Your message dated Mon, 28 Mar 2016 18:49:03 +0000 with message-id <E1akcDn-0007K8-NJ@franck.debian.org> and subject line Bug#798435: fixed in debian-edu-config 1.819 has caused the Debian Bug report #798435, regarding gosa-sync breaks password changes on non-Kerberized accounts to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
798435: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798435
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: gosa-sync breaks password changes on non-Kerberized accounts
- From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
- Date: Wed, 09 Sep 2015 10:27:18 +0000
- Message-id: <20150909102718.Horde.caSdBEtAwxc5joZsAoRcyA1@mail.das-netzwerkteam.de>
Package: debian-edu-config
Severity: important
Version: 1.818
Tags: patch

Hi all,

we have started creating non-POSIX / non-Kerberos accounts on a Debian Edu main server and stumbled over a slight flaw in debian-edu-config's gosa-sync script (password change hook).

The hook script tries to change the password of the underlying Kerberos principal. It does this always, even if the account to-be-updated is not a Kerberos account.

By default, we only turn POSIX accounts into Kerberos accounts (which is a sensible default). This should be honoured by the gosa-sync script as seen in the below patch (also attached to this mail):

"""
--- gosa-sync.orig 2015-09-09 11:41:11.000000000 +0200 +++ gosa-sync 2015-09-09 12:19:36.703718246 +0200 @@ -17,6 +17,15 @@ USERDN="$1" USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`+# check if the given user account has the Kerberos principal objectClass set... +is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"`+if [ -z "$is_krbprincipal" ]; then + + # if not, simply bail out here without noise... + exit 0 + +fi + ## The new user password is in environment, $USERPASSWORD. ## Check if provided password corresponds to hash saved in ldap database:
"""

It would be nice to get this fixed in Debian Edu jessie...

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

--- gosa-sync.orig 2015-09-09 11:41:11.000000000 +0200 +++ gosa-sync 2015-09-09 12:19:36.703718246 +0200 
@@ -17,6 +17,15 @@ USERDN="$1" USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"` +# check if the given user account is has the Kerberos principal objectClass set... +is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"` +if [ -z "$is_krbprincipal" ]; then + + # if not, simply bail out here without noise... + exit 0 + +fi + ## The new user password is in environment, $USERPASSWORD. ## Check if provided password corresponds to hash saved in ldap database:
Attachment: pgpNWKwc6I9fT.pgp
Description: Digital PGP signature
--- End Message ---
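Review bot: in the added `is_krbprincipal=` line, `${USERID}` is interpolated into the LDAP filter without escaping, so a uid containing `*`, `(`, `)` or `\` changes what the filter matches, and if the `sed` on the context line above does not match (a DN that does not start with `uid=`), the whole DN ends up inside the filter. The hook already receives the entry's DN in `$1`, so a base-scope read of that one entry avoids building a filter from account data and cannot match a second entry that happens to share the uid, for example `ldapsearch -LLL -x -s base -b "$USERDN" "(objectClass=krbPrincipalAux)" 1.1`. Separately, the `-z "$is_krbprincipal"` test treats a failed search (server unreachable, bind refused) the same as "not a Kerberos account" and exits 0 without noise, which would leave the Kerberos password unchanged with no trace; checking the exit status of `ldapsearch` and logging before bailing out would keep that case visible.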
--- Begin Message ---
- To: 798435-close@bugs.debian.org
- Subject: Bug#798435: fixed in debian-edu-config 1.819
- From: Petter Reinholdtsen <pere@debian.org>
- Date: Mon, 28 Mar 2016 18:49:03 +0000
- Message-id: <E1akcDn-0007K8-NJ@franck.debian.org>
Source: debian-edu-config
Source-Version: 1.819

We believe that the bug you reported is fixed in the latest version of debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 798435@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 28 Mar 2016 18:26:23 +0000
Source: debian-edu-config
Binary: debian-edu-config
Architecture: source
Version: 1.819
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 debian-edu-config - Configuration files for Skolelinux systems
Closes: 621787 722937 766192 785467 792042 793678 794000 794189 794602 798435 800651 801741 803911 804207 805402 815040
Changes:
 debian-edu-config (1.819) unstable; urgency=medium
 .
   [ Petter Reinholdtsen ]
   * Translation updates:
     - Updated Brazilian Portuguese translation for debconf questions
       (Closes: #785467). Translated by Adriano Rafael Gomes.
   * Remove workaround for bug #585966 in init.d/fetch-ldap-cert, now that
     we no longer use pdns.
   * Replace 'jessie' with 'stretch' everywhere to prepare for the next
     release.
   * Split the setup of the diskless workstation environment in LTSP into
     three parts to get some more progress bar movement during installation.
 .
   [ Mike Gabriel ]
   * Add quotes around DNs when evoking kadmin.local in gosa-create and
     gosa-create-host. (Closes: #792042).
   * WoL for Debian Edu clients: Make shutdown and wake-up procedure of
     Debian Edu clients configurable separately. (Closes: #801741).
     We now have four NIS netgroups available that allow configuration of
     wake-up and shutdown behaviour:
     - shutdown-at-night-hosts: hosts to wake-up and shutdown.
     - no-shutdown-at-night-hosts: blacklist of hosts not to wake-up nor to
       shutdown.
     - wakeup-in-the-morning-hosts: hosts to wake-up in the morning,
       overrides hostlist given via shutdown-at-night-hosts NIS netgroup,
       this also expects host blacklisting to be handled via the below NIS
       netgroup.
     - no-wakeup-in-the-morning-hosts: blacklist of hosts that are not to be
       woken up in the morning.
   * shutdown-at-night/client-generator: Use same NIS netgroup "namespace"
     for all shutdown-at-night NIS netgroups:
     - shutdown-at-night-hosts (unchanged)
     - shutdown-at-night-hosts-blacklist (renamed)
     - shutdown-at-night-wakeup-hosts (renamed)
     - shutdown-at-night-wakeup-hosts-blacklist (renamed)
   * Chmod a+x on all scripts in share/debian-edu-config/tools/.
   * debian-edu-fsautoresize: Always use mapper names instead of kernel
     names when detecting supported mount points. (Closes: #800651). Thanks
     to Wolfgang Schweer and Giorgio Pioda.
   * gosa-sync: Test if a given user account actually is a Kerberos account.
     If not, don't try to set the Kerberos password for this account.
     (Closes: #798435).
   * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000).
   * Drop deprecated README.ldap file. (Closes: #621787).
   * exim4 mainserver configuration: Allow Debian Edu clients on the default
     Debian Edu network to directly send mails to the main server (by
     whitelisting the 10./8 network). This fixes console mailing and system
     mails on Debian Edu clients (Closes: #794602).
   * Following Holger Levsen's suggestion about dropping
     share/debian-edu-config/tools/qemu-test-network. (Closes: #766192).
   * Remove qemu-test-network from Makefile. Fix FTBFS of d-e-c.
   * debian/debian-edu-config.postrm:
     + Remove directory /var/lib/dovecot (which we create in d-e-c.postinst),
       if empty (Closes: #722937).
   * Set configVersion="Managed-by-Debian-Edu" in gosa.conf.
     (Closes: #794189). This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to
     be installed on the main server.
   * Add LDAP posixGroup "printer-admins" to LDAP bootstrap and make this
     group the system group in CUPS. (Closes: #793678).
   * Apache2+LDAP: Add /etc/apache2/include/debian-edu-ldapauth.inc
     containing a working include block that eases setting up LDAP
     authentication in Apache2.
   * Create shutdown-at-night-wakeup-hosts-blacklist NIS netgroup during
     LDAP bootstrap.
   * etc/gosa/gosa.conf: Typo fix in comment.
   * LDAP bootstrap: Create generic host (CNAME record for tjener)
     ipp.intern.
   * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
     for hosts being in the .local domain. (Closes: #803911).
   * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking.
     These hook scripts (gosa-lock-user, gosa-unlock-user) take care of
     locking/unlocking the Kerberos part of user accounts.
     (Closes: #804207).
   * Adapt to a code injection prevention fix in GOsa (starting with Debian
     package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the
     sambaHashHook parameter in gosa.conf anymore (as hashed passwords now
     have to be base64 encoded). Already existing gosa.conf files on
     deployed servers should drop the sambaHashHook from the gosa.conf file,
     as well, once gosa is updated to the above referenced GOsa version.
   * CUPS: Do hostname lookups, so https redirects are done to the FQDN of
     the CUPS server instead of to its IP address. (Closes: #805402).
   * Improve gosa-lock-user, gosa-unlock-user: When logging success/failure,
     differentiate between non-existent and non-kerberized accounts.
   * Don't create home dir and Kerberos principal for GOsa user template
     account. (Closes: #815040).
   * shutdown-at-night/clients-generator: Empty NIS netgroups for
     s-a-n-wakeup-hosts and s-a-n-wakeup-hosts-blacklists are now recognized
     as empty lists. Thus, all systems can be blocked from waking-up by
     placing an empty NIS netgroup s-a-n-wakeup-hosts into LDAP.
--- End Message ---