Make it easier to visit my APT repo.

[homepage.git] / blog / No_hardcoded_config_on_Debian_Edu_clients.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
          "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
  <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <title>Petter Reinholdtsen: No hardcoded config on Debian Edu clients</title>
    <link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/style.css" />
    <link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/vim.css" />


  </head>
  <body>
    <div class="title">
 <h1>
     <a href="http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen</a>
     
 </h1>
 
</div>


    <div class="entry">
      <div class="title">No hardcoded config on Debian Edu clients</div>
      <div class="date"> 9th August 2010</div>
      <div class="body"><p>As reported earlier, the last few days I have looked at how Debian
Edu clients are configured, and tried to get rid of all hardcoded
configuration settings on the clients.  I believe the work to be
mostly done, and the clients seem to work just fine with dynamically
generated configuration.</p>

<p>What is the point, you might ask?  The point is to allow a Debian
Edu desktop to integrate into an existing network infrastructure
without any manual configuration.</p>

<p>This is what happens when installing a Debian Edu client here at
the University of Oslo using PXE.  With the PXE installation, I am
asked for language (Norwegian Bokmål), locality (Norway) and keyboard
layout (no-latin1), Debian Edu profile (Roaming Workstation), if I
accept to reformat the hard drive (yes), if I want to submit info to
popcon.debian.org (no) and root password (secret).  After answering
these questions, the installer goes ahead and does its thing, and
after around 50 minutes it is done.  I press enter to finish the
installation, and the machine reboots into KDE.  When the machine is
ready and kdm asks for login information, I enter my university
username and password, am told by kdm that a local home directory has
been created and that I must log in again, and finally log in with the
same username and password to the KDE 4.4 desktop.  At no point during
this process did it ask for university specific settings, and all the
required configuration was dynamically detected using information
fetched via DHCP and DNS.  The roaming workstation is now ready for
use.</p>

<p>How was this done, you might wonder?  First of all, here is the
list of things that need to be configured on the client to get it
working properly out of the box:</p>

<ul>
<li>IP address/netmask and DNS server.</li>
<li>Web proxy URL.</li>
<li>LDAP server for NSS directory information (user, group, etc).</li>
<li>Kerberos server for PAM password checking.</li>
<li>SMB mount point to access the network home directory. (*)</li>
<li>Central syslog server to send syslog messages to. (*)</li>
<li>Sitesummary collector URL to submit info to central server. (*)</li>
</ul>

<p>(Hm, did I forget anything?  Let me knew if I did.)</p>

<p>The points marked (*) are not required to be able to use the
machine, but needed to provide central storage and allowing system
administrators to track their machines.  Since yesterday, everything
but the sitesummary collector URL is dynamically discovered at boot
and installation time in the svn version of Debian Edu.</p>

<p>The IP and DNS setup is fetched during boot using DHCP as usual.
When a DHCP update arrives, the proxy setup is updated by looking for
http://wpat/wpad.dat and using the content of this WPAD file to
configure the http and ftp proxy in /etc/environment and
/etc/apt/apt.conf.  I decided to update the proxy setup using a DHCP
hook to ensure that the client stops using the Debian Edu proxy when
it is moved outside the Debian Edu network, and instead uses any local
proxy present on the new network when it moves around.</p>

<p>The DNS names of the LDAP, Kerberos and syslog server and related
configuration are generated using DNS information at boot.  First the
installer looks for a host named ldap in the current DNS domain.  If
not found, it looks for _ldap._tcp SRV records in DNS instead.  If an
LDAP server is found, its root DSE entry is requested and the
attributes namingContexts and defaultNamingContext are used to
determine which LDAP base to use for NSS.  If there are several
namingContexts attibutes and the defaultNamingContext is present, that
LDAP subtree is used as the base.  If defaultNamingContext is missing,
the subtrees listed as namingContexts are searched in sequence for any
object with class posixAccount or posixGroup, and the first one with
such an object is used as the LDAP base.  For Kerberos, a similar
search is done by first looking for a host named kerberos, and then
for the _kerberos._tcp SRV record.  I've been unable to find a way to
look up the Kerberos realm, so for this the upper case string of the
current DNS domain is used.</p>

<p>For the syslog server, the hosts syslog and loghost are searched
for, and the _syslog._udp SRV record is consulted if no such host is
found.  This algorithm works for both Debian Edu and the University of
Oslo.  A similar strategy would work for locating the sitesummary
server, but have not been implemented yet.  I decided to fetch and
save these settings during installation, to make sure moving to a
different network does not change the set of users being allowed to
log in nor the passwords required to log in.  Usernames and passwords
will be cached by sssd when the user logs in on the Debian Edu
network, and will not change as the laptop move around.  For a
non-roaming machine, there is no caching, but given that it is
supposed to stay in place it should not matter much.  Perhaps we
should switch those to use sssd too?</p>

<p>The user's SMB mount point for the network home directory is
located when the user logs in for the first time.  The LDAP server is
consulted to look for the user's LDAP object and the sambaHomePath
attribute is used if found.  If it isn't found, the home directory
path fetched from NSS is used instead.  Assuming the path is of the
form /site/server/directory/username, the second part is looked up in
DNS and used to generate a SMB URL of the form
smb://server.domain/username.  This algorithm works for both Debian
edu and the University of Oslo.  Perhaps there are better attributes
to use or a better algorithm that works for more sites, but this will
do for now. :)</p>

<p>This work should make it easier to integrate the Debian Edu clients
into any LDAP/Kerberos infrastructure, and make the current setup even
more flexible than before.  I suspect it will also work for thin
client servers, allowing one to easily set up LTSP and hook it into a
existing network infrastructure, but I have not had time to test this
yet.</p>

<p>If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.</p>

<p>Update 2010-08-09: Simon Farnsworth gave me a heads-up on how to
detect Kerberos realm from DNS, by looking for _kerberos TXT entries
before falling back to the upper case DNS domain name.  Will have to
implement it for Debian Edu. :)</p>
</div>
      
      <div class="tags">Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.</div>
      
      
    </div>
    

    

    <div id="sidebar">
      


<h2>Archive</h2>
<ul>

<li>2013
<ul>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/01/">January (11)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/02/">February (9)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/03/">March (9)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/04/">April (6)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/05/">May (9)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/06/">June (10)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/07/">July (7)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/08/">August (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2013/09/">September (2)</a></li>

</ul></li>

<li>2012
<ul>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/01/">January (7)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/02/">February (10)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/03/">March (17)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/04/">April (12)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/05/">May (12)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/06/">June (20)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/07/">July (17)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/08/">August (6)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/09/">September (9)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/10/">October (17)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/11/">November (10)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2012/12/">December (7)</a></li>

</ul></li>

<li>2011
<ul>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/01/">January (16)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/02/">February (6)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/03/">March (6)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/04/">April (7)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/05/">May (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/06/">June (2)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/07/">July (7)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/08/">August (6)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/09/">September (4)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/10/">October (2)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/11/">November (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2011/12/">December (1)</a></li>

</ul></li>

<li>2010
<ul>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/01/">January (2)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/02/">February (1)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/03/">March (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/04/">April (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/05/">May (9)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/06/">June (14)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/07/">July (12)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/08/">August (13)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/09/">September (7)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/10/">October (9)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/11/">November (13)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2010/12/">December (12)</a></li>

</ul></li>

<li>2009
<ul>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/01/">January (8)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/02/">February (8)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/03/">March (12)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/04/">April (10)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/05/">May (9)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/06/">June (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/07/">July (4)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/08/">August (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/09/">September (1)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/10/">October (2)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/11/">November (3)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2009/12/">December (3)</a></li>

</ul></li>

<li>2008
<ul>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2008/11/">November (5)</a></li>

<li><a href="http://people.skolelinux.org/pere/blog/archive/2008/12/">December (7)</a></li>

</ul></li>

</ul>



<h2>Tags</h2>
<ul>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/3d-printer">3d-printer (13)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/amiga">amiga (1)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/aros">aros (1)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/bankid">bankid (4)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/bitcoin">bitcoin (7)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem (12)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/bsa">bsa (2)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/debian">debian (85)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (139)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/digistan">digistan (10)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/docbook">docbook (10)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/drivstoffpriser">drivstoffpriser (4)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (214)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (21)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (12)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/freeculture">freeculture (12)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/freedombox">freedombox (1)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/frikanalen">frikanalen (11)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/intervju">intervju (37)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/isenkram">isenkram (7)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/kart">kart (18)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/ldap">ldap (8)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/lenker">lenker (6)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/ltsp">ltsp (1)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/multimedia">multimedia (25)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/norsk">norsk (235)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug (153)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/offentlig innsyn">offentlig innsyn (8)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/open311">open311 (2)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (44)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/personvern">personvern (66)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/raid">raid (1)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/reprap">reprap (11)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/rfid">rfid (2)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/robot">robot (7)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/rss">rss (1)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/ruter">ruter (4)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/scraperwiki">scraperwiki (2)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (30)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (4)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/skepsis">skepsis (4)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/standard">standard (43)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/stavekontroll">stavekontroll (3)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/stortinget">stortinget (8)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/surveillance">surveillance (17)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/sysadmin">sysadmin (1)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/valg">valg (8)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/video">video (38)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (4)</a></li>

 <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (27)</a></li>

</ul>


    </div>
    <p style="text-align: right">
 Created by <a href="http://steve.org.uk/Software/chronicle">Chronicle v4.6</a>
</p>

  </body>
</html>