Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
we'd like to update src:debian-edu-changes in jessie with the following
changes, fixing a number of rather important bugs for Debian Edu. The
debian-edu-config package is also only *used* by Debian Edu itself, so
potential harm is limited on us ;-)
The changelog reads:
debian-edu-config (1.818+deb8u1) jessie; urgency=low
[ Petter Reinholdtsen ]
* Translation updates:
- Updated Brazilian Portuguese translation for debconf questions
(Closes: #785467). Translated by Adriano Rafael Gomes.
[ Mike Gabriel ]
* Add quotes around DNs when evoking kadmin.local in gosa-create and
gosa-create-host. (Closes: #792042).
* debian-edu-fsautoresize: Always use mapper names instead of kernel names
when detecting supported mount points. (Closes: #800651). Thanks
to Wolfgang Schweer and Giorgio Pioda.
* gosa-sync: Test if a given user account actually is a Kerberos account. If
not, don't try to set the Kerberos password for this account. (Closes:
#798435).
* gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000).
* exim4 mainserver configuration: Allow Debian Edu clients on the default
Debian Edu network to directly send mails to the main server (by white-
listing the 10./8 network). This fixes console mailing and system mails
on Debian Edu clients (Closes: #794602).
* Set configVersion="Managed-by-Debian-Edu" in gosa.conf. (Closes: #794189).
This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to be installed on the
main server.
* wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
for hosts being in the .local domain. (Closes: #803911).
* GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These
hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/
unlocking the Kerberos part of user accounts. (Closes: #804207).
* Adapt to a code injection prevention fix in GOsa (starting with Debian
package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the sambaHashHook
parameter in gosa.conf anymore (as hashed passwords now have to be base64
encoded). Already existing gosa.conf files on deployed servers should drop
the sambaHashHook from the gosa.conf file, as well, once gosa is updated to
the above referenced GOsa version.
* CUPS: Do hostname lookups, so https redirects are done to the FQDN of the
CUPS server instead of to its IP address. (Closes: #805402).
* Improve gosa-lock-user, gosa-unlock-user: When logging success/failure,
differentiate between non-existent and non-kerberized accounts.
* Don't create home dir and Kerberos principal for GOsa user template
account. (Closes: #815040).
[ Wolfgang Schweer ]
* Adjust tools/subnet-change for squid3. (Closes: #800654)
* Fix XML syntax error in gosa.conf. (Closes: #820551).
* Add script sbin/debian-edu-nscd-netgroup-cache (workaround for #791562).
-- Holger Levsen <holger@debian.org> Wed, 25 May 2016 00:21:53 +0200
The diffstat is:
$ debdiff debian-edu-config_1.818.dsc debian-edu-config_1.818+deb8u1.dsc | diffstat
Makefile | 3 +
debian/changelog | 49 +++++++++++++++++++++++++
debian/po/pt_BR.po | 31 +++++++++++----
etc/cups/cupsd-debian-edu.conf | 2 -
etc/exim4/exim-ldap-server-v4.conf | 5 +-
etc/gosa/gosa.conf | 9 ++--
ldap-bootstrap/sudo.ldif | 2 +
sbin/debian-edu-fsautoresize | 8 ++++
sbin/debian-edu-nscd-netgroup-cache | 32 ++++++++++++++++
share/debian-edu-config/tools/gosa-create | 4 +-
share/debian-edu-config/tools/gosa-create-host | 2 -
share/debian-edu-config/tools/gosa-lock-user | 48 ++++++++++++++++++++++++
share/debian-edu-config/tools/gosa-sync | 15 +++++++
share/debian-edu-config/tools/gosa-unlock-user | 48 ++++++++++++++++++++++++
share/debian-edu-config/tools/subnet-change | 2 -
www/wpad.dat | 9 +++-
16 files changed, 246 insertions(+), 23 deletions(-)
The full diff is attached. I haven't uploading to jessie yet, should you be
unhappy with a change. I have however prepared the packages for upload.
The changes have been tested by various Debian Edu developers in the
last weeks and months.
Please acceept debian-edu-config/1.818+deb8u1 into jessie.
Thanks for your work on Jessie 8.5!
--
cheers,
Holger
diff -Nru debian-edu-config-1.818/debian/changelog debian-edu-config-1.818+deb8u1/debian/changelog
--- debian-edu-config-1.818/debian/changelog 2015-04-14 19:49:38.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/debian/changelog 2016-05-25 00:24:13.000000000 +0200
@@ -1,3 +1,52 @@
+debian-edu-config (1.818+deb8u1) jessie; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * Translation updates:
+ - Updated Brazilian Portuguese translation for debconf questions
+ (Closes: #785467). Translated by Adriano Rafael Gomes.
+
+ [ Mike Gabriel ]
+ * Add quotes around DNs when evoking kadmin.local in gosa-create and
+ gosa-create-host. (Closes: #792042).
+ * debian-edu-fsautoresize: Always use mapper names instead of kernel names
+ when detecting supported mount points. (Closes: #800651). Thanks
+ to Wolfgang Schweer and Giorgio Pioda.
+ * gosa-sync: Test if a given user account actually is a Kerberos account. If
+ not, don't try to set the Kerberos password for this account. (Closes:
+ #798435).
+ * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000).
+ * exim4 mainserver configuration: Allow Debian Edu clients on the default
+ Debian Edu network to directly send mails to the main server (by white-
+ listing the 10./8 network). This fixes console mailing and system mails
+ on Debian Edu clients (Closes: #794602).
+ * Set configVersion="Managed-by-Debian-Edu" in gosa.conf. (Closes: #794189).
+ This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to be installed on the
+ main server.
+ * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
+ for hosts being in the .local domain. (Closes: #803911).
+ * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These
+ hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/
+ unlocking the Kerberos part of user accounts. (Closes: #804207).
+ * Adapt to a code injection prevention fix in GOsa (starting with Debian
+ package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the sambaHashHook
+ parameter in gosa.conf anymore (as hashed passwords now have to be base64
+ encoded). Already existing gosa.conf files on deployed servers should drop
+ the sambaHashHook from the gosa.conf file, as well, once gosa is updated to
+ the above referenced GOsa version.
+ * CUPS: Do hostname lookups, so https redirects are done to the FQDN of the
+ CUPS server instead of to its IP address. (Closes: #805402).
+ * Improve gosa-lock-user, gosa-unlock-user: When logging success/failure,
+ differentiate between non-existent and non-kerberized accounts.
+ * Don't create home dir and Kerberos principal for GOsa user template
+ account. (Closes: #815040).
+
+ [ Wolfgang Schweer ]
+ * Adjust tools/subnet-change for squid3. (Closes: #800654)
+ * Fix XML syntax error in gosa.conf. (Closes: #820551).
+ * Add script sbin/debian-edu-nscd-netgroup-cache (workaround for #791562).
+
+ -- Holger Levsen <holger@debian.org> Wed, 25 May 2016 00:21:53 +0200
+
debian-edu-config (1.818) unstable; urgency=high
[ Holger Levsen ]
diff -Nru debian-edu-config-1.818/debian/po/pt_BR.po debian-edu-config-1.818+deb8u1/debian/po/pt_BR.po
--- debian-edu-config-1.818/debian/po/pt_BR.po 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/debian/po/pt_BR.po 2016-05-18 19:44:48.000000000 +0200
@@ -5,14 +5,16 @@
#
# Priscila Gutierres <priscila.gutierres@gmail.com>, 2007.
# Felipe Augusto van de Wiel (faw) <faw@debian.org>, 2008.
+# Albino B Neto (binoanb) <binoanb@binoanb.eti.br>, 2013.
+# Adriano Rafael Gomes <adrianorg@arg.eti.br>, 2014-2015.
#
msgid ""
msgstr ""
-"Project-Id-Version: debian-edu-config_0.409_templates\n"
+"Project-Id-Version: debian-edu-config 1.818\n"
"Report-Msgid-Bugs-To: debian-edu-config@packages.debian.org\n"
"POT-Creation-Date: 2013-05-22 15:09+0200\n"
-"PO-Revision-Date: 2008-10-09 22:48-0300\n"
-"Last-Translator: Felipe Augusto van de Wiel (faw) <faw@debian.org>\n"
+"PO-Revision-Date: 2015-05-16 14:07-0300\n"
+"Last-Translator: Adriano Rafael Gomes <adrianorg@arg.eti.br>\n"
"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
"org>\n"
"Language: pt_BR\n"
@@ -47,7 +49,7 @@
#. Description
#: ../debian-edu-config.templates:4001
msgid "Enter the Kerberos KDC master key:"
-msgstr ""
+msgstr "Digite a chave principal Kerberos KDC:"
#. Type: password
#. Description
@@ -57,6 +59,9 @@
"You can use your root password or type something else. Make sure you "
"remember the password."
msgstr ""
+"Uma senha é necessária como chave principal do Kerberos e para todos os "
+"padrões principais. Você pode usar a sua senha de root ou digitar outra. "
+"Tenha certeza de que você se lembra da senha."
#. Type: password
#. Description
@@ -64,7 +69,7 @@
#. Description
#: ../debian-edu-config.templates:4001 ../debian-edu-config.templates:9001
msgid "Note that you will not be able to see the password as you type it."
-msgstr ""
+msgstr "Note que não será possível ver a senha enquanto você a digita."
#. Type: password
#. Description
@@ -72,7 +77,7 @@
#. Description
#: ../debian-edu-config.templates:5001 ../debian-edu-config.templates:10001
msgid "Re-enter password to verify:"
-msgstr ""
+msgstr "Digite novamente a senha para verificação:"
#. Type: password
#. Description
@@ -83,6 +88,8 @@
"Please enter the same password again to verify that you have typed it "
"correctly."
msgstr ""
+"Por favor, digite a mesma senha novamente para verificar se você a digitou "
+"corretamente."
#. Type: error
#. Description
@@ -90,7 +97,7 @@
#. Description
#: ../debian-edu-config.templates:6001 ../debian-edu-config.templates:11001
msgid "Password input error"
-msgstr ""
+msgstr "Erro ao digitar a senha"
#. Type: error
#. Description
@@ -99,6 +106,7 @@
#: ../debian-edu-config.templates:6001 ../debian-edu-config.templates:11001
msgid "The two passwords you entered were not the same. Please try again."
msgstr ""
+"As duas senhas que você digitou não são iguais. Por favor, tente novamente."
#. Type: error
#. Description
@@ -106,7 +114,7 @@
#. Description
#: ../debian-edu-config.templates:7001 ../debian-edu-config.templates:12001
msgid "Empty password"
-msgstr ""
+msgstr "Senha em branco"
#. Type: error
#. Description
@@ -117,12 +125,14 @@
"You entered an empty password, which is not allowed. Please choose a non-"
"empty password."
msgstr ""
+"Você digitou uma senha em branco, o que não é permitido. Por favor, escolha "
+"uma senha que não seja em branco."
#. Type: password
#. Description
#: ../debian-edu-config.templates:9001
msgid "Enter the LDAP super-admin password:"
-msgstr ""
+msgstr "Digite a senha do super-admin do LDAP:"
#. Type: password
#. Description
@@ -132,3 +142,6 @@
"You can use your root password or type something else. Make sure you "
"remember the password."
msgstr ""
+"Uma senha é usada como senha inicial para o usuário super-admin do GOsa². "
+"Você pode usar a sua senha de root ou digitar outra. Tenha certeza de que "
+"você se lembra da senha."
diff -Nru debian-edu-config-1.818/etc/cups/cupsd-debian-edu.conf debian-edu-config-1.818+deb8u1/etc/cups/cupsd-debian-edu.conf
--- debian-edu-config-1.818/etc/cups/cupsd-debian-edu.conf 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/etc/cups/cupsd-debian-edu.conf 2016-05-18 19:44:48.000000000 +0200
@@ -221,7 +221,7 @@
# fully-qualified hostname. This defaults to Off for performance reasons...
#
-#HostNameLookups Off
+HostNameLookups On
#
# KeepAlive: whether or not to support the Keep-Alive connection
diff -Nru debian-edu-config-1.818/etc/exim4/exim-ldap-server-v4.conf debian-edu-config-1.818+deb8u1/etc/exim4/exim-ldap-server-v4.conf
--- debian-edu-config-1.818/etc/exim4/exim-ldap-server-v4.conf 2014-10-12 12:51:32.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/etc/exim4/exim-ldap-server-v4.conf 2016-05-18 19:44:48.000000000 +0200
@@ -192,14 +192,15 @@
# Make sure users can not fake sender address vis SMTP. Reject
# unauthenticated connections and check that the sender is the same
# as the Kerberos ID.
+ accept hosts = :
+ accept hosts = +relay_hosts
+
deny !authenticated = *
message = SMTP server requires authentication. Check your SMTP client configuration.
deny condition = ${if eq{$authenticated_id}{$sender_address_local_part@INTERN}{false}{true}}
message = Sender address $sender_address conflicts with authentication $authenticated_id.
- accept hosts = :
accept domains = +local_domains
- accept hosts = +relay_hosts
deny message = relay not permitted
# ACL that is used after the DATA command
diff -Nru debian-edu-config-1.818/etc/gosa/gosa.conf debian-edu-config-1.818+deb8u1/etc/gosa/gosa.conf
--- debian-edu-config-1.818/etc/gosa/gosa.conf 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/etc/gosa/gosa.conf 2016-05-24 18:00:30.000000000 +0200
@@ -1,5 +1,5 @@
<?xml version="1.0"?>
-<conf configVersion="edb33ed1745798da76048582c2f16a48">
+<conf configVersion="Managed-by-Debian-Edu">
<!-- GOsa menu definition **************************************************
@@ -76,7 +76,9 @@
<pathMenu>
<plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
<plugin acl="users/password:self" class="password"
- postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+ postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"
+ postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user %dn"
+ postunlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-unlock-user %dn" />
</pathMenu>
@@ -387,8 +389,7 @@
debugLevel="0"
passwordMinLength="5"
passwordMinDiffer="2"
- passwordHook=""
- sambaHashHook='perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen %password), $/;"'>
+ passwordHook="">
<!-- Location definition -->
<location name="Debian Edu"
diff -Nru debian-edu-config-1.818/ldap-bootstrap/sudo.ldif debian-edu-config-1.818+deb8u1/ldap-bootstrap/sudo.ldif
--- debian-edu-config-1.818/ldap-bootstrap/sudo.ldif 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/ldap-bootstrap/sudo.ldif 2016-05-18 19:44:48.000000000 +0200
@@ -25,6 +25,8 @@
sudoCommand: /usr/share/debian-edu-config/tools/gosa-remove
sudoCommand: /usr/share/debian-edu-config/tools/gosa-create
sudoCommand: /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-lock-user
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-unlock-user
dn: cn=root,ou=sudoers,dc=skole,dc=skolelinux,dc=no
objectClass: top
diff -Nru debian-edu-config-1.818/Makefile debian-edu-config-1.818+deb8u1/Makefile
--- debian-edu-config-1.818/Makefile 2015-04-14 19:48:30.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/Makefile 2016-05-24 18:00:30.000000000 +0200
@@ -13,6 +13,7 @@
debian-edu-hwsetup \
debian-edu-ltsp \
debian-edu-ltsp-audiodivert \
+ debian-edu-nscd-netgroup-cache \
debian-edu-pxeinstall \
debian-edu-restart-services \
debian-edu-test-install \
@@ -357,9 +358,11 @@
share/debian-edu-config/tools/get-default-homepage \
share/debian-edu-config/tools/gosa-create \
share/debian-edu-config/tools/gosa-create-host \
+ share/debian-edu-config/tools/gosa-lock-user \
share/debian-edu-config/tools/gosa-remove \
share/debian-edu-config/tools/gosa-sync \
share/debian-edu-config/tools/gosa-sync-dns-nfs \
+ share/debian-edu-config/tools/gosa-unlock-user \
share/debian-edu-config/tools/iceweasel-plugin-support \
share/debian-edu-config/tools/kerberos-kdc-init \
share/debian-edu-config/tools/ldap2bind-updatezonelist \
diff -Nru debian-edu-config-1.818/sbin/debian-edu-fsautoresize debian-edu-config-1.818+deb8u1/sbin/debian-edu-fsautoresize
--- debian-edu-config-1.818/sbin/debian-edu-fsautoresize 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/sbin/debian-edu-fsautoresize 2016-05-18 19:34:49.000000000 +0200
@@ -14,6 +14,7 @@
use Getopt::Std;
use Sys::Syslog qw(openlog syslog closelog LOG_NOTICE);
+use File::Basename;
# Using this module (instead of Filesys::DiskSpace) to get a version
# providing the device size, and not only free and used.
@@ -194,6 +195,13 @@
chomp;
my @f = split(/\s+/);
my $device = $f[0];
+ # Always use mapper names instead of kernel ones.
+ if (index ($f[0], "/dev/dm-") != -1) {
+ for my $mapdevice (glob "/dev/mapper/*") {
+ my $dmdevice = basename(readlink $mapdevice) if -l $mapdevice;
+ $device = $mapdevice if defined($dmdevice) && $dmdevice =~ basename($f[0]);
+ }
+ }
my $mountpoint = $f[1];
my $typename = $f[2];
next unless (exists $fsops{$typename});
diff -Nru debian-edu-config-1.818/sbin/debian-edu-nscd-netgroup-cache debian-edu-config-1.818+deb8u1/sbin/debian-edu-nscd-netgroup-cache
--- debian-edu-config-1.818/sbin/debian-edu-nscd-netgroup-cache 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.818+deb8u1/sbin/debian-edu-nscd-netgroup-cache 2016-05-23 13:13:48.000000000 +0200
@@ -0,0 +1,32 @@
+#!/bin/bash -e
+# debian-edu-nscd-netgroup-cache
+#
+# 2016-23-05, workaround for bug #791562
+
+if [ -z $1 ] ; then
+ echo "usage: $0 (disable|enable)"
+ exit 0
+fi
+
+# Get profile.
+. /etc/debian-edu/config
+
+# Disable/enable nscd netgroup caching.
+if echo "$PROFILE" | grep -q 'Main-Server' ; then
+ systemctl stop nscd.service
+ sleep 1
+ case "$1" in
+ disable)
+ if [ -e /var/cache/nscd/netgroup ] ; then
+ rm /var/cache/nscd/netgroup
+ fi
+ sed -i '/netgroup/ s=yes=no=' /etc/nscd.conf
+ ;;
+ enable)
+ sed -i '/netgroup/ s=no=yes=' /etc/nscd.conf
+ ;;
+ esac
+ systemctl start nscd.service
+fi
+
+# Further information: https://wiki.debian.org/DebianEdu/Status/Jessie
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create 2016-05-24 18:00:30.000000000 +0200
@@ -19,7 +19,7 @@
# One ide might be to look for objects without the krbPasswordExpiration attributes.
## lookup user and create home directory and principal:
-ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \
+ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount)(!(objectClass=gosaUserTemplate)))" \
cn homeDirectory gidNumber 2>/dev/null | perl -p0e 's/\n //g' | \
while read KEY VALUE ; do
case "$KEY" in
@@ -39,7 +39,7 @@
nscd -i group || true
fi
chown -R $USERID:$GROUPID $HOMEDIR
- kadmin.local -q "add_principal -policy users -randkey -x $USERDN $USERID"
+ kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
## send a welcome-email:
cat << EOF | /usr/lib/sendmail $USERID
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create-host debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create-host
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-create-host 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-create-host 2016-05-24 18:00:30.000000000 +0200
@@ -44,7 +44,7 @@
macAddress:) MAC="$VALUE" ;;
"")
FQDN=`find_fqdn $HOSTNAME $IP`
- test -n $FQDN && kadmin.local -q "add_principal -policy hosts -randkey -x $HOSTDN host/$FQDN" && logger -t gosa-create-host -p notice Krb5 principal \'host/$FQDN\' created.
+ test -n $FQDN && kadmin.local -q "add_principal -policy hosts -randkey -x \"$HOSTDN\" host/$FQDN" && logger -t gosa-create-host -p notice Krb5 principal \'host/$FQDN\' created.
;;
esac
done
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-lock-user debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-lock-user
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-lock-user 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-lock-user 2016-05-18 19:44:48.000000000 +0200
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa. There are some tests that make sure only
+## non-existent home directories are created. Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+ set +e
+ LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ ret=$?
+ set -e
+ if [ "x$ret" = "x0" ]; then
+ set +e
+ success=$(LANG=C kadmin.local -q "modify_principal -allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+ set -e
+ if [ -n "$success" ]; then
+ logger -t gosa-lock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been locked."
+ else
+ OUT="Locking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+ echo "$OUT"
+ logger -t gosa-lock-user -p warning "$OUT"
+ fi
+ else
+ logger -t gosa-lock-user -p notice "User account '$USERID' (DN: $USERDN) is not a Kerberos-enabled account. (Thus, skipping...)."
+ fi
+else
+ OUT="User account '$USERID' (DN: $USERDN) does not exist."
+ echo "$OUT"
+ logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-sync debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-sync
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-sync 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-sync 2016-05-18 19:44:48.000000000 +0200
@@ -17,6 +17,15 @@
USERDN="$1"
USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+# check if the given user account has the Kerberos principal objectClass set...
+is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"`
+if [ -z "$is_krbprincipal" ]; then
+
+ # if not, simply bail out here without noise...
+ exit 0
+
+fi
+
## The new user password is in environment, $USERPASSWORD.
## Check if provided password corresponds to hash saved in ldap database:
@@ -27,10 +36,14 @@
$USERPASSWORD
EOF
+# remove escapes from the password added by GOsa²...
+sed -i $TMPFILE -e 's/\\//g'
+
+# check the password in $TMPfile against LDAP...
IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
# Escapes " because kadmin needs to use double quotes:
-EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\"\"/g')"
+EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\\\"/g')"
if [ "$IAM" = "dn:$USERDN" ] ; then
cat > "$TMPFILE" <<EOF
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/gosa-unlock-user debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-unlock-user
--- debian-edu-config-1.818/share/debian-edu-config/tools/gosa-unlock-user 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/gosa-unlock-user 2016-05-18 19:44:48.000000000 +0200
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa. There are some tests that make sure only
+## non-existent home directories are created. Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+ set +e
+ LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ ret=$?
+ set -e
+ if [ "x$ret" = "x0" ]; then
+ set +e
+ success=$(LANG=C kadmin.local -q "modify_principal +allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+ set -e
+ if [ -n "$success" ]; then
+ logger -t gosa-unlock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been unlocked."
+ else
+ OUT="Unlocking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+ echo "$OUT"
+ logger -t gosa-unlock-user -p warning $OUT
+ fi
+ else
+ logger -t gosa-unlock-user -p notice "User account '$USERID' (DN: $USERDN) is not a Kerberos-enabled account. (Thus, skipping...)."
+ fi
+else
+ OUT="User account '$USERID' (DN: $USERDN) does not exist."
+ echo "$OUT"
+ logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
diff -Nru debian-edu-config-1.818/share/debian-edu-config/tools/subnet-change debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/subnet-change
--- debian-edu-config-1.818/share/debian-edu-config/tools/subnet-change 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/share/debian-edu-config/tools/subnet-change 2016-05-24 18:00:30.000000000 +0200
@@ -117,7 +117,7 @@
replace_exports_ip("/etc/exports", $oldsubnet, $newsubnet);
replace_interfaces_ip("/etc/network/interfaces", $oldsubnet, $newsubnet);
replace_ips("/etc/samba/smb-debian-edu.conf", $oldsubnet, $newsubnet);
-replace_ips("/etc/squid/squid.conf", $oldsubnet, $newsubnet);
+replace_ips("/etc/squid3/squid-debian-edu.conf", $oldsubnet, $newsubnet);
change_muninnode("/etc/munin/debian-edu-munin-node.conf", $oldsubnet,
$newsubnet);
change_hostallow("/etc/hosts.allow", $oldsubnet, $newsubnet);
diff -Nru debian-edu-config-1.818/www/wpad.dat debian-edu-config-1.818+deb8u1/www/wpad.dat
--- debian-edu-config-1.818/www/wpad.dat 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-1.818+deb8u1/www/wpad.dat 2016-05-18 19:44:48.000000000 +0200
@@ -2,8 +2,13 @@
{
if (!isResolvable(host) ||
isPlainHostName(host) ||
- dnsDomainIs(host, ".intern"))
+ isInNet(host,"127.0.0.1","255.0.0.0") ||
+ dnsDomainIs(host, ".intern") ||
+ dnsDomainIs(host, ".local"))
+ {
return "DIRECT";
- else
+ }
+ else {
return "PROXY webcache:3128; DIRECT";
+ }
}
Attachment:
signature.asc
Description: Digital signature