-<p>Jeg ble glad da regjeringen
-<a href="http://www.digi.no/817635/her-er-statens-nye-it-standarder">annonserte</a>
-versjon 2 av
-<a href="http://www.regjeringen.no/upload/FAD/Vedlegg/IKT-politikk/Referansekatalogen_versjon2.pdf">statens
-referansekatalog over standarder</a>, men trist da jeg leste hva som
-faktisk var vedtatt etter
-<a href="http://www.regjeringen.no/nb/dep/fad/dok/horinger/horingsdokumenter/2009/horing---referansekatalog-versjon-2.html">høringen</a>.
-De fleste av de valgte åpne standardene er gode og vil bidra til at
-alle kan delta på like vilkår i å lage løsninger for staten, men
-noen av dem blokkerer for de som ikke har anledning til å benytte
-spesifikasjoner som krever betaling for bruk (såkalt
-royalty-betaling). Det gjelder spesifikt for H.264 for video og MP3
-for lyd. Så lenge bruk av disse var valgfritt mens Ogg Theora og Ogg
-Vorbis var påkrevd, kunne alle som ønsket å spille av video og lyd
-fra statens websider gjøre dette uten å måtte bruke programmer der
-betaling for bruk var nødvendig. Når det nå er gjort valgfritt for
-de statlige etatene å bruke enten H.264 eller Theora (og MP3 eler
-Vorbis), så vil en bli tvunget til å forholde seg til
-royalty-belastede standarder for å få tilgang til videoen og
-lyden.</p>
-
-<p>Det gjør meg veldig trist at regjeringen har forlatt prinsippet om
-at alle standarder som ble valgt til å være påkrevd i katalogen skulle
-være uten royalty-betaling. Jeg håper det ikke betyr at en har mistet
-all forståelse for hvilke prinsipper som må følges for å oppnå
-likeverdig konkurranse mellom aktørene i IT-bransjen. NUUG advarte
-mot dette i
-<a href="http://wiki.nuug.no/uttalelser/200901-standardkatalog-v2">sin
-høringsuttalelse</a>, men ser ut til å ha blitt ignorert.</p>
+<p>Today, the last piece of the puzzle for roaming laptops in Debian
+Edu finally entered the Debian archive. Today, the new
+<a href="http://packages.qa.debian.org/libp/libpam-mklocaluser.html">libpam-mklocaluser</a>
+package was accepted. Two days ago, two other pieces was accepted
+into unstable. The
+<a href="http://packages.qa.debian.org/p/pam-python.html">pam-python</a>
+package needed by libpam-mklocaluser, and the
+<a href="http://packages.qa.debian.org/s/sssd.html">sssd</a> package
+passed NEW on Monday. In addition, the
+<a href="http://packages.qa.debian.org/libp/libpam-ccreds.html">libpam-ccreds</a>
+package we need is in experimental (version 10-4) since Saturday, and
+hopefully will be moved to unstable soon.</p>
+
+<p>This collection of packages allow for two different setups for
+roaming laptops. The traditional setup would be using libpam-ccreds,
+nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
+which should work out of the box if the configuration changes proposed
+for nscd in <a href="http://bugs.debian.org/485282">BTS report
+#485282</a> is implemented. The alternative setup is to use sssd with
+libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
+care of the caching of passwords and group information.</p>
+
+<p>I have so far been unable to get sssd to work with the LDAP server
+at the University, but suspect the issue is some SSL/GnuTLS related
+problem with the server certificate. I plan to update the Debian
+package to version 1.2, which is scheduled for next week, and hope to
+find time to make sure the next release will include both the
+Debian/Ubuntu specific patches. Upstream is friendly and responsive,
+and I am sure we will find a good solution.</p>
+
+<p>The idea is to set up the roaming laptops to authenticate using
+LDAP or Kerberos and create a local user with home directory in /home/
+when a usre in LDAP logs in via KDM or GDM for the first time, and
+cache the password for offline checking, as well as caching group
+memberhips and other relevant LDAP information. The
+libpam-mklocaluser package was created to make sure the local home
+directory is in /home/, instead of /site/server/directory/ which would
+be the home directory if pam_mkhomedir was used. To avoid confusion
+with support requests and configuration, we do not want local laptops
+to have users in a path that is used for the same users home directory
+on the home directory servers.</p>
+
+<p>One annoying problem with gdm is that it do not show the PAM
+message passed to the user from libpam-mklocaluser when the local user
+is created. Instead gdm simply reject the login with some generic
+message. The message is shown in kdm, ssh and login, so I guess it is
+a bug in gdm. Have not investigated if there is some other message
+type that can be used instead to get gdm to also show the message.</p>
+
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
projects / homepage.git / blobdiff