
Bug#656296: Patch for password syncing between LDAP/Kerberos/Samba in Debian Edu



tags 656296 patch
thanks

Hi Debian Edu Developers,

Here in Kiel the lack of a genuine password sync in Debian Edu has really become some sort of an issue.

I took some time to come up with a solution for Windows and Linux.

Windows solution: make password sync work fully in smb.conf
Linux solution: dpkg-divert original password tool and replace by a wrapper that points the user to using http://www/gosa

Patch is attached. I will wait for feedback by one other D-E developer before committing it to the Debian Edu squeeze branch (=trunk) in Debian Edu SVN.

Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Index: debian/debian-edu-config.postrm
===================================================================
--- debian/debian-edu-config.postrm	(Revision 0)
+++ debian/debian-edu-config.postrm	(Revision 0)
@@ -0,0 +1,38 @@
+#! /bin/sh
+# postrm script for debian-edu-config
+#
+# see: dh_installdeb(1)
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see /usr/share/doc/packaging-manual/
+
+set -e
+
+
+case "$1" in
+	purge|remove)
+		if ! dpkg-divert --list | grep passwd.wrapped-by-debian-edu 1>/dev/null 2>/dev/null; then
+			dpkg-divert --package debian-edu-config --remove /usr/bin/passwd
+		fi
+		;;
+	upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+		;;
+	*)
+		echo "postrm called with unknown argument \`$1'" >&2
+		exit 0
+		;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
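
Review bot: The guard in the purge|remove branch is inverted: `if ! dpkg-divert --list | grep passwd.wrapped-by-debian-edu` runs the `--remove` only when no such diversion is listed, so an existing diversion is never removed and the real tool stays at /usr/bin/passwd.wrapped-by-debian-edu after the package is gone. Drop the `!`. The preinst adds the diversion with `--rename`, but the removal here has no `--rename`, so please check that the real binary is actually moved back on the dpkg version in squeeze.
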
Index: debian/debian-edu-config.preinst
===================================================================
--- debian/debian-edu-config.preinst	(Revision 78303)
+++ debian/debian-edu-config.preinst	(Arbeitskopie)
@@ -223,6 +223,10 @@
 	rm_conffile debian-edu-config /etc/init.d/open-backdoor
     fi
 
+    # wrap around Debian's default passwd tool to point LDAP/Kerberos users to GOsa² as passwd tool
+    if ! dpkg-divert --list | grep passwd.wrapped-by-debian-edu 1>/dev/null 2>/dev/null; then
+	dpkg-divert --add --rename --package debian-edu-config --divert /usr/bin/passwd.wrapped-by-debian-edu /usr/bin/passwd
+    fi
     ;;
 esac
 
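
Review bot: The existence check on the `if ! dpkg-divert --list | grep passwd.wrapped-by-debian-edu` line matches an unanchored pattern against the whole diversion list, so any entry containing that string, from any package, suppresses the add. Querying the specific path, for example `dpkg-divert --list /usr/bin/passwd`, and using `grep -q` instead of the two redirections would be tighter. The added comment could also state that /usr/bin/passwd is setuid root and is being renamed, since that is what an administrator will notice first.
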
Index: debian/changelog
===================================================================
--- debian/changelog	(Revision 78303)
+++ debian/changelog	(Arbeitskopie)
@@ -10,6 +10,8 @@
     erase entries of attribute type "memberNisNetgroup" from the NIS netgroup
     object. Closes: #687256.
   * Fix smbaddclient.sh, use ,,set +e'' instead of non-bash-syntax ,,unset -e''.
+  * Fix passwd sync in Samba, point users to using GOsa² for password changes.
+    (Closes: #656296).
 
  -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de>  Mon, 20 Aug 2012 12:31:31 +0200
 
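
Review bot: The new entry only says "point users to using GOsa² for password changes" and does not mention that the package now diverts /usr/bin/passwd and installs a wrapper in its place, which is the change an administrator most needs to find in the changelog. Suggest naming the diversion explicitly. The closing tag is written "(Closes: #656296)." while the entry above uses "Closes: #687256." without parentheses; pick one form.
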
Index: bin/passwd
===================================================================
--- bin/passwd	(Revision 0)
+++ bin/passwd	(Revision 0)
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ `id -u` -ge 1000 ]; then
+	echo "Please visit https://www/gosa to set your network password for Debian Edu / Skolelinux. THANKS!"
+else
+	passwd.wrapped-by-debian-edu $@
+fi
+
+exit 0
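
Review bot: The wrapper always ends in `exit 0`, so in the `-ge 1000` branch a caller is told the password change succeeded when nothing was changed, and in the else branch any failure of the real tool is swallowed. Exit non-zero after printing the notice, and make the else body `exec /usr/bin/passwd.wrapped-by-debian-edu "$@"`: the quoted `"$@"` keeps arguments intact (the unquoted `$@` re-splits them) and the absolute path avoids a PATH lookup when root runs it. The UID test also catches local accounts with UID 1000 or higher that are not in LDAP/Kerberos, leaving them no way to change their own password. The message prints https://www/gosa while the mail says http://www/gosa. Nothing here needs bash, so `#!/bin/sh` with `$(id -u)` would do.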

Eigenschaftsänderungen: bin/passwd
___________________________________________________________________
Hinzugefügt: svn:executable
   + *

Index: etc/samba/smb-debian-edu.conf
===================================================================
--- etc/samba/smb-debian-edu.conf	(Revision 78303)
+++ etc/samba/smb-debian-edu.conf	(Arbeitskopie)
@@ -95,6 +95,18 @@
 # PAM setup
    obey pam restrictions = no 
 
+# passwd sync
+
+   # sync LDAP password
+   ldap passwd sync = yes 
+
+   # sync Kerberos password via kadmin.local
+   unix password sync = yes
+   passwd program = /usr/sbin/kadmin.local -q 'cpw %u'
+   passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n
+   # dangerous: reveals clear text password in Samba log files...
+   passwd chat debug = no
+
 # Printer settings
 
    load printers = yes
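
Review bot: On the `passwd program` line, `%u` is substituted into a single-quoted kadmin query that runs through kadmin.local, which has direct access to the KDC database, so please confirm that a user name cannot contain a quote or whitespace by the time it reaches this line, and note in a comment that this only works when Samba runs on the KDC host. The `passwd chat` string depends on kadmin's exact English prompts, so a locale or version change breaks the sync; that deserves a comment too. The comment above `passwd chat debug = no` reads as if the line below it were the dangerous one; wording such as "keep this off: yes writes clear text passwords to the Samba log" is clearer.
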
@@ -182,10 +194,6 @@
    read raw = yes
    write raw = yes
 
-   # make sure samba password changes reach NT+LM hashes, userPassword and Kerberos 
-   pam password change = yes
-   unix password sync = no
-
    # no offline cache of shares
    csc policy = disable
 
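
Review bot: Nothing in the patch explains why `pam password change = yes` did not achieve what its removed comment promised (changes reaching the NT+LM hashes, userPassword and Kerberos), and with the line deleted the setting silently falls back to Samba's default. A one-line rationale in the new "# passwd sync" block or in the changelog would help. Removing `unix password sync = no` here is needed, since the option is now set to yes in the earlier block and should not be defined twice in the file.
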
Index: Makefile
===================================================================
--- Makefile	(Revision 78303)
+++ Makefile	(Arbeitskopie)
@@ -4,7 +4,8 @@
 	debian-edu-ldapserver \
 	debconf-set-selections-edu \
 	ltsp-arch-debian-edu \
-	update-ini-file
+	update-ini-file \
+	passwd
 
 SPROGS = cfengine-debian-edu \
 	debian-edu-fsautoresize \
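
Review bot: The install directory for the list that gains `passwd` is not visible in this hunk, but the preinst diverts /usr/bin/passwd specifically, so the wrapper must land in /usr/bin to take the diverted file's place; please confirm that is where this list installs. If it installs elsewhere, users get either no passwd command at that path or a wrapper that shadows the real tool only by PATH order.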
