Re: Thoughts on roaming laptop setup for Debian Edu
[Petter Reinholdtsen]
> I believe all the pieces to implement this are in Debian/testing at
> the moment.
I started on this, and here is a draft (untested) patch to implement
the new profile option, ask for a username, create a local user for it
based on information found in LDAP, and set up libpam-ccreds and
sudo. I hope to find time to test it in the next few days, and to find
solutions for the missing pieces. If you want to help out, please
join me on IRC. :)
Index: debian/debian-edu-profile-udeb.templates
===================================================================
--- debian/debian-edu-profile-udeb.templates (revision 63786)
+++ debian/debian-edu-profile-udeb.templates (working copy)
@@ -5,7 +5,7 @@
Template: debian-edu-install/profile
Type: multiselect
-__Choices: Main-Server, Workstation, Thin-Client-Server, Standalone
+__Choices: Main-Server, Workstation, Roaming workstation, Thin-Client-Server, Standalone
_Description: Profile(s) to apply to this machine:
Profiles determine how the machine can be used out-of-the-box:
.
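Review bot: The new choice value on line 19, `Roaming workstation`, is what debconf stores in debian-edu-install/profile, but the description on line 27 and the `Roaming-Workstation)` arm added to check_profiles spell it with a hyphen and a capital W; debconf values are compared literally, so selecting the profile would never set roaming=true. Use one spelling, `Roaming-Workstation`, in the Choices line, the description and the case arm. The description text also has "some times" where "sometimes" is meant.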
@@ -14,6 +14,8 @@
should only be one such server on a Debian Edu
network.
- Workstation: for normal machines on the Debian Edu network.
+ - Roaming-Workstation: for single user machines on the Debian Edu
+ network which some times travel outside the network.
- Thin-Client-Server:
includes 'Workstation' and requires two network
cards.
@@ -25,7 +27,7 @@
Type: multiselect
#flag:translate!:6
#__Choices: Main-Server, Workstation, Thin-Client-Server, Standalone, Minimal, Sugar
-__Choices: Main-Server, Workstation, Thin-Client-Server, Standalone, Minimal
+__Choices: Main-Server, Workstation, Roaming-workstation, Thin-Client-Server, Standalone, Minimal
#flag:comment:3
## Translators, do not translate "Sugar"
_Description: Profile(s) to apply to this machine:
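Review bot: The second Choices list on line 37 spells the value `Roaming-workstation` with a lower-case w, which matches neither the first list (`Roaming workstation`) nor the `Roaming-Workstation)` case arm in check_profiles; since the stored value is the literal Choices string, the arm will not match. Make it `Roaming-Workstation` here and in the other list so all three agree.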
@@ -36,6 +38,8 @@
should only be one such server on a Debian Edu
network.
- Workstation: for normal machines on the Debian Edu network.
+ - Roaming-Workstation: for single user machines on the Debian Edu
+ network which some times travel outside the network.
- Thin-Client-Server:
includes 'Workstation' and requires two network
cards.
@@ -89,6 +93,12 @@
Type: text
_Description: Participate in the package usage survey?
+Template: debian-edu-install/primary-user
+Type: text
+_Description: User name of local user:
+ The roaming workstation profile is tied to a network user which is
+ given a local user .
+
Template: debian-edu-install/participate-popcon
Type: boolean
_Description: Participate in the package usage survey?
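Review bot: The new primary-user template on lines 53–57 is `Type: text`, which debconf treats as a display-only note, so the db_input in ask_for_primary_user cannot collect a value and db_get will only ever return the empty default. It should be `Type: string`. The description also carries a stray space before the full stop; something like `The roaming workstation profile is tied to a network user, which is also created as a local user on this machine.` reads better and tells the user what the name is used for.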
Index: debian-edu-profile
===================================================================
--- debian-edu-profile (revision 63786)
+++ debian-edu-profile (working copy)
@@ -93,10 +93,24 @@
fi
}
+ask_for_primary_user() {
+ RET=""
+ db_input critical "debian-edu-install/primary-user" || true
+ log "Fetch primary user name"
+ db_go || true
+ db_get "debian-edu-install/primary-user" || true
+ if test "$RET" ; then
+ log "username $RET"
+ elif test "$RET" = false ; then
+ log "no username specified!"
+ fi
+}
+
check_profiles() {
preseed=
#if a value is unset it breaks the case esac later on
workstation=false
+ roaming=false
ltspserver=false
server=false
networked=false
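Review bot: In ask_for_primary_user the `elif test "$RET" = false` branch on line 77 can never run: an empty RET fails both tests, and a literal "false" is already caught by the first one, so the "no username specified!" log is dead code. Replace it with a plain `else`. Since pre-pkgsel later splices this value unescaped into an LDAP filter, adduser arguments and a sudoers entry, it would also be worth rejecting anything that is not a plain POSIX user name at this point, e.g. `case "$RET" in ''|-*|*[!a-z0-9_.-]*) log "invalid username '$RET'" ;; esac` (hedged: adjust the character class to whatever the site's LDAP user names allow).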
@@ -111,6 +125,12 @@
workstation=true
log "Added task '$value'"
;;
+ Roaming-Workstation)
+ networked=true
+ workstation=true
+ roaming=true
+ log "Added task '$value'"
+ ;;
Thin-Client-Server)
networked=true
workstation=true
@@ -177,6 +197,12 @@
check_profiles
done
+if test true = "$roaming ; then
+ ask_for_primary_user
+else
+ db_set "debian-edu-install/primary-user" ""
+fi
+
# Make sure the default values have this priority, with lower number
# priority overriding higher number
# 1 main-server
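Review bot: The test on line 106 is missing its closing double quote (`"$roaming ;`), so the shell will hit a syntax error and the whole profile step aborts before anything runs; it should read `if test true = "$roaming" ; then`. The loop that calls check_profiles starts outside this hunk, so I could not check whether $roaming is also reset between iterations.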
Index: pre-pkgsel
===================================================================
--- pre-pkgsel (revision 63786)
+++ pre-pkgsel (working copy)
@@ -89,3 +89,60 @@
# Clean up file added in base-installer-late, now that
# debian-edu-config is installed (pulled in via debian-edu-install).
rm -f /target/etc/apt/apt.conf.d/90squid-di
+
+edu-etcvcs commit
+
+if db_get debian-edu-install/primary-user && [ "$RET" ] ; then
+ # Roaming profile enabled. Look up primary user in LDAP, create
+ # it and give it sudo acces.
+ PRIMARYUSER="$RET"
+ apt-install ldap-utils libpam-ccreds sudo
+
+ ldapbase="dc=skole,dc=skolelinux,dc=no"
+ ldapserver=ldap
+ ldifuser=/tmp/primary-user-ldap.ldif
+ ldifgroup=/tmp/primary-group-ldap.ldif
+ # Can not use in-target, because it redirects stdout to the syslog
+ chroot /target ldapsearch -x -b $ldapbase -h $ldapserver \
+ "(&(objectClass=posixAccount)(uid=$PRIMARYUSER))" > $ldifuser
+ uid="$(grep '^uidNumber:' $ldifuser | cut -d: -f2 | sed 's/^ //')"
+ gid="$(grep '^gidNumber:' $ldifuser | cut -d: -f2 | sed 's/^ //')"
+ gecos="$(grep '^gecos:' $ldifuser | cut -d: -f2 | sed 's/^ //')"
+ remotehome="$(grep '^homeDirectory:' $ldifuser | cut -d: -f2 | sed 's/^ //')"
+
+ chroot /target ldapsearch -x -b $ldapbase -h $ldapserver \
+ "(&(objectClass=posixGroup)(gidNumber=$gid))" > $ldifgroup
+ groupname="$(grep '^cn:' $ldifgroup | cut -d: -f2 | sed 's/^ //')"
+
+ in-target addgroup --gid "$gid" "$groupname"
+ in-target adduser --uid "$uid" --gid "$gid" --gecos "$gecos" \
+ --disabled-password "$PRIMARYUSER"
+
+ echo "$PRIMARYUSER ALL=(ALL) ALL" >> /target/etc/sudoers.d/primaryuser
+
+ # Activate cached credentials (offline password checking) while we
+ # wait for #566718 to be fixed.
+ cat > /target/usr/share/pam-configs/ccreds-check <<EOF
+Name: Ccreds credential caching - password checking
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_ccreds.so action=validate use_first_pass
+ [default=ignore] pam_ccreds.so action=update
+EOF
+EOF
+ cat > /target/usr/share/pam-configs/ccreds-save <<EOF
+Name: Ccreds credential caching - password saving
+Default: yes
+Priority: 512
+Auth-Type: Additional
+Auth:
+ optional pam_ccreds.so action=store
+EOF
+
+ # Update PAM configuration
+ in-target pam-auth-update --package
+
+ edu-etcvcs commit
+fi
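Review bot: Everything this hunk feeds into addgroup, adduser and sudoers — uidNumber, gidNumber, cn and gecos — comes from an anonymous, unencrypted `ldapsearch -x -h ldap` on lines 137–146, and $PRIMARYUSER is spliced unescaped into the search filter, so a spoofed or crafted answer (or a name such as `*`) could create a local account with uid 0 or a chosen group and hand it `ALL=(ALL) ALL` sudo. Before calling addgroup/adduser, require exactly one entry, check that uid and gid are numeric and above the system range (1000 is assumed below; confirm against adduser.conf), refuse user names that are not plain POSIX names, and create the sudoers.d drop-in with mode 0440 instead of appending under the default umask, since sudo expects drop-ins to be root-owned and not more permissive than that. Line 165 is a stray second `EOF` that will be executed as a command once the first here-document closes on line 164 and should be deleted. Note too that ldapsearch base64-encodes non-ASCII values as `gecos::`, which the `grep '^gecos:'` pattern silently misses.
```shell
  PRIMARYUSER="$RET"
  # Only plain POSIX user names: the value ends up in an LDAP filter,
  # adduser arguments and a sudoers entry.
  case "$PRIMARYUSER" in
    ''|-*|*[!a-z0-9_.-]*)
      echo "pre-pkgsel: refusing invalid primary user name '$PRIMARYUSER'" >&2
      exit 1 ;;
  esac
  # … unchanged: apt-install, ldapsearch for the user entry, uid/gid/gecos/remotehome extraction …
  # The lookup is anonymous and unencrypted, so treat the answer as
  # untrusted: exactly one entry, numeric ids outside the system range.
  if [ "$(grep -c '^dn:' "$ldifuser")" != 1 ]; then
    echo "pre-pkgsel: user '$PRIMARYUSER' not found or ambiguous in LDAP" >&2
    exit 1
  fi
  for id in "$uid" "$gid"; do
    case "$id" in
      ''|*[!0-9]*) echo "pre-pkgsel: non-numeric id '$id' from LDAP" >&2; exit 1 ;;
    esac
    # TODO confirm FIRST_UID/FIRST_GID from /etc/adduser.conf on Debian Edu
    if [ "$id" -lt 1000 ]; then
      echo "pre-pkgsel: refusing system-range id $id for '$PRIMARYUSER'" >&2
      exit 1
    fi
  done
  # … unchanged: group lookup and cn extraction …
  [ -n "$groupname" ] || { echo "pre-pkgsel: no group with gidNumber $gid in LDAP" >&2; exit 1; }
  # … unchanged: addgroup / adduser …
  # sudo wants drop-ins root-owned and mode 0440; do not rely on the umask.
  echo "$PRIMARYUSER ALL=(ALL) ALL" > /target/etc/sudoers.d/primaryuser
  chmod 0440 /target/etc/sudoers.d/primaryuser
  # … unchanged: pam-configs here-documents (drop the stray second EOF), pam-auth-update, edu-etcvcs commit …
```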
Happy hacking,
--
Petter Reinholdtsen