Generated.

[homepage.git] / blog / archive / 2010 / 08 / 08.rss

<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
        <channel>
                <title>Petter Reinholdtsen - Entries from August 2010</title>
                <description>Entries from August 2010</description>
                <link>http://people.skolelinux.org/pere/blog/</link>

        
        <item>
                <title>Debian Edu roaming workstation - at the university of Oslo</title>
                <link>http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html</guid>
                <pubDate>Tue, 3 Aug 2010 23:30:00 +0200</pubDate>
                <description>
&lt;p&gt;The new roaming workstation profile in Debian Edu/Squeeze is fairly
similar to the laptop setup am I working on using Ubuntu for the
University of Oslo, and just for the heck of it, I tested today how
hard it would be to integrate that profile into the university
infrastructure.  In this case, it is the university LDAP server,
Active Directory Kerberos server and SMB mounting from the Netapp file
servers.&lt;/p&gt;

&lt;p&gt;I was pleasantly surprised that the only three files needed to be
changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added
(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
Most of the changes were to get the client to use the university LDAP
for NSS and Kerberos server for PAM, but one was to change a hard
coded DNS domain name in the mklocaluser hook from .intern to
.uio.no.&lt;/p&gt;

&lt;p&gt;This testing was so encouraging, that I went ahead and adjusted the
Debian Edu scripts and setup in subversion to centralise the roaming
workstation setup a bit more and avoid the hardcoded DNS domain name,
so that when I test this tomorrow, I expect to get away with modifying
only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
university servers.&lt;/p&gt;

&lt;p&gt;My goal is to get the clients to have no hardcoded settings and
fetch all their initial setup during installation and first boot, to
allow them to be inserted also into environments where the default
setup in Debian Edu has been changed or as with the university, where
the environment is different but provides the protocols Debian Edu
uses.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Autodetecting Client setup for roaming workstations in Debian Edu</title>
                <link>http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html</guid>
                <pubDate>Sat, 7 Aug 2010 14:45:00 +0200</pubDate>
                <description>
&lt;p&gt;A few days ago, I
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html&quot;&gt;tried
to install&lt;/a&gt; a Roaming workation profile from Debian Edu/Squeeze
while on the university network here at the University of Oslo, and
noticed how much had to change to get it operational using the
university infrastructure.  It was fairly easy, but it occured to me
that Debian Edu would improve a lot if I could get the client to
connect without any changes at all, and thus let the client configure
itself during installation and first boot to use the infrastructure
around it.  Now I am a huge step further along that road.&lt;/p&gt;

&lt;p&gt;With our current squeeze-test packages, I can select the roaming
workstation profile and get a working laptop connecting to the
university LDAP server for user and group and our active directory
servers for Kerberos authentication.  All this without any
configuration at all during installation.  My users home directory got
a bookmark in the KDE menu to mount it via SMB, with the correct URL.
In short, openldap and sssd is correctly configured.  In addition to
this, the client look for http://wpad/wpad.dat to configure a web
proxy, and when it fail to find it no proxy settings are stored in
/etc/environment and /etc/apt/apt.conf.  Iceweasel and KDE is
configured to look for the same wpad configuration and also do not use
a proxy when at the university network.  If the machine is moved to a
network with such wpad setup, it would automatically use it when DHCP
gave it a IP address.&lt;/p&gt;

&lt;p&gt;The LDAP server is located using DNS, by first looking for the DNS
entry ldap.$domain.  If this do not exist, it look for the
_ldap._tcp.$domain SRV records and use the first one as the LDAP
server.  Next, it connects to the LDAP server and search all
namingContexts entries for posixAccount or posixGroup objects, and
pick the first one as the LDAP base.  For Kerberos, a similar
algorithm is used to locate the LDAP server, and the realm is the
uppercase version of $domain.&lt;/p&gt;

&lt;p&gt;So, what is not working, you might ask.  SMB mounting my home
directory do not work.  No idea why, but suspected the incorrect
Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
the cause.  These are not properly configured during installation, and
had to be hand-edited to get the correct Kerberos realm and server,
but SMB mounting still do not work. :(&lt;/p&gt;

&lt;p&gt;With this automatic configuration in place, I expect a Debian Edu
roaming profile installation would be able to automatically detect and
connect to any site using LDAP and Kerberos for NSS directory and PAM
authentication.  It should also work out of the box in a Active
Directory environment providing posixAccount and posixGroup objects
with UID and GID values.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Testing if a file system can be used for home directories...</title>
                <link>http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html</guid>
                <pubDate>Sun, 8 Aug 2010 21:20:00 +0200</pubDate>
                <description>
&lt;p&gt;A few years ago, I was involved in a project planning to use
Windows file servers as home directory servers for Debian
Edu/Skolelinux machines.  This was thought to be no problem, as the
access would be through the SMB network file system protocol, and we
knew other sites used SMB with unix and samba as the file server to
mount home directories without any problems.  But, after months of
struggling, we had to conclude that our goal was impossible.&lt;/p&gt;

&lt;p&gt;The reason is simply that while SMB can be used for home
directories when the file server is Samba running on Unix, this only
work because of Samba have some extensions and the fact that the
underlying file system is a unix file system.  When using a Windows
file server, the underlying file system do not have POSIX semantics,
and several programs will fail if the users home directory where they
want to store their configuration lack POSIX semantics.&lt;/p&gt;

&lt;p&gt;As part of this work, I wrote a small C program I want to share
with you all, to replicate a few of the problematic applications (like
OpenOffice.org and GCompris) and see if the file system was working as
it should.  If you find yourself in spooky file system land, it might
help you find your way out again.  This is the fs-test.c source:&lt;/p&gt;

&lt;pre&gt;
/*
 * Some tests to check the file system sematics.  Used to verify that
 * CIFS from a windows server do not work properly as a linux home
 * directory.
 * License: GPL v2 or later
 * 
 * needs libsqlite3-dev and build-essential installed
 * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
*/

#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE 1
#define _LARGEFILE64_SOURCE 1

#define _GNU_SOURCE /* for asprintf() */

#include &lt;errno.h&gt;
#include &lt;fcntl.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;sys/file.h&gt;
#include &lt;sys/stat.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;unistd.h&gt;

#ifdef TEST_SQLITE
/*
 * Test sqlite open, as done by gcompris require the libsqlite3-dev
 * package and linking with -lsqlite3.  A more low level test is
 * below.
 * See also &lt;URL: http://www.sqlite.org./faq.html#q5 &gt;.
 */
#include &lt;sqlite3.h&gt;
#define CREATE_TABLE_USERS                                              \
  &quot;CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); &quot;
int test_sqlite_open(void) {
  char *zErrMsg;
  char *name = &quot;testsqlite.db&quot;;
  sqlite3 *db=NULL;
  unlink(name);
  int rc = sqlite3_open(name, &amp;db);
  if( rc ){
    printf(&quot;error: sqlite open of %s failed: %s\n&quot;, name, sqlite3_errmsg(db));
    sqlite3_close(db);
    return -1;
  }

  /* create tables */
  rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL,  0, &amp;zErrMsg);
  if( rc != SQLITE_OK ){
    printf(&quot;error: sqlite table create failed: %s\n&quot;, zErrMsg);
    sqlite3_close(db);
    return -1;
  }
  printf(&quot;info: sqlite worked\n&quot;);
  sqlite3_close(db);
  return 0;
}
#endif /* TEST_SQLITE */

/*
 * Demonstrate locking issue found in gcompris using sqlite3.  This
 * work with ext3, but not with cifs server on Windows 2003.  This is
 * done in the sqlite3 library.
 * See also
 * &lt;URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html&gt; and the
 * POSIX specification
 * &lt;URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html&gt;.
 */
int test_gcompris_locking(void) {
  struct flock fl;
  char *name = &quot;testsqlite.db&quot;;
  unlink(name);
  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
  printf(&quot;info: testing fcntl locking\n&quot;);

  fl.l_whence = SEEK_SET;
  fl.l_pid    = getpid();
  printf(&quot;  Read-locking 1 byte from 1073741824&quot;);
  fl.l_start  = 1073741824;
  fl.l_len    = 1;
  fl.l_type   = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);

  printf(&quot;  Read-locking 510 byte from 1073741826&quot;);
  fl.l_start  = 1073741826;
  fl.l_len    = 510;
  fl.l_type   = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);

  printf(&quot;  Unlocking 1 byte from 1073741824&quot;);
  fl.l_start  = 1073741824;
  fl.l_len    = 1;
  fl.l_type   = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);

  printf(&quot;  Write-locking 1 byte from 1073741824&quot;);
  fl.l_start  = 1073741824;
  fl.l_len    = 1;
  fl.l_type   = F_WRLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);

  printf(&quot;  Write-locking 510 byte from 1073741826&quot;);
  fl.l_start  = 1073741826;
  fl.l_len    = 510;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);

  printf(&quot;  Unlocking 2 byte from 1073741824&quot;);
  fl.l_start  = 1073741824;
  fl.l_len    = 2;
  fl.l_type   = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(&quot; - error!\n&quot;); else printf(&quot;\n&quot;);

  close(fd);
  return 0;
}

/*
 * Test if permissions of freshly created directories allow entries
 * below them.  This was a problem with OpenOffice.org and gcompris.
 * Mounting with option &#39;sync&#39; seem to solve this problem while
 * slowing down file operations.
 */
int test_subdirectory_creation(void) {
#define LEVELS 5
  char *path = strdup(&quot;test&quot;);
  char *dirs[LEVELS];
  int level;
  printf(&quot;info: testing subdirectory creation\n&quot;);
  for (level = 0; level &lt; LEVELS; level++) {
    char *newpath = NULL;
    if (-1 == mkdir(path, 0777)) {
      printf(&quot;  error: Unable to create directory &#39;%s&#39;: %s\n&quot;,
             path, strerror(errno));
      break;
    }
    asprintf(&amp;newpath, &quot;%s/%s&quot;, path, &quot;test&quot;);
    free(path);
    path = newpath;
  }
  return 0;
}

/*
 * Test if symlinks can be created.  This was a problem detected with
 * KDE.
 */
int test_symlinks(void) {
  printf(&quot;info: testing symlink creation\n&quot;);
  unlink(&quot;symlink&quot;);
  if (-1 == symlink(&quot;file&quot;, &quot;symlink&quot;))
    printf(&quot;  error: Unable to create symlink\n&quot;);
  return 0;
}

int main(int argc, char **argv) {
  printf(&quot;Testing POSIX/Unix sematics on file system\n&quot;);
  test_symlinks();
  test_subdirectory_creation();
#ifdef TEST_SQLITE
  test_sqlite_open();
#endif /* TEST_SQLITE */
  test_gcompris_locking();
  return 0;
}
&lt;/pre&gt;

&lt;p&gt;When everything is working, it should print something like
this:&lt;/p&gt;

&lt;pre&gt;
Testing POSIX/Unix sematics on file system
info: testing symlink creation
info: testing subdirectory creation
info: sqlite worked
info: testing fcntl locking
  Read-locking 1 byte from 1073741824
  Read-locking 510 byte from 1073741826
  Unlocking 1 byte from 1073741824
  Write-locking 1 byte from 1073741824
  Write-locking 510 byte from 1073741826
  Unlocking 2 byte from 1073741824
&lt;/pre&gt;

&lt;p&gt;I do not remember the exact details of the problems we saw, but one
of them was with locking, where if I remember correctly, POSIX allow a
read-only lock to be upgraded to a read-write lock without unlocking
the read-only lock (while Windows do not).  Another was a bug in the
CIFS/SMB client implementation in the Linux kernel where directory
meta information would be wrong for a fraction of a second, making
OpenOffice.org fail to create its deep directory tree because it was
not allowed to create files in its freshly created directory.&lt;/p&gt;

&lt;p&gt;Anyway, here is a nice tool for your tool box, might you never need
it. :)&lt;/p&gt;
</description>
        </item>
        
        </channel>
</rss>