X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/525c8f4d5fe33e5fec2c764cf123c4b2fffeba52..a0a971f55f61855eb0b27b68176b325f2a65995f:/blog/archive/2010/08/index.html diff --git a/blog/archive/2010/08/index.html b/blog/archive/2010/08/index.html index 4596d5a7d4..ddb7124b2b 100644 --- a/blog/archive/2010/08/index.html +++ b/blog/archive/2010/08/index.html @@ -23,48 +23,26 @@
- Debian Edu roaming workstation - at the university of Oslo + Forslag i stortinget om å stoppe elektronisk stemmegiving i Norge
- 3rd August 2010 + 31st August 2010
-

The new roaming workstation profile in Debian Edu/Squeeze is fairly -similar to the laptop setup am I working on using Ubuntu for the -University of Oslo, and just for the heck of it, I tested today how -hard it would be to integrate that profile into the university -infrastructure. In this case, it is the university LDAP server, -Active Directory Kerberos server and SMB mounting from the Netapp file -servers.

- -

I was pleasantly surprised that the only three files needed to be -changed (/etc/sssd/sssd.conf, /etc/ldap.conf and -/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added -(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working. -Most of the changes were to get the client to use the university LDAP -for NSS and Kerberos server for PAM, but one was to change a hard -coded DNS domain name in the mklocaluser hook from .intern to -.uio.no.

- -

This testing was so encouraging, that I went ahead and adjusted the -Debian Edu scripts and setup in subversion to centralise the roaming -workstation setup a bit more and avoid the hardcoded DNS domain name, -so that when I test this tomorrow, I expect to get away with modifying -only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the -university servers.

+

Ble tipset i dag om at et forslag om å stoppe forsøkene med +elektronisk stemmegiving utenfor valglokaler er +til +behandling i Stortinget. +Forslaget +er fremmet av Erna Solberg, Michael Tetzschner og Trond Helleland.

-

My goal is to get the clients to have no hardcoded settings and -fetch all their initial setup during installation and first boot, to -allow them to be inserted also into environments where the default -setup in Debian Edu has been changed or as with the university, where -the environment is different but provides the protocols Debian Edu -uses.

+

Håper det får flertall.

- Tags: debian edu, english, nuug. + Tags: norsk, nuug, sikkerhet, valg.
@@ -73,63 +51,35 @@ uses.

- 7th August 2010 + 30th August 2010
-

A few days ago, I -tried -to install a Roaming workation profile from Debian Edu/Squeeze -while on the university network here at the University of Oslo, and -noticed how much had to change to get it operational using the -university infrastructure. It was fairly easy, but it occured to me -that Debian Edu would improve a lot if I could get the client to -connect without any changes at all, and thus let the client configure -itself during installation and first boot to use the infrastructure -around it. Now I am a huge step further along that road.

- -

With our current squeeze-test packages, I can select the roaming -workstation profile and get a working laptop connecting to the -university LDAP server for user and group and our active directory -servers for Kerberos authentication. All this without any -configuration at all during installation. My users home directory got -a bookmark in the KDE menu to mount it via SMB, with the correct URL. -In short, openldap and sssd is correctly configured. In addition to -this, the client look for http://wpad/wpad.dat to configure a web -proxy, and when it fail to find it no proxy settings are stored in -/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is -configured to look for the same wpad configuration and also do not use -a proxy when at the university network. If the machine is moved to a -network with such wpad setup, it would automatically use it when DHCP -gave it a IP address.

- -

The LDAP server is located using DNS, by first looking for the DNS -entry ldap.$domain. If this do not exist, it look for the -_ldap._tcp.$domain SRV records and use the first one as the LDAP -server. Next, it connects to the LDAP server and search all -namingContexts entries for posixAccount or posixGroup objects, and -pick the first one as the LDAP base. For Kerberos, a similar -algorithm is used to locate the LDAP server, and the realm is the -uppercase version of $domain.

+

Just got an email from Tobias Gruetzmacher as a followup on my +previous +post about sshfs. He reported another problem with sshfs. It +fail to handle hard links properly. A simple way to spot this is to +look at the . and .. entries in the directory tree. These should have +a link count >1, but on sshfs the count is 1. I just tested to see +what happen when trying to hardlink, and this fail as well:

-

So, what is not working, you might ask. SMB mounting my home -directory do not work. No idea why, but suspected the incorrect -Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be -the cause. These are not properly configured during installation, and -had to be hand-edited to get the correct Kerberos realm and server, -but SMB mounting still do not work. :(

+
+% ln foo bar
+ln: creating hard link `bar' => `foo': Function not implemented
+%
+
-

With this automatic configuration in place, I expect a Debian Edu -roaming profile installation would be able to automatically detect and -connect to any site using LDAP and Kerberos for NSS directory and PAM -authentication. It should also work out of the box in a Active -Directory environment providing posixAccount and posixGroup objects -with UID and GID values.

+

I have not yet found time to implement a test for this in my file +system test code, but believe having working hard links is useful to +avoid surprised unix programs. Not as useful as working file locking +and symlinks, which are required to get a working desktop, but useful +nevertheless. :)

-

If you want to help out with implementing these things for Debian -Edu, please contact us on debian-edu@lists.debian.org.

+

The latest version of the file system test code is available via +git from +http://github.com/gebi/fs-test

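Review bot: the `ln` transcript in the 30th August post ends with "Function not implemented", which is the strerror() text for ENOSYS, so the hard-link test the post says is still missing from fs-test could simply call link() on a freshly created file and print strerror(errno) on failure, plus stat(".") and flag st_nlink < 2; that would cover both symptoms the post describes (the `.`/`..` link count of 1 and the failing `ln`). Minor wording in the same paragraph: "what happen when trying to hardlink, and this fail as well" should read "what happens ... and this fails as well", and "avoid surprised unix programs" reads better as "avoid surprising unix programs".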
@@ -144,211 +94,160 @@ Edu, please contact us on debian-edu@lists.debian.org.

- 8th August 2010 + 28th August 2010
-

A few years ago, I was involved in a project planning to use -Windows file servers as home directory servers for Debian -Edu/Skolelinux machines. This was thought to be no problem, as the -access would be through the SMB network file system protocol, and we -knew other sites used SMB with unix and samba as the file server to -mount home directories without any problems. But, after months of -struggling, we had to conclude that our goal was impossible.

- -

The reason is simply that while SMB can be used for home -directories when the file server is Samba running on Unix, this only -work because of Samba have some extensions and the fact that the -underlying file system is a unix file system. When using a Windows -file server, the underlying file system do not have POSIX semantics, -and several programs will fail if the users home directory where they -want to store their configuration lack POSIX semantics.

+

Jeg skrev for et halvt år siden hvordan +samfunnet +kaster bort ressurser på sikkerhetstiltak som ikke fungerer. Kom +nettopp over en +historie +fra en pilot fra USA som kommenterer det samme. Jeg mistenker det +kun er uvitenhet og autoritetstro som gjør at så få protesterer. Har +veldig sans for piloten omtalt i Aftenposten 2007-10-23, +og skulle ønske flere rettet oppmerksomhet mot problemet. Det gir +ikke meg trygghetsfølelse på flyplassene når jeg ser at +flyplassadministrasjonen kaster bort folk, penger og tid på tull i +stedet for ting som bidrar til reell økning av sikkerheten. Det +forteller meg jo at vurderingsevnen til de som burde bidra til økt +sikkerhet er svært sviktende, noe som ikke taler godt for de andre +tiltakene.

-

As part of this work, I wrote a small C program I want to share -with you all, to replicate a few of the problematic applications (like -OpenOffice.org and GCompris) and see if the file system was working as -it should. If you find yourself in spooky file system land, it might -help you find your way out again. This is the fs-test.c source:

+

Mon tro hva som skjer hvis det fantes en enkel brosjyre å skrive ut +fra Internet som forklarte hva som er galt med sikkerhetsopplegget på +flyplassene, og folk skrev ut og la en bunke på flyplassene når de +passerte. Kanskje det ville fått flere til å få øynene opp for +problemet.

-
-/*
- * Some tests to check the file system sematics.  Used to verify that
- * CIFS from a windows server do not work properly as a linux home
- * directory.
- * License: GPL v2 or later
- * 
- * needs libsqlite3-dev and build-essential installed
- * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
-*/
+

Personlig synes jeg flyopplevelsen er blitt så avskyelig at jeg +forsøker å klare meg med tog, bil og båt for å slippe ubehaget. Det +er dog noe vanskelig i det langstrakte Norge og for å kunne besøke de +delene av verden jeg ønsker å nå. Mistenker at flere har det slik, og +at dette går ut over inntjeningen til flyselskapene. Det er antagelig +en god ting sett fra et miljøperspektiv, men det er en annen sak.

-#define _FILE_OFFSET_BITS 64 -#define _LARGEFILE_SOURCE 1 -#define _LARGEFILE64_SOURCE 1 +
+
+ + + Tags: norsk, nuug, personvern, sikkerhet. + + +
+
+
+ +
+ +
+ 26th August 2010 +
+
+

Denne høsten skal endelig alle Osloskolene få mulighet til å bruke +Skolelinux. Ny IT-løsning +har vært rullet ut i noen måneder nå, og så vidt jeg fikk vite før +sommeren skulle alle skoler ha nytt opplegg på plass før oppstart nå i +høst. På alle skolene skal en kunne velge ved installasjon om en skal +ha Windows eller Skolelinux på maskinene, og en kan i tillegg +PXE-boote maskinene over nett som tynne klienter eller diskløse +arbeidsstasjoner. Jeg er spent på hvor mange skoler som velger å ta i +bruk Skolelinux, og gleder meg til å se hvordan dette utvikler seg. +Løsningen leveres av +Logica med +Skolelinux Drift AS som +underleverandør, og jeg har vært involvert i utviklingen av løsningen +via Skolelinux Drift AS siden prosjektet starter. Jeg synes det er +fantastisk at Skolelinux er kommet så langt siden vi startet i 2001 at +alle elevene i Osloskolene nå skal få mulighet til å bruke +løsningen. Jeg håper de vil sette pris på alle de +fantastiske +brukerprogrammene som er tilgjengelig i Skolelinux.

-#define _GNU_SOURCE /* for asprintf() */ +
+
+ + + Tags: debian edu, norsk. + + +
+
+
+ +
+ +
+ 26th August 2010 +
+
+

My file system sematics program +presented +a few days ago is very useful to verify that a file system can +work as a unix home directory,and today I had to extend it a bit. I'm +looking into alternatives for home directory access here at the +University of Oslo, and one of the options is sshfs. My friend +Finn-Arne mentioned a while back that they had used sshfs with Debian +Edu, but stopped because of problems. I asked today what the problems +where, and he mentioned that sshfs failed to handle umask properly. +Trying to detect the problem I wrote this addition to my fs testing +script:

-#include <errno.h> -#include <fcntl.h> -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <sys/file.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -#ifdef TEST_SQLITE -/* - * Test sqlite open, as done by gcompris require the libsqlite3-dev - * package and linking with -lsqlite3. A more low level test is - * below. - * See also <URL: http://www.sqlite.org./faq.html#q5 >. - */ -#include <sqlite3.h> -#define CREATE_TABLE_USERS \ - "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); " -int test_sqlite_open(void) { - char *zErrMsg; - char *name = "testsqlite.db"; - sqlite3 *db=NULL; - unlink(name); - int rc = sqlite3_open(name, &db); - if( rc ){ - printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db)); - sqlite3_close(db); - return -1; - } - - /* create tables */ - rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg); - if( rc != SQLITE_OK ){ - printf("error: sqlite table create failed: %s\n", zErrMsg); - sqlite3_close(db); - return -1; +
+mode_t touch_get_mode(const char *name, mode_t mode) {
+  mode_t retval = 0;
+  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, mode);
+  if (-1 != fd) {
+    unlink(name);
+    struct stat statbuf;
+    if (-1 != fstat(fd, &statbuf)) {
+      retval = statbuf.st_mode & 0x1ff;
+    }
+    close(fd);
   }
-  printf("info: sqlite worked\n");
-  sqlite3_close(db);
-  return 0;
+  return retval;
 }
-#endif /* TEST_SQLITE */
-
-/*
- * Demonstrate locking issue found in gcompris using sqlite3.  This
- * work with ext3, but not with cifs server on Windows 2003.  This is
- * done in the sqlite3 library.
- * See also
- * <URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
- * POSIX specification
- * <URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
- */
-int test_gcompris_locking(void) {
-  struct flock fl;
-  char *name = "testsqlite.db";
-  unlink(name);
-  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
-  printf("info: testing fcntl locking\n");
-
-  fl.l_whence = SEEK_SET;
-  fl.l_pid    = getpid();
-  printf("  Read-locking 1 byte from 1073741824");
-  fl.l_start  = 1073741824;
-  fl.l_len    = 1;
-  fl.l_type   = F_RDLCK;
-  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
-
-  printf("  Read-locking 510 byte from 1073741826");
-  fl.l_start  = 1073741826;
-  fl.l_len    = 510;
-  fl.l_type   = F_RDLCK;
-  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
-
-  printf("  Unlocking 1 byte from 1073741824");
-  fl.l_start  = 1073741824;
-  fl.l_len    = 1;
-  fl.l_type   = F_UNLCK;
-  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
-
-  printf("  Write-locking 1 byte from 1073741824");
-  fl.l_start  = 1073741824;
-  fl.l_len    = 1;
-  fl.l_type   = F_WRLCK;
-  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
-
-  printf("  Write-locking 510 byte from 1073741826");
-  fl.l_start  = 1073741826;
-  fl.l_len    = 510;
-  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
-
-  printf("  Unlocking 2 byte from 1073741824");
-  fl.l_start  = 1073741824;
-  fl.l_len    = 2;
-  fl.l_type   = F_UNLCK;
-  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
 
-  close(fd);
-  return 0;
-}
+/* Try to detect problem discovered using sshfs */
+int test_umask(void) {
+  printf("info: testing umask effect on file creation\n");
 
-/*
- * Test if permissions of freshly created directories allow entries
- * below them.  This was a problem with OpenOffice.org and gcompris.
- * Mounting with option 'sync' seem to solve this problem while
- * slowing down file operations.
- */
-int test_subdirectory_creation(void) {
-#define LEVELS 5
-  char *path = strdup("test");
-  char *dirs[LEVELS];
-  int level;
-  printf("info: testing subdirectory creation\n");
-  for (level = 0; level < LEVELS; level++) {
-    char *newpath = NULL;
-    if (-1 == mkdir(path, 0777)) {
-      printf("  error: Unable to create directory '%s': %s\n",
-	     path, strerror(errno));
-      break;
-    }
-    asprintf(&newpath, "%s/%s", path, "test");
-    free(path);
-    path = newpath;
+  mode_t orig_umask = umask(000);
+  mode_t newmode;
+  if (0666 != (newmode = touch_get_mode("foobar", 0666))) {
+    printf("  error: Wrong file mode %o when creating using mode 666 and umask 000\n",
+           newmode);
+  }
+  umask(007);
+  if (0660 != (newmode = touch_get_mode("foobar", 0666))) {
+    printf("  error: Wrong file mode %o when creating using mode 666 and umask 007\n",
+           newmode);
   }
-  return 0;
-}
 
-/*
- * Test if symlinks can be created.  This was a problem detected with
- * KDE.
- */
-int test_symlinks(void) {
-  printf("info: testing symlink creation\n");
-  unlink("symlink");
-  if (-1 == symlink("file", "symlink"))
-    printf("  error: Unable to create symlink\n");
+  umask (orig_umask);
   return 0;
 }
 
 int main(int argc, char **argv) {
-  printf("Testing POSIX/Unix sematics on file system\n");
-  test_symlinks();
-  test_subdirectory_creation();
-#ifdef TEST_SQLITE
-  test_sqlite_open();
-#endif /* TEST_SQLITE */
-  test_gcompris_locking();
+  [...]
+  test_umask();
   return 0;
 }
 
-

When everything is working, it should print something like -this:

+

Sure enough. On NFS to a netapp, I get this result:

 Testing POSIX/Unix sematics on file system
 info: testing symlink creation
 info: testing subdirectory creation
-info: sqlite worked
 info: testing fcntl locking
   Read-locking 1 byte from 1073741824
   Read-locking 510 byte from 1073741826
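Review bot: touch_get_mode() in the 26th August post opens "foobar" with `O_RDWR|O_CREAT|O_LARGEFILE` but without O_EXCL and without unlinking first, so if a file of that name already exists in the working directory when test_umask() starts, open() returns the existing file and fstat() reports its old mode rather than the mode the creation applied, which makes the first umask check meaningless; either unlink(name) before the open() or add O_EXCL (the unlink() after open() only helps the second call). Two smaller points in the same block: the function returns 0 both when open()/fstat() fail and for a genuine mode 0, so a failed open() is reported as "Wrong file mode 0" instead of the real error, and printing strerror(errno) in that path would avoid the confusion; and `statbuf.st_mode & 0x1ff` is the only hex permission constant in a file that otherwise uses octal (0666, 0660, 007), so 0777 would be easier to read against the `%o` output. In the prose, "I asked today what the problems where" should be "were", and "home directory,and today" is missing a space.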
@@ -356,19 +255,34 @@ info: testing fcntl locking
   Write-locking 1 byte from 1073741824
   Write-locking 510 byte from 1073741826
   Unlocking 2 byte from 1073741824
+info: testing umask effect on file creation
 
-

I do not remember the exact details of the problems we saw, but one -of them was with locking, where if I remember correctly, POSIX allow a -read-only lock to be upgraded to a read-write lock without unlocking -the read-only lock (while Windows do not). Another was a bug in the -CIFS/SMB client implementation in the Linux kernel where directory -meta information would be wrong for a fraction of a second, making -OpenOffice.org fail to create its deep directory tree because it was -not allowed to create files in its freshly created directory.

+

When mounting the same directory using sshfs, I get this +result:

-

Anyway, here is a nice tool for your tool box, might you never need -it. :)

+
+Testing POSIX/Unix sematics on file system
+info: testing symlink creation
+info: testing subdirectory creation
+info: testing fcntl locking
+  Read-locking 1 byte from 1073741824
+  Read-locking 510 byte from 1073741826
+  Unlocking 1 byte from 1073741824
+  Write-locking 1 byte from 1073741824
+  Write-locking 510 byte from 1073741826
+  Unlocking 2 byte from 1073741824
+info: testing umask effect on file creation
+  error: Wrong file mode 644 when creating using mode 666 and umask 000
+  error: Wrong file mode 640 when creating using mode 666 and umask 007
+
+ +

So, I can conclude that sshfs is better than smb to a Netapp or a +Windows server, but not good enough to be used as a home +directory.

+ +

Update 2010-08-26: Reported the issue in +BTS report #594498

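Review bot: the two failing modes in the sshfs output, 644 for mode 666 with umask 000 and 640 for mode 666 with umask 007, are both exactly what you get if a second umask of 022 is applied on top of the client's (0666 & ~022 = 0644, 0660 & ~022 = 0640), so the symptom looks like the remote end imposing its own umask rather than the client umask being ignored; that observation is worth stating in the BTS report referenced in the 2010-08-26 update, since it narrows where the fix belongs. The removal of `info: sqlite worked` from the NFS reference output keeps it consistent with the build used for the sshfs run, so the two blocks remain comparable.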
Update 2010-08-27: Michael Gebetsroither report that he found the script so useful that he created a GIT repository and stored it in @@ -387,43 +301,227 @@ script so useful that he created a GIT repository and stored it in

- 9th August 2010 + 23rd August 2010
-

As reported earlier, the last few days I have looked at how Debian -Edu clients are configured, and tried to get rid of all hardcoded -configuration settings on the clients. I believe the work to be -mostly done, and the clients seem to work just fine with dynamically -generated configuration.

+

I Norge pågår en prosess for å +innføre elektronisk +stemmegiving ved kommune- og stortingsvalg. Dette skal +introduseres i 2011. Det er all grunn til å tro at valg i Norge ikke +vil være til å stole på hvis dette blir gjennomført. Da det hele var +oppe til høring i 2006 forfattet jeg +en +høringsuttalelse fra NUUG (og EFN som hengte seg på) som skisserte +hvilke punkter som må oppfylles for at en skal kunne stole på et valg, +og elektronisk stemmegiving mangler flere av disse. Elektronisk +stemmegiving er for alle praktiske formål å putte ens stemme i en sort +boks under andres kontroll, og satse på at de som har kontroll med +boksen er til å stole på - uten at en har mulighet til å verifisere +dette selv. Det er ikke slik en gjennomfører demokratiske valg.

-

What is the point, you might ask? The point is to allow a Debian -Edu desktop to integrate into an existing network infrastructure -without any manual configuration.

+

Da problemet er fundamentalt med hvordan elektronisk stemmegiving +må fungere for at også ikke-krypografer skal kunne delta, har det vært +mange rapporter om hvordan elektronisk stemmegiving har sviktet i land +etter land. En +liten +samling referanser finnes på NUUGs wiki. Den siste er fra India, +der valgkomisjonen har valgt +å +pusse politiet på en forsker som har dokumentert svakheter i +valgsystemet.

-

This is what happens when installing a Debian Edu client here at -the University of Oslo using PXE. With the PXE installation, I am -asked for language (Norwegian Bokmål), locality (Norway) and keyboard -layout (no-latin1), Debian Edu profile (Roaming Workstation), if I -accept to reformat the hard drive (yes), if I want to submit info to -popcon.debian.org (no) and root password (secret). After answering -these questions, the installer goes ahead and does its thing, and -after around 50 minutes it is done. I press enter to finish the -installation, and the machine reboots into KDE. When the machine is -ready and kdm asks for login information, I enter my university -username and password, am told by kdm that a local home directory has -been created and that I must log in again, and finally log in with the -same username and password to the KDE 4.4 desktop. At no point during -this process did it ask for university specific settings, and all the -required configuration was dynamically detected using information -fetched via DHCP and DNS. The roaming workstation is now ready for -use.

+

Her i Norge har en valgt en annen tilnærming, der en forsøker seg +med teknobabbel for å få befolkningen til å tro at dette skal bli +sikkert. Husk, elektronisk stemmegiving underminerer de demokratiske +valgene i Norge, og bør ikke innføres.

-

How was this done, you might wonder? First of all, here is the -list of things that need to be configured on the client to get it -working properly out of the box:

+

Den offentlige diskusjonen blir litt vanskelig av at media har +valgt å kalle dette "evalg", som kan sies å både gjelde elektronisk +opptelling av valget som Norge har gjort siden 60-tallet og som er en +svært god ide, og elektronisk opptelling som er en svært dårlig ide. +Diskusjonen gir ikke mening hvis en skal diskutere om en er for eller +mot "evalg", og jeg forsøker derfor å være klar på at jeg snakker om +elektronisk stemmegiving og unngå begrepet "evalg".

+ +
+
+ + + Tags: norsk, nuug, sikkerhet, valg. + + +
+
+
+ +
+ +
+ 21st August 2010 +
+
+

I dag fikk jeg endelig tittet litt på mine nyinnkjøpte roboter, og +har brukt noen timer til å google etter interessante referanser og +aktuell kildekode for bruk på Linux. Det mest lovende så langt er +ispykee, som har en +BSD-lisensiert linux-daemon som står som mellomledd mellom roboter på +lokalnettet og en sentral tjeneste der en iPhone kan koble seg opp for +å fjernstyre roboten. Linux-daemonen implementerer deler av +protokollen som roboten forstår. Etter å ha knotet litt med å oppnå +kontakt med roboten (den oppretter et eget ad-hoc wifi-nett, så jeg +måtte gå av mitt vanlige nett for å få kontakt), og kommet frem til at +den lytter på IP-port 9000 og 9001, gikk jeg i gang med å finne ut +hvordan jeg kunne snakke med roboten vha. disse portene. Robotbiten +av protokollen er publisert av produsenten med GPL-lisens, slik at det +er mulig å se hvordan protokollen fungerer. Det finnes en java-klient +for Android som så ganske snasen ut, men fant ingen kildekode for +denne. Derimot hadde iphone-løsningen kildekode, så jeg tok +utgangspunkt i den.

+ +

Daemonen ville i utgangspunktet forsøke å kontakte den sentrale +tjenesten som iphone-programmet kobler seg til. Jeg skrev dette om +til i stedet å sette opp en nettverkstjeneste på min lokale maskin, +som jeg kan koble meg opp til med telnet og gi kommandoer til roboten +(act, forward, right, left, etc). Det involverte i praksis å bytte ut +socket()/connect() med socket()/bind()/listen()/accept() for å gjøre +klienten om til en tjener.

+ +

Mens jeg har forsøkt å få roboten til å bevege seg har min samboer +skrudd sammen resten av roboten for å få montert kamera og plastpynten +(armer, plastfiber for lys). Nå er det hele montert, og roboten er +klar til bruk. Må få flyttet den over til mitt vanlige trådløsnett +før det blir praktisk, men de bitene av protokollen er ikke +implementert i ispykee-daemonen, så der må jeg enten få tak i en mac +eller en windows-maskin, eller implementere det selv.

+ +

Vi var tre som kjøpte slike roboter, og vi har blitt enige om å +samle notater og referanser på NUUGs wiki. Ta en titt +der hvis du er nysgjerrig.

+ +
+
+ + + Tags: norsk, nuug, robot. + + +
+
+
+ +
+ +
+ 18th August 2010 +
+
+

Jeg kjøpte nettopp to +Spykee-roboter, for test og +leking. Kjøpte to da det var så billige, og gir meg mulighet til å +eksperimentere uten å være veldig redd for å ødelegge alt ved å bytte +ut firmware og slikt. Oppdaget at lekebutikken på Bryn senter hadde +en liten stabel på lager som de ikke hadde klart å selge ut etter +fjorårets juleinnkjøp, og var villig til å selge for en femtedel av +vanlig pris. Jeg, Ronny og Jarle har skaffet oss restbeholdningen, og +det blir morsomt å se hva vi får ut av dette.

+ +

Roboten har belter styrt av to motorer, kamera, høytaler, mikrofon +og wifi-tilkobling. Det hele styrt av en GPL-lisensiert databoks som +jeg mistenker kjører linux. Firmware-kildekoden ble visst publisert i +mai. Eneste utfordringen er at kontroller-programvaren kun finnes til +Windows, men det må en kunne jobbe seg rundt når vi har kildekoden til +firmwaren. :)

+ + + +
+
+ + + Tags: norsk, nuug, robot. + + +
+
+
+ +
+ +
+ 15th August 2010 +
+
+

I found the notes from Rob Weir on +how +to crush dissent matching my own thoughts on the matter quite +well. Highly recommended for those wondering which road our society +should go down. In my view we have been heading the wrong way for a +long time.

+ +
+
+ + + Tags: english, lenker, nuug, personvern, sikkerhet. + + +
+
+
+ +
+ +
+ 9th August 2010 +
+
+

As reported earlier, the last few days I have looked at how Debian +Edu clients are configured, and tried to get rid of all hardcoded +configuration settings on the clients. I believe the work to be +mostly done, and the clients seem to work just fine with dynamically +generated configuration.

+ +

What is the point, you might ask? The point is to allow a Debian +Edu desktop to integrate into an existing network infrastructure +without any manual configuration.

+ +

This is what happens when installing a Debian Edu client here at +the University of Oslo using PXE. With the PXE installation, I am +asked for language (Norwegian Bokmål), locality (Norway) and keyboard +layout (no-latin1), Debian Edu profile (Roaming Workstation), if I +accept to reformat the hard drive (yes), if I want to submit info to +popcon.debian.org (no) and root password (secret). After answering +these questions, the installer goes ahead and does its thing, and +after around 50 minutes it is done. I press enter to finish the +installation, and the machine reboots into KDE. When the machine is +ready and kdm asks for login information, I enter my university +username and password, am told by kdm that a local home directory has +been created and that I must log in again, and finally log in with the +same username and password to the KDE 4.4 desktop. At no point during +this process did it ask for university specific settings, and all the +required configuration was dynamically detected using information +fetched via DHCP and DNS. The roaming workstation is now ready for +use.

+ +

How was this done, you might wonder? First of all, here is the +list of things that need to be configured on the client to get it +working properly out of the box:

  • IP address/netmask and DNS server.
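Review bot: in the 23rd August post, the sentence explaining why "evalg" muddles the debate lists "elektronisk opptelling" twice, once as "en svært god ide" and once as "en svært dårlig ide"; the second occurrence should be "elektronisk stemmegiving", which is the distinction the rest of the paragraph (and the post's last sentence) draws, and as written it contradicts itself. Also in that post, "ikke-krypografer" should be "ikke-kryptografer", and in the 26th August Osloskolene post "siden prosjektet starter" should be "siden prosjektet startet".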
  • @@ -523,273 +621,211 @@ implement it for Debian Edu. :)

    -
    - 15th August 2010 -
    -
    -

    I found the notes from Rob Weir on -how -to crush dissent matching my own thoughts on the matter quite -well. Highly recommended for those wondering which road our society -should go down. In my view we have been heading the wrong way for a -long time.

    - -
    -
    - - - Tags: english, lenker, nuug, personvern, sikkerhet. - - -
    -
    -
    - -
    -
    - 18th August 2010 + 8th August 2010
    -

    Jeg kjøpte nettopp to -Spykee-roboter, for test og -leking. Kjøpte to da det var så billige, og gir meg mulighet til å -eksperimentere uten å være veldig redd for å ødelegge alt ved å bytte -ut firmware og slikt. Oppdaget at lekebutikken på Bryn senter hadde -en liten stabel på lager som de ikke hadde klart å selge ut etter -fjorårets juleinnkjøp, og var villig til å selge for en femtedel av -vanlig pris. Jeg, Ronny og Jarle har skaffet oss restbeholdningen, og -det blir morsomt å se hva vi får ut av dette.

    +

    A few years ago, I was involved in a project planning to use +Windows file servers as home directory servers for Debian +Edu/Skolelinux machines. This was thought to be no problem, as the +access would be through the SMB network file system protocol, and we +knew other sites used SMB with unix and samba as the file server to +mount home directories without any problems. But, after months of +struggling, we had to conclude that our goal was impossible.

    -

    Roboten har belter styrt av to motorer, kamera, høytaler, mikrofon -og wifi-tilkobling. Det hele styrt av en GPL-lisensiert databoks som -jeg mistenker kjører linux. Firmware-kildekoden ble visst publisert i -mai. Eneste utfordringen er at kontroller-programvaren kun finnes til -Windows, men det må en kunne jobbe seg rundt når vi har kildekoden til -firmwaren. :)

    +

    The reason is simply that while SMB can be used for home +directories when the file server is Samba running on Unix, this only +work because of Samba have some extensions and the fact that the +underlying file system is a unix file system. When using a Windows +file server, the underlying file system do not have POSIX semantics, +and several programs will fail if the users home directory where they +want to store their configuration lack POSIX semantics.

    - +

    As part of this work, I wrote a small C program I want to share +with you all, to replicate a few of the problematic applications (like +OpenOffice.org and GCompris) and see if the file system was working as +it should. If you find yourself in spooky file system land, it might +help you find your way out again. This is the fs-test.c source:

    -
    -
    - - - Tags: norsk, nuug, robot. - - -
    -
    -
    - -
    - -
    - 21st August 2010 -
    -
    -

    I dag fikk jeg endelig tittet litt på mine nyinnkjøpte roboter, og -har brukt noen timer til å google etter interessante referanser og -aktuell kildekode for bruk på Linux. Det mest lovende så langt er -ispykee, som har en -BSD-lisensiert linux-daemon som står som mellomledd mellom roboter på -lokalnettet og en sentral tjeneste der en iPhone kan koble seg opp for -å fjernstyre roboten. Linux-daemonen implementerer deler av -protokollen som roboten forstår. Etter å ha knotet litt med å oppnå -kontakt med roboten (den oppretter et eget ad-hoc wifi-nett, så jeg -måtte gå av mitt vanlige nett for å få kontakt), og kommet frem til at -den lytter på IP-port 9000 og 9001, gikk jeg i gang med å finne ut -hvordan jeg kunne snakke med roboten vha. disse portene. Robotbiten -av protokollen er publisert av produsenten med GPL-lisens, slik at det -er mulig å se hvordan protokollen fungerer. Det finnes en java-klient -for Android som så ganske snasen ut, men fant ingen kildekode for -denne. Derimot hadde iphone-løsningen kildekode, så jeg tok -utgangspunkt i den.

    +
    +/*
    + * Some tests to check the file system sematics.  Used to verify that
    + * CIFS from a windows server do not work properly as a linux home
    + * directory.
    + * License: GPL v2 or later
    + * 
    + * needs libsqlite3-dev and build-essential installed
    + * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
    +*/
     
    -

    Daemonen ville i utgangspunktet forsøke å kontakte den sentrale -tjenesten som iphone-programmet kobler seg til. Jeg skrev dette om -til i stedet å sette opp en nettverkstjeneste på min lokale maskin, -som jeg kan koble meg opp til med telnet og gi kommandoer til roboten -(act, forward, right, left, etc). Det involverte i praksis å bytte ut -socket()/connect() med socket()/bind()/listen()/accept() for å gjøre -klienten om til en tjener.

    +#define _FILE_OFFSET_BITS 64 +#define _LARGEFILE_SOURCE 1 +#define _LARGEFILE64_SOURCE 1 -

    Mens jeg har forsøkt å få roboten til å bevege seg har min samboer -skrudd sammen resten av roboten for å få montert kamera og plastpynten -(armer, plastfiber for lys). Nå er det hele montert, og roboten er -klar til bruk. Må få flyttet den over til mitt vanlige trådløsnett -før det blir praktisk, men de bitene av protokollen er ikke -implementert i ispykee-daemonen, så der må jeg enten få tak i en mac -eller en windows-maskin, eller implementere det selv.

    +#define _GNU_SOURCE /* for asprintf() */ -

    Vi var tre som kjøpte slike roboter, og vi har blitt enige om å -samle notater og referanser på NUUGs wiki. Ta en titt -der hvis du er nysgjerrig.

    +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <sys/file.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> -
    -
    - - - Tags: norsk, nuug, robot. - - -
    -
    -
    - -
    - -
    - 23rd August 2010 -
    -
    -

    I Norge pågår en prosess for å -innføre elektronisk -stemmegiving ved kommune- og stortingsvalg. Dette skal -introduseres i 2011. Det er all grunn til å tro at valg i Norge ikke -vil være til å stole på hvis dette blir gjennomført. Da det hele var -oppe til høring i 2006 forfattet jeg -en -høringsuttalelse fra NUUG (og EFN som hengte seg på) som skisserte -hvilke punkter som må oppfylles for at en skal kunne stole på et valg, -og elektronisk stemmegiving mangler flere av disse. Elektronisk -stemmegiving er for alle praktiske formål å putte ens stemme i en sort -boks under andres kontroll, og satse på at de som har kontroll med -boksen er til å stole på - uten at en har mulighet til å verifisere -dette selv. Det er ikke slik en gjennomfører demokratiske valg.

    +#ifdef TEST_SQLITE +/* + * Test sqlite open, as done by gcompris require the libsqlite3-dev + * package and linking with -lsqlite3. A more low level test is + * below. + * See also <URL: http://www.sqlite.org./faq.html#q5 >. + */ +#include <sqlite3.h> +#define CREATE_TABLE_USERS \ + "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); " +int test_sqlite_open(void) { + char *zErrMsg; + char *name = "testsqlite.db"; + sqlite3 *db=NULL; + unlink(name); + int rc = sqlite3_open(name, &db); + if( rc ){ + printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db)); + sqlite3_close(db); + return -1; + } -

    Da problemet er fundamentalt med hvordan elektronisk stemmegiving -må fungere for at også ikke-krypografer skal kunne delta, har det vært -mange rapporter om hvordan elektronisk stemmegiving har sviktet i land -etter land. En -liten -samling referanser finnes på NUUGs wiki. Den siste er fra India, -der valgkomisjonen har valgt -å -pusse politiet på en forsker som har dokumentert svakheter i -valgsystemet.

    + /* create tables */ + rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg); + if( rc != SQLITE_OK ){ + printf("error: sqlite table create failed: %s\n", zErrMsg); + sqlite3_close(db); + return -1; + } + printf("info: sqlite worked\n"); + sqlite3_close(db); + return 0; +} +#endif /* TEST_SQLITE */ -

    Her i Norge har en valgt en annen tilnærming, der en forsøker seg -med teknobabbel for å få befolkningen til å tro at dette skal bli -sikkert. Husk, elektronisk stemmegiving underminerer de demokratiske -valgene i Norge, og bør ikke innføres.

    +/* + * Demonstrate locking issue found in gcompris using sqlite3. This + * work with ext3, but not with cifs server on Windows 2003. This is + * done in the sqlite3 library. + * See also + * <URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the + * POSIX specification + * <URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>. + */ +int test_gcompris_locking(void) { + struct flock fl; + char *name = "testsqlite.db"; + unlink(name); + int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644); + printf("info: testing fcntl locking\n"); -

    Den offentlige diskusjonen blir litt vanskelig av at media har -valgt å kalle dette "evalg", som kan sies å både gjelde elektronisk -opptelling av valget som Norge har gjort siden 60-tallet og som er en -svært god ide, og elektronisk opptelling som er en svært dårlig ide. -Diskusjonen gir ikke mening hvis en skal diskutere om en er for eller -mot "evalg", og jeg forsøker derfor å være klar på at jeg snakker om -elektronisk stemmegiving og unngå begrepet "evalg".

    + fl.l_whence = SEEK_SET; + fl.l_pid = getpid(); + printf(" Read-locking 1 byte from 1073741824"); + fl.l_start = 1073741824; + fl.l_len = 1; + fl.l_type = F_RDLCK; + if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); -
    -
    - - - Tags: norsk, nuug, sikkerhet, valg. - - -
    -
    -
    - -
    - -
    - 26th August 2010 -
    -
    -

    My file system sematics program -presented -a few days ago is very useful to verify that a file system can -work as a unix home directory,and today I had to extend it a bit. I'm -looking into alternatives for home directory access here at the -University of Oslo, and one of the options is sshfs. My friend -Finn-Arne mentioned a while back that they had used sshfs with Debian -Edu, but stopped because of problems. I asked today what the problems -where, and he mentioned that sshfs failed to handle umask properly. -Trying to detect the problem I wrote this addition to my fs testing -script:

    + printf(" Read-locking 510 byte from 1073741826"); + fl.l_start = 1073741826; + fl.l_len = 510; + fl.l_type = F_RDLCK; + if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); -
    -mode_t touch_get_mode(const char *name, mode_t mode) {
    -  mode_t retval = 0;
    -  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, mode);
    -  if (-1 != fd) {
    -    unlink(name);
    -    struct stat statbuf;
    -    if (-1 != fstat(fd, &statbuf)) {
    -      retval = statbuf.st_mode & 0x1ff;
    -    }
    -    close(fd);
    -  }
    -  return retval;
    -}
    +  printf("  Unlocking 1 byte from 1073741824");
    +  fl.l_start  = 1073741824;
    +  fl.l_len    = 1;
    +  fl.l_type   = F_UNLCK;
    +  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
     
    -/* Try to detect problem discovered using sshfs */
    -int test_umask(void) {
    -  printf("info: testing umask effect on file creation\n");
    +  printf("  Write-locking 1 byte from 1073741824");
    +  fl.l_start  = 1073741824;
    +  fl.l_len    = 1;
    +  fl.l_type   = F_WRLCK;
    +  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
     
    -  mode_t orig_umask = umask(000);
    -  mode_t newmode;
    -  if (0666 != (newmode = touch_get_mode("foobar", 0666))) {
    -    printf("  error: Wrong file mode %o when creating using mode 666 and umask 000\n",
    -           newmode);
    -  }
    -  umask(007);
    -  if (0660 != (newmode = touch_get_mode("foobar", 0666))) {
    -    printf("  error: Wrong file mode %o when creating using mode 666 and umask 007\n",
    -           newmode);
    +  printf("  Write-locking 510 byte from 1073741826");
    +  fl.l_start  = 1073741826;
    +  fl.l_len    = 510;
    +  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
    +
    +  printf("  Unlocking 2 byte from 1073741824");
    +  fl.l_start  = 1073741824;
    +  fl.l_len    = 2;
    +  fl.l_type   = F_UNLCK;
    +  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
    +
    +  close(fd);
    +  return 0;
    +}
    +
    +/*
    + * Test if permissions of freshly created directories allow entries
    + * below them.  This was a problem with OpenOffice.org and gcompris.
    + * Mounting with option 'sync' seem to solve this problem while
    + * slowing down file operations.
    + */
    +int test_subdirectory_creation(void) {
    +#define LEVELS 5
    +  char *path = strdup("test");
    +  char *dirs[LEVELS];
    +  int level;
    +  printf("info: testing subdirectory creation\n");
    +  for (level = 0; level < LEVELS; level++) {
    +    char *newpath = NULL;
    +    if (-1 == mkdir(path, 0777)) {
    +      printf("  error: Unable to create directory '%s': %s\n",
    +	     path, strerror(errno));
    +      break;
    +    }
    +    asprintf(&newpath, "%s/%s", path, "test");
    +    free(path);
    +    path = newpath;
       }
    +  return 0;
    +}
     
    -  umask (orig_umask);
    +/*
    + * Test if symlinks can be created.  This was a problem detected with
    + * KDE.
    + */
    +int test_symlinks(void) {
    +  printf("info: testing symlink creation\n");
    +  unlink("symlink");
    +  if (-1 == symlink("file", "symlink"))
    +    printf("  error: Unable to create symlink\n");
       return 0;
     }
     
     int main(int argc, char **argv) {
    -  [...]
    -  test_umask();
    +  printf("Testing POSIX/Unix sematics on file system\n");
    +  test_symlinks();
    +  test_subdirectory_creation();
    +#ifdef TEST_SQLITE
    +  test_sqlite_open();
    +#endif /* TEST_SQLITE */
    +  test_gcompris_locking();
       return 0;
     }
     
    -

    Sure enough. On NFS to a netapp, I get this result:

    - -
    -Testing POSIX/Unix sematics on file system
    -info: testing symlink creation
    -info: testing subdirectory creation
    -info: testing fcntl locking
    -  Read-locking 1 byte from 1073741824
    -  Read-locking 510 byte from 1073741826
    -  Unlocking 1 byte from 1073741824
    -  Write-locking 1 byte from 1073741824
    -  Write-locking 510 byte from 1073741826
    -  Unlocking 2 byte from 1073741824
    -info: testing umask effect on file creation
    -
    - -

    When mounting the same directory using sshfs, I get this -result:

    +

    When everything is working, it should print something like +this:

     Testing POSIX/Unix sematics on file system
     info: testing symlink creation
     info: testing subdirectory creation
    +info: sqlite worked
     info: testing fcntl locking
       Read-locking 1 byte from 1073741824
       Read-locking 510 byte from 1073741826
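Review bot: in test_gcompris_locking the descriptor returned by `open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644)` is passed straight into the fcntl() calls without a check for -1, so an unwritable working directory makes every lock step print " - error!" and the test blames the file system for a plain open failure; add `if (fd == -1) { printf("  error: open of %s failed: %s\n", name, strerror(errno)); return -1; }` before the first lock. The same pattern appears in test_subdirectory_creation, where the asprintf() return value is ignored and on allocation failure the content of newpath is undefined before the next mkdir() uses it, and in test_sqlite_open, where the zErrMsg filled in by sqlite3_exec() is printed but never released with sqlite3_free(). Minor: "sematics" in the header comment and in the main() banner should be "semantics".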
    @@ -797,17 +833,19 @@ info: testing fcntl locking
       Write-locking 1 byte from 1073741824
       Write-locking 510 byte from 1073741826
       Unlocking 2 byte from 1073741824
    -info: testing umask effect on file creation
    -  error: Wrong file mode 644 when creating using mode 666 and umask 000
    -  error: Wrong file mode 640 when creating using mode 666 and umask 007
     
    -

    So, I can conclude that sshfs is better than smb to a Netapp or a -Windows server, but not good enough to be used as a home -directory.

    +

    I do not remember the exact details of the problems we saw, but one +of them was with locking, where if I remember correctly, POSIX allow a +read-only lock to be upgraded to a read-write lock without unlocking +the read-only lock (while Windows do not). Another was a bug in the +CIFS/SMB client implementation in the Linux kernel where directory +meta information would be wrong for a fraction of a second, making +OpenOffice.org fail to create its deep directory tree because it was +not allowed to create files in its freshly created directory.

    -

    Update 2010-08-26: Reported the issue in -BTS report #594498

    +

    Anyway, here is a nice tool for your tool box, might you never need +it. :)

    Update 2010-08-27: Michael Gebetsroither report that he found the script so useful that he created a GIT repository and stored it in @@ -826,123 +864,63 @@ script so useful that he created a GIT repository and stored it in

    -
    - 26th August 2010 -
    -
    -

    Denne høsten skal endelig alle Osloskolene få mulighet til å bruke -Skolelinux. Ny IT-løsning -har vært rullet ut i noen måneder nå, og så vidt jeg fikk vite før -sommeren skulle alle skoler ha nytt opplegg på plass før oppstart nå i -høst. På alle skolene skal en kunne velge ved installasjon om en skal -ha Windows eller Skolelinux på maskinene, og en kan i tillegg -PXE-boote maskinene over nett som tynne klienter eller diskløse -arbeidsstasjoner. Jeg er spent på hvor mange skoler som velger å ta i -bruk Skolelinux, og gleder meg til å se hvordan dette utvikler seg. -Løsningen leveres av -Logica med -Skolelinux Drift AS som -underleverandør, og jeg har vært involvert i utviklingen av løsningen -via Skolelinux Drift AS siden prosjektet starter. Jeg synes det er -fantastisk at Skolelinux er kommet så langt siden vi startet i 2001 at -alle elevene i Osloskolene nå skal få mulighet til å bruke -løsningen. Jeg håper de vil sette pris på alle de -fantastiske -brukerprogrammene som er tilgjengelig i Skolelinux.

    - -
    -
    - - - Tags: debian edu, norsk. - - -
    -
    -
    - -
    -
    - 28th August 2010 + 7th August 2010
    -

    Jeg skrev for et halvt år siden hvordan -samfunnet -kaster bort ressurser på sikkerhetstiltak som ikke fungerer. Kom -nettopp over en -historie -fra en pilot fra USA som kommenterer det samme. Jeg mistenker det -kun er uvitenhet og autoritetstro som gjør at så få protesterer. Har -veldig sans for piloten omtalt i Aftenposten 2007-10-23, -og skulle ønske flere rettet oppmerksomhet mot problemet. Det gir -ikke meg trygghetsfølelse på flyplassene når jeg ser at -flyplassadministrasjonen kaster bort folk, penger og tid på tull i -stedet for ting som bidrar til reell økning av sikkerheten. Det -forteller meg jo at vurderingsevnen til de som burde bidra til økt -sikkerhet er svært sviktende, noe som ikke taler godt for de andre -tiltakene.

    - -

    Mon tro hva som skjer hvis det fantes en enkel brosjyre å skrive ut -fra Internet som forklarte hva som er galt med sikkerhetsopplegget på -flyplassene, og folk skrev ut og la en bunke på flyplassene når de -passerte. Kanskje det ville fått flere til å få øynene opp for -problemet.

    +

    A few days ago, I +tried +to install a Roaming workation profile from Debian Edu/Squeeze +while on the university network here at the University of Oslo, and +noticed how much had to change to get it operational using the +university infrastructure. It was fairly easy, but it occured to me +that Debian Edu would improve a lot if I could get the client to +connect without any changes at all, and thus let the client configure +itself during installation and first boot to use the infrastructure +around it. Now I am a huge step further along that road.

    -

    Personlig synes jeg flyopplevelsen er blitt så avskyelig at jeg -forsøker å klare meg med tog, bil og båt for å slippe ubehaget. Det -er dog noe vanskelig i det langstrakte Norge og for å kunne besøke de -delene av verden jeg ønsker å nå. Mistenker at flere har det slik, og -at dette går ut over inntjeningen til flyselskapene. Det er antagelig -en god ting sett fra et miljøperspektiv, men det er en annen sak.

    +

    With our current squeeze-test packages, I can select the roaming +workstation profile and get a working laptop connecting to the +university LDAP server for user and group and our active directory +servers for Kerberos authentication. All this without any +configuration at all during installation. My users home directory got +a bookmark in the KDE menu to mount it via SMB, with the correct URL. +In short, openldap and sssd is correctly configured. In addition to +this, the client look for http://wpad/wpad.dat to configure a web +proxy, and when it fail to find it no proxy settings are stored in +/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is +configured to look for the same wpad configuration and also do not use +a proxy when at the university network. If the machine is moved to a +network with such wpad setup, it would automatically use it when DHCP +gave it a IP address.

    -
    -
    - - - Tags: norsk, nuug, personvern, sikkerhet. - - -
    -
    -
    - -
    - -
    - 30th August 2010 -
    -
    -

    Just got an email from Tobias Gruetzmacher as a followup on my -previous -post about sshfs. He reported another problem with sshfs. It -fail to handle hard links properly. A simple way to spot this is to -look at the . and .. entries in the directory tree. These should have -a link count >1, but on sshfs the count is 1. I just tested to see -what happen when trying to hardlink, and this fail as well:

    +

    The LDAP server is located using DNS, by first looking for the DNS +entry ldap.$domain. If this do not exist, it look for the +_ldap._tcp.$domain SRV records and use the first one as the LDAP +server. Next, it connects to the LDAP server and search all +namingContexts entries for posixAccount or posixGroup objects, and +pick the first one as the LDAP base. For Kerberos, a similar +algorithm is used to locate the LDAP server, and the realm is the +uppercase version of $domain.

    -
    -% ln foo bar
    -ln: creating hard link `bar' => `foo': Function not implemented
    -%
    -
    +

    So, what is not working, you might ask. SMB mounting my home +directory do not work. No idea why, but suspected the incorrect +Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be +the cause. These are not properly configured during installation, and +had to be hand-edited to get the correct Kerberos realm and server, +but SMB mounting still do not work. :(

    -

    I have not yet found time to implement a test for this in my file -system test code, but believe having working hard links is useful to -avoid surprised unix programs. Not as useful as working file locking -and symlinks, which are required to get a working desktop, but useful -nevertheless. :)

    +

    With this automatic configuration in place, I expect a Debian Edu +roaming profile installation would be able to automatically detect and +connect to any site using LDAP and Kerberos for NSS directory and PAM +authentication. It should also work out of the box in a Active +Directory environment providing posixAccount and posixGroup objects +with UID and GID values.

    -

    The latest version of the file system test code is available via -git from -http://github.com/gebi/fs-test

    +

    If you want to help out with implementing these things for Debian +Edu, please contact us on debian-edu@lists.debian.org.

    @@ -957,26 +935,48 @@ git from
    - 31st August 2010 + 3rd August 2010
    -

    Ble tipset i dag om at et forslag om å stoppe forsøkene med -elektronisk stemmegiving utenfor valglokaler er -til -behandling i Stortinget. -Forslaget -er fremmet av Erna Solberg, Michael Tetzschner og Trond Helleland.

    +

    The new roaming workstation profile in Debian Edu/Squeeze is fairly +similar to the laptop setup am I working on using Ubuntu for the +University of Oslo, and just for the heck of it, I tested today how +hard it would be to integrate that profile into the university +infrastructure. In this case, it is the university LDAP server, +Active Directory Kerberos server and SMB mounting from the Netapp file +servers.

    -

    Håper det får flertall.

    +

    I was pleasantly surprised that the only three files needed to be +changed (/etc/sssd/sssd.conf, /etc/ldap.conf and +/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added +(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working. +Most of the changes were to get the client to use the university LDAP +for NSS and Kerberos server for PAM, but one was to change a hard +coded DNS domain name in the mklocaluser hook from .intern to +.uio.no.

    + +

    This testing was so encouraging, that I went ahead and adjusted the +Debian Edu scripts and setup in subversion to centralise the roaming +workstation setup a bit more and avoid the hardcoded DNS domain name, +so that when I test this tomorrow, I expect to get away with modifying +only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the +university servers.

    + +

    My goal is to get the clients to have no hardcoded settings and +fetch all their initial setup during installation and first boot, to +allow them to be inserted also into environments where the default +setup in Debian Edu has been changed or as with the university, where +the environment is different but provides the protocols Debian Edu +uses.

    - Tags: norsk, nuug, sikkerhet, valg. + Tags: debian edu, english, nuug.
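Review bot: the paragraph listing the four files touched (/etc/sssd/sssd.conf, /etc/ldap.conf, /etc/mklocaluser.d/20-debian-edu-config and the added /usr/share/perl5/Debian/Edu_Local.pm) says what the changes were for (university LDAP for NSS, Kerberos for PAM, the .intern to .uio.no domain) but not which settings were changed, so someone reproducing the integration cannot follow it; a short listing of the changed keys, or a pointer to the subversion changes mentioned in the following paragraph, would close that gap. Also "the laptop setup am I working on" should read "the laptop setup I am working on".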