pere.pagekite.me Git - homepage.git/blob - blog/archive/2010/04/04.rss
Adjust the language.
<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
<channel>
<title>Petter Reinholdtsen - Entries from April 2010</title>
<description>Entries from April 2010</description>
<link>http://people.skolelinux.org/pere/blog/</link>


<item>
<title>Kerberos for Debian Edu/Squeeze?</title>
<link>http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</guid>
<pubDate>Wed, 14 Apr 2010 17:20:00 +0200</pubDate>
<description>&lt;p&gt;&lt;a href=&quot;http://www.nuug.no/aktiviteter/20100413-kerberos/&quot;&gt;Yesterday's
NUUG presentation&lt;/a&gt; about Kerberos was inspiring, and reminded me
of the need to start using Kerberos in Skolelinux. Setting up a
Kerberos server seems to be straightforward, and if we get this in
place a long time before the Squeeze version of Debian freezes, we
have a chance to migrate Skolelinux away from NFSv3 for the home
directories, and over to an architecture where the infrastructure does
not have to trust IP addresses and machines, and can instead trust
users and cryptographic keys.&lt;/p&gt;

&lt;p&gt;A challenge will be integration and administration. Is there a
Kerberos implementation for Debian where one can control the
administration access in Kerberos using LDAP groups? With it, the
school administration will have to maintain access control using flat
files on the main server, which gives a huge potential for errors.&lt;/p&gt;

&lt;p&gt;A related question I would like to know is how well Kerberos and
pam-ccreds (offline password check) work together. Anyone know?&lt;/p&gt;

&lt;p&gt;The next step will be to use Kerberos for access control in Lwat and
Nagios. I have no idea how much work that will be to implement. We
would also need to document how to integrate with Windows AD, as such
a shared network will require two Kerberos realms that need to cooperate
to work properly.&lt;/p&gt;

&lt;p&gt;I believe a good start would be to start using Kerberos on the
skolelinux.no machines, and this way gain experience with
configuration and integration. A natural starting point would be
setting up ldap.skolelinux.no as the Kerberos server, and migrating the
rest of the machines from PAM via LDAP to PAM via Kerberos one at a
time.&lt;/p&gt;

&lt;p&gt;If you would like to contribute to getting this working in Skolelinux,
I recommend that you watch the video recording from yesterday's NUUG
presentation, and start using Kerberos at home. The video should show
up in a few days.&lt;/p&gt;
</description>
</item>

<item>
<title>Great book: &quot;Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future&quot;</title>
<link>http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</guid>
<pubDate>Mon, 19 Apr 2010 17:10:00 +0200</pubDate>
<description>&lt;p&gt;The last few weeks I have had the pleasure of reading a
thought-provoking collection of essays by Cory Doctorow, on topics
touching copyright, virtual worlds, the future of man when the
conscious mind can be duplicated into a computer, and many more. The
book, titled &quot;Content: Selected Essays on Technology, Creativity,
Copyright, and the Future of the Future&quot;, is available with few
restrictions on the web, for example from
&lt;a href=&quot;http://craphound.com/content/&quot;&gt;his own site&lt;/a&gt;. I read the
epub-version from
&lt;a href=&quot;http://www.feedbooks.com/book/2883&quot;&gt;feedbooks&lt;/a&gt; using
&lt;a href=&quot;http://www.fbreader.org/&quot;&gt;fbreader&lt;/a&gt; and my N810. I
strongly recommend this book.&lt;/p&gt;
</description>
</item>

<item>
<title>Thoughts on roaming laptop setup for Debian Edu</title>
<link>http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</guid>
<pubDate>Wed, 28 Apr 2010 20:40:00 +0200</pubDate>
<description>&lt;p&gt;For some years now, I have wondered how we should handle laptops in
Debian Edu. The Debian Edu infrastructure is mostly designed to
handle stationary computers, and less suited for computers that come
and go.&lt;/p&gt;

&lt;p&gt;Now I finally believe I have a sensible idea on how to adjust
Debian Edu for laptops, by introducing a new profile for them, for
example called Roaming Workstations. Here are my thoughts on this.
The setup would consist of the following:&lt;/p&gt;

&lt;ul&gt;

&lt;li&gt;During installation, the user name of the owner / primary user of
the laptop is requested and a local home directory is set up for
the user, with uid and gid information fetched from the LDAP
server. This allows the user to work also when offline. The
central home directory can be available in a subdirectory on
request, for example mounted via CIFS. It could be mounted
automatically when a user logs in while on the Debian Edu network,
and unmounted when the machine is taken away (network down,
hibernate, etc.), it can be set up to do automatic mounting on
request (using autofs), or perhaps some GUI button on the desktop
can be used to access it when needed. Perhaps it is enough to use
the fish protocol in KDE?&lt;/li&gt;

&lt;li&gt;Password checking is set up to use LDAP or Kerberos
authentication when the machine is on the Debian Edu network, and
to cache the password for offline checking when the machine is unable
to reach the LDAP or Kerberos server. This can be done using
&lt;a href=&quot;http://www.padl.com/OSS/pam_ccreds.html&quot;&gt;libpam-ccreds&lt;/a&gt;
or the Fedora-developed
&lt;a href=&quot;https://fedoraproject.org/wiki/Features/SSSD&quot;&gt;System
Security Services Daemon&lt;/a&gt; packages.&lt;/li&gt;

&lt;li&gt;File synchronisation with the central home directory is set up
using a shared directory in both the local and the central home
directory, using unison.&lt;/li&gt;

&lt;li&gt;Printing should be set up to print to all printers broadcasting
their existence on the local network, and should then work out of
the box with CUPS. For sites needing accurate printer quotas, some
system with Kerberos authentication or printing via ssh could be
implemented.&lt;/li&gt;

&lt;li&gt;For users that should have local root access to their laptop,
sudo should be used to allow this to the local user.&lt;/li&gt;

&lt;li&gt;It would be nice if user and group information from LDAP is
cached on the client, but given that there are entries for the
local user and primary group in /etc/, it should not be needed.&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;I believe all the pieces to implement this are in Debian/testing at
the moment. If we work quickly, we should be able to get this ready
in time for the Squeeze release to freeze. Some of the pieces need
tweaking, like libpam-ccreds should get support for pam-auth-update
(&lt;a href=&quot;http://bugs.debian.org/566718&quot;&gt;#566718&lt;/a&gt;) and nslcd (or
perhaps debian-edu-config) should get some integration code to stop
its daemon when the LDAP server is unavailable to avoid long timeouts
when disconnected from the net. If we get Kerberos enabled, we need
to make sure we avoid long timeouts there too.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
</item>

</channel>
</rss>