1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html>
4 <head>
5 <title>Petter Reinholdtsen</title>
6 <link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/style.css">
7 <link rel="alternate" title="RSS Feed" href="http://people.skolelinux.org/pere/blog/index.rss" type="application/rss+xml">
8
9 </head>
10 <body>
11
12 <div class="title">
13 <h1>
14 <a href="http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen</a>
15
16 </h1>
17
18 </div>
19
20
21
22 <div class="entry">
23 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Sikkerhetsteateret_p___flyplassene_fortsetter.html">The security theater at the airports continues</a></div>
24 <div class="date">2010-08-28 10:40</div>
25 <div class="body">
26 <p>Half a year ago I wrote about how
27 <a href="http://people.skolelinux.org/pere/blog/Sikkerhet__teater__og_hvordan_gj__re_verden_sikrere.html">society
28 wastes resources on security measures that do not work</a>. I
29 just came across a
30 <a href="http://www.askthepilot.com/essays-and-stories/terrorism-tweezers-and-terminal-madness-an-essay-on-security/">story
31 from a pilot in the USA</a> who comments on the same thing. I suspect it
32 is only ignorance and deference to authority that makes so few protest. I
33 really like the pilot mentioned in <a
34 href="http://www.aftenposten.no/nyheter/iriks/article2057501.ece">Aftenposten</a> on 2007-10-23,
35 and wish more people would draw attention to the problem. It does
36 not give me a feeling of safety at the airports when I see the
37 airport administration wasting people, money and time on nonsense
38 instead of on things that contribute to a real increase in security. It
39 tells me that the judgement of those who should contribute to better
40 security is severely lacking, which does not bode well for the other
41 measures.</p>
42
43 <p>I wonder what would happen if there were a simple brochure to print
44 from the Internet explaining what is wrong with the security setup at
45 the airports, and people printed it and left a stack at the airports when they
46 passed through. Perhaps it would open more people's eyes to the
47 problem.</p>
48
49 <p>Personally I find the flying experience has become so repulsive that I
50 try to manage with train, car and boat to avoid the discomfort. That
51 is however somewhat difficult in elongated Norway and when I want to visit the
52 parts of the world I wish to reach. I suspect more people feel this way, and
53 that this hurts the earnings of the airlines. That is probably
54 a good thing from an environmental perspective, but that is another matter.</p>
55 </div>
56 <div class="tags">
57
58
59
60 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
61
62 </div>
63 </div>
64 <div class="padding"></div>
65
66 <div class="entry">
67 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Skolelinux_i_Osloskolen.html">Skolelinux in the Oslo schools</a></div>
68 <div class="date">2010-08-26 22:25</div>
69 <div class="body">
70 <p>This autumn all the Oslo schools will finally get the opportunity to use
71 <a href="http://www.skolelinux.org/">Skolelinux</a>. A new IT solution
72 has been rolled out for a few months now, and as far as I learned before
73 the summer, all schools were to have the new setup in place before the start of
74 this autumn term. At every school one will be able to choose at installation time whether to
75 have Windows or Skolelinux on the machines, and one can in addition
76 PXE boot the machines over the network as thin clients or diskless
77 workstations. I am curious how many schools will choose to start
78 using Skolelinux, and look forward to seeing how this develops.
79 The solution is delivered by
80 <a href="http://www.logica.no/">Logica</a> with
81 <a href="http://www.slxdrift.no/">Skolelinux Drift AS</a> as
82 subcontractor, and I have been involved in the development of the solution
83 via Skolelinux Drift AS since the project started. I think it is
84 fantastic that Skolelinux has come so far since we started in 2001 that
85 all the pupils in the Oslo schools will now get the opportunity to use
86 the solution. I hope they will appreciate all the
87 <a href="http://www.skolelinux.no/linux-signpost/">fantastic
88 user programs</a> that are available in Skolelinux.</p>
89 </div>
90 <div class="tags">
91
92
93
94 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>.
95
96 </div>
97 </div>
98 <div class="padding"></div>
99
100 <div class="entry">
101 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Broken_umask_handling_with_sshfs.html">Broken umask handling with sshfs</a></div>
102 <div class="date">2010-08-26 13:30</div>
103 <div class="body">
104 <p>My file system semantics program
105 <a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">presented
106 a few days ago</a> is very useful to verify that a file system can
107 work as a unix home directory, and today I had to extend it a bit. I'm
108 looking into alternatives for home directory access here at the
109 University of Oslo, and one of the options is sshfs. My friend
110 Finn-Arne mentioned a while back that they had used sshfs with Debian
111 Edu, but stopped because of problems. I asked today what the problems
112 were, and he mentioned that sshfs failed to handle umask properly.
113 Trying to detect the problem I wrote this addition to my fs testing
114 script:</p>
115
116 <pre>
117 mode_t touch_get_mode(const char *name, mode_t mode) {
118   mode_t retval = 0;
119   int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, mode);
120   if (-1 != fd) {
121     unlink(name);
122     struct stat statbuf;
123     if (-1 != fstat(fd, &statbuf)) {
124       retval = statbuf.st_mode & 0x1ff; /* keep only the permission bits (0777) */
125     }
126     close(fd);
127   }
128   return retval;
129 }
130
131 /* Try to detect problem discovered using sshfs */
132 int test_umask(void) {
133   printf("info: testing umask effect on file creation\n");
134
135   mode_t orig_umask = umask(000);
136   mode_t newmode;
137   if (0666 != (newmode = touch_get_mode("foobar", 0666))) {
138     printf(" error: Wrong file mode %o when creating using mode 666 and umask 000\n",
139            newmode);
140   }
141   umask(007);
142   if (0660 != (newmode = touch_get_mode("foobar", 0666))) {
143     printf(" error: Wrong file mode %o when creating using mode 666 and umask 007\n",
144            newmode);
145   }
146
147   umask (orig_umask);
148   return 0;
149 }
150
151 int main(int argc, char **argv) {
152   [...]
153   test_umask();
154   return 0;
155 }
156 </pre>
157
158 <p>Sure enough. On NFS to a netapp, I get this result:</p>
159
160 <pre>
161 Testing POSIX/Unix sematics on file system
162 info: testing symlink creation
163 info: testing subdirectory creation
164 info: testing fcntl locking
165 Read-locking 1 byte from 1073741824
166 Read-locking 510 byte from 1073741826
167 Unlocking 1 byte from 1073741824
168 Write-locking 1 byte from 1073741824
169 Write-locking 510 byte from 1073741826
170 Unlocking 2 byte from 1073741824
171 info: testing umask effect on file creation
172 </pre>
173
174 <p>When mounting the same directory using sshfs, I get this
175 result:</p>
176
177 <pre>
178 Testing POSIX/Unix sematics on file system
179 info: testing symlink creation
180 info: testing subdirectory creation
181 info: testing fcntl locking
182 Read-locking 1 byte from 1073741824
183 Read-locking 510 byte from 1073741826
184 Unlocking 1 byte from 1073741824
185 Write-locking 1 byte from 1073741824
186 Write-locking 510 byte from 1073741826
187 Unlocking 2 byte from 1073741824
188 info: testing umask effect on file creation
189 error: Wrong file mode 644 when creating using mode 666 and umask 000
190 error: Wrong file mode 640 when creating using mode 666 and umask 007
191 </pre>
192
193 <p>So, I can conclude that sshfs is better than smb to a Netapp or a
194 Windows server, but not good enough to be used as a home
195 directory.</p>
196
197 <p>Update 2010-08-26: Reported the issue in
198 <a href="http://bugs.debian.org/594498">BTS report #594498</a></p>
199
200 <p>Update 2010-08-27: Michael Gebetsroither reported that he found the
201 script so useful that he created a Git repository and stored it in
202 <a href="http://github.com/gebi/fs-test">http://github.com/gebi/fs-test</a>.</p>
203 </div>
204 <div class="tags">
205
206
207
208 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
209
210 </div>
211 </div>
212 <div class="padding"></div>
213
214 <div class="entry">
215 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Elektronisk_stemmegiving_er_ikke_til____stole_p_____heller_ikke_i_Norge.html">Electronic voting cannot be trusted - not in Norway either</a></div>
216 <div class="date">2010-08-23 19:30</div>
217 <div class="body">
218 <p>In Norway a process is under way to
219 <a href="http://www.e-valg.dep.no/">introduce electronic
220 voting</a> in municipal and parliamentary elections. This is to be
221 introduced in 2011. There is every reason to believe that elections in Norway will not
222 be trustworthy if this is carried out. When the matter was
223 out for public consultation in 2006, I wrote
224 <a href="http://www.nuug.no/dokumenter/valg-horing-2006-09.pdf">a
225 consultation response from NUUG</a> (which EFN also joined) that outlined
226 which requirements must be met for an election to be trustworthy,
227 and electronic voting lacks several of them. Electronic
228 voting is for all practical purposes putting one's vote in a black
229 box under someone else's control, and betting that those who control
230 the box can be trusted - without any opportunity to verify
231 this oneself. That is not how democratic elections are conducted.</p>
232
233 <p>As the problem is fundamental to how electronic voting
234 must work for non-cryptographers to be able to take part as well, there have been
235 many reports of how electronic voting has failed in country
236 after country. A
237 <a href="http://wiki.nuug.no/uttalelser/2006-elektronisk-stemmegiving">small
238 collection of references</a> is available on the NUUG wiki. The latest is from India,
239 where the election commission has chosen
240 <a href="http://www.freedom-to-tinker.com/blog/jhalderm/electronic-voting-researcher-arrested-over-anonymous-source">to
241 set the police on a researcher</a> who has documented weaknesses in the
242 voting system.</p>
243
244 <p>Here in Norway a different approach has been chosen, trying
245 technobabble to make the population believe that this will be
246 secure. Remember, electronic voting undermines the democratic
247 elections in Norway, and should not be introduced.</p>
248
249 <p>The public discussion is made somewhat difficult by the media having
250 chosen to call this "evalg" (e-election), a term that can be said to cover both electronic
251 counting of the election, which Norway has done since the 60s and which is a
252 very good idea, and electronic counting, which is a very bad idea.
253 The discussion makes no sense if one is to discuss whether one is for or
254 against "evalg", and I therefore try to be clear that I am talking about
255 electronic voting and avoid the term "evalg".</p>
256 </div>
257 <div class="tags">
258
259
260
261 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
262
263 </div>
264 </div>
265 <div class="padding"></div>
266
267 <div class="entry">
268 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Robot__reis_deg___.html">Robot, rise...</a></div>
269 <div class="date">2010-08-21 22:10</div>
270 <div class="body">
271 <p>Today I finally got to look a bit at my newly purchased robots, and
272 have spent a few hours googling for interesting references and
273 relevant source code for use on Linux. The most promising so far is
274 <a href="http://ispykee.toyz.org/">ispykee</a>, which has a
275 BSD-licensed Linux daemon that acts as an intermediary between robots on
276 the local network and a central service that an iPhone can connect to in order
277 to remote control the robot. The Linux daemon implements parts of
278 the protocol the robot understands. After fiddling a bit to get
279 in contact with the robot (it sets up its own ad-hoc wifi network, so I
280 had to leave my usual network to reach it), and working out that
281 it listens on IP ports 9000 and 9001, I set about finding out
282 how I could talk to the robot using these ports. The robot part
283 of the protocol is published by the manufacturer under the GPL license, so it
284 is possible to see how the protocol works. There is a Java client
285 for Android that looked quite neat, but I found no source code for
286 it. The iPhone solution, on the other hand, had source code, so I used
287 that as my starting point.</p>
288
289 <p>The daemon would by default try to contact the central
290 service the iPhone program connects to. I rewrote this
291 to instead set up a network service on my local machine,
292 which I can connect to with telnet and give commands to the robot
293 (act, forward, right, left, etc). In practice this involved replacing
294 socket()/connect() with socket()/bind()/listen()/accept() to turn
295 the client into a server.</p>
296
297 <p>While I have been trying to get the robot to move, my partner has
298 assembled the rest of the robot to get the camera and the plastic decorations mounted
299 (arms, plastic fibre for lights). Now everything is mounted, and the robot is
300 ready for use. I need to move it over to my regular wireless network
301 before it becomes practical, but those parts of the protocol are not
302 implemented in the ispykee daemon, so for that I must either get hold of a Mac
303 or a Windows machine, or implement it myself.</p>
304
305 <p>Three of us bought such robots, and we have agreed to
306 collect notes and references on <a
307 href="http://wiki.nuug.no/grupper/robot/">the NUUG wiki</a>. Have a look
308 there if you are curious.</p>
309 </div>
310 <div class="tags">
311
312
313
314 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/robot">robot</a>.
315
316 </div>
317 </div>
318 <div class="padding"></div>
319
320 <div class="entry">
321 <div class="title"><a href="http://people.skolelinux.org/pere/blog/2_Spykee_roboter_i_hus__n___skal_det_lekes.html">2 Spykee robots in the house, time to play</a></div>
322 <div class="date">2010-08-18 13:30</div>
323 <div class="body">
324 <p>I just bought two
325 <a href="http://www.spykee-robot.com/">Spykee</a> robots, for testing and
326 play. I bought two as they were so cheap, which gives me the opportunity to
327 experiment without being very afraid of breaking everything by replacing
328 firmware and such. I discovered that the toy store at Bryn senter had
329 a small stack in stock that they had not managed to sell off after
330 last year's Christmas purchases, and was willing to sell for a fifth of
331 the normal price. Ronny, Jarle and I have acquired the remaining stock, and
332 it will be fun to see what we get out of this.</p>
333
334 <p>The robot has tracks driven by two motors, a camera, speaker, microphone
335 and wifi connection. All of it is controlled by a GPL-licensed computer box that
336 I suspect runs Linux. The firmware source code was apparently published in
337 May. The only challenge is that the controller software only exists for
338 Windows, but that should be possible to work around when we have the source code of
339 the firmware. :)</p>
340
341 <ul>
342 <li><a href="http://en.wikipedia.org/wiki/Spykee">Wikipedia entry</a></li>
343 <li><a href="http://www.spykeeworld.com/spykee/US/freeSoftware.html">Download of the firmware source</a></li>
344 <li><a href="http://wiki.nuug.no/grupper/robot">project wiki at NUUG</a></li>
345 </ul>
346 </div>
347 <div class="tags">
348
349
350
351 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/robot">robot</a>.
352
353 </div>
354 </div>
355 <div class="padding"></div>
356
357 <div class="entry">
358 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Rob_Weir__How_to_Crush_Dissent.html">Rob Weir: How to Crush Dissent</a></div>
359 <div class="date">2010-08-15 22:20</div>
360 <div class="body">
361 <p>I found the notes from Rob Weir on
362 <a href="http://feedproxy.google.com/~r/robweir/antic-atom/~3/VGb23-kta8c/how-to-crush-dissent.html">how
363 to crush dissent</a> matching my own thoughts on the matter quite
364 well. Highly recommended for those wondering which road our society
365 should go down. In my view we have been heading the wrong way for a
366 long time.</p>
367 </div>
368 <div class="tags">
369
370
371
372 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/lenker">lenker</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
373
374 </div>
375 </div>
376 <div class="padding"></div>
377
378 <div class="entry">
379 <div class="title"><a href="http://people.skolelinux.org/pere/blog/No_hardcoded_config_on_Debian_Edu_clients.html">No hardcoded config on Debian Edu clients</a></div>
380 <div class="date">2010-08-09 20:15</div>
381 <div class="body">
382 <p>As reported earlier, the last few days I have looked at how Debian
383 Edu clients are configured, and tried to get rid of all hardcoded
384 configuration settings on the clients. I believe the work to be
385 mostly done, and the clients seem to work just fine with dynamically
386 generated configuration.</p>
387
388 <p>What is the point, you might ask? The point is to allow a Debian
389 Edu desktop to integrate into an existing network infrastructure
390 without any manual configuration.</p>
391
392 <p>This is what happens when installing a Debian Edu client here at
393 the University of Oslo using PXE. With the PXE installation, I am
394 asked for language (Norwegian Bokmål), locality (Norway) and keyboard
395 layout (no-latin1), Debian Edu profile (Roaming Workstation), if I
396 accept to reformat the hard drive (yes), if I want to submit info to
397 popcon.debian.org (no) and root password (secret). After answering
398 these questions, the installer goes ahead and does its thing, and
399 after around 50 minutes it is done. I press enter to finish the
400 installation, and the machine reboots into KDE. When the machine is
401 ready and kdm asks for login information, I enter my university
402 username and password, am told by kdm that a local home directory has
403 been created and that I must log in again, and finally log in with the
404 same username and password to the KDE 4.4 desktop. At no point during
405 this process did it ask for university specific settings, and all the
406 required configuration was dynamically detected using information
407 fetched via DHCP and DNS. The roaming workstation is now ready for
408 use.</p>
409
410 <p>How was this done, you might wonder? First of all, here is the
411 list of things that need to be configured on the client to get it
412 working properly out of the box:</p>
413
414 <ul>
415 <li>IP address/netmask and DNS server.</li>
416 <li>Web proxy URL.</li>
417 <li>LDAP server for NSS directory information (user, group, etc).</li>
418 <li>Kerberos server for PAM password checking.</li>
419 <li>SMB mount point to access the network home directory. (*)</li>
420 <li>Central syslog server to send syslog messages to. (*)</li>
421 <li>Sitesummary collector URL to submit info to central server. (*)</li>
422 </ul>
423
424 <p>(Hm, did I forget anything? Let me know if I did.)</p>
425
426 <p>The points marked (*) are not required to be able to use the
427 machine, but are needed to provide central storage and to allow system
428 administrators to track their machines. Since yesterday, everything
429 but the sitesummary collector URL is dynamically discovered at boot
430 and installation time in the svn version of Debian Edu.</p>
431
432 <p>The IP and DNS setup is fetched during boot using DHCP as usual.
433 When a DHCP update arrives, the proxy setup is updated by looking for
434 http://wpad/wpad.dat and using the content of this WPAD file to
435 configure the http and ftp proxy in /etc/environment and
436 /etc/apt/apt.conf. I decided to update the proxy setup using a DHCP
437 hook to ensure that the client stops using the Debian Edu proxy when
438 it is moved outside the Debian Edu network, and instead uses any local
439 proxy present on the new network when it moves around.</p>
440
441 <p>The DNS names of the LDAP, Kerberos and syslog server and related
442 configuration are generated using DNS information at boot. First the
443 installer looks for a host named ldap in the current DNS domain. If
444 not found, it looks for _ldap._tcp SRV records in DNS instead. If an
445 LDAP server is found, its root DSE entry is requested and the
446 attributes namingContexts and defaultNamingContext are used to
447 determine which LDAP base to use for NSS. If there are several
448 namingContexts attributes and the defaultNamingContext is present, that
449 LDAP subtree is used as the base. If defaultNamingContext is missing,
450 the subtrees listed as namingContexts are searched in sequence for any
451 object with class posixAccount or posixGroup, and the first one with
452 such an object is used as the LDAP base. For Kerberos, a similar
453 search is done by first looking for a host named kerberos, and then
454 for the _kerberos._tcp SRV record. I've been unable to find a way to
455 look up the Kerberos realm, so for this the upper case string of the
456 current DNS domain is used.</p>
457
458 <p>For the syslog server, the hosts syslog and loghost are searched
459 for, and the _syslog._udp SRV record is consulted if no such host is
460 found. This algorithm works for both Debian Edu and the University of
461 Oslo. A similar strategy would work for locating the sitesummary
462 server, but has not been implemented yet. I decided to fetch and
463 save these settings during installation, to make sure moving to a
464 different network does not change the set of users being allowed to
465 log in nor the passwords required to log in. Usernames and passwords
466 will be cached by sssd when the user logs in on the Debian Edu
467 network, and will not change as the laptop moves around. For a
468 non-roaming machine, there is no caching, but given that it is
469 supposed to stay in place it should not matter much. Perhaps we
470 should switch those to use sssd too?</p>
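<p>The lookup order described above, as an added example that is not
Debian Edu's own code. The zone and root DSE contents are constructed
sample data, the function names are hypothetical, and the _kerberos TXT
lookup is the one mentioned in the update at the end of this post.</p>

```python
# Added example (not Debian Edu's code): the lookup order from the post,
# run against constructed DNS and root DSE data so it works offline.

def find_server(zone, domain, hostnames, srv_name):
    """Return the first existing host name, else the best SRV target."""
    for host in hostnames:
        fqdn = f"{host}.{domain}"
        if fqdn in zone["hosts"]:
            return fqdn
    records = zone["srv"].get(f"{srv_name}.{domain}", [])
    if not records:
        return None
    # Records are (priority, weight, port, target); lowest priority first.
    return min(records, key=lambda r: r[0])[3].rstrip(".")


def kerberos_realm(zone, domain):
    """Use the _kerberos TXT record, else the upper-cased DNS domain."""
    return zone["txt"].get(f"_kerberos.{domain}") or domain.upper()


def ldap_base(root_dse, posix_subtrees):
    """Pick the NSS search base from the server's root DSE attributes."""
    default = root_dse.get("defaultNamingContext")
    if default:
        return default
    # No default: take the first subtree holding posixAccount/posixGroup.
    # posix_subtrees stands in for an LDAP search per naming context.
    for context in root_dse.get("namingContexts", []):
        if context in posix_subtrees:
            return context
    return None


def discover(zone, domain, root_dses, posix_subtrees):
    """Collect the settings the installer saves for NSS, PAM and syslog."""
    ldap = find_server(zone, domain, ["ldap"], "_ldap._tcp")
    return {
        "ldap": ldap,
        "ldap_base": ldap_base(root_dses.get(ldap, {}), posix_subtrees),
        "kerberos": find_server(zone, domain, ["kerberos"], "_kerberos._tcp"),
        "realm": kerberos_realm(zone, domain),
        "syslog": find_server(zone, domain, ["syslog", "loghost"], "_syslog._udp"),
    }


# Constructed site A: plain host names, no SRV or TXT records.
SITE_A = {
    "hosts": {"ldap.a.example", "kerberos.a.example", "loghost.a.example"},
    "srv": {},
    "txt": {},
}
# Constructed site B: SRV and TXT records only.
SITE_B = {
    "hosts": set(),
    "srv": {
        "_ldap._tcp.b.example": [(10, 0, 389, "dir2.b.example."),
                                 (0, 0, 389, "dir1.b.example.")],
        "_kerberos._tcp.b.example": [(0, 0, 88, "kdc.b.example.")],
        "_syslog._udp.b.example": [(0, 0, 514, "logs.b.example.")],
    },
    "txt": {"_kerberos.b.example": "REALM.B.EXAMPLE"},
}
# Constructed root DSE answers, keyed by the LDAP server that returned them.
ROOT_DSES = {
    "ldap.a.example": {"namingContexts": ["cn=config", "dc=a,dc=example"]},
    "dir1.b.example": {
        "namingContexts": ["dc=b,dc=example", "o=other"],
        "defaultNamingContext": "dc=b,dc=example",
    },
}
# Constructed: subtrees that contain posixAccount or posixGroup objects.
POSIX_SUBTREES = {"dc=a,dc=example", "dc=b,dc=example"}

if __name__ == "__main__":
    for domain, zone in (("a.example", SITE_A), ("b.example", SITE_B)):
        print(domain, discover(zone, domain, ROOT_DSES, POSIX_SUBTREES))
```

<p>Everything discover() returns is only as trustworthy as the DHCP and
DNS answers on the network where it runs, which is why the post saves
the result once at installation instead of repeating the lookup on
every network the laptop visits.</p>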
471
472 <p>The user's SMB mount point for the network home directory is
473 located when the user logs in for the first time. The LDAP server is
474 consulted to look for the user's LDAP object and the sambaHomePath
475 attribute is used if found. If it isn't found, the home directory
476 path fetched from NSS is used instead. Assuming the path is of the
477 form /site/server/directory/username, the second part is looked up in
478 DNS and used to generate a SMB URL of the form
479 smb://server.domain/username. This algorithm works for both Debian
480 Edu and the University of Oslo. Perhaps there are better attributes
481 to use or a better algorithm that works for more sites, but this will
482 do for now. :)</p>
483
484 <p>This work should make it easier to integrate the Debian Edu clients
485 into any LDAP/Kerberos infrastructure, and make the current setup even
486 more flexible than before. I suspect it will also work for thin
487 client servers, allowing one to easily set up LTSP and hook it into an
488 existing network infrastructure, but I have not had time to test this
489 yet.</p>
490
491 <p>If you want to help out with implementing these things for Debian
492 Edu, please contact us on debian-edu@lists.debian.org.</p>
493
494 <p>Update 2010-08-09: Simon Farnsworth gave me a heads-up on how to
495 detect Kerberos realm from DNS, by looking for _kerberos TXT entries
496 before falling back to the upper case DNS domain name. Will have to
497 implement it for Debian Edu. :)</p>
498 </div>
499 <div class="tags">
500
501
502
503 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
504
505 </div>
506 </div>
507 <div class="padding"></div>
508
509 <div class="entry">
510 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">Testing if a file system can be used for home directories...</a></div>
511 <div class="date">2010-08-08 21:20</div>
512 <div class="body">
513 <p>A few years ago, I was involved in a project planning to use
514 Windows file servers as home directory servers for Debian
515 Edu/Skolelinux machines. This was thought to be no problem, as the
516 access would be through the SMB network file system protocol, and we
517 knew other sites used SMB with unix and samba as the file server to
518 mount home directories without any problems. But, after months of
519 struggling, we had to conclude that our goal was impossible.</p>
520
521 <p>The reason is simply that while SMB can be used for home
522 directories when the file server is Samba running on Unix, this only
523 works because Samba has some extensions and because the
524 underlying file system is a unix file system. When using a Windows
525 file server, the underlying file system does not have POSIX semantics,
526 and several programs will fail if the user's home directory where they
527 want to store their configuration lacks POSIX semantics.</p>
528
529 <p>As part of this work, I wrote a small C program I want to share
530 with you all, to replicate a few of the problematic applications (like
531 OpenOffice.org and GCompris) and see if the file system was working as
532 it should. If you find yourself in spooky file system land, it might
533 help you find your way out again. This is the fs-test.c source:</p>
534
535 <pre>
536 /*
537  * Some tests to check the file system semantics. Used to verify that
538  * CIFS from a windows server does not work properly as a linux home
539  * directory.
540  * License: GPL v2 or later
541  *
542  * needs libsqlite3-dev and build-essential installed
543  * compile with: gcc -Wall -DTEST_SQLITE fs-test.c -o fs-test -lsqlite3
544  */
545
546 #define _FILE_OFFSET_BITS 64
547 #define _LARGEFILE_SOURCE 1
548 #define _LARGEFILE64_SOURCE 1
549
550 #define _GNU_SOURCE /* for asprintf() */
551
552 #include &lt;errno.h>
553 #include &lt;fcntl.h>
554 #include &lt;stdio.h>
555 #include &lt;string.h>
556 #include &lt;stdlib.h>
557 #include &lt;sys/file.h>
558 #include &lt;sys/stat.h>
559 #include &lt;sys/types.h>
560 #include &lt;unistd.h>
561
562 #ifdef TEST_SQLITE
563 /*
564  * Test sqlite open, as done by gcompris. Requires the libsqlite3-dev
565  * package and linking with -lsqlite3. A more low level test is
566  * below.
567  * See also &lt;URL: http://www.sqlite.org./faq.html#q5 >.
568  */
569 #include &lt;sqlite3.h>
570 #define CREATE_TABLE_USERS \
571   "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); "
572 int test_sqlite_open(void) {
573   char *zErrMsg = NULL;
574   char *name = "testsqlite.db";
575   sqlite3 *db=NULL;
576   unlink(name);
577   int rc = sqlite3_open(name, &db);
578   if( rc ){
579     printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
580     sqlite3_close(db);
581     return -1;
582   }
583
584   /* create tables */
585   rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg);
586   if( rc != SQLITE_OK ){
587     printf("error: sqlite table create failed: %s\n", zErrMsg);
588     sqlite3_close(db);
589     return -1;
590   }
591   printf("info: sqlite worked\n");
592   sqlite3_close(db);
593   return 0;
594 }
595 #endif /* TEST_SQLITE */
596
597 /*
598  * Demonstrate locking issue found in gcompris using sqlite3. This
599  * works with ext3, but not with cifs server on Windows 2003. This is
600  * done in the sqlite3 library.
601  * See also
602  * &lt;URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
603  * POSIX specification
604  * &lt;URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
605  */
606 int test_gcompris_locking(void) {
607   struct flock fl;
608   char *name = "testsqlite.db";
609   unlink(name);
610   int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
611   printf("info: testing fcntl locking\n");
612   if (-1 == fd) { printf(" error: Unable to create %s: %s\n", name, strerror(errno)); return -1; }
613   fl.l_whence = SEEK_SET;
614   fl.l_pid = getpid();
615   printf(" Read-locking 1 byte from 1073741824");
616   fl.l_start = 1073741824;
617   fl.l_len = 1;
618   fl.l_type = F_RDLCK;
619   if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
620
621   printf(" Read-locking 510 byte from 1073741826");
622   fl.l_start = 1073741826;
623   fl.l_len = 510;
624   fl.l_type = F_RDLCK;
625   if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
626
627   printf(" Unlocking 1 byte from 1073741824");
628   fl.l_start = 1073741824;
629   fl.l_len = 1;
630   fl.l_type = F_UNLCK;
631   if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
632
633   printf(" Write-locking 1 byte from 1073741824");
634   fl.l_start = 1073741824;
635   fl.l_len = 1;
636   fl.l_type = F_WRLCK;
637   if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
638
639   printf(" Write-locking 510 byte from 1073741826");
640   fl.l_start = 1073741826;
641   fl.l_len = 510;
642   if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
643
644   printf(" Unlocking 2 byte from 1073741824");
645   fl.l_start = 1073741824;
646   fl.l_len = 2;
647   fl.l_type = F_UNLCK;
648   if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");
649
650   close(fd);
651   return 0;
652 }
653
654 /*
655  * Test if permissions of freshly created directories allow entries
656  * below them. This was a problem with OpenOffice.org and gcompris.
657  * Mounting with option 'sync' seems to solve this problem while
658  * slowing down file operations.
659  */
660 int test_subdirectory_creation(void) {
661 #define LEVELS 5
662   char *path = strdup("test");
663   /* Creates test, test/test, ... LEVELS deep, each inside the previous one. */
664   int level;
665   printf("info: testing subdirectory creation\n");
666   for (level = 0; level &lt; LEVELS; level++) {
667     char *newpath = NULL;
668     if (-1 == mkdir(path, 0777)) {
669       printf(" error: Unable to create directory '%s': %s\n",
670              path, strerror(errno));
671       break;
672     }
673     if (-1 == asprintf(&newpath, "%s/%s", path, "test")) break;
674     free(path);
675     path = newpath;
676   }
677   return 0;
678 }
679
680 /*
681  * Test if symlinks can be created. This was a problem detected with
682  * KDE.
683  */
684 int test_symlinks(void) {
685   printf("info: testing symlink creation\n");
686   unlink("symlink");
687   if (-1 == symlink("file", "symlink"))
688     printf(" error: Unable to create symlink\n");
689   return 0;
690 }
691
692 int main(int argc, char **argv) {
693   printf("Testing POSIX/Unix sematics on file system\n");
694   test_symlinks();
695   test_subdirectory_creation();
696 #ifdef TEST_SQLITE
697   test_sqlite_open();
698 #endif /* TEST_SQLITE */
699   test_gcompris_locking();
700   return 0;
701 }
702 </pre>
703
704 <p>When everything is working, it should print something like
705 this:</p>
706
707 <pre>
708 Testing POSIX/Unix sematics on file system
709 info: testing symlink creation
710 info: testing subdirectory creation
711 info: sqlite worked
712 info: testing fcntl locking
713 Read-locking 1 byte from 1073741824
714 Read-locking 510 byte from 1073741826
715 Unlocking 1 byte from 1073741824
716 Write-locking 1 byte from 1073741824
717 Write-locking 510 byte from 1073741826
718 Unlocking 2 byte from 1073741824
719 </pre>
720
721 <p>I do not remember the exact details of the problems we saw, but one
722 of them was with locking, where if I remember correctly, POSIX allows a
723 read-only lock to be upgraded to a read-write lock without unlocking
724 the read-only lock (while Windows does not). Another was a bug in the
725 CIFS/SMB client implementation in the Linux kernel where directory
726 meta information would be wrong for a fraction of a second, making
727 OpenOffice.org fail to create its deep directory tree because it was
728 not allowed to create files in its freshly created directory.</p>
729
730 <p>Anyway, here is a nice tool for your tool box, might you never need
731 it. :)</p>
732
733 <p>Update 2010-08-27: Michael Gebetsroither reports that he found the
734 script so useful that he created a Git repository and stored it in
735 <a href="http://github.com/gebi/fs-test">http://github.com/gebi/fs-test</a>.</p>
736 </div>
737 <div class="tags">
738
739
740
741 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
742
743 </div>
744 </div>
745 <div class="padding"></div>
746
747 <div class="entry">
748 <div class="title"><a href="http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html">Autodetecting Client setup for roaming workstations in Debian Edu</a></div>
749 <div class="date">2010-08-07 14:45</div>
750 <div class="body">
751 <p>A few days ago, I
752 <a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
753 to install</a> a Roaming workstation profile from Debian Edu/Squeeze
754 while on the university network here at the University of Oslo, and
755 noticed how much had to change to get it operational using the
756 university infrastructure. It was fairly easy, but it occurred to me
757 that Debian Edu would improve a lot if I could get the client to
758 connect without any changes at all, and thus let the client configure
759 itself during installation and first boot to use the infrastructure
760 around it. Now I am a huge step further along that road.</p>
761
762 <p>With our current squeeze-test packages, I can select the roaming
763 workstation profile and get a working laptop connecting to the
764 university LDAP server for user and group and our active directory
765 servers for Kerberos authentication. All this without any
766 configuration at all during installation. My user's home directory got
767 a bookmark in the KDE menu to mount it via SMB, with the correct URL.
768 In short, openldap and sssd are correctly configured. In addition to
769 this, the client looks for http://wpad/wpad.dat to configure a web
770 proxy, and when it fails to find it no proxy settings are stored in
771 /etc/environment and /etc/apt/apt.conf. Iceweasel and KDE are
772 configured to look for the same wpad configuration and also do not use
773 a proxy when at the university network. If the machine is moved to a
774 network with such a wpad setup, it would automatically use it when DHCP
775 gave it an IP address.</p>
776
777 <p>The LDAP server is located using DNS, by first looking for the DNS
778 entry ldap.$domain. If this does not exist, it looks for the
779 _ldap._tcp.$domain SRV records and uses the first one as the LDAP
780 server. Next, it connects to the LDAP server and searches all
781 namingContexts entries for posixAccount or posixGroup objects, and
782 picks the first one as the LDAP base. For Kerberos, a similar
783 algorithm is used to locate the LDAP server, and the realm is the
784 uppercase version of $domain.</p>
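<p>The discovery order described above, as an added sketch that is not
the Debian Edu code itself. The DNS and LDAP lookups are passed in as
callables so it runs offline against constructed sample data; every
function name, the sample records and the server_in_domain flag (a
sanity check on where the DNS answer points) are assumptions made for
this illustration.</p>

```python
"""Added example: DNS-driven LDAP/Kerberos autodetection, lookups injected."""

def find_ldap_server(domain, resolve_host, resolve_srv):
    """Try ldap.$domain first, then the first _ldap._tcp.$domain SRV record."""
    candidate = "ldap." + domain
    if resolve_host(candidate):
        return candidate
    # The post says "use the first one"; no priority/weight sorting is done here.
    records = resolve_srv("_ldap._tcp." + domain)
    return records[0][0].rstrip(".") if records else None

def find_ldap_base(naming_contexts, has_posix_entries):
    """Return the first namingContext holding posixAccount/posixGroup objects."""
    for base in naming_contexts:
        if has_posix_entries(base):
            return base
    return None

def autodetect(domain, resolve_host, resolve_srv, read_contexts, has_posix_entries):
    """Combine the steps; returns None when no LDAP server can be located."""
    server = find_ldap_server(domain, resolve_host, resolve_srv)
    if server is None:
        return None
    return {
        "ldap_server": server,
        "ldap_base": find_ldap_base(read_contexts(server), has_posix_entries),
        "krb5_realm": domain.upper(),  # realm is the uppercase version of $domain
        # Assumption added here: flag SRV targets outside the DNS domain, since
        # the DNS answer decides which host later receives the login attempts.
        "server_in_domain": server.endswith("." + domain),
    }

# Constructed sample network: no ldap.example.org host, one SRV record.
SAMPLE_HOSTS = {"dc1.example.org"}
SAMPLE_SRV = {"_ldap._tcp.example.org": [("dc1.example.org.", 389)]}
SAMPLE_CONTEXTS = {"dc1.example.org": ["cn=config", "dc=example,dc=org"]}
SAMPLE_POSIX_BASES = {"dc=example,dc=org"}

def demo(domain="example.org"):
    return autodetect(domain,
                      lambda host: host in SAMPLE_HOSTS,
                      lambda name: SAMPLE_SRV.get(name, []),
                      lambda server: SAMPLE_CONTEXTS.get(server, []),
                      lambda base: base in SAMPLE_POSIX_BASES)

if __name__ == "__main__":
    print(demo())
```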
785
786 <p>So, what is not working, you might ask. SMB mounting my home
787 directory does not work. No idea why, but I suspected the incorrect
788 Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
789 the cause. These are not properly configured during installation, and
790 had to be hand-edited to get the correct Kerberos realm and server,
791 but SMB mounting still does not work. :(</p>
792
793 <p>With this automatic configuration in place, I expect a Debian Edu
794 roaming profile installation would be able to automatically detect and
795 connect to any site using LDAP and Kerberos for NSS directory and PAM
796 authentication. It should also work out of the box in an Active
797 Directory environment providing posixAccount and posixGroup objects
798 with UID and GID values.</p>
799
800 <p>If you want to help out with implementing these things for Debian
801 Edu, please contact us on debian-edu@lists.debian.org.</p>
802 </div>
803 <div class="tags">
804
805
806
807 Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
808
809 </div>
810 </div>
811 <div class="padding"></div>
812
953 </body>
954 </html>