<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Petter Reinholdtsen: entries from August 2010</title>
<link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/style.css">
<link rel="alternate" title="RSS Feed" href="08.rss" type="application/rss+xml">
</head>
<body>
<!-- XML FEED -->

<div class="title">
<h1>
<a href="http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen</a>

</h1>

</div>

<p>Entries from August 2010.</p>


<div class="entry">
<div class="title">
<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">Debian Edu roaming workstation - at the university of Oslo</a>
</div>
<div class="date">
2010-08-03 23:30
</div>

<div class="body">

<p>The new roaming workstation profile in Debian Edu/Squeeze is fairly
similar to the laptop setup I am working on using Ubuntu for the
University of Oslo, and just for the heck of it, I tested today how
hard it would be to integrate that profile into the university
infrastructure. In this case, it is the university LDAP server,
Active Directory Kerberos server and SMB mounting from the Netapp file
servers.</p>

<p>I was pleasantly surprised that only three files needed to be
changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added
(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
Most of the changes were to get the client to use the university LDAP
for NSS and Kerberos server for PAM, but one was to change a
hard-coded DNS domain name in the mklocaluser hook from .intern to
.uio.no.</p>

<p>This testing was so encouraging that I went ahead and adjusted the
Debian Edu scripts and setup in subversion to centralise the roaming
workstation setup a bit more and avoid the hardcoded DNS domain name,
so that when I test this tomorrow, I expect to get away with modifying
only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
university servers.</p>

<p>My goal is to get the clients to have no hardcoded settings and
fetch all their initial setup during installation and first boot, to
allow them to be inserted also into environments where the default
setup in Debian Edu has been changed or, as with the university, where
the environment is different but provides the protocols Debian Edu
uses.</p>

</div>
<div class="tags">



Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.

</div>
</div>
<div class="padding"></div>

<div class="entry">
<div class="title">
<a href="http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html">Autodetecting Client setup for roaming workstations in Debian Edu</a>
</div>
<div class="date">
2010-08-07 14:45
</div>

<div class="body">

<p>A few days ago, I
<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
to install</a> a Roaming workstation profile from Debian Edu/Squeeze
while on the university network here at the University of Oslo, and
noticed how much had to change to get it operational using the
university infrastructure. It was fairly easy, but it occurred to me
that Debian Edu would improve a lot if I could get the client to
connect without any changes at all, and thus let the client configure
itself during installation and first boot to use the infrastructure
around it. Now I am a huge step further along that road.</p>

<p>With our current squeeze-test packages, I can select the roaming
workstation profile and get a working laptop connecting to the
university LDAP server for user and group and our Active Directory
servers for Kerberos authentication. All this without any
configuration at all during installation. My user's home directory got
a bookmark in the KDE menu to mount it via SMB, with the correct URL.
In short, openldap and sssd are correctly configured. In addition to
this, the client looks for http://wpad/wpad.dat to configure a web
proxy, and when it fails to find it, no proxy settings are stored in
/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE are
configured to look for the same wpad configuration and also do not use
a proxy when at the university network. If the machine is moved to a
network with such a wpad setup, it would automatically use it when DHCP
gave it an IP address.</p>

<p>The LDAP server is located using DNS, by first looking for the DNS
entry ldap.$domain. If this does not exist, it looks for the
_ldap._tcp.$domain SRV records and uses the first one as the LDAP
server. Next, it connects to the LDAP server and searches all
namingContexts entries for posixAccount or posixGroup objects, and
picks the first one as the LDAP base. For Kerberos, a similar
algorithm is used to locate the LDAP server, and the realm is the
uppercase version of $domain.</p>
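
<p>Added example, not code from this post or from Debian Edu: the
lookup order described above written as C, run over constructed lookup
results instead of live DNS and LDAP queries. The struct layout, the
function names and the refusal of an SRV target outside $domain are
assumptions of this example; the post only says the first SRV record
is used.</p>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the DNS answers and LDAP root DSE of one site. */
struct site {
    int ldap_host_exists;             /* does ldap.$domain resolve? */
    const char *srv[4]; size_t nsrv;  /* _ldap._tcp.$domain targets, answer order */
    const char *ctx[4]; size_t nctx;  /* namingContexts values */
    int has_posix[4];                 /* ctx[i] holds posixAccount/posixGroup? */
};

/* 1 if host is $domain or a name below it (case-insensitive, whole labels). */
int in_domain(const char *host, const char *domain) {
    size_t h = strlen(host), d = strlen(domain), i;
    if (h > 0 && host[h - 1] == '.') h--;        /* ignore trailing root dot */
    if (d == 0 || h < d) return 0;
    for (i = 0; i < d; i++)
        if (tolower((unsigned char)host[h - d + i]) !=
            tolower((unsigned char)domain[i])) return 0;
    return h == d || host[h - d - 1] == '.';
}

/* ldap.$domain first, else the first SRV target. Returns 0 on success, -1 if
 * nothing was found, -2 if the SRV target is outside $domain (added check). */
int pick_ldap_server(const char *domain, const struct site *s,
                     char *out, size_t outlen) {
    const char *srv = s->nsrv > 0 ? s->srv[0] : NULL;
    int n;
    if (s->ldap_host_exists) n = snprintf(out, outlen, "ldap.%s", domain);
    else if (srv == NULL) return -1;
    else if (!in_domain(srv, domain)) return -2;
    else n = snprintf(out, outlen, "%s", srv);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* First naming context holding POSIX accounts or groups, or NULL if none. */
const char *pick_ldap_base(const struct site *s) {
    for (size_t i = 0; i < s->nctx; i++)
        if (s->has_posix[i]) return s->ctx[i];
    return NULL;
}

/* Kerberos realm: $domain in upper case. Returns -1 if out is too small. */
int kerberos_realm(const char *domain, char *out, size_t outlen) {
    size_t i, n = strlen(domain);
    if (n >= outlen) return -1;
    for (i = 0; i <= n; i++) out[i] = (char)toupper((unsigned char)domain[i]);
    return 0;
}

int main(void) {
    /* Constructed site: no ldap.example.org host, one SRV record. */
    struct site s = { 0, { "ds1.example.org." }, 1,
                      { "cn=config", "dc=example,dc=org" }, 2, { 0, 1 } };
    char host[256] = "";
    int rc = pick_ldap_server("example.org", &s, host, sizeof host);
    printf("rc=%d server=%s base=%s\n", rc, host, pick_ldap_base(&s));
    return 0;
}
```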

<p>So, what is not working, you might ask. SMB mounting my home
directory does not work. No idea why, but suspected the incorrect
Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
the cause. These are not properly configured during installation, and
had to be hand-edited to get the correct Kerberos realm and server,
but SMB mounting still does not work. :(</p>

<p>With this automatic configuration in place, I expect a Debian Edu
roaming profile installation would be able to automatically detect and
connect to any site using LDAP and Kerberos for NSS directory and PAM
authentication. It should also work out of the box in an Active
Directory environment providing posixAccount and posixGroup objects
with UID and GID values.</p>

<p>If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.</p>

</div>
<div class="tags">



Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.

</div>
</div>
<div class="padding"></div>

<div class="entry">
<div class="title">
<a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">Testing if a file system can be used for home directories...</a>
</div>
<div class="date">
2010-08-08 21:20
</div>

<div class="body">

<p>A few years ago, I was involved in a project planning to use
Windows file servers as home directory servers for Debian
Edu/Skolelinux machines. This was thought to be no problem, as the
access would be through the SMB network file system protocol, and we
knew other sites used SMB with unix and samba as the file server to
mount home directories without any problems. But, after months of
struggling, we had to conclude that our goal was impossible.</p>

<p>The reason is simply that while SMB can be used for home
directories when the file server is Samba running on Unix, this only
works because Samba has some extensions and because the
underlying file system is a unix file system. When using a Windows
file server, the underlying file system does not have POSIX semantics,
and several programs will fail if the user's home directory where they
want to store their configuration lacks POSIX semantics.</p>

<p>As part of this work, I wrote a small C program I want to share
with you all, to replicate a few of the problematic applications (like
OpenOffice.org and GCompris) and see if the file system was working as
it should. If you find yourself in spooky file system land, it might
help you find your way out again. This is the fs-test.c source:</p>

<pre>
/*
 * Some tests to check the file system semantics. Used to verify that
 * CIFS from a windows server does not work properly as a linux home
 * directory.
 * License: GPL v2 or later
 *
 * needs libsqlite3-dev and build-essential installed
 * compile with: gcc -Wall -DTEST_SQLITE fs-test.c -o fs-test -lsqlite3
 * (the library is listed after the source file so the linker resolves it)
 */

#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE 1
#define _LARGEFILE64_SOURCE 1

#define _GNU_SOURCE /* for asprintf() */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef TEST_SQLITE
/*
 * Test sqlite open, as done by gcompris. Requires the libsqlite3-dev
 * package and linking with -lsqlite3. A more low level test is
 * below.
 * See also <URL: http://www.sqlite.org./faq.html#q5 >.
 */
#include <sqlite3.h>
#define CREATE_TABLE_USERS \
  "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); "
int test_sqlite_open(void) {
  char *zErrMsg = NULL;
  char *name = "testsqlite.db";
  sqlite3 *db=NULL;
  unlink(name);
  int rc = sqlite3_open(name, &db);
  if( rc ){
    printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
    sqlite3_close(db);
    return -1;
  }

  /* create tables */
  rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg);
  if( rc != SQLITE_OK ){
    printf("error: sqlite table create failed: %s\n", zErrMsg);
    sqlite3_free(zErrMsg); /* the message is allocated by sqlite */
    sqlite3_close(db);
    return -1;
  }
  printf("info: sqlite worked\n");
  sqlite3_close(db);
  return 0;
}
#endif /* TEST_SQLITE */

/*
 * Demonstrate locking issue found in gcompris using sqlite3. This
 * works with ext3, but not with cifs server on Windows 2003. This is
 * done in the sqlite3 library.
 * See also
 * <URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the
 * POSIX specification
 * <URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>.
 */
int test_gcompris_locking(void) {
  struct flock fl;
  char *name = "testsqlite.db";
  unlink(name);
  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
  printf("info: testing fcntl locking\n");
  if (-1 == fd) {
    /* Without a file there is nothing to lock */
    printf(" error: Unable to open '%s': %s\n", name, strerror(errno));
    return -1;
  }

  fl.l_whence = SEEK_SET;
  fl.l_pid = getpid();
  printf(" Read-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Read-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Write-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_WRLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  /* The read lock on this range is still held: this is a lock upgrade */
  printf(" Write-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  fl.l_type = F_WRLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 2 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 2;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n");

  close(fd);
  return 0;
}

/*
 * Test if permissions of freshly created directories allow entries
 * below them. This was a problem with OpenOffice.org and gcompris.
 * Mounting with option 'sync' seem to solve this problem while
 * slowing down file operations.
 */
int test_subdirectory_creation(void) {
#define LEVELS 5
  char *path = strdup("test");
  int level;
  printf("info: testing subdirectory creation\n");
  for (level = 0; path != NULL && level < LEVELS; level++) {
    char *newpath = NULL;
    if (-1 == mkdir(path, 0777)) {
      printf(" error: Unable to create directory '%s': %s\n",
             path, strerror(errno));
      break;
    }
    /* The next level goes directly below the directory just created */
    if (-1 == asprintf(&newpath, "%s/%s", path, "test"))
      newpath = NULL;
    free(path);
    path = newpath;
  }
  free(path);
  return 0;
}

/*
 * Test if symlinks can be created. This was a problem detected with
 * KDE.
 */
int test_symlinks(void) {
  printf("info: testing symlink creation\n");
  unlink("symlink");
  if (-1 == symlink("file", "symlink"))
    printf(" error: Unable to create symlink\n");
  return 0;
}

int main(int argc, char **argv) {
  printf("Testing POSIX/Unix sematics on file system\n");
  test_symlinks();
  test_subdirectory_creation();
#ifdef TEST_SQLITE
  test_sqlite_open();
#endif /* TEST_SQLITE */
  test_gcompris_locking();
  return 0;
}
</pre>

<p>When everything is working, it should print something like
this:</p>

<pre>
Testing POSIX/Unix sematics on file system
info: testing symlink creation
info: testing subdirectory creation
info: sqlite worked
info: testing fcntl locking
Read-locking 1 byte from 1073741824
Read-locking 510 byte from 1073741826
Unlocking 1 byte from 1073741824
Write-locking 1 byte from 1073741824
Write-locking 510 byte from 1073741826
Unlocking 2 byte from 1073741824
</pre>

<p>I do not remember the exact details of the problems we saw, but one
of them was with locking, where if I remember correctly, POSIX allows a
read-only lock to be upgraded to a read-write lock without unlocking
the read-only lock (while Windows does not). Another was a bug in the
CIFS/SMB client implementation in the Linux kernel where directory
meta information would be wrong for a fraction of a second, making
OpenOffice.org fail to create its deep directory tree because it was
not allowed to create files in its freshly created directory.</p>
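
<p>Added example, not part of fs-test.c: a probe for the two behaviours
recalled above, upgrading a read lock to a write lock without
unlocking, and creating a file in a directory made an instant earlier.
The function names and the fs-probe- file name prefix are made up for
this example; each function returns 0 when the file system behaves as
a local POSIX one does, otherwise the errno of the step that
failed.</p>

```c
#define _XOPEN_SOURCE 700        /* for mkstemp() and mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOCK_OFFSET 1073741824   /* the offset fs-test.c locks at */

/* Non-blocking fcntl() lock request; returns 0 or the errno of the failure. */
static int set_lock(int fd, short type, off_t start, off_t len) {
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = type;
    fl.l_whence = SEEK_SET;
    fl.l_start = start;
    fl.l_len = len;
    return fcntl(fd, F_SETLK, &fl) == 0 ? 0 : errno;
}

/* Read-lock one byte, then request a write lock on it without unlocking.
 * Returns 0 if the upgrade was accepted, else the errno of the failing step. */
int probe_lock_upgrade(const char *dir) {
    char path[4096];
    int fd, rc;
    if (snprintf(path, sizeof path, "%s/fs-probe-XXXXXX", dir) >= (int)sizeof path)
        return ENAMETOOLONG;
    if ((fd = mkstemp(path)) < 0) return errno;
    rc = set_lock(fd, F_RDLCK, LOCK_OFFSET, 1);
    if (rc == 0) rc = set_lock(fd, F_WRLCK, LOCK_OFFSET, 1);
    close(fd);
    unlink(path);
    return rc;
}

/* Create a directory and at once create a file inside it, with no pause in
 * between. Returns 0 on success, else the errno of the failing step. */
int probe_fresh_dir(const char *dir) {
    char path[4096], file[4096 + 8];
    int fd, rc;
    if (snprintf(path, sizeof path, "%s/fs-probe-XXXXXX", dir) >= (int)sizeof path)
        return ENAMETOOLONG;
    if (mkdtemp(path) == NULL) return errno;
    snprintf(file, sizeof file, "%s/child", path);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    rc = fd < 0 ? errno : 0;      /* keep errno before the cleanup calls */
    if (fd >= 0) { close(fd); unlink(file); }
    rmdir(path);
    return rc;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : ".";   /* directory on the mount to test */
    printf("lock upgrade: %s\n", strerror(probe_lock_upgrade(dir)));
    printf("fresh dir:    %s\n", strerror(probe_fresh_dir(dir)));
    return 0;
}
```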

<p>Anyway, here is a nice tool for your tool box, may you never need
it. :)</p>

</div>
<div class="tags">



Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.

</div>
</div>
<div class="padding"></div>

</body>
</html>