Debian Bug report logs - #613167
kerberized nfs4 mounting
Reported by: Holger Levsen <holger@layer-acht.org>
Date: Sun, 13 Feb 2011 12:39:01 UTC
Severity: wishlist
Fixed in version debian-edu-config/2.12.16
Done: Mike Gabriel <sunweaver@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Sun, 13 Feb 2011 12:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
New Bug report received and forwarded. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Sun, 13 Feb 2011 12:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
package: debian-edu-config
severity: wishlist
Hi,
to ease maintenance (no more adding of workstations to be able to access home
shares) and to improve security, it would be desirable to use kerberized nfs4
mounting.
This bug is for tracking this issue, i.e. by documenting the needed steps.
It's a wishlist feature and we can certainly release squeeze without. (It
needs some time to implement and test properly.)
cheers,
Holger
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Wed, 16 Feb 2011 14:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Andreas B. Mundt" <andi.mundt@web.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Wed, 16 Feb 2011 14:51:03 GMT) (full text, mbox, link).
Message #10 received at 613167@bugs.debian.org (full text, mbox, reply):
Hi,
to get Diskless Clients to work with Kerberos we first have to find a way
to modify the entries in /etc/hosts.
Currently, there is an entry:
10.0.2.2 server
which spoils Kerberos (error messages about for example
ldap/server@INTERN service tickets not being available).
I tried to find a way to change this by editing a variable in
lts.conf, but without success (the same after considering 'man
lts.conf').
Any help or pointers are appreciated,
Andi
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Wed, 16 Feb 2011 21:00:15 GMT) (full text, mbox, link).
Acknowledgement sent
to Wolfgang Schweer <schweer@cityweb.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Wed, 16 Feb 2011 21:00:15 GMT) (full text, mbox, link).
Message #15 received at 613167@bugs.debian.org (full text, mbox, reply):
On Wed, 16 Feb 2011, Andreas B. Mundt wrote:
> to get Diskless Clients to work with Kerberos we first have to find a way
> to modify the entries in /etc/hosts.
>
> Currently, there is an entry:
>
> 10.0.2.2 server
This entry is supposed to be written by /usr/share/ltsp/screen.d/ldm
(inside the chroot - by default /opt/ltsp/i386)
Wolfgang
Information forwarded
to debian-bugs-dist@lists.debian.org, vagrant@debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Fri, 18 Feb 2011 16:06:10 GMT) (full text, mbox, link).
Acknowledgement sent
to "Andreas B. Mundt" <andi.mundt@web.de>:
Extra info received and forwarded to list. Copy sent to vagrant@debian.org, Debian Edu Developers <debian-edu@lists.debian.org>.
(Fri, 18 Feb 2011 16:06:10 GMT) (full text, mbox, link).
Message #20 received at 613167@bugs.debian.org (full text, mbox, reply):
X-Debbugs-Cc: vagrant@debian.org
Hi,
On Wed, Feb 16, 2011 at 09:59:44PM +0100, Wolfgang Schweer wrote:
> On Wed, 16 Feb 2011, Andreas B. Mundt wrote:
>
> > to get Diskless Clients to work with Kerberos we first have to find a way
> > to modify the entries in /etc/hosts.
> >
> > Currently, there is an entry:
> >
> > 10.0.2.2 server
>
> This entry is supposed to be written by /usr/share/ltsp/screen.d/ldm
> (inside the chroot - by default /opt/ltsp/i386)
Thanks for the pointer. With its help I found the following:
The 'server' looks like being hardcoded in the function configure_resolver()
defined in:
/opt/ltsp/i386/usr/share/ltsp/ltsp-init-common
Any ideas how to modify that entry easily?
Regards
Andi
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Fri, 18 Feb 2011 18:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Wolfgang Schweer <schweer@cityweb.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Fri, 18 Feb 2011 18:03:03 GMT) (full text, mbox, link).
Message #25 received at 613167@bugs.debian.org (full text, mbox, reply):
Hi,
On Fri, 18 Feb 2011, Andreas B. Mundt wrote:
> The 'server' looks like being hardcoded in the function configure_resolver()
> defined in:
>
> /opt/ltsp/i386/usr/share/ltsp/ltsp-init-common
maybe this way (not sure, if SERVER_NAME is used already):
replace »$SERVER server« by »$SERVER ${SERVER_NAME:-"server"}« in
ltsp-init-common.
then set SERVER_NAME in lts.conf
(if getltscfg is called SERVER_NAME will be taken out of lts.conf and
exported)
for testing set PILLE_PALLE=something in lts.conf and execute
»getltscfg -a« after entering the chroot using »ltsp-chroot«
Wolfgang
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Fri, 18 Feb 2011 18:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Vagrant Cascadian <vagrant@freegeek.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Fri, 18 Feb 2011 18:15:05 GMT) (full text, mbox, link).
Message #30 received at 613167@bugs.debian.org (full text, mbox, reply):
clone 613167 -1
reassign -1 ltsp-client-core
found -1 5.1.10-2
thanks
On Fri, Feb 18, 2011 at 05:03:47PM +0100, Andreas B. Mundt wrote:
> On Wed, Feb 16, 2011 at 09:59:44PM +0100, Wolfgang Schweer wrote:
> > On Wed, 16 Feb 2011, Andreas B. Mundt wrote:
> >
> > > to get Diskless Clients to work with Kerberos we first have to find a way
> > > to modify the entries in /etc/hosts.
> > >
> > > Currently, there is an entry:
> > >
> > > 10.0.2.2 server
> >
> > This entry is supposed to be written by /usr/share/ltsp/screen.d/ldm
> > (inside the chroot - by default /opt/ltsp/i386)
that's a different, but nearly identical, problem...
> Thanks for the pointer. With its help I found the following:
>
> The 'server' looks like being hardcoded in the function configure_resolver()
> defined in:
>
> /opt/ltsp/i386/usr/share/ltsp/ltsp-init-common
>
> Any ideas how to modify that entry easily?
there is no good way to do this, unfortunately. gah. sorry about that. for
years, LTSP development assumed DNS would not be available, and this is clearly a
poor assumption.
live well,
vagrant
Bug 613167 cloned as bug 613988.
Request was from Vagrant Cascadian <vagrant@freegeek.org>
to control@bugs.debian.org.
(Fri, 18 Feb 2011 18:15:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Sat, 19 Feb 2011 11:42:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Sat, 19 Feb 2011 11:42:07 GMT) (full text, mbox, link).
Message #37 received at 613167@bugs.debian.org (full text, mbox, reply):
On Friday, 18 February 2011, Andreas B. Mundt wrote:
> /opt/ltsp/i386/usr/share/ltsp/ltsp-init-common
> Any ideas how to modify that entry easily?
we could dpkg-divert from it....
Added tag(s) pending.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Sat, 04 Jun 2011 13:33:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Sat, 04 Jun 2011 13:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Sat, 04 Jun 2011 13:39:03 GMT) (full text, mbox, link).
Message #44 received at 613167@bugs.debian.org (full text, mbox, reply):
When setting up a test installation of Debian Edu squeeze at end of
April there definitely had to be done some fixes still, but none of
them addressed
    /etc/hostname
    /etc/hosts
For kerberized NFSv4 (on diskless workstations) you have to
(a) tweak /etc/default/nfs-common and add the line
    RPCGSSDOPTS=-n
(b) make sure that the diskless workstation is set up as a Kerberos
client, including the
    [libdefaults]
    allow_weak_crypto = true
line...
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Thu, 18 Aug 2011 08:55:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Thu, 18 Aug 2011 08:55:08 GMT) (full text, mbox, link).
Message #49 received at 613167@bugs.debian.org (full text, mbox, reply):
Hi all,
is it intended that current diskless workstations in Skolelinux do not
use kerberized NFSv4?
The mount point on my diskless workstation is:
tjener.intern:/home0 on /skole/tjener/home0 type nfs4 (rw,nosuid,nodev,tcp,rsize=32768,wsize=32768,pgrp=2283,timeout=300,minproto=5,indirect)
There should actually be a sec=krb5{|i|p} there... (recommending "i").
???
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
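The check described in the message above, as an added example that is not part of the original bug log: a shell function that reads `mount`-style lines and flags NFSv4 mounts whose `sec=` flavor is missing or weaker than a required minimum (default krb5i, the flavor recommended above). The function names are illustrative, and every sample line except the first, which is the mount line quoted in the message, is constructed.

```shell
#!/bin/sh
# Added example: audit NFSv4 mounts for a missing or too-weak sec= flavor.
# Assumes `mount`-style lines: "SRC on MNT type FSTYPE (opt,opt,...)"
# and mount points without spaces.

# Rank a flavor: none/sys=0, krb5=1 (authentication only),
# krb5i=2 (adds integrity), krb5p=3 (adds privacy/encryption).
sec_rank() {
    case "$1" in
        krb5)  echo 1 ;;
        krb5i) echo 2 ;;
        krb5p) echo 3 ;;
        *)     echo 0 ;;
    esac
}

# Usage: nfs4_sec_audit [MIN_FLAVOR] < mount-output
# Prints "MNT FLAVOR STATUS" per nfs4 mount; returns 1 if any is WEAK.
nfs4_sec_audit() {
    min_rank=$(sec_rank "${1:-krb5i}")
    weak=0
    while read -r src _on mnt _type fstype opts; do
        [ "$fstype" = "nfs4" ] || continue
        # Strip the parentheses and wrap in commas so sec= can be
        # matched as a whole option wherever it appears in the list.
        opts=${opts#\(}; opts=${opts%\)}
        o=",$opts,"
        flavor=none
        case "$o" in
            *,sec=*) flavor=${o##*,sec=}; flavor=${flavor%%,*} ;;
        esac
        if [ "$(sec_rank "$flavor")" -ge "$min_rank" ]; then
            status=OK
        else
            status=WEAK; weak=1
        fi
        echo "$mnt $flavor $status"
    done
    return "$weak"
}

# Sample input: line 1 is the mount line quoted in the bug log,
# the remaining lines are constructed for this example.
sample_mounts() {
    cat <<'EOF'
tjener.intern:/home0 on /skole/tjener/home0 type nfs4 (rw,nosuid,nodev,tcp,rsize=32768,wsize=32768,pgrp=2283,timeout=300,minproto=5,indirect)
tjener.intern:/home1 on /skole/tjener/home1 type nfs4 (rw,nosuid,sec=krb5,proto=tcp)
tjener.intern:/home2 on /skole/tjener/home2 type nfs4 (rw,sec=krb5i,proto=tcp)
/dev/sda1 on / type ext4 (rw,relatime)
EOF
}

sample_mounts | nfs4_sec_audit krb5i || echo "weak NFSv4 mounts found" >&2
```

On a live client the same function can be fed with `mount | nfs4_sec_audit krb5i`.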
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>:
Bug#613167; Package debian-edu-config.
(Fri, 19 Aug 2011 18:15:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Fri, 19 Aug 2011 18:15:06 GMT) (full text, mbox, link).
Message #54 received at 613167@bugs.debian.org (full text, mbox, reply):
Hi Andi,
On Fri 19 Aug 2011 17:41:00 CEST "Andreas B. Mundt" wrote:
> user debian-edu@lists.debian.org
> usertag 638157 + debian-edu
> thanks
>
>
> On Thu, Aug 18, 2011 at 10:52:18AM +0200, Mike Gabriel wrote:
>> Hi all,
>>
>> is it intended that current diskless workstations in Skolelinux do
>> not use kerberized NFSv4?
>>
>
> Hi,
>
> it looks like kerberization does not work with current nfs-utils, see
> <URL: http://bugs.debian.org/638157>. Hopefully this can be fixed in
> a point release, the patch doesn't look very invasive ...
>
> Best regards,
>
> Andi
This is weird as I am using kerberization on squeeze root servers...
However, I use sec=krb5p...
I will test that at my customer's on Monday. Maybe sec=krb5i works.
krb5p is too CPU intensive for many open files...
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Removed tag(s) pending.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Sun, 07 Jul 2013 09:51:08 GMT) (full text, mbox, link).
Reply sent
to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility.
(Fri, 04 Feb 2022 12:21:11 GMT) (full text, mbox, link).
Notification sent
to Holger Levsen <holger@layer-acht.org>:
Bug acknowledged by developer.
(Fri, 04 Feb 2022 12:21:11 GMT) (full text, mbox, link).
Message #61 received at 613167-close@bugs.debian.org (full text, mbox, reply):
Source: debian-edu-config
Source-Version: 2.12.16
Done: Mike Gabriel <sunweaver@debian.org>
We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 613167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated debian-edu-config package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 04 Feb 2022 13:06:25 +0100
Source: debian-edu-config
Architecture: source
Version: 2.12.16
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 613167 815042 971780 1003560 1003727 1004605 1004949
Changes:
debian-edu-config (2.12.16) unstable; urgency=medium
.
[ Wolfgang Schweer ]
* etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal
network sent to root@<mynetwork-names>. (Closes: #1003727).
.
[ Mike Gabriel ]
* share/glib-2.0/schemas/31_debian-edu+mate.gschema.override: Add various
long-term-used MATE settings overrides (some from Ubuntu MATE).
* MATE screensaver: Offer "logout user" button on screensaver dialog after
40min of inactivity and allow other users to salvage a workstation from
an idle user (session).
* share/debian-edu-config/tools/setup-freeradius-server: Fix integer
comparison in run-by-root check. Script was not executable fully (not even
as root).
* etc/apache2/mods-available/debian-edu-userdir.conf:
- White-space cleanup (tabs and spaces mixed).
- CVE-2021-20001: Disable built-in PHP engine.
- Add warning to not re-enable PHP interpretation in user dirs (with
reference to our README).
* README.public_html_with_PHP-CGI+suExec.md:
- Provide documentation on how to enable suExec support in Apache2 userdirs
(i.e. ~/public_html).
* debian/NEWS:
+ Add file, inform about PHP being disabled in Apache2 user directories.
* debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
Debian-Edu_rootCA from this script. This now is the task of the
fetch-rootca-cert script. (Closes: #971780).
* debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of
Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to
Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is
required, because earlier versions of the fetch-ldap-cert init script put
Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced
symlinking replaces files by the wanted symlink. The -n option (no-
dereference) is required to make sure we don't follow any already existing
symlink. (This relates to #971780).
* Support krb5i on Diskless Workstations (aka LTSP FAT Clients):
- ldap-bootstrap/netgroup.ldif: Add diskless-workstation-hosts NIS netgroup
during LDAP bootstrap.
- debian/debian-edu-config.{postinst,postrm}: Create non-privileged
debian-edu system user account on Debian Edu mainserver (for distribution
of host keytabs to diskless workstations aka LTSP fat clients).
- share/debian-edu-config/tools/: Add new update-dlw-krb5-keytabs script and
call it (with delay) from gosa-modify-host and gosa-remove-host hook
scripts.
- (Closes: #613167).
* debian/control:
+ Add D: adduser.
* share/debian-edu-config/tools/update-proxy-from-wpad:
- Fix typo (wrong protocol) in APT proxy config creation.
- Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/
named 03debian-edu-config rather than meddling with /etc/apt/apt.conf
directly. Clean up any earlier meddling from apt.conf, as well. (Closes:
#1003560).
* share/debian-edu-config/tools/setup-roaming: Assure libsss-sudo is installed
on Roaming Workstation. (Closes: #1004605).
* share/debian-edu-config/tools/gosa-remove: Capture removals of GOsa² user
templates and ignore them. (Closes: #815042).
* ldap-schemas/: Update schema files from Debian's latest GOsa² list of
schemas. (Closes: #1004949).
* debian/debian-edu-config.postinst:
+ Replace calling 'service' by calling 'invoke-rc.d'. Thanks, lintian.
* debian/debian-edu-config.lintian-overrides:
+ Adjust line number references in lintian overrides.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 06 Mar 2022 07:27:52 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Mike Gabriel <sunweaver@debian.org>
to control@bugs.debian.org.
(Sun, 20 Mar 2022 20:21:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 18 Apr 2022 07:27:16 GMT) (full text, mbox, link).
Last modified: Sat Jul 1 12:54:31 2023