X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/525c8f4d5fe33e5fec2c764cf123c4b2fffeba52..a0a971f55f61855eb0b27b68176b325f2a65995f:/blog/archive/2010/07/index.html diff --git a/blog/archive/2010/07/index.html b/blog/archive/2010/07/index.html index d53790c840..9bb3f8e47f 100644 --- a/blog/archive/2010/07/index.html +++ b/blog/archive/2010/07/index.html @@ -23,216 +23,66 @@
- Caching password, user and group on a roaming Debian laptop + Circular package dependencies harms apt recovery
- 1st July 2010 + 27th July 2010
-

For a laptop, centralized user directories and password checking is -a bit troubling. Laptops are typically used also when not connected -to the network, and it is vital for a user to be able to log in or -unlock the screen saver also when a central server is unavailable. -This is possible by caching passwords and directory information (user -and group attributes) locally, and the packages to do so are available -in Debian. Here follow two recipes to set this up in Debian/Squeeze. -It is also possible to set up in Debian/Lenny, but require more manual -setup there because pam-auth-update is missing in Lenny.

- -

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

- -This is the traditional method with a twist. The password caching is -provided by libpam-ccreds (version 10-4 or later is needed on -Squeeze), and the directory caching is done by nscd. The directory -lookup and password checking is done using LDAP. If one want to use -Kerberos for password checking the libpam-ldapd package can be -replaced with libpam-krb5 or libpam-heimdal. If one is happy having a -local home directory with the path listed in LDAP, one can use the -pam_mkhomedir module from pam-modules to make this happen instead of -using libpam-mklocaluser. A setup for pam-auth-update to enable -pam_mkhomedir will have to be written until a fix for -bug #568577 is in the -archive. Because I believe it is a bad idea to have local home -directories using misleading paths like /site/server/partition/, I -prefer to create a local user with the home directory in /home/. This -is done using the libpam-mklocaluser package.

- -

These packages need to be installed and configured

- -
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-
- -

The ldapd packages will ask for LDAP connection information, and -one have to fill in the values that fits ones own site. Make sure the -PAM part uses encrypted connections, to make sure the password is not -sent in clear text to the LDAP server. I've been unable to get TLS -certificate checking for a self signed certificate working, which make -LDAP authentication unsafe for Debian Edu (nslcd is not checking if it -is talking to the correct LDAP server), and very much welcome feedback -on how to get this working.

- -

Because nscd do not have a default configuration fit for offline -caching until bug #485282 -is fixed, this configuration should be used instead of the one -currently in /etc/nscd.conf. The changes are in the fields -reload-count and positive-time-to-live, and is based on the -instructions I found in the -LDAP for Mobile Laptops -instructions by Flyn Computing.

- -
-	debug-level		0
-	reload-count		unlimited
-	paranoia		no
-
-	enable-cache		passwd		yes
-	positive-time-to-live	passwd		2592000
-	negative-time-to-live	passwd		20
-	suggested-size		passwd		211
-	check-files		passwd		yes
-	persistent		passwd		yes
-	shared			passwd		yes
-	max-db-size		passwd		33554432
-	auto-propagate		passwd		yes
-
-	enable-cache		group		yes
-	positive-time-to-live	group		2592000
-	negative-time-to-live	group		20
-	suggested-size		group		211
-	check-files		group		yes
-	persistent		group		yes
-	shared			group		yes
-	max-db-size		group		33554432
-	auto-propagate		group		yes
-
-	enable-cache		hosts		no
-	positive-time-to-live	hosts		2592000
-	negative-time-to-live	hosts		20
-	suggested-size		hosts		211
-	check-files		hosts		yes
-	persistent		hosts		yes
-	shared			hosts		yes
-	max-db-size		hosts		33554432
-
-	enable-cache		services	yes
-	positive-time-to-live	services	2592000
-	negative-time-to-live	services	20
-	suggested-size		services	211
-	check-files		services	yes
-	persistent		services	yes
-	shared			services	yes
-	max-db-size		services	33554432
-
- -

While we wait for a mechanism to update /etc/nsswitch.conf -automatically like the one provided in -bug #496915, the file -content need to be manually replaced to ensure LDAP is used as the -directory service on the machine. /etc/nsswitch.conf should normally -look like this:

- -
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
-
- -

The important parts are that ldap is listed last for passwd, group, -shadow and netgroup.

- -

With these changes in place, any user in LDAP will be able to log -in locally on the machine using for example kdm, get a local home -directory created and have the password as well as user and group -attributes cached. - -

LDAP/Kerberos + nss-updatedb + libpam-ccreds + - libpam-mklocaluser/pam_mkhomedir

- -

Because nscd have had its share of problems, and seem to have -problems doing proper caching, I've seen suggestions and recipes to -use nss-updatedb to copy parts of the LDAP database locally when the -LDAP database is available. I have not tested such setup, because I -discovered sssd.

- -

LDAP/Kerberos + sssd + libpam-mklocaluser

- -

A more flexible and robust setup than the nscd combination -mentioned earlier that has shown up recently, is the -sssd package from Redhat. -It is part of the FreeIPA project -to provide a Active Directory like directory service for Linux -machines. The sssd system combines the caching of passwords and user -information into one package, and remove the need for nscd and -libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version -1.2 do not support netgroups, but it is said that it will support this -in version 1.5 expected to show up later in 2010. Because the -sssd package -was missing in Debian, I ended up co-maintaining it with Werner, and -version 1.2 is now in testing. - -

These packages need to be installed and configured to get the -roaming setup I want

+

I discovered this while doing +automated +testing of upgrades from Debian Lenny to Squeeze. A few packages +in Debian still got circular dependencies, and it is often claimed +that apt and aptitude should be able to handle this just fine, but +some times these dependency loops causes apt to fail.

-
-libpam-sss libnss-sss libpam-mklocaluser
-
+

An example is from todays +upgrade +of KDE using aptitude. In it, a bug in kdebase-workspace-data +causes perl-modules to fail to upgrade. The cause is simple. If a +package fail to unpack, then only part of packages with the circular +dependency might end up being unpacked when unpacking aborts, and the +ones already unpacked will fail to configure in the recovery phase +because its dependencies are unavailable.

-The complete setup of sssd is done by editing/creating -/etc/sssd/sssd.conf. +

In this log, the problem manifest itself with this error:

-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+dpkg: dependency problems prevent configuration of perl-modules:
+ perl-modules depends on perl (>= 5.10.1-1); however:
+  Version of perl on system is 5.10.0-19lenny2.
+dpkg: error processing perl-modules (--configure):
+ dependency problems - leaving unconfigured
 
-

I got the same problem here with certificate checking. Had to set -"ldap_tls_reqcert = never" to get it working.

+

The perl/perl-modules circular dependency is already +reported as a bug, and will +hopefully be solved as soon as possible, but it is not the only one, +and each one of these loops in the dependency tree can cause similar +failures. Of course, they only occur when there are bugs in other +packages causing the unpacking to fail, but it is rather nasty when +the failure of one package causes the problem to become worse because +of dependency loops.

-

With the libnss-sss package in testing at the moment, the -nsswitch.conf file is update automatically, so there is no need to -modify it manually.

+

Thanks to +the +tireless effort by Bill Allombert, the number of circular +dependencies +left in Debian +is dropping, and perhaps it will reach zero one day. :)

-

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

Todays testing also exposed a bug in +update-notifier and +different behaviour between +apt-get and aptitude, the latter possibly caused by some circular +dependency. Reported both to BTS to try to get someone to look at +it.

- Tags: debian edu, english, ldap, nuug. + Tags: debian, english, nuug.
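Review bot: This hunk is almost entirely a reorder, not a content change, and should be reviewed as one: the 1 July roaming-laptop post disappears here while the headers of the later hunks swap 3rd/27th, 11th/25th, 14th/22nd, 18th/14th and 22nd/11th July, so the archive has flipped from ascending to descending date order and the only genuinely new text is the two 27 July entries and the 25 July one. `git diff --color-moved` (or `-M` over the two revisions) separates the moved blocks from the new ones; if the order flip is deliberate, say so in the commit message, because a 216-line removal against a 66-line addition otherwise reads as a lost post. One detail worth carrying wherever the removed post lands: its sssd example sets `ldap_tls_reqcert = never` under `ldap_uri = ldap://ldap`, and the prose admits certificate checking never worked and that nslcd "is not checking if it is talking to the correct LDAP server". That setting disables server certificate verification outright, so any host that can answer for `ldap` on the network can terminate the TLS session and collect the user's bound password; the post's own caveat that this makes "LDAP authentication unsafe for Debian Edu" belongs next to the setting, not two paragraphs away from it.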
@@ -241,184 +91,129 @@ please contact us on debian-edu@lists.debian.org.

- 3rd July 2010 + 27th July 2010
-

Here is a short update on my my -Debian Lenny->Squeeze upgrade testing. Here is a summary of the -difference for Gnome when it is upgraded by apt-get and aptitude. I'm -not reporting the status for KDE, because the upgrade crashes when -aptitude try because of missing conflicts -(#584861 and -#585716).

+

I just posted this announcement culminating several months of work +with the next Debian Edu release. Not nearly done, but one major step +completed.

-

At the end of the upgrade test script, dpkg -l is executed to get a -complete list of the installed packages. Based on this I see these -differences when I did a test run today. As usual, I do not really -know what the correct set of packages would be, but thought it best to -publish the difference.

+
+

This is the first test release based on Squeeze. The focus of this +release is to test the user application selection. To have a look, +install the standalone profile and let the developers know if the set +of installed packages i.e. applications should be modified. If some +user application is missing, or if there are some applications that no +longer make sense to be included in Debian Edu, please let us know. +Also, if a useful application is missing the translation for your +language of choice, please let us know too.

-

Installed using apt-get, missing with aptitude

+

In addition, feedback and help to polish the desktop (menus, +artwork, starters, etc.) is appreciated. We would like to ship a nice +and handy KDE4 desktop targeted for schools out of the box.

-

- at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs - libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common - libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin - libgtksourceview-common libpt-1.10.10-plugins-alsa - libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java - libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip - python-4suite-xml python-eggtrayicon python-gtkhtml2 - python-gtkmozembed svgalibg1 xserver-xephyr zip -

+

The other profiles should be installable, but there is a lot more +work left to be done before they are ready, so do not expect to +much.

-

Installed using apt-get, removed with aptitude

+

Changes compared to the lenny based version

-

- bluez-utils dhcdbd djvulibre-desktop epiphany-gecko - gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager - libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 - libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 - libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 - libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 - libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 - libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 - libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 - libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 - libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 - libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 - libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 - libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 - libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 - libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 - libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 - libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj - libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 - mysql-common swfdec-gnome totem-gstreamer wodim -

+
    +
  • Everything from Debian Squeeze +
      +
    • Desktop environment KDE 4.4 => the new KDE desktop in + combination with some new artwork +
    • Web browser Iceweasel 3.5 +
    • OpenOffice.org 3.2 +
    • Educational toolbox GCompris 9.3 +
    • Music creator Rosegarden 10.04.2 +
    • Image editor Gimp 2.6.10 +
    • Virtual universe Celestia 1.6.0 +
    • Virtual stargazer Stellarium 0.10.4 +
    • 3D modeler Blender 2.49.2 (new application) +
    • Video editor Kdenlive 0.7.7 (new application) +
  • +
  • Now using Kerberos for password checking (migration not finished). + Enabled for: +
      +
    • PAM +
    • LDAP +
    • IMAP +
    • SMTP (sender verification) +
    +
  • +
  • New experimental roaming workstation profile for laptops.
  • +
  • Show welcome page to users when they first log in. The URL is + fetched from LDAP.
  • +
  • New LXDE desktop option, in addition to KDE (default) and Gnome.
  • +
  • General cleanup (not finished)
  • +
+

The following features are not working as they should

-

Installed using aptitude, missing with apt-get

+
    +
  • No web based administration tool for creating users and groups. The + scripts ldap-createuser-krb and ldap-add-user-to-group can be used + for testing.
  • +
  • DVD installs are missing debian-installer images for the PXE boot, + and do not set up the PXE menu on eth0 because of this. LTSP + clients should still boot from eth1 on thin client servers.
  • +
  • The restructured KDE menu is not implemented.
  • +
  • The LDAP server setup need to be reviewed for security.
  • +
  • The LDAP directory structure need to be reworked.
  • +
  • Different sets of packages are installed when using the DVD and the + netinst CD. More packages are installed using the netinst CD.
  • +
  • The jackd package fail to install. This is believed to be caused by + some ongoing transition, and hopefully should be solved soon. The + jackd1 package can be installed manually for those that need it.
  • +
  • Some packages lack translations. See + http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status, + and help out with translations.
  • +
-

- gnome gnome-desktop-environment hamster-applet python-gnomeapplet - python-gnomekeyring python-wnck rhythmbox-plugins xorg - xserver-xorg-input-all xserver-xorg-input-evdev - xserver-xorg-input-kbd xserver-xorg-input-mouse - xserver-xorg-input-synaptics xserver-xorg-video-all - xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati - xserver-xorg-video-chips xserver-xorg-video-cirrus - xserver-xorg-video-dummy xserver-xorg-video-fbdev - xserver-xorg-video-glint xserver-xorg-video-i128 - xserver-xorg-video-i740 xserver-xorg-video-mach64 - xserver-xorg-video-mga xserver-xorg-video-neomagic - xserver-xorg-video-nouveau xserver-xorg-video-nv - xserver-xorg-video-r128 xserver-xorg-video-radeon - xserver-xorg-video-radeonhd xserver-xorg-video-rendition - xserver-xorg-video-s3 xserver-xorg-video-s3virge - xserver-xorg-video-savage xserver-xorg-video-siliconmotion - xserver-xorg-video-sis xserver-xorg-video-sisusb - xserver-xorg-video-tdfx xserver-xorg-video-tga - xserver-xorg-video-trident xserver-xorg-video-tseng - xserver-xorg-video-vesa xserver-xorg-video-vmware - xserver-xorg-video-voodoo -

+

To download this multiarch netinstall release you can use

-

Installed using aptitude, removed with apt-get

+ +

To download this multiarch dvd release you can use

-

- deskbar-applet xserver-xorg xserver-xorg-core - xserver-xorg-input-wacom xserver-xorg-video-intel - xserver-xorg-video-openchrome -

+ -

I was told on IRC that the xorg-xserver package was -changed -in git today to try to get apt-get to not remove xorg completely. -No idea when it hits Squeeze, but when it does I hope it will reduce -the difference somewhat. +

There is no source DVD available yet. It will be prepared when we +get closer to the final release.

-
-
- - - Tags: debian, debian edu, english. - - -
-
-
- -
- -
- 8th July 2010 -
-
-

De siste dagene har Aftenposten -fortalt -hvordan -politet har brukt skriveverktøy som ikke håndterer arabisk tekst og -tekst som skal skrives fra høyre mot venstre når de har laget -løpeseddel for å be om informasjon fra publikum. Resultatet har vært -en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når -teksten har blitt "kopiert inn i programvare som ikke har støtte for -språk som skrives fra høyre mot venstre", og jeg er ganske sikker på -at det er snakk om Microsoft Office i dette tilfellet. Er det slik at -MS Office i norsk språkdrakt ikke har støtte for tekst som skal -skrives fra høyre mot venstre? Jeg tror alle utgaver av -OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å -la slik støtte finnes i alle utgaver av et program hvis støtten først -er utviklet. Aftenpostens melding får meg til å undre om problemet -ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS -Office.

+

The MD5SUM of these images are

-

Mon tro om det er flere eksempler på at MS Office har ødelagt for -offentlig myndighet?

+
    +
  • 3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso
  • +
  • 22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso
  • +
-
-
- - - Tags: norsk. - - -
-
-
- -
- -
- 9th July 2010 -
-
-

Since -my -last post about available LDAP tools in Debian, I was told about a -LDAP GUI that is even better than luma. The java application -jXplorer is claimed to be capable of -moving LDAP objects and subtrees using drag-and-drop, and can -authenticate using Kerberos. I have only tested the Kerberos -authentication, but do not have a LDAP setup allowing me to rewrite -LDAP with my test user yet. It is -available in -Debian testing and unstable at the moment. The only problem I -have with it is how it handle errors. If something go wrong, its -non-intuitive behaviour require me to go through some query work list -and remove the failing query. Nothing big, but very annoying.

+

The SHA1SUM of these images are

+
    +
  • c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso
  • +
  • 2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso
  • +
+

How to report bugs: +http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla

+ +

Please direct replies to debian-edu@lists.debian.org

+
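Review bot: The release announcement added in this hunk publishes MD5 and SHA1 sums for debian-edu-6.0.0+edua0-CD.iso and debian-edu-6.0.0+edua0-DVD.iso but names no signed checksum file and no signing key, and no URL survives after either "To download this ... release you can use" paragraph as the hunk is rendered here, so a reader has neither a download location nor any way to tell a tampered image from a genuine one. Sums on the same unauthenticated page as the download only catch transfer corruption; MD5 is collision-broken, so keep SHA1 or better and point at a GPG-signed sums file (the usual Debian shape is a SHA1SUMS plus SHA1SUMS.sign pair next to the images, suggested here, not taken from the page). The known-issues item "The LDAP server setup need to be reviewed for security" also says nothing about what is exposed; an alpha should state whether anonymous binds, write ACLs or cleartext connections are the concern so testers know what not to put on a real network. Style: "do not expect to much" should read "too much", and "the set of installed packages i.e. applications" wants a comma after "i.e.".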
@@ -427,92 +222,53 @@ and remove the failing query. Nothing big, but very annoying.

- 11th July 2010 + 25th July 2010
-

Vagrant mentioned on IRC today that ltsp_config now support -sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin -clients, and that this can be used to fetch configuration from LDAP if -Debian Edu choose to store configuration there.

- -

Armed with this information, I got inspired and wrote a test module -to get configuration from LDAP. The idea is to look up the MAC -address of the client in LDAP, and look for attributes on the form -ltspconfigsetting=value, and use this to export SETTING=value to the -LTSP clients.

- -

The goal is to be able to store the LTSP configuration attributes -in a "computer" LDAP object used by both DNS and DHCP, and thus -allowing us to store all information about a computer in one place.

+

The last few months me and the other Debian Edu developers have +been working hard to get the Debian/Squeeze based version of Debian +Edu/Skolelinux into shape. This future version will use Kerberos for +authentication, and services are slowly migrated to single signon, +getting rid of password questions one at the time.

-

This is a untested draft implementation, and I welcome feedback on -this approach. A real LDAP schema for the ltspClientAux objectclass -need to be written. Comments, suggestions, etc?

+

It will also feature a roaming workstation profile with local home +directory, for laptops that are only some times on the Skolelinux +network, and for this profile a shortcut is created in Gnome and KDE +to gain access to the users home directory on the file server. This +shortcut uses SMB at the moment, and yesterday I had time to test if +SMB mounting had started working in KDE after we added the cifs-utils +package. I was pleasantly surprised how well it worked.

-
-# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
-#
-# Fetch LTSP client settings from LDAP based on MAC address
-#
-# Uses ethernet address as stored in the dhcpHost objectclass using
-# the dhcpHWAddress attribute or ethernet address stored in the
-# ieee802Device objectclass with the macAddress attribute.
-#
-# This module is written to be schema agnostic, and only depend on the
-# existence of attribute names.
-#
-# The LTSP configuration variables are saved directly using a
-# ltspConfig prefix and uppercasing the rest of the attribute name.
-# To set the SERVER variable, set the ltspConfigServer attribute.
-#
-# Some LDAP schema should be created with all the relevant
-# configuration settings.  Something like this should work:
-# 
-# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
-#     SUP top
-#     AUXILIARY
-#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+

Thanks to the recent changes to our samba configuration to get it +to use Kerberos for authentication, there were no question about user +password when mounting the SMB volume. A simple click on the shortcut +in the KDE menu, and a window with the home directory popped +up. :)

-LDAPSERVER=$(debian-edu-ldapserver) -if [ "$LDAPSERVER" ] ; then - LDAPBASE=$(debian-edu-ldapserver -b) - for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do - filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))" - ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \ - grep '^ltspConfig' | while read attr value ; do - # Remove prefix and convert to upper case - attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z) - # bass value on to clients - eval "$attr=$value; export $attr" - done - done -fi -
+

One step closer to a single signon solution out of the box in +Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now +also Samba. Next step is Cups and hopefully also NFS.

-

I'm not sure this shell construction will work, because I suspect -the while block might end up in a subshell causing the variables set -there to not show up in ltsp-config, but if that is the case I am sure -the code can be restructured to make sure the variables are passed on. -I expect that can be solved with some testing. :)

+

We had planned a alpha0 release of Debian Edu for today, but thanks +to the autobuilder administrators for some architectures being slow to +sign packages, we are still missing the fixed LTSP package we need for +the release. It was uploaded three days ago with urgency=high, and if +it had entered testing yesterday we would have been able to test it in +time for a alpha0 release today. As the binaries for ia64 and powerpc +still not uploaded to the Debian archive, we need to delay the alpha +release another day.

-

If you want to help out with implementing this for Debian Edu, +

If you want to help out with implementing Kerberos for Debian Edu, please contact us on debian-edu@lists.debian.org.

-

Update 2010-07-17: I am aware of another effort to store LTSP -configuration in LDAP that was created around year 2000 by -PC -Xperience, Inc., 2000. I found its -files on a -personal home page over at redhat.com.

-
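Review bot: The `ldap-config` draft on the removed side of this hunk executes untrusted directory data as shell: `eval "$attr=$value; export $attr"` runs whatever an `ltspConfig*` attribute contains, so anyone who can write those attributes, or who can answer the anonymous, unencrypted `ldapsearch -x -h "$LDAPSERVER"` query from the client's network segment, gets command execution on every thin client that sources the file at boot. It also has a plain functional bug: `read attr value` on ldapsearch output keeps the trailing colon on the attribute name, so `ltspConfigServer: foo` becomes `SERVER:=foo` and the eval fails, and base64 `::` values are not handled at all. Suggested shape: strip the colon with `attr=${attr%:}`, skip anything that fails a `case "$value" in *[!A-Za-z0-9._:/-]*) continue ;; esac` whitelist (and the same for `$attr` against `[A-Z0-9_]`), then assign with `export "$attr=$value"` instead of eval; the query should go over ldaps or `-ZZ` with a verified certificate, or at minimum be restricted to the server the client already trusts for DHCP. The author's suspicion that the `| while read` loop runs in a subshell is correct under dash and bash, so the exports are lost; writing `export NAME=value` lines to a temp file and sourcing it after the pipeline avoids that without restructuring. Since this block is only moved by the reorder, the fix belongs in the post wherever it now sits.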
@@ -521,75 +277,77 @@ personal home page over at redhat.com.

- 14th July 2010 + 22nd July 2010
-

For a while now, I have wanted to find a way to change the DNS and -DHCP services in Debian Edu to use the same LDAP objects for a given -computer, to avoid the possibility of having a inconsistent state for -a computer in LDAP (as in DHCP but no DNS entry or the other way -around) and make it easier to add computers to LDAP.

- -

I've looked at how powerdns and dhcpd is using LDAP, and using this -information finally found a solution that seem to work.

- -

The old setup required three LDAP objects for a given computer. -One forward DNS entry, one reverse DNS entry and one DHCP entry. If -we switch powerdns to use its strict LDAP method (ldap-method=strict -in pdns-debian-edu.conf), the forward and reverse DNS entries are -merged into one while making it impossible to transfer the reverse map -to a slave DNS server.

- -

If we also replace the object class used to get the DNS related -attributes to one allowing these attributes to be combined with the -dhcphost object class, we can merge the DNS and DHCP entries into one. -I've written such object class in the dnsdomainaux.schema file (need -proper OIDs, but that is a minor issue), and tested the setup. It -seem to work.

+

For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at +musikkbransjen var godt i gang med å selge platene sine med DRM som +gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg +hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en +plate om den var ødelagt eller ikke, og jeg hadde jo allerede en +anseelig samling med plater, så jeg bestemme meg for å slutte å gi +penger til en bransje som åpenbart ikke respekterte meg.

-

With this test setup in place, we can get away with one LDAP object -for both DNS and DHCP, and even the LTSP configuration I suggested in -an earlier email. The combined LDAP object will look something like -this:

+

Jeg har mange titalls dager med musikk på CD i dag. Det meste er +lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har +ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer +musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt +fornøyd.

-
-  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-  cn: hostname
-  objectClass: dhcphost
-  objectclass: domainrelatedobject
-  objectclass: dnsdomainaux
-  associateddomain: hostname.intern
-  arecord: 10.11.12.13
-  dhcphwaddress: ethernet 00:00:00:00:00:00
-  dhcpstatements: fixed-address hostname
-  ldapconfigsound: Y
-
+

Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de +setter pris på meg som kunde, og ikke skremme meg bort med DRM og +antydninger om at kundene er kriminelle.

-

The DNS server uses the associateddomain and arecord entries, while -the DHCP server uses the dhcphwaddress and dhcpstatements entries -before asking DNS to resolve the fixed-adddress. LTSP will use -dhcphwaddress or associateddomain and the ldapconfig* attributes.

+

Filmbransjen er like ille, men mens musikk gjerne varer lenge, er +filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men +holder meg til DVD-filmer som kan spilles av på mine Linuxbokser. +Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene +«Ultraviolet» som be annonsert her om dagen.

-

I am not yet sure if I can get the DHCP server to look for its -dhcphost in a different location, to allow us to put the objects -outside the "DHCP Config" subtree, but hope to figure out a way to do -that. If I can't figure out a way to do that, we can still get rid of -the hosts subtree and move all its content into the DHCP Config tree -(which probably should be renamed to be more related to the new -content. I suspect cn=dnsdhcp,ou=services or something like that -might be a good place to put it.

+
+
+ + + Tags: fildeling, norsk, nuug, opphavsrett, personvern. + + +
+
+
+ +
+ +
+ 18th July 2010 +
+
+

Thanks to +todays +opengeodata blog entry, I just discovered that the +OpenStreetmap.org site have gotten +support +for calculating routes. The support is still experimental and +only available from the development server, until more experience is +gathered on the user interface and any scalability issues.

-

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

Earlier, the routing I knew about using the OpenStreetmap.org data +was provided by Cloudmade, +but having it on the main page is required to make everyone aware of +the issue. I've had people reject Openstreetmap.org as a viable +alternative for them because the front page lacked routing support, +and I hope their needs will be catered for when routing show up on the +www.openstreetmap.org front page.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: english, kart, web.
@@ -929,34 +687,75 @@ auxiliary object class.

- 18th July 2010 + 14th July 2010
-

Thanks to -todays -opengeodata blog entry, I just discovered that the -OpenStreetmap.org site have gotten -support -for calculating routes. The support is still experimental and -only available from the development server, until more experience is -gathered on the user interface and any scalability issues.

+

For a while now, I have wanted to find a way to change the DNS and +DHCP services in Debian Edu to use the same LDAP objects for a given +computer, to avoid the possibility of having a inconsistent state for +a computer in LDAP (as in DHCP but no DNS entry or the other way +around) and make it easier to add computers to LDAP.

-

Earlier, the routing I knew about using the OpenStreetmap.org data -was provided by Cloudmade, -but having it on the main page is required to make everyone aware of -the issue. I've had people reject Openstreetmap.org as a viable -alternative for them because the front page lacked routing support, -and I hope their needs will be catered for when routing show up on the -www.openstreetmap.org front page.

+

I've looked at how powerdns and dhcpd is using LDAP, and using this +information finally found a solution that seem to work.

+ +

The old setup required three LDAP objects for a given computer. +One forward DNS entry, one reverse DNS entry and one DHCP entry. If +we switch powerdns to use its strict LDAP method (ldap-method=strict +in pdns-debian-edu.conf), the forward and reverse DNS entries are +merged into one while making it impossible to transfer the reverse map +to a slave DNS server.

+ +

If we also replace the object class used to get the DNS related +attributes to one allowing these attributes to be combined with the +dhcphost object class, we can merge the DNS and DHCP entries into one. +I've written such object class in the dnsdomainaux.schema file (need +proper OIDs, but that is a minor issue), and tested the setup. It +seem to work.

+ +

With this test setup in place, we can get away with one LDAP object +for both DNS and DHCP, and even the LTSP configuration I suggested in +an earlier email. The combined LDAP object will look something like +this:

+ +
+  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
+  cn: hostname
+  objectClass: dhcphost
+  objectclass: domainrelatedobject
+  objectclass: dnsdomainaux
+  associateddomain: hostname.intern
+  arecord: 10.11.12.13
+  dhcphwaddress: ethernet 00:00:00:00:00:00
+  dhcpstatements: fixed-address hostname
+  ldapconfigsound: Y
+
+ +

The DNS server uses the associateddomain and arecord entries, while +the DHCP server uses the dhcphwaddress and dhcpstatements entries +before asking DNS to resolve the fixed-adddress. LTSP will use +dhcphwaddress or associateddomain and the ldapconfig* attributes.

+ +

I am not yet sure if I can get the DHCP server to look for its +dhcphost in a different location, to allow us to put the objects +outside the "DHCP Config" subtree, but hope to figure out a way to do +that. If I can't figure out a way to do that, we can still get rid of +the hosts subtree and move all its content into the DHCP Config tree +(which probably should be renamed to be more related to the new +content. I suspect cn=dnsdhcp,ou=services or something like that +might be a good place to put it.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

- Tags: english, kart, web. + Tags: debian, debian edu, english, ldap, nuug.
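Review bot: the example object carries `ldapconfigsound: Y` but lists only the dhcphost, domainrelatedobject and dnsdomainaux object classes, and the text describes dnsdomainaux as supplying just the DNS attributes, so a schema-checking server would reject the entry until an auxiliary class that allows the ldapconfig* attributes is added to its objectClass list. The attribute naming is also inconsistent within this page: here the LTSP settings are called ldapconfigsound and "the ldapconfig* attributes", while the draft module in the 11th July entry greps for the `ltspConfig` prefix and proposes `ltspConfigServer $ ltsConfigSound`; pick one prefix before writing the schema. Two wording points in the same entry: "fixed-adddress" should read "fixed-address", and the sentence beginning "(which probably should be renamed" never closes its parenthesis.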
@@ -965,41 +764,126 @@ www.openstreetmap.org front page.

- 22nd July 2010 + 11th July 2010
-

For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at -musikkbransjen var godt i gang med å selge platene sine med DRM som -gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg -hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en -plate om den var ødelagt eller ikke, og jeg hadde jo allerede en -anseelig samling med plater, så jeg bestemme meg for å slutte å gi -penger til en bransje som åpenbart ikke respekterte meg.

+

Vagrant mentioned on IRC today that ltsp_config now support +sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin +clients, and that this can be used to fetch configuration from LDAP if +Debian Edu choose to store configuration there.

-

Jeg har mange titalls dager med musikk på CD i dag. Det meste er -lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har -ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer -musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt -fornøyd.

+

Armed with this information, I got inspired and wrote a test module +to get configuration from LDAP. The idea is to look up the MAC +address of the client in LDAP, and look for attributes on the form +ltspconfigsetting=value, and use this to export SETTING=value to the +LTSP clients.

-

Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de -setter pris på meg som kunde, og ikke skremme meg bort med DRM og -antydninger om at kundene er kriminelle.

+

The goal is to be able to store the LTSP configuration attributes +in a "computer" LDAP object used by both DNS and DHCP, and thus +allowing us to store all information about a computer in one place.

-

Filmbransjen er like ille, men mens musikk gjerne varer lenge, er -filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men -holder meg til DVD-filmer som kan spilles av på mine Linuxbokser. -Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene -«Ultraviolet» som be annonsert her om dagen.

+

This is a untested draft implementation, and I welcome feedback on +this approach. A real LDAP schema for the ltspClientAux objectclass +need to be written. Comments, suggestions, etc?

+ +
+# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
+#
+# Fetch LTSP client settings from LDAP based on MAC address
+#
+# Uses ethernet address as stored in the dhcpHost objectclass using
+# the dhcpHWAddress attribute or ethernet address stored in the
+# ieee802Device objectclass with the macAddress attribute.
+#
+# This module is written to be schema agnostic, and only depend on the
+# existence of attribute names.
+#
+# The LTSP configuration variables are saved directly using a
+# ltspConfig prefix and uppercasing the rest of the attribute name.
+# To set the SERVER variable, set the ltspConfigServer attribute.
+#
+# Some LDAP schema should be created with all the relevant
+# configuration settings.  Something like this should work:
+# 
+# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
+#     SUP top
+#     AUXILIARY
+#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
+
+LDAPSERVER=$(debian-edu-ldapserver)
+if [ "$LDAPSERVER" ] ; then
+    LDAPBASE=$(debian-edu-ldapserver -b)
+    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
+	filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
+	ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
+	    grep '^ltspConfig' | while read attr value ; do
+	    # Remove prefix and convert to upper case
+	    attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
+	    # bass value on to clients
+	    eval "$attr=$value; export $attr"
+	done
+    done
+fi
+
+ +

I'm not sure this shell construction will work, because I suspect +the while block might end up in a subshell causing the variables set +there to not show up in ltsp-config, but if that is the case I am sure +the code can be restructured to make sure the variables are passed on. +I expect that can be solved with some testing. :)

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

+ +

Update 2010-07-17: I am aware of another effort to store LTSP +configuration in LDAP that was created around year 2000 by +PC +Xperience, Inc., 2000. I found its +files on a +personal home page over at redhat.com.

+ +
+
+ + + Tags: debian, debian edu, english, ldap, nuug. + + +
+
+
+ +
+ +
+ 9th July 2010 +
+
+

Since +my +last post about available LDAP tools in Debian, I was told about a +LDAP GUI that is even better than luma. The java application +jXplorer is claimed to be capable of +moving LDAP objects and subtrees using drag-and-drop, and can +authenticate using Kerberos. I have only tested the Kerberos +authentication, but do not have a LDAP setup allowing me to rewrite +LDAP with my test user yet. It is +available in +Debian testing and unstable at the moment. The only problem I +have with it is how it handle errors. If something go wrong, its +non-intuitive behaviour require me to go through some query work list +and remove the failing query. Nothing big, but very annoying.

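Review bot: `eval "$attr=$value; export $attr"` executes whatever the directory returns as shell code on the thin client, so a value containing `;`, backticks or `$(...)` in any ltspConfig* attribute would run with the privileges of ltsp_config, and since the lookup is an anonymous simple bind (`-x`) over plain `ldap` the client has no assurance about who supplied that value. Use `export "$attr=$value"` instead and reject `$attr` unless it matches `^[A-Z_][A-Z0-9_]*$`. Two functional problems in the loop: ldapsearch prints LDIF (`ltspConfigServer: value`), so `read attr value` leaves a trailing colon on `$attr` and the exported name becomes e.g. `SERVER:`, which is not a valid variable name; strip it with `attr=${attr%:}` and be aware that a `::` separator marks a base64-encoded value. The subshell concern raised in the paragraph after the block is real: variables set inside a `| while read` loop do not survive the pipeline, so either write the ldapsearch output to a temporary file and redirect the loop from it, or have the loop print `export NAME=value` lines that the caller sources. Also "bass value on to clients" should read "pass".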
@@ -1008,53 +892,38 @@ Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene
- 25th July 2010 + 8th July 2010
-

The last few months me and the other Debian Edu developers have -been working hard to get the Debian/Squeeze based version of Debian -Edu/Skolelinux into shape. This future version will use Kerberos for -authentication, and services are slowly migrated to single signon, -getting rid of password questions one at the time.

- -

It will also feature a roaming workstation profile with local home -directory, for laptops that are only some times on the Skolelinux -network, and for this profile a shortcut is created in Gnome and KDE -to gain access to the users home directory on the file server. This -shortcut uses SMB at the moment, and yesterday I had time to test if -SMB mounting had started working in KDE after we added the cifs-utils -package. I was pleasantly surprised how well it worked.

- -

Thanks to the recent changes to our samba configuration to get it -to use Kerberos for authentication, there were no question about user -password when mounting the SMB volume. A simple click on the shortcut -in the KDE menu, and a window with the home directory popped -up. :)

- -

One step closer to a single signon solution out of the box in -Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now -also Samba. Next step is Cups and hopefully also NFS.

- -

We had planned a alpha0 release of Debian Edu for today, but thanks -to the autobuilder administrators for some architectures being slow to -sign packages, we are still missing the fixed LTSP package we need for -the release. It was uploaded three days ago with urgency=high, and if -it had entered testing yesterday we would have been able to test it in -time for a alpha0 release today. As the binaries for ia64 and powerpc -still not uploaded to the Debian archive, we need to delay the alpha -release another day.

+

De siste dagene har Aftenposten +fortalt +hvordan +politet har brukt skriveverktøy som ikke håndterer arabisk tekst og +tekst som skal skrives fra høyre mot venstre når de har laget +løpeseddel for å be om informasjon fra publikum. Resultatet har vært +en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når +teksten har blitt "kopiert inn i programvare som ikke har støtte for +språk som skrives fra høyre mot venstre", og jeg er ganske sikker på +at det er snakk om Microsoft Office i dette tilfellet. Er det slik at +MS Office i norsk språkdrakt ikke har støtte for tekst som skal +skrives fra høyre mot venstre? Jeg tror alle utgaver av +OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å +la slik støtte finnes i alle utgaver av et program hvis støtten først +er utviklet. Aftenpostens melding får meg til å undre om problemet +ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS +Office.

-

If you want to help out with implementing Kerberos for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

Mon tro om det er flere eksempler på at MS Office har ødelagt for +offentlig myndighet?

- Tags: debian edu, english, nuug, sikkerhet. + Tags: norsk.
@@ -1063,129 +932,110 @@ please contact us on debian-edu@lists.debian.org.

- 27th July 2010 + 3rd July 2010
-

I just posted this announcement culminating several months of work -with the next Debian Edu release. Not nearly done, but one major step -completed.

- -
-

This is the first test release based on Squeeze. The focus of this -release is to test the user application selection. To have a look, -install the standalone profile and let the developers know if the set -of installed packages i.e. applications should be modified. If some -user application is missing, or if there are some applications that no -longer make sense to be included in Debian Edu, please let us know. -Also, if a useful application is missing the translation for your -language of choice, please let us know too.

- -

In addition, feedback and help to polish the desktop (menus, -artwork, starters, etc.) is appreciated. We would like to ship a nice -and handy KDE4 desktop targeted for schools out of the box.

- -

The other profiles should be installable, but there is a lot more -work left to be done before they are ready, so do not expect to -much.

- -

Changes compared to the lenny based version

- -
    -
  • Everything from Debian Squeeze -
      -
    • Desktop environment KDE 4.4 => the new KDE desktop in - combination with some new artwork -
    • Web browser Iceweasel 3.5 -
    • OpenOffice.org 3.2 -
    • Educational toolbox GCompris 9.3 -
    • Music creator Rosegarden 10.04.2 -
    • Image editor Gimp 2.6.10 -
    • Virtual universe Celestia 1.6.0 -
    • Virtual stargazer Stellarium 0.10.4 -
    • 3D modeler Blender 2.49.2 (new application) -
    • Video editor Kdenlive 0.7.7 (new application) -
  • -
  • Now using Kerberos for password checking (migration not finished). - Enabled for: -
      -
    • PAM -
    • LDAP -
    • IMAP -
    • SMTP (sender verification) -
    -
  • -
  • New experimental roaming workstation profile for laptops.
  • -
  • Show welcome page to users when they first log in. The URL is - fetched from LDAP.
  • -
  • New LXDE desktop option, in addition to KDE (default) and Gnome.
  • -
  • General cleanup (not finished)
  • -
-

The following features are not working as they should

- -
    -
  • No web based administration tool for creating users and groups. The - scripts ldap-createuser-krb and ldap-add-user-to-group can be used - for testing.
  • -
  • DVD installs are missing debian-installer images for the PXE boot, - and do not set up the PXE menu on eth0 because of this. LTSP - clients should still boot from eth1 on thin client servers.
  • -
  • The restructured KDE menu is not implemented.
  • -
  • The LDAP server setup need to be reviewed for security.
  • -
  • The LDAP directory structure need to be reworked.
  • -
  • Different sets of packages are installed when using the DVD and the - netinst CD. More packages are installed using the netinst CD.
  • -
  • The jackd package fail to install. This is believed to be caused by - some ongoing transition, and hopefully should be solved soon. The - jackd1 package can be installed manually for those that need it.
  • -
  • Some packages lack translations. See - http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status, - and help out with translations.
  • -
+

Here is a short update on my my +Debian Lenny->Squeeze upgrade testing. Here is a summary of the +difference for Gnome when it is upgraded by apt-get and aptitude. I'm +not reporting the status for KDE, because the upgrade crashes when +aptitude try because of missing conflicts +(#584861 and +#585716).

-

To download this multiarch netinstall release you can use

+

At the end of the upgrade test script, dpkg -l is executed to get a +complete list of the installed packages. Based on this I see these +differences when I did a test run today. As usual, I do not really +know what the correct set of packages would be, but thought it best to +publish the difference.

- -

To download this multiarch dvd release you can use

+

Installed using apt-get, missing with aptitude

- +

+ at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs + libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common + libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin + libgtksourceview-common libpt-1.10.10-plugins-alsa + libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java + libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip + python-4suite-xml python-eggtrayicon python-gtkhtml2 + python-gtkmozembed svgalibg1 xserver-xephyr zip +

-

There is no source DVD available yet. It will be prepared when we -get closer to the final release.

+

Installed using apt-get, removed with aptitude

-

The MD5SUM of these images are

+

+ bluez-utils dhcdbd djvulibre-desktop epiphany-gecko + gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager + libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 + libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 + libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 + libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 + libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 + libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 + libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 + libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 + libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 + libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 + libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 + libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 + libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 + libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 + libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 + libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj + libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 + mysql-common swfdec-gnome totem-gstreamer wodim +

-
    -
  • 3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso
  • -
  • 22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso
  • -
+

Installed using aptitude, missing with apt-get

-

The SHA1SUM of these images are

-
    -
  • c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso
  • -
  • 2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso
  • -
-

How to report bugs: -http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla

+

+ gnome gnome-desktop-environment hamster-applet python-gnomeapplet + python-gnomekeyring python-wnck rhythmbox-plugins xorg + xserver-xorg-input-all xserver-xorg-input-evdev + xserver-xorg-input-kbd xserver-xorg-input-mouse + xserver-xorg-input-synaptics xserver-xorg-video-all + xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati + xserver-xorg-video-chips xserver-xorg-video-cirrus + xserver-xorg-video-dummy xserver-xorg-video-fbdev + xserver-xorg-video-glint xserver-xorg-video-i128 + xserver-xorg-video-i740 xserver-xorg-video-mach64 + xserver-xorg-video-mga xserver-xorg-video-neomagic + xserver-xorg-video-nouveau xserver-xorg-video-nv + xserver-xorg-video-r128 xserver-xorg-video-radeon + xserver-xorg-video-radeonhd xserver-xorg-video-rendition + xserver-xorg-video-s3 xserver-xorg-video-s3virge + xserver-xorg-video-savage xserver-xorg-video-siliconmotion + xserver-xorg-video-sis xserver-xorg-video-sisusb + xserver-xorg-video-tdfx xserver-xorg-video-tga + xserver-xorg-video-trident xserver-xorg-video-tseng + xserver-xorg-video-vesa xserver-xorg-video-vmware + xserver-xorg-video-voodoo +

-

Please direct replies to debian-edu@lists.debian.org

-
+

Installed using aptitude, removed with apt-get

+ +

+ deskbar-applet xserver-xorg xserver-xorg-core + xserver-xorg-input-wacom xserver-xorg-video-intel + xserver-xorg-video-openchrome +

+ +

I was told on IRC that the xorg-xserver package was +changed +in git today to try to get apt-get to not remove xorg completely. +No idea when it hits Squeeze, but when it does I hope it will reduce +the difference somewhat.

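Review bot: one entry in the "Installed using apt-get, missing with aptitude" list deserves to be called out rather than left to the reader: openssl-blacklist, which provides the openssl-vulnkey tool and the blacklists used to recognise the weak keys generated by the 2008 Debian OpenSSL bug, so an aptitude upgrade silently leaves the system without that check. Wording nits in the first paragraph of the 3rd July entry: "my my" is doubled, and "when aptitude try" should read "tries".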
@@ -1194,66 +1044,216 @@ http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla

- 27th July 2010 + 1st July 2010
-

I discovered this while doing -automated -testing of upgrades from Debian Lenny to Squeeze. A few packages -in Debian still got circular dependencies, and it is often claimed -that apt and aptitude should be able to handle this just fine, but -some times these dependency loops causes apt to fail.

+

For a laptop, centralized user directories and password checking is +a bit troubling. Laptops are typically used also when not connected +to the network, and it is vital for a user to be able to log in or +unlock the screen saver also when a central server is unavailable. +This is possible by caching passwords and directory information (user +and group attributes) locally, and the packages to do so are available +in Debian. Here follow two recipes to set this up in Debian/Squeeze. +It is also possible to set up in Debian/Lenny, but require more manual +setup there because pam-auth-update is missing in Lenny.

-

An example is from todays -upgrade -of KDE using aptitude. In it, a bug in kdebase-workspace-data -causes perl-modules to fail to upgrade. The cause is simple. If a -package fail to unpack, then only part of packages with the circular -dependency might end up being unpacked when unpacking aborts, and the -ones already unpacked will fail to configure in the recovery phase -because its dependencies are unavailable.

+

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

-

In this log, the problem manifest itself with this error:

+This is the traditional method with a twist. The password caching is +provided by libpam-ccreds (version 10-4 or later is needed on +Squeeze), and the directory caching is done by nscd. The directory +lookup and password checking is done using LDAP. If one want to use +Kerberos for password checking the libpam-ldapd package can be +replaced with libpam-krb5 or libpam-heimdal. If one is happy having a +local home directory with the path listed in LDAP, one can use the +pam_mkhomedir module from pam-modules to make this happen instead of +using libpam-mklocaluser. A setup for pam-auth-update to enable +pam_mkhomedir will have to be written until a fix for +bug #568577 is in the +archive. Because I believe it is a bad idea to have local home +directories using misleading paths like /site/server/partition/, I +prefer to create a local user with the home directory in /home/. This +is done using the libpam-mklocaluser package.

+ +

These packages need to be installed and configured

-dpkg: dependency problems prevent configuration of perl-modules:
- perl-modules depends on perl (>= 5.10.1-1); however:
-  Version of perl on system is 5.10.0-19lenny2.
-dpkg: error processing perl-modules (--configure):
- dependency problems - leaving unconfigured
+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
 
-

The perl/perl-modules circular dependency is already -reported as a bug, and will -hopefully be solved as soon as possible, but it is not the only one, -and each one of these loops in the dependency tree can cause similar -failures. Of course, they only occur when there are bugs in other -packages causing the unpacking to fail, but it is rather nasty when -the failure of one package causes the problem to become worse because -of dependency loops.

+

The ldapd packages will ask for LDAP connection information, and +one have to fill in the values that fits ones own site. Make sure the +PAM part uses encrypted connections, to make sure the password is not +sent in clear text to the LDAP server. I've been unable to get TLS +certificate checking for a self signed certificate working, which make +LDAP authentication unsafe for Debian Edu (nslcd is not checking if it +is talking to the correct LDAP server), and very much welcome feedback +on how to get this working.

-

Thanks to -the -tireless effort by Bill Allombert, the number of circular -dependencies -left in Debian -is dropping, and perhaps it will reach zero one day. :)

+

Because nscd do not have a default configuration fit for offline +caching until bug #485282 +is fixed, this configuration should be used instead of the one +currently in /etc/nscd.conf. The changes are in the fields +reload-count and positive-time-to-live, and is based on the +instructions I found in the +LDAP for Mobile Laptops +instructions by Flyn Computing.

-

Todays testing also exposed a bug in -update-notifier and -different behaviour between -apt-get and aptitude, the latter possibly caused by some circular -dependency. Reported both to BTS to try to get someone to look at -it.

+
+	debug-level		0
+	reload-count		unlimited
+	paranoia		no
+
+	enable-cache		passwd		yes
+	positive-time-to-live	passwd		2592000
+	negative-time-to-live	passwd		20
+	suggested-size		passwd		211
+	check-files		passwd		yes
+	persistent		passwd		yes
+	shared			passwd		yes
+	max-db-size		passwd		33554432
+	auto-propagate		passwd		yes
+
+	enable-cache		group		yes
+	positive-time-to-live	group		2592000
+	negative-time-to-live	group		20
+	suggested-size		group		211
+	check-files		group		yes
+	persistent		group		yes
+	shared			group		yes
+	max-db-size		group		33554432
+	auto-propagate		group		yes
+
+	enable-cache		hosts		no
+	positive-time-to-live	hosts		2592000
+	negative-time-to-live	hosts		20
+	suggested-size		hosts		211
+	check-files		hosts		yes
+	persistent		hosts		yes
+	shared			hosts		yes
+	max-db-size		hosts		33554432
+
+	enable-cache		services	yes
+	positive-time-to-live	services	2592000
+	negative-time-to-live	services	20
+	suggested-size		services	211
+	check-files		services	yes
+	persistent		services	yes
+	shared			services	yes
+	max-db-size		services	33554432
+
+ +

While we wait for a mechanism to update /etc/nsswitch.conf +automatically like the one provided in +bug #496915, the file +content need to be manually replaced to ensure LDAP is used as the +directory service on the machine. /etc/nsswitch.conf should normally +look like this:

+ +
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks:       files
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
+netgroup:       files ldap
+
+ +

The important parts are that ldap is listed last for passwd, group, +shadow and netgroup.

+ +

With these changes in place, any user in LDAP will be able to log +in locally on the machine using for example kdm, get a local home +directory created and have the password as well as user and group +attributes cached. + +

LDAP/Kerberos + nss-updatedb + libpam-ccreds + + libpam-mklocaluser/pam_mkhomedir

+ +

Because nscd have had its share of problems, and seem to have +problems doing proper caching, I've seen suggestions and recipes to +use nss-updatedb to copy parts of the LDAP database locally when the +LDAP database is available. I have not tested such setup, because I +discovered sssd.

+ +

LDAP/Kerberos + sssd + libpam-mklocaluser

+ +

A more flexible and robust setup than the nscd combination +mentioned earlier that has shown up recently, is the +sssd package from Redhat. +It is part of the FreeIPA project +to provide a Active Directory like directory service for Linux +machines. The sssd system combines the caching of passwords and user +information into one package, and remove the need for nscd and +libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version +1.2 do not support netgroups, but it is said that it will support this +in version 1.5 expected to show up later in 2010. Because the +sssd package +was missing in Debian, I ended up co-maintaining it with Werner, and +version 1.2 is now in testing. + +

These packages need to be installed and configured to get the +roaming setup I want

+ +
+libpam-sss libnss-sss libpam-mklocaluser
+
+ +The complete setup of sssd is done by editing/creating +/etc/sssd/sssd.conf. + +
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+
+ +

I got the same problem here with certificate checking. Had to set +"ldap_tls_reqcert = never" to get it working.

+ +

With the libnss-sss package in testing at the moment, the +nsswitch.conf file is update automatically, so there is no need to +modify it manually.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

- Tags: debian, english, nuug. + Tags: debian edu, english, ldap, nuug.
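Review bot: `ldap_tls_reqcert = never` in the sssd.conf block turns off server certificate verification, which gives the sssd recipe exactly the weakness the nslcd paragraph above calls unsafe: the client cannot tell whether it is talking to the real LDAP server before it sends the password. The likely reason verification failed is the line right above it, `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt`, which points at the system CA bundle, and a self-signed site certificate is by definition not in that bundle. Put the server's self-signed certificate (or the CA that issued it) in its own PEM file, point ldap_tls_cacert at that file and set `ldap_tls_reqcert = demand`; the same approach should make the nslcd certificate check work too. The earlier nslcd paragraph should then drop the "unsafe" caveat or state the fix, since the recipe otherwise documents a configuration that authenticates users against an unauthenticated server.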