[debian-edu-commits] debian-edu/ 02/06: Remove outdated winbind related configuration files and tools.
Wolfgang Schweer
schweer-guest at moszumanska.debian.org
Thu Mar 22 12:40:09 UTC 2018
This is an automated email from the git hooks/post-receive script.
schweer-guest pushed a commit to branch master
in repository debian-edu-config.
commit 919e3f331d54d31e82690de91467fac04cdc0858
Author: Wolfgang Schweer <wschweer at arcor.de>
Date: Tue Mar 20 16:12:25 2018 +0100
Remove outdated winbind related configuration files and tools.
- etc/samba/smb-winbind-debian-edu.conf
- doc/debian-edu-winbind
- share/debian-edu-config/tools/debian-edu-winbind
tools/setup-ad-clients is available since a long time to place it.
---
doc/debian-edu-winbind | 145 ---------------------
etc/samba/smb-winbind-debian-edu.conf | 24 ----
share/debian-edu-config/tools/debian-edu-winbind | 156 -----------------------
3 files changed, 325 deletions(-)
diff --git a/doc/debian-edu-winbind b/doc/debian-edu-winbind
deleted file mode 100644
index 0dcb8eb..0000000
--- a/doc/debian-edu-winbind
+++ /dev/null
@@ -1,145 +0,0 @@
-How to use Winbind authentication with Debian-edu
--------------------------------------------------
-
-$Id$
-
-What is Winbind authentication
-------------------------------
-Winbind authentication is a methode of using a Windows Domain Controller
-running Active Directory (AD) for authentication, instead of LDAP which is
-used in a normal Debian-edu installation.
-
-What makes Winbind differ from LDAP
------------------------------------
-Although AD is based on LDAP, it is not straight forward to use Active
-Directory as a ldapserver. There used to be some addon for AD to make it
-work like a normal LDAP-server, and make it possible for Unix-clients to
-authenticate against it, but this addon is no longer availible/maintained.
-
-
-How Winbind authentication works
---------------------------------
-The term winbind authentication is maybe the wrong term. What is actually
-involved here is
- krb5 - Kerberos, used to authenticate against AD
- winbind - Used to fetch user info from AD
- pammount - Mount home/workdirectories from Windows File-server
- samba - What glues everything together
-
-The machine to use Winbind authentication has to become a member of the
-AD-controlled domain. This is done by "Joining" the domain. Then the
-workstation can fetch the userlist, and enumerate the users. When the user
-logs in, the username and password is checked against the AD, and if
-permitted, the homedir is created locally on the workstation. After the
-homedir is created locally a defined set of folders are mounted from the
-windows fileserver. These folders are only availible when the user is
-logged in. when the user logs out, the mounted folders are unmounted, and
-only the locally created directory remains.
-
-Configuration files for Winbind authentication
-----------------------------------------------
-In debian-edu-config, there are some predefined configuration files for
-using winbind authentication. These all have "-winbind-debian-edu" as part
-of their names. Some of them are just softlinked into place, others are
-templates with placeholders for domainname, authentication servers and
-such.
-
-Configurationfiles for pam (used as is):
- /etc/pam.d/common-account-winbind-debian-edu
- /etc/pam.d/common-auth-winbind-debian-edu
- /etc/pam.d/common-password-winbind-debian-edu
- /etc/pam.d/common-session-winbind-debian-edu
-
-Template for samba configuration:
- /etc/samba/smb-winbind-debian-edu.conf
-Template for pammount configuration:
- /etc/security/pam_mount-winbind-debian-edu.conf
-Template for Kerberos configuration:
- /etc/krb5-winbind-debian-edu.conf
-
-The templates have placeholders for the following variables:
- DOMAIN - the domain for the Windows/samba network
- HOSTNAME - hostname to be used for the client, will be autodetected if not
- specified
- REALM - Kerberos realm used in AD
- PWSERVER - The AD server that the clients authenticate against
- HDSERVER - Server that holds the homedirectories.
-
-Preparing for setting up winbind authentication
------------------------------------------------
-Use a sarge based debian-edu installation CD.
-There is 2 packages involved,
- debian-edu-config - holds the configurationfiles/templates
- debian-edu-install - fetches the correct packages necesarry to get the
- winbind authentication working
-Versions needed:
- debian-edu-config >= 0.397+svn2912
- debian-edu-install >= 0.645+svn2888
-
-There are a few things that needs to be set up correctly in the network.
-* Working NTP-server - Kerberos is picky about this.
-* DHCP and DNS - It's important that the client can lookup the authentication
-server. If you use Lessdisks-based workstation, it's also important that the
-gateway for the lessdisks-clients are resolved. For a normal debian-edu
-installation, the gateway for the lessdisks workstation should be
-ltspserver, and the ip of this should be 192.168.0.254. Please check this
-for your installation
-
-Setting up winbind authentication
----------------------------------
-Install a Debian-edu workstation or Thin client server. After the
-installation is done run the script to set authentication
- /usr/lib/debian-edu-install/debian-edu-winbind
-
-the script takes some parameters
- -d DOMAIN - your Windows domain
- -r REALM - your Kerberos realm
- -pw PWSERVER - name of your password Server
- -home HOMESERVER - name of your home server
- -u ADMIN - Username of Administrator
- -host HOSTNAME - (optional) Samba name for the host
-
-For a (maybe not so) typical school, the full command line would be
- /usr/lib/debian-edu-install/debian-edu-winbind \
- -d SKOLE \
- -r LAN.SKOLE.VGS.NO \
- -pw elevfs1.lan.skole.vgs.no \
- -home elevfs1.lan.skole.vgs.no \
- -u Administrator
-
-
-If you want to set up Diskless workstations, you need to first install a
-Thin client server, and then run the installation script for
-debian-edu-lessdisks:
- /usr/lib/debian-edu-install/debian-edu-lessdisks ws
-
-then before setting up winbind authentication, you would have to mount the
-cdrom manually
- mount /media/cdrom
-and then remount the cdrom inside the lessdisks chroot
- mount --bind /media/cdrom /var/lib/lessdisks/mirrors/archives/default
-
-then you may run the winbind script:
- lessdisks-chroot -- /usr/lib/debian-edu-install/debian-edu-winbind \
- -d SKOLE \
- -r LAN.SKOLE.VGS.NO \
- -pw elevfs1.lan.skole.vgs.no \
- -home elevfs1.lan.skole.vgs.no \
- -u Administrator
-
-
-Error checking
---------------
-Things that have gone wrong before:
-- The clock is wrong - make sure the ntp-services is set up correctly. For
- now, sarge depends upon an external ntp-server (pool.ntp.org), but should
- be fixed so that it would use a local server (ntp). For a diskless
- workstation installation, both the server where the installation is
- performed, and the diskless client should be checked
-- wrong domain name - please be sure to use the complete domain name. Test
- using "host server" should give you some help.
-- gateway for diskless clients. Debian-edu uses ltspserver as the gateway
- for the thin client network. this must resolv. It may be sufficient to
- just edit /etc/hosts on the ltsp-server
-
-
diff --git a/etc/samba/smb-winbind-debian-edu.conf b/etc/samba/smb-winbind-debian-edu.conf
deleted file mode 100644
index 8e60e0c..0000000
--- a/etc/samba/smb-winbind-debian-edu.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-[global]
- workgroup = %%DOMAIN%%
- netbios name = %%HOSTNAME%%
- winbind separator = #
- idmap uid = 10000-20000
- idmap gid = 10000-20000
- winbind enum users = yes
- winbind enum groups = yes
- winbind use default domain = yes
- security = ads
- encrypt passwords = true
- realm = %%REALM%%
- password server = %%PWSERVER%%
- template shell = /bin/bash
- client use spnego = yes
- dos charset = 850
-
-[homes]
- guest ok = no
- read only = no
- create mode = 0664
- directory mode = 0775
-
-
diff --git a/share/debian-edu-config/tools/debian-edu-winbind b/share/debian-edu-config/tools/debian-edu-winbind
deleted file mode 100755
index 7259ff0..0000000
--- a/share/debian-edu-config/tools/debian-edu-winbind
+++ /dev/null
@@ -1,156 +0,0 @@
-#!/bin/bash
-#
-# $Id$
-# A Script to install packages and configure debian-edu to authenticate
-# against a Microsoft Windows Active Directory Server.
-#
-
-set -e
-
-# Set some defaults
-DOMAIN=
-REALM=
-PWSERVER=
-HDSERVER=
-ADMIN=
-HOSTNAME=
-HIDDENHOME="$"
-
-while [ $# -gt 0 ] ; do
- case $1 in
- -d) DOMAIN=$2 ; shift ;;
- -r) REALM=$2 ; shift ;;
- -pw) PWSERVER=$2 ; shift ;;
- -home) HOMESERVER=$2 ; shift ;;
- -u) ADMIN=$2 ; shift ;;
- -host) HOSTNAME=$2 ; shift ;;
- -visiblehome) HIDDENHOME="" ;;
- esac
- shift
-done
-
-#Normally pwServer and homeServer is the same - so try to set both if
-#only one is given.
-if [ -z "$PWSERVER" ] ; then
- PWSERVER=$HOMESERVER
-fi
-
-if [ -z "$HOMESERVER" ] ; then
- HOMESERVER=$PWSERVER
-fi
-
-if [ -z "$DOMAIN" -o -z "$REALM" -o -z "$PWSERVER" -o -z "$HOMESERVER" -o -z "$ADMIN" ] ; then
- cat << EOF 1>&2
-You need to specify some variables:
- DOMAIN - your Windows domain
- REALM - your Kerberos realm
- PWSERVER - name of your password Server
- HOMESERVER - name of your home server
- ADMIN - Username of Administrator
- HOSTNAME - (optional) Samba name for the host
-
- specify -visiblehome if your homedirs are public visible
-
-example:
- $0 -d DOMAIN \\
- -r DOMAIN.REALM.ORG \\
- -pw SERVER.DOMAIN.REALM.ORG \\
- -home SERVER.DOMAIN.REALM.ORG \\
- -u ADMIN \\
- -host HOSTNAME \\
- -visiblehome
-
-EOF
- exit 9
-fi
-
-FAILURE=
-if ! host $PWSERVER 1>/dev/null 2>&1 ; then
- echo "Unable to resolv passwordserver $PWSERVER"
- FAILURE=TRUE
-fi
-
-if ! host $HOMESERVER 1>/dev/null 2>&1 ; then
- echo "Unable to resolv server for homedirectories $HOMESERVER"
- FAILURE=TRUE
-fi
-
-NTPSERVERS=
-if [ -f /etc/default/ntpdate ] ; then
- eval $(grep ^NTPSERVERS= /etc/default/ntpdate)
-elif [ -f /etc/default/ntp-servers ] ; then
- eval $(grep ^NTPSERVERS= /etc/default/ntp-servers)
-fi
-
-if [ -z "$NTPSERVERS" ] ; then
- echo "No ntp-server defined"
- FAILURE=TRUE
-else
- for NTPSERVER in $NTPSERVERS ; do
- if ! host $NTPSERVER 1>/dev/null 2>&1 ; then
- echo "Unable to resolv ntp-server $NTPSERVER"
- FAILURE=TRUE
- fi
- done
-fi
-
-if [ "$FAILURE" ] ; then
- echo "Something failed, Aborting installation ...."
- /bin/false
-fi
-
-# Set umask for creating safe temporary files
-umask 022
-
-mkdir -p /home/$DOMAIN
-
-DEBIAN_FRONTEND=noninteractive apt-get -qy install \
- winbind \
- krb5-user \
- samba \
- smbfs \
- libpam-mount \
-
-case "$LANG" in
- nb*|nn*|no*)
- CHARSET=iso8859-1
- CODEPAGE=cp850
- ;;
-esac
-
-# Replace existing files with configured files for winbind
-for CONF in /etc/samba/smb /etc/security/pam_mount /etc/krb5 ; do
- if [ -f $CONF.conf -a ! -f $CONF.conf-org ] ; then
- mv $CONF.conf $CONF.conf-org
- fi
- rm -f $CONF.conf
- sed -e "s/%%HDSERVER%%/$HOMESERVER/g" \
- -e "s/%%DOMAIN%%/$DOMAIN/g" \
- -e "s/%%REALM%%/$REALM/g" \
- -e "s/%%PWSERVER%%/$PWSERVER/g" \
- -e "s/%%HOSTNAME%%/$HOSTNAME/g" \
- -e "s/%%CHARSET%%/${CHARSET:+,iocharset=$CHARSET}/g" \
- -e "s/%%CODEPAGE%%/${CODEPAGE:+,codepage=$CODEPAGE}/g" \
- -e "s/%%HIDDENHOME%%/${HIDDENHOME:+$HIDDENHOME}/g" \
- $CONF-winbind-debian-edu.conf > $CONF.conf
-done
-
-# Replace existing files with configured files for winbind
-for CONF in /etc/pam.d/common-auth \
- /etc/pam.d/common-account \
- /etc/pam.d/common-session \
- /etc/pam.d/common-password ; do
- if [ -f $CONF -a ! -f $CONF-org ] ; then
- mv $CONF $CONF-org
- fi
- rm -f $CONF.conf
- ln -s $CONF-winbind-debian-edu $CONF
-done
-
-# Replace ldap in nsswitch.conf with winbind
-cp /etc/nsswitch.conf /etc/nsswitch.conf-org
-sed -e 's/ldap/winbind/g' /etc/nsswitch.conf-org > /etc/nsswitch.conf
-
-# Add the machine to the net account
-net ads join -U $ADMIN
-
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git
More information about the debian-edu-commits
mailing list