<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
<title>Petter Reinholdtsen</title>
<description></description>
<link>http://people.skolelinux.org/pere/blog/</link>
<atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
<title>Electronic voting cannot be trusted - not in Norway either</title>
<link>http://people.skolelinux.org/pere/blog/Elektronisk_stemmegiving_er_ikke_til____stole_p_____heller_ikke_i_Norge.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Elektronisk_stemmegiving_er_ikke_til____stole_p_____heller_ikke_i_Norge.html</guid>
<pubDate>Mon, 23 Aug 2010 19:30:00 +0200</pubDate>
<p>In Norway a process is under way to
<a href="http://www.e-valg.dep.no/">introduce electronic
voting</a> in municipal and parliamentary elections. It is to be
introduced in 2011. There is every reason to believe that elections in
Norway will not be trustworthy if this is carried out. When the matter
was out for consultation in 2006, I wrote
<a href="http://www.nuug.no/dokumenter/valg-horing-2006-09.pdf">a
consultation response from NUUG</a> (and EFN, which joined in) outlining
the requirements that must be met for an election to be trustworthy,
and electronic voting lacks several of them. Electronic voting is, for
all practical purposes, putting one's vote in a black box under someone
else's control and betting that those who control the box can be
trusted - without any way to verify this oneself. That is not how
democratic elections are conducted.</p>
<p>Since the problem is fundamental to how electronic voting must work
for non-cryptographers to be able to take part too, there have been
many reports of how electronic voting has failed in countries
<a href="http://wiki.nuug.no/uttalelser/2006-elektronisk-stemmegiving">small
collection of references</a> is available on NUUG's wiki. The latest is
from India, where the election commission has chosen
<a href="http://www.freedom-to-tinker.com/blog/jhalderm/electronic-voting-researcher-arrested-over-anonymous-source">to
set the police on a researcher</a> who has documented weaknesses in the
voting system.</p>
<p>Here in Norway a different approach has been chosen, where one tries
technobabble to make the population believe that this will be secure.
Remember, electronic voting undermines the democratic elections in
Norway, and should not be introduced.</p>
<p>The public discussion is made somewhat difficult by the media having
chosen to call this "evalg", which can be said to cover both electronic
counting of the election, which Norway has done since the 60s and which
is a very good idea, and electronic counting, which is a very bad idea.
The discussion makes no sense if one is to discuss whether one is for or
against "evalg", and I therefore try to be clear that I am talking about
electronic voting and avoid the term "evalg".</p>
<title>Robot, rise up...</title>
<link>http://people.skolelinux.org/pere/blog/Robot__reis_deg___.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Robot__reis_deg___.html</guid>
<pubDate>Sat, 21 Aug 2010 22:10:00 +0200</pubDate>
<p>Today I finally got to take a look at my newly purchased robots, and
have spent a few hours googling for interesting references and relevant
source code for use on Linux. The most promising so far is
<a href="http://ispykee.toyz.org/">ispykee</a>, which has a
BSD-licensed Linux daemon acting as an intermediary between robots on
the local network and a central service that an iPhone can connect to
in order to remote control the robot. The Linux daemon implements parts
of the protocol the robot understands. After fiddling a bit to get in
contact with the robot (it sets up its own ad-hoc wifi network, so I
had to leave my usual network to reach it), and working out that it
listens on IP ports 9000 and 9001, I set about finding out how I could
talk to the robot using these ports. The robot part of the protocol is
published by the manufacturer under the GPL license, so it is possible
to see how the protocol works. There is a Java client for Android that
looked quite nifty, but I found no source code for it. The iPhone
solution, on the other hand, had source code, so I used that as my
starting point.</p>
<p>The daemon would by default try to contact the central service that
the iPhone program connects to. I rewrote this to instead set up a
network service on my local machine, which I can connect to with telnet
and give commands to the robot (act, forward, right, left, etc). In
practice this involved replacing socket()/connect() with
socket()/bind()/listen()/accept() to turn the client into a server.</p>
<p>While I have been trying to get the robot to move, my partner has
assembled the rest of the robot to get the camera and the plastic
decorations (arms, plastic fibre for lights) mounted. Now it is all
assembled, and the robot is ready for use. I need to move it over to my
usual wireless network before it becomes practical, but those parts of
the protocol are not implemented in the ispykee daemon, so there I must
either get hold of a Mac or a Windows machine, or implement it
myself.</p>
<p>Three of us bought such robots, and we have agreed to collect notes
and references on
<a href="http://wiki.nuug.no/grupper/robot/">NUUG's wiki</a>. Have a
look there if you are curious.</p>
<title>2 Spykee robots in the house, time to play</title>
<link>http://people.skolelinux.org/pere/blog/2_Spykee_roboter_i_hus__n___skal_det_lekes.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/2_Spykee_roboter_i_hus__n___skal_det_lekes.html</guid>
<pubDate>Wed, 18 Aug 2010 13:30:00 +0200</pubDate>
<p>I just bought two
<a href="http://www.spykee-robot.com/">Spykee</a> robots, for testing
and play. I bought two as they were so cheap, which lets me experiment
without being very afraid of ruining everything by replacing the
firmware and the like. I discovered that the toy shop at Bryn senter
had a small stack in stock that they had not managed to sell off after
last year's Christmas purchases, and was willing to sell them for a
fifth of the regular price. Ronny, Jarle and I have acquired the
remaining stock, and it will be fun to see what we get out of this.</p>
<p>The robot has tracks driven by two motors, a camera, a speaker, a
microphone and a wifi connection. It is all controlled by a
GPL-licensed computer box that I suspect runs Linux. The firmware
source code was apparently published in May. The only challenge is that
the controller software is only available for Windows, but that should
be possible to work around once we have the source code for the
firmware. :)</p>
<li><a href="http://en.wikipedia.org/wiki/Spykee">Wikipedia entry</a></li>
<li><a href="http://www.spykeeworld.com/spykee/US/freeSoftware.html">Download of the firmware source</a></li>
<li><a href="http://wiki.nuug.no/grupper/robot">project wiki at NUUG</a></li>
<title>Rob Weir: How to Crush Dissent</title>
<link>http://people.skolelinux.org/pere/blog/Rob_Weir__How_to_Crush_Dissent.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Rob_Weir__How_to_Crush_Dissent.html</guid>
<pubDate>Sun, 15 Aug 2010 22:20:00 +0200</pubDate>
<p>I found the notes from Rob Weir on
<a href="http://feedproxy.google.com/~r/robweir/antic-atom/~3/VGb23-kta8c/how-to-crush-dissent.html">how
to crush dissent</a> matching my own thoughts on the matter quite
well. Highly recommended for those wondering which road our society
should go down. In my view we have been heading the wrong way for a
<title>No hardcoded config on Debian Edu clients</title>
<link>http://people.skolelinux.org/pere/blog/No_hardcoded_config_on_Debian_Edu_clients.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/No_hardcoded_config_on_Debian_Edu_clients.html</guid>
<pubDate>Mon, 9 Aug 2010 20:15:00 +0200</pubDate>
<p>As reported earlier, the last few days I have looked at how Debian
Edu clients are configured, and tried to get rid of all hardcoded
configuration settings on the clients. I believe the work to be
mostly done, and the clients seem to work just fine with dynamically
generated configuration.</p>
<p>What is the point, you might ask? The point is to allow a Debian
Edu desktop to integrate into an existing network infrastructure
without any manual configuration.</p>
<p>This is what happens when installing a Debian Edu client here at
the University of Oslo using PXE. With the PXE installation, I am
asked for language (Norwegian Bokmål), locality (Norway) and keyboard
layout (no-latin1), Debian Edu profile (Roaming Workstation), if I
accept to reformat the hard drive (yes), if I want to submit info to
popcon.debian.org (no) and root password (secret). After answering
these questions, the installer goes ahead and does its thing, and
after around 50 minutes it is done. I press enter to finish the
installation, and the machine reboots into KDE. When the machine is
ready and kdm asks for login information, I enter my university
username and password, am told by kdm that a local home directory has
been created and that I must log in again, and finally log in with the
same username and password to the KDE 4.4 desktop. At no point during
this process did it ask for university specific settings, and all the
required configuration was dynamically detected using information
fetched via DHCP and DNS. The roaming workstation is now ready for
<p>How was this done, you might wonder? First of all, here is the
list of things that need to be configured on the client to get it
working properly out of the box:</p>
<li>IP address/netmask and DNS server.</li>
<li>Web proxy URL.</li>
<li>LDAP server for NSS directory information (user, group, etc).</li>
<li>Kerberos server for PAM password checking.</li>
<li>SMB mount point to access the network home directory. (*)</li>
<li>Central syslog server to send syslog messages to. (*)</li>
<li>Sitesummary collector URL to submit info to central server. (*)</li>
<p>(Hm, did I forget anything? Let me know if I did.)</p>
<p>The points marked (*) are not required to be able to use the
machine, but are needed to provide central storage and allow system
administrators to track their machines. Since yesterday, everything
but the sitesummary collector URL is dynamically discovered at boot
and installation time in the svn version of Debian Edu.</p>
<p>The IP and DNS setup is fetched during boot using DHCP as usual.
When a DHCP update arrives, the proxy setup is updated by looking for
http://wpad/wpad.dat and using the content of this WPAD file to
configure the http and ftp proxy in /etc/environment and
/etc/apt/apt.conf. I decided to update the proxy setup using a DHCP
hook to ensure that the client stops using the Debian Edu proxy when
it is moved outside the Debian Edu network, and instead uses any local
proxy present on the new network when it moves around.</p>
<p>The DNS names of the LDAP, Kerberos and syslog server and related
configuration are generated using DNS information at boot. First the
installer looks for a host named ldap in the current DNS domain. If
not found, it looks for _ldap._tcp SRV records in DNS instead. If an
LDAP server is found, its root DSE entry is requested and the
attributes namingContexts and defaultNamingContext are used to
determine which LDAP base to use for NSS. If there are several
namingContexts attributes and the defaultNamingContext is present, that
LDAP subtree is used as the base. If defaultNamingContext is missing,
the subtrees listed as namingContexts are searched in sequence for any
object with class posixAccount or posixGroup, and the first one with
such an object is used as the LDAP base. For Kerberos, a similar
search is done by first looking for a host named kerberos, and then
for the _kerberos._tcp SRV record. I've been unable to find a way to
look up the Kerberos realm, so for this the upper case string of the
current DNS domain is used.</p>
<p>For the syslog server, the hosts syslog and loghost are searched
for, and the _syslog._udp SRV record is consulted if no such host is
found. This algorithm works for both Debian Edu and the University of
Oslo. A similar strategy would work for locating the sitesummary
server, but has not been implemented yet. I decided to fetch and
save these settings during installation, to make sure moving to a
different network does not change the set of users being allowed to
log in nor the passwords required to log in. Usernames and passwords
will be cached by sssd when the user logs in on the Debian Edu
network, and will not change as the laptop moves around. For a
non-roaming machine, there is no caching, but given that it is
supposed to stay in place it should not matter much. Perhaps we
should switch those to use sssd too?</p>
<p>The user's SMB mount point for the network home directory is
located when the user logs in for the first time. The LDAP server is
consulted to look for the user's LDAP object and the sambaHomePath
attribute is used if found. If it isn't found, the home directory
path fetched from NSS is used instead. Assuming the path is of the
form /site/server/directory/username, the second part is looked up in
DNS and used to generate a SMB URL of the form
smb://server.domain/username. This algorithm works for both Debian
Edu and the University of Oslo. Perhaps there are better attributes
to use or a better algorithm that works for more sites, but this will
do for now. :)</p>
<p>This work should make it easier to integrate the Debian Edu clients
into any LDAP/Kerberos infrastructure, and make the current setup even
more flexible than before. I suspect it will also work for thin
client servers, allowing one to easily set up LTSP and hook it into an
existing network infrastructure, but I have not had time to test this
<p>If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.</p>
<p>Update 2010-08-09: Simon Farnsworth gave me a heads-up on how to
detect Kerberos realm from DNS, by looking for _kerberos TXT entries
before falling back to the upper case DNS domain name. Will have to
implement it for Debian Edu. :)</p>
<title>Testing if a file system can be used for home directories...</title>
<link>http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</guid>
<pubDate>Sun, 8 Aug 2010 21:20:00 +0200</pubDate>
<p>A few years ago, I was involved in a project planning to use
Windows file servers as home directory servers for Debian
Edu/Skolelinux machines. This was thought to be no problem, as the
access would be through the SMB network file system protocol, and we
knew other sites used SMB with unix and samba as the file server to
mount home directories without any problems. But, after months of
struggling, we had to conclude that our goal was impossible.</p>
<p>The reason is simply that while SMB can be used for home
directories when the file server is Samba running on Unix, this only
works because Samba has some extensions and because the
underlying file system is a unix file system. When using a Windows
file server, the underlying file system does not have POSIX semantics,
and several programs will fail if the user's home directory where they
want to store their configuration lacks POSIX semantics.</p>
<p>As part of this work, I wrote a small C program I want to share
with you all, to replicate a few of the problematic applications (like
OpenOffice.org and GCompris) and see if the file system was working as
it should. If you find yourself in spooky file system land, it might
help you find your way out again. This is the fs-test.c source:</p>
<blockquote><pre>
/*
 * Some tests to check the file system semantics.  Used to verify that
 * CIFS from a windows server do not work properly as a linux home
 *
 * License: GPL v2 or later
 *
 * needs libsqlite3-dev and build-essential installed
 * compile with: gcc -Wall -DTEST_SQLITE fs-test.c -o fs-test -lsqlite3
 */

#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE 1
#define _LARGEFILE64_SOURCE 1

#define _GNU_SOURCE /* for asprintf() */

#include &lt;errno.h>
#include &lt;fcntl.h>
#include &lt;stdio.h>
#include &lt;string.h>
#include &lt;stdlib.h>
#include &lt;sys/file.h>
#include &lt;sys/stat.h>
#include &lt;sys/types.h>
#include &lt;unistd.h>

#ifdef TEST_SQLITE
/*
 * Test sqlite open, as done by gcompris require the libsqlite3-dev
 * package and linking with -lsqlite3.  A more low level test is
 *
 * See also &lt;URL: http://www.sqlite.org./faq.html#q5 >.
 */
#include &lt;sqlite3.h>
#define CREATE_TABLE_USERS \
  "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT );"
int test_sqlite_open(void) {
  char *zErrMsg = NULL;
  char *name = "testsqlite.db";
  sqlite3 *db = NULL;
  unlink(name); /* start from a fresh database file */
  int rc = sqlite3_open(name, &db);
  if( rc ){
    printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
    sqlite3_close(db);
    return -1;
  }

  /* create a table to force a write to the database file */
  rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg);
  if( rc != SQLITE_OK ){
    printf("error: sqlite table create failed: %s\n", zErrMsg);
    sqlite3_free(zErrMsg);
    sqlite3_close(db);
    return -1;
  }
  printf("info: sqlite worked\n");
  sqlite3_close(db);
  return 0;
}
#endif /* TEST_SQLITE */

/*
 * Demonstrate locking issue found in gcompris using sqlite3.  This
 * work with ext3, but not with cifs server on Windows 2003.  This is
 * done in the sqlite3 library.
 *
 * &lt;URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
 * POSIX specification
 * &lt;URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
 */
int test_gcompris_locking(void) {
  struct flock fl;
  char *name = "testsqlite.db";
  unlink(name);
  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
  printf("info: testing fcntl locking\n");
  if (-1 == fd) {
    printf(" error: Unable to open '%s': %s\n", name, strerror(errno));
    return -1;
  }

  memset(&fl, 0, sizeof(fl));
  fl.l_whence = SEEK_SET;

  printf(" Read-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Read-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Write-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_WRLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  /* l_type is still F_WRLCK here: upgrades the read lock taken above */
  printf(" Write-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 2 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 2;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  close(fd);
  return 0;
}

/*
 * Test if permissions of freshly created directories allow entries
 * below them.  This was a problem with OpenOffice.org and gcompris.
 * Mounting with option 'sync' seem to solve this problem while
 * slowing down file operations.
 */
int test_subdirectory_creation(void) {
#define LEVELS 5 /* assumed depth; the value is not preserved in this copy */
  char *path = strdup("test");
  int level;

  printf("info: testing subdirectory creation\n");
  for (level = 0; level &lt; LEVELS; level++) {
    char *newpath = NULL;
    if (-1 == mkdir(path, 0777)) {
      printf(" error: Unable to create directory '%s': %s\n",
             path, strerror(errno));
      break;
    }
    if (-1 == asprintf(&newpath, "%s/%s", path, "test"))
      break; /* out of memory, path is still valid */
    free(path);
    path = newpath;
  }
  free(path);
  return 0;
}

/*
 * Test if symlinks can be created.  This was a problem detected with
 */
int test_symlinks(void) {
  printf("info: testing symlink creation\n");
  unlink("symlink");
  if (-1 == symlink("file", "symlink"))
    printf(" error: Unable to create symlink\n");
  return 0;
}

int main(int argc, char **argv) {
  printf("Testing POSIX/Unix sematics on file system\n");
  test_symlinks();
  test_subdirectory_creation();
#ifdef TEST_SQLITE
  test_sqlite_open();
#endif /* TEST_SQLITE */
  test_gcompris_locking();
  return 0;
}
</pre></blockquote>
<p>When everything is working, it should print something like
<blockquote><pre>
Testing POSIX/Unix sematics on file system
info: testing symlink creation
info: testing subdirectory creation
info: testing fcntl locking
 Read-locking 1 byte from 1073741824
 Read-locking 510 byte from 1073741826
 Unlocking 1 byte from 1073741824
 Write-locking 1 byte from 1073741824
 Write-locking 510 byte from 1073741826
 Unlocking 2 byte from 1073741824
</pre></blockquote>
<p>I do not remember the exact details of the problems we saw, but one
of them was with locking, where if I remember correctly, POSIX allows a
read-only lock to be upgraded to a read-write lock without unlocking
the read-only lock (while Windows does not). Another was a bug in the
CIFS/SMB client implementation in the Linux kernel where directory
meta information would be wrong for a fraction of a second, making
OpenOffice.org fail to create its deep directory tree because it was
not allowed to create files in its freshly created directory.</p>
<p>Anyway, here is a nice tool for your tool box, might you never need
<title>Autodetecting Client setup for roaming workstations in Debian Edu</title>
<link>http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</guid>
<pubDate>Sat, 7 Aug 2010 14:45:00 +0200</pubDate>
<p>A few days ago, I
<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
to install</a> a Roaming workstation profile from Debian Edu/Squeeze
while on the university network here at the University of Oslo, and
noticed how much had to change to get it operational using the
university infrastructure. It was fairly easy, but it occurred to me
that Debian Edu would improve a lot if I could get the client to
connect without any changes at all, and thus let the client configure
itself during installation and first boot to use the infrastructure
around it. Now I am a huge step further along that road.</p>
<p>With our current squeeze-test packages, I can select the roaming
workstation profile and get a working laptop connecting to the
university LDAP server for user and group and our active directory
servers for Kerberos authentication. All this without any
configuration at all during installation. My user's home directory got
a bookmark in the KDE menu to mount it via SMB, with the correct URL.
In short, openldap and sssd are correctly configured. In addition to
this, the client looks for http://wpad/wpad.dat to configure a web
proxy, and when it fails to find it no proxy settings are stored in
/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE are
configured to look for the same wpad configuration and also do not use
a proxy when at the university network. If the machine is moved to a
network with such wpad setup, it would automatically use it when DHCP
gave it an IP address.</p>
<p>The LDAP server is located using DNS, by first looking for the DNS
entry ldap.$domain. If this does not exist, it looks for the
_ldap._tcp.$domain SRV records and uses the first one as the LDAP
server. Next, it connects to the LDAP server and searches all
namingContexts entries for posixAccount or posixGroup objects, and
picks the first one as the LDAP base. For Kerberos, a similar
algorithm is used to locate the LDAP server, and the realm is the
uppercase version of $domain.</p>
<p>So, what is not working, you might ask. SMB mounting my home
directory does not work. No idea why, but suspected the incorrect
Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
the cause. These are not properly configured during installation, and
had to be hand-edited to get the correct Kerberos realm and server,
but SMB mounting still does not work. :(</p>
<p>With this automatic configuration in place, I expect a Debian Edu
roaming profile installation would be able to automatically detect and
connect to any site using LDAP and Kerberos for NSS directory and PAM
authentication. It should also work out of the box in an Active
Directory environment providing posixAccount and posixGroup objects
with UID and GID values.</p>
<p>If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.</p>
<title>Debian Edu roaming workstation - at the university of Oslo</title>
<link>http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html</guid>
<pubDate>Tue, 3 Aug 2010 23:30:00 +0200</pubDate>
<p>The new roaming workstation profile in Debian Edu/Squeeze is fairly
similar to the laptop setup I am working on using Ubuntu for the
University of Oslo, and just for the heck of it, I tested today how
hard it would be to integrate that profile into the university
infrastructure. In this case, it is the university LDAP server,
Active Directory Kerberos server and SMB mounting from the Netapp file
<p>I was pleasantly surprised that only three files needed to be
changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added
(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
Most of the changes were to get the client to use the university LDAP
for NSS and Kerberos server for PAM, but one was to change a hard
coded DNS domain name in the mklocaluser hook from .intern to
<p>This testing was so encouraging that I went ahead and adjusted the
Debian Edu scripts and setup in subversion to centralise the roaming
workstation setup a bit more and avoid the hardcoded DNS domain name,
so that when I test this tomorrow, I expect to get away with modifying
only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
university servers.</p>
<p>My goal is to get the clients to have no hardcoded settings and
fetch all their initial setup during installation and first boot, to
allow them to be inserted also into environments where the default
setup in Debian Edu has been changed or as with the university, where
the environment is different but provides the protocols Debian Edu
<title>Circular package dependencies harms apt recovery</title>
<link>http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html</guid>
<pubDate>Tue, 27 Jul 2010 23:50:00 +0200</pubDate>
<p>I discovered this while doing
<a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">automated
testing of upgrades from Debian Lenny to Squeeze</a>. A few packages
in Debian still have circular dependencies, and it is often claimed
that apt and aptitude should be able to handle this just fine, but
sometimes these dependency loops cause apt to fail.</p>
<p>An example is from today's
<a href="http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt">upgrade
of KDE using aptitude</a>. In it, a bug in kdebase-workspace-data
causes perl-modules to fail to upgrade. The cause is simple. If a
package fails to unpack, then only part of the packages with the circular
dependency might end up being unpacked when unpacking aborts, and the
ones already unpacked will fail to configure in the recovery phase
because their dependencies are unavailable.</p>
<p>In this log, the problem manifests itself with this error:</p>
<blockquote><pre>
dpkg: dependency problems prevent configuration of perl-modules:
 perl-modules depends on perl (>= 5.10.1-1); however:
  Version of perl on system is 5.10.0-19lenny2.
dpkg: error processing perl-modules (--configure):
 dependency problems - leaving unconfigured
</pre></blockquote>
<p>The perl/perl-modules circular dependency is already
<a href="http://bugs.debian.org/527917">reported as a bug</a>, and will
hopefully be solved as soon as possible, but it is not the only one,
and each one of these loops in the dependency tree can cause similar
failures. Of course, they only occur when there are bugs in other
packages causing the unpacking to fail, but it is rather nasty when
the failure of one package causes the problem to become worse because
of dependency loops.</p>
<a href="http://lists.debian.org/debian-devel/2010/06/msg00116.html">the
tireless effort by Bill Allombert</a>, the number of circular
<a href="http://debian.semistable.com/debgraph.out.html">left in Debian
is dropping</a>, and perhaps it will reach zero one day. :)</p>
<p>Today's testing also exposed a bug in
<a href="http://bugs.debian.org/590605">update-notifier</a> and
<a href="http://bugs.debian.org/590604">different behaviour</a> between
apt-get and aptitude, the latter possibly caused by some circular
dependency. Reported both to BTS to try to get someone to look at
659 <title>First Debian Edu test release (alpha0) based on Squeeze is released
</title>
660 <link>http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html
</link>
661 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html
</guid>
662 <pubDate>Tue,
27 Jul
2010 17:
45:
00 +
0200</pubDate>
664 <p
>I just posted this announcement culminating several months of work
665 with the next Debian Edu release. Not nearly done, but one major step
<p>This is the first test release based on Squeeze. The focus of this
release is to test the user application selection. To have a look,
install the standalone profile and let the developers know if the set
of installed packages, i.e. applications, should be modified. If some
user application is missing, or if there are some applications that no
longer make sense to be included in Debian Edu, please let us know.
Also, if a useful application is missing the translation for your
language of choice, please let us know too.</p>

<p>In addition, feedback and help to polish the desktop (menus,
artwork, starters, etc.) is appreciated. We would like to ship a nice
and handy KDE4 desktop targeted for schools out of the box.</p>

<p>The other profiles should be installable, but there is a lot more
work left to be done before they are ready, so do not expect to
<p>Changes compared to the lenny based version</p>

<li>Everything from Debian Squeeze
<li>Desktop environment KDE 4.4 => the new KDE desktop in
combination with some new artwork
<li>Web browser Iceweasel 3.5
<li>OpenOffice.org 3.2
<li>Educational toolbox GCompris 9.3
<li>Music creator Rosegarden 10.04.2
<li>Image editor Gimp 2.6.10
<li>Virtual universe Celestia 1.6.0
<li>Virtual stargazer Stellarium 0.10.4
<li>3D modeler Blender 2.49.2 (new application)
<li>Video editor Kdenlive 0.7.7 (new application)
</ul></li>
<li>Now using Kerberos for password checking (migration not finished).
<li>SMTP (sender verification)
<li>New experimental roaming workstation profile for laptops.</li>
<li>Show welcome page to users when they first log in. The URL is
fetched from LDAP.</li>
<li>New LXDE desktop option, in addition to KDE (default) and Gnome.</li>
<li>General cleanup (not finished)</li>
<p>The following features are not working as they should</p>

<li>No web based administration tool for creating users and groups. The
scripts ldap-createuser-krb and ldap-add-user-to-group can be used
for testing.</li>
<li>DVD installs are missing debian-installer images for the PXE boot,
and do not set up the PXE menu on eth0 because of this. LTSP
clients should still boot from eth1 on thin client servers.</li>
<li>The restructured KDE menu is not implemented.</li>
<li>The LDAP server setup needs to be reviewed for security.</li>
<li>The LDAP directory structure needs to be reworked.</li>
<li>Different sets of packages are installed when using the DVD and the
netinst CD. More packages are installed using the netinst CD.</li>
<li>The jackd package fails to install. This is believed to be caused by
some ongoing transition, and hopefully should be solved soon. The
jackd1 package can be installed manually for those that need it.</li>
<li>Some packages lack translations. See
http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
and help out with translations.</li>
<p>To download this multiarch netinstall release you can use</p>

<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li>
<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</li>

<p>To download this multiarch dvd release you can use</p>

<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li>
<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</li>
<p>There is no source DVD available yet. It will be prepared when we
get closer to the final release.</p>

<p>The MD5SUMs of these images are</p>

<li>3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso</li>
<li>22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso</li>

<p>The SHA1SUMs of these images are</p>

<li>c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso</li>
<li>2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso</li>

<p>How to report bugs:
http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla</p>

<p>Please direct replies to debian-edu@lists.debian.org</p>