1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
3 <channel>
4 <title>Petter Reinholdtsen - Entries from April 2010</title>
5 <description>Entries from April 2010</description>
6 <link>http://people.skolelinux.org/pere/blog/</link>
7
8
9 <item>
10 <title>Kerberos for Debian Edu/Squeeze?</title>
11 <link>http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</link>
12 <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</guid>
13 <pubDate>Wed, 14 Apr 2010 17:20:00 +0200</pubDate>
14 <description>
15 &lt;p&gt;&lt;a href=&quot;http://www.nuug.no/aktiviteter/20100413-kerberos/&quot;&gt;Yesterday's
16 NUUG presentation&lt;/a&gt; about Kerberos was inspiring, and reminded me
17 about the need to start using Kerberos in Skolelinux. Setting up a
18 Kerberos server seems to be straightforward, and if we get this in
19 place a long time before the Squeeze version of Debian freezes, we
20 have a chance to migrate Skolelinux away from NFSv3 for the home
21 directories, and over to an architecture where the infrastructure does
22 not have to trust IP addresses and machines, and instead can trust
23 users and cryptographic keys.&lt;/p&gt;
24
25 &lt;p&gt;A challenge will be integration and administration. Is there a
26 Kerberos implementation for Debian where one can control the
27 administration access in Kerberos using LDAP groups? With it, the
28 school administration will have to maintain access control using flat
29 files on the main server, which gives a huge potential for errors.&lt;/p&gt;
30
31 &lt;p&gt;A related question I would like to know is how well Kerberos and
32 pam-ccreds (offline password check) work together. Anyone know?&lt;/p&gt;
33
34 &lt;p&gt;Next step will be to use Kerberos for access control in Lwat and
35 Nagios. I have no idea how much work that will be to implement. We
36 would also need to document how to integrate with Windows AD, as such a
37 shared network will require two Kerberos realms that need to cooperate
38 to work properly.&lt;/p&gt;
39
40 &lt;p&gt;I believe a good start would be to start using Kerberos on the
41 skolelinux.no machines, and this way get ourselves experience with
42 configuration and integration. A natural starting point would be
43 setting up ldap.skolelinux.no as the Kerberos server, and migrate the
44 rest of the machines from PAM via LDAP to PAM via Kerberos one at a
45 time.&lt;/p&gt;
46
47 &lt;p&gt;If you would like to contribute to get this working in Skolelinux,
48 I recommend you to see the video recording from yesterday's NUUG
49 presentation, and start using Kerberos at home. The video should show
50 up in a few days.&lt;/p&gt;
51 </description>
52 </item>
53
54 <item>
55 <title>Great book: &quot;Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future&quot;</title>
56 <link>http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</link>
57 <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</guid>
58 <pubDate>Mon, 19 Apr 2010 17:10:00 +0200</pubDate>
59 <description>
60 &lt;p&gt;The last few weeks I have had the pleasure of reading a
61 thought-provoking collection of essays by Cory Doctorow, on topics
62 touching copyright, virtual worlds, the future of man when the
63 conscious mind can be duplicated into a computer and many more. The
64 book titled &quot;Content: Selected Essays on Technology, Creativity,
65 Copyright, and the Future of the Future&quot; is available with few
66 restrictions on the web, for example from
67 &lt;a href=&quot;http://craphound.com/content/&quot;&gt;his own site&lt;/a&gt;. I read the
68 epub-version from
69 &lt;a href=&quot;http://www.feedbooks.com/book/2883&quot;&gt;feedbooks&lt;/a&gt; using
70 &lt;a href=&quot;http://www.fbreader.org/&quot;&gt;fbreader&lt;/a&gt; and my N810. I
71 strongly recommend this book.&lt;/p&gt;
72 </description>
73 </item>
74
75 <item>
76 <title>Thoughts on roaming laptop setup for Debian Edu</title>
77 <link>http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</link>
78 <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</guid>
79 <pubDate>Wed, 28 Apr 2010 20:40:00 +0200</pubDate>
80 <description>
81 &lt;p&gt;For some years now, I have wondered how we should handle laptops in
82 Debian Edu. The Debian Edu infrastructure is mostly designed to
83 handle stationary computers, and less suited for computers that come
84 and go.&lt;/p&gt;
85
86 &lt;p&gt;Now I finally believe I have a sensible idea on how to adjust
87 Debian Edu for laptops, by introducing a new profile for them, for
88 example called Roaming Workstations. Here are my thoughts on this.
89 The setup would consist of the following:&lt;/p&gt;
90
91 &lt;ul&gt;
92
93 &lt;li&gt;During installation, the user name of the owner / primary user of
94 the laptop is requested and a local home directory is set up for
95 the user, with uid and gid information fetched from the LDAP
96 server. This allows the user to work also when offline. The
97 central home directory can be available in a subdirectory on
98 request, for example mounted via CIFS. It could be mounted
99 automatically when a user logs in while on the Debian Edu network,
100 and unmounted when the machine is taken away (network down,
101 hibernate, etc), it can be set up to do automatic mounting on
102 request (using autofs), or perhaps some GUI button on the desktop
103 can be used to access it when needed. Perhaps it is enough to use
104 the fish protocol in KDE?&lt;/li&gt;
105
106 &lt;li&gt;Password checking is set up to use LDAP or Kerberos
107 authentication when the machine is on the Debian Edu network, and
108 to cache the password for offline checking when the machine is unable
109 to reach the LDAP or Kerberos server. This can be done using
110 &lt;a href=&quot;http://www.padl.com/OSS/pam_ccreds.html&quot;&gt;libpam-ccreds&lt;/a&gt;
111 or the Fedora developed
112 &lt;a href=&quot;https://fedoraproject.org/wiki/Features/SSSD&quot;&gt;System
113 Security Services Daemon&lt;/a&gt; packages.&lt;/li&gt;
114
115 &lt;li&gt;File synchronisation with the central home directory is set up
116 using a shared directory in both the local and the central home
117 directory, using unison.&lt;/li&gt;
118
119 &lt;li&gt;Printing should be set up to print to all printers broadcasting
120 their existence on the local network, and should then work out of
121 the box with CUPS. For sites needing accurate printer quotas, some
122 system with Kerberos authentication or printing via ssh could be
123 implemented.&lt;/li&gt;
124
125 &lt;li&gt;For users that should have local root access to their laptop,
126 sudo should be used to allow this to the local user.&lt;/li&gt;
127
128 &lt;li&gt;It would be nice if user and group information from LDAP is
129 cached on the client, but given that there are entries for the
130 local user and primary group in /etc/, it should not be needed.&lt;/li&gt;
131
132 &lt;/ul&gt;
133
134 &lt;p&gt;I believe all the pieces to implement this are in Debian/testing at
135 the moment. If we work quickly, we should be able to get this ready
136 in time for the Squeeze release to freeze. Some of the pieces need
137 tweaking, like libpam-ccreds should get support for pam-auth-update
138 (&lt;a href=&quot;http://bugs.debian.org/566718&quot;&gt;#566718&lt;/a&gt;) and nslcd (or
139 perhaps debian-edu-config) should get some integration code to stop
140 its daemon when the LDAP server is unavailable to avoid long timeouts
141 when disconnected from the net. If we get Kerberos enabled, we need
142 to make sure we avoid long timeouts there too.&lt;/p&gt;
143
144 &lt;p&gt;If you want to help out with implementing this for Debian Edu,
145 please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
146 </description>
147 </item>
148
149 </channel>
150 </rss>