
Bug#1002014: debian-edu-config: Kerberos host principals change far too often



Package: debian-edu-config
Version: 2.12.14
Severity: important

Currently, with every edit operation on a GOsa² system, the host (and nfs) principal(s) of that host get updated (changed). This is especially problematic if you use krb5i-based NFS across a school site from various workstations.

The problem is that whenever some admin edits a host in GOsa², this host will lose NFS connectivity to /srv/nfs/home0 until the /etc/krb5.keytab has been updated on that client host. This is hardly maintainable.

The underlying reason is in the gosa-modify-host hook script. The script runs add_principal for host/<client> and nfs/<client> after every save operation on a GOsa² system. We need to check here if those Kerberos principals already exist, and only if not, add those principals.

This has been discussed with Wolfgang Schweer on IRC...

22:03 < sunweaver> as mentioned yesterday, I played with krb5i and diskless workstation quite a bit yesterday.
22:03 < sunweaver> I basically managed to get a Debian Edu 10 and 11 DLW (diskless workstation) running against a Debian Edu 11 TJENER.
22:03 < sunweaver> However...
22:04 < sunweaver> Whenever I edit either the client or the TJENER in GOsa, the principal gets updated in krb5-ldap and my krb5.keytab becomes invalid.
22:05 < schweer> hm, then the keytab needs to be updated, too.
22:05 < sunweaver> This is happening in gosa-modify-host which simply runs an add_principal for that host.
22:05 < schweer> yes.
22:05 < sunweaver> I was wondering, if this gosa-modify-host way-of-doing-things is intentional.
22:05 < schweer> yes, intentional, but obviously suboptimal
22:05 < sunweaver> because, I'd rather check if the host (and nfs) principals exist in krb5-ldap and only create them if they don't exist.
22:06 < schweer> good idea
22:06 < sunweaver> because then, the principals won't change that often as they do now.
22:06 < sunweaver> and krb5.keytab files stay valid
22:06 < sunweaver> I'll propose a patch, then.
22:07 < schweer> feel free to improve gosa-modify-host
22:07 < sunweaver> will do, np.
22:07 < schweer> just commit that change
22:07 < sunweaver> (you provided great work, however, I'll do a little QA over the next couple of days, if ok).
22:08 < schweer> very appreciated

I'll propose a patch for this, which will then need to be integrated into the next Debian 11 point release.

light+love
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpX9V17AssKA.pgp
Description: Digital PGP signature
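The check the report asks for (create host/ and nfs/ principals only when they are missing, so an existing keytab stays valid), sketched here as an added example; this is not the debian-edu-config gosa-modify-host hook itself. It assumes an MIT kadmin.local with the krb5-ldap backend, that the hook receives the client's FQDN as its first argument, and that kadmin.local's exit status cannot be trusted for a missing principal, so existence is judged by the "Principal:" line get_principal prints. KADMIN is overridable so the logic can be exercised without a KDC.

```shell
#!/bin/sh
# Added example: idempotent creation of Kerberos host principals.
# Assumption: KADMIN points at kadmin.local (overridable for testing).
KADMIN="${KADMIN:-kadmin.local}"

# Returns 0 if the principal is already in the KDC database.
# get_principal prints "Principal: <name>@<REALM>" on success and only
# an error on stderr otherwise, so grep for the success line.
principal_exists() {
    "$KADMIN" -q "get_principal $1" 2>/dev/null | grep -q '^Principal: '
}

# Creates the principal with a fresh random key only when it does not
# exist yet; an existing principal (and every keytab holding its key)
# is left untouched.
ensure_principal() {
    if principal_exists "$1"; then
        echo "keeping existing principal $1"
        return 0
    fi
    "$KADMIN" -q "add_principal -randkey $1" >/dev/null 2>&1 &&
        echo "created principal $1"
}

# The two principals the report names, for one client FQDN.
ensure_host_principals() {
    ensure_principal "host/$1"
    ensure_principal "nfs/$1"
}

# Usage: gosa-modify-host-check.sh <client-fqdn>  (argument is an assumption)
if [ $# -ge 1 ]; then
    ensure_host_principals "$1"
fi
```

Running the hook twice for the same client then creates the principals once and reports "keeping existing principal" afterwards, which is exactly the behaviour that keeps /etc/krb5.keytab on the workstation valid across later GOsa² edits.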
