
Bug#1008166: bullseye-pu: package debian-edu-config/2.11.56+deb11u4



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-edu@lists.debian.org

[ Reason ]
While setting up a new Debian Edu school in Dec/Jan 2021/2022, several
issues popped up in Debian Edu 11 that have now been resolved in Debian
Edu testing/unstable, and we would love to see many of the fixes available
in Debian Edu 11 as well.


[ Impact ]
For Debian Edu, the proposed 2.11.56+deb11u4 version of debian-edu-config
will provide many problem solutions for issues that have been encountered
with the current version of debian-edu-config (main package for Debian
Edu 11).


[ Tests ]
(What automated or manual tests cover the affected code?)


[ Risks ]
For non-Debian-Edu users there will be no risk, at all. For Debian Edu
users new issues may be introduced (hopefully not!), esp. due to the
large number of fixes provided / code changes shipped in 2.11.56+deb11u4.


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


[ Changes ]

+  [ Wolfgang Schweer ]
+  * etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal
+    network sent to root@<mynetwork-names>. (Closes: #1003727).

-> TJENER's mainserver is configured as a local MTA collecting system mails
from Debian Edu clients. Such mails have been refused by TJENER's exim
configuration before (since Debian Edu 11).

+  * Use mktemp instead of deprecated tempfile, adjust:
+    - etc/X11/Xsession-debian-edu
+    - sbin/debian-edu-update-netblock
+    - share/debian-edu-config/tools/gosa-sync
+    - testsuite/postoffice
+    (Closes: #1005352).

-> The 'tempfile' executable produces warning messages about being
deprecated when used. The 'mktemp' executable does not.

+  [ Mike Gabriel ]
+  * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service
+    principals if they don't yet exist. (Closes: #1002014).

-> The above issue has been critical for Debian Edu 11 setups and was
only spotted recently. Whenever a system entry in GOsa² was edited, the
Krb5 principal would change. This led to login failures on Debian Edu
clients (after a GOsa² edit of the system entry in LDAP).

+  * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.

-> Well, maybe not release critical, but comment mentioned stuff about
user accounts while this script is for host accounts.

+  * share/debian-edu-config/tools/setup-freeradius-server: Fix integer
+    comparison in run-by-root check. Script was not executable fully (not even
+    as root).

-> Make the setup-freeradius-server usable without manual editing of the
script before usage.

+  * debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
+    Debian-Edu_rootCA from this script. This now is the task of the
+    fetch-rootca-cert script. (Closes: #971780).

-> fetch-ldap-cert init script and fetch-rootca-cert script had some common
functionality (retrieval of the .intern domain's rootCA by clients).
After fetch-rootca-cert was added, we failed to reduce functionality of
fetch-ldap-cert.

On Debian Edu clients, these two scripts were actually interfering with
one another.

+  * debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of
+    Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to
+    Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is
+    required, because earlier versions of the fetch-ldap-cert init script put
+    Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced
+    symlinking replaces files by the wanted symlink. The -n option (no-
+    dereference) is required to make sure we don't follow any already existing
+    symlink. (This relates to #971780).

-> Fix an issue resulting from fetch-ldap-cert performing the rootCA
download differently from fetch-rootca-cert in previous versions of
debian-edu-config. With the change explained above, the transition of
Debian Edu client based on debian-edu-config 2.11.56+deb11u3 (and
earlier) to debian-edu-config 2.11.56+deb11u4 should be smooth.

+  * share/debian-edu-config/tools/update-proxy-from-wpad:
+    - Fix typo (wrong protocol) in APT proxy config creation.
+    - Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/
+      named 03debian-edu-config rather than meddling with /etc/apt/apt.conf
+      directly. Clean up any earlier meddling from apt.conf, as well. (Closes:
+      #1003560).

-> Stop meddling with /etc/apt/apt.conf directly, use a debian-edu-config
namespace file instead. Also, this allows deployment of Debian Edu
systems using FAI (letting FAI's default http proxy configuration
supersede Debian Edu's proxy configuration).

+  * share/debian-edu-config/tools/{update-proxy-from-wpad,wpad-extra}:
+    - Don't fail if proxy update is not possible, only send warnings to stderr
+      and syslog. Don't source wpad-extra script, execute it instead and capture
+      stdout. (Closes: #1008067).

-> update-proxy-from-wpad is used in ifupdown as post-up hook. We don't
want to exit with error when doing the proxy update, because then
ifupdown will also fail with error.

+  * sbin/update-hostname-from-ip:
+    - Simply if-then-else-clauses, reduce number of exit calls, don't exit with
+      non-zero exitcode. Improve syslog messages if things fail. (Closes:
+      #1006604).

-> update-hostname-from-ip is (also) used in ifupdown as post-up hook. We
don't want to exit with error when doing the hostname update, because then
ifupdown will also fail with error.

+  * share/debian-edu-config/tools/setup-roaming: Assure libsss-sudo is installed
+    on Roaming Workstation. (Closes: #1004605).

-> sudo for LDAP users is broken on roaming workstations without this...

+  * share/debian-edu-config/tools/gosa-remove: Capture removals of GOsa² user
+    templates and ignore them. (Closes: #815042).

-> user templates in GOsa² normally don't have a Kerberos account nor do
they have a home directory. The gosa-remove takes care of the removal of
both, so this goes down the drain if we don't bail out early for user
templates.

+  * ldap-schemas/: Update schema files from Debian's latest GOsa² list of
+    schemas.

-> Debian Edu ships its own LDAP schema files for GOsa² (why the heck!).
They should be at least of the same version as found in src:pkg gosa.

In fact, there was one issue fixed in the schema files of src:pkg gosa. This
fix is now available to Debian Edu with this change:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989096

+  * share/debian-edu-config/tools/clean-up-host-keytabs: Don't fail
+    on Kerberos principal removal.

-> sometimes (for whatever reason) systems in GOsa² lack a Kerberos host
principal. When we remove such a system from LDAP via GOsa² we want to
ignore those missing Kerberos information.

+  * etc/cups/cups-browsed-debian-edu.conf:
+    - Let TJENER's print queues appear on Debian Edu clients, use same
+      print queue names on clients as on TJENER. (Closes: #1005841).

-> This change has been requested for Debian Edu earlier, but failed to be
really testable due to apparmor blocking the loading of
/etc/cups/cups-browsed-debian-edu.conf. Unfortunately, this blockage was
also missed during Debian Edu testing for the Debian Edu 11 release.

The wanted behaviour is that print queues on Debian Edu clients have the
same name as the corresponding print queue on TJENER (aka ipp.intern).
The introduced change does exactly that.

+  * sbin/debian-edu-pxeinstall:
+    - Don't append 'ipappend 2' to the kernel boot cmdline anymore as it
+      confuses systemd when booting into the installed system. This resolves
+      the graphical.target not coming up on Debian Edu workstations that got
+      installed via the PXE/network based Debian Installer method. (Closes:
+      #1006362).

-> Debian Edu workstations installed via PXE would not come up with a
graphical system before this change got introduced.

+    - Silence stderr output if the artwork theme lacks a plymouth subfolder.
+      This can be silently ignored and should not trouble Debian Edu admins.

-> Don't report warnings/errors that can be ignored.

+  * Support krb5i on Diskless Workstations (aka LTSP FAT Clients):
+    - ldap-bootstrap/netgroup.ldif: Add diskless-workstation-hosts NIS netgroup
+      during LDAP bootstrap.
+    - debian/debian-edu-config.{postinst,postrm}: Create non-privileged
+      debian-edu system user account on Debian Edu mainserver (for distribution
+      of host keytabs to diskless workstations aka LTSP fat clients).
+    - share/debian-edu-config/tools/: Add update-dlw-krb5-keytabs script and
+      call it (with delay) from gosa-modify-host hook script. (Closes: #613167,
+      #1002018).

-> This whole block is more of a functionality backport than an error
fix. For years we have been thinking about secure NFS mounting of NFS
shares on diskless workstations (aka LTSP fat clients). The solution for this now
is:

  - provide a folder with .keytab files for each host that is meant to be
    a diskless workstation
  - make this folder available to a non-privileged user "debian-edu"
  - during LTSP fat client boot, use scp debian-edu@tjener:/<path>/<keytabfile>
    to copy over this client host's .keytabfile and use it as /etc/krb5.keytab

The above changelog block describes the required steps in debian-edu-config to
provide this feature on the Debian Edu mainserver (aka TJENER).

+  * Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/
+    and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes:
+    #1002019).

-> In Debian Edu 11 there was a design flaw regarding the storage of
Kerberos <host>.keytab files. As a place for storing those files
/etc/debian-edu/host-keytabs was used in the first design approach.

Using /etc for dynamic data is never a good idea, esp. if a tool like
etckeeper is used (which we do in Debian Edu by default).

A better place now has been discussed in Debian Edu team:
/var/lib/debian-edu/host-keytabs. This version of debian-edu-config will
migrate existing .keytab files to this new location and provide a symlink
at the old location.

+  * share/debian-edu-config/squid.conf:
+    - Prefer DNSv4 lookups over DNSv6. Debian Edu does not yet fully support
+      IPv6 and many schools still use IPv4 primarily. This gives a great
+      performance boost to squid installations if IPv6 internet is not fully
+      available for whatever reason. (Closes: #1006375).

-> Performance boost for squid if IPv6 has not been set-up properly.
(Something that we observed more than once in a school network).

+  * share/debian-edu-config/tools/list-gosa-systems:
+    - Drop immature list-gosa-systems script again that got sneaked in via
+      upload of 2.11.56+deb11u3. We apologize for the noise.

-> Ouch! The list-gosa-systems script was lying around in my (Mike's) working copy of
Debian Edu, not yet added to Git. When working on the previous bullseye-security
upload, this script sneaked into the debian-edu-config src:pkg. It was not
installed to the debian-edu-config bin:pkg, though. So, we now remove it again...


[ Other info ]
This bullseye-pu is presented to the SRM as a joint effort by the Debian
Edu team. Thanks for taking the time for looking into all the changes
provided via the attached .debdiff.
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/changelog debian-edu-config-2.11.56+deb11u4/debian/changelog
--- debian-edu-config-2.11.56+deb11u3/debian/changelog	2022-02-04 13:19:51.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/changelog	2022-03-23 12:28:00.000000000 +0100
@@ -1,3 +1,89 @@
+debian-edu-config (2.11.56+deb11u4) bullseye; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal
+    network sent to root@<mynetwork-names>. (Closes: #1003727).
+  * Use mktemp instead of deprecated tempfile, adjust:
+    - etc/X11/Xsession-debian-edu
+    - sbin/debian-edu-update-netblock
+    - share/debian-edu-config/tools/gosa-sync
+    - testsuite/postoffice
+    (Closes: #1005352).
+
+  [ Mike Gabriel ]
+  * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service
+    principals if they don't yet exist. (Closes: #1002014).
+  * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.
+  * share/debian-edu-config/tools/setup-freeradius-server: Fix integer
+    comparison in run-by-root check. Script was not executable fully (not even
+    as root).
+  * debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
+    Debian-Edu_rootCA from this script. This now is the task of the
+    fetch-rootca-cert script. (Closes: #971780).
+  * debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of
+    Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to
+    Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is
+    required, because earlier versions of the fetch-ldap-cert init script put
+    Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced
+    symlinking replaces files by the wanted symlink. The -n option (no-
+    dereference) is required to make sure we don't follow any already existing
+    symlink. (This relates to #971780).
+  * share/debian-edu-config/tools/update-proxy-from-wpad:
+    - Fix typo (wrong protocol) in APT proxy config creation.
+    - Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/
+      named 03debian-edu-config rather than meddling with /etc/apt/apt.conf
+      directly. Clean up any earlier meddling from apt.conf, as well. (Closes:
+      #1003560).
+  * share/debian-edu-config/tools/{update-proxy-from-wpad,wpad-extra}:
+    - Don't fail if proxy update is not possible, only send warnings to stderr
+      and syslog. Don't source wpad-extra script, execute it instead and capture
+      stdout. (Closes: #1008067).
+  * sbin/update-hostname-from-ip:
+    - Simply if-then-else-clauses, reduce number of exit calls, don't exit with
+      non-zero exitcode. Improve syslog messages if things fail. (Closes:
+      #1006604).
+  * share/debian-edu-config/tools/setup-roaming: Assure libsss-sudo is installed
+    on Roaming Workstation. (Closes: #1004605).
+  * share/debian-edu-config/tools/gosa-remove: Capture removals of GOsa² user
+    templates and ignore them. (Closes: #815042).
+  * ldap-schemas/: Update schema files from Debian's latest GOsa² list of
+    schemas.
+  * share/debian-edu-config/tools/clean-up-host-keytabs: Don't fail
+    on Kerberos principal removal.
+  * etc/cups/cups-browsed-debian-edu.conf:
+    - Let TJENER's print queues appear on Debian Edu clients, use same
+      print queue names on clients as on TJENER. (Closes: #1005841).
+  * sbin/debian-edu-pxeinstall:
+    - Don't append 'ipappend 2' to the kernel boot cmdline anymore as it
+      confuses systemd when booting into the installed system. This resolves
+      the graphical.target not coming up on Debian Edu workstations that got
+      installed via the PXE/network based Debian Installer method. (Closes:
+      #1006362).
+    - Silence stderr output if the artwork theme lacks a plymouth subfolder.
+      This can be silently ignored and should not trouble Debian Edu admins.
+  * Support krb5i on Diskless Workstations (aka LTSP FAT Clients):
+    - ldap-bootstrap/netgroup.ldif: Add diskless-workstation-hosts NIS netgroup
+      during LDAP bootstrap.
+    - debian/debian-edu-config.{postinst,postrm}: Create non-privileged
+      debian-edu system user account on Debian Edu mainserver (for distribution
+      of host keytabs to diskless workstations aka LTSP fat clients).
+    - share/debian-edu-config/tools/: Add update-dlw-krb5-keytabs script and
+      call it (with delay) from gosa-modify-host hook script. (Closes: #613167,
+      #1002018).
+  * Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/
+    and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes:
+    #1002019).
+  * share/debian-edu-config/squid.conf:
+    - Prefer DNSv4 lookups over DNSv6. Debian Edu does not yet fully support
+      IPv6 and many schools still use IPv4 primarily. This gives a great
+      performance boost to squid installations if IPv6 internet is not fully
+      available for whatever reason. (Closes: #1006375).
+  * share/debian-edu-config/tools/list-gosa-systems:
+    - Drop immature list-gosa-systems script again that got sneaked in via
+      upload of 2.11.56+deb11u3. We apologize for the noise.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Wed, 23 Mar 2022 12:28:00 +0100
+
 debian-edu-config (2.11.56+deb11u3) bullseye-security; urgency=medium
 
   * etc/apache2/mods-available/debian-edu-userdir.conf:
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-ldap-cert debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-ldap-cert
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-ldap-cert	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-ldap-cert	2022-03-21 15:18:05.000000000 +0100
@@ -16,14 +16,25 @@
 #
 # Author: Petter Reinholdtsen <pere@hungry.com>
 # Date:   2007-06-09
+#
+# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+# Date:   2022-01-06
+
+###
+### FIXME: Legacy init script for Debian Edu clients.
+###
+###        --- Remove for Debian Edu bookworm+1 ---
+###
+###        Warning: Removing this script will drop support for clients running
+###        against Debian Edu main servers based on Debian Edu stretch and
+###        earlier.
+###
 
 set -e
 
 . /lib/lsb/init-functions
 
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 
 do_start() {
 
@@ -33,7 +44,7 @@
 	ERROR=false
 
 	###
-	### PHASE 1: RootCA / bundle-cert / LDAP server cert retrieval
+	### PHASE 1: LDAP server cert retrieval
 	###
 
 	if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
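Review bot: $ROOTCACRT is still tested on the last context line of this hunk (`[ ! -f $ROOTCACRT ]`) although its definition was deleted in the previous hunk. With the variable empty the unquoted test collapses to `[ ! -f ]`, which evaluates false, so the condition silently reduces to `[ ! -f $CERTFILE ]`; drop the `|| [ ! -f $ROOTCACRT ]` clause so the intent is explicit rather than an accident of word splitting.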
@@ -50,116 +61,21 @@
 
 		[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
 
-		# do an openssl connect to the LDAP server, and check whether its certificate
-		# has been issued by the "Debian Edu RootCA", if not we are likely dealing with a
-		# pre-Debian Edu 10 (aka buster) TJENER or with some other non-Debian-Edu LDAP
-		# server.
-		if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q "Debian Edu RootCA" ; then
-
-			# Since Debian Edu 10, the LDAP certificate (or the RootCA file) is distributed
-			# over http (always via the host serving www.intern, by default: TJENER)
-			#
-			# We do an availability check for the webserver first, to provide proper
-			# error reporting (see below). So, the following check merely discovers,
-			# if the webserver is online at all.
-			if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
-
-				# Now let's see if the webserver has the "Debian Edu RootCA" file.
-				# This has been the case for Debian Edu main servers (TJENER) since
-				# Debian Edu 10.1.
-				if curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null && \
-
-				    grep -q CERTIFICATE $ROOTCACRT ; then
-
-					# Obtained a RootCA-verified version of the LDAP server's server certificate.
-					gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
-					logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
-
-					# If the host previously had got the BUNDLECERT file installed,
-					# we make sure here to have it removed. From now on, the LTSP chroot
-					# can operate on the ROOTCACRT file and the BUNDLECERT will never get
-					# update anymore once the ROOTCACRT is available on www.intern.
-					rm -f $BUNDLECRT
-				else
-
-					# If there is no Debian Edu RootCA available on www.intern, fallback to
-					# debian-edu-bundle.crt download (an approach done by a Debian Edu 10.0
-					# main server (aka TJENER) only and changed to RootCA provisioning in
-					# in Debian Edu 10.1.
-
-					# Drop the ROOTCACRT file, as it probably only contains some 404 http
-					# error message in html.
-					rm -f $ROOTCACRT
-
-					# So, now let's see if the webserver has the "debian-edu-bundle.crt"
-					# file. If so (and no Debian Edu RootCA file), then we are likely dealing
-					# with a Debian Edu 10.0 main server.
-					if curl -fk https://www.intern/debian-edu-bundle.crt 1> $BUNDLECRT 2>/dev/null && \
-					    grep -q CERTIFICATE $BUNDLECRT ; then
-
-						# Obtained a self-verified version of the LDAP server's server certificate.
-						# (The BUNDLECERT file should already contain the LDAP server's certificate,
-						# so having this cert file should allow us to successfully and "verified'ly"
-						# connect to the LDAP server and let us retrieve that very same certificate).
-						gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
-						logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
-					else
-
-						# We should never get here... If we do anyway, then something went
-						# terribly wrong or the www.intern servicing server is misconfigured.
-
-						# Drop the ROOTCACRT file, as it probably only contains some 404 http
-						# error message in html.
-						rm -f $BUNDLECRT
-
-						logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
-					fi
-
-				fi
-
-			else
-
-				# Report an error, if www.intern is down http-wise. This can happen and is probably
-				# a temporary problem that needs an admin to fix it.
-				log_action_end_msg 1
-				logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
-				ERROR=true
-
-			fi
-
-		else
-
-			# Fallback: Fetch LDAP certificate from a pre-Debian-Edu-10 (aka buster) LDAP server
-			# (or some non-Debian-Edu LDAP server)
-			/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
-			chmod 644 $CERTFILE.new
-			logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
-
-			# FIXME: Add some error handling here:
-			#   - LDAP server down
-			#   - what-not-else...
-
-		fi
+		# Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
+		/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
+		chmod 644 $CERTFILE.new
 
-		# By now, we should have obtained the LDAP server's CERTFILE (verified in two cases (10.0 or 10.1 TJENER),
-		# simply downloaded from the LDAP server itself in the third case (pre-10.0 TJENER)
 		if test -s $CERTFILE.new ; then
 			mv $CERTFILE.new $CERTFILE
 			[ "$VERBOSE" != no ] && log_action_end_msg 0
-			if [ -f $BUNDLECRT ] || [ -f $ROOTCACRT ] ; then
-				logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
-			else
-				logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
-			fi
+			logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
 		else
-
-			# We obviously have failed in some other way, if the CERTFILE.new is empty (zero size)
-			# Again, something went awfully wrong, if we end up here...
+			# We obviously have failed in some way if the CERTFILE.new is empty (zero size).
+			# Something went wrong, if we end up here...
 			rm -f $CERTFILE.new
 			log_action_end_msg 1
 			logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
 			ERROR=true
-
 		fi
 
 	fi
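Review bot: the LDAP server certificate is now taken straight from the LDAP server via ldap-server-getcert with no verification against the Debian Edu rootCA (the gnutls-cli --x509cafile path is removed in this hunk), so this is trust-on-first-use; the new comment should say so and state that fetch-rootca-cert is relied on to establish the site trust anchor. Separately, with `set -e` in effect at the top of the script a non-zero exit from `/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new` aborts the script before the `test -s $CERTFILE.new` else-branch can log the failure and set ERROR=true (unless do_start is invoked in a conditional); write it as `if ! /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new; then` or append `|| true` so the existing error path is reachable.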
@@ -168,7 +84,7 @@
 	### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
 	###
 
-	if [ -d /opt/ltsp ] ; then
+	if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
 
 		# Loop over all to be found LTSP chroots...
 		for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
@@ -195,58 +111,10 @@
 				fi
 			fi
 
-			if [ ! -f $ltsp_chroot$ROOTCACRT ]; then
-
-				if test -e $ROOTCACRT; then
-
-					# If we retrieved it, we also copy the obtained ROOTCACRT into the LTSP chroot
-					# (containing the self-built rootCA of the Debian Edu site).
-					log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
-					if test -s $ROOTCACRT; then
-
-						# If the chroot previously had got the BUNDLECERT file installed,
-						# we should make sure here to have it removed. From now on, the LTSP chroot
-						# can operate on the ROOTCACRT file and the BUNDLECERT will never get
-						# update anymore once the ROOTCACRT is available on www.intern.
-						rm -f $ltsp_chroot$BUNDLECRT
-						cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
-						[ "$VERBOSE" != no ] && log_action_end_msg 0
-
-					else
-						log_action_end_msg 1
-						ERROR=true
-					fi
-
-				fi
-
-			fi
-
-			if [ ! -f $ltsp_chroot$BUNDLECRT ] && [ ! -f $ltsp_chroot$ROOTCACRT ]; then
-
-				if test -e $BUNDLECRT; then
-					# If we talked to a Debian Edu 10.0 main server (aka TJENER) above, then we
-					# don't have the ROOTCACRT. We copy the BUNDLECRT file into the LTSP chroot
-					# instead (containing all certificates ever issued for the Debian Edu site).
-					# This is just a fallback, in fact, we need the Debian Edu RootCA.
-
-					# If you end up here, then please upgrade your Debian Edu 10.0 server to a
-					# a newer version (Debian Edu 10.1 and beyond).
-					log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
-					if test -s $BUNDLECRT; then
-						cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
-						[ "$VERBOSE" != no ] && log_action_end_msg 0
-					else
-						log_action_end_msg 1
-						ERROR=true
-					fi
-				fi
-
-			fi
-
 		done
 	fi
 
-	if $ERROR; then
+	if [ "$ERROR" = "true" ]; then
 		return 1
 	fi
 }
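Review bot: removing the `cp $ROOTCACRT $ltsp_chroot$ROOTCACRT` block leaves no code in this debdiff that places Debian-Edu_rootCA.crt inside /opt/ltsp/* chroots; confirm that fetch-rootca-cert (only one line of it appears in this diff) covers LTSP chroots, otherwise chroots built before this update keep a stale copy and newly built ones get none.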
@@ -263,4 +131,5 @@
 		echo "Usage: $0 {start|stop|restart|force-reload}"
 		exit 2
 esac
+
 exit 0
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-rootca-cert debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-rootca-cert
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.fetch-rootca-cert	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.fetch-rootca-cert	2022-03-21 15:18:05.000000000 +0100
@@ -53,7 +53,7 @@
 			if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
 				grep -q CERTIFICATE $LOCALCACRT ; then
 				# Make rootCA certificate available in /etc/ssl/certs/
-				ln -s $LOCALCACRT $ROOTCACRT
+				ln -nsf $LOCALCACRT $ROOTCACRT
 				# Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
 				update-ca-certificates
 				logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
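Review bot: `ln -nsf` fixes the file-vs-symlink collision, but the context lines show the rootCA itself is fetched with `curl -fk`, i.e. with TLS verification disabled, and only sanity-checked with `grep -q CERTIFICATE` before being installed system-wide via update-ca-certificates. That is a trust-on-first-use bootstrap of the site CA; at minimum the script comment should state it, and a fingerprint check against a value delivered out of band would close the gap.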
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.links debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.links
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.links	2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.links	2022-03-22 09:14:06.000000000 +0100
@@ -1,3 +1,2 @@
 usr/share/debian-edu-config/tools/ldapdump.sh etc/slbackup/pre.d/ldapdump.sh
 etc/debian-edu/www/index.html.nb-no etc/debian-edu/www/index.html.no
-
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.maintscript debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.maintscript
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.maintscript	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.maintscript	2022-03-23 12:26:34.000000000 +0100
@@ -4,4 +4,4 @@
 rm_conffile /etc/apt/apt.conf.d/90squid 2.10.36
 rm_conffile /etc/ltspfs/mounter.d/edu-notify 2.11.16
 rm_conffile /etc/cfengine3/debian-edu/cf.tftpd 2.11.16
-
+dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.11.56+deb11u3
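Review bot: the prior-version argument for dir_to_symlink should be the version introducing the change with a trailing tilde, i.e. `2.11.56+deb11u4~`, as dpkg-maintscript-helper(1) recommends; `2.11.56+deb11u3` only triggers the conversion for upgrades from exactly deb11u3 and earlier, so a locally rebuilt deb11u3 derivative is not migrated. It should also agree with the `le "2.11.56+deb11u4"` comparison the preinst uses for the same migration.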
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postinst debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postinst
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postinst	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postinst	2022-03-23 12:26:34.000000000 +0100
@@ -178,6 +178,32 @@
 		fi
 	fi
 
+	# On Debian Edu main servers create a debian-edu system user account with
+	# limited privileges for publishing host keytabs to diskless workstations (this
+	# is the initial use case, further use cases might pop up later).
+	if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" /etc/debian-edu/config ; then
+
+	    if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
+		echo 'Creating debian-edu user.' >&2
+		adduser --system --home /var/lib/debian-edu \
+		        --disabled-password --shell /bin/sh \
+		        --group debian-edu
+	    else
+		echo 'User debian-edu already exists.' >&2
+		# make sure all settings are appropriate
+		if [ "$(id -gn 'debian-edu')" != 'debian-edu' ]; then
+		    usermod --gid 'debian-edu' 'debian-edu'
+		fi
+	    fi
+
+	    # Assure that permissions of /var/lib/debian-edu/ are appropriate
+	    if [ -d /var/lib/debian-edu/ ]; then
+		chown debian-edu:debian-edu /var/lib/debian-edu/
+		chmod 0755 /var/lib/debian-edu/
+	    fi
+
+	fi
+
     # silence dovecot's message: if you have trouble with authentication failures,
     # enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
     # This message goes away after the first successful login.
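Review bot: `adduser --system ... --shell /bin/sh` gives the keytab-distribution account a full login shell on the main server, and the cover mail says diskless workstations log in as this user over scp; any client holding that credential therefore gets an interactive shell on TJENER and can read every host keytab the account can read. Restrict the account to the copy operation (for instance a forced command in authorized_keys, or `--shell /usr/sbin/nologin` with an sftp-only subsystem) and document how the host-keytabs directory is protected, since this hunk only sets 0755 on /var/lib/debian-edu/ itself.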
@@ -266,6 +292,14 @@
 	fi
 fi
 
+# On the main-server, point from the old keytab location /etc/debian-edu/host-keytabs to the new
+# keytab location at /var/lib/debian-edu/host-keytabs...
+if grep -q Main-Server /etc/debian-edu/config; then
+	if [ ! -e /etc/debian-edu/host-keytabs ] && [ -d /var/lib/debian-edu/host-keytabs ]; then
+		ln -s /var/lib/debian-edu/host-keytabs /etc/debian-edu/host-keytabs
+	fi
+fi
+
 # Register all changes done by this postinst script
 if which etckeeper > /dev/null ; then
     etckeeper commit "end of debian-edu-config postinst" || true
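Review bot: this `ln -s` duplicates the `dir_to_symlink` entry added to debian/debian-edu-config.maintscript, which already creates /etc/debian-edu/host-keytabs -> /var/lib/debian-edu/host-keytabs on upgrade; keep one mechanism, or comment that this block only covers fresh installs where the helper has no old directory to convert. Also, `grep -q Main-Server /etc/debian-edu/config` lacks the `[ -s /etc/debian-edu/config ]` guard used in the earlier hunk, and `[ ! -e ... ]` is true for a dangling symlink, so a stale link at that path makes `ln -s` fail with "File exists".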
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postrm debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postrm
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.postrm	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.postrm	2022-03-23 12:26:34.000000000 +0100
@@ -25,6 +25,11 @@
 	fi
 	;;
     purge)
+	# remove user/group debian-edu from system
+	getent passwd debian-edu 1>/dev/null && deluser debian-edu
+	getent group debian-edu 1>/dev/null && delgroup debian-edu
+	rm -Rf /var/lib/debian-edu
+
 	# Generated in the postinst
 	rm -f /etc/default/enable-nat
 	if [ ! -s /var/lib/dovecot/auth_success ] ; then
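Review bot: `rm -Rf /var/lib/debian-edu` on purge deletes the host keytabs that the preinst migrated there, and since /etc/debian-edu/host-keytabs is now only a symlink those are the only copies; purging the package therefore destroys every diskless workstation's Kerberos host key and forces re-enrolment. That is defensible for purge, but it should be stated in NEWS or README so an admin does not discover it the hard way.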
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.preinst debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.preinst
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.preinst	2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.preinst	2022-03-23 12:26:34.000000000 +0100
@@ -44,6 +44,21 @@
     if dpkg --compare-versions "$2" le "2.11.16" ; then
         rm -rf /etc/ltspfs
     fi
+
+    # Move .keytab files from /etc/debian-edu/host-keytabs to
+    # /var/lib/debian-edu/host-keytabs before dpkg-maintscript-helper moves
+    # the /etc/debian-edu/host-keytabs dir and replaces it by a symlink...
+    # We have to move the .keytab files manually, because they are not owned
+    # by debian-edu-config.
+    if dpkg --compare-versions "$2" le "2.11.56+deb11u4"; then
+        if [ -d /etc/debian-edu/host-keytabs ] && \
+           [ ! -h /etc/debian-edu/host-keytabs ] && \
+           find /etc/debian-edu/host-keytabs/* 1>/dev/null 2>/dev/null; then
+            mkdir -p /var/lib/debian-edu/host-keytabs/
+            mv /etc/debian-edu/host-keytabs/*.keytab /var/lib/debian-edu/host-keytabs/
+        fi
+    fi
+
     ;;
 esac
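Review bot: the non-emptiness test `find /etc/debian-edu/host-keytabs/* 1>/dev/null 2>/dev/null` succeeds for any file in the directory, while the following `mv /etc/debian-edu/host-keytabs/*.keytab ...` fails when none of those files ends in .keytab (the glob stays unexpanded and mv reports "cannot stat"), which aborts the preinst under `set -e`. Make the two agree, e.g. `find /etc/debian-edu/host-keytabs -maxdepth 1 -name '*.keytab' | grep -q .`, or loop over the glob with an `[ -e "$f" ]` check. `mkdir -p /var/lib/debian-edu/host-keytabs/` creates the new keytab directory with the umask default; pass `-m 0700` (or whatever mode the /etc directory had) so the moved keytabs are not listable by every local user.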
 
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.prerm debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.prerm
--- debian-edu-config-2.11.56+deb11u3/debian/debian-edu-config.prerm	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/debian-edu-config.prerm	2022-03-23 12:26:34.000000000 +0100
@@ -16,6 +16,11 @@
 	    rm /usr/share/pam-configs/edu-nopwdchange
 	fi
 	pam-auth-update --package --remove edu-group edu-umask
+
+	# drop /etc/debian-edu/host-keytabs symlink
+	if [ -h /etc/debian-edu/host-keytabs ]; then
+	    rm /etc/debian-edu/host-keytabs
+	fi
 	;;
 esac
 
diff -Nru debian-edu-config-2.11.56+deb11u3/debian/dirs debian-edu-config-2.11.56+deb11u4/debian/dirs
--- debian-edu-config-2.11.56+deb11u3/debian/dirs	2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/debian/dirs	2022-03-21 20:42:07.000000000 +0100
@@ -6,7 +6,6 @@
 etc/cron.d
 etc/cups
 etc/debian-edu
-etc/debian-edu/host-keytabs
 etc/default
 etc/exports.d
 etc/firefox-esr
@@ -26,3 +25,4 @@
 usr/share/doc/debian-edu-config
 usr/share/man
 usr/share/man/man8
+var/lib/debian-edu/host-keytabs
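Review bot: `var/lib/debian-edu/host-keytabs` added to debian/dirs is shipped with the default 0755 directory mode, and none of the maintainer-script hunks in this diff tighten it; since the directory will hold Kerberos host keytabs, set a stricter mode in the postinst or via a dh_fixperms override.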
diff -Nru debian-edu-config-2.11.56+deb11u3/etc/cups/cups-browsed-debian-edu.conf debian-edu-config-2.11.56+deb11u4/etc/cups/cups-browsed-debian-edu.conf
--- debian-edu-config-2.11.56+deb11u3/etc/cups/cups-browsed-debian-edu.conf	2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/etc/cups/cups-browsed-debian-edu.conf	2022-03-21 15:18:05.000000000 +0100
@@ -28,5 +28,5 @@
 # to "No".
 
 CreateIPPPrinterQueues No
-CreateRemoteCUPSPrinterQueues No
-
+CreateRemoteCUPSPrinterQueues Yes
+LocalQueueNamingRemoteCUPS RemoteName
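Review bot: the comment retained at the top of the hunk (`# to "No".`) still describes the old value, while `CreateRemoteCUPSPrinterQueues` is now `Yes`; update the comment to say why remote CUPS queues are now created and what `LocalQueueNamingRemoteCUPS RemoteName` is for. With remote queue creation enabled, every printer announcement on the network results in a local queue, so confirm the browse restrictions elsewhere in this file (BrowseAllow and friends) still limit which hosts may announce printers.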
diff -Nru debian-edu-config-2.11.56+deb11u3/etc/exim4/exim-ldap-server-v4.conf debian-edu-config-2.11.56+deb11u4/etc/exim4/exim-ldap-server-v4.conf
--- debian-edu-config-2.11.56+deb11u3/etc/exim4/exim-ldap-server-v4.conf	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/etc/exim4/exim-ldap-server-v4.conf	2022-03-21 15:18:05.000000000 +0100
@@ -204,6 +204,7 @@
 # ACL that is used after the RCPT command
 acl_check_rcpt:
   accept local_parts = postmaster
+  accept local_parts = root
   # Exim 3 had no checking on -bs messages, so for compatibility
   # we accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
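Review bot: `accept local_parts = root` carries no `domains =` or `hosts =` condition, so RCPT TO root@<any domain> is accepted from any connecting host before the sender-host and verification checks that follow, which is broader than the changelog's "root@<mynetwork-names> from the internal network". Restrict it, for example:
  accept local_parts = root
         domains = +local_domains
(using whatever name this configuration gives its local domain list), and add a `hosts =` condition for the internal network if that is the intent. Without the domain restriction, mail to root at non-local domains is accepted at RCPT time and can only fail later, producing backscatter. The existing postmaster line has the same shape, but that is the conventional exception and should not be copied for root.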
diff -Nru debian-edu-config-2.11.56+deb11u3/etc/X11/Xsession-debian-edu debian-edu-config-2.11.56+deb11u4/etc/X11/Xsession-debian-edu
--- debian-edu-config-2.11.56+deb11u3/etc/X11/Xsession-debian-edu	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/etc/X11/Xsession-debian-edu	2022-02-11 21:40:55.000000000 +0100
@@ -70,7 +70,7 @@
 # attempt to create an error file; abort if we cannot
 if touch $ERRFILE 2> /dev/null && [ -w $ERRFILE ]; then
   chmod 600 "$ERRFILE"
-elif ERRFILE=$(tempfile 2> /dev/null); then
+elif ERRFILE=$(mktemp 2> /dev/null); then
   if ! ln -sf "$ERRFILE" "${TMPDIR:=/tmp}/xsession-$USER"; then
     message "Xsession: unable to symlink \"$TMPDIR/xsession-$USER\" to" \
              "\"$ERRFILE\"."
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-bootstrap/netgroup.ldif debian-edu-config-2.11.56+deb11u4/ldap-bootstrap/netgroup.ldif
--- debian-edu-config-2.11.56+deb11u3/ldap-bootstrap/netgroup.ldif	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-bootstrap/netgroup.ldif	2022-03-23 11:49:36.000000000 +0100
@@ -15,6 +15,12 @@
 description: All workstations
 cn: workstation-hosts
 
+dn: cn=diskless-workstation-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+description: All diskless workstations
+cn: diskless-workstation-hosts
+
 dn: cn=ltsp-server-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: nisNetgroup
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/gofon.schema debian-edu-config-2.11.56+deb11u4/ldap-schemas/gofon.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/gofon.schema	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/gofon.schema	2022-03-21 15:18:05.000000000 +0100
@@ -285,29 +285,29 @@
 
 # objectclass 
 objectclass (1.3.6.1.4.1.10098.1.2.3.11 NAME 'goFonAccount' SUP top AUXILIARY
-	DESC 'GOFon Account objectclass (v1.0)'
+	DESC 'GOFon Account objectclass (v2.7)'
 	MUST ( goFonDeliveryMode $ telephoneNumber $ uid )
 	MAY ( goFonFormat $ goFonForwarding $ goFonHardware $ goFonPIN $ goFonVoicemailPIN $ goFonMacro $ goFonHomeServer ))
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.12 NAME 'goFonHardware' SUP top STRUCTURAL
-	DESC 'defines a telephone (v1.0)'
+	DESC 'defines a telephone (v2.7)'
 	MUST ( cn $ macAddress $ ipHostNumber )
 	MAY (description $ goFonType $ goFonDmtfMode $ goFonHost $ goFonDefaultIP $
 		 goFonQualify $ goFonAuth $ goFonSecret $ goFonInkeys $ goFonOutkey $
 		 goFonTrunk $ goFonAccountCode $ goFonMSN $ goFonPermit $ goFonDeny ) )
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.13 NAME 'goFonPickupGroup' SUP top AUXILIARY
-	DESC 'Additive for posixGroups (v1.0)'
+	DESC 'Additive for posixGroups (v2.7)'
 	MUST ( cn $ gidNumber ) )
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.14 NAME 'goFonMacro' SUP top STRUCTURAL
-	DESC 'Macro definitions for asterisk machines (v1.0)'
+	DESC 'Macro definitions for asterisk machines (v2.7)'
 	MUST ( cn ) 
 	MAY ( goFonMacroVisible $ displayName $ goFonMacroContent $ description $
 		  goFonMacroParameter ))
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.15 NAME 'goFonQueue' SUP top AUXILIARY
-	DESC 'Queue definitions for asterisk machines (v1.0)'
+	DESC 'Queue definitions for asterisk machines (v2.7)'
 	MUST ( cn ) 
 	MAY ( goFonTimeOut $ goFonMaxLen $ goFonAnnounceFrequency $ goFonDialOption $
 		  goFonMusiconHold $ goFonWelcomeMusic $ goFonQueueReportHold $
@@ -317,7 +317,7 @@
 		  goFonQueueRetry $ goFonQueueLessThan $ goFonHomeServer ))
 
 objectclass (1.3.6.1.4.1.10098.1.2.3.16 NAME 'goFonConference' SUP top STRUCTURAL
-	DESC 'Conference definitions for asterisk machines (v1.0)'
+	DESC 'Conference definitions for asterisk machines (v2.7)'
 	MUST ( cn ) 
 	MAY ( description $ goFonConferenceOption $ goFonConferenceTimeout $ goFonPIN $
 		  goFonConferenceOwner $ telephoneNumber $ goFonHomeServer))
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosa-samba3.schema debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosa-samba3.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosa-samba3.schema	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosa-samba3.schema	2022-03-21 15:18:05.000000000 +0100
@@ -272,6 +272,10 @@
         DESC 'A user defined filter'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
 
+attributetype ( 1.3.6.1.4.1.10098.1.1.12.48 NAME 'gosaWebDAVQuota'
+        DESC 'Webdav share quota in KB'
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
 attributetype ( 1.3.6.1.4.1.10098.1.1.6.2 NAME 'academicTitle'
         DESC 'Field to represent the academic title'
         EQUALITY caseIgnoreMatch
@@ -298,34 +302,42 @@
 		SUBSTR caseIgnoreIA5SubstringsMatch
 	    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 
+# alias used to provide alternative rfc822 email addresses for kolab users
+attributetype ( 1.3.6.1.4.1.19414.2.1.3
+        NAME 'alias'
+        DESC 'RFC1274: RFC822 Mailbox'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
 # Classes
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.1 NAME 'gosaObject' SUP top AUXILIARY
-        DESC 'Class for GOsa settings (v2.6.1)'
+        DESC 'Class for GOsa settings (v2.7)'
         MUST ( gosaSubtreeACL ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.2 NAME 'gosaLockEntry' SUP top STRUCTURAL
-        DESC 'Class for GOsa locking (v2.6.1)'
+        DESC 'Class for GOsa locking (v2.7)'
         MUST ( gosaUser $ gosaObject $ cn ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.3 NAME 'gosaCacheEntry' SUP top STRUCTURAL
-        DESC 'Class for GOsa caching (v2.6.1)'
+        DESC 'Class for GOsa caching (v2.7)'
 	MAY  ( gosaUser )
 	MUST ( cn ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.4 NAME 'gosaDepartment' SUP top AUXILIARY
-        DESC 'Class to mark Departments for GOsa (v2.6.1)'
+        DESC 'Class to mark Departments for GOsa (v2.7)'
 	MUST  ( ou $ description )
 	MAY   ( manager ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.5 NAME 'gosaMailAccount' SUP top AUXILIARY
-        DESC 'Class to mark MailAccounts for GOsa (v2.6.1)'
+        DESC 'Class to mark MailAccounts for GOsa (v2.7)'
 	MUST ( mail $ gosaMailServer $ gosaMailDeliveryMode)
-	MAY  ( gosaMailQuota $ gosaMailAlternateAddress $ gosaMailForwardingAddress $
+	MAY  ( alias $ gosaMailQuota $ gosaMailAlternateAddress $ gosaMailForwardingAddress $
 	       gosaMailMaxSize $ gosaSpamSortLevel $ gosaSpamMailbox $
 	       gosaVacationMessage $ gosaVacationStart $ gosaVacationStop $ gosaSharedFolderTarget $ acl))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount' SUP top AUXILIARY
-        DESC 'Class for GOsa Accounts (v2.6.6)'
+        DESC 'Class for GOsa Accounts (v2.7)'
 	MUST ( uid )
         MAY ( sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ gosaDefaultPrinter $
 	      gosaDefaultLanguage $ academicTitle $ personalTitle $ gosaHostACL $ dateOfBirth $
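Review bot: the new `alias` attributetype uses OID 1.3.6.1.4.1.19414.2.1.3 and the hunk's own comment ties it to Kolab; if a Kolab schema that already defines `alias` is loaded on an existing site, slapd will refuse to start with a duplicate attributeType error, so check the schema load order on upgraded installations. The changelog should also say how existing slapd instances pick up the changed schema files: the DESC bumps to v2.7 and the new `alias` entry in the MAY list of gosaMailAccount only take effect once the schema is reloaded.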
@@ -333,88 +345,89 @@
         gotoLastSystemLogin $ gotoLastSystem $ gosaLoginRestriction ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.7 NAME 'gosaHost' SUP top AUXILIARY
-        DESC 'Class for GOsa Hosts (v2.6.1)'
+        DESC 'Class for GOsa Hosts (v2.7)'
         MUST ( cn )
         MAY ( description $ gosaService ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.8 NAME 'gosaProxyAccount' SUP top AUXILIARY
-        DESC 'Class for GOsa Proxy settings (v2.6.1)'
+        DESC 'Class for GOsa Proxy settings (v2.7)'
         MUST ( gosaProxyAcctFlags )
         MAY ( gosaProxyID $ gosaProxyWorkingStart $ gosaProxyWorkingStop $ gosaProxyQuota $
               gosaProxyQuotaPeriod ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.9 NAME 'gosaApplication' SUP top STRUCTURAL
-        DESC 'Class for GOsa applications (v2.6.1)'
+        DESC 'Class for GOsa applications (v2.7)'
         MUST ( cn $ gosaApplicationExecute )
         MAY ( gosaApplicationName $ gosaApplicationIcon $ gosaApplicationFlags $ gosaApplicationMimeType $
               gosaApplicationParameter $ gotoLogonScript $ description $ gosaApplicationCategory ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.10 NAME 'gosaApplicationGroup' SUP top AUXILIARY
-        DESC 'Class for GOsa application groups (v2.6.1)'
+        DESC 'Class for GOsa application groups (v2.7)'
         MUST ( cn )
         MAY ( gosaMemberApplication $ gosaApplicationParameter ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.11 NAME 'gosaUserTemplate' SUP top AUXILIARY
-        DESC 'Class for GOsa User Templates (v2.6.1)'
+        DESC 'Class for GOsa User Templates (v2.7)'
         MUST ( cn ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.12 NAME 'gosaGroupOfNames'
-        DESC 'GOsa object grouping (v2.6.1)'
+        DESC 'GOsa object grouping (v2.7)'
 		SUP top STRUCTURAL
 		MUST ( cn $ gosaGroupObjects ) MAY ( member $ description ) )
 
-objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebdavAccount'
-        DESC 'GOsa webdav enabling account (v2.6.1)'
+objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebDAVAccount'
+        DESC 'GOsa webdav enabling account (v2.7)'
         SUP top AUXILIARY
-        MUST ( cn $ uid ))
+        MUST ( cn $ uid )
+        MAY ( gosaWebDAVQuota ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.14 NAME 'gosaIntranetAccount'
-		DESC 'GOsa Inatrent enabling account (v2.6.1)'
+		DESC 'GOsa Inatrent enabling account (v2.7)'
 		SUP top AUXILIARY
 		MUST ( cn $ uid )
 		MAY ( gosaDefaultLanguage ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.15 NAME 'gosaAdministrativeUnit'
-       DESC 'Marker for administrational units (v2.6.1)'
+       DESC 'Marker for administrational units (v2.7)'
            SUP top AUXILIARY
        MUST ( gosaUnitTag ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.16 NAME 'gosaAdministrativeUnitTag'
-       DESC 'Marker for objects below administrational units (v2.6.1)'
+       DESC 'Marker for objects below administrational units (v2.7)'
            SUP top AUXILIARY
        MUST ( gosaUnitTag ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.17 NAME 'gosaRole'
-       DESC 'ACL container to define roles (v2.6.1)' SUP top STRUCTURAL
+       DESC 'ACL container to define roles (v2.7)' SUP top STRUCTURAL
        MUST ( gosaAclTemplate $ cn )
        MAY  ( description ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.18 NAME 'gosaAcl'
-       DESC 'ACL container to define single ACLs (v2.6.1)' SUP top AUXILIARY
+       DESC 'ACL container to define single ACLs (v2.7)' SUP top AUXILIARY
        MUST ( gosaAclEntry  ))
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.19 NAME 'gosaSnapshotObject'
-       DESC 'Container object for undo and snapshot data (v2.6.1)' SUP top STRUCTURAL
+       DESC 'Container object for undo and snapshot data (v2.7)' SUP top STRUCTURAL
        MUST ( gosaSnapshotType $ gosaSnapshotTimestamp $ gosaSnapshotDN $ gosaSnapshotData )
        MAY  ( description ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.20 NAME 'gosaConfig'
-       DESC 'Settings for gosa. Replaces parts of the gosa.conf. (v2.6)' SUP top STRUCTURAL
+       DESC 'Settings for gosa. Replaces parts of the gosa.conf. (v2.7)' SUP top STRUCTURAL
        MUST ( cn ) 
        MAY  ( gosaSetting ) )
 
-# GOto submenu entries
+# GOto submenu entry
 objectclass (1.3.6.1.4.1.10098.1.2.1.43 NAME 'gotoSubmenuEntry'
-        DESC 'GOto - contains environment settings (v2.6)' SUP top STRUCTURAL
+        DESC 'GOto - contains environment settings (v2.7)' SUP top STRUCTURAL
         MUST ( cn )
         MAY ( gosaApplicationIcon $ gosaApplicationPriority ) )
 
-# GOto menu entries
+# GOto menu entry
 objectclass (1.3.6.1.4.1.10098.1.2.1.44 NAME 'gotoMenuEntry'
-        DESC 'GOto - defines a menu entry (v2.6)' SUP top STRUCTURAL
+        DESC 'GOto - defines a menu entry (v2.7)' SUP top STRUCTURAL
         MUST ( cn )
         MAY ( gosaApplicationParameter $ gosaApplicationPriority ) )
 
 objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.21 NAME 'gosaProperties' SUP top AUXILIARY
-        DESC 'Class for GOsa Properties, stores for example user filters (v2.6.8)'
-        MAY ( gosaUserDefinedFilter ) ) 
+        DESC 'Store GOsa properties (v2.7)'
+        MAY ( gosaUserDefinedFilter ) )
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/goserver.schema debian-edu-config-2.11.56+deb11u4/ldap-schemas/goserver.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/goserver.schema	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/goserver.schema	2022-03-21 15:18:05.000000000 +0100
@@ -473,86 +473,86 @@
 
 # Terminal Server description 
 objectclass (1.3.6.1.4.1.10098.1.2.1.16 NAME 'goTerminalServer' SUP top AUXILIARY
-	DESC 'Terminal server description (v2.6.1)'
+	DESC 'Terminal server description (v2.7)'
 	MUST ( cn $ goXdmcpIsEnabled )
-	MAY  ( description $ goTerminalServerStatus $ gotoSessionType ))
+	MAY  ( description $ goTerminalServerStatus $ gotoSessionType $ goFontPath ))
 
 # NFS Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.19 NAME 'goNfsServer' SUP top AUXILIARY
-	DESC 'NFS server description (v2.6.1)'
+	DESC 'NFS server description (v2.7)'
 	MUST ( cn )
 	MAY  ( goExportEntry $ description $ goNfsServerStatus ))
 
 # Time Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.20 NAME 'goNtpServer' SUP top AUXILIARY
-	DESC 'Time server description (v2.6.1)'
+	DESC 'Time server description (v2.7)'
 	MUST ( cn )
         MAY  ( goTimeSource $ description $ goNtpServerStatus ))
 
 # Syslog Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.21 NAME 'goSyslogServer' SUP top AUXILIARY
-	DESC 'Syslog server description (v2.6.1)'
+	DESC 'Syslog server description (v2.7)'
 	MUST ( cn )
 	MAY  ( goSyslogSection $ description $ goSyslogServerStatus ))
 
 # LDAP Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.22 NAME 'goLdapServer' SUP top AUXILIARY
-	DESC 'LDAP server description (v2.6.1)'
+	DESC 'LDAP server description (v2.7)'
 	MUST ( cn )
 	MAY  ( goLdapBase $ description $ goLdapServerStatus ))
 
 # CUPS Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.23 NAME 'goCupsServer' SUP top AUXILIARY
-	DESC 'CUPS server description (v2.6.1)'
+	DESC 'CUPS server description (v2.7)'
 	MUST ( cn )
 	MAY  ( description $ goCupsServerStatus ))
 
 # IMAP Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.24 NAME 'goImapServer' SUP top AUXILIARY
-	DESC 'IMAP server description (v2.6.1)'
+	DESC 'IMAP server description (v2.7)'
 	MUST ( cn $ goImapName $ goImapConnect $ goImapAdmin $ goImapPassword )
 	MAY  ( goImapSieveServer $ goImapSievePort $ description $ goImapServerStatus $
 	       cyrusImap $ cyrusImapSSL $ cyrusPop3 $ cyrusPop3SSL ))
 
 # Kerberos Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.25 NAME 'goKrbServer' SUP top AUXILIARY
-	DESC 'Kerberos server description (v2.6.1)'
+	DESC 'Kerberos server description (v2.7)'
 	MUST ( cn $ goKrbRealm )
 	MAY  ( description $ goKrbServerStatus ))
 
 # Fax Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.26 NAME 'goFaxServer' SUP top AUXILIARY
-	DESC 'Fax server description (v2.6.1)'
+	DESC 'Fax server description (v2.7)'
 	MUST ( cn $ goFaxAdmin $ goFaxPassword )
 	MAY  ( description $ goFaxServerStatus ))
 
 # Common server class
 objectclass (1.3.6.1.4.1.10098.1.2.1.27 NAME 'goServer' SUP top AUXILIARY
-	DESC 'Server description (v2.6.1)'
+	DESC 'Server description (v2.7)'
 	MUST ( cn )
 	MAY  ( description $ macAddress $ ipHostNumber ))
 
 # LogDB Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.28 NAME 'goLogDBServer' SUP top AUXILIARY
-	DESC 'Log DB server description (v2.6.1)'
+	DESC 'Log DB server description (v2.7)'
 	MUST ( cn $ gosaLogDB $ goLogAdmin $ goLogPassword )
 	MAY  ( goLogDBServerStatus ))
 
 # Fon Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.29 NAME 'goFonServer' SUP top AUXILIARY
-        DESC 'Fon server description (v2.6.1)'
+        DESC 'Fon server description (v2.7)'
         MUST ( cn $ goFonAdmin $ goFonPassword $ goFonAreaCode $ goFonCountryCode )
         MAY  ( description $ goFonServerStatus ))
 
 # Share Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.33 NAME 'goShareServer' SUP top AUXILIARY
-	DESC 'Share server description (v2.6.1)'
+	DESC 'Share server description (v2.7)'
 	MUST ( cn )
 	MAY  ( description $ goExportEntry $ goShareServerStatus ))
 
 # Mail Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.36 NAME 'goMailServer' SUP top AUXILIARY
-	DESC 'Mail server definition (v2.6.1)'
+	DESC 'Mail server definition (v2.7)'
 	MUST ( cn )
 	MAY  ( description $ goMailServerStatus $ postfixHeaderSizeLimit $
 	       postfixMailboxSizeLimit $ postfixMessageSizeLimit $
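Review bot: `goFontPath` is added to the MAY list of goTerminalServer, but no attributetype for it appears in this diff; slapd rejects an objectclass that references an undefined attribute, so verify the attribute is defined earlier in goserver.schema (or in a schema loaded before it) in the bullseye package.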
@@ -562,20 +562,20 @@
 
 # Glpi Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.37 NAME 'goGlpiServer' SUP top AUXILIARY
-	DESC 'Glpi server definition (v2.6.1)'
+	DESC 'Glpi server definition (v2.7)'
 	MUST ( cn $ goGlpiAdmin $ goGlpiDatabase)
 	MAY  ( description $ goGlpiPassword $ goGlpiServerStatus ) )
 
 # Spamassassin definitions
 objectclass (1.3.6.1.4.1.10098.1.2.1.38 NAME 'goSpamServer' SUP top AUXILIARY
-	DESC 'Spam server definition (v2.6.1)'
+	DESC 'Spam server definition (v2.7)'
 	MUST ( cn )
 	MAY  ( saRewriteHeader $ saTrustedNetworks $ saRequiredScore $ saFlags $
 	       saRule $ saStatus ) )
 
 # Clamav definitions
 objectclass (1.3.6.1.4.1.10098.1.2.1.39 NAME 'goVirusServer' SUP top AUXILIARY
-	DESC 'Virus server definition (v2.6.1)'
+	DESC 'Virus server definition (v2.7)'
 	MUST ( cn )
 	MAY  ( avMaxThreads $ avMaxDirectoryRecursions $ avUser $ avFlags $
                avArchiveMaxFileSize $ avArchiveMaxRecursion $ avArchiveMaxCompressionRatio $
@@ -583,12 +583,12 @@
 
 # LogDB Server description
 objectclass (1.3.6.1.4.1.10098.1.2.1.40 NAME 'gosaLogServer' SUP top AUXILIARY
-	DESC 'GOsa log server (v2.6)'
+	DESC 'GOsa log server (v2.7)'
 	MUST ( cn $ goLogDB $ goLogDBUser $ goLogDBPassword ))
 
 # Environment Server
 objectclass (1.3.6.1.4.1.10098.1.2.1.41 NAME 'goEnvironmentServer' SUP top AUXILIARY
-	DESC 'Environment server definition (v2.6)'
+	DESC 'Environment server definition (v2.7)'
 	MUST ( cn )
 	MAY  ( gotoKioskProfile ) )
 
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosystem.schema debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosystem.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/gosystem.schema	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/gosystem.schema	2022-03-21 15:18:05.000000000 +0100
@@ -333,7 +333,7 @@
 
 # objectclass for Hardware definitions
 objectclass (1.3.6.1.4.1.10098.1.2.1.3 NAME 'GOhard'
-        DESC 'Gonicus Hardware definitions, objectclass (v2.6.1)' SUP top STRUCTURAL
+        DESC 'Gonicus Hardware definitions, objectclass (v2.7)' SUP top STRUCTURAL
         MUST ( cn )
         MAY ( ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
               macAddress $ ghUsbSupport $ ghMemSize $ ghCpuType $ ghInventoryNumber $
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto-mime.schema debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto-mime.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto-mime.schema	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto-mime.schema	2022-03-21 15:18:05.000000000 +0100
@@ -40,7 +40,7 @@
 #  E: show in external viewer
 #  O: take settings from global mime group
 #  These fields are taken as OR. Additionally you can add a
-#  Q: to ask wether a question should pop up - to save it to
+#  Q: to ask whether a question should pop up - to save it to
 #     the local disc or not.
 attributetype ( 1.3.6.1.4.1.10098.1.1.14.5 NAME 'gotoMimeLeftClickAction'
         DESC 'GOto - Gonicus Terminal Concept, PPD data'
@@ -54,7 +54,7 @@
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 SINGLE-VALUE)
 
 objectclass (1.3.6.1.4.1.10098.1.2.4.1 NAME 'gotoMimeType'
-        DESC 'Class to represent global mime types (v2.6.1)' SUP top STRUCTURAL
+        DESC 'Class to represent global mime types (v2.7)' SUP top STRUCTURAL
         MUST ( cn $ gotoMimeFilePattern $ gotoMimeGroup )
         MAY  ( description $ gotoMimeIcon $ gotoMimeApplication $
 	       gotoMimeEmbeddedApplication $ gotoMimeLeftClickAction ))
diff -Nru debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto.schema debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto.schema
--- debian-edu-config-2.11.56+deb11u3/ldap-schemas/goto.schema	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/ldap-schemas/goto.schema	2022-03-21 15:18:05.000000000 +0100
@@ -89,32 +89,32 @@
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
 
 objectclass (1.3.6.1.4.1.10098.1.2.1.1 NAME 'gotoTerminal'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
         MUST ( cn )
         MAY  ( description $ macAddress $ ipHostNumber $ gotoShare $ goFonHardware ))
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.30 NAME 'gotoWorkstation'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
         MUST ( cn )
         MAY  ( description $ macAddress $ ipHostNumber $ gotoShare $ goFonHardware ))
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter'
-	DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.2)' SUP top STRUCTURAL
+	DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top STRUCTURAL
 	MUST ( cn )
 	MAY ( labeledURI $ description $ l $ gotoPrinterPPD $ macAddress $ ipHostNumber $ gotoUserPrinter $
 		  gotoUserAdminPrinter $ gotoGroupPrinter $ gotoGroupAdminPrinter ) )
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.32 NAME 'gotoEnvironment'
-	DESC 'GOto - contains environment settings (v2.2)' SUP top AUXILIARY
+	DESC 'GOto - contains environment settings (v2.7)' SUP top AUXILIARY
 	MAY ( gotoProfileServer $ gotoProfileFlags $ gotoXResolution $ gotoShare $ gotoLogonScript $
 		  gotoKioskProfile $ gotoHotplugDevice $ gotoProfileQuota $ gotoHotplugDeviceDN ) )
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.34 NAME 'gotoWorkstationTemplate'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
         MUST ( cn )
         MAY  ( description $ gotoShare $ goFonHardware $
 	       ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
@@ -131,7 +131,7 @@
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.35 NAME 'gotoTerminalTemplate'
-        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.6.1)' SUP top AUXILIARY
+        DESC 'GOto - Gonicus Terminal Concept, objectclass (v2.7)' SUP top AUXILIARY
         MUST ( cn )
         MAY  ( description $ gotoShare $ goFonHardware $
 	       ghGfxAdapter $ ghNetNic $ ghSoundAdapter $ ghIdeDev $ ghScsiDev $
@@ -148,7 +148,7 @@
 
 # objectclass for the Terminal Conecept
 objectclass (1.3.6.1.4.1.10098.1.2.1.42 NAME 'gotoDevice'
-	DESC 'GOto - contains environment settings (v2.6)' SUP top STRUCTURAL
+	DESC 'GOto - contains environment settings (v2.7)' SUP top STRUCTURAL
 	MUST ( cn )
 	MAY ( gotoHotplugDevice $ description ) )
 
diff -Nru debian-edu-config-2.11.56+deb11u3/Makefile debian-edu-config-2.11.56+deb11u4/Makefile
--- debian-edu-config-2.11.56+deb11u3/Makefile	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/Makefile	2022-03-23 12:26:34.000000000 +0100
@@ -309,6 +309,7 @@
 		share/debian-edu-config/tools/squid-update-cachedir \
 		share/debian-edu-config/tools/subnet-change \
 		share/debian-edu-config/tools/update-cert-dbs \
+		share/debian-edu-config/tools/update-dlw-krb5-keytabs \
 		share/debian-edu-config/tools/update-firefox-homepage \
 		share/debian-edu-config/tools/update-chromium-homepage \
 		share/debian-edu-config/tools/update-proxy-from-wpad \
diff -Nru debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-pxeinstall debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-pxeinstall
--- debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-pxeinstall	2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-pxeinstall	2022-03-21 15:18:05.000000000 +0100
@@ -64,7 +64,7 @@
 [ "$mydesktop" ]  || mydesktop=xfce
 [ "$graphicdi" ]  || graphicdi=false
 [ "$dailydi" ]    || dailydi=false
-[ "$theme" ]      || theme="$(ls -L /etc/alternatives/desktop-theme/plymouth | grep script | cut -d'.' -f 1)"
+[ "$theme" ]      || theme="$(ls -L /etc/alternatives/desktop-theme/plymouth 2>/dev/null | grep script | cut -d'.' -f 1)"
 # Not hardcoded to allow PXE installation of a main-server without a
 # proxy set
 #[ "$http_proxy" ] || http_proxy=http://webcache:3128
@@ -268,7 +268,7 @@
 
 # Based upon locale, keymap and desktop values used during main-server installation; auto URL added.
 :$arch
-set params auto url=http://www/debian-edu-install.dat hostname=$hostname domain=$domain $installconfig $gtkvideo --- quiet ipappend 2
+set params auto url=http://www/debian-edu-install.dat hostname=$hostname domain=$domain $installconfig $gtkvideo --- quiet
 kernel /debian-installer/$arch/linux initrd=initrd.gz \${params}
 initrd /debian-installer/$arch/initrd.gz
 boot || goto failed
diff -Nru debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-update-netblock debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-update-netblock
--- debian-edu-config-2.11.56+deb11u3/sbin/debian-edu-update-netblock	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/sbin/debian-edu-update-netblock	2022-02-11 21:40:55.000000000 +0100
@@ -55,7 +55,7 @@
     modprobe ip_tables
     modprobe iptable_filter
 
-    filterfile=$(tempfile)
+    filterfile=$(mktemp)
 
     # We are the only filter firewall that should be in operation,
     # so we flush all existing rules first.  ... add others after
diff -Nru debian-edu-config-2.11.56+deb11u3/sbin/update-hostname-from-ip debian-edu-config-2.11.56+deb11u4/sbin/update-hostname-from-ip
--- debian-edu-config-2.11.56+deb11u3/sbin/update-hostname-from-ip	2020-01-30 17:34:29.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/sbin/update-hostname-from-ip	2022-03-23 11:33:39.000000000 +0100
@@ -14,6 +14,10 @@
 
 DNSDOMAIN=intern
 
+### IMPORTANT: We don't want this script to fail with a non-zero exitcode.
+###            All problems should be reported as warnings, not errors.
+###            See https://bugs.debian.org/1006604 for details.
+
 log() {
     $QUIET "$2"
     logger -t update-hostname-from-ip "$1"
@@ -56,8 +60,8 @@
 	echo $hostname > /etc/hostname
 	log "info: changing hostname to $hostname based on $namesource"
     else
-	log "error: unable to set hostname to $hostname."
-	exit 1
+	log "warning: unable to set hostname to $hostname."
+	return -1
     fi
 }
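Review bot: `return -1` is not portable shell: POSIX `return` takes an unsigned integer, and if /bin/sh is dash the negative value is rejected as an illegal number, turning the branch that the new IMPORTANT comment says must never fail into a fatal error. Use `return 1`, and confirm the caller actually inspects the function's status, otherwise the value is unused.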
 
@@ -108,11 +112,6 @@
 if [ "$IP" ] ; then
     HOSTNAME=$(ip2hostname $IP)
     SOURCE="reverse DNS of $IP"
-elif $USEMAC ; then
-    HOSTNAME=$(ether2hostname $MAC)
-    SOURCE="hardware MAC address"
-else
-    exit 1
 fi
 
 if $USEMAC && [ -z "$HOSTNAME" ] ; then
@@ -123,7 +122,6 @@
 if [ "$HOSTNAME" ]; then
     if $onlyprint ; then
 	echo $HOSTNAME
-	exit 0
     else
         # Already got the correct host name?
         if [ "$HOSTNAME" != "$(uname -n)" ] ; then
@@ -131,7 +129,7 @@
         fi
     fi
 else
-    exit 1
+    log "warning: failed to detect (and set) hostname from IP or MAC address"
 fi
 
 exit 0
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/squid.conf debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/squid.conf
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/squid.conf	2020-01-30 17:34:29.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/squid.conf	2022-03-23 11:27:58.000000000 +0100
@@ -6,6 +6,11 @@
 #  - Appends .intern to hostnames without any dots in them.
 append_domain .intern
 
+# Currently, Debian Edu does not support IPv6 on the internal network
+# thus, we should try to use DNSv4 preferrably for the http proxy.
+# See https://bugs.debian.org/1006375
+dns_v4_first on
+
 # Adjust cache size to fit size of /var/spool/squid, the initial capacity value
 # is dynamically updated using
 # /usr/share/debian-edu-config/tools/squid-update-cachedir
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/clean-up-host-keytabs debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/clean-up-host-keytabs
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/clean-up-host-keytabs	2021-12-21 12:52:57.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/clean-up-host-keytabs	2022-03-23 12:26:34.000000000 +0100
@@ -18,7 +18,7 @@
 # Free Software Foundation, Inc.,
 # 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
 
-# This script cleans up /etc/debian-edu/host-keytabs/. It looks into TJENER's
+# This script cleans up /var/lib/debian-edu/host-keytabs/. It looks into TJENER's
 # LDAP tree (objectClass=dhcpHost) and removes all keytab files (and host
 # principals) that don't have a dhcpHost object (anymore).
 #
@@ -47,12 +47,12 @@
 printf -v hosts_str -- ',,%q' "${hosts[@]}"
 hosts_str=$(echo $hosts_str | tr 'A-Z' 'a-z')
 
-for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
+for i in $(basename -a /var/lib/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
 	match_value=$(echo $i | tr 'A-Z' 'a-z')
 	if [[ ! "${hosts_str},," =~ ",,$match_value,," ]]; then
-		kadmin.local delprinc host/$i.intern@INTERN
-		kadmin.local delprinc nfs/$i.intern@INTERN
-		rm /etc/debian-edu/host-keytabs/$i.intern.keytab
+		kadmin.local delprinc host/$i.intern@INTERN || true
+		kadmin.local delprinc nfs/$i.intern@INTERN || true
+		rm /var/lib/debian-edu/host-keytabs/$i.intern.keytab
 	fi
 done
 
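Review bot: the added `|| true` hides failures of both `kadmin.local delprinc` calls while the `rm` of the keytab still runs, so a host can keep its principals in the KDC but lose its keytab file without anything being logged; at least emit a `logger` warning when delprinc fails. Two pre-existing issues in the same loop are worth fixing while here: with an empty directory the unquoted glob in `basename -a /var/lib/debian-edu/host-keytabs/*` yields a literal `*`, and the unescaped dots in `sed 's#.intern.keytab##'` match any character.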
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/copy-host-keytab debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/copy-host-keytab
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/copy-host-keytab	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/copy-host-keytab	2022-03-23 12:26:34.000000000 +0100
@@ -1,4 +1,4 @@
 #!/bin/sh
 set -e
 kinit
-scp tjener:/etc/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
+scp tjener:/var/lib/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
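Review bot: after `scp ... /etc/krb5.keytab` the mode of the resulting file depends on the source file's permissions and the local umask; add an explicit `chmod 600 /etc/krb5.keytab` so the host key is never left group- or world-readable. Quoting `"$(hostname -s)"` is also good practice, even if short host names rarely contain whitespace.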
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/edu-ldap-from-scratch debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/edu-ldap-from-scratch
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/edu-ldap-from-scratch	2022-01-30 21:44:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/edu-ldap-from-scratch	2022-03-21 20:42:07.000000000 +0100
@@ -53,7 +53,7 @@
 if [ -e /etc/krb5kdc/stash ] ; then
     rm /etc/krb5kdc/stash
     rm /etc/krb5.keyt*
-    rm -f /etc/debian-edu/host-keytabs/*.*
+    rm -f /var/lib/debian-edu/host-keytabs/*.*
 fi
 ldap-debian-edu-install
 # send mail to first user (initialize /var/mail/<first-user uid>);
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-create-host debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-create-host
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-create-host	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-create-host	2022-03-21 20:42:07.000000000 +0100
@@ -33,7 +33,7 @@
 	}
 }
 
-## lookup user and create home directory and principal:
+## lookup host and create host/<host> and nfs/<host> Krb5 principals:
 ldapsearch -xLLL "(&(cn=$HOSTNAME)(|(objectClass=GOHard)(|(objectClass=ipHost))))" \
            cn ipHostNumber macAddress 2>/dev/null  | perl -p00e 's/\r?\n //g' | \
 while read KEY VALUE ; do
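Review bot: the LDAP filter `(&(cn=$HOSTNAME)(|(objectClass=GOHard)(|(objectClass=ipHost))))` contains a redundant nested OR; the new update-dlw-krb5-keytabs script uses the simpler `(|(objectClass=GOHard)(objectClass=ipHost))`, and the two should agree. Since `$HOSTNAME` is interpolated into the filter unescaped, consider validating it against a hostname character class before the lookup, in the spirit of the "malicious execution cannot hurt" note in the gosa-remove-host header.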
@@ -49,15 +49,24 @@
 			    logger -t gosa-create-host -p notice Krb5 principal \'host/$FQDN\' created.
 			    kadmin.local -q "add_principal -policy hosts -randkey nfs/$FQDN"
 			    logger -t gosa-create-host -p notice Krb5 principal \'nfs/$FQDN\' created.
-			    kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
-			    kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
+			    kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
+			    kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
 			    logger -t gosa-create-host -p notice Krb5 keytab file for \'$FQDN\' created.
 			fi
 			;;
 	esac
 done
 
+# During creation of a host, we should ideally call update-dlw-krb5-keytabs
+# here already. However, it is not possible to add a NIS netgroup tab to a
+# GOsa² system before the system object (and the additional DNS bits) has/have
+# been created. So, calling the update-dlw-krb5-keytabs script
+# makes no sense here...
+
+# FIXME: And: it would be really helpful to have POST-action hooks available for
+# NIS netgroups... In case people don't edit hosts individually, but prefer
+# mass-adding hosts to the diskless-workstation-hosts NIS netgroup.
+
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
 
 exit 0
-
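Review bot: the two `ktadd -k /var/lib/debian-edu/host-keytabs/$FQDN.keytab` lines write host and NFS keys into the new directory, but nothing in this diff shows that directory being created with restrictive ownership and mode (the new update-dlw-krb5-keytabs script does `chown root:debian-edu` and `chmod 0710` for its own directory); confirm the packaging creates /var/lib/debian-edu/host-keytabs with the same care. Minor: "has/have been created" in the added comment can simply be "have been created".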
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-modify-host debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-modify-host
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-modify-host	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-modify-host	2022-03-21 20:42:07.000000000 +0100
@@ -7,11 +7,24 @@
 
 HOST="$1"
 
-kadmin.local -q "add_principal -policy hosts -randkey host/$HOST.intern"
-kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab host/$HOST.intern"
-kadmin.local -q "add_principal -policy hosts -randkey nfs/$HOST.intern"
-kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab nfs/$HOST.intern"
-logger -t gosa-modify-host -p notice Krb5 principals and keytab file for host \'$HOST\' created.
+# This is only for kerberizing host entries in LDAP stemming from earlier installations
+# of Debian Edu... Normally, host and service principals should have been created
+# by the gosa-host-create hook script.
+if ! LANG=C kadmin.local -q "get_principal host/$HOST.intern" 2>/dev/null  | grep -q "^Principal: host/$HOST.intern@.*"; then
+	kadmin.local -q "add_principal -policy hosts -randkey host/$HOST.intern"
+	kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab host/$HOST.intern"
+	logger -t gosa-modify-host -p notice Krb5 host principal \'host/$HOST.intern\' created and added to host-specific keytab file.
+fi
+if ! LANG=C kadmin.local -q "get_principal nfs/$HOST.intern" 2>/dev/null  | grep -q "^Principal: nfs/$HOST.intern@.*"; then
+	kadmin.local -q "add_principal -policy hosts -randkey nfs/$HOST.intern"
+	kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab nfs/$HOST.intern"
+	logger -t gosa-modify-host -p notice Krb5 service principal \'nfs/$HOST.intern\' created and added to host-specific keytab file.
+fi
+
+# call DLW keytabs' update script (delay execution for 2s because GOsa² needs
+# to write the NIS netgroup information first (this hook gets called between
+# saving the host object to LDAP, but before updating the NIS netgroup settings).
+( sleep 2; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@} 1>/dev/null 2>/dev/null) &
 
 # update services:
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
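Review bot: the line `( sleep 2; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@} 1>/dev/null 2>/dev/null) &` relies on a fixed two-second delay to win a race against GOsa² writing the NIS netgroup and discards all output, so whenever GOsa² is slower the keytab update is silently skipped; at least log the update script's exit status, or trigger the update from a netgroup post-hook if one becomes available (as the FIXME added to gosa-create-host already suggests). Also the new comment refers to "the gosa-host-create hook script" while the file is named gosa-create-host.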
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove	2022-03-21 15:18:05.000000000 +0100
@@ -29,6 +29,12 @@
 
 PREFIX=/skole
 HOSTNAME=$(hostname -s)
+
+# Obviously a user template was removed. Ignoring.
+echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*/%uid" && exit 0
+
+# An LDAP user that did not have their home at a place we manage with this script
+# has been removed. This should not happen. Exiting with error.
 echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
 
 ## move mail directory to home directory
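Review bot: the guard `echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1` is not anchored at the end and lets `.*` span directory separators, so any home path under $PREFIX/$HOSTNAME that merely contains the user id somewhere passes; anchor it (for example `.*/$USERID$`), and note that `egrep` is deprecated in favour of `grep -E`. The new short-circuit on `/%uid` for user templates is fine, but it should probably log that a template was ignored rather than exit 0 silently.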
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove-host debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove-host
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-remove-host	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-remove-host	2022-03-23 12:26:36.000000000 +0100
@@ -6,7 +6,7 @@
 ## Make sure that malicious execution cannot hurt.
 ##
 ## This script removes the host and nfs principals for hosts removed with gosa.
-## It also removes the host specific keytab file (tjener:/etc/$fqdn.keytab).
+## It also removes the host specific keytab file (tjener:/var/lib/debian-edu/host-keytabs/$fqdn.keytab).
 
 
 HOST="$1"
@@ -16,7 +16,7 @@
     for i in $(kadmin.local listprincs | grep $HOST) ; do
         kadmin.local delprinc $i
     done
-    rm /etc/debian-edu/host-keytabs/$(ls -l /etc/debian-edu/host-keytabs | grep $HOST | awk '{print $9}')
+    rm /var/lib/debian-edu/host-keytabs/$(ls -l /var/lib/debian-edu/host-keytabs | grep $HOST | awk '{print $9}')
     logger -t gosa-remove-host -p notice Krb5 principals and keytab file for host \'$HOST\' removed.
 fi
 #
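Review bot: `grep $HOST` in `for i in $(kadmin.local listprincs | grep $HOST)` is an unanchored substring match, so removing host `pc1` also deletes the principals of `pc10`, `pc11` and so on; match full principal names instead, e.g. `grep -E "^(host|nfs)/$HOST\.intern@"`. The `rm .../$(ls -l ... | grep $HOST | awk '{print $9}')` line has the same substring problem and, when more than one file matches, only the first word receives the directory prefix; since the file name is known, `rm -f /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab` is both simpler and safer.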
@@ -24,4 +24,8 @@
 # update services:
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
 
+# Call DLW keytabs' update script for cleaning up
+# the DLW krb5 keytab collection for this host
+/usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@}
+
 exit 0
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-sync debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-sync
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/gosa-sync	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/gosa-sync	2022-02-11 21:40:55.000000000 +0100
@@ -30,7 +30,7 @@
 ## The new user password is in environment, $USERPASSWORD.
 ## Check if provided password corresponds to hash saved in ldap database:
 
-TMPFILE=$(tempfile)
+TMPFILE=$(mktemp)
 trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
 
 cat <<EOF | tr -d "\n" > "$TMPFILE"
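Review bot: the `trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM` does not include EXIT, so the temporary file, which according to the comment above holds the password being checked against the LDAP hash, survives a normal exit unless it is removed later in the script (not visible in this hunk); adding EXIT to the trap covers every path. Switching to `mktemp` is an improvement in itself since it creates the file with mode 0600.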
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/list-gosa-systems debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/list-gosa-systems
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/list-gosa-systems	2022-01-07 07:41:34.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/list-gosa-systems	1970-01-01 01:00:00.000000000 +0100
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-set -e
-
-# Copyright (C) 2017 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-# FIXME: MAKE THIS MORE GENERIC BEFORE PUSHING!!!!
-
-ldapsearch -xLLL "(&(cn=*)(|(objectClass=ipHost)(objectClass=GOHard)))" \
-    cn ipHostNumber macAddress description 2>/dev/null | perl -p0e 's/\n //g' | \
-while read KEY VALUE ; do
-	case "$KEY" in
-		dn:)
-			HOSTNAME= ; IP= ; MAC= ; DESC= ; DN=${VALUE}
-			OU=$(echo $DN | sed -r -e 's/cn=[^,]+,ou=[^,]+,ou=[^,]+,ou=([^,]+),.*/\1/' | sed -r -e 's/cn=[^,]+,ou=[^,]+,ou=[^,]+,dc=.*/Servers/g')
-		;;
-		cn:) HOSTNAME="${VALUE}";;
-		ipHostNumber:) IP="${VALUE}";;
-		macAddress:) MAC="${VALUE}";;
-		description:) DESC="${VALUE}";;
-		"")
-			if [ -n "$DESC" ]; then DESC="\"${DESC}\""; fi
-			echo "${OU},${HOSTNAME},${IP},${MAC},${DESC}"
-		;;
-	esac
-done
-
-exit 0
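Review bot: the whole list-gosa-systems script is deleted; make sure nothing else in the package or the documentation still calls it and that d/changelog records the removal. Given the "MAKE THIS MORE GENERIC BEFORE PUSHING" FIXME it was never finished, so dropping it from stable is reasonable.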
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-freeradius-server debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-freeradius-server
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-freeradius-server	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-freeradius-server	2022-03-21 15:18:05.000000000 +0100
@@ -28,7 +28,7 @@
 fi
 
 # Check execute permission.
-if [ ! -d $DIRNAME ] && [ $(id -u) > 0 ]; then
+if [ ! -d $DIRNAME ] && [ $(id -u) -gt 0 ]; then
 	echo "Please run $0 as root or use sudo, exiting."
 	exit 0
 fi
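Review bot: the change from `[ $(id -u) > 0 ]` to `-gt` is a real fix: inside `[ ]` the bare `>` was a shell redirection that created a file named `0` in the current directory, and the test degraded to `[ $(id -u) ]`, which is true for root as well. While here, the message "Please run $0 as root or use sudo, exiting." is followed by `exit 0`; a failed precondition should return a non-zero status so callers can detect it.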
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-roaming debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-roaming
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/setup-roaming	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/setup-roaming	2022-03-21 15:18:05.000000000 +0100
@@ -13,7 +13,7 @@
 apt-get install -y host ldap-utils
 
 apt-get install -y libpam-mklocaluser
-apt-get install -y libpam-sss libnss-sss
+apt-get install -y libpam-sss libnss-sss libsss-sudo
 
 # Make sure the NSS module refered below always is installed
 apt-get install -y libnss-myhostname libnss-mdns libnss-ldapd
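Review bot: installing libsss-sudo only takes effect when sssd is configured with the sudo service and `sudoers: files sss` is present in /etc/nsswitch.conf; neither is visible in this diff, so either confirm setup-roaming already handles that or mention it in d/changelog. Unrelated typo in the context line: "refered" should be "referred".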
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-dlw-krb5-keytabs debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-dlw-krb5-keytabs
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-dlw-krb5-keytabs	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-dlw-krb5-keytabs	2022-03-21 15:18:05.000000000 +0100
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+set -e
+
+# Copyright (C) 2016 by Mike Gabriel <mike.gabriel@it-zukunft-schule.de>
+
+# This script is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This script updates the krb5 host keytabs for a list of given hosts
+# in /var/lib/debian-edu/dlw-keytabs for all hosts that are members
+# in the NIS netgroup 'diskless-workstation-hosts'.
+#
+# The host keytab files are stored with read permissions for the
+# debian-edu system user.
+#
+# In a diskless workstation chroot (aka LTSP fat client), make sure
+# that the diskless system can copy over its own host keytab file
+# via
+#
+#     scp debian-edu@tjener.intern:/var/lib/debian-edu/dlw-keytabs/$HOSTNAME.keytab /etc/krb5.keytab
+#
+# This line can be put into /etc/rc.local, for exmample. SSH private
+# and public key files need to be in place correctly to make this
+# work.
+#
+# This provides the possibility to use NFSv4 and Kerberos krb5i
+# authentication from a diskless machine against the NFS server
+# on the Debian Edu mainserver.
+
+DOMAIN="intern"
+
+SPECIAL_USER="debian-edu"
+SPECIAL_GROUP="${SPECIAL_USER}"
+
+DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
+
+# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
+nscd -i netgroup
+DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+
+# Do some sanity checks...
+if [ "$(id -u)" != "0" ]; then
+	echo "ERROR: This script must be run as super-user root"
+	exit 1
+elif ! getent passwd ${SPECIALUSER} 1>/dev/null; then
+	echo "ERROR: This script requires the debian-edu system user account"
+	exit 1
+elif ! getent group ${SPECIAL_GROUP} 1>/dev/null; then
+	echo "ERROR: This script requires the debian-edu system group"
+	exit 1
+elif [ -z "${DLW_HOSTS_NETGROUP}" ]; then
+
+	# FIXME: differentiate between diskless-workstation-hosts not present or empty!
+
+	echo "NOTICE: NIS netgroup 'diskless-workstation-hosts' not found. Nothing to do."
+	exit 0
+fi
+
+DLW_HOSTS=""
+
+# obtain DLW_HOSTS from NIS Netgroup or from the command line
+if [ -z "${1}" ]; then
+	DLW_HOSTS="${DLW_HOSTS_NETGROUP}"
+else
+	logger -t update-dlw-krb5-keytabs -p notice "Called with command line: ${@}"
+
+	while [ -n "${1}" ]; do
+		if echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}.${DOMAIN}"; then
+			DLW_HOSTS="${DLW_HOSTS} ${1}.${DOMAIN}"
+		else
+			echo "WARNING: Host ${1} not a diskless workstation"
+			logger -t update-dlw-krb5-keytabs -p warning "Host '${1}' is not a diskless workstation."
+		fi
+		shift
+	done
+fi
+
+mkdir -p "${DLW_KRB5_KEYTABS_DIR}"
+chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTABS_DIR}"
+chmod 0710 "${DLW_KRB5_KEYTABS_DIR}"
+
+for dlw_host in ${DLW_HOSTS}; do
+
+	DLW_KRB5_KEYTAB="${DLW_KRB5_KEYTABS_DIR}/${dlw_host}.keytab"
+
+	host_found="false"
+	ldap_cn=$(echo ${dlw_host} | cut -d"." -f1)
+
+	ldap_host=""
+
+	while read KEY VALUE; do
+		case "$KEY" in
+			dn:)
+				ldap_host=""
+				;;
+			cn:)
+				ldap_host="$VALUE"
+				if [ "${ldap_host}.${DOMAIN}" = "${dlw_host}" ]; then
+					host_found="true"
+				else
+					continue
+				fi
+
+				if LANG=C kadmin.local -q "get_principal host/${dlw_host}" 2>/dev/null  | grep -q "^Principal: host/${dlw_host}@.*" &&
+				   LANG=C kadmin.local -q "get_principal nfs/${dlw_host}" 2>/dev/null  | grep -q "^Principal: nfs/${dlw_host}@.*" ; then
+
+					kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new host/${dlw_host}"
+					kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new nfs/${dlw_host}"
+
+					chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTAB}.new"
+					chmod 0640 "${DLW_KRB5_KEYTAB}.new"
+					mv -v "${DLW_KRB5_KEYTAB}.new" "${DLW_KRB5_KEYTAB}"
+					cp -av "${DLW_KRB5_KEYTAB}" "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+				else
+					echo "WARNING: Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+					logger -t update-dlw-krb5-keytabs -p warning "Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+				fi
+				break
+				;;
+			*)
+				;;
+		esac
+	done <<< `ldapsearch -xLLL "(&(cn=$ldap_cn)(|(objectClass=GOHard)(objectClass=ipHost)))" cn 2>/dev/null | perl -p00e 's/\r?\n //g'`
+
+	if [ "$host_found" != "true" ]; then
+
+		# if we land here, three things might have happened:
+		#
+		#   1. this script is called from gosa-remove-host (and we need to clean up the keytab file)
+		#   2. this script has been called with a wrong hostname (one that does not exist in LDAP)
+		#   3. this script has found a DLW entry in NIS netgroup 'diskless-workstation-hosts' that
+		#      does not exist in LDAP (any more). Manual tidying up is required in that case.
+
+		if [ -f "${DLW_KRB5_KEYTAB}" ]; then
+			logger -t update-dlw-krb5-keytabs -p info "Cleaning up DLW keytab file of host '${dlw_host}'."
+			rm -v "${DLW_KRB5_KEYTAB}"
+			rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+		elif [ -f "${DLW_KRB5_KEYTAB/.${DOMAIN}/}" ]; then
+			logger -t update-dlw-krb5-keytabs -p info "Cleaning up leftover DLW keytab file of host '${dlw_host}' (without domain part)."
+			rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+		else
+
+			echo "WARNING: Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+			logger -t update-dlw-krb5-keytabs -p warning "Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+
+		fi
+
+	fi
+
+done
+
+# FIXME: count updated files / hosts
+logger -t update-dlw-krb5-keytabs -p notice "Diskless workstation Krb5 keytab files updated."
+
+exit 0
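Review bot: the sanity check `elif ! getent passwd ${SPECIALUSER} 1>/dev/null; then` uses the misspelled variable SPECIALUSER, which is empty, so `getent passwd` runs without a key, enumerates the whole database and always succeeds; the check can never fail. Use `${SPECIAL_USER}` as in the group check below it. Second, with `set -e` the assignment `DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")` aborts the script with status 1 whenever grep matches nothing, so the friendly "Nothing to do" branch further down is unreachable; append `|| true` or test the netgroup separately. Third, `grep -q "${1}.${DOMAIN}"` on the command-line hosts is a substring match (pc1 matches pc10), so anchor it. On the access model, every keytab is readable by the debian-edu user (`chmod 0640` with `root:${SPECIAL_USER}`), so any client holding that user's SSH key can fetch every diskless workstation's host key; a per-host forced command on the key or per-file ownership would limit that exposure.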
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-proxy-from-wpad debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-proxy-from-wpad
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/update-proxy-from-wpad	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/update-proxy-from-wpad	2022-03-23 12:26:34.000000000 +0100
@@ -9,11 +9,11 @@
     logger -t update-proxy-from-wpad "$@"
 }
 
-error() {
-    if [ -t 1 ] ; then # Only print errors when stdout is a tty
-	echo "error: $@"
+warning() {
+    if [ -t 1 ] ; then # Only print warnings when stdout is a tty
+	echo "warning: $@" 1>/dev/stderr
     fi
-    logger -t update-proxy-from-wpad "error: $@"
+    logger -t update-proxy-from-wpad "warning: $@"
 }
 
 append_if_missing() {
@@ -27,6 +27,18 @@
     fi
 }
 
+remove_if_matches() {
+    file="$1"
+    shift
+    regexp="$@"
+    if [ -e "$file" ] ; then
+	if grep -qE "$regexp" "$file" ; then
+	    log "Removing line matching '$regexp' from $file."
+	    sed -i $file -e "/$regexp/d"
+	fi
+    fi
+}
+
 # Update /etc/environment with the current proxy settings extracted
 # from the WPAD file
 update_etc_environment() {
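Review bot: in `remove_if_matches` the call `sed -i $file -e "/$regexp/d"` leaves `$file` unquoted and would break if `$regexp` ever contained a `/`, which is the sed address delimiter; quote the file name and use an alternative delimiter such as `\|$regexp|d`. The current callers pass patterns without slashes, so this is a robustness point rather than a bug today.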
@@ -54,7 +66,7 @@
 # /etc/apt/apt.conf is created by debian-installer if a proxy was used
 # during installation, so we update this file.
 update_apt_conf() {
-    file=/etc/apt/apt.conf
+    file=/etc/apt/apt.conf.d/03debian-edu-config
     touch $file
     chmod a+r $file
     sed -e "s%^Acquire::http::Proxy .*%Acquire::http::Proxy \"$http_proxy\";%" \
@@ -71,7 +83,17 @@
     fi
     append_if_missing $file "Acquire::http::Proxy \"$http_proxy\";"
     append_if_missing $file "Acquire::ftp::Proxy \"$ftp_proxy\";"
-    append_if_missing $file "Acquire::ftp::Proxy \"$https_proxy\";"
+    append_if_missing $file "Acquire::https::Proxy \"$https_proxy\";"
+
+    # Fix main /etc/apt/apt.conf file (which we used until Debian Edu bullseye).
+    #
+    # FIXME: This code portion can be removed in the bookworm+1 release cycle
+    previously_used_file=/etc/apt/apt.conf
+    if [ -e $previously_used_file ]; then
+	remove_if_matches $previously_used_file ".*Acquire::http::Proxy\ .*;"
+	remove_if_matches $previously_used_file ".*Acquire::ftp::Proxy\ .*;"
+	remove_if_matches $previously_used_file ".*Acquire::https::Proxy\ .*;"
+    fi
 }
 
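Review bot: the replaced line wrote `Acquire::ftp::Proxy` with the value of `$https_proxy`, so HTTPS apt traffic was never routed through the proxy and a duplicate ftp entry was appended; this is a user-visible bug fix and deserves its own d/changelog entry. The cleanup of the old /etc/apt/apt.conf only deletes the three Acquire proxy lines, which is appropriately narrow.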
 if [ -r /etc/debian-edu/config ] ; then
@@ -81,9 +103,14 @@
 # Make sure to fetch the wpad file without proxy settings, to behave
 # like browsers who need to get their proxy settings without using a
 # proxy.
-http_proxy=
+http_proxy=$(/usr/share/debian-edu-config/tools/wpad-extract 2>/dev/null || true)
+
+if [ -z "$http_proxy" ]; then
+
+	warning "Failed to extract proxy host from WPAD data. Not configuring proxy usage."
+
+else
 
-. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null || exit 1
 ftp_proxy=$http_proxy
 https_proxy=$http_proxy
 
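Review bot: the comment above still says the WPAD file must be fetched without proxy settings, but the old `http_proxy=` reset is gone and `http_proxy=$(/usr/share/debian-edu-config/tools/wpad-extract ...)` runs wpad-extract with whatever http_proxy the environment already carries (for example from /etc/environment written by an earlier run); clear it for the child, e.g. `http_proxy=$(http_proxy= /usr/share/debian-edu-config/tools/wpad-extract 2>/dev/null || true)`.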
@@ -96,3 +123,4 @@
 else
     update_etc_environment
 fi
+fi
diff -Nru debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/wpad-extract debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/wpad-extract
--- debian-edu-config-2.11.56+deb11u3/share/debian-edu-config/tools/wpad-extract	2020-01-30 17:34:29.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/share/debian-edu-config/tools/wpad-extract	2022-03-23 11:36:06.000000000 +0100
@@ -13,8 +13,7 @@
             -u http://130.89.148.14 | awk '{print $2}' | cut -d';' -f1)
 
 if [ "$proxy_url" ]; then
-    http_proxy=http://$proxy_url
-    echo http_proxy=$http_proxy
+	echo "http://$proxy_url";
 else
-    return 1
+	exit 1
 fi
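Review bot: changing `return 1` to `exit 1` is correct now that the script is executed rather than sourced, but any remaining caller that still does `. /usr/share/debian-edu-config/tools/wpad-extract` will have its own shell terminated; the two callers in this diff were converted, so grep the rest of the package for other sourcing uses. The trailing `;` after `echo "http://$proxy_url"` is unnecessary.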
diff -Nru debian-edu-config-2.11.56+deb11u3/testsuite/postoffice debian-edu-config-2.11.56+deb11u4/testsuite/postoffice
--- debian-edu-config-2.11.56+deb11u3/testsuite/postoffice	2022-02-04 13:18:16.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/testsuite/postoffice	2022-02-11 21:40:55.000000000 +0100
@@ -42,7 +42,7 @@
 
 EOF
 
-tmpfile=$(tempfile)
+tmpfile=$(mktemp)
 smtpserver=postoffice.intern
 if swaks --to postmaster@postoffice.intern --server $smtpserver > $tmpfile; then
     echo "success: $0: SMTP to $smtpserver worked, email to postmaster sent."
diff -Nru debian-edu-config-2.11.56+deb11u3/testsuite/webcache debian-edu-config-2.11.56+deb11u4/testsuite/webcache
--- debian-edu-config-2.11.56+deb11u3/testsuite/webcache	2020-01-30 17:34:29.000000000 +0100
+++ debian-edu-config-2.11.56+deb11u4/testsuite/webcache	2022-03-23 11:36:06.000000000 +0100
@@ -69,8 +69,8 @@
     # Subshell to avoid leaking http_proxy and ftp_proxy variables to
     # the rest of this script
     (
-	. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null
-	if [ "$http_proxy" ] ; then
+	http_proxy=$(/usr/share/debian-edu-config/tools/wpad-extract 2>/dev/null || true)
+	if [ -n "$http_proxy" ] ; then
 	    echo "success: $0: WPAD file '$url' includes HTTP proxy info."
 	else
 	    echo "error: $0: WPAD file '$url' is missing HTTP proxy info. (#644373?)"
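Review bot: in a testsuite script `2>/dev/null || true` hides the reason wpad-extract failed, so a broken WPAD file only surfaces as the generic "missing HTTP proxy info" error; consider capturing stderr into the error message instead of discarding it.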
