign packages, we are still missing the fixed LTSP package we need for
+the release.  It was uploaded three days ago with urgency=high, and if
+it had entered testing yesterday we would have been able to test it in
+time for a alpha0 release today.  As the binaries for ia64 and powerpc
+still not uploaded to the Debian archive, we need to delay the alpha
+release another day.</p>
+
+<p>If you want to help out with implementing Kerberos for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html">systemd, an interesting alternative to upstart</a></div>
-  <div class="date">2010-05-13 22:20</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til____slutte____kj__pe_musikk.html">Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk</a></div>
+  <div class="date">2010-07-22 23:50</div>

   <div class="body">
   <div class="body">

-<p>The last few days a new boot system called
-<a href="http://www.freedesktop.org/wiki/Software/systemd">systemd</a>
-has been
-<a href="http://0pointer.de/blog/projects/systemd.html">introduced</a>
-
-to the free software world.  I have not yet had time to play around
-with it, but it seem to be a very interesting alternative to
-<a href="http://upstart.ubuntu.com/">upstart</a>, and might prove to be
-a good alternative for Debian when we are able to switch to an event
-based boot system.  Tollef is
-<a href="http://bugs.debian.org/580814">in the process</a> of getting
-systemd into Debian, and I look forward to seeing how well it work.  I
-like the fact that systemd handles init.d scripts with dependency
-information natively, allowing them to run in parallel where upstart
-at the moment do not.</p>
-
-<p>Unfortunately do systemd have the same problem as upstart regarding
-platform support.  It only work on recent Linux kernels, and also need
-some new kernel features enabled to function properly.  This means
-kFreeBSD and Hurd ports of Debian will need a port or a different boot
-system.  Not sure how that will be handled if systemd proves to be the
-way forward.</p>
-
-<p>In the mean time, based on the
-<a href="http://lists.debian.org/debian-devel/2010/05/msg00122.html">input
-on debian-devel@</a> regarding parallel booting in Debian, I have
-decided to enable full parallel booting as the default in Debian as
-soon as possible (probably this weekend or early next week), to see if
-there are any remaining serious bugs in the init.d dependencies.  A
-new version of the sysvinit package implementing this change is
-already in experimental.  If all go well, Squeeze will be released
-with parallel booting enabled by default.</p>
+<p>For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at
+musikkbransjen var godt i gang med å selge platene sine med DRM som
+gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg
+hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en
+plate om den var ødelagt eller ikke, og jeg hadde jo allerede en
+anseelig samling med plater, så jeg bestemme meg for å slutte å gi
+penger til en bransje som åpenbart ikke respekterte meg.</p>
+
+<p>Jeg har mange titalls dager med musikk på CD i dag. Det meste er
+lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har
+ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer
+musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt
+fornøyd.</p>
+
+<p>Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de
+setter pris på meg som kunde, og ikke skremme meg bort med DRM og
+antydninger om at kundene er kriminelle.</p>
+
+<p>Filmbransjen er like ille, men mens musikk gjerne varer lenge, er
+filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men
+holder meg til DVD-filmer som kan spilles av på mine Linuxbokser.
+Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
+«Ultraviolet» som be annonsert her om dagen.</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling</a>, <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett</a>, <a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html">Parallellizing the boot in Debian Squeeze - ready for wider testing</a></div>
-  <div class="date">2010-05-06 23:25</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html">OpenStreetmap one step closer to having routing on its front page</a></div>
+  <div class="date">2010-07-18 16:45</div>

   <div class="body">
   <div class="body">

-<p>These days, the init.d script dependencies in Squeeze are quite
-complete, so complete that it is actually possible to run all the
-init.d scripts in parallell based on these dependencies.  If you want
-to test your Squeeze system, make sure
-<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
-based boot sequencing</a> is enabled, and add this line to
-/etc/default/rcS:</p>
-
-<blockquote><pre>
-CONCURRENCY=makefile
-</pre></blockquote>
-
-<p>That is it.  It will cause sysv-rc to use the startpar tool to run
-scripts in parallel using the dependency information stored in
-/etc/init.d/.depend.boot, /etc/init.d/.depend.start and
-/etc/init.d/.depend.stop to order the scripts.  Startpar is configured
-to try to start the kdm and gdm scripts as early as possible, and will
-start the facilities required by kdm or gdm as early as possible to
-make this happen.</p>
-
-<p>Give it a try, and see if you like the result.  If some services
-fail to start properly, it is most likely because they have incomplete
-init.d script dependencies in their startup script (or some of their
-dependent scripts have incomplete dependencies).  Report bugs and get
-the package maintainers to fix it. :)</p>
-
-<p>Running scripts in parallel could be the default in Debian when we
-manage to get the init.d script dependencies complete and correct.  I
-expect we will get there in Squeeze+1, if we get manage to test and
-fix the remaining issues.</p>
-
-<p>If you report any problems with dependencies in init.d scripts to
-the BTS, please usertag the report to get it to show up at
-<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
-list of usertagged bugs related to this</a>.</p>
+<p>Thanks to
+<a href="http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home">todays
+opengeodata blog entry</a>, I just discovered that the
+OpenStreetmap.org site have gotten
+<a href="http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT">support
+for calculating routes</a>.  The support is still experimental and
+only available from the development server, until more experience is
+gathered on the user interface and any scalability issues.</p>
+
+<p>Earlier, the routing I knew about using the OpenStreetmap.org data
+was provided by <a href="http://maps.cloudmade.com/">Cloudmade</a>,
+but having it on the main page is required to make everyone aware of
+the issue.  I've had people reject Openstreetmap.org as a viable
+alternative for them because the front page lacked routing support,
+and I hope their needs will be catered for when routing show up on the
+www.openstreetmap.org front page.</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/kart">kart</a>, <a href="http://people.skolelinux.org/pere/blog/tags/web">web</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html">Forcing new users to change their password on first login</a></div>
-  <div class="date">2010-05-02 13:47</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html">What are they searching for - PowerDNS and ISC DHCP in LDAP</a></div>
+  <div class="date">2010-07-17 21:00</div>

   <div class="body">
   <div class="body">

-<p>One interesting feature in Active Directory, is the ability to
-create a new user with an expired password, and thus force the user to
-change the password on the first login attempt.</p>
+<p>This is a
+<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">followup</a>
+on my
+<a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">previous
+work</a> on
+<a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">merging
+all</a> the computer related LDAP objects in Debian Edu.</p>
+
+<p>As a step to try to see if it possible to merge the DNS and DHCP
+LDAP objects, I have had a look at how the packages pdns-backend-ldap
+and dhcp3-server-ldap in Debian use the LDAP server.  The two
+implementations are quite different in how they use LDAP.</p>
+
+To get this information, I started slapd with debugging enabled and
+dumped the debug output to a file to get the LDAP searches performed
+on a Debian Edu main-server.  Here is a summary.
+
+<p><strong>powerdns</strong></p>
+
+<a href="http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend">Clues
+on how to</a> set up PowerDNS to use a LDAP backend is available on
+the web.
+
+<p>PowerDNS have two modes of operation using LDAP as its backend.
+One "strict" mode where the forward and reverse DNS lookups are done
+using the same LDAP objects, and a "tree" mode where the forward and
+reverse entries are in two different subtrees in LDAP with a structure
+based on the DNS names, as in tjener.intern and
+2.2.0.10.in-addr.arpa.</p>
+
+<p>In tree mode, the server is set up to use a LDAP subtree as its
+base, and uses a "base" scoped search for the DNS name by adding
+"dc=tjener,dc=intern," to the base with a filter for
+"(associateddomain=tjener.intern)" for the forward entry and
+"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for
+"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry.  For
+forward entries, it is looking for attributes named dnsttl, arecord,
+nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
+txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
+srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
+ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
+spfrecord and modifytimestamp.  For reverse entries it is looking for
+the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
+ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
+locrecord, srvrecord, naptrrecord and modifytimestamp.  The equivalent
+ldapsearch commands could look like this:</p>
+
+<blockquote><pre>
+ldapsearch -h ldap \
+  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
+  -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
+  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
+  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
+  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
+  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
+
+ldapsearch -h ldap \
+  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
+  -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
+  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
+  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
+  srvrecord naptrrecord modifytimestamp
+</pre></blockquote>
+
+<p>In Debian Edu/Lenny, the PowerDNS tree mode is used with
+ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two
+example LDAP objects used there.  In addition to these objects, the
+parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no
+also exist.</p>
+
+<blockquote><pre>
+dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
+objectclass: top
+objectclass: dnsdomain
+objectclass: domainrelatedobject
+dc: tjener
+arecord: 10.0.2.2
+associateddomain: tjener.intern
+
+dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
+objectclass: top
+objectclass: dnsdomain2
+objectclass: domainrelatedobject
+dc: 2
+ptrrecord: tjener.intern
+associateddomain: 2.2.0.10.in-addr.arpa
+</pre></blockquote>
+
+<p>In strict mode, the server behaves differently.  When looking for
+forward DNS entries, it is doing a "subtree" scoped search with the
+same base as in the tree mode for a object with filter
+"(associateddomain=tjener.intern)" and requests the attributes dnsttl,
+arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord,
+mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord,
+naptrrecord and modifytimestamp.  For reverse entires it also do a
+subtree scoped search but this time the filter is "(arecord=10.0.2.2)"
+and the requested attributes are associateddomain, dnsttl and
+modifytimestamp.  In short, in strict mode the objects with ptrrecord
+go away, and the arecord attribute in the forward object is used
+instead.</p>
+
+<p>The forward and reverse searches can be simulated using ldapsearch
+like this:</p>
+
+<blockquote><pre>
+ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
+  '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
+  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
+  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
+  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
+  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
+
+ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
+  '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
+</pre></blockquote>
+
+<p>In addition to the forward and reverse searches , there is also a
+search for SOA records, which behave similar to the forward and
+reverse lookups.</p>
+
+<p>A thing to note with the PowerDNS behaviour is that it do not
+specify any objectclass names, and instead look for the attributes it
+need to generate a DNS reply.  This make it able to work with any
+objectclass that provide the needed attributes.</p>
+
+<p>The attributes are normally provided in the cosine (RFC 1274) and
+dnsdomain2 schemas.  The latter is used for reverse entries like
+ptrrecord and recent DNS additions like aaaarecord and srvrecord.</p>
+
+<p>In Debian Edu, we have created DNS objects using the object classes
+dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS
+attributes) and domainrelatedobject (for associatedDomain).  The use
+of structural object classes make it impossible to combine these
+classes with the object classes used by DHCP.</p>
+
+<p>There are other schemas that could be used too, for example the
+dnszone structural object class used by Gosa and bind-sdb for the DNS
+attributes combined with the domainrelatedobject object class, but in
+this case some unused attributes would have to be included as well
+(zonename and relativedomainname).</p>
+
+<p>My proposal for Debian Edu would be to switch PowerDNS to strict
+mode and not use any of the existing objectclasses (dnsdomain,
+dnsdomain2 and dnszone) when one want to combine the DNS information
+with DHCP information, and instead create a auxiliary object class
+defined something like this (using the attributes defined for
+dnsdomain and dnsdomain2 or dnszone):</p>
+
+<blockquote><pre>
+objectclass ( some-oid NAME 'dnsDomainAux'
+    SUP top
+    AUXILIARY
+    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
+          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
+          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
+          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
+          A6Record $ DNAMERecord
+    ))
+</pre></blockquote>
+
+<p>This will allow any object to become a DNS entry when combined with
+the domainrelatedobject object class, and allow any entity to include
+all the attributes PowerDNS wants.  I've sent an email to the PowerDNS
+developers asking for their view on this schema and if they are
+interested in providing such schema with PowerDNS, and I hope my
+message will be accepted into their mailing list soon.</p>
+
+<p><strong>ISC dhcp</strong></p>
+
+<p>The DHCP server searches for specific objectclass and requests all
+the object attributes, and then uses the attributes it want.  This
+make it harder to figure out exactly what attributes are used, but
+thanks to the working example in Debian Edu I can at least get an idea
+what is needed without having to read the source code.</p>

 
 

-<p>I'm not quite sure how to do that with the LDAP setup in Debian
-Edu, but did some initial testing with a local account.  The account
-and password aging information is available in /etc/shadow, but
-unfortunately, it is not possible to specify an expiration time for
-passwords, only a maximum age for passwords.</p>
+<p>In the DHCP server configuration, the LDAP base to use and the
+search filter to use to locate the correct dhcpServer entity is
+stored.  These are the relevant entries from
+/etc/dhcp3/dhcpd.conf:</p>
+
+<blockquote><pre>
+ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
+ldap-dhcp-server-cn "dhcp";
+</pre></blockquote>

 
 

-<p>A freshly created account (using adduser test) will have these
-settings in /etc/shadow:</p>
+<p>The DHCP server uses this information to nest all the DHCP
+configuration it need.  The cn "dhcp" is located using the given LDAP
+base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))".  The
+search result is this entry:</p>

 
 <blockquote><pre>
 
 <blockquote><pre>

-root@tjener:~# chage -l test
-Last password change                                    : May 02, 2010
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 99999
-Number of days of warning before password expires       : 7
-root@tjener:~#
+dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
+cn: dhcp
+objectClass: top
+objectClass: dhcpServer
+dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>The only way I could come up with to create a user with an expired
-account, is to change the date of the last password change to the
-lowest value possible (January 1th 1970), and the maximum password age
-to the difference in days between that date and today.  To make it
-simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
-avoid testing if 0 is a valid value).</p>
+<p>The content of the dhcpServiceDN attribute is next used to locate the
+subtree with DHCP configuration.  The DHCP configuration subtree base
+is located using a base scope search with base "cn=DHCP
+Config,dc=skole,dc=skolelinux,dc=no" and filter
+"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))".
+The search result is this entry:</p>

 
 

-<p>After using these commands to set it up, it seem to work as
-intended:</p>
+<blockquote><pre>
+dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: DHCP Config
+objectClass: top
+objectClass: dhcpService
+objectClass: dhcpOptions
+dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
+dhcpStatements: ddns-update-style none
+dhcpStatements: authoritative
+dhcpOption: smtp-server code 69 = array of ip-address
+dhcpOption: www-server code 72 = array of ip-address
+dhcpOption: wpad-url code 252 = text
+</pre></blockquote>
+
+<p>Next, the entire subtree is processed, one level at the time.  When
+all the DHCP configuration is loaded, it is ready to receive requests.
+The subtree in Debian Edu contain objects with object classes
+top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
+top/dhcpSubnet, top/dhcpGroup and top/dhcpHost.  These provide options
+and information about netmasks, dynamic range etc.  Leaving out the
+details here because it is not relevant for the focus of my
+investigation, which is to see if it is possible to merge dns and dhcp
+related computer objects.</p>
+
+<p>When a DHCP request come in, LDAP is searched for the MAC address
+of the client (00:00:00:00:00:00 in this example), using a subtree
+scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as
+the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet
+00:00:00:00:00:00))" as the filter.  This is what a host object look
+like:</p>

 
 <blockquote><pre>
 
 <blockquote><pre>

-root@tjener:~# chage -d 1 test; chage -M 10950 test
-root@tjener:~# chage -l test
-Last password change                                    : Jan 02, 1970
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 10950
-Number of days of warning before password expires       : 7
-root@tjener:~#  
+dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+cn: hostname
+objectClass: top
+objectClass: dhcpHost
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname

 </pre></blockquote>
 
 </pre></blockquote>
 

-<p>So far I have tested this with ssh and console, and kdm (in
-Squeeze) login, and all ask for a new password before login in the
-user (with ssh, I was thrown out and had to log in again).</p>
+<p>There is less flexiblity in the way LDAP searches are done here.
+The object classes need to have fixed names, and the configuration
+need to be stored in a fairly specific LDAP structure.  On the
+positive side, the invidiual dhcpHost entires can be anywhere without
+the DN pointed to by the dhcpServer entries.  The latter should make
+it possible to group all host entries in a subtree next to the
+configuration entries, and this subtree can also be shared with the
+DNS server if the schema proposed above is combined with the dhcpHost
+structural object class.
+
+<p><strong>Conclusion</strong></p>
+
+<p>The PowerDNS implementation seem to be very flexible when it come
+to which LDAP schemas to use.  While its "tree" mode is rigid when it
+come to the the LDAP structure, the "strict" mode is very flexible,
+allowing DNS objects to be stored anywhere under the base cn specified
+in the configuration.</p>
+
+<p>The DHCP implementation on the other hand is very inflexible, both
+regarding which LDAP schemas to use and which LDAP structure to use.
+I guess one could implement ones own schema, as long as the
+objectclasses and attributes have the names used, but this do not
+really help when the DHCP subtree need to have a fairly fixed
+structure.</p>
+
+<p>Based on the observed behaviour, I suspect a LDAP structure like
+this might work for Debian Edu:</p>

 
 

-<p>Perhaps we should set up something similar for Debian Edu, to make
-sure only the user itself have the account password?</p>
+<blockquote><pre>
+ou=services
+  cn=machine-info (dhcpService) - dhcpServiceDN points here
+    cn=dhcp (dhcpServer)
+    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
+      cn=10.0.2.0 (dhcpSubnet)
+        cn=group1 (dhcpGroup/dhcpOptions)
+    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
+      cn=192.168.0.0 (dhcpSubnet)
+        cn=group1 (dhcpGroup/dhcpOptions)
+    ou=machines - PowerDNS base points here
+      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
+</pre></blockquote>

 
 

-<p>If you want to comment on or help out with implementing this for
-Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
+<P>This is not tested yet.  If the DHCP server require the dhcpHost
+entries to be in the dhcpGroup subtrees, the entries can be stored
+there instead of a common machines subtree, and the PowerDNS base
+would have to be moved one level up to the machine-info subtree.</p>

 
 

-<p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
-shadow(8) page in Debian/testing now state that setting the date of
-last password change to zero (0) will force the password to be changed
-on the first login.  This was not mentioned in the manual in Lenny, so
-I did not notice this in my initial testing.  I have tested it on
-Squeeze, and '<tt>chage -d 0 username</tt>' do work there.  I have not
-tested it on Lenny yet.</p>
+<p>The combined object under the machines subtree would look something
+like this:</p>
+    
+<blockquote><pre>
+dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
+dc: hostname
+objectClass: top
+objectClass: dhcpHost
+objectclass: domainrelatedobject
+objectclass: dnsDomainAux
+associateddomain: hostname.intern
+arecord: 10.11.12.13
+dhcpHWAddress: ethernet 00:00:00:00:00:00
+dhcpStatements: fixed-address hostname.intern
+</pre></blockquote>

 
 

-<p>Update 2010-05-02-19:05: Jim Paris tells me via email that an
-equivalent command to expire a password is '<tt>passwd -e
-username</tt>', which insert zero into the date of the last password
-change.</p>
+</p>One could even add the LTSP configuration associated with a given
+machine, as long as the required attributes are available in a
+auxiliary object class.</p>

 </div>
   <div class="tags">
    
 
    
 </div>
   <div class="tags">
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 

   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">
   
   </div>
  </div>
  <div class="padding"></div>
  
  <div class="entry">

-  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html">Thoughts on roaming laptop setup for Debian Edu</a></div>
-  <div class="date">2010-04-28 20:40</div>
+  <div class="title"><a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">Combining PowerDNS and ISC DHCP LDAP objects</a></div>
+  <div class="date">2010-07-14 23:45</div>

   <div class="body">
   <div class="body">

-<p>For some years now, I have wondered how we should handle laptops in
-Debian Edu.  The Debian Edu infrastructure is mostly designed to
-handle stationary computers, and less suited for computers that come
-and go.</p>
-
-<p>Now I finally believe I have an sensible idea on how to adjust
-Debian Edu for laptops, by introducing a new profile for them, for
-example called Roaming Workstations.  Here are my thought on this.
-The setup would consist of the following:</p>
-
-<ul>
+<p>For a while now, I have wanted to find a way to change the DNS and
+DHCP services in Debian Edu to use the same LDAP objects for a given
+computer, to avoid the possibility of having a inconsistent state for
+a computer in LDAP (as in DHCP but no DNS entry or the other way
+around) and make it easier to add computers to LDAP.</p>
+
+<p>I've looked at how powerdns and dhcpd is using LDAP, and using this
+information finally found a solution that seem to work.</p>
+
+<p>The old setup required three LDAP objects for a given computer.
+One forward DNS entry, one reverse DNS entry and one DHCP entry.  If
+we switch powerdns to use its strict LDAP method (ldap-method=strict
+in pdns-debian-edu.conf), the forward and reverse DNS entries are
+merged into one while making it impossible to transfer the reverse map
+to a slave DNS server.</p>
+
+<p>If we also replace the object class used to get the DNS related
+attributes to one allowing these attributes to be combined with the
+dhcphost object class, we can merge the DNS and DHCP entries into one.
+I've written such object class in the dnsdomainaux.schema file (need
+proper OIDs, but that is a minor issue), and tested the setup.  It
+seem to work.</p>
+
+<p>With this test setup in place, we can get away with one LDAP object
+for both DNS and DHCP, and even the LTSP configuration I suggested in
+an earlier email.  The combined LDAP object will look something like
+this:</p>

 
 

- <li>During installation, the user name of the owner / primary user of
-   the laptop is requested and a local home directory is set up for
-   the user, with uid and gid information fetched from the LDAP
-   server.  This allow the user to work also when offline.  The
-   central home directory can be available in a subdirectory on
-   request, for example mounted via CIFS.  It could be mounted
-   automatically when a user log in while on the Debian Edu network,
-   and unmounted when the machine is taken away (network down,
-   hibernate, etc), it can be set up to do automatic mounting on
-   request (using autofs), or perhaps some GUI button on the desktop
-   can be used to access it when needed.  Perhaps it is enough to use
-   the fish protocol in KDE?</li>
-
- <li>Password checking is set up to use LDAP or Kerberos
-   authentication when the machine is on the Debian Edu network, and
-   to cache the password for offline checking when the machine unable
-   to reach the LDAP or Kerberos server.  This can be done using
-   <a href="http://www.padl.com/OSS/pam_ccreds.html">libpam-ccreds</a>
-   or the Fedora developed
-   <a href="https://fedoraproject.org/wiki/Features/SSSD">System
-   Security Services Daemon</a> packages.</li>
-
- <li>File synchronisation with the central home directory is set up
-   using a shared directory in both the local and the central home
-   directory, using unison.</li>
-
- <li>Printing should be set up to print to all printers broadcasting
-   their existence on the local network, and should then work out of
-   the box with CUPS.  For sites needing accurate printer quotas, some
-   system with Kerberos authentication or printing via ssh could be
-   implemented.</li>
-
- <li>For users that should have local root access to their laptop,
-   sudo should be used to allow this to the local user.</li>
-
- <li>It would be nice if user and group information from LDAP is
-   cached on the client, but given that there are entries for the
-   local user and primary group in /etc/, it should not be needed.</li>
+<blockquote><pre>
+  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+  cn: hostname
+  objectClass: dhcphost
+  objectclass: domainrelatedobject
+  objectclass: dnsdomainaux
+  associateddomain: hostname.intern
+  arecord: 10.11.12.13
+  dhcphwaddress: ethernet 00:00:00:00:00:00
+  dhcpstatements: fixed-address hostname
+  ldapconfigsound: Y
+</pre></blockquote>

 
 

-</ul>
+<p>The DNS server uses the associateddomain and arecord entries, while
+the DHCP server uses the dhcphwaddress and dhcpstatements entries
+before asking DNS to resolve the fixed-adddress.  LTSP will use
+dhcphwaddress or associateddomain and the ldapconfig* attributes.</p>

 
 

-<p>I believe all the pieces to implement this are in Debian/testing at
-the moment.  If we work quickly, we should be able to get this ready
-in time for the Squeeze release to freeze.  Some of the pieces need
-tweaking, like libpam-ccreds should get support for pam-auth-update
-(<a href="http://bugs.debian.org/566718">#566718</a>) and nslcd (or
-perhaps debian-edu-config) should get some integration code to stop
-its daemon when the LDAP server is unavailable to avoid long timeouts
-when disconnected from the net.  If we get Kerberos enabled, we need
-to make sure we avoid long timeouts there too.</p>
+<p>I am not yet sure if I can get the DHCP server to look for its
+dhcphost in a different location, to allow us to put the objects
+outside the "DHCP Config" subtree, but hope to figure out a way to do
+that.  If I can't figure out a way to do that, we can still get rid of
+the hosts subtree and move all its content into the DHCP Config tree
+(which probably should be renamed to be more related to the new
+content.  I suspect cn=dnsdhcp,ou=services or something like that
+might be a good place to put it.</p>

 
 <p>If you want to help out with implementing this for Debian Edu,
 please contact us on debian-edu@lists.debian.org.</p>
 
 <p>If you want to help out with implementing this for Debian Edu,
 please contact us on debian-edu@lists.debian.org.</p>


@@ -599,7 +1064,7 @@ please contact us on debian-edu@lists.debian.org.</p>
    
 
    
    
 
    

-   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 
+   Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>. 

   
   </div>
  </div>
   
   </div>
  </div>


@@ -629,6 +1094,12 @@ please contact us on debian-edu@lists.debian.org.</p>
 
 <li><a href="http://people.skolelinux.org/pere/blog/archive/2010/05/">May (9)</a></li>
 
 
 <li><a href="http://people.skolelinux.org/pere/blog/archive/2010/05/">May (9)</a></li>
 

+<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/06/">June (14)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/07/">July (12)</a></li>
+
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/08/">August (3)</a></li>
+

 </ul></li>
 
 <li>2009
 </ul></li>
 
 <li>2009


@@ -682,17 +1153,21 @@ please contact us on debian-edu@lists.debian.org.</p>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/aros">aros (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/aros">aros (1)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (20)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem (10)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (35)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (20)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (39)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (31)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (54)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (1)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (6)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (8)</a></li>
+
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/kart">kart (3)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/kart">kart (2)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap (8)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/lenker">lenker (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/lenker">lenker (1)</a></li>
 


@@ -700,23 +1175,23 @@ please contact us on debian-edu@lists.debian.org.</p>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/multimedia">multimedia (5)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/multimedia">multimedia (5)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (65)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (71)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (74)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (91)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (12)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (14)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern (11)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern (14)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/reprap">reprap (10)</a></li>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/rss">rss (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/reprap">reprap (10)</a></li>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/rss">rss (1)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (8)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (10)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (1)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (3)</a></li>

 
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/standard">standard (11)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/standard">standard (13)</a></li>

 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/stavekontroll">stavekontroll (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/stavekontroll">stavekontroll (1)</a></li>
 


@@ -724,7 +1199,7 @@ please contact us on debian-edu@lists.debian.org.</p>
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (1)</a></li>
 
 
  <li><a href="http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (1)</a></li>
 

- <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (6)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (7)</a></li>

 
 </ul>
 
 
 </ul>