X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/abc2ffcb5964f76af5a70d73721e6310adf2052a..e13115f1c3ad45cccad9905c6eb693f4368bae0a:/blog/index.html diff --git a/blog/index.html b/blog/index.html index 6d6b6eb4e4..7297bb9eff 100644 --- a/blog/index.html +++ b/blog/index.html @@ -19,6 +19,132 @@ +
+
First Debian Edu test release (alpha0) based on Squeeze is released
+
2010-07-27 17:45
+
+

I just posted this announcement culminating several months of work +with the next Debian Edu release. Not nearly done, but one major step +completed.

+ +
+

This is the first test release based on Squeeze. The focus of this +release is to test the user application selection. To have a look, +install the standalone profile and let the developers know if the set +of installed packages i.e. applications should be modified. If some +user application is missing, or if there are some applications that no +longer make sense to be included in Debian Edu, please let us know. +Also, if a useful application is missing the translation for your +language of choice, please let us know too.

+ +

In addition, feedback and help to polish the desktop (menus, +artwork, starters, etc.) is appreciated. We would like to ship a nice +and handy KDE4 desktop targeted for schools out of the box.

+ +

The other profiles should be installable, but there is a lot more +work left to be done before they are ready, so do not expect to +much.

+ +

Changes compared to the lenny based version

+ +
    +
  • Everything from Debian Squeeze +
      +
    • Desktop environment KDE 4.4 => the new KDE desktop in + combination with some new artwork +
    • Web browser Iceweasel 3.5 +
    • OpenOffice.org 3.2 +
    • Educational toolbox GCompris 9.3 +
    • Music creator Rosegarden 10.04.2 +
    • Image editor Gimp 2.6.10 +
    • Virtual universe Celestia 1.6.0 +
    • Virtual stargazer Stellarium 0.10.4 +
    • 3D modeler Blender 2.49.2 (new application) +
    • Video editor Kdenlive 0.7.7 (new application) +
  • +
  • Now using Kerberos for password checking (migration not finished). + Enabled for: +
      +
    • PAM +
    • LDAP +
    • IMAP +
    • SMTP (sender verification) +
    +
  • +
  • New experimental roaming workstation profile for laptops.
  • +
  • Show welcome page to users when they first log in. The URL is + fetched from LDAP.
  • +
  • New LXDE desktop option, in addition to KDE (default) and Gnome.
  • +
  • General cleanup (not finished)
  • +
+

The following features are not working as they should

+ +
    +
  • No web based administration tool for creating users and groups. The + scripts ldap-createuser-krb and ldap-add-user-to-group can be used + for testing.
  • +
  • DVD installs are missing debian-installer images for the PXE boot, + and do not set up the PXE menu on eth0 because of this. LTSP + clients should still boot from eth1 on thin client servers.
  • +
  • The restructured KDE menu is not implemented.
  • +
  • The LDAP server setup need to be reviewed for security.
  • +
  • The LDAP directory structure need to be reworked.
  • +
  • Different sets of packages are installed when using the DVD and the + netinst CD. More packages are installed using the netinst CD.
  • +
  • The jackd package fail to install. This is believed to be caused by + some ongoing transition, and hopefully should be solved soon. The + jackd1 package can be installed manually for those that need it.
  • +
  • Some packages lack translations. See + http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status, + and help out with translations.
  • +
+ +

To download this multiarch netinstall release you can use

+ + +

To download this multiarch dvd release you can use

+ + + +

There is no source DVD available yet. It will be prepared when we +get closer to the final release.

+ +

The MD5SUM of these images are

+ +
    +
  • 3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso
  • +
  • 22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso
  • +
+ +

The SHA1SUM of these images are

+
    +
  • c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso
  • +
  • 2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso
  • +
+

How to report bugs: +http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla

+ +

Please direct replies to debian-edu@lists.debian.org

+
+
+
+ + + + Tags: debian edu, english, nuug. + +
+
+
+
One step closer to single signon in Debian Edu
2010-07-25 10:00
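Review bot: The added announcement gives only MD5 and SHA1 sums for debian-edu-6.0.0+edua0-CD.iso and debian-edu-6.0.0+edua0-DVD.iso, inline in the same HTML page and with no signature over them. Anyone able to change this page or a mirror can change the images and the sums together, and MD5 is not collision resistant, so these sums catch a corrupted download but do not authenticate the image. Suggest adding a SHA256 sum and pointing to a checksum file that carries a detached OpenPGP signature from a release key, so the "The MD5SUM of these images are" and "The SHA1SUM of these images are" lists are not the only integrity reference.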
@@ -796,219 +922,6 @@ the difference somewhat.
-
-
Caching password, user and group on a roaming Debian laptop
-
2010-07-01 11:40
-
-

For a laptop, centralized user directories and password checking is -a bit troubling. Laptops are typically used also when not connected -to the network, and it is vital for a user to be able to log in or -unlock the screen saver also when a central server is unavailable. -This is possible by caching passwords and directory information (user -and group attributes) locally, and the packages to do so are available -in Debian. Here follow two recipes to set this up in Debian/Squeeze. -It is also possible to set up in Debian/Lenny, but require more manual -setup there because pam-auth-update is missing in Lenny.

- -

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

- -This is the traditional method with a twist. The password caching is -provided by libpam-ccreds (version 10-4 or later is needed on -Squeeze), and the directory caching is done by nscd. The directory -lookup and password checking is done using LDAP. If one want to use -Kerberos for password checking the libpam-ldapd package can be -replaced with libpam-krb5 or libpam-heimdal. If one is happy having a -local home directory with the path listed in LDAP, one can use the -pam_mkhomedir module from pam-modules to make this happen instead of -using libpam-mklocaluser. A setup for pam-auth-update to enable -pam_mkhomedir will have to be written until a fix for -bug #568577 is in the -archive. Because I believe it is a bad idea to have local home -directories using misleading paths like /site/server/partition/, I -prefer to create a local user with the home directory in /home/. This -is done using the libpam-mklocaluser package.

- -

These packages need to be installed and configured

- -
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-
- -

The ldapd packages will ask for LDAP connection information, and -one have to fill in the values that fits ones own site. Make sure the -PAM part uses encrypted connections, to make sure the password is not -sent in clear text to the LDAP server. I've been unable to get TLS -certificate checking for a self signed certificate working, which make -LDAP authentication unsafe for Debian Edu (nslcd is not checking if it -is talking to the correct LDAP server), and very much welcome feedback -on how to get this working.

- -

Because nscd do not have a default configuration fit for offline -caching until bug #485282 -is fixed, this configuration should be used instead of the one -currently in /etc/nscd.conf. The changes are in the fields -reload-count and positive-time-to-live, and is based on the -instructions I found in the -LDAP for Mobile Laptops -instructions by Flyn Computing.

- -
-	debug-level		0
-	reload-count		unlimited
-	paranoia		no
-
-	enable-cache		passwd		yes
-	positive-time-to-live	passwd		2592000
-	negative-time-to-live	passwd		20
-	suggested-size		passwd		211
-	check-files		passwd		yes
-	persistent		passwd		yes
-	shared			passwd		yes
-	max-db-size		passwd		33554432
-	auto-propagate		passwd		yes
-
-	enable-cache		group		yes
-	positive-time-to-live	group		2592000
-	negative-time-to-live	group		20
-	suggested-size		group		211
-	check-files		group		yes
-	persistent		group		yes
-	shared			group		yes
-	max-db-size		group		33554432
-	auto-propagate		group		yes
-
-	enable-cache		hosts		no
-	positive-time-to-live	hosts		2592000
-	negative-time-to-live	hosts		20
-	suggested-size		hosts		211
-	check-files		hosts		yes
-	persistent		hosts		yes
-	shared			hosts		yes
-	max-db-size		hosts		33554432
-
-	enable-cache		services	yes
-	positive-time-to-live	services	2592000
-	negative-time-to-live	services	20
-	suggested-size		services	211
-	check-files		services	yes
-	persistent		services	yes
-	shared			services	yes
-	max-db-size		services	33554432
-
- -

While we wait for a mechanism to update /etc/nsswitch.conf -automatically like the one provided in -bug #496915, the file -content need to be manually replaced to ensure LDAP is used as the -directory service on the machine. /etc/nsswitch.conf should normally -look like this:

- -
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
-
- -

The important parts are that ldap is listed last for passwd, group, -shadow and netgroup.

- -

With these changes in place, any user in LDAP will be able to log -in locally on the machine using for example kdm, get a local home -directory created and have the password as well as user and group -attributes cached. - -

LDAP/Kerberos + nss-updatedb + libpam-ccreds + - libpam-mklocaluser/pam_mkhomedir

- -

Because nscd have had its share of problems, and seem to have -problems doing proper caching, I've seen suggestions and recipes to -use nss-updatedb to copy parts of the LDAP database locally when the -LDAP database is available. I have not tested such setup, because I -discovered sssd.

- -

LDAP/Kerberos + sssd + libpam-mklocaluser

- -

A more flexible and robust setup than the nscd combination -mentioned earlier that has shown up recently, is the -sssd package from Redhat. -It is part of the FreeIPA project -to provide a Active Directory like directory service for Linux -machines. The sssd system combines the caching of passwords and user -information into one package, and remove the need for nscd and -libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version -1.2 do not support netgroups, but it is said that it will support this -in version 1.5 expected to show up later in 2010. Because the -sssd package -was missing in Debian, I ended up co-maintaining it with Werner, and -version 1.2 is now in testing. - -

These packages need to be installed and configured to get the -roaming setup I want

- -
-libpam-sss libnss-sss libpam-mklocaluser
-
- -The complete setup of sssd is done by editing/creating -/etc/sssd/sssd.conf. - -
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-
- -

I got the same problem here with certificate checking. Had to set -"ldap_tls_reqcert = never" to get it working.

- -

With the libnss-sss package in testing at the moment, the -nsswitch.conf file is update automatically, so there is no need to -modify it manually.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

-
-
- - - - Tags: debian edu, english, ldap, nuug. - -
-
-
-

RSS feed
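Review bot: In the sssd.conf sample of the removed post, "ldap_tls_reqcert = never" sits next to "ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt", so the CA bundle is never consulted and the client accepts whatever server answers as "ldap://ldap"; with "auth_provider = ldap" and "cache_credentials = true" that is the host the password is checked against. The post itself calls the equivalent nslcd situation unsafe. If the entry stays reachable elsewhere after dropping off the index, mark the setting in the sample as a temporary workaround and state the intended value (demand, with the site CA in ldap_tls_cacert). The nscd sample deserves a sentence as well: a positive-time-to-live of 2592000 seconds for passwd and group means a removed account or group membership can keep resolving from the cache for up to 30 days.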