<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<title>Petter Reinholdtsen: entries from August 2010</title>
<link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/style.css">
<link rel="alternate" title="RSS Feed" href="08.rss" type="application/rss+xml">
<a href="http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen</a>
<p>Entries from August 2010.</p>
<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">Debian Edu roaming workstation - at the university of Oslo</a>
<p>The new roaming workstation profile in Debian Edu/Squeeze is fairly
similar to the laptop setup I am working on using Ubuntu for the
University of Oslo, and just for the heck of it, I tested today how
hard it would be to integrate that profile into the university
infrastructure. In this case, it is the university LDAP server,
Active Directory Kerberos server and SMB mounting from the Netapp file
</p>
<p>I was pleasantly surprised that only three files needed to be
changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added
(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
Most of the changes were to get the client to use the university LDAP
for NSS and Kerberos server for PAM, but one was to change a hard
coded DNS domain name in the mklocaluser hook from .intern to
</p>
<p>This testing was so encouraging that I went ahead and adjusted the
Debian Edu scripts and setup in subversion to centralise the roaming
workstation setup a bit more and avoid the hardcoded DNS domain name,
so that when I test this tomorrow, I expect to get away with modifying
only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
university servers.
</p>
<p>My goal is to get the clients to have no hardcoded settings and
fetch all their initial setup during installation and first boot, to
allow them to be inserted also into environments where the default
setup in Debian Edu has been changed or as with the university, where
the environment is different but provides the protocols Debian Edu
</p>
Tags:
<a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>,
<a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>,
<a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
<div class="padding"></div>
<a href="http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html">Autodetecting Client setup for roaming workstations in Debian Edu</a>
<p><a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried
to install</a> a Roaming workstation profile from Debian Edu/Squeeze
while on the university network here at the University of Oslo, and
noticed how much had to change to get it operational using the
university infrastructure. It was fairly easy, but it occurred to me
that Debian Edu would improve a lot if I could get the client to
connect without any changes at all, and thus let the client configure
itself during installation and first boot to use the infrastructure
around it. Now I am a huge step further along that road.
</p>
<p>With our current squeeze-test packages, I can select the roaming
workstation profile and get a working laptop connecting to the
university LDAP server for user and group and our active directory
servers for Kerberos authentication. All this without any
configuration at all during installation. My user's home directory got
a bookmark in the KDE menu to mount it via SMB, with the correct URL.
In short, openldap and sssd are correctly configured. In addition to
this, the client looks for http://wpad/wpad.dat to configure a web
proxy, and when it fails to find it no proxy settings are stored in
/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE are
configured to look for the same wpad configuration and also do not use
a proxy when at the university network. If the machine is moved to a
network with such wpad setup, it would automatically use it when DHCP
gave it an IP address.
</p>
<p>The LDAP server is located using DNS, by first looking for the DNS
entry ldap.$domain. If this does not exist, it looks for the
_ldap._tcp.$domain SRV records and uses the first one as the LDAP
server. Next, it connects to the LDAP server and searches all
namingContexts entries for posixAccount or posixGroup objects, and
picks the first one as the LDAP base. For Kerberos, a similar
algorithm is used to locate the LDAP server, and the realm is the
uppercase version of $domain.
</p>
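<p>The discovery steps described above, written out as an added example; this is not the Debian Edu code and not from the original post. The function names are hypothetical, and the sketch assumes getent, host (bind9-host) and ldapsearch (ldap-utils) are installed. Every answer comes from the local DNS and an anonymous LDAP bind, so it only reports what it finds and writes no configuration.</p>

```shell
#!/bin/sh
# Added example: DNS-based LDAP/Kerberos discovery as described in the post.
# All function names are hypothetical; this is not Debian Edu's own script.

# Thin wrappers around the real tools, kept separate so they can be stubbed.
dns_has_address() { getent hosts "$1" >/dev/null 2>&1; }   # resolves via NSS/DNS
dns_srv() { host -t SRV "$1" 2>/dev/null; }
ldap_search() {   # ldap_search HOST BASE SCOPE FILTER ATTRIBUTE (anonymous bind)
    ldapsearch -x -LLL -H "ldap://$1" -b "$2" -s "$3" -z 1 "$4" "$5" \
        </dev/null 2>/dev/null
}

# Step 1: prefer ldap.$domain, else the first _ldap._tcp.$domain SRV target.
find_ldap_server() {
    domain=$1
    if dns_has_address "ldap.$domain"; then
        echo "ldap.$domain"
        return 0
    fi
    # host prints: NAME has SRV record PRIORITY WEIGHT PORT TARGET.
    target=$(dns_srv "_ldap._tcp.$domain" |
        awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }')
    [ -n "$target" ] || return 1
    echo "$target"
}

# Step 2: first namingContexts entry holding posixAccount/posixGroup objects.
find_ldap_base() {
    server=$1
    filter='(|(objectClass=posixAccount)(objectClass=posixGroup))'
    ldap_search "$server" "" base '(objectClass=*)' namingContexts |
        sed -n 's/^namingContexts: //p' |
        while IFS= read -r ctx; do
            if ldap_search "$server" "$ctx" sub "$filter" dn | grep -q '^dn:'; then
                echo "$ctx"
                break
            fi
        done
}

# Kerberos realm: the upper-case form of the DNS domain.
kerberos_realm() { echo "$1" | tr '[:lower:]' '[:upper:]'; }

# Usage: sh discover.sh <dns-domain>
if [ $# -eq 1 ]; then
    server=$(find_ldap_server "$1") || { echo "no LDAP server found" >&2; exit 1; }
    echo "ldap server: $server"
    echo "ldap base:   $(find_ldap_base "$server")"
    echo "krb5 realm:  $(kerberos_realm "$1")"
fi
```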
<p>So, what is not working, you might ask. SMB mounting my home
directory does not work. No idea why, but suspected the incorrect
Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
the cause. These are not properly configured during installation, and
had to be hand-edited to get the correct Kerberos realm and server,
but SMB mounting still does not work. :(
</p>
<p>With this automatic configuration in place, I expect a Debian Edu
roaming profile installation would be able to automatically detect and
connect to any site using LDAP and Kerberos for NSS directory and PAM
authentication. It should also work out of the box in an Active
Directory environment providing posixAccount and posixGroup objects
with UID and GID values.
</p>
<p>If you want to help out with implementing these things for Debian
Edu, please contact us on debian-edu@lists.debian.org.
</p>
Tags:
<a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>,
<a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>,
<a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
<div class="padding"></div>
<a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">Testing if a file system can be used for home directories...</a>
<p>A few years ago, I was involved in a project planning to use
Windows file servers as home directory servers for Debian
Edu/Skolelinux machines. This was thought to be no problem, as the
access would be through the SMB network file system protocol, and we
knew other sites used SMB with unix and samba as the file server to
mount home directories without any problems. But, after months of
struggling, we had to conclude that our goal was impossible.
</p>
<p>The reason is simply that while SMB can be used for home
directories when the file server is Samba running on Unix, this only
works because Samba has some extensions and because the
underlying file system is a unix file system. When using a Windows
file server, the underlying file system does not have POSIX semantics,
and several programs will fail if the user's home directory where they
want to store their configuration lacks POSIX semantics.
</p>
<p>As part of this work, I wrote a small C program I want to share
with you all, to replicate a few of the problematic applications (like
OpenOffice.org and GCompris) and see if the file system was working as
it should. If you find yourself in spooky file system land, it might
help you find your way out again. This is the fs-test.c source:
</p>
<pre>
/*
 * Some tests to check the file system semantics. Used to verify that
 * CIFS from a windows server does not work properly as a linux home
 *
 * License: GPL v2 or later
 *
 * needs libsqlite3-dev and build-essential installed
 * compile with: gcc -Wall -DTEST_SQLITE fs-test.c -o fs-test -lsqlite3
 */

#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE 1
#define _LARGEFILE64_SOURCE 1

#define _GNU_SOURCE /* for asprintf() */

#include &lt;errno.h&gt;
#include &lt;fcntl.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;sys/file.h&gt;
#include &lt;sys/stat.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;unistd.h&gt;

#ifdef TEST_SQLITE
/*
 * Test sqlite open, as done by gcompris require the libsqlite3-dev
 * package and linking with -lsqlite3. A more low level test is
 * See also &lt;URL: http://www.sqlite.org./faq.html#q5&gt;.
 */
#include &lt;sqlite3.h&gt;
#define CREATE_TABLE_USERS \
  "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); "
int test_sqlite_open(void) {
  char *zErrMsg = NULL;
  char *name = "testsqlite.db";
  sqlite3 *db = NULL;
  unlink(name); /* start from an empty database so CREATE TABLE can succeed */
  int rc = sqlite3_open(name, &amp;db);
  if (rc) {
    printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db));
    sqlite3_close(db);
    return -1;
  }

  /* create the table, which makes sqlite take its file locks */
  rc = sqlite3_exec(db, CREATE_TABLE_USERS, NULL, 0, &amp;zErrMsg);
  if (rc != SQLITE_OK) {
    printf("error: sqlite table create failed: %s\n", zErrMsg);
    sqlite3_free(zErrMsg);
    sqlite3_close(db);
    return -1;
  }
  printf("info: sqlite worked\n");
  sqlite3_close(db);
  return 0;
}
#endif /* TEST_SQLITE */

/*
 * Demonstrate locking issue found in gcompris using sqlite3. This
 * work with ext3, but not with cifs server on Windows 2003. This is
 * done in the sqlite3 library.
 *
 * &lt;URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html&gt; and the
 * POSIX specification
 * &lt;URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html&gt;.
 */
int test_gcompris_locking(void) {
  struct flock fl;
  char *name = "testsqlite.db";
  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644);
  printf("info: testing fcntl locking\n");
  if (-1 == fd) {
    printf(" error: Unable to open %s: %s\n", name, strerror(errno));
    return -1;
  }

  memset(&amp;fl, 0, sizeof(fl));
  fl.l_whence = SEEK_SET;

  printf(" Read-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Read-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  fl.l_type = F_RDLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Write-locking 1 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 1;
  fl.l_type = F_WRLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(" - error!\n"); else printf("\n");

  /* upgrades the read lock taken above on the same range; l_type is still F_WRLCK */
  printf(" Write-locking 510 byte from 1073741826");
  fl.l_start = 1073741826;
  fl.l_len = 510;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(" - error!\n"); else printf("\n");

  printf(" Unlocking 2 byte from 1073741824");
  fl.l_start = 1073741824;
  fl.l_len = 2;
  fl.l_type = F_UNLCK;
  if (0 != fcntl(fd, F_SETLK, &amp;fl) ) printf(" - error!\n"); else printf("\n");

  close(fd);
  return 0;
}

/*
 * Test if permissions of freshly created directories allow entries
 * below them. This was a problem with OpenOffice.org and gcompris.
 * Mounting with option 'sync' seem to solve this problem while
 * slowing down file operations.
 */
#define LEVELS 5 /* nesting depth; the value is not given on the page, 5 is assumed */
int test_subdirectory_creation(void) {
  int level;
  char *path = strdup("test");

  printf("info: testing subdirectory creation\n");
  for (level = 0; level &lt; LEVELS; level++) {
    char *newpath = NULL;
    if (-1 == mkdir(path, 0777)) {
      printf(" error: Unable to create directory '%s': %s\n",
             path, strerror(errno));
      break;
    }
    if (-1 == asprintf(&amp;newpath, "%s/%s", path, "test"))
      break;
    free(path);
    path = newpath;
  }
  free(path);
  return 0;
}

/*
 * Test if symlinks can be created. This was a problem detected with
 */
int test_symlinks(void) {
  printf("info: testing symlink creation\n");
  unlink("symlink"); /* allow the test to be run more than once */
  if (-1 == symlink("file", "symlink"))
    printf(" error: Unable to create symlink\n");
  return 0;
}

int main(int argc, char **argv) {
  printf("Testing POSIX/Unix sematics on file system\n");
  test_symlinks();
  test_subdirectory_creation();
#ifdef TEST_SQLITE
  test_sqlite_open();
#endif /* TEST_SQLITE */
  test_gcompris_locking();
  return 0;
}
</pre>
<p>When everything is working, it should print something like
</p>
<pre>
Testing POSIX/Unix sematics on file system
info: testing symlink creation
info: testing subdirectory creation
info: testing fcntl locking
 Read-locking 1 byte from 1073741824
 Read-locking 510 byte from 1073741826
 Unlocking 1 byte from 1073741824
 Write-locking 1 byte from 1073741824
 Write-locking 510 byte from 1073741826
 Unlocking 2 byte from 1073741824
</pre>
<p>I do not remember the exact details of the problems we saw, but one
of them was with locking, where if I remember correctly, POSIX allows a
read-only lock to be upgraded to a read-write lock without unlocking
the read-only lock (while Windows does not). Another was a bug in the
CIFS/SMB client implementation in the Linux kernel where directory
meta information would be wrong for a fraction of a second, making
OpenOffice.org fail to create its deep directory tree because it was
not allowed to create files in its freshly created directory.
</p>
<p>Anyway, here is a nice tool for your tool box, might you never need
</p>
Tags:
<a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>,
<a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>,
<a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>.
<div class="padding"></div>