pere.pagekite.me Git - homepage.git/blob - blog/index.rss
<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Petter Reinholdtsen</title>
<description></description>
<link>http://people.skolelinux.org/pere/blog/</link>
<atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />

<item>
<title>The security theatre at the airports continues</title>
<link>http://people.skolelinux.org/pere/blog/Sikkerhetsteateret_p___flyplassene_fortsetter.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Sikkerhetsteateret_p___flyplassene_fortsetter.html</guid>
<pubDate>Sat, 28 Aug 2010 10:40:00 +0200</pubDate>
<description>
&lt;p&gt;Half a year ago I wrote about how
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Sikkerhet__teater__og_hvordan_gj__re_verden_sikrere.html&quot;&gt;society
wastes resources on security measures that do not work&lt;/a&gt;. I just
came across a
&lt;a href=&quot;http://www.askthepilot.com/essays-and-stories/terrorism-tweezers-and-terminal-madness-an-essay-on-security/&quot;&gt;story
from a pilot in the USA&lt;/a&gt; commenting on the same thing. I suspect it
is only ignorance and deference to authority that make so few people
protest. I have a lot of sympathy for the pilot described in &lt;a
href=&quot;http://www.aftenposten.no/nyheter/iriks/article2057501.ece&quot;&gt;Aftenposten&lt;/a&gt; on 2007-10-23,
and wish more people would direct their attention to the problem. It
does not give me a feeling of safety at the airports when I see the
airport administration wasting people, money and time on nonsense
instead of on things that contribute to a real increase in security.
That tells me that the judgement of those who ought to contribute to
increased security is seriously lacking, which does not bode well for
the other measures.&lt;/p&gt;

&lt;p&gt;I wonder what would happen if there were a simple brochure one could
print from the Internet, explaining what is wrong with the security
arrangements at the airports, and people printed it and left a stack at
the airports as they passed through. Perhaps it would open more
people&#39;s eyes to the problem.&lt;/p&gt;

&lt;p&gt;Personally I find the flying experience has become so repulsive that
I try to get by with train, car and boat to avoid the discomfort. That
is somewhat difficult in the elongated country that is Norway, and for
reaching the parts of the world I want to visit. I suspect more people
feel the same way, and that this hurts the earnings of the airlines.
That is probably a good thing from an environmental perspective, but
that is another matter.&lt;/p&gt;
</description>
</item>

<item>
<title>Skolelinux in the Oslo schools</title>
<link>http://people.skolelinux.org/pere/blog/Skolelinux_i_Osloskolen.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Skolelinux_i_Osloskolen.html</guid>
<pubDate>Thu, 26 Aug 2010 22:25:00 +0200</pubDate>
<description>
&lt;p&gt;This autumn all the Oslo schools will finally get the option to use
&lt;a href=&quot;http://www.skolelinux.org/&quot;&gt;Skolelinux&lt;/a&gt;. The new IT
solution has been rolled out for a few months now, and as far as I was
told before the summer, all schools were to have the new setup in place
before the start of the school year this autumn. At every school one
can choose at installation time whether the machines get Windows or
Skolelinux, and one can in addition PXE boot the machines over the
network as thin clients or diskless workstations. I am curious how
many schools choose to adopt Skolelinux, and look forward to seeing how
this develops. The solution is delivered by
&lt;a href=&quot;http://www.logica.no/&quot;&gt;Logica&lt;/a&gt; with
&lt;a href=&quot;http://www.slxdrift.no/&quot;&gt;Skolelinux Drift AS&lt;/a&gt; as
subcontractor, and I have been involved in developing the solution via
Skolelinux Drift AS since the project started. I find it fantastic
that Skolelinux has come so far since we started in 2001 that all the
pupils in the Oslo schools now get the chance to use it. I hope they
will appreciate all the
&lt;a href=&quot;http://www.skolelinux.no/linux-signpost/&quot;&gt;fantastic
user applications&lt;/a&gt; available in Skolelinux.&lt;/p&gt;
</description>
</item>

<item>
<title>Broken umask handling with sshfs</title>
<link>http://people.skolelinux.org/pere/blog/Broken_umask_handling_with_sshfs.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Broken_umask_handling_with_sshfs.html</guid>
<pubDate>Thu, 26 Aug 2010 13:30:00 +0200</pubDate>
<description>
&lt;p&gt;My file system semantics program
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html&quot;&gt;presented
a few days ago&lt;/a&gt; is very useful to verify that a file system can
work as a Unix home directory, and today I had to extend it a bit. I&#39;m
looking into alternatives for home directory access here at the
University of Oslo, and one of the options is sshfs. My friend
Finn-Arne mentioned a while back that they had used sshfs with Debian
Edu, but stopped because of problems. I asked today what the problems
were, and he mentioned that sshfs failed to handle umask properly.
Trying to detect the problem I wrote this addition to my fs testing
script:&lt;/p&gt;

&lt;pre&gt;
/* Addition to fs-test.c; it relies on the includes and the
   _LARGEFILE defines already at the top of that file. */

/* Create name with the requested mode, fstat() the open descriptor and
   return the permission bits the file system actually gave the file.
   The name is unlinked right away, so no stale copy from an earlier
   run can influence the result. */
mode_t touch_get_mode(const char *name, mode_t mode) {
  mode_t retval = 0;
  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, mode);
  if (-1 != fd) {
    unlink(name);
    struct stat statbuf;
    if (-1 != fstat(fd, &amp;statbuf)) {
      retval = statbuf.st_mode &amp; 0x1ff; /* keep only the rwx bits (0777) */
    }
    close(fd);
  }
  return retval;
}

/* Try to detect problem discovered using sshfs: a new file must get
   the requested mode with the umask bits cleared, nothing else. */
int test_umask(void) {
  printf(&quot;info: testing umask effect on file creation\n&quot;);

  mode_t orig_umask = umask(000);
  mode_t newmode;
  if (0666 != (newmode = touch_get_mode(&quot;foobar&quot;, 0666))) {
    printf(&quot; error: Wrong file mode %o when creating using mode 666 and umask 000\n&quot;,
           newmode);
  }
  umask(007);
  if (0660 != (newmode = touch_get_mode(&quot;foobar&quot;, 0666))) {
    printf(&quot; error: Wrong file mode %o when creating using mode 666 and umask 007\n&quot;,
           newmode);
  }

  umask(orig_umask); /* restore the caller&#39;s umask */
  return 0;
}

int main(int argc, char **argv) {
  [...]
  test_umask();
  return 0;
}
&lt;/pre&gt;

&lt;p&gt;Sure enough. On NFS to a NetApp, I get this result:&lt;/p&gt;

&lt;pre&gt;
Testing POSIX/Unix semantics on file system
info: testing symlink creation
info: testing subdirectory creation
info: testing fcntl locking
Read-locking 1 byte from 1073741824
Read-locking 510 byte from 1073741826
Unlocking 1 byte from 1073741824
Write-locking 1 byte from 1073741824
Write-locking 510 byte from 1073741826
Unlocking 2 byte from 1073741824
info: testing umask effect on file creation
&lt;/pre&gt;

&lt;p&gt;When mounting the same directory using sshfs, I get this
result:&lt;/p&gt;

&lt;pre&gt;
Testing POSIX/Unix semantics on file system
info: testing symlink creation
info: testing subdirectory creation
info: testing fcntl locking
Read-locking 1 byte from 1073741824
Read-locking 510 byte from 1073741826
Unlocking 1 byte from 1073741824
Write-locking 1 byte from 1073741824
Write-locking 510 byte from 1073741826
Unlocking 2 byte from 1073741824
info: testing umask effect on file creation
error: Wrong file mode 644 when creating using mode 666 and umask 000
error: Wrong file mode 640 when creating using mode 666 and umask 007
&lt;/pre&gt;

&lt;p&gt;So, I can conclude that sshfs is better than SMB to a NetApp or a
Windows server, but not good enough to be used as a home
directory.&lt;/p&gt;

&lt;p&gt;Update 2010-08-26: Reported the issue in
&lt;a href=&quot;http://bugs.debian.org/594498&quot;&gt;BTS report #594498&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Update 2010-08-27: Michael Gebetsroither reports that he found the
script so useful that he created a GIT repository and stored it in
&lt;a href=&quot;http://github.com/gebi/fs-test&quot;&gt;http://github.com/gebi/fs-test&lt;/a&gt;.&lt;/p&gt;
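&lt;p&gt;The same check in Python, added here as an example and not part of fs-test.c: it creates a file with a requested mode under a chosen umask, reads back what the file system actually set, and reports every mismatch, flagging the ones where the file came out more open than requested, which is the case that matters on a shared home server. It also computes which bits were stripped beyond what the local umask explains; for the sshfs output above that is 022 and 020, exactly what one would see if a umask of 022 were applied on the remote side on top of the client&#39;s (the editor&#39;s reading of the printed numbers, not something the post states). Pass the mount point under test to check_umask_handling(); probe_tmpdir() runs the same checks on a scratch directory on the local disk.&lt;/p&gt;

```python
import os
import stat
import tempfile


def create_and_get_mode(directory, requested, mask):
    """Create a file with open(O_CREAT, requested) under umask mask and
    return the permission bits the file system actually gave it. Mirrors
    the C touch_get_mode() above: the file is unlinked again at once."""
    path = os.path.join(directory, 'umask-probe')
    old_mask = os.umask(mask)
    try:
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, requested)
    finally:
        os.umask(old_mask)          # never leave the caller's umask changed
    try:
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
        os.unlink(path)


def expected_mode(requested, mask):
    """What POSIX promises: requested with the umask bits cleared.
    (r | m) ^ m is r with every bit of m removed, i.e. r AND NOT m."""
    return (requested | mask) ^ mask


def extra_bits_stripped(requested, mask, actual):
    """Bits POSIX says should be set but are not: the mask somebody else
    applied on top. For the sshfs output above this is 022 and 020."""
    want = expected_mode(requested, mask)
    return (want | actual) ^ actual


def check_umask_handling(directory,
                         cases=((0o666, 0o000), (0o666, 0o007), (0o600, 0o077))):
    """Run the probe for each (requested mode, umask) pair and return the
    mismatches. more_permissive marks files that ended up more open than
    asked for, the outcome that actually exposes data on a home server."""
    findings = []
    for requested, mask in cases:
        actual = create_and_get_mode(directory, requested, mask)
        want = expected_mode(requested, mask)
        if actual != want:
            findings.append({'requested': requested, 'umask': mask,
                             'expected': want, 'actual': actual,
                             'more_permissive': ((actual | want) ^ want) != 0})
    return findings


def probe_tmpdir():
    """Run the checks on a scratch directory on the local file system."""
    with tempfile.TemporaryDirectory() as directory:
        return check_umask_handling(directory)


if __name__ == '__main__':
    for finding in probe_tmpdir():
        print('error: requested %o with umask %03o, expected %o, got %o' % (
            finding['requested'], finding['umask'],
            finding['expected'], finding['actual']))
```

On a local ext4 or tmpfs directory the list of findings is empty; on the sshfs mount from the post the first two cases would report 644 and 640, with more_permissive false, since the remote side only took bits away.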
</description>
</item>

<item>
<title>Electronic voting cannot be trusted - not in Norway either</title>
<link>http://people.skolelinux.org/pere/blog/Elektronisk_stemmegiving_er_ikke_til____stole_p_____heller_ikke_i_Norge.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Elektronisk_stemmegiving_er_ikke_til____stole_p_____heller_ikke_i_Norge.html</guid>
<pubDate>Mon, 23 Aug 2010 19:30:00 +0200</pubDate>
<description>
&lt;p&gt;In Norway a process is under way to
&lt;a href=&quot;http://www.e-valg.dep.no/&quot;&gt;introduce electronic
voting&lt;/a&gt; in municipal and parliamentary elections. It is to be
introduced in 2011. There is every reason to believe that elections in
Norway will not be trustworthy if this is carried out. When the matter
was out for consultation in 2006 I wrote
&lt;a href=&quot;http://www.nuug.no/dokumenter/valg-horing-2006-09.pdf&quot;&gt;a
consultation response from NUUG&lt;/a&gt; (which EFN joined) outlining the
points that must be met for an election to be trustworthy, and
electronic voting lacks several of them. Electronic voting is, for all
practical purposes, putting one&#39;s vote into a black box under somebody
else&#39;s control and hoping that those controlling the box can be
trusted, without any way to verify this oneself. That is not how
democratic elections are conducted.&lt;/p&gt;

&lt;p&gt;Since the problem is fundamental to how electronic voting must work
for non-cryptographers to be able to take part as well, there have been
many reports of electronic voting failing in country after country. A
&lt;a href=&quot;http://wiki.nuug.no/uttalelser/2006-elektronisk-stemmegiving&quot;&gt;small
collection of references&lt;/a&gt; is kept on NUUG&#39;s wiki. The latest is
from India, where the election commission has chosen
&lt;a href=&quot;http://www.freedom-to-tinker.com/blog/jhalderm/electronic-voting-researcher-arrested-over-anonymous-source&quot;&gt;to
set the police on a researcher&lt;/a&gt; who documented weaknesses in the
voting system.&lt;/p&gt;

&lt;p&gt;Here in Norway a different approach has been chosen, trying to use
technobabble to make the population believe this will be secure.
Remember, electronic voting undermines the democratic elections in
Norway, and should not be introduced.&lt;/p&gt;

&lt;p&gt;The public debate is made a bit difficult by the media having chosen
to call this &quot;evalg&quot; (e-election), a term that can be said to cover
both the electronic counting of votes, which Norway has done since the
1960s and which is a very good idea, and electronic vote casting, which
is a very bad idea. The discussion makes no sense if it is about being
for or against &quot;evalg&quot;, so I try to be clear that I am talking about
electronic vote casting and avoid the term &quot;evalg&quot;.&lt;/p&gt;
</description>
</item>

<item>
<title>Robot, stand up...</title>
<link>http://people.skolelinux.org/pere/blog/Robot__reis_deg___.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Robot__reis_deg___.html</guid>
<pubDate>Sat, 21 Aug 2010 22:10:00 +0200</pubDate>
<description>
&lt;p&gt;Today I finally got to take a look at my newly purchased robots, and
have spent a few hours googling for interesting references and relevant
source code for use on Linux. The most promising so far is
&lt;a href=&quot;http://ispykee.toyz.org/&quot;&gt;ispykee&lt;/a&gt;, which has a
BSD-licensed Linux daemon acting as an intermediary between robots on
the local network and a central service that an iPhone connects to in
order to remote-control the robot. The Linux daemon implements parts
of the protocol the robot understands. After some fiddling to get in
contact with the robot (it sets up its own ad-hoc wifi network, so I
had to leave my usual network to reach it), and having worked out that
it listens on IP ports 9000 and 9001, I set about finding out how I
could talk to the robot via these ports. The robot side of the
protocol is published by the manufacturer under the GPL, so it is
possible to see how the protocol works. There is a Java client for
Android that looked quite slick, but I found no source code for it.
The iPhone solution, on the other hand, had source code, so I used that
as my starting point.&lt;/p&gt;

&lt;p&gt;The daemon would initially try to contact the central service that
the iPhone program connects to. I rewrote this to instead set up a
network service on my local machine, which I can connect to with telnet
to give commands to the robot (act, forward, right, left, etc.). In
practice this meant replacing socket()/connect() with
socket()/bind()/listen()/accept() to turn the client into a
server.&lt;/p&gt;

&lt;p&gt;While I have been trying to get the robot to move, my partner has
assembled the rest of the robot to mount the camera and the plastic
decorations (arms, plastic fibre for the lights). Now it is all
assembled and the robot is ready for use. I need to move it over to my
usual wireless network before it becomes practical, but those parts of
the protocol are not implemented in the ispykee daemon, so there I will
either have to get hold of a Mac or a Windows machine, or implement it
myself.&lt;/p&gt;

&lt;p&gt;Three of us bought such robots, and we have agreed to collect notes
and references on &lt;a
href=&quot;http://wiki.nuug.no/grupper/robot/&quot;&gt;NUUG&#39;s wiki&lt;/a&gt;. Take a
look there if you are curious.&lt;/p&gt;
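&lt;p&gt;The client-to-server swap described above, as an added Python example rather than the ispykee daemon&#39;s own C code: a listener built with socket()/bind()/listen()/accept() that takes the kind of command words named above (act, forward, right, left) over a telnet-style connection and hands them to a send_to_robot callback. The robot side of the protocol is not shown in the post, so the callback, the command allowlist and the extra &quot;stop&quot; word are assumptions. Two things a daemon like this should do that the swap itself does not give you: bind to the loopback address only, since the robot accepts whatever it is sent, and validate each line against an allowlist before forwarding it.&lt;/p&gt;

```python
import socket
import threading

# Command words the post mentions (act, forward, right, left); how they map
# to the robot's own protocol is not shown there, so send_to_robot is injected.
ALLOWED_COMMANDS = ('act', 'forward', 'right', 'left', 'stop')


def handle_line(line, send_to_robot):
    """Validate one line typed into telnet; only allowlisted words reach the robot."""
    word = line.strip().lower()
    if not word:
        return 'error empty command\n'
    if word not in ALLOWED_COMMANDS:
        return 'error unknown command %s\n' % word
    send_to_robot(word)
    return 'ok %s\n' % word


class CommandServer:
    """The server half of the swap the post describes: socket()/bind()/listen()/
    accept() in place of socket()/connect(). Bound to loopback by default,
    because the commands carry no authentication of their own."""

    def __init__(self, send_to_robot, host='127.0.0.1', port=0):
        self.send_to_robot = send_to_robot
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the kernel pick one
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self.serve_one_client, daemon=True)
        self.thread.start()

    def serve_one_client(self):
        conn, _peer = self.sock.accept()
        buf = b''
        with conn:
            while True:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
                while b'\n' in buf:           # one command per line, like telnet
                    line, buf = buf.split(b'\n', 1)
                    reply = handle_line(line.decode('ascii', 'replace'),
                                        self.send_to_robot)
                    conn.sendall(reply.encode('ascii'))
        self.sock.close()


def telnet_session(port, lines):
    """Minimal stand-in for the telnet session: one reply per line sent."""
    replies = []
    with socket.create_connection(('127.0.0.1', port)) as client:
        stream = client.makefile('rwb')
        for line in lines:
            stream.write(line.encode('ascii') + b'\n')
            stream.flush()
            replies.append(stream.readline().decode('ascii').rstrip('\n'))
        stream.close()
    return replies


def demo():
    """Start a server, drive it like the post's telnet session, and return the
    replies next to what reached the (constructed) robot callback."""
    sent = []
    server = CommandServer(sent.append)
    replies = telnet_session(server.port, ['forward', 'left', 'rm -rf /', 'act'])
    server.thread.join(timeout=5)
    return replies, sent


if __name__ == '__main__':
    print(demo())
```

The allowlist is what keeps a stray line on the telnet session from reaching the robot; with the server bound to 127.0.0.1, only local users can connect to it at all.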
</description>
</item>

<item>
<title>2 Spykee robots in the house, now it is time to play</title>
<link>http://people.skolelinux.org/pere/blog/2_Spykee_roboter_i_hus__n___skal_det_lekes.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/2_Spykee_roboter_i_hus__n___skal_det_lekes.html</guid>
<pubDate>Wed, 18 Aug 2010 13:30:00 +0200</pubDate>
<description>
&lt;p&gt;I just bought two
&lt;a href=&quot;http://www.spykee-robot.com/&quot;&gt;Spykee&lt;/a&gt; robots, for testing
and play. I bought two since they were so cheap, and it gives me the
opportunity to experiment without being very afraid of breaking
everything by replacing the firmware and such. I discovered that the
toy shop at Bryn senter had a small stack in stock that they had not
managed to sell after last year&#39;s Christmas purchasing, and were
willing to sell for a fifth of the normal price. Ronny, Jarle and I
have acquired the remaining stock, and it will be fun to see what we
get out of this.&lt;/p&gt;

&lt;p&gt;The robot has tracks driven by two motors, a camera, a speaker, a
microphone and a wifi connection. All of it controlled by a
GPL-licensed computer box that I suspect runs Linux. The firmware
source code was apparently published in May. The only challenge is
that the controller software exists only for Windows, but that should
be possible to work around when we have the source code for the
firmware. :)&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/Spykee&quot;&gt;Wikipedia entry&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.spykeeworld.com/spykee/US/freeSoftware.html&quot;&gt;Download of the firmware source&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://wiki.nuug.no/grupper/robot&quot;&gt;project wiki at NUUG&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
</item>

<item>
<title>Rob Weir: How to Crush Dissent</title>
<link>http://people.skolelinux.org/pere/blog/Rob_Weir__How_to_Crush_Dissent.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Rob_Weir__How_to_Crush_Dissent.html</guid>
<pubDate>Sun, 15 Aug 2010 22:20:00 +0200</pubDate>
<description>
&lt;p&gt;I found the notes from Rob Weir on
&lt;a href=&quot;http://feedproxy.google.com/~r/robweir/antic-atom/~3/VGb23-kta8c/how-to-crush-dissent.html&quot;&gt;how
to crush dissent&lt;/a&gt; matching my own thoughts on the matter quite
well. Highly recommended for those wondering which road our society
should go down. In my view we have been heading the wrong way for a
long time.&lt;/p&gt;
</description>
</item>

<item>
<title>No hardcoded config on Debian Edu clients</title>
<link>http://people.skolelinux.org/pere/blog/No_hardcoded_config_on_Debian_Edu_clients.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/No_hardcoded_config_on_Debian_Edu_clients.html</guid>
<pubDate>Mon, 9 Aug 2010 20:15:00 +0200</pubDate>
<description>
&lt;p&gt;As reported earlier, the last few days I have looked at how Debian
Edu clients are configured, and tried to get rid of all hardcoded
configuration settings on the clients. I believe the work to be
mostly done, and the clients seem to work just fine with dynamically
generated configuration.&lt;/p&gt;

&lt;p&gt;What is the point, you might ask? The point is to allow a Debian
Edu desktop to integrate into an existing network infrastructure
without any manual configuration.&lt;/p&gt;

&lt;p&gt;This is what happens when installing a Debian Edu client here at
the University of Oslo using PXE. With the PXE installation, I am
asked for language (Norwegian Bokmål), locality (Norway) and keyboard
layout (no-latin1), Debian Edu profile (Roaming Workstation), whether I
accept to reformat the hard drive (yes), whether I want to submit info
to popcon.debian.org (no) and the root password (secret). After
answering these questions, the installer goes ahead and does its thing,
and after around 50 minutes it is done. I press enter to finish the
installation, and the machine reboots into KDE. When the machine is
ready and kdm asks for login information, I enter my university
username and password, am told by kdm that a local home directory has
been created and that I must log in again, and finally log in with the
same username and password to the KDE 4.4 desktop. At no point during
this process did it ask for university-specific settings, and all the
required configuration was dynamically detected using information
fetched via DHCP and DNS. The roaming workstation is now ready for
use.&lt;/p&gt;

&lt;p&gt;How was this done, you might wonder? First of all, here is the
list of things that need to be configured on the client to get it
working properly out of the box:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;IP address/netmask and DNS server.&lt;/li&gt;
&lt;li&gt;Web proxy URL.&lt;/li&gt;
&lt;li&gt;LDAP server for NSS directory information (user, group, etc).&lt;/li&gt;
&lt;li&gt;Kerberos server for PAM password checking.&lt;/li&gt;
&lt;li&gt;SMB mount point to access the network home directory. (*)&lt;/li&gt;
&lt;li&gt;Central syslog server to send syslog messages to. (*)&lt;/li&gt;
&lt;li&gt;Sitesummary collector URL to submit info to the central server. (*)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;(Hm, did I forget anything? Let me know if I did.)&lt;/p&gt;

&lt;p&gt;The points marked (*) are not required to be able to use the
machine, but are needed to provide central storage and to allow system
administrators to track their machines. Since yesterday, everything
but the sitesummary collector URL is dynamically discovered at boot
and installation time in the svn version of Debian Edu.&lt;/p&gt;

&lt;p&gt;The IP and DNS setup is fetched during boot using DHCP as usual.
When a DHCP update arrives, the proxy setup is updated by looking for
http://wpad/wpad.dat and using the content of this WPAD file to
configure the http and ftp proxy in /etc/environment and
/etc/apt/apt.conf. I decided to update the proxy setup using a DHCP
hook to ensure that the client stops using the Debian Edu proxy when
it is moved outside the Debian Edu network, and instead uses any local
proxy present on the new network when it moves around.&lt;/p&gt;

&lt;p&gt;The DNS names of the LDAP, Kerberos and syslog server and related
configuration are generated using DNS information at boot. First the
installer looks for a host named ldap in the current DNS domain. If
not found, it looks for _ldap._tcp SRV records in DNS instead. If an
LDAP server is found, its root DSE entry is requested and the
attributes namingContexts and defaultNamingContext are used to
determine which LDAP base to use for NSS. If there are several
namingContexts attributes and the defaultNamingContext is present, that
LDAP subtree is used as the base. If defaultNamingContext is missing,
the subtrees listed as namingContexts are searched in sequence for any
object with class posixAccount or posixGroup, and the first one with
such an object is used as the LDAP base. For Kerberos, a similar
search is done by first looking for a host named kerberos, and then
for the _kerberos._tcp SRV record. I&#39;ve been unable to find a way to
look up the Kerberos realm, so for this the upper case string of the
current DNS domain is used.&lt;/p&gt;

&lt;p&gt;For the syslog server, the hosts syslog and loghost are searched
for, and the _syslog._udp SRV record is consulted if no such host is
found. This algorithm works for both Debian Edu and the University of
Oslo. A similar strategy would work for locating the sitesummary
server, but it has not been implemented yet. I decided to fetch and
save these settings during installation, to make sure moving to a
different network does not change the set of users allowed to log in
nor the passwords required to log in. Usernames and passwords will be
cached by sssd when the user logs in on the Debian Edu network, and
will not change as the laptop moves around. For a non-roaming machine,
there is no caching, but given that it is supposed to stay in place it
should not matter much. Perhaps we should switch those to use sssd
too?&lt;/p&gt;

&lt;p&gt;The user&#39;s SMB mount point for the network home directory is
located when the user logs in for the first time. The LDAP server is
consulted to look for the user&#39;s LDAP object and the sambaHomePath
attribute is used if found. If it isn&#39;t found, the home directory
path fetched from NSS is used instead. Assuming the path is of the
form /site/server/directory/username, the second part is looked up in
DNS and used to generate an SMB URL of the form
smb://server.domain/username. This algorithm works for both Debian
Edu and the University of Oslo. Perhaps there are better attributes
to use or a better algorithm that works for more sites, but this will
do for now. :)&lt;/p&gt;

&lt;p&gt;This work should make it easier to integrate the Debian Edu clients
into any LDAP/Kerberos infrastructure, and make the current setup even
more flexible than before. I suspect it will also work for thin
client servers, allowing one to easily set up LTSP and hook it into an
existing network infrastructure, but I have not had time to test this
yet.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

&lt;p&gt;Update 2010-08-09: Simon Farnsworth gave me a heads-up on how to
detect the Kerberos realm from DNS, by looking for _kerberos TXT entries
before falling back to the upper case DNS domain name. Will have to
implement it for Debian Edu. :)&lt;/p&gt;
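&lt;p&gt;The discovery rules described above, collected into one runnable sketch. This is an example added by the editor, not the Debian Edu installer code: the resolver is a constructed stand-in with a fixed record set so it runs offline (a real one would wrap dnspython or parse dig output), example.org and its host names are made up, the posixAccount/posixGroup probe is an injected callback instead of an LDAP search, and the conversion of a sambaHomePath UNC to an smb:// URL is a guess the post does not spell out. The _kerberos TXT lookup from the update is included ahead of the upper-cased domain fallback. One caveat worth stating: every answer here comes from DHCP and DNS, so it is only as trustworthy as the network the query is made on, which is exactly why the post pins the LDAP and Kerberos results at installation time; the WPAD proxy the DHCP hook picks up on a foreign network puts that network&#39;s proxy in the path of the client&#39;s HTTP, FTP and APT traffic, leaving apt&#39;s signature checking as the protection for package installs there.&lt;/p&gt;

```python
import re


class FakeResolver:
    """Constructed stand-in for DNS so the example runs offline. A real
    resolver would wrap dnspython or parse dig output. records maps a
    lower-case name to {'A': [...], 'SRV': [(prio, weight, port, target)],
    'TXT': [...]}."""

    def __init__(self, records):
        self.records = records

    def lookup(self, name, rrtype):
        return list(self.records.get(name.lower(), {}).get(rrtype, []))


def find_service(resolver, domain, hostnames, srv_name, default_port):
    """The post's order: a plain host name in the current domain first
    (ldap, kerberos, syslog/loghost), then the _service._proto SRV record."""
    for host in hostnames:
        fqdn = '%s.%s' % (host, domain)
        if resolver.lookup(fqdn, 'A'):
            return fqdn, default_port
    # lowest priority value wins; SRV weights are ignored in this sketch
    srv = sorted(resolver.lookup('%s.%s' % (srv_name, domain), 'SRV'))
    if srv:
        _prio, _weight, port, target = srv[0]
        return target.rstrip('.'), port
    return None


def kerberos_realm(resolver, domain):
    """The _kerberos TXT record from the update, else the upper-cased domain."""
    txt = resolver.lookup('_kerberos.%s' % domain, 'TXT')
    return txt[0] if txt else domain.upper()


def choose_ldap_base(root_dse, has_posix_objects):
    """root_dse holds the namingContexts/defaultNamingContext attributes.
    has_posix_objects(base) is the posixAccount/posixGroup probe; a real one
    would search the subtree, here it is injected (assumption)."""
    contexts = root_dse.get('namingContexts', [])
    default = root_dse.get('defaultNamingContext', [])
    if default and default[0] in contexts:
        return default[0]
    for base in contexts:              # searched in sequence, first hit wins
        if has_posix_objects(base):
            return base
    return None


def smb_home_url(resolver, domain, nss_home, samba_home_path=None):
    """sambaHomePath if the user's LDAP object has one (assumed to be a UNC
    path with backslashes, rewritten to smb://server/share), otherwise the
    NSS home /site/server/directory/username with server resolved in DNS."""
    if samba_home_path:
        return 'smb:' + samba_home_path.replace('\\', '/')
    m = re.match(r'^/([^/]+)/([^/]+)/([^/]+)/([^/]+)$', nss_home)
    if not m:
        return None
    fqdn = '%s.%s' % (m.group(2), domain)
    if not resolver.lookup(fqdn, 'A'):
        return None
    return 'smb://%s/%s' % (fqdn, m.group(4))


def discover_site(resolver, domain):
    """Everything the client needs, as one dict; None marks what is missing."""
    return {
        'ldap': find_service(resolver, domain, ['ldap'], '_ldap._tcp', 389),
        'kerberos': find_service(resolver, domain, ['kerberos'], '_kerberos._tcp', 88),
        'realm': kerberos_realm(resolver, domain),
        'syslog': find_service(resolver, domain, ['syslog', 'loghost'], '_syslog._udp', 514),
    }


# Constructed record set standing in for a site's DNS zone.
EXAMPLE_RECORDS = {
    'ldap.example.org': {'A': ['192.0.2.10']},
    '_kerberos._tcp.example.org': {'SRV': [(10, 0, 88, 'kdc2.example.org.'),
                                           (0, 0, 88, 'kdc1.example.org.')]},
    '_kerberos.example.org': {'TXT': ['EXAMPLE.ORG']},
    'loghost.example.org': {'A': ['192.0.2.20']},
    'homesrv.example.org': {'A': ['192.0.2.30']},
}


if __name__ == '__main__':
    resolver = FakeResolver(EXAMPLE_RECORDS)
    print(discover_site(resolver, 'example.org'))
    print(smb_home_url(resolver, 'example.org', '/site/homesrv/home/pere'))
```

With the constructed zone, ldap and syslog are found by host name, Kerberos falls through to the SRV record (the priority 0 KDC wins), the realm comes from the TXT record, and the sitesummary lookup the post has not implemented yet would simply return None.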
</description>
</item>

448 <item>
449 <title>Testing if a file system can be used for home directories...</title>
450 <link>http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</link>
451 <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</guid>
452 <pubDate>Sun, 8 Aug 2010 21:20:00 +0200</pubDate>
453 <description>
454 &lt;p&gt;A few years ago, I was involved in a project planning to use
455 Windows file servers as home directory servers for Debian
456 Edu/Skolelinux machines. This was thought to be no problem, as the
457 access would be through the SMB network file system protocol, and we
458 knew other sites used SMB with unix and samba as the file server to
459 mount home directories without any problems. But, after months of
460 struggling, we had to conclude that our goal was impossible.&lt;/p&gt;
461
462 &lt;p&gt;The reason is simply that while SMB can be used for home
463 directories when the file server is Samba running on Unix, this only
464 work because of Samba have some extensions and the fact that the
465 underlying file system is a unix file system. When using a Windows
466 file server, the underlying file system do not have POSIX semantics,
467 and several programs will fail if the users home directory where they
468 want to store their configuration lack POSIX semantics.&lt;/p&gt;
469
470 &lt;p&gt;As part of this work, I wrote a small C program I want to share
471 with you all, to replicate a few of the problematic applications (like
472 OpenOffice.org and GCompris) and see if the file system was working as
473 it should. If you find yourself in spooky file system land, it might
474 help you find your way out again. This is the fs-test.c source:&lt;/p&gt;
475
476 &lt;pre&gt;
477 /*
478 * Some tests to check the file system sematics. Used to verify that
479 * CIFS from a windows server do not work properly as a linux home
480 * directory.
481 * License: GPL v2 or later
482 *
483 * needs libsqlite3-dev and build-essential installed
484 * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
485 */
486
487 #define _FILE_OFFSET_BITS 64
488 #define _LARGEFILE_SOURCE 1
489 #define _LARGEFILE64_SOURCE 1
490
491 #define _GNU_SOURCE /* for asprintf() */
492
493 #include &amp;lt;errno.h&gt;
494 #include &amp;lt;fcntl.h&gt;
495 #include &amp;lt;stdio.h&gt;
496 #include &amp;lt;string.h&gt;
497 #include &amp;lt;stdlib.h&gt;
498 #include &amp;lt;sys/file.h&gt;
499 #include &amp;lt;sys/stat.h&gt;
500 #include &amp;lt;sys/types.h&gt;
501 #include &amp;lt;unistd.h&gt;
502
503 #ifdef TEST_SQLITE
504 /*
505 * Test sqlite open, as done by gcompris require the libsqlite3-dev
506 * package and linking with -lsqlite3. A more low level test is
507 * below.
508 * See also &amp;lt;URL: http://www.sqlite.org./faq.html#q5 &gt;.
509 */
510 #include &amp;lt;sqlite3.h&gt;
511 #define CREATE_TABLE_USERS \
512 &quot;CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); &quot;
513 int test_sqlite_open(void) {
514 char *zErrMsg;
515 char *name = &quot;testsqlite.db&quot;;
516 sqlite3 *db=NULL;
517 unlink(name);
518 int rc = sqlite3_open(name, &amp;db);
519 if( rc ){
520 printf(&quot;error: sqlite open of %s failed: %s\n&quot;, name, sqlite3_errmsg(db));
521 sqlite3_close(db);
522 return -1;
523 }
524
525 /* create tables */
526 rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &amp;zErrMsg);
527 if( rc != SQLITE_OK ){
528 printf(&quot;error: sqlite table create failed: %s\n&quot;, zErrMsg);
529 sqlite3_close(db);
530 return -1;
531 }
532 printf(&quot;info: sqlite worked\n&quot;);
533 sqlite3_close(db);
534 return 0;
535 }
536 #endif /* TEST_SQLITE */
537
538 /*
539 * Demonstrate locking issue found in gcompris using sqlite3. This
540 * work with ext3, but not with cifs server on Windows 2003. This is
541 * done in the sqlite3 library.
542 * See also
543 * &amp;lt;URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html&gt; and the
544 * POSIX specification
545 * &amp;lt;URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html&gt;.
546 */
547 int test_gcompris_locking(void) {
548 struct flock fl;
549 char *name = &quot;testsqlite.db&quot;;
550 unlink(name);
551 int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
552 printf(&quot;info: testing fcntl locking\n&quot;);
553
554 fl.l_whence = SEEK_SET;
555 fl.l_pid = getpid();
556 printf(&quot; Read-locking 1 byte from 1073741824&quot;);
557 fl.l_start = 1073741824;
558 fl.l_len = 1;
559 fl.l_type = F_RDLCK;
560 if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);
561
562 printf(&quot; Read-locking 510 byte from 1073741826&quot;);
563 fl.l_start = 1073741826;
564 fl.l_len = 510;
565 fl.l_type = F_RDLCK;
566 if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);
567
568 printf(&quot; Unlocking 1 byte from 1073741824&quot;);
569 fl.l_start = 1073741824;
570 fl.l_len = 1;
571 fl.l_type = F_UNLCK;
572 if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);
573
574 printf(&quot; Write-locking 1 byte from 1073741824&quot;);
575 fl.l_start = 1073741824;
576 fl.l_len = 1;
577 fl.l_type = F_WRLCK;
578 if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);
579
580 printf(&quot; Write-locking 510 byte from 1073741826&quot;);
581 fl.l_start = 1073741826;
582 fl.l_len = 510;
583 if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);
584
585 printf(&quot; Unlocking 2 byte from 1073741824&quot;);
586 fl.l_start = 1073741824;
587 fl.l_len = 2;
588 fl.l_type = F_UNLCK;
589 if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);
590
591 close(fd);
592 return 0;
593 }
594
595 /*
596 * Test if permissions of freshly created directories allow entries
597 * below them. This was a problem with OpenOffice.org and gcompris.
598 * Mounting with option &#39;sync&#39; seem to solve this problem while
599 * slowing down file operations.
600 */
601 int test_subdirectory_creation(void) {
602 #define LEVELS 5
603 char *path = strdup(&quot;test&quot;);
604 char *dirs[LEVELS];
605 int level;
606 printf(&quot;info: testing subdirectory creation\n&quot;);
607 for (level = 0; level &amp;lt; LEVELS; level++) {
608 char *newpath = NULL;
609 if (-1 == mkdir(path, 0777)) {
610 printf(&quot; error: Unable to create directory &#39;%s&#39;: %s\n&quot;,
611 path, strerror(errno));
612 break;
613 }
614 asprintf(&amp;newpath, &quot;%s/%s&quot;, path, &quot;test&quot;);
615 free(path);
616 path = newpath;
617 }
618 return 0;
619 }
620
621 /*
622 * Test if symlinks can be created. This was a problem detected with
623 * KDE.
624 */
625 int test_symlinks(void) {
626 printf(&quot;info: testing symlink creation\n&quot;);
627 unlink(&quot;symlink&quot;);
628 if (-1 == symlink(&quot;file&quot;, &quot;symlink&quot;))
629 printf(&quot; error: Unable to create symlink\n&quot;);
630 return 0;
631 }
632

int main(int argc, char **argv) {
  printf(&quot;Testing POSIX/Unix semantics on file system\n&quot;);
  test_symlinks();
  test_subdirectory_creation();
#ifdef TEST_SQLITE
  test_sqlite_open();
#endif /* TEST_SQLITE */
  test_gcompris_locking();
  return 0;
}
&lt;/pre&gt;

&lt;p&gt;When everything is working, it should print something like
this:&lt;/p&gt;

&lt;pre&gt;
Testing POSIX/Unix semantics on file system
info: testing symlink creation
info: testing subdirectory creation
info: sqlite worked
info: testing fcntl locking
 Read-locking 1 byte from 1073741824
 Read-locking 510 byte from 1073741826
 Unlocking 1 byte from 1073741824
 Write-locking 1 byte from 1073741824
 Write-locking 510 byte from 1073741826
 Unlocking 2 byte from 1073741824
&lt;/pre&gt;

&lt;p&gt;I do not remember the exact details of the problems we saw, but one
of them was with locking, where if I remember correctly, POSIX allows a
read-only lock to be upgraded to a read-write lock without unlocking
the read-only lock (while Windows does not). Another was a bug in the
CIFS/SMB client implementation in the Linux kernel where directory
meta information would be wrong for a fraction of a second, making
OpenOffice.org fail to create its deep directory tree because it was
not allowed to create files in its freshly created directory.&lt;/p&gt;

&lt;p&gt;Anyway, here is a nice tool for your tool box, may you never need
it. :)&lt;/p&gt;

&lt;p&gt;Update 2010-08-27: Michael Gebetsroither reports that he found the
script so useful that he created a Git repository and stored it in
&lt;a href=&quot;http://github.com/gebi/fs-test&quot;&gt;http://github.com/gebi/fs-test&lt;/a&gt;.&lt;/p&gt;
</description>
</item>

<item>
<title>Autodetecting Client setup for roaming workstations in Debian Edu</title>
<link>http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</guid>
<pubDate>Sat, 7 Aug 2010 14:45:00 +0200</pubDate>
<description>
&lt;p&gt;A few days ago, I
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html&quot;&gt;tried
to install&lt;/a&gt; a Roaming workstation profile from Debian Edu/Squeeze
while on the university network here at the University of Oslo, and
noticed how much had to change to get it operational using the
university infrastructure. It was fairly easy, but it occurred to me
that Debian Edu would improve a lot if I could get the client to
connect without any changes at all, and thus let the client configure
itself during installation and first boot to use the infrastructure
around it. Now I am a huge step further along that road.&lt;/p&gt;

&lt;p&gt;With our current squeeze-test packages, I can select the roaming
workstation profile and get a working laptop connecting to the
university LDAP server for user and group lookups and our Active
Directory servers for Kerberos authentication. All this without any
configuration at all during installation. My user&#39;s home directory got
a bookmark in the KDE menu to mount it via SMB, with the correct URL.
In short, openldap and sssd are correctly configured. In addition to
this, the client looks for http://wpad/wpad.dat to configure a web
proxy, and when it fails to find it no proxy settings are stored in
/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE are
configured to look for the same wpad configuration and also do not use
a proxy when on the university network. If the machine is moved to a
network with such a wpad setup, it would automatically use it when DHCP
gave it an IP address.&lt;/p&gt;

&lt;p&gt;The LDAP server is located using DNS, by first looking for the DNS
entry ldap.$domain. If this does not exist, it looks for the
_ldap._tcp.$domain SRV records and uses the first one as the LDAP
server. Next, it connects to the LDAP server and searches all
namingContexts entries for posixAccount or posixGroup objects, and
picks the first one as the LDAP base. For Kerberos, a similar
algorithm is used to locate the Kerberos server, and the realm is the
uppercase version of $domain.&lt;/p&gt;

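&lt;p&gt;The discovery steps above, as an added example written for this
page; it is not Debian Edu code, and debian-edu-config does this in its
own scripts. DNS and LDAP lookups are passed in as callables so the
logic runs offline against a constructed fake site; a real client would
back them with a resolver and an LDAP library. It goes a little beyond
the text in two marked places: SRV records are ordered by RFC 2782
priority and weight rather than taken as the first returned, and the
Kerberos server is looked up under the conventional names
kerberos.$domain and _kerberos._tcp.$domain, which the post does not
spell out. The sssd.conf layout at the end is also this example&#39;s
choice, including the StartTLS and certificate-verification lines: the
discovery itself is plain, unauthenticated DNS, so a verified server
certificate is what keeps a spoofed answer from being trusted.&lt;/p&gt;

```python
"""Site autodetection as the post describes it (added example, not Debian
Edu code).  DNS and LDAP lookups are injected callables so it runs offline
against the constructed fake site at the bottom."""
from typing import Callable, List, Tuple

ResolveA = Callable[[str], List[str]]                 # name -> addresses, [] if absent
ResolveSRV = Callable[[str], List[Tuple[int, int, int, str]]]  # (priority, weight, port, target)
NamingContexts = Callable[[str], List[str]]           # ldap host -> root DSE namingContexts
HasPosixObjects = Callable[[str, str], bool]          # (host, base) -> posixAccount/posixGroup found?

# Layout is this example's choice, not what debian-edu-config writes.
SSSD_TEMPLATE = """[sssd]
config_file_version = 2
services = nss, pam
domains = %(domain)s

[domain/%(domain)s]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://%(ldap_host)s:%(ldap_port)d
ldap_search_base = %(ldap_base)s
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
krb5_realm = %(krb5_realm)s
krb5_server = %(kdc_host)s:%(kdc_port)d
"""

def find_service(domain, prefix, srv, default_port, resolve_a, resolve_srv):
    """prefix.$domain first, else the SRV set ordered as RFC 2782 says:
    lowest priority, then highest weight.  The post just takes the first."""
    name = "%s.%s" % (prefix, domain)
    if resolve_a(name):
        return name, default_port
    records = sorted(resolve_srv("%s.%s" % (srv, domain)), key=lambda r: (r[0], -r[1]))
    if not records:
        return None
    return records[0][3].rstrip("."), records[0][2]

def find_ldap_base(host, naming_contexts, has_posix):
    """First naming context in which a search for
    (|(objectClass=posixAccount)(objectClass=posixGroup)) returns something."""
    for base in naming_contexts(host):
        if has_posix(host, base):
            return base
    return None

def detect_site(domain, resolve_a, resolve_srv, naming_contexts, has_posix):
    """Returns a dict with the keys SSSD_TEMPLATE needs, or raises LookupError."""
    ldap = find_service(domain, "ldap", "_ldap._tcp", 389, resolve_a, resolve_srv)
    if ldap is None:
        raise LookupError("no LDAP server found for " + domain)
    base = find_ldap_base(ldap[0], naming_contexts, has_posix)
    if base is None:
        raise LookupError("no posix objects under any naming context on " + ldap[0])
    # Kerberos, same scheme.  The names kerberos.$domain / _kerberos._tcp.$domain
    # are an assumption of this example; the post does not spell them out.
    kdc = find_service(domain, "kerberos", "_kerberos._tcp", 88, resolve_a, resolve_srv)
    if kdc is None:
        raise LookupError("no KDC found for " + domain)
    return {"domain": domain, "ldap_host": ldap[0], "ldap_port": ldap[1],
            "ldap_base": base, "krb5_realm": domain.upper(),
            "kdc_host": kdc[0], "kdc_port": kdc[1]}

def render_sssd_conf(cfg):
    """sssd.conf text from the detected values."""
    return SSSD_TEMPLATE % cfg

# Constructed fake site; all names hypothetical.  uni.example has only SRV
# records (with a deliberately unsorted priority order); school.example has
# the plain ldap./kerberos. names.
FAKE_A = {"ldap.school.example": ["192.0.2.10"], "kerberos.school.example": ["192.0.2.11"]}
FAKE_SRV = {"_ldap._tcp.uni.example": [(10, 50, 389, "dc2.uni.example."),
                                       (0, 100, 389, "dc1.uni.example.")],
            "_kerberos._tcp.uni.example": [(0, 100, 88, "dc1.uni.example.")]}
FAKE_CONTEXTS = {"dc1.uni.example": ["cn=config", "dc=uni,dc=example"],
                 "ldap.school.example": ["dc=school,dc=example"]}
FAKE_POSIX = {("dc1.uni.example", "dc=uni,dc=example"),
              ("ldap.school.example", "dc=school,dc=example")}

def detect_fake(domain):
    """Run the detection against the fake site."""
    return detect_site(domain, lambda n: FAKE_A.get(n, []), lambda n: FAKE_SRV.get(n, []),
                       lambda h: FAKE_CONTEXTS.get(h, []), lambda h, b: (h, b) in FAKE_POSIX)

def detection_fails(domain):
    """True when no usable site is found, e.g. a domain with no records at all."""
    try:
        detect_fake(domain)
    except LookupError:
        return True
    return False

if __name__ == "__main__":
    print(render_sssd_conf(detect_fake("uni.example")))
```

Running it prints the sssd.conf for uni.example, with dc1.uni.example
chosen over dc2 because of its lower SRV priority and dc=uni,dc=example as
the base because cn=config holds no posix objects. A domain with no
records at all makes detect_site raise instead of writing an empty
configuration, which is the failure mode a first-boot script has to
handle rather than proceed from.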
&lt;p&gt;So, what is not working, you might ask. SMB mounting my home
directory does not work. No idea why, but I suspected the incorrect
Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
the cause. These are not properly configured during installation, and
had to be hand-edited to get the correct Kerberos realm and server,
but SMB mounting still does not work. :(&lt;/p&gt;

&lt;p&gt;With this automatic configuration in place, I expect a Debian Edu
roaming profile installation would be able to automatically detect and
connect to any site using LDAP and Kerberos for NSS directory and PAM
authentication. It should also work out of the box in an Active
Directory environment providing posixAccount and posixGroup objects
with UID and GID values.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
</item>

</channel>
</rss>