tags 656296 patch thanks Hi Debian Edu Developers,here in Kiel the lack of a genuine password sync in Debian Edu has really become some sort of an issue.
I took some time to come up with a solution for Windows and Linux. Windows solution: make password sync work fully in smb.confLinux solution: dpkg-divert original password tool and replace by a wrapper that points the user to using http://www/gosa
Patch is attached. I will wait for feedback by one other D-E developer before committing it to the Debian Edu squeeze branch (=trunk) in Debian Edu SVN.
Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Index: debian/debian-edu-config.postrm =================================================================== --- debian/debian-edu-config.postrm (Revision 0) +++ debian/debian-edu-config.postrm (Revision 0) @@ -0,0 +1,38 @@ +#! /bin/sh +# postrm script for debian-edu-config +# +# see: dh_installdeb(1) +# summary of how this script can be called: +# * <postrm> `remove' +# * <postrm> `purge' +# * <old-postrm> `upgrade' <new-version> +# * <new-postrm> `failed-upgrade' <old-version> +# * <new-postrm> `abort-install' +# * <new-postrm> `abort-install' <old-version> +# * <new-postrm> `abort-upgrade' <old-version> +# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version> +# for details, see /usr/share/doc/packaging-manual/ + +set -e + + +case "$1" in + purge|remove) + if ! dpkg-divert --list | grep passwd.wrapped-by-debian-edu 1>/dev/null 2>/dev/null; then + dpkg-divert --package debian-edu-config --remove /usr/bin/passwd + fi + ;; + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 Index: debian/debian-edu-config.preinst =================================================================== --- debian/debian-edu-config.preinst (Revision 78303) +++ debian/debian-edu-config.preinst (Arbeitskopie) @@ -223,6 +223,10 @@ rm_conffile debian-edu-config /etc/init.d/open-backdoor fi + # wrap around Debian's default passwd tool to point LDAP/Kerberos users to GOsa² as passwd tool + if ! dpkg-divert --list | grep passwd.wrapped-by-debian-edu 1>/dev/null 2>/dev/null; then + dpkg-divert --add --rename --package debian-edu-config --divert /usr/bin/passwd.wrapped-by-debian-edu /usr/bin/passwd + fi ;; esac Index: debian/changelog =================================================================== --- debian/changelog (Revision 78303) +++ debian/changelog (Arbeitskopie) @@ -10,6 +10,8 @@ erase entries of attribute type "memberNisNetgroup" from the NIS netgroup object. Closes: #687256. * Fix smbaddclient.sh, use ,,set +e'' instead of non-bash-syntax ,,unset -e''. + * Fix passwd sync in Samba, point users to using GOsa² for password changes. + (Closes: #656296). -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Mon, 20 Aug 2012 12:31:31 +0200 Index: bin/passwd =================================================================== --- bin/passwd (Revision 0) +++ bin/passwd (Revision 0) @@ -0,0 +1,9 @@ +#!/bin/bash + +if [ `id -u` -ge 1000 ]; then + echo "Please visit https://www/gosa to set your network password for Debian Edu / Skolelinux. THANKS!" +else + passwd.wrapped-by-debian-edu $@ +fi + +exit 0 Eigenschaftsänderungen: bin/passwd ___________________________________________________________________ Hinzugefügt: svn:executable + * Index: etc/samba/smb-debian-edu.conf =================================================================== --- etc/samba/smb-debian-edu.conf (Revision 78303) +++ etc/samba/smb-debian-edu.conf (Arbeitskopie) @@ -95,6 +95,18 @@ # PAM setup obey pam restrictions = no +# passwd sync + + # sync LDAP password + ldap passwd sync = yes + + # sync Kerberos password via kadmin.local + unix password sync = yes + passwd program = /usr/sbin/kadmin.local -q 'cpw %u' + passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n + # dangerous: reveals clear text password in Samba log files... + passwd chat debug = no + # Printer settings load printers = yes @@ -182,10 +194,6 @@ read raw = yes write raw = yes - # make sure samba password changes reach NT+LM hashes, userPassword and Kerberos - pam password change = yes - unix password sync = no - # no offline cache of shares csc policy = disable Index: Makefile =================================================================== --- Makefile (Revision 78303) +++ Makefile (Arbeitskopie) @@ -4,7 +4,8 @@ debian-edu-ldapserver \ debconf-set-selections-edu \ ltsp-arch-debian-edu \ - update-ini-file + update-ini-file \ + passwd SPROGS = cfengine-debian-edu \ debian-edu-fsautoresize \
Attachment:
pgpZPxH8eRfyc.pgp
Description: Digitale PGP-Unterschrift