Bug#1002018: debian-edu-config: provide means to deploy a proper krb5.keytab to diskless workstations
Control: close -1
Control: fixed -1 2.12.16

Hi,

On Tue 21 Dec 2021 15:15:29 CET, Mike Gabriel wrote:

Hi all, hi esp. Wolfgang,

On Mon 20 Dec 2021 15:22:26 CET, Mike Gabriel wrote:

Package: debian-edu-config
Severity: wishlist
Version: 2.12.14

On a Debian Edu 11 network, NFS home mounts are only allowed via NFSv4 + sec=krb5i. For this, the user and the host need to acquire a valid Kerberos ticket.

While the user can acquire their ticket via login (pam_krb5.so), the host needs to obtain two tickets (a host and a service ticket) elsewhere. This is normally done via two key entries in /etc/krb5.keytab.

Those host / service key entries are tied to the hostname of the machine, which is problematic on diskless machines (because the same system (chroot / squashfs image) can be used on several hosts on the network, with different hostnames).

The idea here is to deploy a specific (optional) hack on the Debian Edu network that will allow us to boot diskless workstations with support for NFSv4 and krb5i.

The outline of the idea is this:

 * add a "diskless-workstation-hosts" NIS netgroup to LDAP
 * let the admins put all their DLW hosts into that NIS netgroup
 * on host modification, gosa-modify-host will update a file e.g.
   /var/lib/debian/krb5.keytab_dlw; this file contains all
   host/<client> and nfs/<client> principal keys for all known
   diskless workstations
 * on DLW boot, root@DLW will be able to SSH into tjener (as
   unprivileged user with access to /var/lib/debian/krb5.keytab_dlw)
   and copy that file onto the DLW as /etc/krb5.keytab at runtime.
 * on the DLW some more permission adjustments are required (root:root,
   0600 for /etc/krb5.keytab)
 * with this, NFS krb5i should work on DLWs just fine and we don't
   expose any information to non-root users on the network

light+love
Mike

I have the above approach up and running and it works like a charm.

Finally, we (Debian Edu, my customers) have krb5i based NFS homes for DLWs!!!

I forgot to close this bug with upload of d-e-c 2.12.16. I will add the closure post upload to d/changelog.

In d/changelog, these changes in release 2.12.16 resolve this issue:

  * Support krb5i on Diskless Workstations (aka LTSP FAT Clients):
    - ldap-bootstrap/netgroup.ldif: Add diskless-workstation-hosts NIS netgroup
      during LDAP bootstrap.
    - debian/debian-edu-config.{postinst,postrm}: Create non-privileged
      debian-edu system user account on Debian Edu mainserver (for distribution
      of host keytabs to diskless workstations aka LTSP fat clients).
    - share/debian-edu-config/tools/: Add new update-dlw-krb5-keytabs script and
      call it (with delay) from gosa-modify-host and gosa-remove-host hook
      scripts.
    - (Closes: #613167).

Greets,
Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
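As an added example, not part of this bug report and not debian-edu-config's own tooling: a boot-time script for the DLW side of the scheme outlined above. It assumes key-based SSH from root@DLW to the unprivileged `debian-edu` account on tjener (the account 2.12.16 creates), that `klist` is installed on the DLW, and that the shared keytab carries host/<fqdn> and nfs/<fqdn> entries for this machine; it refuses to install a keytab that lacks them, so a stale or mis-generated keytab fails loudly instead of breaking NFS mounts silently.

```shell
#!/bin/sh
# Fetch the shared DLW keytab from tjener and install it as /etc/krb5.keytab
# with root:root 0600, but only if it contains this host's own principals.
# Assumed (not from the bug report): the SSH user name and key-based auth.
set -eu

TJENER_USER="debian-edu"                    # assumed unprivileged account
TJENER_HOST="tjener"
REMOTE_KEYTAB="/var/lib/debian/krb5.keytab_dlw"
LOCAL_KEYTAB="/etc/krb5.keytab"

# Read `klist -k` output on stdin; succeed only if both host/<fqdn>@REALM and
# nfs/<fqdn>@REALM are listed. Pure text check, so it is testable offline.
keytab_has_host_principals() {
    fqdn="$1"
    # klist -k prints "KVNO Principal" rows; keep rows whose first field is numeric
    principals=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    echo "$principals" | grep -q "^host/${fqdn}@" || return 1
    echo "$principals" | grep -q "^nfs/${fqdn}@"  || return 1
    return 0
}

install_dlw_keytab() {
    umask 077                                 # temp copy is root-only from the start
    tmp=$(mktemp /run/krb5.keytab_dlw.XXXXXX)
    trap 'rm -f "$tmp"' EXIT
    scp -q "${TJENER_USER}@${TJENER_HOST}:${REMOTE_KEYTAB}" "$tmp"
    fqdn=$(hostname -f)
    if ! klist -k "$tmp" | keytab_has_host_principals "$fqdn"; then
        echo "keytab from ${TJENER_HOST} lacks host/nfs keys for ${fqdn}; not installing" >&2
        return 1
    fi
    # install(1) sets owner, group and mode atomically on the final file
    install -o root -g root -m 0600 "$tmp" "$LOCAL_KEYTAB"
}

# Only do the network part when run under the installed script name.
case "${0##*/}" in
    install-dlw-keytab) install_dlw_keytab ;;
esac
```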
