-<p>There are two software projects that have had huge influence on the
-quality of free software, and I wanted to mention both in case someone
-do not yet know them.</p>
-
-<p>The first one is <a href="http://valgrind.org/">valgrind</a>, a
-tool to detect and expose errors in the memory handling of programs.
-It is easy to use, all one need to do is to run 'valgrind program',
-and it will report any problems on stdout. It is even better if the
-program include debug information. With debug information, it is able
-to report the source file name and line number where the problem
-occurs. It can report things like 'reading past memory block in file
-X line N, the memory block was allocated in file Y, line M', and
-'using uninitialised value in control logic'. This tool has made it
-trivial to investigate reproducible crash bugs in programs, and have
-reduced the number of this kind of bugs in free software a lot.
-
-<p>The second one is
-<a href="http://en.wikipedia.org/wiki/Coverity">Coverity</a> which is
-a source code checker. It is able to process the source of a program
-and find problems in the logic without running the program. It
-started out as the Stanford Checker and became well known when it was
-used to find bugs in the Linux kernel. It is now a commercial tool
-and the company behind it is running
-<a href="http://www.scan.coverity.com/">a community service</a> for the
-free software community, where a lot of free software projects get
-their source checked for free. Several thousand defects have been
-found and fixed so far. It can find errors like 'lock L taken in file
-X line N is never released if exiting in line M', or 'the code in file
-Y lines O to P can never be executed'. The projects included in the
-community service project have managed to get rid of a lot of
-reliability problems thanks to Coverity.</p>
-
-<p>I believe tools like this, that are able to automatically find
-errors in the source, are vital to improve the quality of software and
-make sure we can get rid of the crashing and failing software we are
-surrounded by today.</p>
+<p>Today, the last piece of the puzzle for roaming laptops in Debian
+Edu finally entered the Debian archive. Today, the new
+<a href="http://packages.qa.debian.org/libp/libpam-mklocaluser.html">libpam-mklocaluser</a>
+package was accepted. Two days ago, two other pieces was accepted
+into unstable. The
+<a href="http://packages.qa.debian.org/p/pam-python.html">pam-python</a>
+package needed by libpam-mklocaluser, and the
+<a href="http://packages.qa.debian.org/s/sssd.html">sssd</a> package
+passed NEW on Monday. In addition, the
+<a href="http://packages.qa.debian.org/libp/libpam-ccreds.html">libpam-ccreds</a>
+package we need is in experimental (version 10-4) since Saturday, and
+hopefully will be moved to unstable soon.</p>
+
+<p>This collection of packages allow for two different setups for
+roaming laptops. The traditional setup would be using libpam-ccreds,
+nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
+which should work out of the box if the configuration changes proposed
+for nscd in <a href="http://bugs.debian.org/485282">BTS report
+#485282</a> is implemented. The alternative setup is to use sssd with
+libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
+care of the caching of passwords and group information.</p>
+
+<p>I have so far been unable to get sssd to work with the LDAP server
+at the University, but suspect the issue is some SSL/GnuTLS related
+problem with the server certificate. I plan to update the Debian
+package to version 1.2, which is scheduled for next week, and hope to
+find time to make sure the next release will include both the
+Debian/Ubuntu specific patches. Upstream is friendly and responsive,
+and I am sure we will find a good solution.</p>
+
+<p>The idea is to set up the roaming laptops to authenticate using
+LDAP or Kerberos and create a local user with home directory in /home/
+when a usre in LDAP logs in via KDM or GDM for the first time, and
+cache the password for offline checking, as well as caching group
+memberhips and other relevant LDAP information. The
+libpam-mklocaluser package was created to make sure the local home
+directory is in /home/, instead of /site/server/directory/ which would
+be the home directory if pam_mkhomedir was used. To avoid confusion
+with support requests and configuration, we do not want local laptops
+to have users in a path that is used for the same users home directory
+on the home directory servers.</p>
+
+<p>One annoying problem with gdm is that it do not show the PAM
+message passed to the user from libpam-mklocaluser when the local user
+is created. Instead gdm simply reject the login with some generic
+message. The message is shown in kdm, ssh and login, so I guess it is
+a bug in gdm. Have not investigated if there is some other message
+type that can be used instead to get gdm to also show the message.</p>
+
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
projects / homepage.git / blobdiff