1 <?xml version=
"1.0" encoding=
"ISO-8859-1"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/'
>
4 <title>Petter Reinholdtsen - Entries from April
2010</title>
5 <description>Entries from April
2010</description>
6 <link>http://www.hungry.com/~pere/blog/
</link>
10 <title>Thoughts on roaming laptop setup for Debian Edu
</title>
11 <link>http://www.hungry.com/~pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html
</link>
12 <guid isPermaLink=
"true">http://www.hungry.com/~pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html
</guid>
13 <pubDate>Wed,
28 Apr
2010 20:
40:
00 +
0200</pubDate>
14 <description><p
>For some years now, I have wondered how we should handle laptops in
15 Debian Edu. The Debian Edu infrastructure is mostly designed to
16 handle stationary computers, and less suited for computers that come
19 <p
>Now I finally believe I have an sensible idea on how to adjust
20 Debian Edu for laptops, by introducing a new profile for them, for
21 example called Roaming Workstations. Here are my thought on this.
22 The setup would consist of the following:
</p
>
26 <li
>During installation, the user name of the owner / primary user of
27 the laptop is requested and a local home directory is set up for
28 the user, with uid and gid information fetched from the LDAP
29 server. This allow the user to work also when offline. The
30 central home directory can be available in a subdirectory on
31 request, for example mounted via CIFS. It could be mounted
32 automatically when a user log in while on the Debian Edu network,
33 and unmounted when the machine is taken away (network down,
34 hibernate, etc), it can be set up to do automatic mounting on
35 request (using autofs), or perhaps some GUI button on the desktop
36 can be used to access it when needed. Perhaps it is enough to use
37 the fish protocol in KDE?
</li
>
39 <li
>Password checking is set up to use LDAP or Kerberos
40 authentication when the machine is on the Debian Edu network, and
41 to cache the password for offline checking when the machine unable
42 to reach the LDAP or Kerberos server. This can be done using
43 <a href=
"http://www.padl.com/OSS/pam_ccreds.html
">libpam-ccreds
</a
>
44 or the Fedora developed
45 <a href=
"https://fedoraproject.org/wiki/Features/SSSD
">System
46 Security Services Daemon
</a
> packages.
</li
>
48 <li
>File synchronisation with the central home directory is set up
49 using a shared directory in both the local and the central home
50 directory, using unison.
</li
>
52 <li
>Printing should be set up to print to all printers broadcasting
53 their existence on the local network, and should then work out of
54 the box with CUPS. For sites needing accurate printer quotas, some
55 system with Kerberos authentication or printing via ssh could be
56 implemented.
</li
>
58 <li
>For users that should have local root access to their laptop,
59 sudo should be used to allow this to the local user.
</li
>
61 <li
>It would be nice if user and group information from LDAP is
62 cached on the client, but given that there are entries for the
63 local user and primary group in /etc/, it should not be needed.
</li
>
67 <p
>I believe all the pieces to implement this are in Debian/testing at
68 the moment. If we work quickly, we should be able to get this ready
69 in time for the Squeeze release to freeze. Some of the pieces need
70 tweaking, like libpam-ccreds should get support for pam-auth-update
71 (
<a href=
"http://bugs.debian.org/
566718">#
566718</a
>) and nslcd (or
72 perhaps debian-edu-config) should get some integration code to stop
73 its daemon when the LDAP server is unavailable to avoid long timeouts
74 when disconnected from the net. If we get Kerberos enabled, we need
75 to make sure we avoid long timeouts there too.
</p
>
77 <p
>If you want to help out with implementing this for Debian Edu,
78 please contact us on debian-edu@lists.debian.org.
</p
>
83 <title>Great book:
"Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future
"</title>
84 <link>http://www.hungry.com/~pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html
</link>
85 <guid isPermaLink=
"true">http://www.hungry.com/~pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html
</guid>
86 <pubDate>Mon,
19 Apr
2010 17:
10:
00 +
0200</pubDate>
87 <description><p
>The last few weeks i have had the pleasure of reading a
88 thought-provoking collection of essays by Cory Doctorow, on topics
89 touching copyright, virtual worlds, the future of man when the
90 conscience mind can be duplicated into a computer and many more. The
91 book titled
"Content: Selected Essays on Technology, Creativity,
92 Copyright, and the Future of the Future
" is available with few
93 restrictions on the web, for example from
94 <a href=
"http://craphound.com/content/
">his own site
</a
>. I read the
96 <a href=
"http://www.feedbooks.com/book/
2883">feedbooks
</a
> using
97 <a href=
"http://www.fbreader.org/
">fbreader
</a
> and my N810. I
98 strongly recommend this book.
</p
>
103 <title>Kerberos for Debian Edu/Squeeze?
</title>
104 <link>http://www.hungry.com/~pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html
</link>
105 <guid isPermaLink=
"true">http://www.hungry.com/~pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html
</guid>
106 <pubDate>Wed,
14 Apr
2010 17:
20:
00 +
0200</pubDate>
107 <description><p
><a href=
"http://www.nuug.no/aktiviteter/
20100413-kerberos/
">Yesterdays
108 NUUG presentation
</a
> about Kerberos was inspiring, and reminded me
109 about the need to start using Kerberos in Skolelinux. Setting up a
110 Kerberos server seem to be straight forward, and if we get this in
111 place a long time before the Squeeze version of Debian freezes, we
112 have a chance to migrate Skolelinux away from NFSv3 for the home
113 directories, and over to an architecture where the infrastructure do
114 not have to trust IP addresses and machines, and instead can trust
115 users and cryptographic keys instead.
</p
>
117 <p
>A challenge will be integration and administration. Is there a
118 Kerberos implementation for Debian where one can control the
119 administration access in Kerberos using LDAP groups? With it, the
120 school administration will have to maintain access control using flat
121 files on the main server, which give a huge potential for errors.
</p
>
123 <p
>A related question I would like to know is how well Kerberos and
124 pam-ccreds (offline password check) work together. Anyone know?
</p
>
126 <p
>Next step will be to use Kerberos for access control in Lwat and
127 Nagios. I have no idea how much work that will be to implement. We
128 would also need to document how to integrate with Windows AD, as such
129 shared network will require two Kerberos realms that need to cooperate
130 to work properly.
</p
>
132 <p
>I believe a good start would be to start using Kerberos on the
133 skolelinux.no machines, and this way get ourselves experience with
134 configuration and integration. A natural starting point would be
135 setting up ldap.skolelinux.no as the Kerberos server, and migrate the
136 rest of the machines from PAM via LDAP to PAM via Kerberos one at the
139 <p
>If you would like to contribute to get this working in Skolelinux,
140 I recommend you to see the video recording from yesterdays NUUG
141 presentation, and start using Kerberos at home. The video show show
142 up in a few days.
</p
>
projects / homepage.git / blob