[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/cf-serverd-config] 18 commits: share/debian-edu-config/tools/gosa-remove: Fix kadmin.local, Use '-force' to...
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Mon Aug 7 15:19:11 BST 2023
Mike Gabriel pushed to branch personal/gber/cf-serverd-config at Debian Edu / debian-edu-config
Commits:
df38e13d by Daniel Teichmann at 2023-07-25T18:06:37+02:00
share/debian-edu-config/tools/gosa-remove: Fix kadmin.local, Use '-force' to disable interaction via stdin.
- - - - -
98b9a05d by Guido Berhoerster at 2023-07-31T12:52:49+02:00
ldap-createuser-krb5: Fix user creation
Remove Samba NT4 domain support, add samba user using smbpasswd.
Add root CA for new users (copied from gosa-create).
Closes: #1042456
- - - - -
ec303a6a by Guido Berhoerster at 2023-08-07T11:05:58+02:00
ldap-createuser-krb5: fix new UID/GID selection
Exclude special users (UID/GID >= 10000) when looking for the highest UID/GID.
- - - - -
83a921a4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add CLI options for uid/gid/department
Also ensure script is run as root.
- - - - -
3c671914 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: Add additional attributes based on template users
- - - - -
25c911dd by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add support for additional groups
- - - - -
dffca0f4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: send welcome email in order to create maildir
Without this the maildir in /var/mail/<user> will not exist and Dovecot will
refuse to let the user log in as it cannot create this directory.
- - - - -
a037063a by Guido Berhoerster at 2023-08-07T15:04:46+02:00
ldap-createuser-krb5: set LDAP password when creating users
This allows users to use gosa to change their password.
- - - - -
39890c47 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd services for configuring Chromium/Firefox from LDAP
Factor out logic from init script into separate script which are then called
from both the init script and systemd services.
- - - - -
085be419 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd service enabling NAT for thin clients
- - - - -
d8d40e3d by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd service for fetching the RootCA file from the main server
- - - - -
a06fb0d8 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Drop init script for fetching LDAP SSL public key from legacy main servers
This drops support for clients running behind a main server based on DebianEdu
stretch (closes: #1030116).
- - - - -
90dec108 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Update debian/rules for init scripts and systemd services
Closes: #1039166
- - - - -
67ea7417 by Guido Berhoerster at 2023-08-07T14:11:55+00:00
Generate a random password for the icinga/icingaweb databases
Closes: #1040015
- - - - -
69cd4c75 by Guido Berhoerster at 2023-08-07T14:13:47+00:00
update-dlw-krb5-keytabs: Handle missing/empty diskless-workstation-hosts
The "set -e" makes the shell exit with status 1 immediately without any message
if the grep in the subshell does not match anything. This in turn makes scripts
like gosa-remove-host fail without any error message. Exit gracefully with a
message and exit status 0 if diskless-workstation-hosts netgroup is
missing/empty.
- - - - -
e9f9ab68 by Guido Berhoerster at 2023-08-07T14:15:21+00:00
Followup fixes for ntpsec transition
Explicitly install the ntpsec package instead of the transitional ntp package.
Update comments accordingly.
Remove non-existent editline_ntp promise.
- - - - -
7bf138c3 by Guido Berhoerster at 2023-08-07T14:16:56+00:00
Add systemd support to debian-edu-restart-services
This uses a list of service units which was compiled on a main server + ltsp
installation. Uses stop and start to force restart reverse-dependencies. It
also makes sure that drop in files are recognized. Closes: #1042940
- - - - -
9dd3f55f by Guido Berhoerster at 2023-08-07T14:18:53+00:00
cf3/promises.cf: fix typo and allow connections from localhost and network
- - - - -
21 changed files:
- Makefile
- cf3/cf.ntp
- cf3/promises.cf
- debian/debian-edu-config.chromium-ldapconf
- + debian/debian-edu-config.chromium-ldapconf.service
- + debian/debian-edu-config.enable-nat.service
- − debian/debian-edu-config.fetch-ldap-cert
- debian/debian-edu-config.fetch-rootca-cert
- + debian/debian-edu-config.fetch-rootca-cert.service
- debian/debian-edu-config.firefox-ldapconf
- + debian/debian-edu-config.firefox-ldapconf.service
- debian/rules
- ldap-tools/ldap-createuser-krb5
- sbin/debian-edu-restart-services
- + share/debian-edu-config/tools/chromium-ldapconf
- share/debian-edu-config/tools/edu-icinga-setup
- + share/debian-edu-config/tools/fetch-rootca-cert
- + share/debian-edu-config/tools/firefox-ldapconf
- share/debian-edu-config/tools/gosa-remove
- + share/debian-edu-config/tools/nat
- share/debian-edu-config/tools/update-dlw-krb5-keytabs
Changes:
=====================================
Makefile
=====================================
@@ -321,6 +321,10 @@ install: install-testsuite
share/debian-edu-config/tools/copy-host-keytab \
share/debian-edu-config/tools/improve-desktop-l10n \
share/debian-edu-config/tools/install-task-pkgs \
+ share/debian-edu-config/tools/chromium-ldapconf \
+ share/debian-edu-config/tools/firefox-ldapconf \
+ share/debian-edu-config/tools/nat \
+ share/debian-edu-config/tools/fetch-rootca-cert \
; do \
$(INSTALL) $$f $(DESTDIR)/usr/$$f ; \
done
=====================================
cf3/cf.ntp
=====================================
@@ -2,10 +2,10 @@ bundle agent ntp
{
# Use custom ntp configuration for networked clients (package systemd-timesyncd
# is installed by default). On the internal ntp server (default: 'tjener'), the
-# ntp package is installed.
+# ntpsec package is installed.
# Keep systemd-timesyncd default settings for roaming workstations.
-# Note: In case the ntp package is installed, the conflicting systemd-timesyncd
-# package gets removed (but not purged).
+# Note: In case the ntpsec package is installed, the conflicting
+# systemd-timesyncd package gets removed (but not purged).
vars:
@@ -24,10 +24,10 @@ files:
commands:
- # Make sure ntp gets installed
+ # Make sure ntpsec gets installed
debian.server.installation::
- "/usr/bin/apt-get install -y ntp"
+ "/usr/bin/apt-get install -y ntpsec"
contain => in_shell;
}
=====================================
cf3/promises.cf
=====================================
@@ -8,9 +8,9 @@
body server control
# Debian Edu specific
{
- allowconnects => { "10.0.0.0.0/8" };
- allowallconnects => { "10.0.0.0.0/8" };
- trustkeysfrom => { "10.0.0.0.0/8" };
+ allowconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ allowallconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ trustkeysfrom => { "10.0.0.0/8" };
maxconnections => "15";
denybadclocks => "false";
allowusers => { "root" };
@@ -53,7 +53,6 @@ body common control
ldapclient,
desktop,
ntp,
- editline_ntp,
squid,
sshd,
syslog,
=====================================
debian/debian-edu-config.chromium-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
. /lib/lsb/init-functions
-if [ -e /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-do_start() {
- # Skip this on LTSP chroots
- if [ -e /etc/ltsp_chroot ] ; then
- return
- fi
-
- # Only networked profiles use LDAP
- if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
- /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
- fi
-
- if echo "$PROFILE" | grep -q LTSP-Server && [ -d /opt/ltsp ] ; then
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
- chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
- done
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/chromium-ldapconf
;;
stop)
;;
=====================================
debian/debian-edu-config.chromium-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
=====================================
debian/debian-edu-config.enable-nat.service
=====================================
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables NAT for clients in the thin clients network
+After=remote-fs.target network-online.target
+Wants=remote-fs.target
+ConditionFileIsExecutable=/usr/sbin/iptables
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/nat enable
+ExecStop=/usr/share/debian-edu-config/tools/nat disable
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
=====================================
debian/debian-edu-config.fetch-ldap-cert deleted
=====================================
@@ -1,135 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: fetch-ldap-cert
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Should-Start: $network $syslog $named slapd
-# Default-Start: 2 3 4 5
-# Default-Stop:
-# Short-Description: Fetch LDAP SSL public key from the server
-# Description:
-# Start before krb5-kdc to give slapd time to become operational
-# before krb5-kdc try to connect to the LDAP server as a workaround
-# for #589915.
-# X-Start-Before: isc-dhcp-server krb5-kdc nslcd
-### END INIT INFO
-#
-# Author: Petter Reinholdtsen <pere at hungry.com>
-# Date: 2007-06-09
-#
-# Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
-# Date: 2022-01-06
-
-###
-### FIXME: Legacy init script for Debian Edu clients.
-###
-### --- Remove for Debian Edu bookworm+1 ---
-###
-### Warning: Removing this script will drop support for clients running
-### against Debian Edu main servers based on Debian Edu stretch and
-### earlier.
-###
-
-set -e
-
-. /lib/lsb/init-functions
-
-CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-
-do_start() {
-
- # Locate LDAP server
- LDAPSERVER=$(debian-edu-ldapserver)
- LDAPPORT=636 # ldaps
- ERROR=false
-
- ###
- ### PHASE 1: LDAP server cert retrieval
- ###
-
- if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
-
- # LDAP server host not known/found, bailing out...
- if [ -z "$LDAPSERVER" ] ; then
- msg="Failed to locate LDAP server"
- log_action_begin_msg "$msg"
- log_action_end_msg 1
- logger -t fetch-ldap-cert "$msg."
- return 1
- fi
-
- [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-
- # Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
- /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
- chmod 644 $CERTFILE.new
-
- if test -s $CERTFILE.new ; then
- mv $CERTFILE.new $CERTFILE
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
- else
- # We obviously have failed in some way if the CERTFILE.new is empty (zero size).
- # Something went wrong, if we end up here...
- rm -f $CERTFILE.new
- log_action_end_msg 1
- logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
- ERROR=true
- fi
-
- fi
-
- ###
- ### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
- ###
-
- if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
-
- # Loop over all to be found LTSP chroots...
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-
- if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
- # likely not a chroot dir, skipping...
- continue
- fi
-
- # Only install the CERTFILE into this chroot, if not already present...
- if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
-
- # Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
- # certificate.
- log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
- [ "$VERBOSE" != no ] &&
- if test -s $CERTFILE; then
- cp $CERTFILE $ltsp_chroot$CERTFILE
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- else
- log_action_end_msg 1
- ERROR=true
- fi
- fi
-
- done
- fi
-
- if [ "$ERROR" = "true" ]; then
- return 1
- fi
-}
-
-case "$1" in
- start)
- do_start
- ;;
- stop)
- ;;
- restart|force-reload)
- ;;
- *)
- echo "Usage: $0 {start|stop|restart|force-reload}"
- exit 2
-esac
-
-exit 0
=====================================
debian/debian-edu-config.fetch-rootca-cert
=====================================
@@ -19,68 +19,10 @@ set -e
. /lib/lsb/init-functions
-if [ -r /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
-LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
-
-do_start() {
-
- ERROR=false
-
- # Remove no longer used certificate file
- rm -f $BUNDLECRT
-
- # RootCA cert retrieval (avoid execution on the main server, things are in place)
- if echo "$PROFILE" | egrep -q 'Main-Server' ; then
- logger -t fetch-rootca-cert "Running on the main server, exiting."
- exit 0
- fi
- if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
- # Since Debian Edu 10, the RootCA file is distributed
- # over http (always via the host serving www.intern, by default: TJENER)
- #
- # We do an availability check for the webserver first, to provide proper
- # error reporting (see below). So, the following check merely discovers,
- # if the webserver is online at all.
- if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
- # Now let's see if the webserver has the "Debian Edu RootCA" file.
- # This has been the case for Debian Edu main servers (TJENER) since
- # Debian Edu 10.1.
- if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
- grep -q CERTIFICATE $LOCALCACRT ; then
- # Make rootCA certificate available in /etc/ssl/certs/
- ln -nsf $LOCALCACRT $ROOTCACRT
- # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
- update-ca-certificates
- logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
- else
- # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
- # 404 http error message in html.
- rm -f $LOCALCACRT
- rm -f $ROOTCACRT
- logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
- fi
- else
- # Report an error, if www.intern is down http-wise. This can happen and is probably
- # a temporary problem that needs an admin to fix it.
- log_action_end_msg 1
- logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
- ERROR=true
- fi
- fi
-
- if $ERROR; then
- return 1
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/fetch-rootca-cert
+ exit $?
;;
stop)
;;
=====================================
debian/debian-edu-config.fetch-rootca-cert.service
=====================================
@@ -0,0 +1,13 @@
+[Unit]
+Description=Fetch Debian Edu rootCA certificate from the main server
+After=remote-fs.target network-online.target
+Before=nslcd.service
+Wants=remote-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/fetch-rootca-cert
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
=====================================
debian/debian-edu-config.firefox-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
. /lib/lsb/init-functions
-if [ -e /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-do_start() {
- # Skip this on LTSP chroots
- if [ -e /etc/ltsp_chroot ] ; then
- return
- fi
-
- # Only networked profiles use LDAP
- if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
- /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
- fi
-
- if echo "$PROFILE" | grep -q LTSP-Server && [ -d /opt/ltsp ] ; then
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
- chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
- done
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/firefox-ldapconf
;;
stop)
;;
=====================================
debian/debian-edu-config.firefox-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
=====================================
debian/rules
=====================================
@@ -10,13 +10,18 @@ override_dh_auto_install:
override_dh_installinit:
# Start it after 15bind9 and 19slapd
- dh_installinit --init-script fetch-ldap-cert -r --no-start
dh_installinit --init-script fetch-rootca-cert -r --no-start
# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure
dh_installinit --init-script firefox-ldapconf -r --no-start
dh_installinit --init-script chromium-ldapconf -r --no-start
dh_installinit --init-script enable-nat --no-start
+override_dh_installsystemd:
+ dh_installsystemd --no-start --name chromium-ldapconf
+ dh_installsystemd --no-start --name enable-nat
+ dh_installsystemd --no-start --name fetch-rootca-cert
+ dh_installsystemd --no-start --name firefox-ldapconf
+
override_dh_installman:
dh_installman
help2man -N -n "ldap-add-host-to-netgroup - Adds a host as a member in the given netgroup" \
=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -5,26 +5,74 @@
# users at the same time to LDAP, as the uid and gid values will
# conflict.
-# The samba related attributes are described in
-# <URL: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc43 >
-
set -e
+function usage {
+ cat >&2 <<EOF
+Usage: $0 [-u uid] [-g gid] [-G group[,group]...] [-d department] <username> <gecos>
+ Create a user with a personal group and configure its kerberos
+ principal.
+EOF
+}
+
+if [[ $(id -u) -ne 0 ]]; then
+ printf "error: this script needs to be run as root\n" >&2
+ exit 1
+fi
+
+NEWUID=
+NEWGID=
+ADDITIONAL_GROUPS=
+DEPT=
+while getopts "d:hg:G:u:" arg; do
+ case $arg in
+ d)
+ DEPT="${OPTARG}"
+ ;;
+ g)
+ NEWGID="${OPTARG}"
+ ;;
+ G)
+ ADDITIONAL_GROUPS="${OPTARG}"
+ ;;
+ u)
+ NEWUID="${OPTARG}"
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ exit 2
+ esac
+done
+shift $((OPTIND - 1))
+
USERNAME="$1"
+
# posixAccount only accept ASCII in the gecos attribute. Make sure
# any non-ascii characters are converted apprpropriately.
GECOS="$(echo $2 | iconv -t ASCII//TRANSLIT)"
-if [ -z "$USERNAME" -o -z "$GECOS" ] ; then
- echo "Usage: $0 <username> <gecos>"
- echo
- echo " Create a user with a personal group and configure its kerberos"
- echo " principal."
+if [[ $# -ne 2 || -z "$USERNAME" || -z "$GECOS" ]]; then
+ usage
exit 1
fi
-# Put users in first gosaDepartment
-BASE=$(ldapsearch -x "(objectClass=gosaDepartment)" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}' | sort | head -1)
+read -rs -p "new password: " PASSWORD
+read -rs -p "confirm password: " CONFIRM
+if [[ "${CONFIRM}" != "${PASSWORD}" ]]; then
+ echo "passwords do not match" >&2
+ exit 1
+fi
+
+if [[ -n $DEPT ]]; then
+ BASE="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=gosaDepartment)(ou:dn:=${DEPT}))" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)"
+else
+ # Put users in first gosaDepartment
+ BASE=$(ldapsearch -x -LLL -o ldif-wrap=no "(objectClass=gosaDepartment)" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)
+fi
if [ -z "$BASE" ] ; then
BASE="$(debian-edu-ldapserver -b)"
@@ -39,44 +87,10 @@ ADMINUSER="admin";
admindn=$(ldapsearch -x "(&(cn=$ADMINUSER)(objectClass=simpleSecurityObject))" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}')
HOMEDIR=/skole/tjener/home0/$USERNAME
-SMBHOMEPATH="\\\\tjener.intern\\$USERNAME"
KRB5DOMAIN=INTERN
-SAMBADOMAIN=SKOLELINUX
PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
-# Find last UID/GID
-SAMBASID=`net getlocalsid $HOSTNAME 2>/dev/null | awk '{ print $6; }'`
-
-if [ -z "$SAMBASID" ] ; then
- echo "error: unable to fetch Samba SID"
- exit 1
-fi
-
-SAMBADOMAINDN=$(ldapsearch -x -s sub \
- "(&(objectclass=sambaDomain)(sambaDomainName=$SAMBADOMAIN))" \
- dn 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^dn: / { print $2}')
-
-if [ -z "$SAMBADOMAINDN" ] ; then
- echo "error: unable to find sambaDomain LDAP object"
- exit 1
-fi
-
-SAMBARID=$(ldapsearch -s base -b "$SAMBADOMAINDN" -x \
- sambaNextRid 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^sambaNextRid: / { print $2}')
-
-if [ -z "$SAMBARID" ] ; then
- echo "error: unable to find sambaNextRid LDAP attribute in $SAMBADOMAINDN"
- exit 1
-fi
-
-NEXTRID=$(( $SAMBARID + 1 ))
-
-LASTID=$(ldapsearch -s sub -x \
- '(|(objectclass=posixaccount)(objectclass=posixgroup))' \
- uidnumber gidnumber 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=1000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=1000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
if [ -z "$LASTID" ] ; then
@@ -92,6 +106,8 @@ if [ -z "$NEWGID" ] ; then
ldif="$ldif
dn: cn=$USERNAME,$GROUPBASE
+changetype: add
+objectClass: top
objectClass: posixGroup
cn: $USERNAME
description: Private group of user $USERNAME
@@ -99,21 +115,26 @@ gidNumber: $NEWGID
"
fi
+USER_PASSWORD="$(slappasswd -h '{CRYPT}' -c '$y$j9T$%.16s$' -T /dev/stdin <<<"${PASSWORD}")"
+
ldif="$ldif
dn: uid=$USERNAME,$USERBASE
+changetype: add
+objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
+objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
-objectClass: sambaSamAccount
+objectClass: krbTicketPolicyAux
sn: $GECOS
givenName: $GECOS
uid: $USERNAME
cn: $GECOS
-userPassword: {SSHA}N0T$3T4N0W
+userPassword: $USER_PASSWORD
homeDirectory: $HOMEDIR
loginShell: /bin/bash
uidNumber: $NEWUID
@@ -123,30 +144,67 @@ shadowLastChange: $PWLASTCHANGE
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
-sambaSID: $SAMBASID-$SAMBARID
-sambaAcctFlags: [U]
-sambaHomePath: SMBHOMEPATH
+krbPwdPolicyReference: cn=users,cn=${KRB5DOMAIN},cn=kerberos,$(debian-edu-ldapserver -b)
krbPrincipalName: $USERNAME@$KRB5DOMAIN
"
-# Update samba RIN
-ldif="$ldif
-dn: $SAMBADOMAINDN
+oIFS="${IFS}"
+IFS=","
+set -- $ADDITIONAL_GROUPS
+IFS="${oIFS}"
+for group; do
+ group_dn="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=posixGroup)(cn=$group))" '')"
+ if [ -z "${group_dn}" ]; then
+ echo "group not found: ${group}" >&2
+ continue
+ fi
+ ldif="$ldif
+
+$group_dn
changetype: modify
-replace: sambaNextRid
-sambaNextRid: $NEXTRID
+add: memberUid
+memberUid: $USERNAME
"
+done
echo "$ldif"
-if echo "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then
+if echo "$ldif" | ldapmodify -ZZ -D "$admindn" -W -v -x ; then
# Set the kerberos password
- kadmin.local -q "change_password $USERNAME@$KRB5DOMAIN"
+ kadmin.local <<EOF
+change_password $USERNAME@$KRB5DOMAIN
+${PASSWORD}
+${PASSWORD}
+EOF
# Create home directory
if [ ! -d $HOMEDIR ] ; then
- cp -r /etc/skel $HOMEDIR
- chown -R $NEWUID:$NEWGID $HOMEDIR
+ cp -r /etc/skel $HOMEDIR
+ mkdir -p $HOMEDIR/.pki/nssdb
+ chmod -R 700 $HOMEDIR/.pki/nssdb
+ certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+ chown -R $NEWUID:$NEWGID $HOMEDIR
fi
+
+ # add Samba user
+ smbpasswd -a -n -s $USERNAME
+
+ # Send welcome mail in order to create maildir for dovecot
+ /usr/lib/sendmail "${USERNAME}@postoffice.intern" <<EOF
+Subject: Welcome to the mail-system
+
+Hello $GECOS,
+
+welcome to the mail-system.
+
+Your userID is $USERNAME, and your email address is:
+
+ $USERNAME at postoffice.intern
+
+Regards,
+
+ Debian-Edu SysAdmin
+
+EOF
fi
=====================================
sbin/debian-edu-restart-services
=====================================
@@ -5,63 +5,116 @@
set -e
-echo "info: Stopping services in sequence."
-for ALL in /etc/rc1.d/K* ; do
- if [ -h $ALL ] ; then
- SERVICE=$(basename $(readlink $ALL))
- else
- SERVICE=$(basename $ALL)
- fi
- echo "info: Stopping $SERVICE"
- $ALL stop || /bin/true
-done
+sysvinit_restart_services () {
+ echo "info: Stopping services in sequence."
+ for ALL in /etc/rc1.d/K* ; do
+ if [ -h $ALL ] ; then
+ SERVICE=$(basename $(readlink $ALL))
+ else
+ SERVICE=$(basename $ALL)
+ fi
+ echo "info: Stopping $SERVICE"
+ $ALL stop || /bin/true
+ done
-for service in \
- slapd \
- rpcbind \
- apache \
- ;
- do
- if [ "$(pidof $service)" ] ; then
- echo "info: '$service' still running, sending HUP."
- pkill $service || /bin/true
- fi
-done
+ for service in \
+ slapd \
+ rpcbind \
+ apache \
+ ;
+ do
+ if [ "$(pidof $service)" ] ; then
+ echo "info: '$service' still running, sending HUP."
+ pkill $service || /bin/true
+ fi
+ done
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do
- echo "info: $LINE"
-done
+ echo "info: Checking what's still running"
+ ps aux | while read LINE ; do
+ echo "info: $LINE"
+ done
-for service in \
- slapd \
- rpcbind \
- apache \
- ;
- do
- if [ "$(pidof $service)" ] ; then
- echo "info: '$service' still running, sending KILL."
- pkill -9 $service || /bin/true
- fi
-done
+ for service in \
+ slapd \
+ rpcbind \
+ apache \
+ ;
+ do
+ if [ "$(pidof $service)" ] ; then
+ echo "info: '$service' still running, sending KILL."
+ pkill -9 $service || /bin/true
+ fi
+ done
+
+ echo "info: Checking what's still running"
+ ps aux | while read LINE ; do
+ echo "info: $LINE"
+ done
+
+ echo "Info: Restarting networking"
+ /etc/init.d/networking restart || /bin/true
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do
- echo "info: $LINE"
-done
+ echo "info: Starting services in sequence."
+ for ALL in /etc/rc2.d/S* ; do
+ if [ -h $ALL ] ; then
+ SERVICE=$(basename $(readlink $ALL))
+ else
+ SERVICE=$(basename $ALL)
+ fi
+ echo "info: Starting $SERVICE"
+ $ALL start || /bin/true
+ done
+}
-echo "Info: Restarting networking"
-/etc/init.d/networking restart || /bin/true
+systemd_restart_services () {
+ systemctl daemon-reload
+
+ systemctl restart networking.service
+
+ for service in \
+ apache2.service \
+ cups.service \
+ dovecot.service \
+ exim4.service \
+ icinga2.service \
+ inetd.service \
+ isc-dhcp-server.service \
+ krb5-admin-server.service \
+ krb5-kdc.service \
+ ltsp.service \
+ mariadb.service \
+ munin-node.service \
+ munin.service \
+ nagios-nrpe-server.service \
+ named.service \
+ nfs-server.service \
+ nmbd.service \
+ nscd.service \
+ nslcd.service \
+ ntpsec.service \
+ rsyslog.service \
+ sitesummary-client.service \
+ slapd.service \
+ smbd.service \
+ squid.service \
+ sudo-ldap.service \
+ tftpd-hpa.service \
+ x2goserver.service \
+ xrdp.service \
+ xrdp-sesman.service
+ do
+ if systemctl is-active --quiet $service; then
+ active="$active $service"
+ fi
+ done
+ systemctl stop $active || true
+ systemctl start $active
+}
-echo "info: Starting services in sequence."
-for ALL in /etc/rc2.d/S* ; do
- if [ -h $ALL ] ; then
- SERVICE=$(basename $(readlink $ALL))
- else
- SERVICE=$(basename $ALL)
- fi
- echo "info: Starting $SERVICE"
- $ALL start || /bin/true
-done
+if [ -e /run/systemd/system/ ]; then
+ systemd_restart_services
+else
+ sysvinit_restart_services
+fi
exit 0
=====================================
share/debian-edu-config/tools/chromium-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Chromium configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+ *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+ /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
+ ;;
+esac
+
+case $PROFILE in
+ *LTSP-Server*)
+ if [ -d /opt/ltsp ]; then
+ find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage \;
+ fi
+ ;;
+esac
=====================================
share/debian-edu-config/tools/edu-icinga-setup
=====================================
@@ -34,6 +34,11 @@ FIRSTUSERNAME="$RET"
# run 'mysql_secure_installation'.)
setup_icinga() {
+ # Generate random password (alphanumeric ASCII characters only in order
+ # to avoid problems with quoting below)
+ password="$(LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | dd bs=1 count=16 2>/dev/null)"
+ [ -n "${password}" ] || exit 1
+
# Delete anonymous users
mysql -e "DELETE FROM mysql.user WHERE User='';"
# Ensure the root user can not log in remotely
@@ -55,7 +60,7 @@ setup_icinga() {
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
ON icingadb.*
TO 'icinga2'@'localhost'
- IDENTIFIED BY 'v64nhbe27dfBjR3T';
+ IDENTIFIED BY '${password}';
FLUSH PRIVILEGES;
"
# Install the MySQL schema required for the Icinga 2 database
@@ -63,7 +68,7 @@ setup_icinga() {
# Adjust the Icinga 2 MySQL IDO configuration
#sed -i "/user/ s%icinga2%$FIRSTUSERNAME%" "/etc/icinga2/features-available/ido-mysql.conf"
- sed -i "/password/ s%\".*\"%\"v64nhbe27dfBjR3T\"%" "/etc/icinga2/features-available/ido-mysql.conf"
+ sed -i "/password/s/.*/ password = \"${password}\",/" /etc/icinga2/features-available/ido-mysql.conf
sed -i '/database/ s%icinga2%icingadb%' /etc/icinga2/features-available/ido-mysql.conf
# Enable ido-mysql feature
@@ -75,7 +80,7 @@ setup_icinga() {
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
ON icingaweb2.*
TO 'icingaweb2'@'localhost'
- IDENTIFIED BY 'v64nhbe27dfBjR3T';
+ IDENTIFIED BY '${password}';
FLUSH PRIVILEGES;
"
# Install the MySQL schema required for the Icinga Web 2 database
@@ -147,7 +152,7 @@ setup_icinga() {
port = ""
dbname = "icingaweb2"
username = "icingaweb2"
- password = "v64nhbe27dfBjR3T"
+ password = "${password}"
charset = ""
use_ssl = "0"
@@ -158,7 +163,7 @@ setup_icinga() {
port = ""
dbname = "icingadb"
username = "icinga2"
- password = "v64nhbe27dfBjR3T"
+ password = "${password}"
charset = ""
use_ssl = "0"
EOF
=====================================
share/debian-edu-config/tools/fetch-rootca-cert
=====================================
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Fetches Debian Edu rootCA certificate from the main server
+#
+# Author: Wolfgang Schweer, <wschweer at arcor.de>
+# Date: 2020-02-14
+#
+
+if [ -r /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
+LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
+
+# Remove no longer used certificate file
+rm -f $BUNDLECRT
+
+# RootCA cert retrieval (avoid execution on the main server, things are in place)
+case $PROFILE in
+*Main-Server*)
+ logger -t fetch-rootca-cert "Running on the main server, exiting."
+ exit 0
+ ;;
+esac
+
+if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
+ # Since Debian Edu 10, the RootCA file is distributed
+ # over http (always via the host serving www.intern, by default: TJENER)
+ #
+ # We do an availability check for the webserver first, to provide proper
+ # error reporting (see below). So, the following check merely discovers,
+ # if the webserver is online at all.
+ if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+ # Now let's see if the webserver has the "Debian Edu RootCA" file.
+ # This has been the case for Debian Edu main servers (TJENER) since
+ # Debian Edu 10.1.
+ if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+ grep -q CERTIFICATE $LOCALCACRT ; then
+ # Make rootCA certificate available in /etc/ssl/certs/
+ ln -nsf $LOCALCACRT $ROOTCACRT
+ # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+ update-ca-certificates
+ logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
+ else
+ # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+ # 404 http error message in html.
+ rm -f $LOCALCACRT
+ rm -f $ROOTCACRT
+ logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
+ fi
+ else
+ # Report an error, if www.intern is down http-wise. This can happen and is probably
+ # a temporary problem that needs an admin to fix it.
+ log_action_end_msg 1
+ logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+ exit 1
+ fi
+fi
=====================================
share/debian-edu-config/tools/firefox-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Firefox configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+ *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+ /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
+ ;;
+esac
+
+case $PROFILE in
+ *LTSP-Server*)
+ if [ -d /opt/ltsp ]; then
+ find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage \;
+ fi
+ ;;
+esac
=====================================
share/debian-edu-config/tools/gosa-remove
=====================================
@@ -52,7 +52,7 @@ mv $HOMEDIR $RM_HOMEDIR
chown root:root $RM_HOMEDIR
chmod go-rwx $RM_HOMEDIR
-kadmin.local -q "delete_principal $USERID"
+kadmin.local -q "delete_principal -force $USERID"
pdbedit -x -u $USERID > /dev/null
logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion, samba account and principal \'$USERID\' removed.
=====================================
share/debian-edu-config/tools/nat
=====================================
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+IPTABLES=/usr/sbin/iptables
+
+NETWORK_TO_NAT=
+OUTSIDE_IF=eth0
+
+[ -x $IPTABLES ] || exit 1
+
+# Only enable by default if LTSP is installed
+if [ -e /srv/ltsp ] ; then
+ NETWORK_TO_NAT="192.168.0.0/24"
+fi
+
+if [ -f /etc/default/enable-nat ] ; then
+ . /etc/default/enable-nat
+fi
+
+# Bail out if no network is configured
+[ -n "$NETWORK_TO_NAT" ] || exit 0
+
+case $1 in
+enable)
+ # Exit if already enabled
+ $IPTABLES -t nat -n -L POSTROUTING | \
+ awk -v net="$NETWORK_TO_NAT" '
+ NR > 2 && $1 == "MASQUERADE" && $4 == net {
+ found=1
+ exit
+ }
+ END {
+ exit(!found)
+ }' && exit 0
+
+ $IPTABLES -t nat -A POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE
+
+ # Enable IP-forwarding if it isn't enabled already.
+ sysctl -wq net.ipv4.ip_forward=1
+ ;;
+disable)
+ $IPTABLES -F -t nat
+ ;;
+*)
+ printf 'usage: %s [enable|disable]\n' "$(basename "$0")" >&2
+ exit 1
+ ;;
+esac
=====================================
share/debian-edu-config/tools/update-dlw-krb5-keytabs
=====================================
@@ -49,7 +49,7 @@ DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
nscd -i netgroup
-DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+DLW_HOSTS_NETGROUP="$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")" || true
# Do some sanity checks...
if [ "$(id -u)" != "0" ]; then
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/6bb8e794f36e86f7ae8a9a438ae821ad951ec91f...9dd3f55ff479aa5e93f3cda5a70e2faa32a36801
--
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/6bb8e794f36e86f7ae8a9a438ae821ad951ec91f...9dd3f55ff479aa5e93f3cda5a70e2faa32a36801
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-edu-commits/attachments/20230807/3289f5f4/attachment-0001.htm>
More information about the debian-edu-commits
mailing list