<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Petter Reinholdtsen</title>
<description></description>
<link></link>
<atom:link href="index.rss" rel="self" type="application/rss+xml" />

<item>
<title>Forcing new users to change their password on first login</title>
<link>Forcing_new_users_to_change_their_password_on_first_login.html</link>
<guid isPermaLink="true">Forcing_new_users_to_change_their_password_on_first_login.html</guid>
<pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
<description>
&lt;p&gt;One interesting feature in Active Directory is the ability to
create a new user with an expired password, and thus force the user to
change the password on the first login attempt.&lt;/p&gt;

&lt;p&gt;I&#39;m not quite sure how to do that with the LDAP setup in Debian
Edu, but did some initial testing with a local account. The account
and password aging information is available in /etc/shadow, but
unfortunately, it is not possible to specify an expiration time for
passwords, only a maximum age for passwords.&lt;/p&gt;

&lt;p&gt;A freshly created account (using adduser test) will have these
settings in /etc/shadow:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -l test
Last password change : May 02, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
root@tjener:~#
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The only way I could come up with to create a user with an expired
account is to change the date of the last password change to the
lowest value possible (January 1st 1970), and the maximum password age
to the difference in days between that date and today. To make it
simple, I went for 30 years (30 * 365 = 10950) and January 2nd (to
avoid testing if 0 is a valid value).&lt;/p&gt;

&lt;p&gt;After using these commands to set it up, it seems to work as
intended:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -d 1 test; chage -M 10950 test
root@tjener:~# chage -l test
Last password change : Jan 02, 1970
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 10950
Number of days of warning before password expires : 7
root@tjener:~#
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;So far I have tested this with ssh and console, and kdm (in
Squeeze) login, and all ask for a new password before logging in the
user (with ssh, I was thrown out and had to log in again).&lt;/p&gt;

&lt;p&gt;Perhaps we should set up something similar for Debian Edu, to make
sure only the user itself has the account password?&lt;/p&gt;

&lt;p&gt;If you want to comment on or help out with implementing this for
Debian Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

&lt;p&gt;Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
shadow(8) page in Debian/testing now states that setting the date of
last password change to zero (0) will force the password to be changed
on the first login. This was not mentioned in the manual in Lenny, so
I did not notice this in my initial testing. I have tested it on
Squeeze, and &#39;&lt;tt&gt;chage -d 0 username&lt;/tt&gt;&#39; does work there. I have not
tested it on Lenny yet.&lt;/p&gt;
</description>
</item>

<item>
<title>Thoughts on roaming laptop setup for Debian Edu</title>
<link>Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</link>
<guid isPermaLink="true">Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</guid>
<pubDate>Wed, 28 Apr 2010 20:40:00 +0200</pubDate>
<description>
&lt;p&gt;For some years now, I have wondered how we should handle laptops in
Debian Edu. The Debian Edu infrastructure is mostly designed to
handle stationary computers, and less suited for computers that come
and go.&lt;/p&gt;

&lt;p&gt;Now I finally believe I have a sensible idea on how to adjust
Debian Edu for laptops, by introducing a new profile for them, for
example called Roaming Workstations. Here are my thoughts on this.
The setup would consist of the following:&lt;/p&gt;

&lt;ul&gt;

&lt;li&gt;During installation, the user name of the owner / primary user of
the laptop is requested and a local home directory is set up for
the user, with uid and gid information fetched from the LDAP
server. This allows the user to work also when offline. The
central home directory can be available in a subdirectory on
request, for example mounted via CIFS. It could be mounted
automatically when a user logs in while on the Debian Edu network,
and unmounted when the machine is taken away (network down,
hibernate, etc), it can be set up to do automatic mounting on
request (using autofs), or perhaps some GUI button on the desktop
can be used to access it when needed. Perhaps it is enough to use
the fish protocol in KDE?&lt;/li&gt;

&lt;li&gt;Password checking is set up to use LDAP or Kerberos
authentication when the machine is on the Debian Edu network, and
to cache the password for offline checking when the machine is unable
to reach the LDAP or Kerberos server. This can be done using
&lt;a href=&quot;http://www.padl.com/OSS/pam_ccreds.html&quot;&gt;libpam-ccreds&lt;/a&gt;
or the Fedora-developed
&lt;a href=&quot;https://fedoraproject.org/wiki/Features/SSSD&quot;&gt;System
Security Services Daemon&lt;/a&gt; packages.&lt;/li&gt;

&lt;li&gt;File synchronisation with the central home directory is set up
using a shared directory in both the local and the central home
directory, using unison.&lt;/li&gt;

&lt;li&gt;Printing should be set up to print to all printers broadcasting
their existence on the local network, and should then work out of
the box with CUPS. For sites needing accurate printer quotas, some
system with Kerberos authentication or printing via ssh could be
implemented.&lt;/li&gt;

&lt;li&gt;For users that should have local root access to their laptop,
sudo should be used to allow this to the local user.&lt;/li&gt;

&lt;li&gt;It would be nice if user and group information from LDAP is
cached on the client, but given that there are entries for the
local user and primary group in /etc/, it should not be needed.&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;I believe all the pieces to implement this are in Debian/testing at
the moment. If we work quickly, we should be able to get this ready
in time for the Squeeze release to freeze. Some of the pieces need
tweaking, like libpam-ccreds should get support for pam-auth-update
(&lt;a href=&quot;http://bugs.debian.org/566718&quot;&gt;#566718&lt;/a&gt;) and nslcd (or
perhaps debian-edu-config) should get some integration code to stop
its daemon when the LDAP server is unavailable to avoid long timeouts
when disconnected from the net. If we get Kerberos enabled, we need
to make sure we avoid long timeouts there too.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
</item>

<item>
<title>Great book: &quot;Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future&quot;</title>
<link>Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</link>
<guid isPermaLink="true">Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</guid>
<pubDate>Mon, 19 Apr 2010 17:10:00 +0200</pubDate>
<description>
&lt;p&gt;The last few weeks I have had the pleasure of reading a
thought-provoking collection of essays by Cory Doctorow, on topics
touching copyright, virtual worlds, the future of man when the
conscious mind can be duplicated into a computer and many more. The
book, titled &quot;Content: Selected Essays on Technology, Creativity,
Copyright, and the Future of the Future&quot;, is available with few
restrictions on the web, for example from
&lt;a href=&quot;http://craphound.com/content/&quot;&gt;his own site&lt;/a&gt;. I read the
epub-version from
&lt;a href=&quot;http://www.feedbooks.com/book/2883&quot;&gt;feedbooks&lt;/a&gt; using
&lt;a href=&quot;http://www.fbreader.org/&quot;&gt;fbreader&lt;/a&gt; and my N810. I
strongly recommend this book.&lt;/p&gt;
</description>
</item>

<item>
<title>Kerberos for Debian Edu/Squeeze?</title>
<link>Kerberos_for_Debian_Edu_Squeeze_.html</link>
<guid isPermaLink="true">Kerberos_for_Debian_Edu_Squeeze_.html</guid>
<pubDate>Wed, 14 Apr 2010 17:20:00 +0200</pubDate>
<description>
&lt;p&gt;&lt;a href=&quot;http://www.nuug.no/aktiviteter/20100413-kerberos/&quot;&gt;Yesterday&#39;s
NUUG presentation&lt;/a&gt; about Kerberos was inspiring, and reminded me
about the need to start using Kerberos in Skolelinux. Setting up a
Kerberos server seems to be straightforward, and if we get this in
place a long time before the Squeeze version of Debian freezes, we
have a chance to migrate Skolelinux away from NFSv3 for the home
directories, and over to an architecture where the infrastructure does
not have to trust IP addresses and machines, and can trust
users and cryptographic keys instead.&lt;/p&gt;

&lt;p&gt;A challenge will be integration and administration. Is there a
Kerberos implementation for Debian where one can control the
administration access in Kerberos using LDAP groups? With it, the
school administration will have to maintain access control using flat
files on the main server, which gives a huge potential for errors.&lt;/p&gt;

&lt;p&gt;A related question I would like answered is how well Kerberos and
pam-ccreds (offline password check) work together. Does anyone know?&lt;/p&gt;

&lt;p&gt;Next step will be to use Kerberos for access control in Lwat and
Nagios. I have no idea how much work that will be to implement. We
would also need to document how to integrate with Windows AD, as such
a shared network will require two Kerberos realms that need to cooperate
to work properly.&lt;/p&gt;

&lt;p&gt;I believe a good start would be to start using Kerberos on the
skolelinux.no machines, and this way get ourselves experience with
configuration and integration. A natural starting point would be
setting up ldap.skolelinux.no as the Kerberos server, and migrating the
rest of the machines from PAM via LDAP to PAM via Kerberos one at a
time.&lt;/p&gt;

&lt;p&gt;If you would like to contribute to get this working in Skolelinux,
I recommend you see the video recording from yesterday&#39;s NUUG
presentation, and start using Kerberos at home. The video should show
up in a few days.&lt;/p&gt;
</description>
</item>

<item>
<title>On behalf of an insane number of people, Aftenposten!</title>
<link>P___vegne_av_vanvitting_mange__Aftenposten_.html</link>
<guid isPermaLink="true">P___vegne_av_vanvitting_mange__Aftenposten_.html</guid>
<pubDate>Sat, 6 Mar 2010 21:15:00 +0100</pubDate>
<description>
&lt;p&gt;&lt;a href=&quot;http://fotball.aftenposten.no/incoming/article163000.ece&quot;&gt;Aftenposten
reports&lt;/a&gt; on the front page of its web edition that they believe Erling Fossen
is provoking northerners with his statements at the football
congress. I am a northerner who has moved away, and must admit that I
did not feel so much as a hint of provocation from this somewhat funny
statement by Mr. Fossen. I wonder if Aftenposten has any sources
outside its editorial staff for its claim that northerners are provoked by
Mr. Fossen. I must admit that I doubt it.&lt;/p&gt;

&lt;p&gt;It all brings my thoughts back to Sture Hansen in Hallo i Uken.&lt;/p&gt;
</description>
</item>

<item>
<title>After 6 years of waiting, the Xreset.d feature is implemented</title>
<link>After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html</link>
<guid isPermaLink="true">After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html</guid>
<pubDate>Sat, 6 Mar 2010 18:15:00 +0100</pubDate>
<description>
&lt;p&gt;6 years ago, as part of the Debian Edu development I am involved
in, I asked for a hook in the kdm and gdm setup to run scripts as root
when the user logs out. A bug was submitted against the xfree86-common
package in 2004 (&lt;a href=&quot;http://bugs.debian.org/230422&quot;&gt;#230422&lt;/a&gt;),
and revisited every time Debian Edu was working on a new release.
Today, this finally paid off.&lt;/p&gt;

&lt;p&gt;The framework for this feature was today committed to the git
repository for the xorg package, and the git repository for xdm has
been updated to use this framework. Next on my agenda is to make sure
kdm and gdm also add code to use this framework.&lt;/p&gt;

&lt;p&gt;In Debian Edu, we want the ability to run commands as root when the
user logs out, to get rid of runaway processes and do general cleanup
after a user. With this framework in place, we finally can do that in
a generic way that works with all display managers using this
framework. My goal is to get all display managers in Debian to use it,
similar to how they use the Xsession.d framework today.&lt;/p&gt;
</description>
</item>

<item>
<title>Digital books without digital restriction mechanisms (DRM) should be exempt from VAT</title>
<link>Digitale_b__ker_uten_digitale_restriksjonsmekanismer__DRM__b__r_f___mva_fritak.html</link>
<guid isPermaLink="true">Digitale_b__ker_uten_digitale_restriksjonsmekanismer__DRM__b__r_f___mva_fritak.html</guid>
<pubDate>Wed, 3 Mar 2010 19:00:00 +0100</pubDate>
<description>
&lt;p&gt;The Norwegian book industry has
&lt;a href=&quot;http://www.digi.no/823912/nei-til-moms-paa-e-boker&quot;&gt;asked that
digital books be made exempt from VAT&lt;/a&gt; the way paper books are, and
&lt;a href=&quot;http://www.digi.no/836875/moms-paa-alt-digitalt-innhold&quot;&gt;the Ministry of Finance
has said no&lt;/a&gt;. Whether digital books should be exempt from VAT
or not is an interesting question, and the answer is not as simple as a yes
or no.
&lt;a href=&quot;http://www.digi.no/836925/norske-e-boker-truet-av-moms&quot;&gt;Some
members&lt;/a&gt; of the book industry threaten to drop the planned
launch of Norwegian digital books with digital restriction mechanisms
(DRM) that they have talked about carrying out this spring, and they are
welcome to do so as far as I am concerned.&lt;/p&gt;

&lt;p&gt;Paper books are exempt from VAT because they promote the spread of
culture and knowledge. Digital books without digital
restriction mechanisms (DRM) promote the spread of culture and knowledge,
while digital books with DRM hinder the spread of culture and knowledge.
Digital books without DRM should be exempt from VAT since it is sale of books on
par with sale of paper books, while digital books with DRM should not
be since it is rental of books and not sale.&lt;/p&gt;

&lt;p&gt;I prefer to buy books, and thus choose not to use
DRM-encumbered digital books. I do not quite know what I would be willing
to pay to rent a book, but I do not think it is many kroner.
Fortunately there are many books available without such restrictions, and
those who want to get hold of English books can download books that are
available without usage restrictions from &lt;a href=&quot;http://www.archive.org/&quot;&gt;The
Internet Archive&lt;/a&gt;. As of today there are 1 889 313 books
available there. They are available in several formats. Visit
&lt;a href=&quot;http://www.archive.org/details/texts&quot;&gt;the overview of texts
there&lt;/a&gt; to see what they have.&lt;/p&gt;
</description>
</item>

<item>
<title>Debian Edu / Skolelinux based on Lenny released, work continues</title>
<link>Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html</link>
<guid isPermaLink="true">Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html</guid>
<pubDate>Thu, 11 Feb 2010 17:15:00 +0100</pubDate>
<description>
&lt;p&gt;On Tuesday, the Debian/Lenny based version of
&lt;a href=&quot;http://www.skolelinux.org/&quot;&gt;Skolelinux&lt;/a&gt; was finally
shipped. This was a major leap forward for the project, and I am very
pleased that we finally got the release wrapped up. Work on the first
point release starts immediately, as we plan to get that one out a
month after the major release, to include all fixes for bugs we found
and fixed too late in the release process to include last Tuesday.&lt;/p&gt;

&lt;p&gt;Perhaps it even is time for some partying?&lt;/p&gt;

&lt;p&gt;After this first point release, my plan is to focus again on the
next major release, based on Squeeze. We will try to get as many of
the fixes we need into the official Debian packages before the freeze,
and have just a few weeks or months to make it happen.&lt;/p&gt;
</description>
</item>

<item>
<title>Denmark goes for ODF?</title>
<link>Danmark_g__r_for_ODF_.html</link>
<guid isPermaLink="true">Danmark_g__r_for_ODF_.html</guid>
<pubDate>Fri, 29 Jan 2010 12:00:00 +0100</pubDate>
<description>
&lt;p&gt;I was just made aware of a
&lt;a href=&quot;http://www.version2.dk/artikel/13690-breaking-odf-vinder-dokumentformat-krigen &quot;&gt;news item from Version2&lt;/a&gt;
in Denmark, claiming that the Folketing has decided that ODF is to be
used as the document exchange format in the state.&lt;/p&gt;

&lt;p&gt;Pleasant reading, especially if it turns out that they have adopted
the list of requirements for what is to be accepted, as referred to in the comment field
of the article and
&lt;a href=&quot;http://www.version2.dk/artikel/13693-er-ooxml-doemt-ude-her-er-kravene-til-en-offentlig-dokumentstandard&quot;&gt;another
article&lt;/a&gt; in the same online newspaper. I particularly like this one:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt; It must be demonstrated that the standard in its entirety can
be implemented by everyone directly, in its entirety, on several
platforms.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;Something like this should be a requirement in Norway too.&lt;/p&gt;
</description>
</item>

<item>
<title>Automatic Munin and Nagios configuration</title>
<link>Automatic_Munin_and_Nagios_configuration.html</link>
<guid isPermaLink="true">Automatic_Munin_and_Nagios_configuration.html</guid>
<pubDate>Wed, 27 Jan 2010 15:15:00 +0100</pubDate>
<description>
&lt;p&gt;One of the new features in the next Debian/Lenny based release of
Debian Edu/Skolelinux, which is scheduled for release in the next few
days, is automatic configuration of the service monitoring system
Nagios. The previous release had automatic configuration of trend
analysis using Munin, and this Lenny based release takes that a step
further.&lt;/p&gt;

&lt;p&gt;When installing a Debian Edu Main-server, it is automatically
configured as a Munin and Nagios server. In addition, it is
configured to be a server for the
&lt;a href=&quot;http://wiki.debian.org/DebianEdu/HowTo/SiteSummary&quot;&gt;SiteSummary
system&lt;/a&gt; I have written for use in Debian Edu. The SiteSummary
system is inspired by a system used by the University of Oslo where I
work. In short, the system provides a centralised collector of
information about the computers on the network, and a client on each
computer submitting information to this collector. This allows for
automatic information on which packages are installed on each machine,
which kernel the machines are using, what kind of configuration the
packages got etc. This also allows us to automatically generate Munin
and Nagios configuration.&lt;/p&gt;

&lt;p&gt;All computers reporting to the sitesummary collector with the
munin-node package installed are automatically enabled as Munin
clients, and graphs from the statistics collected from those machines show
up automatically on http://www/munin/ on the Main-server.&lt;/p&gt;

&lt;p&gt;All non-laptop computers reporting to the sitesummary collector are
automatically monitored for network presence (ping and any network
services detected). In addition, all computers (also laptops) with
the nagios-nrpe-server package installed and configured the way
sitesummary would configure it, are monitored for full disks, software
raid status, swap free and other checks that need to run locally on
the machine.&lt;/p&gt;

&lt;p&gt;The result is that the administrator on a school using Debian Edu
based on Lenny will be able to check the health of his installation
with one look at the Nagios settings, without having to spend any time
keeping the Nagios configuration up-to-date.&lt;/p&gt;

&lt;p&gt;The only configuration one needs to do to get Nagios up and running
is to set the password used to get access via HTTP. The system
administrator needs to run &quot;&lt;tt&gt;htpasswd /etc/nagios3/htpasswd.users
nagiosadmin&lt;/tt&gt;&quot; to create a nagiosadmin user and set a password for
it to be able to log into the Nagios web pages. After that,
everything is taken care of.&lt;/p&gt;
</description>
</item>

</channel>
</rss>