X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/c6843e8ebe94cbe6bb66c2ab3045a69fba681de1..c34a3c4ed42580eae32bcf7205825db0651ff50b:/blog/index.rss
diff --git a/blog/index.rss b/blog/index.rss
index c932f6644f..961899c3d6 100644
--- a/blog/index.rss
+++ b/blog/index.rss
@@ -7,528 +7,652 @@
-
- Parallellized boot seem to hold up well in Debian/testing
- http://people.skolelinux.org/pere/blog/Parallellized_boot_seem_to_hold_up_well_in_Debian_testing.html
- http://people.skolelinux.org/pere/blog/Parallellized_boot_seem_to_hold_up_well_in_Debian_testing.html
- Thu, 27 May 2010 23:55:00 +0200
+ Idea for storing LTSP configuration in LDAP
+ http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html
+ http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html
+ Sun, 11 Jul 2010 22:00:00 +0200
-<p>A few days ago, parallel booting was enabled in Debian/testing.
-The feature seem to hold up pretty well, but three fairly serious
-issues are known and should be solved:
-
-<p><ul>
-
-<li>The wicd package seen to
-<a href="http://bugs.debian.org/508289">break NFS mounting</a> and
-<a href="http://bugs.debian.org/581586">network setup</a> when
-parallel booting is enabled. No idea why, but the wicd maintainer
-seem to be on the case.</li>
-
-<li>The nvidia X driver seem to
-<a href="http://bugs.debian.org/583312">have a race condition</a>
-triggered more easily when parallel booting is in effect. The
-maintainer is on the case.</li>
-
-<li>The sysv-rc package fail to properly enable dependency based boot
-sequencing (the shutdown is broken) when old file-rc users
-<a href="http://bugs.debian.org/575080">try to switch back</a> to
-sysv-rc. One way to solve it would be for file-rc to create
-/etc/init.d/.legacy-bootordering, and another is to try to make
-sysv-rc more robust. Will investigate some more and probably upload a
-workaround in sysv-rc to help those trying to move from file-rc to
-sysv-rc get a working shutdown.</li>
-
-</ul></p>
-
-<p>All in all not many surprising issues, and all of them seem
-solvable before Squeeze is released. In addition to these there are
-some packages with bugs in their dependencies and run level settings,
-which I expect will be fixed in a reasonable time span.</p>
-
-<p>If you report any problems with dependencies in init.d scripts to
-the BTS, please usertag the report to get it to show up at
-<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
-list of usertagged bugs related to this</a>.</p>
+<p>Vagrant mentioned on IRC today that ltsp_config now support
+sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
+clients, and that this can be used to fetch configuration from LDAP if
+Debian Edu choose to store configuration there.</p>
+
+<p>Armed with this information, I got inspired and wrote a test module
+to get configuration from LDAP. The idea is to look up the MAC
+address of the client in LDAP, and look for attributes on the form
+ltspconfigsetting=value, and use this to export SETTING=value to the
+LTSP clients.</p>
+
+<p>The goal is to be able to store the LTSP configuration attributes
+in a "computer" LDAP object used by both DNS and DHCP, and thus
+allowing us to store all information about a computer in one place.</p>
+
+<p>This is a untested draft implementation, and I welcome feedback on
+this approach. A real LDAP schema for the ltspClientAux objectclass
+need to be written. Comments, suggestions, etc?</p>
+
+<blockquote><pre>
+# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
+#
+# Fetch LTSP client settings from LDAP based on MAC address
+#
+# Uses ethernet address as stored in the dhcpHost objectclass using
+# the dhcpHWAddress attribute or ethernet address stored in the
+# ieee802Device objectclass with the macAddress attribute.
+#
+# This module is written to be schema agnostic, and only depend on the
+# existence of attribute names.
+#
+# The LTSP configuration variables are saved directly using a
+# ltspConfig prefix and uppercasing the rest of the attribute name.
+# To set the SERVER variable, set the ltspConfigServer attribute.
+#
+# Some LDAP schema should be created with all the relevant
+# configuration settings. Something like this should work:
+#
+# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
+# SUP top
+# AUXILIARY
+# MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+
+LDAPSERVER=$(debian-edu-ldapserver)
+if [ "$LDAPSERVER" ] ; then
+ LDAPBASE=$(debian-edu-ldapserver -b)
+ for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
+ filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
+ ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
+ grep '^ltspConfig' | while read attr value ; do
+ # Remove prefix and convert to upper case
+ attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
+ # bass value on to clients
+ eval "$attr=$value; export $attr"
+ done
+ done
+fi
+</pre></blockquote>
+
+<p>I'm not sure this shell construction will work, because I suspect
+the while block might end up in a subshell causing the variables set
+there to not show up in ltsp-config, but if that is the case I am sure
+the code can be restructured to make sure the variables are passed on.
+I expect that can be solved with some testing. :)</p>
+
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
-
- More flexible firmware handling in debian-installer
- http://people.skolelinux.org/pere/blog/More_flexible_firmware_handling_in_debian_installer.html
- http://people.skolelinux.org/pere/blog/More_flexible_firmware_handling_in_debian_installer.html
- Sat, 22 May 2010 21:30:00 +0200
+ jXplorer, a very nice LDAP GUI
+ http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html
+ http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html
+ Fri, 9 Jul 2010 12:55:00 +0200
-<p>After a long break from debian-installer development, I finally
-found time today to return to the project. Having to spend less time
-working dependency based boot in debian, as it is almost complete now,
-definitely helped freeing some time.</p>
-
-<p>A while back, I ran into a problem while working on Debian Edu. We
-include some firmware packages on the Debian Edu CDs, those needed to
-get disk and network controllers working. Without having these
-firmware packages available during installation, it is impossible to
-install Debian Edu on the given machine, and because our target group
-are non-technical people, asking them to provide firmware packages on
-an external medium is a support pain. Initially, I expected it to be
-enough to include the firmware packages on the CD to get
-debian-installer to find and use them. This proved to be wrong.
-Next, I hoped it was enough to symlink the relevant firmware packages
-to some useful location on the CD (tried /cdrom/ and
-/cdrom/firmware/). This also proved to not work, and at this point I
-found time to look at the debian-installer code to figure out what was
-going to work.</p>
-
-<p>The firmware loading code is in the hw-detect package, and a closer
-look revealed that it would only look for firmware packages outside
-the installation media, so the CD was never checked for firmware
-packages. It would only check USB sticks, floppies and other
-"external" media devices. Today I changed it to also look in the
-/cdrom/firmware/ directory on the mounted CD or DVD, which should
-solve the problem I ran into with Debian edu. I also changed it to
-look in /firmware/, to make sure the installer also find firmware
-provided in the initrd when booting the installer via PXE, to allow us
-to provide the same feature in the PXE setup included in Debian
-Edu.</p>
-
-<p>To make sure firmware deb packages with a license questions are not
-activated without asking if the license is accepted, I extended
-hw-detect to look for preinst scripts in the firmware packages, and
-run these before activating the firmware during installation. The
-license question is asked using debconf in the preinst, so this should
-solve the issue for the firmware packages I have looked at so far.</p>
-
-<p>If you want to discuss the details of these features, please
-contact us on debian-boot@lists.debian.org.</p>
+<p>Since
+<a href="http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html">my
+last post</a> about available LDAP tools in Debian, I was told about a
+LDAP GUI that is even better than luma. The java application
+<a href="http://jxplorer.org/">jXplorer</a> is claimed to be capable of
+moving LDAP objects and subtrees using drag-and-drop, and can
+authenticate using Kerberos. I have only tested the Kerberos
+authentication, but do not have a LDAP setup allowing me to rewrite
+LDAP with my test user yet. It is
+<a href="http://packages.qa.debian.org/j/jxplorer.html">available in
+Debian</a> testing and unstable at the moment. The only problem I
+have with it is how it handle errors. If something go wrong, its
+non-intuitive behaviour require me to go through some query work list
+and remove the failing query. Nothing big, but very annoying.</p>
-
- Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten
- http://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html
- http://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html
- Fri, 21 May 2010 16:00:00 +0200
+ MS Word krøller det til for politiet?
+ http://people.skolelinux.org/pere/blog/MS_Word_kr__ller_det_til_for_politiet_.html
+ http://people.skolelinux.org/pere/blog/MS_Word_kr__ller_det_til_for_politiet_.html
+ Thu, 8 Jul 2010 14:00:00 +0200
-<p>For en stund tilbake kjøpte jeg en magnetkortleser for å kunne
-titte på hva som er skrevet inn på magnetstripene til ulike kort. Har
-ikke hatt tid til å analysere mange kort så langt, men tenkte jeg
-skulle dele innholdet på to kort med mine lesere.</p>
-
-<p>For noen dager siden tok jeg flyet til Harstad og Hurtigruten til
-Bergen. Flytoget fra Oslo S til flyplassen ga meg en billett med
-magnetstripe. Påtrykket finner jeg følgende informasjon:</p>
-
-<pre>
-Flytoget Airport Express Train
-
-Fra - Til : Oslo Sentralstasjon
-Kategori : Voksen
-Pris : Nok 170,00
-Herav mva. 8,00% : NOK 12,59
-Betaling : Kontant
-Til - Fra : Oslo Lufthavn
-Utstedt: : 08.05.10
-Gyldig Fra-Til : 08.05.10-07.11.10
-Billetttype : Enkeltbillett
-
-102-1015-100508-48382-01-08
-</pre>
-
-<p>PÃ¥ selve magnetstripen er innholdet
-<tt>;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?</tt>.
-Aner ikke hva innholdet representerer, og det er lite overlapp mellom
-det jeg ser trykket på billetten og det jeg ser av tegn i
-magnetstripen. HÃ¥per det betyr at de bruker kryptografiske metoder
-for å gjøre det vanskelig å forfalske billetter.</p>
-
-<p>Den andre billetten er fra Hurtigruten, der jeg mistenker at
-strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert
-fall den biten vi stakk inn i dørlåsen).</p>
-
-<p>Påtrykket forsiden er følgende:</p>
-
-<pre>
-Romnummer 727
-Hurtigruten
-Midnatsol
-Reinholdtsen
-Petter
-Bookingno: SAX69 0742193
-Harstad-Bergen
-Dep: 09.05.2010 Arr: 12.05.2010
-Lugar fra Risøyhamn
-Kost: FRO=4
-</pre>
-
-<p>PÃ¥ selve magnetstripen er innholdet
-<tt>;1316010007421930=00000000000000000000?+E?</tt>. Heller ikke her
-ser jeg mye korrespondanse mellom påtrykk og magnetstripe.</p>
+<p>De siste dagene har Aftenposten
+<a href="http://www.aftenposten.no/nyheter/iriks/article3718597.ece">fortalt</a>
+<a href="http://www.aftenposten.no/nyheter/iriks/article3724249.ece">hvordan</a>
+politet har brukt skriveverktøy som ikke håndterer arabisk tekst og
+tekst som skal skrives fra høyre mot venstre når de har laget
+løpeseddel for å be om informasjon fra publikum. Resultatet har vært
+en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når
+teksten har blitt "kopiert inn i programvare som ikke har støtte for
+språk som skrives fra høyre mot venstre", og jeg er ganske sikker på
+at det er snakk om Microsoft Office i dette tilfellet. Er det slik at
+MS Office i norsk språkdrakt ikke har støtte for tekst som skal
+skrives fra høyre mot venstre? Jeg tror alle utgaver av
+OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å
+la slik støtte finnes i alle utgaver av et program hvis støtten først
+er utviklet. Aftenpostens melding får meg til å undre om problemet
+ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS
+Office.</p>
+
+<p>Mon tro om det er flere eksempler på at MS Office har ødelagt for
+offentlig myndighet?</p>
-
- Pieces of the roaming laptop puzzle in Debian
- http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html
- http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html
- Wed, 19 May 2010 19:00:00 +0200
+ Lenny->Squeeze upgrades, apt vs aptitude with the Gnome desktop
+ http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html
+ http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html
+ Sat, 3 Jul 2010 23:55:00 +0200
-<p>Today, the last piece of the puzzle for roaming laptops in Debian
-Edu finally entered the Debian archive. Today, the new
-<a href="http://packages.qa.debian.org/libp/libpam-mklocaluser.html">libpam-mklocaluser</a>
-package was accepted. Two days ago, two other pieces was accepted
-into unstable. The
-<a href="http://packages.qa.debian.org/p/pam-python.html">pam-python</a>
-package needed by libpam-mklocaluser, and the
-<a href="http://packages.qa.debian.org/s/sssd.html">sssd</a> package
-passed NEW on Monday. In addition, the
-<a href="http://packages.qa.debian.org/libp/libpam-ccreds.html">libpam-ccreds</a>
-package we need is in experimental (version 10-4) since Saturday, and
-hopefully will be moved to unstable soon.</p>
-
-<p>This collection of packages allow for two different setups for
-roaming laptops. The traditional setup would be using libpam-ccreds,
-nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
-which should work out of the box if the configuration changes proposed
-for nscd in <a href="http://bugs.debian.org/485282">BTS report
-#485282</a> is implemented. The alternative setup is to use sssd with
-libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
-care of the caching of passwords and group information.</p>
-
-<p>I have so far been unable to get sssd to work with the LDAP server
-at the University, but suspect the issue is some SSL/GnuTLS related
-problem with the server certificate. I plan to update the Debian
-package to version 1.2, which is scheduled for next week, and hope to
-find time to make sure the next release will include both the
-Debian/Ubuntu specific patches. Upstream is friendly and responsive,
-and I am sure we will find a good solution.</p>
-
-<p>The idea is to set up the roaming laptops to authenticate using
-LDAP or Kerberos and create a local user with home directory in /home/
-when a usre in LDAP logs in via KDM or GDM for the first time, and
-cache the password for offline checking, as well as caching group
-memberhips and other relevant LDAP information. The
-libpam-mklocaluser package was created to make sure the local home
-directory is in /home/, instead of /site/server/directory/ which would
-be the home directory if pam_mkhomedir was used. To avoid confusion
-with support requests and configuration, we do not want local laptops
-to have users in a path that is used for the same users home directory
-on the home directory servers.</p>
-
-<p>One annoying problem with gdm is that it do not show the PAM
-message passed to the user from libpam-mklocaluser when the local user
-is created. Instead gdm simply reject the login with some generic
-message. The message is shown in kdm, ssh and login, so I guess it is
-a bug in gdm. Have not investigated if there is some other message
-type that can be used instead to get gdm to also show the message.</p>
-
-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
+<p>Here is a short update on my <a
+href="http://people.skolelinux.org/~pere/debian-upgrade-testing/">my
+Debian Lenny->Squeeze upgrade testing</a>. Here is a summary of the
+difference for Gnome when it is upgraded by apt-get and aptitude. I'm
+not reporting the status for KDE, because the upgrade crashes when
+aptitude try because of missing conflicts
+(<a href="http://bugs.debian.org/584861">#584861</a> and
+<a href="http://bugs.debian.org/585716">#585716</a>).</p>
+
+<p>At the end of the upgrade test script, dpkg -l is executed to get a
+complete list of the installed packages. Based on this I see these
+differences when I did a test run today. As usual, I do not really
+know what the correct set of packages would be, but thought it best to
+publish the difference.</p>
+
+<p>Installed using apt-get, missing with aptitude</p>
+
+<blockquote><p>
+ at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs
+ libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common
+ libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
+ libgtksourceview-common libpt-1.10.10-plugins-alsa
+ libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
+ libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
+ python-4suite-xml python-eggtrayicon python-gtkhtml2
+ python-gtkmozembed svgalibg1 xserver-xephyr zip
+</p></blockquote>
+
+<p>Installed using apt-get, removed with aptitude</p>
+
+<blockquote><p>
+ bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
+ gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
+ libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50
+ libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3
+ libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9
+ libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3
+ libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9
+ libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2
+ libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0
+ libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0
+ libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50
+ libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10
+ libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
+ libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5
+ libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
+ libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8
+ libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1
+ libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
+ libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
+ mysql-common swfdec-gnome totem-gstreamer wodim
+</p></blockquote>
+
+<p>Installed using aptitude, missing with apt-get</p>
+
+<blockquote><p>
+ gnome gnome-desktop-environment hamster-applet python-gnomeapplet
+ python-gnomekeyring python-wnck rhythmbox-plugins xorg
+ xserver-xorg-input-all xserver-xorg-input-evdev
+ xserver-xorg-input-kbd xserver-xorg-input-mouse
+ xserver-xorg-input-synaptics xserver-xorg-video-all
+ xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
+ xserver-xorg-video-chips xserver-xorg-video-cirrus
+ xserver-xorg-video-dummy xserver-xorg-video-fbdev
+ xserver-xorg-video-glint xserver-xorg-video-i128
+ xserver-xorg-video-i740 xserver-xorg-video-mach64
+ xserver-xorg-video-mga xserver-xorg-video-neomagic
+ xserver-xorg-video-nouveau xserver-xorg-video-nv
+ xserver-xorg-video-r128 xserver-xorg-video-radeon
+ xserver-xorg-video-radeonhd xserver-xorg-video-rendition
+ xserver-xorg-video-s3 xserver-xorg-video-s3virge
+ xserver-xorg-video-savage xserver-xorg-video-siliconmotion
+ xserver-xorg-video-sis xserver-xorg-video-sisusb
+ xserver-xorg-video-tdfx xserver-xorg-video-tga
+ xserver-xorg-video-trident xserver-xorg-video-tseng
+ xserver-xorg-video-vesa xserver-xorg-video-vmware
+ xserver-xorg-video-voodoo
+</p></blockquote>
+
+<p>Installed using aptitude, removed with apt-get</p>
+
+<blockquote><p>
+ deskbar-applet xserver-xorg xserver-xorg-core
+ xserver-xorg-input-wacom xserver-xorg-video-intel
+ xserver-xorg-video-openchrome
+</p></blockquote>
+
+<p>I was told on IRC that the xorg-xserver package was
+<a href="http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=9c8080d06c457932d3bfec021c69ac000aa60120">changed
+in git</a> today to try to get apt-get to not remove xorg completely.
+No idea when it hits Squeeze, but when it does I hope it will reduce
+the difference somewhat.
-
- Parallellized boot is now the default in Debian/unstable
- http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html
- http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html
- Fri, 14 May 2010 22:40:00 +0200
+ Caching password, user and group on a roaming Debian laptop
+ http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
+ http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
+ Thu, 1 Jul 2010 11:40:00 +0200
-<p>Since this evening, parallel booting is the default in
-Debian/unstable for machines using dependency based boot sequencing.
-Apparently the testing of concurrent booting has been wider than
-expected, if I am to believe the
-<a href="http://lists.debian.org/debian-devel/2010/05/msg00122.html">input
-on debian-devel@</a>, and I concluded a few days ago to move forward
-with the feature this weekend, to give us some time to detect any
-remaining problems before Squeeze is frozen. If serious problems are
-detected, it is simple to change the default back to sequential boot.
-The upload of the new sysvinit package also activate a new upstream
-version.</p>
-
-More information about
-<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
-based boot sequencing</a> is available from the Debian wiki. It is
-currently possible to disable parallel booting when one run into
-problems caused by it, by adding this line to /etc/default/rcS:</p>
+<p>For a laptop, centralized user directories and password checking is
+a bit troubling. Laptops are typically used also when not connected
+to the network, and it is vital for a user to be able to log in or
+unlock the screen saver also when a central server is unavailable.
+This is possible by caching passwords and directory information (user
+and group attributes) locally, and the packages to do so are available
+in Debian. Here follow two recipes to set this up in Debian/Squeeze.
+It is also possible to set up in Debian/Lenny, but require more manual
+setup there because pam-auth-update is missing in Lenny.</p>
+
+<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>
+
+This is the traditional method with a twist. The password caching is
+provided by libpam-ccreds (version 10-4 or later is needed on
+Squeeze), and the directory caching is done by nscd. The directory
+lookup and password checking is done using LDAP. If one want to use
+Kerberos for password checking the libpam-ldapd package can be
+replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
+local home directory with the path listed in LDAP, one can use the
+pam_mkhomedir module from pam-modules to make this happen instead of
+using libpam-mklocaluser. A setup for pam-auth-update to enable
+pam_mkhomedir will have to be written until a fix for
+<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
+archive. Because I believe it is a bad idea to have local home
+directories using misleading paths like /site/server/partition/, I
+prefer to create a local user with the home directory in /home/. This
+is done using the libpam-mklocaluser package.</p>
+
+<p>These packages need to be installed and configured</p>
<blockquote><pre>
-CONCURRENCY=none
+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
</pre></blockquote>
-<p>If you report any problems with dependencies in init.d scripts to
-the BTS, please usertag the report to get it to show up at
-<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
-list of usertagged bugs related to this</a>.</p>
-
-
-
- -
- Sitesummary tip: Listing MAC address of all clients
- http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html
- http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html
- Fri, 14 May 2010 21:10:00 +0200
-
-<p>In the recent Debian Edu versions, the
-<a href="http://wiki.debian.org/DebianEdu/HowTo/SiteSummary">sitesummary
-system</a> is used to keep track of the machines in the school
-network. Each machine will automatically report its status to the
-central server after boot and once per night. The network setup is
-also reported, and using this information it is possible to get the
-MAC address of all network interfaces in the machines. This is useful
-to update the DHCP configuration.</p>
-
-<p>To give some idea how to use sitesummary, here is a one-liner to
-ist all MAC addresses of all machines reporting to sitesummary. Run
-this on the collector host:</p>
+<p>The ldapd packages will ask for LDAP connection information, and
+one have to fill in the values that fits ones own site. Make sure the
+PAM part uses encrypted connections, to make sure the password is not
+sent in clear text to the LDAP server. I've been unable to get TLS
+certificate checking for a self signed certificate working, which make
+LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
+is talking to the correct LDAP server), and very much welcome feedback
+on how to get this working.</p>
+
+<p>Because nscd do not have a default configuration fit for offline
+caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
+is fixed, this configuration should be used instead of the one
+currently in /etc/nscd.conf. The changes are in the fields
+reload-count and positive-time-to-live, and is based on the
+instructions I found in the
+<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
+instructions by Flyn Computing.</p>
+
+<blockquote><pre>
+ debug-level 0
+ reload-count unlimited
+ paranoia no
+
+ enable-cache passwd yes
+ positive-time-to-live passwd 2592000
+ negative-time-to-live passwd 20
+ suggested-size passwd 211
+ check-files passwd yes
+ persistent passwd yes
+ shared passwd yes
+ max-db-size passwd 33554432
+ auto-propagate passwd yes
+
+ enable-cache group yes
+ positive-time-to-live group 2592000
+ negative-time-to-live group 20
+ suggested-size group 211
+ check-files group yes
+ persistent group yes
+ shared group yes
+ max-db-size group 33554432
+ auto-propagate group yes
+
+ enable-cache hosts no
+ positive-time-to-live hosts 2592000
+ negative-time-to-live hosts 20
+ suggested-size hosts 211
+ check-files hosts yes
+ persistent hosts yes
+ shared hosts yes
+ max-db-size hosts 33554432
+
+ enable-cache services yes
+ positive-time-to-live services 2592000
+ negative-time-to-live services 20
+ suggested-size services 211
+ check-files services yes
+ persistent services yes
+ shared services yes
+ max-db-size services 33554432
+</pre></blockquote>
+
+<p>While we wait for a mechanism to update /etc/nsswitch.conf
+automatically like the one provided in
+<a href="http://bugs.debian.org/496915">bug #496915</a>, the file
+content need to be manually replaced to ensure LDAP is used as the
+directory service on the machine. /etc/nsswitch.conf should normally
+look like this:</p>
<blockquote><pre>
-perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks: files
+protocols: files
+services: files
+ethers: files
+rpc: files
+netgroup: files ldap
</pre></blockquote>
-<p>This will list all MAC addresses assosiated with all machine, one
-line per machine and with space between the MAC addresses.</p>
+<p>The important parts are that ldap is listed last for passwd, group,
+shadow and netgroup.</p>
+
+<p>With these changes in place, any user in LDAP will be able to log
+in locally on the machine using for example kdm, get a local home
+directory created and have the password as well as user and group
+attributes cached.
+
+<h2>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
+ libpam-mklocaluser/pam_mkhomedir</h2>
+
+<p>Because nscd have had its share of problems, and seem to have
+problems doing proper caching, I've seen suggestions and recipes to
+use nss-updatedb to copy parts of the LDAP database locally when the
+LDAP database is available. I have not tested such setup, because I
+discovered sssd.</p>
+
+<h2>LDAP/Kerberos + sssd + libpam-mklocaluser</h2>
+
+<p>A more flexible and robust setup than the nscd combination
+mentioned earlier that has shown up recently, is the
+<a href="https://fedorahosted.org/sssd/">sssd</a> package from Redhat.
+It is part of the <a href="http://www.freeipa.org/">FreeIPA</A> project
+to provide a Active Directory like directory service for Linux
+machines. The sssd system combines the caching of passwords and user
+information into one package, and remove the need for nscd and
+libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version
+1.2 do not support netgroups, but it is said that it will support this
+in version 1.5 expected to show up later in 2010. Because the
+<a href="http://packages.qa.debian.org/s/sssd.html">sssd package</a>
+was missing in Debian, I ended up co-maintaining it with Werner, and
+version 1.2 is now in testing.
+
+<p>These packages need to be installed and configured to get the
+roaming setup I want</p>
-<p>To allow system administrators easier job at adding static DHCP
-addresses for hosts, it would be possible to extend this to fetch
-machine information from sitesummary and update the DHCP and DNS
-tables in LDAP using this information. Such tool is unfortunately not
-written yet.</p>
+<blockquote><pre>
+libpam-sss libnss-sss libpam-mklocaluser
+</pre></blockquote>
+
+The complete setup of sssd is done by editing/creating
+<tt>/etc/sssd/sssd.conf</tt>.
+
+<blockquote><pre>
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+</pre></blockquote>
+
+<p>I got the same problem here with certificate checking. Had to set
+"ldap_tls_reqcert = never" to get it working.</p>
+
+<p>With the libnss-sss package in testing at the moment, the
+nsswitch.conf file is update automatically, so there is no need to
+modify it manually.</p>
+
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
-
- systemd, an interesting alternative to upstart
- http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html
- http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html
- Thu, 13 May 2010 22:20:00 +0200
+ LUMA, a very nice LDAP GUI
+ http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html
+ http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html
+ Mon, 28 Jun 2010 00:30:00 +0200
-<p>The last few days a new boot system called
-<a href="http://www.freedesktop.org/wiki/Software/systemd">systemd</a>
-has been
-<a href="http://0pointer.de/blog/projects/systemd.html">introduced</a>
-
-to the free software world. I have not yet had time to play around
-with it, but it seem to be a very interesting alternative to
-<a href="http://upstart.ubuntu.com/">upstart</a>, and might prove to be
-a good alternative for Debian when we are able to switch to an event
-based boot system. Tollef is
-<a href="http://bugs.debian.org/580814">in the process</a> of getting
-systemd into Debian, and I look forward to seeing how well it work. I
-like the fact that systemd handles init.d scripts with dependency
-information natively, allowing them to run in parallel where upstart
-at the moment do not.</p>
-
-<p>Unfortunately do systemd have the same problem as upstart regarding
-platform support. It only work on recent Linux kernels, and also need
-some new kernel features enabled to function properly. This means
-kFreeBSD and Hurd ports of Debian will need a port or a different boot
-system. Not sure how that will be handled if systemd proves to be the
-way forward.</p>
-
-<p>In the mean time, based on the
-<a href="http://lists.debian.org/debian-devel/2010/05/msg00122.html">input
-on debian-devel@</a> regarding parallel booting in Debian, I have
-decided to enable full parallel booting as the default in Debian as
-soon as possible (probably this weekend or early next week), to see if
-there are any remaining serious bugs in the init.d dependencies. A
-new version of the sysvinit package implementing this change is
-already in experimental. If all go well, Squeeze will be released
-with parallel booting enabled by default.</p>
+<p>The last few days I have been looking into the status of the LDAP
+directory in Debian Edu, and in the process I started to miss a GUI
+tool to browse the LDAP tree. The only one I was able to find in
+Debian/Squeeze and Lenny is
+<a href="http://luma.sourceforge.net/">LUMA</a>, which has proved to
+be a great tool to get a overview of the current LDAP directory
+populated by default in Skolelinux. Thanks to it, I have been able to
+find empty and obsolete subtrees, misplaced objects and duplicate
+objects. It will be installed by default in Debian/Squeeze. If you
+are working with LDAP, give it a go. :)</p>
+
+<p>I did notice one problem with it I have not had time to report to
+the BTS yet. There is no .desktop file in the package, so the tool do
+not show up in the Gnome and KDE menus, but only deep down in in the
+Debian submenu in KDE. I hope that can be fixed before Squeeze is
+released.</p>
+
+<p>I have not yet been able to get it to modify the tree yet. I would
+like to move objects and remove subtrees directly in the GUI, but have
+not found a way to do that with LUMA yet. So in the mean time, I use
+<a href="http://www.lichteblau.com/ldapvi/">ldapvi</a> for that.</p>
+
+<p>If you have tips on other GUI tools for LDAP that might be useful
+in Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
+
+<p>Update 2010-06-29: Ross Reedstrom tipped us about the
+<a href="http://packages.qa.debian.org/g/gq.html">gq</a> package as a
+useful GUI alternative. It seem like a good tool, but is unmaintained
+in Debian and got a RC bug keeping it out of Squeeze. Unless that
+changes, it will not be an option for Debian Edu based on Squeeze.</p>
-
- Parallellizing the boot in Debian Squeeze - ready for wider testing
- http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html
- http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html
- Thu, 6 May 2010 23:25:00 +0200
+ Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object
+ http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html
+ http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html
+ Thu, 24 Jun 2010 00:35:00 +0200
-<p>These days, the init.d script dependencies in Squeeze are quite
-complete, so complete that it is actually possible to run all the
-init.d scripts in parallell based on these dependencies. If you want
-to test your Squeeze system, make sure
-<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
-based boot sequencing</a> is enabled, and add this line to
-/etc/default/rcS:</p>
+<p>A while back, I
+<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">complained
+about the fact</a> that it is not possible with the provided schemas
+for storing DNS and DHCP information in LDAP to combine the two sets
+of information into one LDAP object representing a computer.</p>
+
+<p>In the mean time, I discovered that a simple fix would be to make
+the dhcpHost object class auxiliary, to allow it to be combined with
+the dNSDomain object class, and thus forming one object for one
+computer when storing both DHCP and DNS information in LDAP.</p>
+
+<p>If I understand this correctly, it is not safe to do this change
+without also changing the assigned number for the object class, and I
+do not know enough about LDAP schema design to do that properly for
+Debian Edu.</p>
+
+<p>Anyway, for future reference, this is how I believe we could change
+the
+<a href="http://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00">DHCP
+schema</a> to solve at least part of the problem with the LDAP schemas
+available today from IETF.</p>
-<blockquote><pre>
-CONCURRENCY=makefile
-</pre></blockquote>
+<pre>
+--- dhcp.schema (revision 65192)
++++ dhcp.schema (working copy)
+@@ -376,7 +376,7 @@
+ objectclass ( 2.16.840.1.113719.1.203.6.6
+ NAME 'dhcpHost'
+ DESC 'This represents information about a particular client'
+- SUP top
++ SUP top AUXILIARY
+ MUST cn
+ MAY (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+ X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
+</pre>
+
+<p>I very much welcome clues on how to do this properly for Debian
+Edu/Squeeze. We provide the DHCP schema in our debian-edu-config
+package, and should thus be free to rewrite it as we see fit.</p>
-<p>That is it. It will cause sysv-rc to use the startpar tool to run
-scripts in parallel using the dependency information stored in
-/etc/init.d/.depend.boot, /etc/init.d/.depend.start and
-/etc/init.d/.depend.stop to order the scripts. Startpar is configured
-to try to start the kdm and gdm scripts as early as possible, and will
-start the facilities required by kdm or gdm as early as possible to
-make this happen.</p>
-
-<p>Give it a try, and see if you like the result. If some services
-fail to start properly, it is most likely because they have incomplete
-init.d script dependencies in their startup script (or some of their
-dependent scripts have incomplete dependencies). Report bugs and get
-the package maintainers to fix it. :)</p>
-
-<p>Running scripts in parallel could be the default in Debian when we
-manage to get the init.d script dependencies complete and correct. I
-expect we will get there in Squeeze+1, if we get manage to test and
-fix the remaining issues.</p>
-
-<p>If you report any problems with dependencies in init.d scripts to
-the BTS, please usertag the report to get it to show up at
-<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
-list of usertagged bugs related to this</a>.</p>
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
-
- Forcing new users to change their password on first login
- http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html
- http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html
- Sun, 2 May 2010 13:47:00 +0200
+ Calling tasksel like the installer, while still getting useful output
+ http://people.skolelinux.org/pere/blog/Calling_tasksel_like_the_installer__while_still_getting_useful_output.html
+ http://people.skolelinux.org/pere/blog/Calling_tasksel_like_the_installer__while_still_getting_useful_output.html
+ Wed, 16 Jun 2010 14:55:00 +0200
-<p>One interesting feature in Active Directory, is the ability to
-create a new user with an expired password, and thus force the user to
-change the password on the first login attempt.</p>
-
-<p>I'm not quite sure how to do that with the LDAP setup in Debian
-Edu, but did some initial testing with a local account. The account
-and password aging information is available in /etc/shadow, but
-unfortunately, it is not possible to specify an expiration time for
-passwords, only a maximum age for passwords.</p>
-
-<p>A freshly created account (using adduser test) will have these
-settings in /etc/shadow:</p>
+<p>A few times I have had the need to simulate the way tasksel
+installs packages during the normal debian-installer run. Until now,
+I have ended up letting tasksel do the work, with the annoying problem
+of not getting any feedback at all when something fails (like a
+conffile question from dpkg or a download that fails), using code like
+this:
<blockquote><pre>
-root@tjener:~# chage -l test
-Last password change : May 02, 2010
-Password expires : never
-Password inactive : never
-Account expires : never
-Minimum number of days between password change : 0
-Maximum number of days between password change : 99999
-Number of days of warning before password expires : 7
-root@tjener:~#
+export DEBIAN_FRONTEND=noninteractive
+tasksel --new-install
</pre></blockquote>
-<p>The only way I could come up with to create a user with an expired
-account, is to change the date of the last password change to the
-lowest value possible (January 1th 1970), and the maximum password age
-to the difference in days between that date and today. To make it
-simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
-avoid testing if 0 is a valid value).</p>
+This would invoke tasksel, let its automatic task selection pick the
+tasks to install, and continue to install the requested tasks without
+any output what so ever.
-<p>After using these commands to set it up, it seem to work as
-intended:</p>
+Recently I revisited this problem while working on the automatic
+package upgrade testing, because tasksel would some times hang without
+any useful feedback, and I want to see what is going on when it
+happen. Then it occured to me, I can parse the output from tasksel
+when asked to run in test mode, and use that aptitude command line
+printed by tasksel then to simulate the tasksel run. I ended up using
+code like this:
<blockquote><pre>
-root@tjener:~# chage -d 1 test; chage -M 10950 test
-root@tjener:~# chage -l test
-Last password change : Jan 02, 1970
-Password expires : never
-Password inactive : never
-Account expires : never
-Minimum number of days between password change : 0
-Maximum number of days between password change : 10950
-Number of days of warning before password expires : 7
-root@tjener:~#
+export DEBIAN_FRONTEND=noninteractive
+cmd="$(in_target tasksel -t --new-install | sed 's/debconf-apt-progress -- //')"
+$cmd
</pre></blockquote>
-<p>So far I have tested this with ssh and console, and kdm (in
-Squeeze) login, and all ask for a new password before login in the
-user (with ssh, I was thrown out and had to log in again).</p>
-
-<p>Perhaps we should set up something similar for Debian Edu, to make
-sure only the user itself have the account password?</p>
-
-<p>If you want to comment on or help out with implementing this for
-Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
-
-<p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
-shadow(8) page in Debian/testing now state that setting the date of
-last password change to zero (0) will force the password to be changed
-on the first login. This was not mentioned in the manual in Lenny, so
-I did not notice this in my initial testing. I have tested it on
-Squeeze, and '<tt>chage -d 0 username</tt>' do work there. I have not
-tested it on Lenny yet.</p>
-
-<p>Update 2010-05-02-19:05: Jim Paris tells me via email that an
-equivalent command to expire a password is '<tt>passwd -e
-username</tt>', which insert zero into the date of the last password
-change.</p>
+<p>The content of $cmd is typically something like "<tt>aptitude -q
+--without-recommends -o APT::Install-Recommends=no -y install
+~t^desktop$ ~t^gnome-desktop$ ~t^laptop$ ~pstandard ~prequired
+~pimportant</tt>", which will install the gnome desktop task, the
+laptop task and all packages with priority standard , required and
+important, just like tasksel would have done it during
+installation.</p>
+
+<p>A better approach is probably to extend tasksel to be able to
+install packages without using debconf-apt-progress, for use cases
+like this.</p>
-
- Thoughts on roaming laptop setup for Debian Edu
- http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html
- http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html
- Wed, 28 Apr 2010 20:40:00 +0200
+ Vinmonopolet bryter loven åpenlyst - og flere planlegger å gjøre det samme
+ http://people.skolelinux.org/pere/blog/Vinmonopolet_bryter_loven___penlyst___og_flere_planlegger____gj__re_det_samme.html
+ http://people.skolelinux.org/pere/blog/Vinmonopolet_bryter_loven___penlyst___og_flere_planlegger____gj__re_det_samme.html
+ Wed, 16 Jun 2010 11:00:00 +0200
-<p>For some years now, I have wondered how we should handle laptops in
-Debian Edu. The Debian Edu infrastructure is mostly designed to
-handle stationary computers, and less suited for computers that come
-and go.</p>
-
-<p>Now I finally believe I have an sensible idea on how to adjust
-Debian Edu for laptops, by introducing a new profile for them, for
-example called Roaming Workstations. Here are my thought on this.
-The setup would consist of the following:</p>
-
-<ul>
-
- <li>During installation, the user name of the owner / primary user of
- the laptop is requested and a local home directory is set up for
- the user, with uid and gid information fetched from the LDAP
- server. This allow the user to work also when offline. The
- central home directory can be available in a subdirectory on
- request, for example mounted via CIFS. It could be mounted
- automatically when a user log in while on the Debian Edu network,
- and unmounted when the machine is taken away (network down,
- hibernate, etc), it can be set up to do automatic mounting on
- request (using autofs), or perhaps some GUI button on the desktop
- can be used to access it when needed. Perhaps it is enough to use
- the fish protocol in KDE?</li>
-
- <li>Password checking is set up to use LDAP or Kerberos
- authentication when the machine is on the Debian Edu network, and
- to cache the password for offline checking when the machine unable
- to reach the LDAP or Kerberos server. This can be done using
- <a href="http://www.padl.com/OSS/pam_ccreds.html">libpam-ccreds</a>
- or the Fedora developed
- <a href="https://fedoraproject.org/wiki/Features/SSSD">System
- Security Services Daemon</a> packages.</li>
-
- <li>File synchronisation with the central home directory is set up
- using a shared directory in both the local and the central home
- directory, using unison.</li>
-
- <li>Printing should be set up to print to all printers broadcasting
- their existence on the local network, and should then work out of
- the box with CUPS. For sites needing accurate printer quotas, some
- system with Kerberos authentication or printing via ssh could be
- implemented.</li>
-
- <li>For users that should have local root access to their laptop,
- sudo should be used to allow this to the local user.</li>
-
- <li>It would be nice if user and group information from LDAP is
- cached on the client, but given that there are entries for the
- local user and primary group in /etc/, it should not be needed.</li>
-
-</ul>
-
-<p>I believe all the pieces to implement this are in Debian/testing at
-the moment. If we work quickly, we should be able to get this ready
-in time for the Squeeze release to freeze. Some of the pieces need
-tweaking, like libpam-ccreds should get support for pam-auth-update
-(<a href="http://bugs.debian.org/566718">#566718</a>) and nslcd (or
-perhaps debian-edu-config) should get some integration code to stop
-its daemon when the LDAP server is unavailable to avoid long timeouts
-when disconnected from the net. If we get Kerberos enabled, we need
-to make sure we avoid long timeouts there too.</p>
-
-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
+<p><a href="http://www.dagbladet.no/2010/06/16/nyheter/innenriks/streik/arbeidsliv/12157858/">Dagbladet
+melder</a> at Vinmonopolet med bakgrunn i vekterstreiken som pågår i
+Norge for tiden, har bestemt seg for med vitende og vilje å bryte
+sentralbanklovens paragraf 14 ved å nekte folk å betale med
+kontanter, og at flere butikker planlegger å følge deres eksempel.
+Jeg synes det er hårreisende hvis de slipper unna med et slikt
+soleklart lovbrudd, og lurer på hva slags muligheter jeg vil ha hvis
+jeg blir nektet å handle med kontanter. Jeg handler i hovedsak med
+kontanter selv, da jeg anser det som en borgerrett å kunne handle
+anonymt uten at det blir registrert. For meg er det et angrep på mitt
+personvern å nekte å ta imot kontant betaling.</p>
+
+<p><a href="http://www.lovdata.no/all/tl-19850524-028-003.html#14">Paragrafen
+i sentralbankloven</a> lyder:</p>
+
+<blockquote>
+<p>§ 14. Tvungent betalingsmiddel</p>
+
+<p>Bankens sedler og mynter er tvungent betalingsmiddel i Norge. Ingen
+er pliktig til i én betaling å ta imot mer enn femogtyve mynter av
+hver enhet.</p>
+
+<p>Sterkt skadde sedler og mynter er ikke tvungent
+betalingsmiddel. Banken gir nærmere forskrifter om erstatning for
+bortkomne, brente eller skadde sedler og mynter.</p>
+
+<p>Selv om en avtale inneholder klausul om betaling av en
+pengeforpliktelse i gullverdi, kan skyldneren frigjøre seg med tvungne
+betalingsmidler uten hensyn til denne klausul.</p>
+</blockquote>
+
+<p>Det er med bakgrunn i denne lovet ikke tillatt å nekte å ta imot
+kontakt betaling. Det er en lov jeg har sans for, og som jeg mener må
+håndheves strengt.</p>
+
+
+
+ -
+ Officeshots taking shape
+ http://people.skolelinux.org/pere/blog/Officeshots_taking_shape.html
+ http://people.skolelinux.org/pere/blog/Officeshots_taking_shape.html
+ Sun, 13 Jun 2010 11:40:00 +0200
+
+<p>For those of us caring about document exchange and
+interoperability, <a href="http://www.officeshots.org/">OfficeShots</a>
+is a great service. It is to ODF documents what
+<a href="http://browsershots.org/">BrowserShots</a> is for web
+pages.</p>
+
+<p>A while back, I was contacted by Knut Yrvin at the part of Nokia
+that used to be Trolltech, who wanted to help the OfficeShots project
+and wondered if the University of Oslo where I work would be
+interested in supporting the project. I helped him to navigate his
+request to the right people at work, and his request was answered with
+a spot in the machine room with power and network connected, and Knut
+arranged funding for a machine to fill the spot. The machine is
+administrated by the OfficeShots people, so I do not have daily
+contact with its progress, and thus from time to time check back to
+see how the project is doing.</p>
+
+<p>Today I had a look, and was happy to see that the Dell box in our
+machine room now is the host for several virtual machines running as
+OfficeShots factories, and the project is able to render ODF documents
+in 17 different document processing implementation on Linux and
+Windows. This is great.</p>