--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package debian-edu-config/2.12.40~deb12u1
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Thu, 30 Nov 2023 08:51:26 +0100
- Message-id: <170133068668.14229.3777053359439101807.reportbug@sunobo.fritz.box>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-edu-config@packages.debian.org, debian-edu@lists.debian.org
Control: affects -1 + src:debian-edu-config
This upload provides debian-edu-config for Debian bookworm.
Unfortunately, our development is quite delayed; getting Debian Edu 12
released requires this package to be accepted into Debian bookworm.
[ Reason ]
Over the past months Guido Berhörster at Fre(i)e Software GmbH has
dedicated many hours to getting Debian Edu fixed / ready for the Debian
Edu 12 release.
The adaptations / changes in this upload compared to debian-edu-config
2.12.32 are massive but most of them are required. (Only a few are
nice-to-have). The d/changelog file documents all changes in depth (see
below).
[ Impact ]
No Debian Edu 12, if this upload gets rejected.
[ Tests ]
Manually. Also via post-installation test-suite (which also got fixed
where needed).
[ Risks ]
Only for Debian Edu users.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
+debian-edu-config (2.12.40~deb12u1) bookworm; urgency=medium
+
+ * Upload to bookworm.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 30 Nov 2023 08:36:15 +0100
+
+debian-edu-config (2.12.40) unstable; urgency=medium
+
+ * share/debian-edu-config/gosa.conf.template:
+ + Deploy GOsæ² based on its classic theming, the Materialize CSS theme is
+ too immature to be used in production.
-> We (company staff + myself) just finished a GOsa² development project
where we developed a plugin and provided Materialize CSS theming for the
plugin. While doing this, we came to the conclusion that the new default
theming in GOsa² is too immature for Debian Edu.
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 30 Nov 2023 08:32:34 +0100
+
+debian-edu-config (2.12.39) unstable; urgency=medium
+
+ * ldap-bootstrap/root.ldif: Fix gosaAclEntry of BaseDN object.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 19 Nov 2023 09:56:39 +0100
+
+debian-edu-config (2.12.38) unstable; urgency=medium
+
+ [ Wolfgang Schweer ]
+ * Fix main server network setup. Closes: #1055647.
+
+ -- Holger Levsen <holger@debian.org> Fri, 10 Nov 2023 16:42:11 +0100
+
+debian-edu-config (2.12.37) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Discard excessive nullmailer logging.
+ Filter out log messages coming from a client running nullmailer since it is
+ very verbose and can easily fill up the filesystem under /var/log.
+ (Closes: #1003728).
+ * ldap-createuser-krb5: fix password prompt.
+ * Disable cfengine3 systemd service.
+ Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
+ pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
+ instead.
+ * Rewrite testsuite/filesystems, add exception for /boot
+ Rewrite for clarity and robustness. Add exception for /boot which may use
+ ext2.
+ * testsuite/ldap-{server,client}: Fix invocation of ldapsearch.
+ The -h command line option has been removed, ldapsearch now only accepts a
+ LDAP URI via the -H option.
+ Also do not use the deprecated egrep and get rid of unnecessary wc.
+ Use dig and awk instead of host and interpret the SRV record properly.
+ * testsuite/ldap-client: Improve error message on PAM modules.
+ * Fix remaining invocations of ldapsearch.
+ * Disable using the LDAP PAM module (we use pam_krb5.so instead).
+ * setup-freeradius-server: Set commonName and subjectAltNames on the server
+ cert.
+ (Closes: #1010159).
+ * setup-freeradius-server: Improve robustness
+ Use update-ini-file for OpenSSL config files.
+ Use more precise sed substitutions which do not rely on example values.
+ Increase password length from 8 to 16 characters.
+ * Change minimum UID/GID for LDAP user to 2000 (Closes: #1003192)
+ With this change local user accounts now use the UID/GID range 1000-1999
+ instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
+ 1000-59999. This is to reserve UID/GID 0-999 for system users which is the
+ default in Debian and not conforming to it is increasingly problematic as
+ packages are beginning to use systemd-sysusers for creating system user
+ accounts which does not obey /etc/addusers.conf or /etc/login.defs by default.
+ The first user account created during installation now has UID/GID 2000 instead
+ of 1000.
+ Configure gosa and adjust ldap-createuser-krb5 accordingly.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 27 Sep 2023 09:57:06 +0200
+
+debian-edu-config (2.12.36) unstable; urgency=medium
+
+ [ Mike Gabriel ]
+ * ldap-bootstrap/gosa.ldif:
+ + Provide ou=incoming potentially used by GOsa²'s class 'newArpDevice'.
+ This is esp. to silence GOsa² error messages but might be useful at a
+ later point of time.
+
+ [ Guido Berhoerster ]
+ * Update proxy settings in dconf.
+ This adds support in update-proxy-from-wpad for setting the proxy default
+ values in dconf (used by e.g. GNOME components). The values are added to
+ a site database, it also packages an empty local database in order to
+ obviate the need to modify the user profile. (Closes: #955702)
+ * Remove use of obsolete grep aliases. These have been obsolete forever and
+ have been removed from GNU grep upstream.
+ * Use command -v builtin over external which command
+ * Do not solely rely on the presence of init scripts in maintainer scripts.
+ Check also for systemd service files.
+ * Remove direct invocation of wlan init script. This no longer exists in
+ Debian.
+ * Replace invocation of fetch-ldap-cert init script in DHCP hooks and rename.
+ dhclient hook in Makefile.
+ This has been replaced by fetch-rootca-cert (see #971780).
+ * Silence exim4 warnings in logfile.
+ The lack of keep_environment in the exim4 configuration for clients leads to
+ continuous warnings in the logfile:
+ 'Warning: purging the environment. Suggested action: use keep_environment.'
+ Setting it to an empty value (which is the default) silences that.
+ * Ship PAM group.conf for workstations. LDAP users should be members of
+ several system groups on networked (roaming) workstations.
+ * Add missing dependency on iptables
+ This is required by debian-edu-update-netblock (Closes: #1051446).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 09 Sep 2023 23:04:46 +0200
+
+debian-edu-config (2.12.35) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Remove configure-edu-gateway. (Closes: #1043407).
+ The script is obsoleted by the more sophisticated configuration
+ abilities provided by the debian-edu-router-config package.
+ * Do not hardcode X2Go desktop to Xfce. (Closes: #1049396).
+ Add a commandline option --x2go_desktop for specifying the default desktop
+ and make a best effort finding a usable desktop if none is specified.
+ * Disable cf-execd on installation. (Closes: #1041323).
+ Currently cf-execd is enabled by default if systemd is used (see #1043353)
+ but the agent should only be run on installation.
+ * Do not attempt to fetch the rootCA cert outside of a DebianEdu network
+ An error should only be reported if the machine is inside a DebianEdu
+ network, i.e. www.intern is resolvable, but the download fails. (Closes:
+ #1008599).
+
+ [ Mike Gabriel ]
+ * debian/tests/control: Remove configure-edu-gateway from list of tests.
+ Script and testscript are now gone. (Related to closure of #1043407, see
+ above).
+ * Silence lintian warnings of type 'bash-term-in-posix-shell' by using
+ variable names that lintian can't confuse with bash-only pre-set
+ variables (e.g. $HOSTNAME or $UID).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 19 Aug 2023 17:00:36 +0200
+
+debian-edu-config (2.12.34) unstable; urgency=medium
+
+ [ Mike Gabriel ]
+ * Start 2.12.34 development.
+ * debian/debian-edu-config.lintian-overrides:
+ + Update existing overrides (line numbers and such).
+ + Drop missing-systemd-service-for-init.d-script overrides. Systemd service
+ files are now provided.
+ + Drop init.d-script-does-not-implement-status-option override for
+ fetch-ldap-cert. Init script is now gone.
+ * testsuite: Install to pkglibexecdir rather than libexecdir. Thanks lintian.
+ * Makefile: Adjust white-spacing in variable declarations.
+ * Makefile: Use $(NULL) variable at end of file lists. Allow for better git-
+ patch readability.
+ * Convert CRON configuration to systemd timers.
+ * sbin/*-for-netgroup-hosts: Some noop + white-spacing beautifications.
+ * Move d-e-c-*-for-netgroup-hosts scripts to pkglibexecdir.
+ * debian/debian-edu-config.postinst:
+ + Assure runlevel de-registering of init script fetch-ldap-cert.
+ * debian/debian-edu-config.maintscript:
+ + Assure removal of /etc/init.d/fetch-ldap-cert conffile.
+ * debian/debian-edu-config.cron.*:
+ + Only run scripts if they exist. Thanks piuparts.
+
+ [ Daniel Teichmann ]
+ * etc/dhcp/dhcp-debian-edu.conf:
+ + ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966).
+ * share/debian-edu-config/tools/gosa-remove:
+ + Fix kadmin.local, Use '-force' to disable interaction via stdin.
+
+ [ Guido Berhoerster ]
+ * ldap-tools/ldap-createuser-krb5:
+ + Fix user creation. (Closes: #1042456).
+ Remove Samba NT4 domain support, add samba user using smbpasswd.
+ Add root CA for new users (copied from gosa-create).
+ + Fix new UID/GID selection.
+ Exclude special users (UID/GID >= 10000) when looking for the highest
+ UID/GID.
+ + Add CLI options for uid/gid/department.
+ Also ensure script is run as root.
+ + Add additional attributes based on template users.
+ + Add support for additional groups.
+ + Send welcome email in order to create maildir.
+ Without this the maildir in /var/mail/<user> will not exist and Dovecot
+ will refuse to let the user log in as it cannot create this directory.
+ + Set LDAP password when creating users.
+ This allows users to use GOsa² to change their password.
+ * Add systemd services for configuring Chromium/Firefox from LDAP.
+ Factor out logic from init script into separate script which are then called
+ from both the init script and systemd services.
+ * Add systemd service enabling NAT for thin clients.
+ * Add systemd service for fetching the RootCA file from the main server.
+ * Drop init script for fetching LDAP SSL public key from legacy main servers.
+ This drops support for clients running behind a main server based on Debian
+ Edu stretch. (Closes: #1030116).
+ * Update debian/rules for init scripts and systemd services. (Closes:
+ #1039166).
+ * Generate a random password for the icinga/icingaweb databases.
+ (Closes: #1040015).
+ * update-dlw-krb5-keytabs: Handle missing/empty diskless-workstation-hosts.
+ * Followup fixes for ntpsec transition.
+ * Add systemd support to debian-edu-restart-services: This uses a list
+ of service units which was compiled on a main server + ltsp
+ installation. Uses stop and start to force restart
+ reverse-dependencies. It also makes sure that drop in files are
+ recognized. (Closes: #1042940).
+ * Configure gosa not to use STARTTLS since TLS is already used. ldapTLS
+ configures the use of STARTTLS, not TLS per se which is enabled by the
+ use of ldaps: protocol in URLs. (Closes: #1041322).
+ * Allow root access to cups via SystemGroups. 'root' access is allowed in
+ the default configuration and e.g. necessary for services like
+ debian-edu-cups-queue-autoflush.service to work. (Closes: #1043397).
+ * cf3/promises.cf: fix typo and allow connections from localhost and network.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 10 Aug 2023 16:47:59 +0200
+
+debian-edu-config (2.12.33) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Adapt ntp configuration for ntpsec. Closes: #1038881.
+ ntpsec has replaced ntp in bookworm, adapt configuration and add a
+ drop-in file instead of editing the configuration file. Drop insserv
+ overrides for ntp, the ntpsec systemd unit has an ordering dependency
+ on nss-lookup.target equivalent to the "$named" facility.
+ * Set up database for icingaweb2
+ Starting with version 2.11 user preferences must be stored in the DB.
+ * Fix permissions issue preventing icingaweb2 from reading the backend config
+ The /etc/icingaweb2/modules directory ends up with "drwxrwSrwx" permissions,
+ missing the "x" bit preventing icingaweb2 from reading the monitoring backend
+ configuration in /etc/icingaweb2/modules/monitoring/. Instead of adjusting
+ single files and directories, enforce sensible permissions on all directories
+ and configuration files. Closes: #1039475.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 01 Jul 2023 05:41:56 +0200
[ Other info ]
As mentioned above, having this upload accepted to bookworm is crucial for the upcoming Debian Edu 12 release.
diff -Nru debian-edu-config-2.12.32/cf3/cf.adduser debian-edu-config-2.12.40~deb12u1/cf3/cf.adduser
--- debian-edu-config-2.12.32/cf3/cf.adduser 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/cf.adduser 2023-09-27 22:34:54.000000000 +0200
@@ -17,10 +17,8 @@
replace_patterns:
- "FIRST_UID=1000" replace_with => value("FIRST_UID=500");
- "LAST_UID=59999" replace_with => value("LAST_UID=999");
- "FIRST_GID=1000" replace_with => value("FIRST_GID=500");
- "LAST_GID=59999" replace_with => value("LAST_GID=999");
+ "LAST_UID=59999" replace_with => value("LAST_UID=1999");
+ "LAST_GID=59999" replace_with => value("LAST_GID=1999");
"DIR_MODE=0755" replace_with => value("DIR_MODE=0700");
}
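Review bot: With the FIRST_UID/FIRST_GID rules dropped, this replace_patterns block now depends on the stock adduser.conf already carrying FIRST_UID=1000 and FIRST_GID=1000, and nothing in the file says so. A short comment above the two remaining LAST_* rules, stating that the local range is 1000-1999 and that FIRST_* is deliberately left at the adduser default, would help. Each rule also matches a literal default such as "LAST_UID=59999", so if that default text ever differs the edit is skipped silently and local accounts could be allocated into the 2000+ range the changelog reserves for LDAP users. Matching on the key rather than on the full default value would be more robust.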
diff -Nru debian-edu-config-2.12.32/cf3/cf.cfengine3 debian-edu-config-2.12.40~deb12u1/cf3/cf.cfengine3
--- debian-edu-config-2.12.32/cf3/cf.cfengine3 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/cf.cfengine3 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,15 @@
+bundle agent cfengine3
+{
+# Disable cfengine3 services which are enabled by default when systemd is used (#1043353)
+
+services:
+
+ debian.systemd.(server|ltspserver).installation::
+
+ "cfengine3.service"
+ service_policy => "stop";
+
+ "cfengine3.service"
+ service_policy => "disable";
+
+}
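Review bot: The class guard "debian.systemd.(server|ltspserver).installation::" covers only the server and ltspserver profiles, while the comment above it describes the service as enabled by default whenever systemd is used. If other profiles install cfengine3 they keep the service enabled, so either widen the guard or say in the comment why these two profiles suffice. The two promises also share the promiser "cfengine3.service" with different service_policy values; a one-line comment that both stop and disable are intended would make that clear.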
diff -Nru debian-edu-config-2.12.32/cf3/cf.ldapclient debian-edu-config-2.12.40~deb12u1/cf3/cf.ldapclient
--- debian-edu-config-2.12.32/cf3/cf.ldapclient 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/cf.ldapclient 2023-09-27 22:34:54.000000000 +0200
@@ -8,6 +8,12 @@
"/usr/share/debian-edu-config/tools/setup-roaming"
contain => in_shell;
+
+# remove PAM LDAP module
+ debian.!roaming.installation::
+
+ "/usr/sbin/pam-auth-update --disable ldap"
+ contain => in_shell;
}
bundle agent editline_ldapclient
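Review bot: The comment on the added block says "remove PAM LDAP module", but "pam-auth-update --disable ldap" only disables the profile, and the guard "debian.!roaming.installation::" leaves it active on roaming workstations without saying why. Reword the comment to "disable" and add the reason roaming is excluded, since the changelog entry simply states that pam_krb5.so is used instead.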
diff -Nru debian-edu-config-2.12.32/cf3/cf.ntp debian-edu-config-2.12.40~deb12u1/cf3/cf.ntp
--- debian-edu-config-2.12.32/cf3/cf.ntp 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/cf.ntp 2023-09-27 22:34:54.000000000 +0200
@@ -2,10 +2,10 @@
{
# Use custom ntp configuration for networked clients (package systemd-timesyncd
# is installed by default). On the internal ntp server (default: 'tjener'), the
-# ntp package is installed.
+# ntpsec package is installed.
# Keep systemd-timesyncd default settings for roaming workstations.
-# Note: In case the ntp package is installed, the conflicting systemd-timesyncd
-# package gets removed (but not purged).
+# Note: In case the ntpsec package is installed, the conflicting
+# systemd-timesyncd package gets removed (but not purged).
vars:
@@ -24,30 +24,10 @@
commands:
- # Make sure ntp gets installed
+ # Make sure ntpsec gets installed
debian.server.installation::
- "/usr/bin/apt-get install -y ntp"
+ "/usr/bin/apt-get install -y ntpsec"
contain => in_shell;
}
-
-bundle agent editline_ntp
-{
-
-vars:
-
- "ntp_conf" slist => { "server 127.127.1.0 #local clock as fallback",
- "fudge 127.127.1.0 stratum 10 #not disciplined",};
-
-files:
-
- # Add local clock on the main-server to ensure clients can sync with
- # the main-server even when Internet connection is missing.
-
- debian.server.installation::
-
- "/etc/ntp.conf"
- edit_line => append_if_no_line( @(ntp_conf) );
-}
-
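Review bot: Deleting the editline_ntp bundle at the end of this hunk also drops the local clock fallback ("server 127.127.1.0" and "fudge 127.127.1.0 stratum 10"), whose stated purpose was to let clients sync with the main server when the Internet connection is missing. Nothing in this file replaces it. Please confirm that the ntpsec drop-in mentioned in the changelog carries an equivalent, or document that the fallback is intentionally gone.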
diff -Nru debian-edu-config-2.12.32/cf3/cf.pam debian-edu-config-2.12.40~deb12u1/cf3/cf.pam
--- debian-edu-config-2.12.32/cf3/cf.pam 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/cf.pam 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+bundle agent editline_pam_group
+{
+vars:
+
+ "default_groups" string => "*;*;*;Al0000-2400;audio,bluetooth,cdrom,dip,floppy,netdev,plugdev,scanner,video";
+
+files:
+
+ debian.(workstation|roaming).installation::
+
+ "/etc/security/group.conf"
+ create => "true",
+ edit_line => append_if_no_line("$(default_groups)");
+}
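Review bot: The default_groups line uses "*;*;*" for the services, ttys and users fields, so every account, local or LDAP, gets audio, video, plugdev, netdev and the rest on every PAM service, including remote logins such as ssh, whereas the changelog motivates this only for LDAP users on workstations. Consider restricting the services field to the display manager and console login, or document why the wildcard is acceptable. The file is only consulted when pam_group is part of the PAM stack, which this hunk does not set up, so a comment saying where that happens would help.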
diff -Nru debian-edu-config-2.12.32/cf3/cf.samba debian-edu-config-2.12.40~deb12u1/cf3/cf.samba
--- debian-edu-config-2.12.32/cf3/cf.samba 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/cf.samba 2023-09-27 22:34:54.000000000 +0200
@@ -9,9 +9,13 @@
debian.server.installation::
+ # GID 10004 is the "students" group, the group name cannot be used here
+ # since slapd is not running when this bundle is evaluated during
+ # installation, the GID must be to be kept in sync with
+ # ldap-bootstrap/{samba.ldif,gosa.ldif}
"$(usershares_file)"
create => "true",
- perms => mog("1770","root","students");
+ perms => mog("1770","root","10004");
"/etc/samba/smb.conf"
link_from => ln_s("/etc/samba/smb-debian-edu.conf"),
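Review bot: The literal "10004" in the new perms line is a magic number that has to match two LDIF files, and only a comment ties them together. Define it once in a vars: entry, or have the testsuite compare it against ldap-bootstrap, so that drift is detectable. There is also a typo in the added comment: "must be to be kept" should read "must be kept".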
diff -Nru debian-edu-config-2.12.32/cf3/cf.syslog debian-edu-config-2.12.40~deb12u1/cf3/cf.syslog
--- debian-edu-config-2.12.32/cf3/cf.syslog 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/cf.syslog 2023-09-27 22:34:54.000000000 +0200
@@ -20,6 +20,10 @@
"/etc/rsyslog.d/debian-edu-collector.conf"
link_from => ln_s("/usr/share/debian-edu-config/rsyslog-collector"),
move_obstructions => "true";
+
+ "/etc/rsyslog.d/debian-edu-filters.conf"
+ link_from => ln_s("/usr/share/debian-edu-config/rsyslog-filters"),
+ move_obstructions => "true";
}
bundle agent editline_syslog
diff -Nru debian-edu-config-2.12.32/cf3/promises.cf debian-edu-config-2.12.40~deb12u1/cf3/promises.cf
--- debian-edu-config-2.12.32/cf3/promises.cf 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/cf3/promises.cf 2023-09-27 22:34:54.000000000 +0200
@@ -8,9 +8,9 @@
body server control
# Debian Edu specific
{
- allowconnects => { "10.0.0.0.0/8" };
- allowallconnects => { "10.0.0.0.0/8" };
- trustkeysfrom => { "10.0.0.0.0/8" };
+ allowconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ allowallconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ trustkeysfrom => { "127.0.0.1", "::1", "10.0.0.0/8" };
maxconnections => "15";
denybadclocks => "false";
allowusers => { "root" };
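Review bot: Correcting "10.0.0.0.0/8" to "10.0.0.0/8" in trustkeysfrom means cf-serverd will now accept public keys on trust from any previously unknown host in the whole /8, alongside allowallconnects for the same range. If the malformed value never matched anything, this is a behaviour change rather than a typo fix and deserves a comment in the file, not just the one-line changelog entry. trustkeysfrom is normally narrowed or emptied once clients are bootstrapped; since the same upload disables cfengine3.service, please state whether cf-serverd is expected to listen at all.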
@@ -28,11 +28,13 @@
bundlesequence => {
edu,
+ cfengine3,
permission_homes,
editline_homes,
editline_bind,
editline_ldapserver,
editline_ldapclient,
+ editline_pam_group,
editline_syslog,
adduser,
apache2,
@@ -53,7 +55,6 @@
ldapclient,
desktop,
ntp,
- editline_ntp,
squid,
sshd,
syslog,
@@ -71,9 +72,11 @@
"lib/common.cf",
"lib/commands.cf",
"lib/files.cf",
+ "lib/services.cf",
"debian-edu/cf.adduser",
"debian-edu/cf.apache2",
"debian-edu/cf.bind",
+ "debian-edu/cf.cfengine3",
"debian-edu/cf.chromium",
"debian-edu/cf.cups",
"debian-edu/cf.samba",
@@ -91,6 +94,7 @@
"debian-edu/cf.ldapserver",
"debian-edu/cf.ldapclient",
"debian-edu/cf.ntp",
+ "debian-edu/cf.pam",
"debian-edu/cf.pxeinstall",
"debian-edu/cf.squid",
"debian-edu/cf.sshd",
diff -Nru debian-edu-config-2.12.32/debian/changelog debian-edu-config-2.12.40~deb12u1/debian/changelog
--- debian-edu-config-2.12.32/debian/changelog 2023-03-27 20:40:47.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/changelog 2023-11-30 08:36:15.000000000 +0100
@@ -1,3 +1,231 @@
+debian-edu-config (2.12.40~deb12u1) bookworm; urgency=medium
+
+ * Upload to bookworm.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 30 Nov 2023 08:36:15 +0100
+
+debian-edu-config (2.12.40) unstable; urgency=medium
+
+ * share/debian-edu-config/gosa.conf.template:
+ + Deploy GOsæ² based on its classic theming, the Materialize CSS theme is
+ too immature to be used in production.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 30 Nov 2023 08:32:34 +0100
+
+debian-edu-config (2.12.39) unstable; urgency=medium
+
+ * ldap-bootstrap/root.ldif: Fix gosaAclEntry of BaseDN object.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 19 Nov 2023 09:56:39 +0100
+
+debian-edu-config (2.12.38) unstable; urgency=medium
+
+ [ Wolfgang Schweer ]
+ * Fix main server network setup. Closes: #1055647.
+
+ -- Holger Levsen <holger@debian.org> Fri, 10 Nov 2023 16:42:11 +0100
+
+debian-edu-config (2.12.37) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Discard excessive nullmailer logging.
+ Filter out log messages coming from a client running nullmailer since it is
+ very verbose and can easily fill up the filesystem under /var/log.
+ (Closes: #1003728).
+ * ldap-createuser-krb5: fix password prompt.
+ * Disable cfengine3 systemd service.
+ Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
+ pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
+ instead.
+ * Rewrite testsuite/filesystems, add exception for /boot
+ Rewrite for clarity and robustness. Add exception for /boot which may use
+ ext2.
+ * testsuite/ldap-{server,client}: Fix invocation of ldapsearch.
+ The -h command line option has been removed, ldapsearch now only accepts a
+ LDAP URI via the -H option.
+ Also do not use the deprecated egrep and get rid of unnecessary wc.
+ Use dig and awk instead of host and interpret the SRV record properly.
+ * testsuite/ldap-client: Improve error message on PAM modules.
+ * Fix remaining invocations of ldapsearch.
+ * Disable using the LDAP PAM module (we use pam_krb5.so instead).
+ * setup-freeradius-server: Set commonName and subjectAltNames on the server
+ cert.
+ (Closes: #1010159).
+ * setup-freeradius-server: Improve robustness
+ Use update-ini-file for OpenSSL config files.
+ Use more precise sed substitutions which do not rely on example values.
+ Increase password length from 8 to 16 characters.
+ * Change minimum UID/GID for LDAP user to 2000 (Closes: #1003192)
+ With this change local user accounts now use the UID/GID range 1000-1999
+ instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
+ 1000-59999. This is to reserve UID/GID 0-999 for system users which is the
+ default in Debian and not conforming to it is increasingly problematic as
+ packages are beginning to use systemd-sysusers for creating system user
+ accounts which does not obey /etc/addusers.conf or /etc/login.defs by default.
+ The first user account created during installation now has UID/GID 2000 instead
+ of 1000.
+ Configure gosa and adjust ldap-createuser-krb5 accordingly.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 27 Sep 2023 09:57:06 +0200
+
+debian-edu-config (2.12.36) unstable; urgency=medium
+
+ [ Mike Gabriel ]
+ * ldap-bootstrap/gosa.ldif:
+ + Provide ou=incoming potentially used by GOsa²'s class 'newArpDevice'.
+ This is esp. to silence GOsa² error messages but might be useful at a
+ later point of time.
+
+ [ Guido Berhoerster ]
+ * Update proxy settings in dconf.
+ This adds support in update-proxy-from-wpad for setting the proxy default
+ values in dconf (used by e.g. GNOME components). The values are added to
+ a site database, it also packages an empty local database in order to
+ obviate the need to modify the user profile. (Closes: #955702)
+ * Remove use of obsolete grep aliases. These have been obsolete forever and
+ have been removed from GNU grep upstream.
+ * Use command -v builtin over external which command
+ * Do not solely rely on the presence of init scripts in maintainer scripts.
+ Check also for systemd service files.
+ * Remove direct invocation of wlan init script. This no longer exists in
+ Debian.
+ * Replace invocation of fetch-ldap-cert init script in DHCP hooks and rename.
+ dhclient hook in Makefile.
+ This has been replaced by fetch-rootca-cert (see #971780).
+ * Silence exim4 warnings in logfile.
+ The lack of keep_environment in the exim4 configuration for clients leads to
+ continuous warnings in the logfile:
+ 'Warning: purging the environment. Suggested action: use keep_environment.'
+ Setting it to an empty value (which is the default) silences that.
+ * Ship PAM group.conf for workstations. LDAP users should be members of
+ several system groups on networked (roaming) workstations.
+ * Add missing dependency on iptables
+ This is required by debian-edu-update-netblock (Closes: #1051446).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 09 Sep 2023 23:04:46 +0200
+
+debian-edu-config (2.12.35) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Remove configure-edu-gateway. (Closes: #1043407).
+ The script is obsoleted by the more sophisticated configuration
+ abilities provided by the debian-edu-router-config package.
+ * Do not hardcode X2Go desktop to Xfce. (Closes: #1049396).
+ Add a commandline option --x2go_desktop for specifying the default desktop
+ and make a best effort finding a usable desktop if none is specified.
+ * Disable cf-execd on installation. (Closes: #1041323).
+ Currently cf-execd is enabled by default if systemd is used (see #1043353)
+ but the agent should only be run on installation.
+ * Do not attempt to fetch the rootCA cert outside of a DebianEdu network
+ An error should only be reported if the machine is inside a DebianEdu
+ network, i.e. www.intern is resolvable, but the download fails. (Closes:
+ #1008599).
+
+ [ Mike Gabriel ]
+ * debian/tests/control: Remove configure-edu-gateway from list of tests.
+ Script and testscript are now gone. (Related to closure of #1043407, see
+ above).
+ * Silence lintian warnings of type 'bash-term-in-posix-shell' by using
+ variable names that lintian can't confuse with bash-only pre-set
+ variables (e.g. $HOSTNAME or $UID).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 19 Aug 2023 17:00:36 +0200
+
+debian-edu-config (2.12.34) unstable; urgency=medium
+
+ [ Mike Gabriel ]
+ * Start 2.12.34 development.
+ * debian/debian-edu-config.lintian-overrides:
+ + Update existing overrides (line numbers and such).
+ + Drop missing-systemd-service-for-init.d-script overrides. Systemd service
+ files are now provided.
+ + Drop init.d-script-does-not-implement-status-option override for
+ fetch-ldap-cert. Init script is now gone.
+ * testsuite: Install to pkglibexecdir rather than libexecdir. Thanks lintian.
+ * Makefile: Adjust white-spacing in variable declarations.
+ * Makefile: Use $(NULL) variable at end of file lists. Allow for better git-
+ patch readability.
+ * Convert CRON configuration to systemd timers.
+ * sbin/*-for-netgroup-hosts: Some noop + white-spacing beautifications.
+ * Move d-e-c-*-for-netgroup-hosts scripts to pkglibexecdir.
+ * debian/debian-edu-config.postinst:
+ + Assure runlevel de-registering of init script fetch-ldap-cert.
+ * debian/debian-edu-config.maintscript:
+ + Assure removal of /etc/init.d/fetch-ldap-cert conffile.
+ * debian/debian-edu-config.cron.*:
+ + Only run scripts if they exist. Thanks piuparts.
+
+ [ Daniel Teichmann ]
+ * etc/dhcp/dhcp-debian-edu.conf:
+ + ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966).
+ * share/debian-edu-config/tools/gosa-remove:
+ + Fix kadmin.local, Use '-force' to disable interaction via stdin.
+
+ [ Guido Berhoerster ]
+ * ldap-tools/ldap-createuser-krb5:
+ + Fix user creation. (Closes: #1042456).
+ Remove Samba NT4 domain support, add samba user using smbpasswd.
+ Add root CA for new users (copied from gosa-create).
+ + Fix new UID/GID selection.
+ Exclude special users (UID/GID >= 10000) when looking for the highest
+ UID/GID.
+ + Add CLI options for uid/gid/department.
+ Also ensure script is run as root.
+ + Add additional attributes based on template users.
+ + Add support for additional groups.
+ + Send welcome email in order to create maildir.
+ Without this the maildir in /var/mail/<user> will not exist and Dovecot
+ will refuse to let the user log in as it cannot create this directory.
+ + Set LDAP password when creating users.
+ This allows users to use GOsa² to change their password.
+ * Add systemd services for configuring Chromium/Firefox from LDAP.
+ Factor out logic from init script into separate script which are then called
+ from both the init script and systemd services.
+ * Add systemd service enabling NAT for thin clients.
+ * Add systemd service for fetching the RootCA file from the main server.
+ * Drop init script for fetching LDAP SSL public key from legacy main servers.
+ This drops support for clients running behind a main server based on Debian
+ Edu stretch. (Closes: #1030116).
+ * Update debian/rules for init scripts and systemd services. (Closes:
+ #1039166).
+ * Generate a random password for the icinga/icingaweb databases.
+ (Closes: #1040015).
+ * update-dlw-krb5-keytabs: Handle missing/empty diskless-workstation-hosts.
+ * Followup fixes for ntpsec transition.
+ * Add systemd support to debian-edu-restart-services: This uses a list
+ of service units which was compiled on a main server + ltsp
+ installation. Uses stop and start to force restart
+ reverse-dependencies. It also makes sure that drop in files are
+ recognized. (Closes: #1042940).
+ * Configure gosa not to use STARTTLS since TLS is already used. ldapTLS
+ configures the use of STARTTLS, not TLS per se which is enabled by the
+ use of ldaps: protocol in URLs. (Closes: #1041322).
+ * Allow root access to cups via SystemGroups. 'root' access is allowed in
+ the default configuration and e.g. necessary for services like
+ debian-edu-cups-queue-autoflush.service to work. (Closes: #1043397).
+ * cf3/promises.cf: fix typo and allow connections from localhost and network.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 10 Aug 2023 16:47:59 +0200
+
+debian-edu-config (2.12.33) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Adapt ntp configuration for ntpsec. Closes: #1038881.
+ ntpsec has replaced ntp in bookworm, adapt configuration and add a
+ drop-in file instead of editing the configuration file. Drop insserv
+ overrides for ntp, the ntpsec systemd unit has an ordering dependency
+ on nss-lookup.target equivalent to the "$named" facility.
+ * Set up database for icingaweb2
+ Starting with version 2.11 user preferences must be stored in the DB.
+ * Fix permissions issue preventing icingaweb2 from reading the backend config
+ The /etc/icingaweb2/modules directory ends up with "drwxrwSrwx" permissions,
+ missing the "x" bit preventing icingaweb2 from reading the monitoring backend
+ configuration in /etc/icingaweb2/modules/monitoring/. Instead of adjusting
+ single files and directories, enforce sensible permissions on all directories
+ and configuration files. Closes: #1039475.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 01 Jul 2023 05:41:56 +0200
+
debian-edu-config (2.12.32) unstable; urgency=medium
* debian-edu-ltsp-install: fix failure with absent BD iso images. Patch
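Review bot: Two wording slips in the added entries: the 2.12.37 entry refers to "/etc/addusers.conf" where the file is /etc/adduser.conf, and the 2.12.40 entry spells the product "GOsæ²" while the other entries use "GOsa²". The 2.12.37 UID/GID entry also says the first user created at installation moves from UID/GID 1000 to 2000 but says nothing about machines already installed with the old ranges. For a stable update, a sentence on whether existing installations are affected would help the release team.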
diff -Nru debian-edu-config-2.12.32/debian/control debian-edu-config-2.12.40~deb12u1/debian/control
--- debian-edu-config-2.12.32/debian/control 2023-03-27 20:40:24.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/control 2023-09-27 22:34:54.000000000 +0200
@@ -5,7 +5,6 @@
Uploaders: Petter Reinholdtsen <pere@debian.org>,
Holger Levsen <holger@debian.org>,
Mike Gabriel <sunweaver@debian.org>,
- Wolfgang Schweer <wschweer@arcor.de>,
Dominik George <natureshadow@debian.org>,
Standards-Version: 4.6.2
Rules-Requires-Root: no
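Review bot: The removal of Wolfgang Schweer from Uploaders in this hunk is not mentioned in any of the debian/changelog entries, although the request states that all changes are documented there and the 2.12.38 entry still credits him. Add a changelog line for the Uploaders change.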
@@ -30,6 +29,7 @@
education-tasks,
fping,
gnutls-bin,
+ iptables,
isenkram-cli,
ldap-utils,
libconfig-inifiles-perl,
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.chromium-ldapconf
--- debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf 2019-02-12 15:00:02.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.chromium-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -20,31 +20,9 @@
. /lib/lsb/init-functions
-if [ -e /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-do_start() {
- # Skip this on LTSP chroots
- if [ -e /etc/ltsp_chroot ] ; then
- return
- fi
-
- # Only networked profiles use LDAP
- if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
- /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
- fi
-
- if echo "$PROFILE" | grep -q LTSP-Server && [ -d /opt/ltsp ] ; then
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
- chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
- done
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/chromium-ldapconf
;;
stop)
;;
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.chromium-ldapconf.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.chromium-ldapconf.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
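Review bot: Description= and ExecStart= in this new chromium-ldapconf.service both refer to Firefox. The unit runs /usr/share/debian-edu-config/tools/firefox-ldapconf, whereas the init script changed just above calls /usr/share/debian-edu-config/tools/chromium-ldapconf. This looks like a copy of firefox-ldapconf.service that was not adapted, so on systemd hosts the Chromium tool would never be run by this unit. Suggest ExecStart=/usr/share/debian-edu-config/tools/chromium-ldapconf and a Description that mentions chromium.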
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.cron.daily debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.cron.daily
--- debian-edu-config-2.12.32/debian/debian-edu-config.cron.daily 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.cron.daily 2023-09-27 22:34:54.000000000 +0200
@@ -3,12 +3,9 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
-# Automatically flush print queues every night if the
-# host is a member of the cups-queue-autoflush-hosts netgroup.
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
- if innetgr -h $hostname cups-queue-autoflush-hosts ; then
- /usr/share/debian-edu-config/tools/cups-queue-autoflush
- fi
-done
+# regularly run CUPS Queue autoflush if configured via netgroups
+if [ -x /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoflush-for-netgroup-hosts ]; then
+ exec /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoflush-for-netgroup-hosts
+fi
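Review bot: the new guard `[ -d /run/systemd/system ] && exit 0` at the top has no comment saying why the job does nothing on systemd hosts. A one-line comment that debian-edu-cups-queue-autoflush.timer takes over there would help the next reader. The old `[ -x /usr/bin/innetgr ] || exit 0` check is also gone, so the helper under /usr/libexec/debian-edu-config has to cope with a missing innetgr itself.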
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.cron.hourly debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.cron.hourly
--- debian-edu-config-2.12.32/debian/debian-edu-config.cron.hourly 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.cron.hourly 2023-09-27 22:34:54.000000000 +0200
@@ -3,21 +3,14 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
+# regularly run fsautoresize if configured via netgroups
+if [ -x /usr/libexec/debian-edu-config/debian-edu-fsautoresize-for-netgroup-hosts ]; then
+ /usr/libexec/debian-edu-config/debian-edu-fsautoresize-for-netgroup-hosts
+fi
- # Automatically extend full LVM volumes if the host is a member of
- # the fsautoresize-hosts netgroup.
- if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
- innetgr -h $hostname fsautoresize-hosts ; then
- debian-edu-fsautoresize -n
- fi
-
- # Automatically restart disabled print queues every hour if the
- # host is a member of the cups-queue-autoreenable-hosts netgroup.
- if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
- innetgr -h $hostname cups-queue-autoreenable-hosts ; then
- /usr/share/debian-edu-config/tools/cups-queue-autoreenable
- fi
-done
+# regularly run CUPS Queue autoreenable if configured via netgroups
+if [ -x /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoreenable-for-netgroup-hosts ]; then
+ /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
+fi
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-flush CUPS queues on hosts configured via the cups-queue-autoflush-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/debian-edu-config/debian-edu-cups-queue-autoflush-for-netgroup-hosts
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoflush.service every day.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target
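Review bot: OnBootSec=15min together with OnUnitActiveSec=1d does not reproduce the old cron.daily behaviour, whose comment said the print queues are flushed every night. Both settings are monotonic timers, so a machine that is switched off every evening will flush its queues 15 minutes after each boot, and the 1d interval only matters on hosts that stay up. If a nightly run is intended, an OnCalendar= schedule would match the cron job more closely; otherwise the Description should say what actually happens.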
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-reenable CUPS queues on hosts configured via the cups-queue-autoreenable-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/debian-edu-config/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoreenable.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run fsautoresize regularly on hosts configured via the fsautoresize-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/debian-edu-config/debian-edu-fsautoresize-for-netgroup-hosts
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.timer debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-fsautoresize.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update netblock according to netblock-hosts netgroup configuration.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-update-netblock auto
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.timer debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-update-netblock.service every 5 minutes
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.enable-nat.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.enable-nat.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.enable-nat.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.enable-nat.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables NAT for clients in the thin clients network
+After=remote-fs.target network-online.target
+Wants=remote-fs.target
+ConditionFileIsExecutable=/usr/sbin/iptables
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/nat enable
+ExecStop=/usr/share/debian-edu-config/tools/nat disable
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.fetch-ldap-cert debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.fetch-ldap-cert
--- debian-edu-config-2.12.32/debian/debian-edu-config.fetch-ldap-cert 2023-01-30 14:36:07.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.fetch-ldap-cert 1970-01-01 01:00:00.000000000 +0100
@@ -1,135 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: fetch-ldap-cert
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Should-Start: $network $syslog $named slapd
-# Default-Start: 2 3 4 5
-# Default-Stop:
-# Short-Description: Fetch LDAP SSL public key from the server
-# Description:
-# Start before krb5-kdc to give slapd time to become operational
-# before krb5-kdc try to connect to the LDAP server as a workaround
-# for #589915.
-# X-Start-Before: isc-dhcp-server krb5-kdc nslcd
-### END INIT INFO
-#
-# Author: Petter Reinholdtsen <pere@hungry.com>
-# Date: 2007-06-09
-#
-# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
-# Date: 2022-01-06
-
-###
-### FIXME: Legacy init script for Debian Edu clients.
-###
-### --- Remove for Debian Edu bookworm+1 ---
-###
-### Warning: Removing this script will drop support for clients running
-### against Debian Edu main servers based on Debian Edu stretch and
-### earlier.
-###
-
-set -e
-
-. /lib/lsb/init-functions
-
-CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-
-do_start() {
-
- # Locate LDAP server
- LDAPSERVER=$(debian-edu-ldapserver)
- LDAPPORT=636 # ldaps
- ERROR=false
-
- ###
- ### PHASE 1: LDAP server cert retrieval
- ###
-
- if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
-
- # LDAP server host not known/found, bailing out...
- if [ -z "$LDAPSERVER" ] ; then
- msg="Failed to locate LDAP server"
- log_action_begin_msg "$msg"
- log_action_end_msg 1
- logger -t fetch-ldap-cert "$msg."
- return 1
- fi
-
- [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-
- # Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
- /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
- chmod 644 $CERTFILE.new
-
- if test -s $CERTFILE.new ; then
- mv $CERTFILE.new $CERTFILE
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
- else
- # We obviously have failed in some way if the CERTFILE.new is empty (zero size).
- # Something went wrong, if we end up here...
- rm -f $CERTFILE.new
- log_action_end_msg 1
- logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
- ERROR=true
- fi
-
- fi
-
- ###
- ### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
- ###
-
- if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
-
- # Loop over all to be found LTSP chroots...
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-
- if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
- # likely not a chroot dir, skipping...
- continue
- fi
-
- # Only install the CERTFILE into this chroot, if not already present...
- if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
-
- # Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
- # certificate.
- log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
- [ "$VERBOSE" != no ] &&
- if test -s $CERTFILE; then
- cp $CERTFILE $ltsp_chroot$CERTFILE
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- else
- log_action_end_msg 1
- ERROR=true
- fi
- fi
-
- done
- fi
-
- if [ "$ERROR" = "true" ]; then
- return 1
- fi
-}
-
-case "$1" in
- start)
- do_start
- ;;
- stop)
- ;;
- restart|force-reload)
- ;;
- *)
- echo "Usage: $0 {start|stop|restart|force-reload}"
- exit 2
-esac
-
-exit 0
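Review bot: the FIXME block in the removed script says "Remove for Debian Edu bookworm+1" and warns that removal drops support for clients running against main servers based on Debian Edu stretch and earlier, yet this upload targets bookworm itself. Please make sure the changelog states that this support is dropped one release earlier than the FIXME announced, so admins with such main servers are not surprised by a stable update.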
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.fetch-rootca-cert
--- debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.fetch-rootca-cert 2023-09-27 22:34:54.000000000 +0200
@@ -19,68 +19,10 @@
. /lib/lsb/init-functions
-if [ -r /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
-LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
-
-do_start() {
-
- ERROR=false
-
- # Remove no longer used certificate file
- rm -f $BUNDLECRT
-
- # RootCA cert retrieval (avoid execution on the main server, things are in place)
- if echo "$PROFILE" | egrep -q 'Main-Server' ; then
- logger -t fetch-rootca-cert "Running on the main server, exiting."
- exit 0
- fi
- if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
- # Since Debian Edu 10, the RootCA file is distributed
- # over http (always via the host serving www.intern, by default: TJENER)
- #
- # We do an availability check for the webserver first, to provide proper
- # error reporting (see below). So, the following check merely discovers,
- # if the webserver is online at all.
- if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
- # Now let's see if the webserver has the "Debian Edu RootCA" file.
- # This has been the case for Debian Edu main servers (TJENER) since
- # Debian Edu 10.1.
- if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
- grep -q CERTIFICATE $LOCALCACRT ; then
- # Make rootCA certificate available in /etc/ssl/certs/
- ln -nsf $LOCALCACRT $ROOTCACRT
- # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
- update-ca-certificates
- logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
- else
- # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
- # 404 http error message in html.
- rm -f $LOCALCACRT
- rm -f $ROOTCACRT
- logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
- fi
- else
- # Report an error, if www.intern is down http-wise. This can happen and is probably
- # a temporary problem that needs an admin to fix it.
- log_action_end_msg 1
- logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
- ERROR=true
- fi
- fi
-
- if $ERROR; then
- return 1
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/fetch-rootca-cert
+ exit $?
;;
stop)
;;
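Review bot: the removed do_start() fetched the root CA with `curl -fk` and validated the result only with `grep -q CERTIFICATE`, and that logic now lives in tools/fetch-rootca-cert, which this hunk does not show. Since the file becomes a system-wide trust anchor through update-ca-certificates, the new tool deserves a close look for the same safeguards (skip on Main-Server, remove the file after a failed download). Also, only this init script propagates the tool's status with `exit $?`; the chromium-ldapconf and firefox-ldapconf init scripts do not, which is worth making consistent.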
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.fetch-rootca-cert.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.fetch-rootca-cert.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,13 @@
+[Unit]
+Description=Fetch Debian Edu rootCA certificate from the main server
+After=remote-fs.target network-online.target
+Before=nslcd.service
+Wants=remote-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/fetch-rootca-cert
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
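Review bot: After= lists network-online.target but Wants= only pulls in remote-fs.target. After= is ordering only, so nothing in this unit requests network-online.target, unlike chromium-ldapconf.service and firefox-ldapconf.service, which carry Wants=network-online.target. As the removed init code downloaded the certificate from www.intern, add Wants=network-online.target here; enable-nat.service has the same After=/Wants= combination.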
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.firefox-ldapconf
--- debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.firefox-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -20,31 +20,9 @@
. /lib/lsb/init-functions
-if [ -e /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-do_start() {
- # Skip this on LTSP chroots
- if [ -e /etc/ltsp_chroot ] ; then
- return
- fi
-
- # Only networked profiles use LDAP
- if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
- /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
- fi
-
- if echo "$PROFILE" | grep -q LTSP-Server && [ -d /opt/ltsp ] ; then
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
- chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
- done
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/firefox-ldapconf
;;
stop)
;;
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf.service debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.firefox-ldapconf.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.firefox-ldapconf.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
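Review bot: After= still names fetch-ldap-cert.service, but this upload deletes the fetch-ldap-cert init script and drops its dh_installinit call, so the ordering refers to a unit the package no longer provides. If the intent is to wait for the certificate, fetch-rootca-cert.service is the unit shipped now. The same After= line is in chromium-ldapconf.service.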
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.lintian-overrides debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.lintian-overrides
--- debian-edu-config-2.12.32/debian/debian-edu-config.lintian-overrides 2023-01-30 14:31:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.lintian-overrides 2023-09-27 22:34:54.000000000 +0200
@@ -5,39 +5,20 @@
debian-edu-config: debconf-is-not-a-registry [usr/share/debian-edu-config/tools/edu-icinga-setup:24]
debian-edu-config: debconf-is-not-a-registry [usr/share/debian-edu-config/tools/kerberos-kdc-init:31]
debian-edu-config: debconf-is-not-a-registry [usr/share/debian-edu-config/tools/run-at-firstboot:11]
-debian-edu-config: missing-systemd-service-for-init.d-script chromium-ldapconf [etc/init.d/chromium-ldapconf]
-debian-edu-config: missing-systemd-service-for-init.d-script enable-nat [etc/init.d/enable-nat]
-debian-edu-config: missing-systemd-service-for-init.d-script fetch-ldap-cert [etc/init.d/fetch-ldap-cert]
-debian-edu-config: missing-systemd-service-for-init.d-script fetch-rootca-cert [etc/init.d/fetch-rootca-cert]
-debian-edu-config: missing-systemd-service-for-init.d-script firefox-ldapconf [etc/init.d/firefox-ldapconf]
debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/chromium-ldapconf]
-debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/fetch-ldap-cert]
debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/fetch-rootca-cert]
debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/firefox-ldapconf]
debian-edu-config: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [postinst:177]
debian-edu-config: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [postinst:182]
debian-edu-config: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [postinst:184]
-debian-edu-config: unused-debconf-template debian-edu-config/first-user-fullname [templates:471]
-debian-edu-config: unused-debconf-template debian-edu-config/first-user-name [templates:465]
-debian-edu-config: unused-debconf-template debian-edu-config/first-user-password [templates:477]
+debian-edu-config: unused-debconf-template debian-edu-config/first-user-fullname [templates:491]
+debian-edu-config: unused-debconf-template debian-edu-config/first-user-name [templates:485]
+debian-edu-config: unused-debconf-template debian-edu-config/first-user-password [templates:497]
debian-edu-config: unused-debconf-template debian-edu-config/kdc-password [templates:71]
-debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-again [templates:148]
-debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-empty [templates:227]
-debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-mismatch [templates:188]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password [templates:268]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-again [templates:345]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-empty [templates:424]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-mismatch [templates:385]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:117]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:122]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:124]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:127]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:128]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:182]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:183]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:184]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:198]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/tools/gosa-create:32]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/tools/gosa-remove:34]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/tools/gosa-remove:38]
-debian-edu-config: bash-term-in-posix-shell '$UID' [usr/share/debian-edu-config/tools/kerberos-kdc-init:253]
+debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-again [templates:152]
+debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-empty [templates:235]
+debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-mismatch [templates:194]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password [templates:278]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-again [templates:359]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-empty [templates:442]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-mismatch [templates:401]
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.maintscript debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.maintscript
--- debian-edu-config-2.12.32/debian/debian-edu-config.maintscript 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.maintscript 2023-09-27 22:34:54.000000000 +0200
@@ -2,3 +2,4 @@
rm_conffile /share/debian-edu-config/debian-edu.ldapscripts.passwd 2.12.5
rm_conffile /etc/cfengine3/debian-edu/cf.ldapscripts 2.12.5
dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.12.17
+rm_conffile /etc/init.d/fetch-ldap-cert 2.12.33
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.postinst debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.postinst
--- debian-edu-config-2.12.32/debian/debian-edu-config.postinst 2022-06-13 12:36:44.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.postinst 2023-09-27 22:34:54.000000000 +0200
@@ -94,9 +94,9 @@
# start the enable-nat init script if we have a ltspserver
-if [ -f /etc/debian-edu/config ] && egrep -q "(LTSP-Server|Thin-Client-Server)" /etc/debian-edu/config ; then
+if [ -f /etc/debian-edu/config ] && grep -Eq "(LTSP-Server|Thin-Client-Server)" /etc/debian-edu/config ; then
if ! grep -q Main-Server /etc/debian-edu/config ; then
- if [ -x "`which invoke-rc.d 2>/dev/null`" ] ; then
+ if command -v invoke-rc.d >/dev/null; then
invoke-rc.d enable-nat start || exit $?
else
/etc/init.d/enable-nat start || exit $?
@@ -197,6 +197,13 @@
rmdir /etc/smbldap-tools
fi
fi
+ # Unregister init script fetch-ldap-cert
+ if dpkg --compare-versions "$2" le "2.12.33"; then
+ update-rc.d -f fetch-ldap-cert remove
+ fi
+
+ # Update dconf databases
+ command -v dconf >/dev/null && dconf update
;;
esac
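Review bot: `dpkg --compare-versions "$2" le "2.12.33"` is also true when "$2" is empty, because `le` treats an empty version as earlier than any version, so `update-rc.d -f fetch-ldap-cert remove` runs on fresh installs too; `le-nl` avoids that. For the dconf line, `if command -v dconf >/dev/null; then dconf update; fi` would match the `if command -v invoke-rc.d` style used earlier in this file and does not leave a non-zero status behind when dconf is absent.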
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.postrm debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.postrm
--- debian-edu-config-2.12.32/debian/debian-edu-config.postrm 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.postrm 2023-09-27 22:34:54.000000000 +0200
@@ -5,8 +5,9 @@
case "$1" in
remove)
# Calling the init script during removal
- if [ -x "/etc/init.d/enable-nat" ] ; then
- if [ -x "`which invoke-rc.d 2>/dev/null`" ] ; then
+ if systemctl list-unit-files -q enable-nat >/dev/null 2>&1 || \
+ [ -x "/etc/init.d/enable-nat" ] ; then
+ if command -v invoke-rc.d >/dev/null ; then
invoke-rc.d enable-nat stop || exit $?
else
/etc/init.d/enable-nat stop || exit $?
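Review bot: `systemctl list-unit-files -q enable-nat` passes the name without a unit suffix. Please check that this pattern matches enable-nat.service at all; if it is compared against the full unit file name, the test never succeeds and the branch still depends on /etc/init.d/enable-nat alone. Writing enable-nat.service removes the doubt; debian-edu-config.prerm has the same line.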
@@ -17,6 +18,9 @@
rm -rf /var/lib/cfengine3/inputs/
mkdir /var/lib/cfengine3/inputs/
fi
+
+ # Update dconf databases
+ command -v dconf >/dev/null && dconf update
;;
purge)
# remove user/group debian-edu from system
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.prerm debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.prerm
--- debian-edu-config-2.12.32/debian/debian-edu-config.prerm 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/debian-edu-config.prerm 2023-09-27 22:34:54.000000000 +0200
@@ -5,7 +5,8 @@
case "$1" in
remove)
# Calling the init script during removal
- if [ -x "/etc/init.d/enable-nat" ] ; then
+ if systemctl list-unit-files -q enable-nat >/dev/null 2>&1 || \
+ [ -x "/etc/init.d/enable-nat" ] ; then
if command -v invoke-rc.d >/dev/null ; then
invoke-rc.d enable-nat stop || exit $?
else
diff -Nru debian-edu-config-2.12.32/debian/dirs debian-edu-config-2.12.40~deb12u1/debian/dirs
--- debian-edu-config-2.12.32/debian/dirs 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/debian/dirs 2023-09-27 22:34:54.000000000 +0200
@@ -5,6 +5,11 @@
etc/chromium/policies/managed
etc/cron.d
etc/cups
+etc/dconf
+etc/dconf/profile
+etc/dconf/db
+etc/dconf/db/local.d
+etc/dconf/db/site.d
etc/debian-edu
etc/default
etc/exports.d
diff -Nru debian-edu-config-2.12.32/debian/rules debian-edu-config-2.12.40~deb12u1/debian/rules
--- debian-edu-config-2.12.32/debian/rules 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/rules 2023-09-27 22:34:54.000000000 +0200
@@ -10,13 +10,22 @@
override_dh_installinit:
# Start it after 15bind9 and 19slapd
- dh_installinit --init-script fetch-ldap-cert -r --no-start
dh_installinit --init-script fetch-rootca-cert -r --no-start
# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure
dh_installinit --init-script firefox-ldapconf -r --no-start
dh_installinit --init-script chromium-ldapconf -r --no-start
dh_installinit --init-script enable-nat --no-start
+override_dh_installsystemd:
+ dh_installsystemd --no-start --name chromium-ldapconf
+ dh_installsystemd --no-start --name enable-nat
+ dh_installsystemd --no-start --name fetch-rootca-cert
+ dh_installsystemd --no-start --name firefox-ldapconf
+ dh_installsystemd --no-start --name debian-edu-fsautoresize
+ dh_installsystemd --no-start --name debian-edu-update-netblock
+ dh_installsystemd --no-start --name debian-edu-cups-queue-autoflush
+ dh_installsystemd --no-start --name debian-edu-cups-queue-autoreenable
+
override_dh_installman:
dh_installman
help2man -N -n "ldap-add-host-to-netgroup - Adds a host as a member in the given netgroup" \
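Review bot: all eight dh_installsystemd calls use --no-start, which also applies to the new timer-driven names, while the cron.daily and cron.hourly scripts now exit immediately on systemd hosts. After an upgrade neither the cron job nor the timer would run fsautoresize or the CUPS queue helpers until the next reboot. Consider dropping --no-start for the four timer-driven names, or document the gap. The context comment that still mentions 95fetch-ldap-cert is stale now that the script is gone.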
diff -Nru debian-edu-config-2.12.32/debian/tests/configure-edu-gateway debian-edu-config-2.12.40~deb12u1/debian/tests/configure-edu-gateway
--- debian-edu-config-2.12.32/debian/tests/configure-edu-gateway 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/tests/configure-edu-gateway 1970-01-01 01:00:00.000000000 +0100
@@ -1,14 +0,0 @@
-#!/bin/sh
-set -e
-
-export LC_ALL=C
-export PROFILE=Minimal
-export DESKTOP=none
-
-echo
-echo "Install Debian Edu chroot using profile $PROFILE, then run a script"
-echo "to turn this minimal system into a dedicated gateway."
-echo
-cd $AUTOPKGTEST_TMP
-PROFILE=$PROFILE DESKTOP=$DESKTOP /usr/share/debian-edu-config/tools/debian-edu-bless
-/usr/share/debian-edu-config/tools/configure-edu-gateway --firewall no
diff -Nru debian-edu-config-2.12.32/debian/tests/control debian-edu-config-2.12.40~deb12u1/debian/tests/control
--- debian-edu-config-2.12.32/debian/tests/control 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/debian/tests/control 2023-09-27 22:34:54.000000000 +0200
@@ -1,3 +1,3 @@
-Tests: install-task-pkgs, improve-desktop-l10n, configure-edu-gateway
+Tests: install-task-pkgs, improve-desktop-l10n
Depends: debian-edu-install, education-common, locales
Restrictions: needs-root allow-stderr
diff -Nru debian-edu-config-2.12.32/etc/cups/cups-files-debian-edu.conf debian-edu-config-2.12.40~deb12u1/etc/cups/cups-files-debian-edu.conf
--- debian-edu-config-2.12.32/etc/cups/cups-files-debian-edu.conf 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/etc/cups/cups-files-debian-edu.conf 2023-09-27 22:34:54.000000000 +0200
@@ -1,4 +1,4 @@
-SystemGroup lpadmin printer-admins
+SystemGroup root lpadmin printer-admins
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/page_log
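Review bot: Adding root to SystemGroup extends the list of groups CUPS treats as printer administrators, and nothing in the file says why. A one-line comment above the directive naming the use case would let a later reader judge whether the entry is still needed.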
diff -Nru debian-edu-config-2.12.32/etc/dconf/profile/user debian-edu-config-2.12.40~deb12u1/etc/dconf/profile/user
--- debian-edu-config-2.12.32/etc/dconf/profile/user 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/etc/dconf/profile/user 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,3 @@
+user-db:user
+system-db:local
+system-db:site
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert
--- debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert 2014-12-01 14:47:49.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert 1970-01-01 01:00:00.000000000 +0100
@@ -1,25 +0,0 @@
-#!/bin/sh
-# Make sure LDAP certificate is downloaded when the network become
-# available, if the init.d script failed to fetch it at boot.
-
-if [ -r /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-if [ false = "$DHCP_FETCH_LDAP_CERT" ] ; then
- exit 0
-fi
-
-# Avoid dependency loop by not calling init.d script when dhclient is
-# called by init.d/networking. Workaround for BTS issue #754218.
-if [ -d /run/systemd/system ]; then
- systemctl list-jobs | grep -q network.target && exit 0
-fi
-
-case $reason in
- BOUND|RENEW|REBIND|REBOOT)
- /etc/init.d/fetch-ldap-cert start
- ;;
- EXPIRE|FAIL|RELEASE|STOP)
- ;;
-esac
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert
--- debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Make sure the DebianEdu root certificate is downloaded when the network
+# becomes available, if the init system service failed to fetch it at boot.
+
+if [ -r /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Avoid dependency loop by not calling init system service when dhclient is
+# called by init.d/networking. Workaround for BTS issue #754218.
+if [ -d /run/systemd/system ]; then
+ systemctl list-jobs | grep -q network.target && exit 0
+fi
+
+case $reason in
+ BOUND|RENEW|REBIND|REBOOT)
+ /usr/share/debian-edu-config/tools/fetch-rootca-cert
+ ;;
+ EXPIRE|FAIL|RELEASE|STOP)
+ ;;
+esac
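Review bot: The new hook still sources /etc/debian-edu/config but no longer uses anything from it; the DHCP_FETCH_LDAP_CERT=false opt-out honoured by the removed fetch-ldap-cert hook has no counterpart here. Either keep an equivalent switch so that sites which disabled the fetch stay disabled after the upgrade, or drop the sourcing block. Quoting "$reason" in the case statement would also be more robust.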
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/hostname debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhclient-exit-hooks.d/hostname
--- debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/hostname 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhclient-exit-hooks.d/hostname 2023-09-27 22:34:54.000000000 +0200
@@ -19,10 +19,10 @@
. /etc/debian-edu/config
fi
-if echo "$PROFILE" | egrep -q 'Main-Server|Roaming-Workstation|Standalone' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Roaming-Workstation|Standalone' ; then
exit 0
else
- if echo "$PROFILE" | egrep -q 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
+ if echo "$PROFILE" | grep -Eq 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
:
fi
fi
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhcpd-debian-edu.conf debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhcpd-debian-edu.conf
--- debian-edu-config-2.12.32/etc/dhcp/dhcpd-debian-edu.conf 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/etc/dhcp/dhcpd-debian-edu.conf 2023-09-27 22:34:54.000000000 +0200
@@ -1,5 +1,5 @@
lease-file-name "/var/lib/dhcp/dhcpd.leases";
-ldap-server "ldap";
+ldap-server "ldap.intern";
ldap-port 389;
ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
ldap-dhcp-server-cn "tjener";
diff -Nru debian-edu-config-2.12.32/etc/exim4/exim-ldap-client-v4.conf debian-edu-config-2.12.40~deb12u1/etc/exim4/exim-ldap-client-v4.conf
--- debian-edu-config-2.12.32/etc/exim4/exim-ldap-client-v4.conf 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/etc/exim4/exim-ldap-client-v4.conf 2023-09-27 22:34:54.000000000 +0200
@@ -13,6 +13,10 @@
LOCALHOST = 127.0.0.1/8
+# intentialnally empty (the default value) in order to prevent
+# constant warning messages in the log file
+keep_environment =
+
# These options specify the Access Control Lists (ACLs) that
# are used for incoming SMTP messages - after the RCPT and DATA
# commands, respectively.
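Review bot: The added comment misspells "intentionally" as "intentialnally". It would also help to name the warning being silenced, so the empty keep_environment setting is not later mistaken for an oversight.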
diff -Nru debian-edu-config-2.12.32/etc/ifplugd/ifplugd.action debian-edu-config-2.12.40~deb12u1/etc/ifplugd/ifplugd.action
--- debian-edu-config-2.12.32/etc/ifplugd/ifplugd.action 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/etc/ifplugd/ifplugd.action 2023-09-27 22:34:54.000000000 +0200
@@ -30,13 +30,11 @@
$WHEREAMI --syslog --run_from ifplugd --hint $1,$2
else
if [ "$2" = "up" ]; then
- [ -x /etc/init.d/wlan ] && /etc/init.d/wlan up $1
/sbin/ifup $1
exit $?
elif [ "$2" = "down" ]; then
/sbin/ifdown $1
sleep 5
- [ -x /etc/init.d/wlan ] && /etc/init.d/wlan down $1
exit $?
fi
fi
diff -Nru debian-edu-config-2.12.32/etc/insserv/overrides/ntp debian-edu-config-2.12.40~deb12u1/etc/insserv/overrides/ntp
--- debian-edu-config-2.12.32/etc/insserv/overrides/ntp 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/etc/insserv/overrides/ntp 1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-# BTS #585772
-### BEGIN INIT INFO
-# Provides: ntp
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop: $network $remote_fs $syslog
-# Should-Start: $named
-# Default-Start: 2 3 4 5
-# Default-Stop:
-# Short-Description: Start NTP daemon
-### END INIT INFO
diff -Nru debian-edu-config-2.12.32/etc/ldap/rootDSE-debian-edu.ldif debian-edu-config-2.12.40~deb12u1/etc/ldap/rootDSE-debian-edu.ldif
--- debian-edu-config-2.12.32/etc/ldap/rootDSE-debian-edu.ldif 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/etc/ldap/rootDSE-debian-edu.ldif 2023-09-27 22:34:54.000000000 +0200
@@ -1,5 +1,5 @@
# This entry is available using
-# ldapsearch -LLL -h ldap -s base -b '' -x '*' +
+# ldapsearch -LLL -H ldap://ldap -s base -b '' -x '*' +
dn:
objectClass: labeledURIObject
labeledURI: http://www.skolelinux.org/ LDAP for Debian Edu/Skolelinux
diff -Nru debian-edu-config-2.12.32/etc/ntpsec/ntp.d/debian-edu.conf debian-edu-config-2.12.40~deb12u1/etc/ntpsec/ntp.d/debian-edu.conf
--- debian-edu-config-2.12.32/etc/ntpsec/ntp.d/debian-edu.conf 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/etc/ntpsec/ntp.d/debian-edu.conf 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,2 @@
+server 127.127.1.0 #local clock as fallback
+refclock local stratum 10 #not disciplined
diff -Nru debian-edu-config-2.12.32/etc/X11/Xsession.d/09debian-edu-missing-home debian-edu-config-2.12.40~deb12u1/etc/X11/Xsession.d/09debian-edu-missing-home
--- debian-edu-config-2.12.32/etc/X11/Xsession.d/09debian-edu-missing-home 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/etc/X11/Xsession.d/09debian-edu-missing-home 2023-09-27 22:34:54.000000000 +0200
@@ -4,7 +4,7 @@
# Should not run on Main-Server, Roaming-Workstation and Standalone
if [ -r /etc/debian-edu/config ] ; then
. /etc/debian-edu/config
- if echo "$PROFILE" | egrep -q 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
+ if echo "$PROFILE" | grep -Eq 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
if [ ! -d $HOME -o / = "$HOME" ] ; then
cat <<EOF | \
xmessage -buttons Understood:0 -timeout 30 -center -file -
diff -Nru debian-edu-config-2.12.32/ldap-bootstrap/firstuser.ldif debian-edu-config-2.12.40~deb12u1/ldap-bootstrap/firstuser.ldif
--- debian-edu-config-2.12.32/ldap-bootstrap/firstuser.ldif 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/ldap-bootstrap/firstuser.ldif 2023-09-27 22:34:54.000000000 +0200
@@ -15,8 +15,8 @@
userPassword: $FIRSTUSERPWDHASH
homeDirectory: /skole/tjener/home0/$FIRSTUSERNAME
loginShell: /bin/bash
-uidNumber: 1000
-gidNumber: 1000
+uidNumber: 2000
+gidNumber: 2000
gecos: $FIRSTUSERGECOS
shadowLastChange: 14818
@@ -25,4 +25,4 @@
objectClass: posixGroup
cn: $FIRSTUSERNAME
description: Group of user $FIRSTUSERNAME
-gidNumber: 1000
+gidNumber: 2000
diff -Nru debian-edu-config-2.12.32/ldap-bootstrap/gosa.ldif debian-edu-config-2.12.40~deb12u1/ldap-bootstrap/gosa.ldif
--- debian-edu-config-2.12.32/ldap-bootstrap/gosa.ldif 2023-02-06 21:22:13.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/ldap-bootstrap/gosa.ldif 2023-09-27 22:34:54.000000000 +0200
@@ -126,6 +126,13 @@
memberUid: $FIRSTUSERNAME
+################### Incoming Arp Devices ##############
+
+dn: ou=incoming,dc=skole,dc=skolelinux,dc=no
+objectClass: organizationalUnit
+ou: incoming
+
+
################### Templates ########################
# Groups and user templates for teachers and students
diff -Nru debian-edu-config-2.12.32/ldap-bootstrap/root.ldif debian-edu-config-2.12.40~deb12u1/ldap-bootstrap/root.ldif
--- debian-edu-config-2.12.32/ldap-bootstrap/root.ldif 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/ldap-bootstrap/root.ldif 2023-11-30 08:36:09.000000000 +0100
@@ -29,7 +29,7 @@
ou: skole
o: skole.skolelinux.no
labeledURI: https://www/ LDAP for Debian Edu/Skolelinux
-gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
+gosaAclEntry: 0:psub:$GOSAADMINSDN64:all/all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r
gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw
gosaAclEntry: 3:role:$ADMINROLEDN64:
diff -Nru debian-edu-config-2.12.32/ldap-tools/ldap-createuser-krb5 debian-edu-config-2.12.40~deb12u1/ldap-tools/ldap-createuser-krb5
--- debian-edu-config-2.12.32/ldap-tools/ldap-createuser-krb5 2023-01-30 14:31:55.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/ldap-tools/ldap-createuser-krb5 2023-09-27 22:34:54.000000000 +0200
@@ -5,26 +5,75 @@
# users at the same time to LDAP, as the uid and gid values will
# conflict.
-# The samba related attributes are described in
-# <URL: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc43 >
-
set -e
+function usage {
+ cat >&2 <<EOF
+Usage: $0 [-u uid] [-g gid] [-G group[,group]...] [-d department] <username> <gecos>
+ Create a user with a personal group and configure its kerberos
+ principal.
+EOF
+}
+
+if [[ $(id -u) -ne 0 ]]; then
+ printf "error: this script needs to be run as root\n" >&2
+ exit 1
+fi
+
+NEWUID=
+NEWGID=
+ADDITIONAL_GROUPS=
+DEPT=
+while getopts "d:hg:G:u:" arg; do
+ case $arg in
+ d)
+ DEPT="${OPTARG}"
+ ;;
+ g)
+ NEWGID="${OPTARG}"
+ ;;
+ G)
+ ADDITIONAL_GROUPS="${OPTARG}"
+ ;;
+ u)
+ NEWUID="${OPTARG}"
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ exit 2
+ esac
+done
+shift $((OPTIND - 1))
+
USERNAME="$1"
+
# posixAccount only accept ASCII in the gecos attribute. Make sure
# any non-ascii characters are converted apprpropriately.
GECOS="$(echo $2 | iconv -t ASCII//TRANSLIT)"
-if [ -z "$USERNAME" -o -z "$GECOS" ] ; then
- echo "Usage: $0 <username> <gecos>"
- echo
- echo " Create a user with a personal group and configure its kerberos"
- echo " principal."
+if [[ $# -ne 2 || -z "$USERNAME" || -z "$GECOS" ]]; then
+ usage
exit 1
fi
-# Put users in first gosaDepartment
-BASE=$(ldapsearch -x "(objectClass=gosaDepartment)" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}' | sort | head -1)
+read -rs -p "new user password: " PASSWORD
+echo
+read -rs -p "confirm password: " CONFIRM
+if [[ "${CONFIRM}" != "${PASSWORD}" ]]; then
+ echo "passwords do not match" >&2
+ exit 1
+fi
+
+if [[ -n $DEPT ]]; then
+ BASE="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=gosaDepartment)(ou:dn:=${DEPT}))" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)"
+else
+ # Put users in first gosaDepartment
+ BASE=$(ldapsearch -x -LLL -o ldif-wrap=no "(objectClass=gosaDepartment)" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)
+fi
if [ -z "$BASE" ] ; then
BASE="$(debian-edu-ldapserver -b)"
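Review bot: The -d value goes into the search filter unescaped, in (&(objectClass=gosaDepartment)(ou:dn:=${DEPT})), so a department name containing (, ), * or \ alters the filter instead of matching literally; escape those characters per RFC 4515 or reject them before the ldapsearch call. Two smaller points in the same hunk: an empty password passes the confirmation check, and there is no echo after the second read -rs, so the next output starts on the prompt line.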
@@ -39,48 +88,14 @@
admindn=$(ldapsearch -x "(&(cn=$ADMINUSER)(objectClass=simpleSecurityObject))" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}')
HOMEDIR=/skole/tjener/home0/$USERNAME
-SMBHOMEPATH="\\\\tjener.intern\\$USERNAME"
KRB5DOMAIN=INTERN
-SAMBADOMAIN=SKOLELINUX
PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
-# Find last UID/GID
-SAMBASID=`net getlocalsid $HOSTNAME 2>/dev/null | awk '{ print $6; }'`
-
-if [ -z "$SAMBASID" ] ; then
- echo "error: unable to fetch Samba SID"
- exit 1
-fi
-
-SAMBADOMAINDN=$(ldapsearch -x -s sub \
- "(&(objectclass=sambaDomain)(sambaDomainName=$SAMBADOMAIN))" \
- dn 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^dn: / { print $2}')
-
-if [ -z "$SAMBADOMAINDN" ] ; then
- echo "error: unable to find sambaDomain LDAP object"
- exit 1
-fi
-
-SAMBARID=$(ldapsearch -s base -b "$SAMBADOMAINDN" -x \
- sambaNextRid 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^sambaNextRid: / { print $2}')
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=2000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=2000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
-if [ -z "$SAMBARID" ] ; then
- echo "error: unable to find sambaNextRid LDAP attribute in $SAMBADOMAINDN"
- exit 1
-fi
-
-NEXTRID=$(( $SAMBARID + 1 ))
-
-LASTID=$(ldapsearch -s sub -x \
- '(|(objectclass=posixaccount)(objectclass=posixgroup))' \
- uidnumber gidnumber 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')
-
-# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
+# If no ID was found, use LASTID=2000-1 to get uid/gid=2000
if [ -z "$LASTID" ] ; then
- LASTID=999
+ LASTID=1999
fi
NEWUID=$(( $LASTID + 1 ))
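Review bot: The context line NEWUID=$(( $LASTID + 1 )) still assigns unconditionally, so a value passed with the new -u option is overwritten here; compute it only when NEWUID is empty (the NEWGID assignment is outside the visible lines and deserves the same check). Also, the new LASTID search caps IDs at 10000: once an entry holds 10000 the script assigns 10001, which the filter no longer sees, so the following run would pick 10001 again. Fail with an error when LASTID reaches the upper bound.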
@@ -92,6 +107,8 @@
ldif="$ldif
dn: cn=$USERNAME,$GROUPBASE
+changetype: add
+objectClass: top
objectClass: posixGroup
cn: $USERNAME
description: Private group of user $USERNAME
@@ -99,21 +116,26 @@
"
fi
+USER_PASSWORD="$(slappasswd -h '{CRYPT}' -c '$y$j9T$%.16s$' -T /dev/stdin <<<"${PASSWORD}")"
+
ldif="$ldif
dn: uid=$USERNAME,$USERBASE
+changetype: add
+objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
+objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
-objectClass: sambaSamAccount
+objectClass: krbTicketPolicyAux
sn: $GECOS
givenName: $GECOS
uid: $USERNAME
cn: $GECOS
-userPassword: {SSHA}N0T$3T4N0W
+userPassword: $USER_PASSWORD
homeDirectory: $HOMEDIR
loginShell: /bin/bash
uidNumber: $NEWUID
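Review bot: On the USER_PASSWORD line the password reaches slappasswd through a here-string, which appends a newline, and -T hashes the contents of the file it is given. Please confirm that the trailing newline does not end up in the {CRYPT} hash, otherwise the LDAP userPassword and the Kerberos password set later from ${PASSWORD} would differ. Piping printf '%s' "${PASSWORD}" into slappasswd -T /dev/stdin avoids the question.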
@@ -123,30 +145,67 @@
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
-sambaSID: $SAMBASID-$SAMBARID
-sambaAcctFlags: [U]
-sambaHomePath: SMBHOMEPATH
+krbPwdPolicyReference: cn=users,cn=${KRB5DOMAIN},cn=kerberos,$(debian-edu-ldapserver -b)
krbPrincipalName: $USERNAME@$KRB5DOMAIN
"
-# Update samba RIN
-ldif="$ldif
-dn: $SAMBADOMAINDN
+oIFS="${IFS}"
+IFS=","
+set -- $ADDITIONAL_GROUPS
+IFS="${oIFS}"
+for group; do
+ group_dn="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=posixGroup)(cn=$group))" '')"
+ if [ -z "${group_dn}" ]; then
+ echo "group not found: ${group}" >&2
+ continue
+ fi
+ ldif="$ldif
+
+$group_dn
changetype: modify
-replace: sambaNextRid
-sambaNextRid: $NEXTRID
+add: memberUid
+memberUid: $USERNAME
"
+done
echo "$ldif"
-if echo "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then
+if echo "$ldif" | ldapmodify -ZZ -D "$admindn" -W -v -x ; then
# Set the kerberos password
- kadmin.local -q "change_password $USERNAME@$KRB5DOMAIN"
+ kadmin.local <<EOF
+change_password $USERNAME@$KRB5DOMAIN
+${PASSWORD}
+${PASSWORD}
+EOF
# Create home directory
if [ ! -d $HOMEDIR ] ; then
- cp -r /etc/skel $HOMEDIR
- chown -R $NEWUID:$NEWGID $HOMEDIR
+ cp -r /etc/skel $HOMEDIR
+ mkdir -p $HOMEDIR/.pki/nssdb
+ chmod -R 700 $HOMEDIR/.pki/nssdb
+ certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+ chown -R $NEWUID:$NEWGID $HOMEDIR
fi
+
+ # add Samba user
+ smbpasswd -a -n -s $USERNAME
+
+ # Send welcome mail in order to create maildir for dovecot
+ /usr/lib/sendmail "${USERNAME}@postoffice.intern" <<EOF
+Subject: Welcome to the mail-system
+
+Hello $GECOS,
+
+welcome to the mail-system.
+
+Your userID is $USERNAME, and your email address is:
+
+ $USERNAME@postoffice.intern
+
+Regards,
+
+ Debian-Edu SysAdmin
+
+EOF
fi
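Review bot: In the group loop the raw ldapsearch output is pasted into the LDIF as $group_dn, so a cn that matches more than one posixGroup entry puts two dn: lines ahead of a single changetype: modify and makes the LDIF malformed. Extract exactly one DN (as the BASE lookup does with awk and head -1) and escape $group in the filter. Since echo "$ldif" prints the userPassword hash to the terminal, consider dropping or redacting that output, and quote $USERNAME and $HOMEDIR in the smbpasswd, cp, certutil and chown calls.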
diff -Nru debian-edu-config-2.12.32/ldap-tools/ldap-debian-edu-install debian-edu-config-2.12.40~deb12u1/ldap-tools/ldap-debian-edu-install
--- debian-edu-config-2.12.32/ldap-tools/ldap-debian-edu-install 2022-10-17 21:55:44.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/ldap-tools/ldap-debian-edu-install 2023-09-27 22:34:54.000000000 +0200
@@ -363,7 +363,7 @@
mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
certutil -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
+ chown -R 2000:2000 /skole/tjener/home0/"$FIRSTUSERNAME"/
echo "info: created PKI nssdb files for first-user"
fi
diff -Nru debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts debian-edu-config-2.12.40~deb12u1/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts
--- debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically flush print queues every night if the
+ # host is a member of the cups-queue-autoflush-hosts netgroup.
+ if innetgr -h $hostname cups-queue-autoflush-hosts ; then
+ exec /usr/share/debian-edu-config/tools/cups-queue-autoflush
+ fi
+
+done
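Review bot: Unlike the autoreenable and fsautoresize wrappers added alongside it, this script does not test that /usr/share/debian-edu-config/tools/cups-queue-autoflush is executable before the exec. Add the same [ -x ... ] guard so that a missing tool is skipped instead of producing an exec failure. $hostname should also be quoted in the innetgr call.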
diff -Nru debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts debian-edu-config-2.12.40~deb12u1/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
--- debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically restart disabled print queues every hour if the
+ # host is a member of the cups-queue-autoreenable-hosts netgroup.
+ if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
+ innetgr -h $hostname cups-queue-autoreenable-hosts ; then
+ exec /usr/share/debian-edu-config/tools/cups-queue-autoreenable
+ fi
+
+done
diff -Nru debian-edu-config-2.12.32/libexec/debian-edu-fsautoresize-for-netgroup-hosts debian-edu-config-2.12.40~deb12u1/libexec/debian-edu-fsautoresize-for-netgroup-hosts
--- debian-edu-config-2.12.32/libexec/debian-edu-fsautoresize-for-netgroup-hosts 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/libexec/debian-edu-fsautoresize-for-netgroup-hosts 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically extend full LVM volumes if the host is a member of
+ # the fsautoresize-hosts netgroup.
+ if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
+ innetgr -h $hostname fsautoresize-hosts ; then
+ exec debian-edu-fsautoresize -n
+ fi
+
+done
diff -Nru debian-edu-config-2.12.32/Makefile debian-edu-config-2.12.40~deb12u1/Makefile
--- debian-edu-config-2.12.32/Makefile 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/Makefile 2023-09-27 22:34:54.000000000 +0200
@@ -1,11 +1,15 @@
PACKAGE = debian-edu-config
+NULL =
+
PROGS = \
debian-edu-ldapserver \
update-ini-file \
- debian-edu-copy-pki
+ debian-edu-copy-pki \
+ $(NULL)
-SPROGS = debian-edu-fsautoresize \
+SPROGS = \
+ debian-edu-fsautoresize \
debian-edu-ltsp-chroot \
debian-edu-ltsp-install \
debian-edu-ltsp-initrd \
@@ -14,31 +18,41 @@
debian-edu-restart-services \
debian-edu-test-install \
debian-edu-update-netblock \
- update-hostname-from-ip
-
-INSTALL = install -D -p -m 755
-INSTALL_DATA= install -D -p -m 644
+ update-hostname-from-ip \
+ $(NULL)
-prefix = /usr/local
-sysconfdir = /etc
-cf3dir = $(sysconfdir)/cfengine3/debian-edu
-bindir = $(prefix)/bin
-sbindir = $(prefix)/sbin
-docdir = $(prefix)/share/doc/$(PACKAGE)
-mandir = $(prefix)/share/man
-ldapdir = $(sysconfdir)/ldap
+LIBEXECPROGS = \
+ debian-edu-cups-queue-autoflush-for-netgroup-hosts \
+ debian-edu-cups-queue-autoreenable-for-netgroup-hosts \
+ debian-edu-fsautoresize-for-netgroup-hosts \
+ $(NULL)
+
+INSTALL = install -D -p -m 755
+INSTALL_DATA = install -D -p -m 644
+
+prefix = /usr/local
+sysconfdir = /etc
+cf3dir = $(sysconfdir)/cfengine3/debian-edu
+bindir = $(prefix)/bin
+sbindir = $(prefix)/sbin
+docdir = $(prefix)/share/doc/$(PACKAGE)
+mandir = $(prefix)/share/man
+ldapdir = $(sysconfdir)/ldap
slbackupphpdir = $(sysconfdir)/slbackup-php
-schemadir = $(ldapdir)/schema
-dhcpdir = $(sysconfdir)/dhcp
-libdir = /usr/lib
-pkglibdir = $(libdir)/debian-edu-config
-vardir = /var
-wwwdir = /etc/debian-edu/www
+schemadir = $(ldapdir)/schema
+dhcpdir = $(sysconfdir)/dhcp
+libdir = /usr/lib
+pkglibdir = $(libdir)/debian-edu-config
+libexecdir = /usr/libexec
+pkglibexecdir = $(libexecdir)/debian-edu-config
+vardir = /var
+wwwdir = /etc/debian-edu/www
CF3FILES = \
cf.adduser \
cf.apache2 \
+ cf.cfengine3 \
cf.cups \
cf.desktop-networked \
cf.dhcpserver \
@@ -54,6 +68,7 @@
cf.ldapserver \
cf.ldapclient \
cf.bind \
+ cf.pam \
cf.pxeinstall \
cf.ntp \
cf.samba \
@@ -64,7 +79,8 @@
cf.xrdp \
cf.icinga \
edu.cf \
- promises.cf
+ promises.cf \
+ $(NULL)
# Files to install in /etc/
SYSCONFFILES = \
@@ -80,6 +96,7 @@
X11/Xsession.d/09debian-edu-missing-home \
X11/Xsession.d/10debian-edu-one-login-per-host \
X11/Xsession.d/55lightdm_gtk-greeter-rc \
+ dconf/profile/user \
debian-edu/nightkill.conf \
debian-edu/pxeinstall.conf \
default/munin-node \
@@ -98,7 +115,6 @@
filesystems \
firefox-esr/debian-edu.js \
php/apache2/php-debian-edu.ini \
- insserv/overrides/ntp \
ldap/rootDSE-debian-edu.ldif \
ldap/slapd-debian-edu-mdb.conf \
samba/smb-debian-edu.conf \
@@ -130,18 +146,21 @@
nagios3/debian-edu/service_templates.cfg \
nagios3/debian-edu/timeperiods.cfg \
munin/debian-edu-munin-node.conf \
- polkit-1/localauthority.conf.d/80-edu-admin.conf
+ polkit-1/localauthority.conf.d/80-edu-admin.conf \
+ ntpsec/ntp.d/debian-edu.conf \
+ $(NULL)
SYSCONFSCRIPTS = \
dhcp/dhclient-exit-hooks.d/autofs-reload \
dhcp/dhclient-exit-hooks.d/wpad-proxy-update \
- dhcp/dhclient-exit-hooks.d/fetch-ldap-cert \
+ dhcp/dhclient-exit-hooks.d/fetch-rootca-cert \
dhcp/dhclient-exit-hooks.d/hostname \
mklocaluser.d/20-debian-edu-config \
shutdown-at-night/clients-generator \
resolvconf/update.d/bind-debian-edu \
wicd/scripts/preconnect/set_wireless_mac_from_eth0 \
- X11/Xsession-debian-edu
+ X11/Xsession-debian-edu \
+ $(NULL)
SCHEMAS = \
autofs-debian-edu.schema \
@@ -162,7 +181,8 @@
gosa-samba3.schema \
gofax.schema \
goserver.schema \
- goto-mime.schema
+ goto-mime.schema \
+ $(NULL)
LDIFS = \
root.ldif \
@@ -175,7 +195,8 @@
krb5.ldif \
ltsp.ldif \
gosa.ldif \
- gosa-server.ldif
+ gosa-server.ldif \
+ $(NULL)
LDAPPROGRAMS = \
ldap-add-host-to-netgroup \
@@ -183,7 +204,8 @@
ldap-createuser-krb5 \
ldap2netgroup \
ldap-debian-edu-install \
- sitesummary2ldapdhcp
+ sitesummary2ldapdhcp \
+ $(NULL)
WWWFILES = \
index.html.ca \
@@ -204,10 +226,12 @@
index.html.zh-tw \
skl-ren_css.css \
logo-trans.png \
- wpad.dat
+ wpad.dat \
+ $(NULL)
LIBFILES = \
thunderbird/distribution/policies.json \
+ $(NULL)
all:
$(MAKE) -C www
@@ -219,6 +243,7 @@
install -d $(DESTDIR)$(ldapdir)
install -d $(DESTDIR)$(dhcpdir)
install -d $(DESTDIR)$(libdir)
+ install -d $(DESTDIR)$(pkglibexecdir)
# program's manpages are autodetected.
set -e ; for prog in $(PROGS); do \
@@ -237,6 +262,10 @@
fi \
done
+ set -e ; for libexecprog in $(LIBEXECPROGS); do \
+ $(INSTALL) libexec/$$libexecprog $(DESTDIR)$(pkglibexecdir) ; \
+ done
+
$(INSTALL_DATA) README $(DESTDIR)$(docdir)/README
$(INSTALL_DATA) README.public_html_with_PHP-CGI+suExec.md $(DESTDIR)$(docdir)/README.public_html_with_PHP-CGI+suExec.md
@@ -263,7 +292,6 @@
share/debian-edu-config/killer.cron \
share/debian-edu-config/tools/passwd \
share/debian-edu-config/tools/clean-up-host-keytabs \
- share/debian-edu-config/tools/configure-edu-gateway \
share/debian-edu-config/tools/create-debian-edu-certs \
share/debian-edu-config/tools/create-server-cert \
share/debian-edu-config/tools/cups-queue-autoflush \
@@ -321,6 +349,10 @@
share/debian-edu-config/tools/copy-host-keytab \
share/debian-edu-config/tools/improve-desktop-l10n \
share/debian-edu-config/tools/install-task-pkgs \
+ share/debian-edu-config/tools/chromium-ldapconf \
+ share/debian-edu-config/tools/firefox-ldapconf \
+ share/debian-edu-config/tools/nat \
+ share/debian-edu-config/tools/fetch-rootca-cert \
; do \
$(INSTALL) $$f $(DESTDIR)/usr/$$f ; \
done
@@ -330,6 +362,7 @@
set -e ; for f in \
share/debian-edu-config/avahi.smb.service \
share/debian-edu-config/rsyslog-collector \
+ share/debian-edu-config/rsyslog-filters \
share/debian-edu-config/smb.conf.edu-site \
share/debian-edu-config/firefox-networked-prefs.js \
share/debian-edu-config/squid.conf \
@@ -387,9 +420,9 @@
$(INSTALL_DATA) $$f $(DESTDIR)/usr/$$f ; \
done
- install -d $(DESTDIR)$(pkglibdir)/testsuite
+ install -d $(DESTDIR)$(pkglibexecdir)/testsuite
set -e ; for test in testsuite/* ; do \
- $(INSTALL) $$test $(DESTDIR)$(pkglibdir)/$$test; \
+ $(INSTALL) $$test $(DESTDIR)$(pkglibexecdir)/$$test; \
done
diff -Nru debian-edu-config-2.12.32/README debian-edu-config-2.12.40~deb12u1/README
--- debian-edu-config-2.12.32/README 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/README 2023-09-27 22:34:54.000000000 +0200
@@ -277,7 +277,7 @@
- use _ldap._tcp SRV record to find LDAP server
- use ldap "root" object to find LDAP tree info (like AD
defaultNamingContext attribute)
- "ldapsearch -x -s base -h $server -b '' -x '*'"
+ "ldapsearch -x -s base -H ldap://$server -b '' -x '*'"
- subnet three with relevant information? AD have subtree
"CN=Subnets,CN=Sites,CN=Configuration,$base" with objectClass=subnet
objects.
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-ltsp-install debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-ltsp-install
--- debian-edu-config-2.12.32/sbin/debian-edu-ltsp-install 2023-03-27 20:36:55.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-ltsp-install 2023-09-27 22:34:54.000000000 +0200
@@ -22,6 +22,35 @@
set -e
+select_desktop () {
+ # select the first found desktop as the default, based on what x2goclient
+ # (src/onmainwindow.cpp) and x2goserver (x2goserver/bin/x2goruncommand)
+ # support
+ if [ -x /usr/bin/startxfce4 ]; then # from xfce4-session
+ echo XFCE
+ # FIXME x2goclient and x2goserver (x2goruncommand) in Debian only support
+ # startkde which does not exist any more (#955128)
+ #elif [ -x /usr/bin/startplasma-x11 ]; then # from plasma-workspace
+ # echo KDE
+ elif [ -x /usr/bin/gnome-session ]; then # from gnome-session-bin
+ echo GNOME
+ elif [ -x /usr/bin/mate-session ]; then # from mate-session
+ echo MATE
+ elif [ -x /usr/bin/startlxde ]; then # from openbox-lxde-session
+ echo LXDE
+ elif [ -x /usr/bin/startlxqt ]; then # from lxqt-session
+ echo LXQT
+ elif [ -x /usr/bin/cinnamon-session-cinnamon2d ]; then # from cinnamon
+ echo CINNAMON
+ elif [ -x /usr/bin/openbox-session ]; then # from openbox
+ echo OPENBOX
+ elif [ -x /usr/bin/icewm-session ]; then # from icewm
+ echo ICEWM
+ else
+ echo XFCE
+ fi
+}
+
# usage
if [ -z "$1" ] ; then
echo "Use $0 -h or $0 --help for more information"
@@ -33,7 +62,7 @@
Usage information:
-debian-edu-ltsp-install --arch <amd64|i386> --dist <stable|testing|sid> --dns_server <10.0.2.2|dns server ip> --diskless_workstation <yes|no> --thin_type <bare|display|desktop> --dlw <yes|no> --img <yes|no> --desktop <xfce|cinnamon|gnome|kde|lxde|lxqt|mate|none>
+debian-edu-ltsp-install --arch <amd64|i386> --dist <stable|testing|sid> --dns_server <10.0.2.2|dns server ip> --diskless_workstation <yes|no> --thin_type <bare|display|desktop> --dlw <yes|no> --img <yes|no> --desktop <xfce|cinnamon|gnome|kde|lxde|lxqt|mate|none> --x2go_desktop <xfce|cinnamon|gnome|kde|lxde|lxqt|mate|openbox|icewm>
Turn a Debian Edu workstation into an LTSP server for both diskless
workstations and thin clients.
@@ -54,6 +83,11 @@
Other values: cinnamon, gnome, kde, lxde, lxqt, mate.
(And 'none' for modular installations - also useful for testing).
+--x2go_desktop takes effect for X2Go thin client setup, default is any
+ of the installed desktop environments
+ Other values: cinnamon, gnome, kde, lxde, lxqt, mate, openbox,
+ icewm
+
--thin_type has no default value. These are available:
bare: preconfigured x2go client running via 'startx' as user 'thin' with sound and
client side mass storage support.
@@ -100,6 +134,7 @@
dlw="no"
img="yes"
desktop="xfce"
+x2go_desktop="$(select_desktop)"
while [ $# -gt 0 ] ; do
case "$1" in
@@ -111,6 +146,9 @@
--dlw) dlw="$2" ; shift ;;
--img) img="$2" ; shift ;;
--desktop) desktop="$2" ; shift ;;
+ --x2go_dektop)
+ x2go_desktop="$(printf '%s\n' "$2" | tr '[:lower:]' '[:upper:]')"
+ shift ;;
--version) echo $version; exit 0 ;;
esac
shift
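Review bot: The new case label is spelled --x2go_dektop, while the usage text and help added in this patch document --x2go_desktop, so the documented option matches nothing in the case statement and is silently ignored, leaving x2go_desktop at the select_desktop default. Rename the label to --x2go_desktop.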
@@ -364,7 +402,7 @@
[default]
autologin=false
clipboard=both
-command=XFCE
+command=$x2go_desktop
defsndport=true
directrdp=false
directrdpsettings=
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-pxeinstall debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-pxeinstall
--- debian-edu-config-2.12.32/sbin/debian-edu-pxeinstall 2023-02-26 10:08:55.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-pxeinstall 2023-09-27 22:34:54.000000000 +0200
@@ -247,7 +247,7 @@
choose-mirror-bin mirror/http/directory string /debian
EOF
else
- debconf-get-selections --installer | egrep -w 'mirror/http/mirror|mirror/country|mirror/protocol|mirror/http/hostname|mirror/http/directory|mirror/ftp/hostname|mirror/ftp/directory' | sort
+ debconf-get-selections --installer | grep -Ew 'mirror/http/mirror|mirror/country|mirror/protocol|mirror/http/hostname|mirror/http/directory|mirror/ftp/hostname|mirror/ftp/directory' | sort
fi
# Make it easier to have local overrides and still be able to
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-restart-services debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-restart-services
--- debian-edu-config-2.12.32/sbin/debian-edu-restart-services 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-restart-services 2023-09-27 22:34:54.000000000 +0200
@@ -5,63 +5,116 @@
set -e
-echo "info: Stopping services in sequence."
-for ALL in /etc/rc1.d/K* ; do
- if [ -h $ALL ] ; then
- SERVICE=$(basename $(readlink $ALL))
- else
- SERVICE=$(basename $ALL)
- fi
- echo "info: Stopping $SERVICE"
- $ALL stop || /bin/true
-done
-
-for service in \
- slapd \
- rpcbind \
- apache \
- ;
+sysvinit_restart_services () {
+ echo "info: Stopping services in sequence."
+ for ALL in /etc/rc1.d/K* ; do
+ if [ -h $ALL ] ; then
+ SERVICE=$(basename $(readlink $ALL))
+ else
+ SERVICE=$(basename $ALL)
+ fi
+ echo "info: Stopping $SERVICE"
+ $ALL stop || /bin/true
+ done
+
+ for service in \
+ slapd \
+ rpcbind \
+ apache \
+ ;
+ do
+ if [ "$(pidof $service)" ] ; then
+ echo "info: '$service' still running, sending HUP."
+ pkill $service || /bin/true
+ fi
+ done
+
+ echo "info: Checking what's still running"
+ ps aux | while read LINE ; do
+ echo "info: $LINE"
+ done
+
+ for service in \
+ slapd \
+ rpcbind \
+ apache \
+ ;
+ do
+ if [ "$(pidof $service)" ] ; then
+ echo "info: '$service' still running, sending KILL."
+ pkill -9 $service || /bin/true
+ fi
+ done
+
+ echo "info: Checking what's still running"
+ ps aux | while read LINE ; do
+ echo "info: $LINE"
+ done
+
+ echo "Info: Restarting networking"
+ /etc/init.d/networking restart || /bin/true
+
+ echo "info: Starting services in sequence."
+ for ALL in /etc/rc2.d/S* ; do
+ if [ -h $ALL ] ; then
+ SERVICE=$(basename $(readlink $ALL))
+ else
+ SERVICE=$(basename $ALL)
+ fi
+ echo "info: Starting $SERVICE"
+ $ALL start || /bin/true
+ done
+}
+
+systemd_restart_services () {
+ systemctl daemon-reload
+
+ systemctl restart networking.service
+
+ for service in \
+ apache2.service \
+ cups.service \
+ dovecot.service \
+ exim4.service \
+ icinga2.service \
+ inetd.service \
+ isc-dhcp-server.service \
+ krb5-admin-server.service \
+ krb5-kdc.service \
+ ltsp.service \
+ mariadb.service \
+ munin-node.service \
+ munin.service \
+ nagios-nrpe-server.service \
+ named.service \
+ nfs-server.service \
+ nmbd.service \
+ nscd.service \
+ nslcd.service \
+ ntpsec.service \
+ rsyslog.service \
+ sitesummary-client.service \
+ slapd.service \
+ smbd.service \
+ squid.service \
+ sudo-ldap.service \
+ tftpd-hpa.service \
+ x2goserver.service \
+ xrdp.service \
+ xrdp-sesman.service
do
- if [ "$(pidof $service)" ] ; then
- echo "info: '$service' still running, sending HUP."
- pkill $service || /bin/true
- fi
-done
-
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do
- echo "info: $LINE"
-done
-
-for service in \
- slapd \
- rpcbind \
- apache \
- ;
- do
- if [ "$(pidof $service)" ] ; then
- echo "info: '$service' still running, sending KILL."
- pkill -9 $service || /bin/true
- fi
-done
-
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do
- echo "info: $LINE"
-done
-
-echo "Info: Restarting networking"
-/etc/init.d/networking restart || /bin/true
-
-echo "info: Starting services in sequence."
-for ALL in /etc/rc2.d/S* ; do
- if [ -h $ALL ] ; then
- SERVICE=$(basename $(readlink $ALL))
- else
- SERVICE=$(basename $ALL)
- fi
- echo "info: Starting $SERVICE"
- $ALL start || /bin/true
-done
+ if systemctl is-active --quiet $service; then
+ active="$active $service"
+ fi
+ done
+ systemctl stop $active || true
+ systemctl start $active
+}
+
+if [ -e /run/systemd/system/ ]; then
+ systemd_restart_services
+else
+ sysvinit_restart_services
+fi
exit 0
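Review bot: in systemd_restart_services the variable "active" is never initialised before the loop appends to it, and the script runs under "set -e". When none of the listed units is active, "systemctl start $active" is called without a unit name, fails, and aborts the script with a non-zero status; a value of "active" inherited from the environment would also be handed to systemctl stop and start. Set active="" at the top of the function and skip the stop/start pair when it is empty. "systemctl restart networking.service" is likewise fatal under "set -e", where the sysvinit path tolerates the same failure with "|| /bin/true"; pick one behaviour for both paths.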
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-test-install debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-test-install
--- debian-edu-config-2.12.32/sbin/debian-edu-test-install 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/sbin/debian-edu-test-install 2023-09-27 22:34:54.000000000 +0200
@@ -5,7 +5,7 @@
# Make sure strings and dates have predictable format
LC_ALL=C
-basedir=/usr/lib/debian-edu-config/testsuite
+basedir=/usr/libexec/debian-edu-config/testsuite
cd $basedir
diff -Nru debian-edu-config-2.12.32/sbin/update-hostname-from-ip debian-edu-config-2.12.40~deb12u1/sbin/update-hostname-from-ip
--- debian-edu-config-2.12.32/sbin/update-hostname-from-ip 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/sbin/update-hostname-from-ip 2023-09-27 22:34:54.000000000 +0200
@@ -110,22 +110,22 @@
fi
if [ "$IP" ] ; then
- HOSTNAME=$(ip2hostname $IP)
+ MY_HOSTNAME=$(ip2hostname $IP)
SOURCE="reverse DNS of $IP"
fi
-if $USEMAC && [ -z "$HOSTNAME" ] ; then
- HOSTNAME=$(ether2hostname $MAC)
+if $USEMAC && [ -z "$MY_HOSTNAME" ] ; then
+ MY_HOSTNAME=$(ether2hostname $MAC)
SOURCE="hardware MAC address"
fi
-if [ "$HOSTNAME" ]; then
+if [ "$MY_HOSTNAME" ]; then
if $onlyprint ; then
- echo $HOSTNAME
+ echo $MY_HOSTNAME
else
# Already got the correct host name?
- if [ "$HOSTNAME" != "$(uname -n)" ] ; then
- sethostname "$HOSTNAME" "$SOURCE"
+ if [ "$MY_HOSTNAME" != "$(uname -n)" ] ; then
+ sethostname "$MY_HOSTNAME" "$SOURCE"
fi
fi
else
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/d-i/finish-install debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/d-i/finish-install
--- debian-edu-config-2.12.32/share/debian-edu-config/d-i/finish-install 2023-02-15 15:13:06.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/d-i/finish-install 2023-09-27 22:34:54.000000000 +0200
@@ -135,7 +135,7 @@
mountpoints="$(grep " /target" /proc/mounts | cut -d" " -f2 | sed s%/target%%g)"
LANG=C chroot /target fuser -mv $mountpoints 2>&1 | sed 's/^/info: /'
-if LANG=C chroot /target fuser -mv $mountpoints 2>&1 | egrep -qv 'USER|mount |Cannot open ' ; then
+if LANG=C chroot /target fuser -mv $mountpoints 2>&1 | grep -Eqv 'USER|mount |Cannot open ' ; then
log "error: some processes blocking d-i from umounting /target/"
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/d-i/pre-pkgsel debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/d-i/pre-pkgsel
--- debian-edu-config-2.12.32/share/debian-edu-config/d-i/pre-pkgsel 2023-02-13 16:25:44.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/d-i/pre-pkgsel 2023-11-30 08:36:09.000000000 +0100
@@ -25,7 +25,7 @@
fi
# Default hostname is 'localhost'
- HOSTNAME=localhost
+ MY_HOSTNAME=localhost
# Default DNS server is tjener.intern
NAMESERVER=10.0.2.2
@@ -55,7 +55,7 @@
autoeth1=""
DNSDOMAIN=
MAILNAME=
- HOSTNAME=
+ MY_HOSTNAME=
eth0uuid=$(chroot /target uuid)
mkdir -p /target/etc/NetworkManager/system-connections
cat > /target/etc/NetworkManager/system-connections/eth0 <<EOF
@@ -80,7 +80,7 @@
autoeth1=""
DNSDOMAIN=
MAILNAME=
- HOSTNAME=
+ MY_HOSTNAME=
;;
Workstation)
# Use this unless Server also was choosen.
@@ -94,7 +94,7 @@
Main-Server)
# Override for workstations combining as servers
eth0=10.0.2.2:255.0.0.0:10.255.255.255:10.0.0.1
- HOSTNAME=tjener.intern
+ MY_HOSTNAME=tjener.intern
NAMESERVER=127.0.0.1
autoeth0="auto eth0"
;;
@@ -121,12 +121,6 @@
auto lo
iface lo inet loopback
EOF
- if [ "$DNSDOMAIN" ] && [ "$NAMESERVER" = "127.0.0.1" ] ; then
- cat >> $interfaces <<EOF
- dns-search $DNSDOMAIN
- dns-nameservers $NAMESERVER
-EOF
- fi
for interface in eth0 eth1 ; do
eval "ifinfo=\$$interface"
@@ -159,6 +153,12 @@
gateway $gateway
EOF
fi
+ if [ "$DNSDOMAIN" ] && [ "$NAMESERVER" = "127.0.0.1" ] ; then
+ cat >> $interfaces <<EOF
+ dns-search $DNSDOMAIN
+ dns-nameservers $NAMESERVER
+EOF
+ fi
cat >> $interfaces <<EOF
# The commented lines below is to be used if a DHCP server is in use
#iface $interface inet dhcp
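Review bot: the dns-search / dns-nameservers block now sits inside the "for interface in eth0 eth1" loop, but its condition tests only $DNSDOMAIN and $NAMESERVER, neither of which depends on $interface. Every stanza the loop writes at this point therefore gets the resolver lines. If they are meant for one interface only, add an interface test to the condition; if both are intended, a one-line comment saying so would help, since the removed copy was written once, after "iface lo".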
@@ -179,9 +179,9 @@
echo "ff02::3 ip6-allhosts"
) > /target/etc/hosts
- if [ ! -z "$HOSTNAME" ] ; then
- echo "$HOSTNAME" > /target/etc/hostname
- in-target /bin/hostname "$HOSTNAME"
+ if [ ! -z "$MY_HOSTNAME" ] ; then
+ echo "$MY_HOSTNAME" > /target/etc/hostname
+ in-target /bin/hostname "$MY_HOSTNAME"
fi
# Update hostname based on reverse DNS entry of current IP or
@@ -195,7 +195,7 @@
# Avoid hardcoding entries on the clients, to make sure IP address
# range can be changed on the clients by changing DHCP
# configuration on the server.
- if [ "tjener.intern" = "$HOSTNAME" ] ; then
+ if [ "tjener.intern" = "$MY_HOSTNAME" ] ; then
(
echo
echo "10.0.2.2 tjener.intern tjener"
@@ -269,8 +269,8 @@
create_initial_localadmin_user() {
LOCAL_USER_ID="localadmin"
LOCAL_USER_GECOS="Local Administrator"
- LOCAL_USER_UIDNUMBER="500"
- LOCAL_USER_PRIMGIDNUMBER="500"
+ LOCAL_USER_UIDNUMBER="1000"
+ LOCAL_USER_PRIMGIDNUMBER="1000"
LOCAL_USER_INGROUPS="$LOCAL_USER_INGROUPS adm sudo"
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/gosa.conf.template debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/gosa.conf.template
--- debian-edu-config-2.12.32/share/debian-edu-config/gosa.conf.template 2023-02-06 10:30:29.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/gosa.conf.template 2023-11-30 08:36:09.000000000 +0100
@@ -346,7 +346,7 @@
sendCompressedOutput="true"
modificationDetectionAttribute="entryCSN"
language=""
- theme="default"
+ theme="classic"
sessionLifetime="7200"
templateCompileDirectory="/var/spool/gosa"
debugLevel="0"
@@ -361,8 +361,8 @@
userRDN="ou=people"
groupRDN="ou=group"
netgroupRDN="ou=netgroup"
- gidNumberBase="1000"
- uidNumberBase="1000"
+ gidNumberBase="2000"
+ uidNumberBase="2000"
loginAttribute="uid"
timezone="Etc/UTC"
honourUnitTags="false"
@@ -376,7 +376,7 @@
mailUserCreation=""
mailFolderCreation=""
imapTimeout="10"
- ldapTLS="true"
+ ldapTLS="false"
honourIvbbAttributes="false"
enableSnapshots="false"
snapshotBase="ou=snapshots,dc=skole,dc=skolelinux,dc=no"
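Review bot: ldapTLS="true" becomes ldapTLS="false" with no comment in the template explaining why. This attribute turns off TLS on GOsa²'s LDAP connections, which carry the admin bind and password changes. If transport protection is now provided another way (for example an ldaps:// or ldapi:// URI elsewhere in the template), say so in a comment next to the attribute; if not, the change needs a stated reason before it goes into a stable update.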
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/pam-nopwdchange.py debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/pam-nopwdchange.py
--- debian-edu-config-2.12.32/share/debian-edu-config/pam-nopwdchange.py 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/pam-nopwdchange.py 2023-09-27 22:34:54.000000000 +0200
@@ -30,7 +30,7 @@
user = pamh.get_user(None)
userinfo = pwd.getpwnam(user)
uid = userinfo[2]
- if 1000 <= uid:
+ if 2000 <= uid:
text = "\nPlease visit https://www/gosa to change your password for Debian Edu / Skolelinux. Thanks!\n"
msg = pamh.Message(pamh.PAM_TEXT_INFO, text)
pamh.conversation(msg)
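Review bot: the threshold "2000 <= uid" is a second hard-coded copy of the uidNumberBase="2000" set in gosa.conf.template in this same diff, and the two have to move in step. On a site whose LDAP accounts were created under the previous base of 1000, users with UIDs 1000 to 1999 no longer reach this branch. Either read the boundary from one shared setting or document that the check only covers accounts created with the new base.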
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/rsyslog-filters debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/rsyslog-filters
--- debian-edu-config-2.12.32/share/debian-edu-config/rsyslog-filters 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/rsyslog-filters 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,2 @@
+# discard excessive nullmailer logging (#1003728)
+:programname, isequal, "nullmailer-send" stop
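Review bot: the filter matches on programname alone and ends in "stop", so it discards every message from nullmailer-send, delivery failures included, not only the excessive ones the comment mentions. Match on the repetitive message text as well, or state in the comment that nullmailer delivery errors are no longer logged on these hosts.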
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/chromium-ldapconf debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/chromium-ldapconf
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/chromium-ldapconf 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/chromium-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Chromium configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+ *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+ /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
+ ;;
+esac
+
+case $PROFILE in
+ *LTSP-Server*)
+ if [ -d /opt/ltsp ]; then
+ find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage \;
+ fi
+ ;;
+esac
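Review bot: the LTSP branch looks for chroots under /opt/ltsp, while tools/nat, added in this same diff, detects an LTSP installation by /srv/ltsp. If /opt/ltsp no longer exists on bookworm LTSP servers, the "find ... -exec chroot" branch is dead code; if it does, note which layout each path belongs to. $PROFILE is also used unset when /etc/debian-edu/config is missing, which silently skips both case blocks; a comment or an early "exit 0" would make that intent explicit.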
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/configure-edu-gateway debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/configure-edu-gateway
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/configure-edu-gateway 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/configure-edu-gateway 1970-01-01 01:00:00.000000000 +0100
@@ -1,111 +0,0 @@
-#!/bin/sh
-#
-# Configure a Debian Edu system with 'Minimal' profile' to act as as gateway.
-
-# The configuration below applies to a Debian Edu machine in the internal
-# backbone network with two NICs, the eth0 interface attached to an existing
-# router and the eth1 one attached to the backbone network 10.0.0.0/8.
-#
-# Author/Copyright: Wolfgang Schweer <wschweer@arcor.de>
-# Licence: GPL2+
-# first edited: 2020-04-17
-# last edited: 2021-10-22
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-set -e
-
-# usage
-if [ -z "$1" ] ; then
- echo "Use $0 -h or $0 --help for more information"
- exit 0
-fi
-
-if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
- cat <<EOF
-
-Usage information:
-
-$0 --firewall <yes|no>
-
-Turn a Debian Edu system with profile 'Minimal' into a gateway.
-
-'$0 --firewall no' configures this system as gateway.
-
-'$0 --firewall yes' installs the 'shorewall' package in addition and
- configures this system also as a firewall.
- See https://shorewall.org/two-interface.htm#System for detailed information.
-EOF
- exit 0
-fi
-
-# Prevent to do this more than one time
-if ! grep -Eq 10.0.0.0 /etc/default/enable-nat ; then
- sed -i 's/auto eth0/auto eth0 eth1/' /etc/network/interfaces
- sed -i '/eth1/ s/dhcp/static/' /etc/network/interfaces
- sed -i '/post-up/d' /etc/network/interfaces
- echo 'address 10.0.0.1' >> /etc/network/interfaces
- echo 'dns-nameservers 10.0.2.2' >> /etc/network/interfaces
- echo 'dns-domain intern' >> /etc/network/interfaces
- hostname -b gateway
- hostname > /etc/hostname
- rm -f /etc/dhcp/dhclient-exit-hooks.d/hostname
- rm -f /etc/dhcp/dhclient-exit-hooks.d/wpad-proxy-update
- rm -f /etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert
- rm -f /etc/network/if-up.d/wpad-proxy-update
- sed -i 's/domain-name,//' /etc/dhcp/dhclient-debian-edu.conf
- sed -i 's/domain-search,//' /etc/dhcp/dhclient-debian-edu.conf
- sed -i 's#NAT=#NAT="10.0.0.0/8"#' /etc/default/enable-nat
- echo ""
- echo "The system has been configured as gateway."
- echo ""
-else
- echo ""
- echo "The system has already been configured as gateway."
- echo ""
-fi
-
-# Optionally install, configure, enable and start shorewall.
-if [ "yes" = "$2" ] && [ ! -d /etc/shorewall ] ; then
- echo ""
- echo "Now setting up shorewall like requested."
- echo ""
- if grep -q / /etc/debian_version ; then
- dist=$(cat /etc/debian_version | cut -d/ -f1)
- else
- dist=$(lsb_release -sc)
- fi
- if egrep -q '^deb cdrom:' /etc/apt/sources.list ; then
- sed -i 's/deb cdrom/#deb cdrom/' /etc/apt/sources.list
- echo "deb http://deb.debian.org/debian $dist main" >> /etc/apt/sources.list
- fi
- apt update
- apt -yq install shorewall
- for i in interfaces policy rules snat stoppedrules zones ; do
- cp /usr/share/doc/shorewall/examples/two-interfaces/$i /etc/shorewall
- done
- echo "NET_IF=eth0" >> /etc/shorewall/params
- echo "NET_OPTIONS=routefilter,norfc1918" >> /etc/shorewall/params
- systemctl enable shorewall
- systemctl start shorewall
-fi
-
-# Give feedback
-if [ -e /etc/shorewall/snat ] ; then
- echo ""
- echo "Shorewall has been configured for the two-interfaces setup on this system."
- echo ""
- echo "See https://shorewall.org/two-interface.htm#System for detailed information."
- echo ""
-fi
-echo
-echo "Configuration finished. Please reboot the system to activate the changes."
-echo
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/edu-icinga-setup debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/edu-icinga-setup
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/edu-icinga-setup 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/edu-icinga-setup 2023-09-27 22:34:54.000000000 +0200
@@ -34,6 +34,11 @@
# run 'mysql_secure_installation'.)
setup_icinga() {
+ # Generate random password (alphanumeric ASCII characters only in order
+ # to avoid problems with quoting below)
+ password="$(LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | dd bs=1 count=16 2>/dev/null)"
+ [ -n "${password}" ] || exit 1
+
# Delete anonymous users
mysql -e "DELETE FROM mysql.user WHERE User='';"
# Ensure the root user can not log in remotely
@@ -55,7 +60,7 @@
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
ON icingadb.*
TO 'icinga2'@'localhost'
- IDENTIFIED BY 'v64nhbe27dfBjR3T';
+ IDENTIFIED BY '${password}';
FLUSH PRIVILEGES;
"
# Install the MySQL schema required for the Icinga 2 database
@@ -63,12 +68,24 @@
# Adjust the Icinga 2 MySQL IDO configuration
#sed -i "/user/ s%icinga2%$FIRSTUSERNAME%" "/etc/icinga2/features-available/ido-mysql.conf"
- sed -i "/password/ s%\".*\"%\"v64nhbe27dfBjR3T\"%" "/etc/icinga2/features-available/ido-mysql.conf"
+ sed -i "/password/s/.*/ password = \"${password}\",/" /etc/icinga2/features-available/ido-mysql.conf
sed -i '/database/ s%icinga2%icingadb%' /etc/icinga2/features-available/ido-mysql.conf
# Enable ido-mysql feature
icinga2 feature enable ido-mysql
+ # Create Icinga Web 2 database
+ mysql <<< "
+ CREATE DATABASE icingaweb2;
+ GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
+ ON icingaweb2.*
+ TO 'icingaweb2'@'localhost'
+ IDENTIFIED BY '${password}';
+ FLUSH PRIVILEGES;
+ "
+ # Install the MySQL schema required for the Icinga Web 2 database
+ mysql icingaweb2 < /usr/share/icingaweb2/schema/mysql.schema.sql
+
# Add icinga2 configuration files (content gathered from manual setup procedure)
#
# authentication.ini
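Review bot: the icingaweb2 database account is created with the same ${password} as the icinga2 IDO account, so a leak of either configuration file exposes both; generate a second value for it. The new sed expression "/password/s/.*/ password = ...,/" rewrites every line of ido-mysql.conf that contains the word password, comment lines included, where the old expression only replaced the quoted value; anchor it to the setting itself, for example ^[[:space:]]*password[[:space:]]*=. "CREATE DATABASE icingaweb2;" has no IF NOT EXISTS, so a second run of setup_icinga errors at this statement.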
@@ -82,12 +99,13 @@
domain = ""
resource = "icingaweb_ldap"
EOF
+
# config.ini
cat <<- EOF > /etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
- config_backend = "ini"
+ config_resource = "icingaweb_db"
[logging]
log = "file"
@@ -127,6 +145,17 @@
bind_pw = ""
timeout = "5"
+ [icingaweb_db]
+ type = "db"
+ db = "mysql"
+ host = "localhost"
+ port = ""
+ dbname = "icingaweb2"
+ username = "icingaweb2"
+ password = "${password}"
+ charset = ""
+ use_ssl = "0"
+
[icinga_ido]
type = "db"
db = "mysql"
@@ -134,7 +163,7 @@
port = ""
dbname = "icingadb"
username = "icinga2"
- password = "v64nhbe27dfBjR3T"
+ password = "${password}"
charset = ""
use_ssl = "0"
EOF
@@ -165,11 +194,8 @@
EOF
# Adjusts rights to get the web interface working
- chmod 660 /etc/icingaweb2/*.ini
- chmod g+rwx /etc/icingaweb2/enabledModules/
- chmod g+rwx /etc/icingaweb2/modules/monitoring/
- chmod o+x /etc/icingaweb2/modules/monitoring/
- chmod 660 /etc/icingaweb2/modules/monitoring/*.ini
+ find /etc/icingaweb2/ -type f -name '*.ini' -exec chmod 660 {} +
+ find /etc/icingaweb2/ -type d -exec chmod 775 {} +
# Create icingaweb2 log directory
mkdir -p /var/log/icingaweb2/
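Review bot: "find /etc/icingaweb2/ -type d -exec chmod 775 {} +" makes every directory under /etc/icingaweb2 readable and searchable by all users, where the removed lines granted o+x on modules/monitoring only, and the .ini files written earlier in this function now hold the database password. Mode 660 on the files only protects that password if owner and group are set correctly, which this hunk does not show; set the ownership next to the chmod, and use 770 on the directories unless other users need to list them.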
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/fetch-rootca-cert debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/fetch-rootca-cert
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/fetch-rootca-cert 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/fetch-rootca-cert 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Fetches Debian Edu rootCA certificate from the main server
+#
+# Author: Wolfgang Schweer, <wschweer@arcor.de>
+# Date: 2020-02-14
+#
+
+if [ -r /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
+LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
+
+# Remove no longer used certificate file
+rm -f $BUNDLECRT
+
+# RootCA cert retrieval (avoid execution on the main server, things are in place)
+case $PROFILE in
+*Main-Server*)
+ logger -t fetch-rootca-cert "Running on the main server, exiting."
+ exit 0
+ ;;
+esac
+
+if [ -f $LOCALCACRT ] && [ -s $LOCALCACRT ] ; then
+ # The cert file already exists, nothing to do.
+ exit 0
+fi
+
+if [ -z "$(dig +short A www.intern)" ] ; then
+ # If the main server is not resolvable, we are not part of a DebianEdu
+ # network, no need to report an error.
+ exit 0
+fi
+
+# Since Debian Edu 10, the RootCA file is distributed
+# over http (always via the host serving www.intern, by default: TJENER)
+#
+# We do an availability check for the webserver first, to provide proper
+# error reporting (see below). So, the following check merely discovers,
+# if the webserver is online at all.
+if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+ # Now let's see if the webserver has the "Debian Edu RootCA" file.
+ # This has been the case for Debian Edu main servers (TJENER) since
+ # Debian Edu 10.1.
+ if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+ grep -q CERTIFICATE $LOCALCACRT ; then
+ # Make rootCA certificate available in /etc/ssl/certs/
+ ln -nsf $LOCALCACRT $ROOTCACRT
+ # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+ update-ca-certificates
+ logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
+ else
+ # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+ # 404 http error message in html.
+ rm -f $LOCALCACRT
+ rm -f $ROOTCACRT
+ logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
+ fi
+else
+ # Report an error, if www.intern is down http-wise. This can happen and is probably
+ # a temporary problem that needs an admin to fix it.
+ logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+ exit 1
+fi
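Review bot: the certificate is fetched with "curl -fk", written straight to $LOCALCACRT and accepted if "grep -q CERTIFICATE" matches, after which update-ca-certificates installs it as a system-wide trust anchor. That is trust on first use with a string match as the only validation, and because the script exits early once $LOCALCACRT exists and is non-empty, whatever was accepted first is never re-checked. Download to a temporary file, parse it with "openssl x509 -noout" (ideally comparing against a fingerprint provisioned at install time), and only then move it into /usr/local/share/ca-certificates; the header comment should state the trust-on-first-use assumption.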
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/firefox-ldapconf debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/firefox-ldapconf
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/firefox-ldapconf 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/firefox-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Firefox configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+ *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+ /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
+ ;;
+esac
+
+case $PROFILE in
+ *LTSP-Server*)
+ if [ -d /opt/ltsp ]; then
+ find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage \;
+ fi
+ ;;
+esac
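Review bot: this file is a copy of tools/chromium-ldapconf with only the browser name changed (update-firefox-homepage for update-chromium-homepage). One script taking the browser as an argument, or a shared function sourced by both, would keep the profile list and the /opt/ltsp chroot handling from drifting apart. The exit status of the chroot runs inside "find -exec ... \;" is discarded, so a failing update in one chroot goes unnoticed; log it if that matters.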
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/goodbye-user-session debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/goodbye-user-session
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/goodbye-user-session 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/goodbye-user-session 2023-09-27 22:34:54.000000000 +0200
@@ -16,7 +16,7 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-if [ $EUID -ge 500 ]; then
+if [ $EUID -ge 1000 ]; then
# safety net for well-known browsers
pkill -TERM -u "${LOGNAME}" x-www-browser
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-create debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/gosa-create
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-create 2021-03-30 13:17:37.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/gosa-create 2023-09-27 22:34:54.000000000 +0200
@@ -12,7 +12,7 @@
## directory already exists. In both cases nothing should happen.
PREFIX=/skole
-HOSTNAME=$(hostname -s)
+MY_HOSTNAME=$(hostname -s)
USERID=$1
#FIXME Change this ldap search to only find new users, to not slow down as more users are added.
@@ -29,7 +29,7 @@
gidNumber:) GROUPID="$VALUE" ;;
"")
test "$HOMEDIR" || continue
- echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" || continue
+ echo "$HOMEDIR" | grep -q "^$PREFIX/$MY_HOSTNAME" || continue
test -e "$HOMEDIR" && continue
cp -r /etc/skel $HOMEDIR
if type nscd > /dev/null 2>&1 ; then
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-remove debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/gosa-remove
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-remove 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/gosa-remove 2023-09-27 22:34:54.000000000 +0200
@@ -28,14 +28,14 @@
[ -d $HOMEDIR ] || exit 1
PREFIX=/skole
-HOSTNAME=$(hostname -s)
+MY_HOSTNAME=$(hostname -s)
# Obviously a user template was removed. Ignoring.
-echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*/%uid" && exit 0
+echo "$HOMEDIR" | grep -Eq "^$PREFIX/$MY_HOSTNAME.*/%uid" && exit 0
# An LDAP user that did not have their home at a place we manage with this script
# has been removed. This should not happen. Exiting with error.
-echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
+echo "$HOMEDIR" | grep -Eq "^$PREFIX/$MY_HOSTNAME.*$USERID" || exit 1
## move mail directory to home directory
if [ -d /var/mail/$USERID ]; then
@@ -52,7 +52,7 @@
chown root:root $RM_HOMEDIR
chmod go-rwx $RM_HOMEDIR
-kadmin.local -q "delete_principal $USERID"
+kadmin.local -q "delete_principal -force $USERID"
pdbedit -x -u $USERID > /dev/null
logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion, samba account and principal \'$USERID\' removed.
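Review bot: "delete_principal -force $USERID" removes kadmin's confirmation prompt while $USERID is still interpolated into the -q query string. The checks visible earlier in this script only use $USERID as part of a regular expression matched against $HOMEDIR; validate it against the expected account-name pattern before this line, so that whitespace or kadmin syntax in the value cannot change which principal is deleted. The logger line also reports the principal as removed regardless of the exit status of kadmin.local.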
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/kerberos-kdc-init debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/kerberos-kdc-init
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/kerberos-kdc-init 2021-04-26 23:38:21.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/kerberos-kdc-init 2023-09-27 22:34:54.000000000 +0200
@@ -248,9 +248,9 @@
cp -r /etc/skel $HOMEDIR
# Must use uid/gid as NSS is not able to connect to LDAP yet
- UID=1000
- GID=1000
- chown -R $UID:$GID $HOMEDIR
+ FIRSTUSERUID=2000
+ FIRSTUSERGID=2000
+ chown -R $FIRSTUSERUID:$FIRSTUSERGID $HOMEDIR
pwlen=$(echo -n "$FIRSTUSERPWD" | wc -c)
echo "Creating Kerberos principal for $USERDN (password length $pwlen)"
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/nat debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/nat
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/nat 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/nat 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+IPTABLES=/usr/sbin/iptables
+
+NETWORK_TO_NAT=
+OUTSIDE_IF=eth0
+
+[ -x $IPTABLES ] || exit 1
+
+# Only enable by default if LTSP is installed
+if [ -e /srv/ltsp ] ; then
+ NETWORK_TO_NAT="192.168.0.0/24"
+fi
+
+if [ -f /etc/default/enable-nat ] ; then
+ . /etc/default/enable-nat
+fi
+
+# Bail out if no network is configured
+[ -n "$NETWORK_TO_NAT" ] || exit 0
+
+case $1 in
+enable)
+ # Exit if already enabled
+ $IPTABLES -t nat -n -L POSTROUTING | \
+ awk -v net="$NETWORK_TO_NAT" '
+ NR > 2 && $1 == "MASQUERADE" && $4 == net {
+ found=1
+ exit
+ }
+ END {
+ exit(!found)
+ }' && exit 0
+
+ $IPTABLES -t nat -A POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE
+
+ # Enable IP-forwarding if it isn't enabled already.
+ sysctl -wq net.ipv4.ip_forward=1
+ ;;
+disable)
+ $IPTABLES -F -t nat
+ ;;
+*)
+ printf 'usage: %s [enable|disable]\n' "$(basename "$0")" >&2
+ exit 1
+ ;;
+esac
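Review bot: the disable branch runs "$IPTABLES -F -t nat", which flushes every chain in the nat table, not just the one MASQUERADE rule that enable appends; any other NAT rules on the host are lost. Delete the specific rule instead, with the same match used for -A: -D POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE. The disable branch also leaves net.ipv4.ip_forward=1 in place, and the already-enabled check compares only the source network, not $OUTSIDE_IF, so a rule for a different outgoing interface counts as enabled.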
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/preseed-sitesummary debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/preseed-sitesummary
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/preseed-sitesummary 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/preseed-sitesummary 2023-09-27 22:34:54.000000000 +0200
@@ -27,7 +27,7 @@
if ping -c2 sitesummary > /dev/null 2>&1 ; then
sitesummaryserver=$(getent hosts sitesummary | awk '{print $2}')
else
- host=$(LC_ALL=C host -N 2 -t SRV _sitesummary._tcp | egrep -v '^;|NXDOMAIN|SERVFAIL' | awk '{print $NF}' | head -1)
+ host=$(LC_ALL=C host -N 2 -t SRV _sitesummary._tcp | grep -Ev '^;|NXDOMAIN|SERVFAIL' | awk '{print $NF}' | head -1)
if [ "$host" ] && ping -c2 "$host" ; then
sitesummaryserver=$(echo $host | sed 's/\.$//')
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-ad-client debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/setup-ad-client
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-ad-client 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/setup-ad-client 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
# See if we can find an Active Directory LDAP server.
lookup_ad_server() {
dnsdomain="$1"
- adserver=$(host -N 2 -t SRV _ldap._tcp.$dnsdomain | egrep -v 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
+ adserver=$(host -N 2 -t SRV _ldap._tcp.$dnsdomain | grep -Ev 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
if [ "$adserver" ] ; then
echo $adserver | sed 's/\.$//'
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-freeradius-server debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/setup-freeradius-server
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-freeradius-server 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/setup-freeradius-server 2023-09-27 22:34:54.000000000 +0200
@@ -115,31 +115,75 @@
service freeradius stop
# Generate freeRADIUS specific CA and server certificates and make them available.
-chmod +x bootstrap
-PASSWORD="$(pwgen -1)"
+PASSWORD="$(pwgen -1 16)"
-for i in *.cnf xpextensions ; do
- sed -i "s#whatever#$PASSWORD#g" $i
- sed -i 's#FR#NO#g' $i
- sed -i 's#Example Inc.#Debian Edu#g' $i
- sed -i 's#admin@example.org#postmaster@postoffice.intern#g' $i
- sed -i 's#user@example.org#user@postoffice.intern#g' $i
- sed -i 's#example.org/example#intern/intern#g' $i
- sed -i 's#example.com/example#intern/intern#g' $i
- sed -i 's#Example S#Debian Edu freeRADIUS S#g' $i
- sed -i 's#Example C#Debian Edu freeRADIUS C#g' $i
- sed -i 's#*example.com#*intern#g' $i
- sed -i 's#radius.example.com#freeradius.intern#g' $i
- sed -i 's#= 60#= 3650#g' $i
- sed -i 's#Example Inner S#Debian Edu freeRADIUS Inner S#g' $i
-done
-
-sed -i "s#whatever#$PASSWORD#g" ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.pem#freeradius-server.crt#' ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.key#freeradius-server.key#' ../mods-available/eap
-sed -i 's#ca-certificates.crt#freeradius-ca.crt#' ../mods-available/eap
+update-ini-file ca.cnf req input_password "${PASSWORD}"
+update-ini-file client.cnf req input_password "${PASSWORD}"
+update-ini-file inner-server.cnf req input_password "${PASSWORD}"
+update-ini-file server.cnf req input_password "${PASSWORD}"
+
+update-ini-file ca.cnf req output_password "${PASSWORD}"
+update-ini-file client.cnf req output_password "${PASSWORD}"
+update-ini-file inner-server.cnf req output_password "${PASSWORD}"
+update-ini-file server.cnf req output_password "${PASSWORD}"
+
+update-ini-file ca.cnf certificate_authority countryName NO
+update-ini-file client.cnf client countryName NO
+update-ini-file inner-server.cnf server countryName NO
+update-ini-file server.cnf server countryName NO
+
+update-ini-file ca.cnf certificate_authority organizationName "Debian Edu"
+update-ini-file client.cnf client organizationName "Debian Edu"
+update-ini-file inner-server.cnf server organizationName "Debian Edu"
+update-ini-file server.cnf server organizationName "Debian Edu"
+
+update-ini-file xpextensions xpclient_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file xpextensions xpserver_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf CA_default crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf v3_ca crlDistributionPoints URI:http://www.intern/intern_ca.crl
+
+update-ini-file ca.cnf certificate_authority emailAddress postmaster@postoffice.intern
+update-ini-file inner-server.cnf server emailAddress postmaster@postoffice.intern
+update-ini-file server.cnf server emailAddress postmaster@postoffice.intern
+
+update-ini-file client.cnf client commonName user@postoffice.intern
+update-ini-file client.cnf client emailAddress user@postoffice.intern
+
+update-ini-file ca.cnf certificate_authority commonName '"Debian Edu freeRADIUS Certificate Authority"'
+update-ini-file server.cnf server commonName freeradius.intern
+
+update-ini-file server.cnf alt_names DNS.1 freeradius.intern
+
+update-ini-file ca.cnf CA_default default_days 3650
+update-ini-file client.cnf CA_default default_days 3650
+update-ini-file inner-server.cnf CA_default default_days 3650
+update-ini-file server.cnf CA_default default_days 3650
+
+update-ini-file inner-server.cnf server commonName '"Debian Edu freeRADIUS Inner Server Certificate"'
+
+grep -q '^[[:blank:]]*subjectAltName[[:blank:]=]' xpextensions || cat >>xpextensions <<'EOF'
+
+subjectAltName = @alt_names
+
+# This should be a host name of the RADIUS server.
+# Note that the host name is exchanged in EAP *before*
+# the user machine has network access. So the host name
+# here doesn't really have to match anything in DNS.
+[alt_names]
+DNS.1 = freeradius.intern
+
+# NAIRealm from RFC 7585
+otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.intern
+EOF
+
+sed -i \
+ -e "/^[[:blank:]]*private_key_password[[:blank:]=]/s#=.*#= $PASSWORD#g" \
+ -e '/^[[:blank:]]*certificate_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-server.crt#g' \
+ -e '/^[[:blank:]]*private_key_file[[:blank:]=]/s#=.*#= /etc/ssl/private/freeradius-server.key#g' \
+ -e '/^[[:blank:]]*ca_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-ca.crt#g' \
+ ../mods-available/eap
-./bootstrap
+sh ./bootstrap
chmod 644 dh server.crt server.pem ca.pem ca.der
chmod 640 server.key
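Review bot: The guard on the `xpextensions` heredoc only greps for `subjectAltName`, yet the appended block also creates an `[alt_names]` section, and the bare `subjectAltName = @alt_names` line lands in whichever section happens to be last in the file. If `update-ini-file` can express it, set the key in a named section the way `crlDistributionPoints` is set for `xpserver_ext`, and append `[alt_names]` only when that section is absent. Separately, `$PASSWORD` is passed as a command-line argument to eight `update-ini-file` calls and to `sed`, so it is visible in the process list while the script runs, and the replacement `= $PASSWORD` is only safe while `pwgen -1 16` emits no `#`, `&` or `\`; a comment next to the `pwgen` call should say so.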
@@ -157,8 +201,6 @@
# Cleanup the certs dir.
make clean
-chmod -x bootstrap
-
# Start the configured freeRADIUS service and give some feedback.
service freeradius start
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/show-welcome-webpage debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/show-welcome-webpage
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/show-welcome-webpage 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/show-welcome-webpage 2023-09-27 22:34:54.000000000 +0200
@@ -14,7 +14,7 @@
fi
if [ "$GETDEFAULTHOMEPAGE" ] &&
- echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+ echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
if [ "$GETDEFAULTHOMEPAGE" = "http://www/" ] || [ "$GETDEFAULTHOMEPAGE" = "https://www/" ] ; then
for lang in $(echo $LANGCODE | tr : " "); do
if wget -q -O /dev/null ${GETDEFAULTHOMEPAGE}index.html.$lang ; then
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/sssd-generate-config debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/sssd-generate-config
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/sssd-generate-config 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/sssd-generate-config 2023-09-27 22:34:54.000000000 +0200
@@ -14,7 +14,7 @@
if ping -c2 ldap.$domain > /dev/null 2>&1; then
echo ldap://ldap.$domain
else
- host=$(host -N 2 -t SRV _ldap._tcp.$domain | egrep -v 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
+ host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -Ev 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
if [ "$host" ] ; then
echo ldap://$host | sed 's/\.$//'
fi
@@ -33,7 +33,7 @@
if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \
'(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \
perl -p0e 's/\n //g' | \
- egrep -q '^dn:|^Administrative limit exceeded' ; then
+ grep -Eq '^dn:|^Administrative limit exceeded' ; then
echo $context
return
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/update-dlw-krb5-keytabs debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/update-dlw-krb5-keytabs
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/update-dlw-krb5-keytabs 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/update-dlw-krb5-keytabs 2023-09-27 22:34:54.000000000 +0200
@@ -49,7 +49,7 @@
# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
nscd -i netgroup
-DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+DLW_HOSTS_NETGROUP="$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")" || true
# Do some sanity checks...
if [ "$(id -u)" != "0" ]; then
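Review bot: The new `|| true` on the `DLW_HOSTS_NETGROUP` assignment has no comment saying which failure it is meant to tolerate. The pipeline's status is that of `grep`, so an empty netgroup and a failing `netgroup` lookup both end up as an empty variable with status 0; a one-line comment, plus an explicit check for the empty value where it is used, would make the intent clear. `${DOMAIN}` is also interpolated into the regex `"\.${DOMAIN}$"` unescaped, so its dots match any character.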
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/update-proxy-from-wpad debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/update-proxy-from-wpad
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/update-proxy-from-wpad 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/update-proxy-from-wpad 2023-09-27 22:34:54.000000000 +0200
@@ -96,6 +96,29 @@
fi
}
+update_dconf() {
+ proxy_host="${http_proxy#*://}"
+ proxy_port="${proxy_host##*:}"
+ proxy_host="${proxy_host%:*}"
+ cat >/etc/dconf/db/site.d/50-proxy <<EOF
+[system/proxy/http]
+host='${proxy_host}'
+port=${proxy_port}
+enabled=true
+
+[system/proxy/https]
+host='${proxy_host}'
+port=${proxy_port}
+enabled=true
+
+[system/proxy/ftp]
+host='${proxy_host}'
+port=${proxy_port}
+enabled=true
+EOF
+ dconf update
+}
+
if [ -r /etc/debian-edu/config ] ; then
. /etc/debian-edu/config
fi
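Review bot: `update_dconf` writes `proxy_host` and `proxy_port` into `/etc/dconf/db/site.d/50-proxy` without validating either value. If `http_proxy` ends in a slash or path, `${proxy_host##*:}` keeps that suffix, and if it has no port the expansion returns the host name, so `port=` receives a non-numeric value; a `'` in the host would break the quoted `host=` line. Suggest cutting everything from the first `/`, rejecting a port that contains non-digits with a `case`, and skipping the write when parsing fails. The function also assumes that `/etc/dconf/db/site.d` exists and that `dconf` is installed.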
@@ -116,11 +139,13 @@
update_apt_conf
- # Do not set proxy in /etc/environment for machines that move around,
- # as the value will be wrong when arriving at a new network.
- if echo "$PROFILE" | egrep -q 'Roaming-Workstation|Standalone' ; then
- :
- else
+ # Do not set proxy in /etc/environment and dconf for machines that
+ # move around, # as the value will be wrong when arriving at a new
+ # network.
+ case $PROFILE in
+ *Roaming-Workstation*|*Standalone*) ;;
+ *)
update_etc_environment
- fi
+ update_dconf
+ esac
fi
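Review bot: The rewrapped comment has a stray `#` in the middle of the sentence (`move around, # as the value`); drop it. The `*)` branch of the new `case` also has no terminating `;;`, which is valid before `esac` but inconsistent with the first branch.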
diff -Nru debian-edu-config-2.12.32/testsuite/automount debian-edu-config-2.12.40~deb12u1/testsuite/automount
--- debian-edu-config-2.12.32/testsuite/automount 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/testsuite/automount 2023-09-27 22:34:54.000000000 +0200
@@ -12,7 +12,7 @@
# Automount is not used on the Main-Server, Roaming workstation and
# Standalone profiles.
-if echo "$PROFILE" | egrep -q 'Main-Server|Roaming-Workstation|Standalone' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Roaming-Workstation|Standalone' ; then
exit 0
fi
diff -Nru debian-edu-config-2.12.32/testsuite/dhcpd debian-edu-config-2.12.40~deb12u1/testsuite/dhcpd
--- debian-edu-config-2.12.32/testsuite/dhcpd 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/testsuite/dhcpd 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only main-server and thin-client server profiles run dhcpd
-if echo "$PROFILE" | egrep -q 'Main-Server|LTSP-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|LTSP-Server' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/filesystems debian-edu-config-2.12.40~deb12u1/testsuite/filesystems
--- debian-edu-config-2.12.32/testsuite/filesystems 2014-10-12 12:51:32.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/testsuite/filesystems 2023-09-27 22:34:54.000000000 +0200
@@ -1,58 +1,65 @@
#!/bin/sh
#
-# Check that we are using ext3, not ext2
+# Check that we are using ext3/4 filesystems with expected options
if test -r /etc/debian-edu/config ; then
. /etc/debian-edu/config
fi
-LANG=C
-export LANG
+LC_ALL=C
+export LC_ALL
-awk "/ext2/ { print \"error: $0: Using ext2 on\",\$2 }" /proc/mounts
-awk "/ext3|ext4/ { print \"success: $0: Using ext3 on\",\$2 }" /proc/mounts
+scriptname="$0"
-# Check if the filesystems on the mountpoints support acls
-for f in `grep 'ext' /proc/mounts|awk '{print $1}'`; do
- if [ `chacl -l $f | grep 'cannot get'` ]; then
- echo "error: $0: $f doesn't support acls"
- else
- echo "success: $0: $f supports acls"
- fi
-done
-
-# Make sure all ext3/ext4 mount points are online resizable
-for p in `(df -Pt ext3 2>/dev/null;df -Pt ext4 2>/dev/null) | grep -v ^Filesystem |awk '{print $1}'`; do
- if tune2fs -l $p| grep features | grep -q resize_inode ; then
- :
- else
- echo "error: $0: Missing resize_inode in ext3/ext4 fs $p"
- fi
-done
+while read -r line; do
+ set -- $line
+ case $3 in
+ ext2)
+ if [ $2 != '/boot' ]; then
+ printf 'error: %s: Using ext2 on %s\n' "${scriptname}" "$1"
+ fi
+ ;;
+ ext3|ext4)
+ printf 'success: %s: Using ext3/4 on %s\n' "${scriptname}" "$1"
+
+ # Check if the filesystems on the mountpoints support acls
+ if chacl -l "$1" >/dev/null 2>&1; then
+ printf "success: %s: %s supports acls\n" "${scriptname}" "$1"
+ else
+ printf "error: %s: %s doesn't support acls\n" "${scriptname}" "$1"
+ fi
+
+ # Make sure all ext3/ext4 mount points are online resizable
+ if ! tune2fs -l "$1" | grep -q '^Filesystem features:.* resize_inode'; then
+ printf 'error: %s: Missing resize_inode in ext3/ext4 fs %s\n' "${scriptname}" "$2"
+ fi
+ ;;
+ esac
+done </proc/mounts
-if echo "$PROFILE" | grep -q Main-Server ; then
+case $PROFILE in
+*Main-Server*)
# Make sure autofs do not hide the real file systems
if [ -d /skole/tjener/home0/lost+found ] ; then
- echo "success: $0: Found lost+found in /skole/tjener/home0/"
+ printf 'success: %s: Found lost+found in /skole/tjener/home0/\n' "${scriptname}"
else
- echo "error: $0: No lost+found in /skole/tjener/home0/. Blocked by autofs?"
+ printf 'error: %s: No lost+found in /skole/tjener/home0/. Blocked by autofs?\n' "${scriptname}"
fi
# Make sure home0 and backup have acl and user_xattr enabled. See
# if bug #638822 is present or not.
for dir in /skole/tjener/home0 /skole/backup; do
- dev="$(LC_ALL=C df -P /var/log|awk '/%/ {print $1}')"
- for opt in acl user_xattr ; do
- if LC_ALL=C tune2fs -l "$dev" | \
- grep 'Default mount' | \
- grep -qw $opt ; then
- echo "success: $0: Found option $opt in $dir."
- else
- echo "error: $0: Did not find option $opt in $dir."
- fi
- done
+ dev="$(findmnt -T "${dir}" -n -o SOURCE)"
+ for opt in acl user_xattr; do
+ if tune2fs -l "${dev}" | grep -q "^Default mount options:.* ${opt}"; then
+ printf "success: %s: Found option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+ else
+ printf "error: %s: Did not find option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+ fi
+ done
done
-fi
+ ;;
+esac
# Report too full file systems. Should have at least 20% free to
# avoid warning from Nagios, preferably between 20% and 25%.
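Review bot: In the `ext3|ext4` branch `chacl -l "$1"` runs on field 1 of `/proc/mounts`, which is the device, so it inspects the device node rather than the mounted filesystem (carried over from the old loop); `"$2"`, the mount point, looks like what is wanted. The messages are inconsistent as well: the ext2 line used to print the mount point and now prints `$1`, while the `resize_inode` error prints `$2` although `tune2fs` was run on `$1`. `set -- $line` and `[ $2 != '/boot' ]` are unquoted, so add `set -f` before the loop and quote `"$2"` to avoid glob expansion and `test` errors.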
diff -Nru debian-edu-config-2.12.32/testsuite/hardware debian-edu-config-2.12.40~deb12u1/testsuite/hardware
--- debian-edu-config-2.12.32/testsuite/hardware 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/testsuite/hardware 2023-09-27 22:34:54.000000000 +0200
@@ -33,7 +33,7 @@
fi
done
-disks=`cat /proc/partitions|egrep 'ide|scsi'|awk '{print $4}'|grep '/disc'|sed 's%^%/dev/%'`
+disks=`cat /proc/partitions|grep -E 'ide|scsi'|awk '{print $4}'|grep '/disc'|sed 's%^%/dev/%'`
for disk in $disks ; do
/sbin/hdparm -i $disk 2>&1 | sed "s%^%info: $0: hdparm: %"
done
diff -Nru debian-edu-config-2.12.32/testsuite/ldap-client debian-edu-config-2.12.40~deb12u1/testsuite/ldap-client
--- debian-edu-config-2.12.32/testsuite/ldap-client 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/testsuite/ldap-client 2023-09-27 22:34:54.000000000 +0200
@@ -16,7 +16,7 @@
fi
# Only networked profiles use LDAP
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
@@ -24,13 +24,20 @@
RESULT=0
-# Locate LDAP server dynamically, by looking up SRV records. The -N 2
+# Locate LDAP server dynamically, by looking up SRV records. The +ndots=2
# argument is tested and found to work with the debian package
# bind9-host, and not with the host package.
-ldap_servers=$(host -N 2 -t srv _ldap._tcp | rev | awk '/VRS/ {print $1}' | cut -d. -f2- | rev)
-# Cut the list to one server as we do not handle redundant servers at
-# the moment.
-ldap_server=$(echo $ldap_servers | awk '{print $1}')
+ldap_server_port="$(dig +search +ndots=2 +short _ldap._tcp srv | awk '
+(t == "") || ($1 < prio) {
+ prio = $1
+ t = $4
+ sub(/\.$/,"",t)
+ p = $3
+}
+END { if (t != "") printf("%s:%d", t, p) }
+')"
+ldap_server="${ldap_server_port%:*}"
+ldap_server_uri="ldap://${ldap_server_port}"
# Test if LDAP server is reachable
if ping -c1 $ldap_server > /dev/null 2>&1 ; then
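Review bot: The comment above the lookup still says the argument was "tested and found to work with the debian package bind9-host, and not with the host package", but the command is now `dig`, so that sentence should be rewritten or dropped. The awk filter keeps only the record with the lowest priority value and ignores the weight field; the removed remark that redundant servers are not handled still applies and should stay as a comment. When `dig` returns nothing, `ldap_server_uri` becomes `ldap://` and `ping -c1 $ldap_server` runs with no host argument, so quote `"$ldap_server"` there.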
@@ -39,6 +46,7 @@
error "Dynamically located LDAP server '$ldap_server' is not pingable, continuing tests using DNS alias ldap."
# Autodetection failed, use hardcoded DNS name for the rest of the tests
ldap_server=ldap.intern
+ ldap_server_uri="ldap://${ldap_server}"
fi
for file in nslcd.conf ; do
@@ -51,7 +59,7 @@
done
# Verify that NSS is properly configured for netgroups in LDAP.
-if egrep -q '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
+if grep -Eq '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
success "NSS netgroup setting is correct in /etc/nsswitch.conf"
else
error "NSS netgroup setting is wrong in /etc/nsswitch.conf"
@@ -60,7 +68,7 @@
SERVICES="nslcd"
# Roaming workstations use sssd for caching, and not nscd
-if echo "$PROFILE" | egrep -q 'Roaming-Workstation' ; then
+if echo "$PROFILE" | grep -Eq 'Roaming-Workstation' ; then
SERVICES="$SERVICES sssd"
else
ls -l /var/cache/nscd/ | sed "s/^/info: nscd cache: /"
@@ -68,11 +76,13 @@
SERVICES="$SERVICES nscd"
fi
-host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
-host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"
+printf 'info: SRV record from DNS: '
+dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv
+printf 'info: LDAP server from DNS: '
+dig +noall +answer +nocomments "$ldap_server"
if [ -f /etc/nslcd.conf ] ; then
- if egrep -q "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
+ if grep -Eq "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
:
else
error "ldap/ldap.conf misses definition of HOST ldap"
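Review bot: Replacing the `sed "s/^/info: .../"` filters with a `printf` prefix changes the output format: only the first line of each `dig` answer carries the `info:` tag, and when `dig` prints nothing the prefix is left without a newline and runs into the next message. Piping the `dig` output through the same `sed` expressions as before keeps every line tagged.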
@@ -116,13 +126,13 @@
if [ -x /usr/bin/ldapsearch ] ; then
namingContexts="$(
- ldapsearch -s base -h $ldap_server -b '' -x '*' '+' | \
+ ldapsearch -s base -H "${ldap_server_uri}" -b '' -x '*' '+' | \
awk '/^namingContexts:/ {print $2}' | head -1
)"
echo info: $0: LDAP rootDSE namingContext: $namingContexts
LDAP_MOUNTS="$(
- ldapsearch -LLL -h $ldap_server -b $namingContexts \
+ ldapsearch -LLL -H "${ldap_server_uri}" -b $namingContexts \
-x '(objectClass=automount)' |\
grep "^cn:" | while read attr val; do
echo "$val"
@@ -137,10 +147,10 @@
# Try a search using TLS too
group=admins
- if ldapsearch -ZZ -LLL -h $ldap_server -b $namingContexts \
+ if ldapsearch -ZZ -LLL -H "${ldap_server_uri}" -b $namingContexts \
-x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
success "TLS search on $ldap_server for cn=$group returned OK exit code."
- elif ldapsearch -ZZ -LLL -h ldap.intern -b $namingContexts \
+ elif ldapsearch -ZZ -LLL -H ldap://ldap.intern -b $namingContexts \
-x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
success "TLS search on ldap.intern for cn=$group returned OK exit code."
else
@@ -162,10 +172,10 @@
error "Missing LDAP certificate $pubcert"
fi
-if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | egrep 'pam_krb5.so|pam_ldap.so|pam_sss.so' | wc -l) ] ; then
+if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5.so|pam_ldap.so|pam_sss.so') ] ; then
success "Only one PAM module of krb5, ldap and sss is enabled"
else
- error "Not only one PAM module of krb5, ldap and sss is enabled"
+ error "More than one PAM module of krb5, ldap and sss is enabled"
fi
# Make sure winbind PAM module isn't active
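Review bot: The new error text "More than one PAM module ..." does not match the condition it reports. `[ 1 -eq $(... | grep -Ec ...) ]` also fails when the count is 0, so the else branch covers both "none" and "several"; keep a neutral message or split the two cases. The switch from `egrep | wc -l` to `grep -Ec` is fine.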
diff -Nru debian-edu-config-2.12.32/testsuite/ldap-server debian-edu-config-2.12.40~deb12u1/testsuite/ldap-server
--- debian-edu-config-2.12.32/testsuite/ldap-server 2023-01-30 14:33:11.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/testsuite/ldap-server 2023-09-27 22:34:54.000000000 +0200
@@ -73,11 +73,11 @@
# limit (32768) file descriptors were tried but required incresing
# file-max, took very long and caused very high load on the server
# during testing.
-ldap_server=ldap
+ldap_server_uri=ldap
limit=1200
ulimit -n 2048
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
echo "success: $0: search work before flodding the LDAP server with $limit connections."
else
echo "error: $0: search fail before flodding the LDAP server with $limit connections"
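Review bot: The variable is renamed to `ldap_server_uri=ldap`, but both `ldapsearch` calls and the Net::LDAP line further down still expand `$ldap_server`, which is now unset, so they all end up with `ldap://` and an empty host. Either keep `ldap_server=ldap`, or set `ldap_server_uri=ldap://ldap` and pass `-H "$ldap_server_uri"` in all three places.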
@@ -86,7 +86,7 @@
perl -MNet::LDAP -e "sleep(5); my @c; for my \$n (0 .. $limit) { \$c[\$n] = Net::LDAP->new('ldap://$ldap_server', onerror => undef); my \$root = \$c[\$n]->root_dse() if \$c[\$n]; } sleep(5);"
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
echo "success: $0: search work after flodding the LDAP server with $limit connections."
else
echo "error: $0: search fail after flodding the LDAP server with $limit connections"
diff -Nru debian-edu-config-2.12.32/testsuite/locale debian-edu-config-2.12.40~deb12u1/testsuite/locale
--- debian-edu-config-2.12.32/testsuite/locale 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/testsuite/locale 2023-09-27 22:34:54.000000000 +0200
@@ -4,7 +4,7 @@
echo "info: $0: install locale: '$LANG' '$LANGUAGE'"
-env|egrep 'LC|LANG' | sed "s%^%info: $0: install env: %"
+env|grep -E 'LC|LANG' | sed "s%^%info: $0: install env: %"
locale | sed "s%^%info: $0: locale: %"
locale charmap | sed "s%^%info: $0: locale charmap: %"
diff -Nru debian-edu-config-2.12.32/testsuite/ntp debian-edu-config-2.12.40~deb12u1/testsuite/ntp
--- debian-edu-config-2.12.32/testsuite/ntp 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/testsuite/ntp 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only networked profiles use NTP
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/rdp-server debian-edu-config-2.12.40~deb12u1/testsuite/rdp-server
--- debian-edu-config-2.12.32/testsuite/rdp-server 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/testsuite/rdp-server 2023-09-27 22:34:54.000000000 +0200
@@ -9,7 +9,7 @@
fi
# Only LTSP-Server profiles provide RDP
-if echo "$PROFILE" | egrep -q 'LTSP-Server' ; then
+if echo "$PROFILE" | grep -Eq 'LTSP-Server' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/samba debian-edu-config-2.12.40~deb12u1/testsuite/samba
--- debian-edu-config-2.12.32/testsuite/samba 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/testsuite/samba 2023-09-27 22:34:54.000000000 +0200
@@ -11,7 +11,7 @@
fi
# Only Main-Server install samba
-if echo "$PROFILE" | egrep -q 'Main-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/sudo debian-edu-config-2.12.40~deb12u1/testsuite/sudo
--- debian-edu-config-2.12.32/testsuite/sudo 2019-02-23 17:22:21.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/testsuite/sudo 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Standalone profile do not use LDAP based sudo
-if echo "$PROFILE" | egrep -q 'Standalone' ; then
+if echo "$PROFILE" | grep -Eq 'Standalone' ; then
exit 0
fi
diff -Nru debian-edu-config-2.12.32/testsuite/webcache debian-edu-config-2.12.40~deb12u1/testsuite/webcache
--- debian-edu-config-2.12.32/testsuite/webcache 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/testsuite/webcache 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only networked profiles use squid
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
@@ -37,7 +37,7 @@
# Wait for 10 seconds
HEADOPTS="-t 10"
-if echo "$PROFILE" | egrep -q 'Main-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
# Test that the binary exist
if test -x /usr/sbin/squid ; then
echo "success: $0: Binary /usr/sbin/squid is present."
@@ -52,7 +52,7 @@
exit 1
fi
- if egrep -q '^refresh_pattern \(Release\|Package\(.gz\)\*\)$' /etc/squid/squid.conf
+ if grep -Eq '^refresh_pattern \(Release\|Package\(.gz\)\*\)$' /etc/squid/squid.conf
then
echo "error: $0: squid typo causing APT problem is present (#591839)."
else
diff -Nru debian-edu-config-2.12.32/testsuite/webserver debian-edu-config-2.12.40~deb12u1/testsuite/webserver
--- debian-edu-config-2.12.32/testsuite/webserver 2019-02-23 17:22:21.000000000 +0100
+++ debian-edu-config-2.12.40~deb12u1/testsuite/webserver 2023-09-27 22:34:54.000000000 +0200
@@ -9,7 +9,7 @@
fi
# Only networked profiles should have the https certificates
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/workstation debian-edu-config-2.12.40~deb12u1/testsuite/workstation
--- debian-edu-config-2.12.32/testsuite/workstation 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.40~deb12u1/testsuite/workstation 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only Workstation profiles use squid
-if echo "$PROFILE" | egrep -q 'Workstation|Roaming-Workstation|LTSP-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Workstation|Roaming-Workstation|LTSP-Server' ; then
:
else
exit 0
--- End Message ---