
Bug#1051841: debian-edu-testsuite reports errors



On Thu, 14 Sep 2023 10:57:32 +0200 Petter Reinholdtsen <pere@hungry.com> wrote:
> [Guido Berhoerster]
> >> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is enabled
> >
> > /etc/pam.d/common-auth contains:
> >
> >     …
> >     auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
> >     auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
> >     auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
> >     …
> >
> > So PAM tries them in the given order until one succeeds, I'm not sure
> > what is wrong with that. The git history of testsuite/ldap-client is
> > not helpful either why this was added.
> 
> The pam_ldap.so line should be removed.  LDAP authentication sends
> the password over to the LDAP server for verification, hopefully via a
> TLS channel, allowing a rogue server to collect user passwords, while
> Kerberos only sends an encrypted timestamp to the server.  Because of
> this Debian Edu does not want LDAP authentication enabled, and uses
> Kerberos exclusively over the network.

OK, digging into history shows that this has been a problem before
(#591773), which had a workaround via cfengine. However, that was removed
in
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/3a2cb02332e0dea3bb1dae1847de1a7fe542b1c6
well before bullseye, and in bullseye libpam-ldapd does not get pulled in
on non-roaming installs.

The dependency chain in bookworm is education-networked-common -> nslcd
-> libpam-ldapd, and nslcd still has "libpam-ldapd | libpam-ldap |
libpam-krb5 | libpam-heimdal | libpam-sss", but
education-networked-common also directly recommends libpam-ldapd, which
seems to be the culprit.

The following commit introduced the dependency:

https://salsa.debian.org/debian-edu/debian-edu/-/commit/16307694c2a24b13a5a910c7cbcacafc8bf6abec


> >> error: ./rdp-server: xrdp service is not listening on 3389/tcp.'
> >
> > This can probably be ignored as I have set up FAI on top of my LTSP
> > setup.
> 
> I do not understand what you mean here.  How is this relevant?

It's a quirk on my local system, I shouldn't have included it in the
report.

-- 
Guido Berhoerster

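The following is an added example, not code from the bug report or from debian-edu-config. It reproduces the ldap-client testsuite rule discussed above (exactly one of pam_krb5, pam_ldap and pam_sss may be enabled in common-auth) and walks Linux-PAM's [success=N default=ignore] jump logic to show which modules actually get handed the password, which is the reason the pam_ldap.so line is a problem: when pam_krb5 and pam_unix both fail, pam_ldap.so runs with use_first_pass and forwards the password to the LDAP server. Both sample stacks are constructed here; the first mirrors the lines quoted in the report, the second has the pam_ldap.so line removed with the jump counts adjusted. The simulator only models the control values Debian's common-auth uses (the bracketed success=N form, requisite, required, sufficient), not the full Linux-PAM control language.

```python
"""Check a PAM common-auth stack the way the debian-edu testsuite's
ldap-client test does (exactly one of pam_krb5, pam_ldap and pam_sss may
be enabled) and walk Linux-PAM's [success=N default=ignore] jumps to show
which modules get handed the password.  Added example, not code from the
bug report or from debian-edu-config; the sample stacks are constructed."""
import re

# Module -> short name used in the testsuite's error message
NETWORK_AUTH = {"pam_krb5.so": "krb5", "pam_ldap.so": "ldap", "pam_sss.so": "sss"}

# Constructed sample mirroring the common-auth lines quoted in the report
BROKEN_STACK = """\
# /etc/pam.d/common-auth (constructed sample, bookworm with libpam-ldapd)
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Constructed sample with the pam_ldap.so line removed; the jump counts
# shrink by one because there is one module less to skip
FIXED_STACK = """\
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

LINE_RE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_auth_stack(text):
    """Return (control, module, args) for every non-comment 'auth' line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            control, module, args = m.groups()
            entries.append((control, module, args.split()))
    return entries


def enabled_network_auth(text):
    """Short names of the network auth modules present in the stack."""
    return sorted({NETWORK_AUTH[mod] for _, mod, _ in parse_auth_stack(text)
                   if mod in NETWORK_AUTH})


def check_single_network_auth(text):
    """The testsuite's rule: exactly one of krb5/ldap/sss may be enabled."""
    mods = enabled_network_auth(text)
    return len(mods) == 1, mods


def modules_consulted(text, succeeds):
    """Walk the stack and return the modules that actually run, i.e. the
    ones that see the password, when `succeeds` is the set of modules that
    would accept it.  Models [success=N default=ignore], requisite,
    required and sufficient, which is all Debian's common-auth uses."""
    entries = parse_auth_stack(text)
    consulted, i = [], 0
    while i < len(entries):
        control, module, _ = entries[i]
        consulted.append(module)
        # pam_permit always succeeds and pam_deny always fails
        ok = module == "pam_permit.so" or (
            module != "pam_deny.so" and module in succeeds)
        jump = 0
        m = re.match(r"\[success=(\d+) default=ignore\]", control)
        if m:
            if ok:                      # skip the next N modules
                jump = int(m.group(1))
        elif control == "requisite" and not ok:
            break                       # pam_deny ends the stack with failure
        elif control == "sufficient" and ok:
            break
        i += 1 + jump
    return consulted


if __name__ == "__main__":
    for name, stack in (("broken", BROKEN_STACK), ("fixed", FIXED_STACK)):
        ok, mods = check_single_network_auth(stack)
        print(f"{name}: {'ok' if ok else 'error'}: network auth modules {mods}")
        # A wrong password (nothing succeeds) shows which modules are tried
        print(f"{name}: on failure the password reaches "
              f"{modules_consulted(stack, set())}")
```

Run it against a real file by replacing the constructed strings with the contents of /etc/pam.d/common-auth. With the broken stack, a failed Kerberos and Unix login still reaches pam_ldap.so before pam_deny.so, so the password leaves the host; with the pam_ldap.so line removed, the stack ends at pam_deny.so after pam_unix.so and only the Kerberos pre-authentication exchange goes over the network.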