<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
<title>Petter Reinholdtsen - Entries from August 2010</title>
<description>Entries from August 2010</description>
<link>http://people.skolelinux.org/pere/blog/</link>
<title>Debian Edu roaming workstation - at the university of Oslo</title>
<link>http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html</guid>
<pubDate>Tue, 3 Aug 2010 23:30:00 +0200</pubDate>
<p>The new roaming workstation profile in Debian Edu/Squeeze is fairly
similar to the laptop setup I am working on using Ubuntu for the
University of Oslo, and just for the heck of it, I tested today how
hard it would be to integrate that profile into the university
infrastructure. In this case, it is the university LDAP server,
Active Directory Kerberos server and SMB mounting from the Netapp file
<p>I was pleasantly surprised that only three files needed to be
changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added
(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
Most of the changes were to get the client to use the university LDAP
for NSS and Kerberos server for PAM, but one was to change a hard
coded DNS domain name in the mklocaluser hook from .intern to
<p>This testing was so encouraging, that I went ahead and adjusted the
Debian Edu scripts and setup in subversion to centralise the roaming
workstation setup a bit more and avoid the hardcoded DNS domain name,
so that when I test this tomorrow, I expect to get away with modifying
only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
university servers.</p>
<p>My goal is to get the clients to have no hardcoded settings and
fetch all their initial setup during installation and first boot, to
allow them to be inserted also into environments where the default
setup in Debian Edu has been changed or as with the university, where
the environment is different but provides the protocols Debian Edu
<title>Autodetecting Client setup for roaming workstations in Debian Edu</title>
<link>http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</guid>
<pubDate>Sat, 7 Aug 2010 14:45:00 +0200</pubDate>
<p>A few days ago, I
<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
to install</a> a Roaming workstation profile from Debian Edu/Squeeze
while on the university network here at the University of Oslo, and
noticed how much had to change to get it operational using the
university infrastructure. It was fairly easy, but it occurred to me
that Debian Edu would improve a lot if I could get the client to
connect without any changes at all, and thus let the client configure
itself during installation and first boot to use the infrastructure
around it. Now I am a huge step further along that road.</p>
<p>With our current squeeze-test packages, I can select the roaming
workstation profile and get a working laptop connecting to the
university LDAP server for user and group and our active directory
servers for Kerberos authentication. All this without any
configuration at all during installation. My user's home directory got
a bookmark in the KDE menu to mount it via SMB, with the correct URL.
In short, openldap and sssd are correctly configured. In addition to
this, the client looks for http://wpad/wpad.dat to configure a web
proxy, and when it fails to find it no proxy settings are stored in
/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE are
configured to look for the same wpad configuration and also do not use
a proxy when at the university network. If the machine is moved to a
network with such wpad setup, it would automatically use it when DHCP
gave it an IP address.</p>
<p>The LDAP server is located using DNS, by first looking for the DNS
entry ldap.$domain. If this does not exist, it looks for the
_ldap._tcp.$domain SRV records and uses the first one as the LDAP
server. Next, it connects to the LDAP server and searches all
namingContexts entries for posixAccount or posixGroup objects, and
picks the first one as the LDAP base. For Kerberos, a similar
algorithm is used to locate the LDAP server, and the realm is the
uppercase version of $domain.</p>
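The lookup order described above, as an added shell example that is not Debian Edu's own code. The function names are hypothetical, and `getent`, `dig` and `ldapsearch` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not Debian Edu's code); all function names are hypothetical.
# DNS answers are unauthenticated, so the caller should still validate the
# server it is handed (for instance its TLS certificate) before using it.

# Succeeds if the host name resolves.
host_exists() { getent hosts "$1" >/dev/null 2>&1; }

# Prints SRV answers as "priority weight port target." lines.
srv_records() { dig +short SRV "$1"; }

# Prints the namingContexts values from the server's root DSE.
naming_contexts() {
    ldapsearch -x -LLL -H "ldap://$1" -s base -b "" namingContexts |
        sed -n 's/^namingContexts: //p'
}

# Succeeds if the base holds at least one posixAccount or posixGroup entry.
has_posix_objects() {
    ldapsearch -x -LLL -z 1 -H "ldap://$1" -b "$2" \
        '(|(objectClass=posixAccount)(objectClass=posixGroup))' dn \
        </dev/null 2>/dev/null | grep -q '^dn:'
}

# Step 1: ldap.$domain if it resolves, else the first _ldap._tcp SRV target.
find_ldap_server() {
    domain=$1
    if host_exists "ldap.$domain"; then
        echo "ldap.$domain"
        return 0
    fi
    target=$(srv_records "_ldap._tcp.$domain" | awk 'NR == 1 { print $4 }')
    target=${target%.}          # drop the trailing dot of the FQDN
    [ -n "$target" ] && echo "$target"
}

# Step 2: the first naming context containing POSIX accounts or groups.
find_ldap_base() {
    server=$1
    naming_contexts "$server" | while IFS= read -r base; do
        if has_posix_objects "$server" "$base"; then
            echo "$base"
            break
        fi
    done
}

# The Kerberos realm is the upper-cased DNS domain.
kerberos_realm() { echo "$1" | tr '[:lower:]' '[:upper:]'; }
```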
<p>So, what is not working, you might ask. SMB mounting my home
directory does not work. No idea why, but suspected the incorrect
Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
the cause. These are not properly configured during installation, and
had to be hand-edited to get the correct Kerberos realm and server,
but SMB mounting still does not work. :(</p>
<p>With this automatic configuration in place, I expect a Debian Edu
roaming profile installation would be able to automatically detect and
connect to any site using LDAP and Kerberos for NSS directory and PAM
authentication. It should also work out of the box in an Active
Directory environment providing posixAccount and posixGroup objects
with UID and GID values.</p>
<p>If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.</p>
<title>Testing if a file system can be used for home directories...</title>
<link>http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</guid>
<pubDate>Sun, 8 Aug 2010 21:20:00 +0200</pubDate>
<p>A few years ago, I was involved in a project planning to use
Windows file servers as home directory servers for Debian
Edu/Skolelinux machines. This was thought to be no problem, as the
access would be through the SMB network file system protocol, and we
knew other sites used SMB with unix and samba as the file server to
mount home directories without any problems. But, after months of
struggling, we had to conclude that our goal was impossible.</p>
<p>The reason is simply that while SMB can be used for home
directories when the file server is Samba running on Unix, this only
works because Samba has some extensions and the fact that the
underlying file system is a unix file system. When using a Windows
file server, the underlying file system does not have POSIX semantics,
and several programs will fail if the user's home directory where they
want to store their configuration lacks POSIX semantics.</p>
<p>As part of this work, I wrote a small C program I want to share
with you all, to replicate a few of the problematic applications (like
OpenOffice.org and GCompris) and see if the file system was working as
it should. If you find yourself in spooky file system land, it might
help you find your way out again. This is the fs-test.c source:</p>
<pre>
/*
 * Some tests to check the file system semantics. Used to verify that
 * CIFS from a windows server do not work properly as a linux home
 *
 * License: GPL v2 or later
 *
 * needs libsqlite3-dev and build-essential installed
 * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
 */

#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE 1
#define _LARGEFILE64_SOURCE 1

#define _GNU_SOURCE /* for asprintf() */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef TEST_SQLITE
/*
 * Test sqlite open, as done by gcompris require the libsqlite3-dev
 * package and linking with -lsqlite3. A more low level test is
 *
 * See also <URL: http://www.sqlite.org./faq.html#q5 >.
 */
#include <sqlite3.h>
#define CREATE_TABLE_USERS \
  "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT );"
int test_sqlite_open(void) {
  char *zErrMsg = NULL;
  char *name = "testsqlite.db";
  sqlite3 *db = NULL;
  unlink(name);
  int rc = sqlite3_open(name, &db);
  if( rc ){
    printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
    sqlite3_close(db);
    return -1;
  }

  /* Creating a table makes sqlite write to, and lock, the database file. */
  rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg);
  if( rc != SQLITE_OK ){
    printf("error: sqlite table create failed: %s\n", zErrMsg);
    sqlite3_free(zErrMsg);
    sqlite3_close(db);
    return -1;
  }
  printf("info: sqlite worked\n");
  sqlite3_close(db);
  return 0;
}
#endif /* TEST_SQLITE */

/*
 * Demonstrate locking issue found in gcompris using sqlite3. This
 * work with ext3, but not with cifs server on Windows 2003. This is
 * done in the sqlite3 library.
 *
 * <URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
 * POSIX specification
 * <URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
 */
int test_gcompris_locking(void) {
  struct flock fl;
  char *name = "testsqlite.db";
  unlink(name);
  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
  printf("info: testing fcntl locking\n");
  if (-1 == fd) {
    printf(" error: Unable to open '%s': %s\n", name, strerror(errno));
    return -1;
  }

  fl.l_whence = SEEK_SET;
  fl.l_pid = getpid();
  printf(" Read-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Read-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Write-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_WRLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  /* Upgrades the 510 byte read lock taken above without unlocking it first. */
  printf(" Write-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 2 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 2;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  close(fd);
  return 0;
}

/*
 * Test if permissions of freshly created directories allow entries
 * below them. This was a problem with OpenOffice.org and gcompris.
 * Mounting with option 'sync' seem to solve this problem while
 * slowing down file operations.
 */
int test_subdirectory_creation(void) {
#define LEVELS 5 /* nesting depth; the value is not shown on this page, 5 is assumed */
  char *path = strdup("test");
  int level;
  printf("info: testing subdirectory creation\n");
  for (level = 0; level < LEVELS; level++) {
    char *newpath = NULL;
    if (-1 == mkdir(path, 0777)) {
      printf(" error: Unable to create directory '%s': %s\n",
             path, strerror(errno));
      break;
    }
    /* Descend one level: the next mkdir() lands in the directory just made. */
    if (-1 == asprintf(&newpath, "%s/%s", path, "test"))
      break;
    free(path);
    path = newpath;
  }
  free(path);
  return 0;
}

/*
 * Test if symlinks can be created. This was a problem detected with
 */
int test_symlinks(void) {
  printf("info: testing symlink creation\n");
  unlink("symlink");
  if (-1 == symlink("file", "symlink"))
    printf(" error: Unable to create symlink\n");
  return 0;
}

int main(int argc, char **argv) {
  printf("Testing POSIX/Unix sematics on file system\n");
  test_symlinks();
  test_subdirectory_creation();
#ifdef TEST_SQLITE
  test_sqlite_open();
#endif /* TEST_SQLITE */
  test_gcompris_locking();
  return 0;
}
</pre>
<p>When everything is working, it should print something like
<pre>
Testing POSIX/Unix sematics on file system
info: testing symlink creation
info: testing subdirectory creation
info: testing fcntl locking
 Read-locking 1 byte from 1073741824
 Read-locking 510 byte from 1073741826
 Unlocking 1 byte from 1073741824
 Write-locking 1 byte from 1073741824
 Write-locking 510 byte from 1073741826
 Unlocking 2 byte from 1073741824
</pre>
<p>I do not remember the exact details of the problems we saw, but one
of them was with locking, where if I remember correctly, POSIX allows a
read-only lock to be upgraded to a read-write lock without unlocking
the read-only lock (while Windows does not). Another was a bug in the
CIFS/SMB client implementation in the Linux kernel where directory
meta information would be wrong for a fraction of a second, making
OpenOffice.org fail to create its deep directory tree because it was
not allowed to create files in its freshly created directory.</p>
<p>Anyway, here is a nice tool for your tool box, might you never need