how to proceed with edu-squeeze changes
there are a couple of changes planned for our debian-edu squeeze
version, and I would like to start a discussion on how to proceed with
what has been done already and what still needs more work or should be
First, let's list some targets that come to my mind:
* roaming workstations/laptops
Petter is implementing the roaming workstations, I cannot comment on
that. (But as Petter is in charge of that I assume it'll work:)).
I mostly worked on the implementation of kerberos and gosa, and would
like to give an overview of what has been done so far.
Gosa and kerberos are closely related, because without the ability do
it gets hard to test any authentication method.
Let's start with kerberos. With the current svn d-e-config package you
should get a kerberos KDC out of the box during install. I could not
test this during install, but by running the script
ldap-debian-edu-install from the d-e-config package which configures
the KDC, I tried to test anything as far as possible.
After you have the KDC running, you need some user principals. I used
gosa and its post-create hooks to do that. Unfortunately the gosa
packages are still missing in the debian repos; I was promised on
freenode #gosa irc today that they will be ready by the middle of next week, but
that's probably something not to rely on too much. (But I think we can
rely on the packages being available sooner or later).
With the package(s) from http://oss.gonicus.de/pub/gosa/debian-lenny/
everything looks and works well enough to get an idea and look out for
things to polish later.
On the way to a perfect user creation I tested the mail
system. Usually, a mail is sent to any newly created user. There are
only minor changes necessary to exim4 to send the mail with the
current gosa/kerberos setup, but our imap server courier has no
gssapi authorization available to be used with kerberos. So after some
feedback/discussion in this thread:
I suggest replacing courier with dovecot. (I already tested a draft
install, it seems to work fine with gssapi (no password needed,
kerberos service ticket is used :), just the permissions/owners of our
/var/mail/foobar maildirs have to be adapted iirc).
So that's the current status from my point of view. What needs to be
done now? I think we have to make one decision, the sooner the better:
Do we want to continue on that path with kerberos/gosa, or are there any
If we decide to move on, then we should try to do some wider testing
during install and make the changes available on the nolocal-dvd.
If testing is positive we need to (aside from minor fixes/improvements):
* implement kerberos user authentication for all machines (probably
minor changes, just some kerberos packages + client config)
* implement nfs4/afs whatever with kerberos
* implement machine principals (in lwat you could add machines to
allow them access to services, with kerberos you need machine
principals and a keytab entry on the machine accessing that service)
* we need something to replace/add netgroups (shutdown-at-night etc.) in gosa
I guess the hardest bit is the distribution of keytabs and the
creation of machine principals. It can be done automatically if you
install via pxe over the network, but adding a machine later might
need to scp a keytab to the specific machine and create the principal
(gosa add-dhcp-machine hook?)...
There's probably some more on the way.
To conclude: All in all it's quite a big step but I think it paves the
way for an improved, more easily maintainable and future-oriented
setup. And I do not see any means to achieve the same goal in smaller
What do you think?
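The machine-principal point above (every client needs a keytab entry for the service it accesses) implies a check that should run after keytabs are distributed: does the file on the workstation actually contain the expected principal, and at which kvno? The following is an added example, not code from the Debian Edu project; it parses the MIT keytab v2 on-disk format directly so it runs without krb5 tools, builds its own constructed sample keytab, and uses placeholder hostnames/realm (ws01.example.org, EXAMPLE.ORG) that are assumptions.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
def _cstr(b):                       # keytab counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b
def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as an MIT v2 keytab (constructed test data)."""
    out = b"\x05\x02"
    for princ, enctype, kvno, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
def parse_keytab(data):
    """Return [{principal, enctype, kvno}] for every live entry; key bytes are never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size < 0:                  # negative size marks a deleted slot: skip it
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c)
        vno8, enctype, klen = struct.unpack_from(">BHH", data, pos + 8)  # after name_type, timestamp
        pos += 13 + klen              # skip to the optional 32-bit kvno
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "kvno": kvno})
        pos = end
    return entries
def has_service_principal(data, service, fqdn, realm):
    return any(e["principal"] == f"{service}/{fqdn}@{realm}" for e in parse_keytab(data))

# Constructed sample: a workstation keytab holding a host principal and an nfs principal
SAMPLE = build_keytab([("host/ws01.example.org@EXAMPLE.ORG", 18, 3, b"\x00" * 32),
                       ("nfs/ws01.example.org@EXAMPLE.ORG", 18, 1, b"\x11" * 32)])
```

On a real client, read /etc/krb5.keytab into `data` and compare the reported kvno with what the KDC currently has; a stale kvno after a principal was re-created is the usual reason a machine silently stops authenticating.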