[debian-edu-commits] debian-edu/ 02/06: Remove outdated winbind related configuration files and tools.

Wolfgang Schweer schweer-guest at moszumanska.debian.org
Thu Mar 22 12:40:09 UTC 2018


This is an automated email from the git hooks/post-receive script.

schweer-guest pushed a commit to branch master
in repository debian-edu-config.

commit 919e3f331d54d31e82690de91467fac04cdc0858
Author: Wolfgang Schweer <wschweer at arcor.de>
Date:   Tue Mar 20 16:12:25 2018 +0100

    Remove outdated winbind related configuration files and tools.
    
     - etc/samba/smb-winbind-debian-edu.conf
     - doc/debian-edu-winbind
     - share/debian-edu-config/tools/debian-edu-winbind
     tools/setup-ad-clients has been available for a long time to replace it.
---
 doc/debian-edu-winbind                           | 145 ---------------------
 etc/samba/smb-winbind-debian-edu.conf            |  24 ----
 share/debian-edu-config/tools/debian-edu-winbind | 156 -----------------------
 3 files changed, 325 deletions(-)

diff --git a/doc/debian-edu-winbind b/doc/debian-edu-winbind
deleted file mode 100644
index 0dcb8eb..0000000
--- a/doc/debian-edu-winbind
+++ /dev/null
@@ -1,145 +0,0 @@
-How to use Winbind authentication with Debian-edu
--------------------------------------------------
-
-$Id$
-
-What is Winbind authentication
-------------------------------
-Winbind authentication is a methode of using a Windows Domain Controller
-running Active Directory (AD) for authentication, instead of LDAP which is
-used in a normal Debian-edu installation.
-
-What makes Winbind differ from LDAP
------------------------------------
-Although AD is based on LDAP, it is not straight forward to use Active
-Directory as a ldapserver. There used to be some addon for AD to make it
-work like a normal LDAP-server, and make it possible for Unix-clients to
-authenticate against it, but this addon is no longer availible/maintained.
-
-
-How Winbind authentication works
---------------------------------
-The term winbind authentication is maybe the wrong term. What is actually
-involved here is
- krb5 - Kerberos, used to authenticate against AD
- winbind - Used to fetch user info from AD
- pammount - Mount home/workdirectories from Windows File-server
- samba - What glues everything together
-
-The machine to use Winbind authentication has to become a member of the
-AD-controlled domain. This is done by "Joining" the domain. Then the
-workstation can fetch the userlist, and enumerate the users. When the user
-logs in, the username and password is checked against the AD, and if
-permitted, the homedir is created locally on the workstation. After the
-homedir is created locally a defined set of folders are mounted from the
-windows fileserver. These folders are only availible when the user is
-logged in. when the user logs out, the mounted folders are unmounted, and
-only the locally created directory remains.
-
-Configuration files for Winbind authentication
-----------------------------------------------
-In debian-edu-config, there are some predefined configuration files for
-using winbind authentication. These all have "-winbind-debian-edu" as part
-of their names. Some of them are just softlinked into place, others are
-templates with placeholders for domainname, authentication servers and
-such.
-
-Configurationfiles for pam (used as is):
- /etc/pam.d/common-account-winbind-debian-edu
- /etc/pam.d/common-auth-winbind-debian-edu
- /etc/pam.d/common-password-winbind-debian-edu
- /etc/pam.d/common-session-winbind-debian-edu
-
-Template for samba configuration:
- /etc/samba/smb-winbind-debian-edu.conf
-Template for pammount configuration:
- /etc/security/pam_mount-winbind-debian-edu.conf
-Template for Kerberos configuration:
- /etc/krb5-winbind-debian-edu.conf
-
-The templates have placeholders for the following variables:
- DOMAIN - the domain for the Windows/samba network
- HOSTNAME - hostname to be used for the client, will be autodetected if not
-            specified
- REALM - Kerberos realm used in AD
- PWSERVER - The AD server that the clients authenticate against
- HDSERVER - Server that holds the homedirectories. 
-
-Preparing for setting up winbind authentication
------------------------------------------------
-Use a sarge based debian-edu installation CD. 
-There is 2 packages involved, 
- debian-edu-config - holds the configurationfiles/templates
- debian-edu-install - fetches the correct packages necesarry to get the
-                      winbind authentication working
-Versions needed: 
- debian-edu-config >= 0.397+svn2912
- debian-edu-install >= 0.645+svn2888
-
-There are a few things that needs to be set up correctly in the network. 
-* Working NTP-server - Kerberos is picky about this. 
-* DHCP and DNS - It's important that the client can lookup the authentication
-server. If you use Lessdisks-based workstation, it's also important that the
-gateway for the lessdisks-clients are resolved. For a normal debian-edu
-installation, the gateway for the lessdisks workstation should be
-ltspserver, and the ip of this should be 192.168.0.254. Please check this
-for your installation
-
-Setting up winbind authentication
----------------------------------
-Install a Debian-edu workstation or Thin client server. After the
-installation is done run the script to set authentication
- /usr/lib/debian-edu-install/debian-edu-winbind
-
-the script takes some parameters
- -d DOMAIN        - your Windows domain
- -r REALM         - your Kerberos realm
- -pw PWSERVER     - name of your password Server
- -home HOMESERVER - name of your home server
- -u ADMIN         - Username of Administrator
- -host HOSTNAME   - (optional) Samba name for the host
-
-For a (maybe not so) typical school, the full command line would be
- /usr/lib/debian-edu-install/debian-edu-winbind \
-                            -d SKOLE \
-			    -r LAN.SKOLE.VGS.NO \
-			    -pw elevfs1.lan.skole.vgs.no \
-			    -home elevfs1.lan.skole.vgs.no \
-			    -u Administrator
-
-			    
-If you want to set up Diskless workstations, you need to first install a
-Thin client server, and then run the installation script for
-debian-edu-lessdisks:
- /usr/lib/debian-edu-install/debian-edu-lessdisks ws
-
-then before setting up winbind authentication, you would have to mount the
-cdrom manually
- mount /media/cdrom
-and then remount the cdrom inside the lessdisks chroot
- mount --bind /media/cdrom /var/lib/lessdisks/mirrors/archives/default
-
-then you may run the winbind script:
- lessdisks-chroot -- /usr/lib/debian-edu-install/debian-edu-winbind \ 
-                            -d SKOLE \
-			    -r LAN.SKOLE.VGS.NO \
-			    -pw elevfs1.lan.skole.vgs.no \
-			    -home elevfs1.lan.skole.vgs.no \
-			    -u Administrator
-
-
-Error checking
---------------
-Things that have gone wrong before: 
-- The clock is wrong - make sure the ntp-services is set up correctly. For
-  now, sarge depends upon an external ntp-server (pool.ntp.org), but should
-  be fixed so that it would use a local server (ntp). For a diskless
-  workstation installation, both the server where the installation is
-  performed, and the diskless client should be checked
-- wrong domain name - please be sure to use the complete domain name. Test
-  using "host server" should give you some help.
-- gateway for diskless clients. Debian-edu uses ltspserver as the gateway
-  for the thin client network. this must resolv. It may be sufficient to
-  just edit /etc/hosts on the ltsp-server
-
-
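Review bot: the deleted document names further winbind files that this commit leaves untouched: the four /etc/pam.d/common-*-winbind-debian-edu files, /etc/security/pam_mount-winbind-debian-edu.conf and /etc/krb5-winbind-debian-edu.conf. The diffstat covers only three files, so please confirm those templates are either already gone or removed in another commit of this series; otherwise they stay in the package with no tool or documentation that uses them. The commit message points to tools/setup-ad-clients as the replacement, so a pointer to where its usage is documented would help anyone who followed this text.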
diff --git a/etc/samba/smb-winbind-debian-edu.conf b/etc/samba/smb-winbind-debian-edu.conf
deleted file mode 100644
index 8e60e0c..0000000
--- a/etc/samba/smb-winbind-debian-edu.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-[global]
-  workgroup = %%DOMAIN%%
-  netbios name = %%HOSTNAME%%
-  winbind separator = #
-  idmap uid = 10000-20000
-  idmap gid = 10000-20000
-  winbind enum users = yes
-  winbind enum groups = yes
-  winbind use default domain = yes
-  security = ads
-  encrypt passwords = true
-  realm = %%REALM%%
-  password server = %%PWSERVER%%
-  template shell = /bin/bash
-  client use spnego = yes
-  dos charset = 850
-
-[homes]
-  guest ok = no
-  read only = no
-  create mode = 0664
-  directory mode = 0775
-
-
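Review bot: etc/samba/smb-winbind-debian-edu.conf is installed under /etc (the removed doc lists it as /etc/samba/smb-winbind-debian-edu.conf), so if the package ships it as a conffile, dropping it from the source leaves it behind on upgraded systems as an obsolete conffile. Consider an rm_conffile entry via dpkg-maintscript-helper in the maintainer scripts, and check that no install list or Makefile still names the file, since the diffstat shows no packaging change alongside the deletion.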
diff --git a/share/debian-edu-config/tools/debian-edu-winbind b/share/debian-edu-config/tools/debian-edu-winbind
deleted file mode 100755
index 7259ff0..0000000
--- a/share/debian-edu-config/tools/debian-edu-winbind
+++ /dev/null
@@ -1,156 +0,0 @@
-#!/bin/bash
-#
-# $Id$
-# A Script to install packages and configure debian-edu to authenticate
-# against a Microsoft Windows Active Directory Server.
-# 
-
-set -e 
-
-# Set some defaults
-DOMAIN=
-REALM=
-PWSERVER=
-HDSERVER=
-ADMIN=
-HOSTNAME=
-HIDDENHOME="$"
-
-while [ $# -gt 0 ] ; do 
-  case $1 in 
-    -d) DOMAIN=$2 ; shift ;;
-    -r) REALM=$2 ; shift ;;
-    -pw) PWSERVER=$2 ; shift ;;
-    -home) HOMESERVER=$2 ; shift ;;
-    -u) ADMIN=$2 ; shift ;;
-    -host) HOSTNAME=$2 ; shift ;;
-    -visiblehome) HIDDENHOME="" ;; 
-  esac
-  shift 
-done
-
-#Normally pwServer and homeServer is the same - so try to set both if
-#only one is given.
-if [ -z "$PWSERVER" ] ; then 
-  PWSERVER=$HOMESERVER
-fi
-
-if [ -z "$HOMESERVER" ] ; then 
-  HOMESERVER=$PWSERVER
-fi
-
-if [ -z "$DOMAIN" -o -z "$REALM" -o -z "$PWSERVER" -o -z "$HOMESERVER" -o -z "$ADMIN" ] ; then 
-  cat << EOF 1>&2
-You need to specify some variables:
-  DOMAIN     - your Windows domain 
-  REALM      - your Kerberos realm
-  PWSERVER   - name of your password Server 
-  HOMESERVER - name of your home server
-  ADMIN      - Username of Administrator
-  HOSTNAME   - (optional) Samba name for the host
-
-  specify -visiblehome if your homedirs are public visible
-  
-example: 
-  $0 -d DOMAIN \\
-     -r DOMAIN.REALM.ORG \\
-     -pw SERVER.DOMAIN.REALM.ORG \\
-     -home SERVER.DOMAIN.REALM.ORG \\
-     -u ADMIN \\
-     -host HOSTNAME \\
-     -visiblehome
-
-EOF
-  exit 9
-fi
-
-FAILURE=
-if ! host $PWSERVER 1>/dev/null 2>&1 ; then 
-  echo "Unable to resolv passwordserver $PWSERVER"
-  FAILURE=TRUE
-fi
-
-if ! host $HOMESERVER 1>/dev/null 2>&1 ; then 
-  echo "Unable to resolv server for homedirectories $HOMESERVER"
-  FAILURE=TRUE
-fi
-
-NTPSERVERS=
-if [ -f /etc/default/ntpdate ] ; then 
-  eval $(grep ^NTPSERVERS= /etc/default/ntpdate)
-elif [ -f /etc/default/ntp-servers ] ; then 
-  eval $(grep ^NTPSERVERS= /etc/default/ntp-servers)
-fi
-
-if [ -z "$NTPSERVERS" ] ; then 
-  echo "No ntp-server defined"
-  FAILURE=TRUE
-else
-  for NTPSERVER in $NTPSERVERS ; do 
-    if ! host $NTPSERVER 1>/dev/null 2>&1 ; then 
-      echo "Unable to resolv ntp-server $NTPSERVER"
-      FAILURE=TRUE
-    fi
-  done
-fi    
-  
-if [ "$FAILURE" ] ; then 
-  echo "Something failed, Aborting installation ...."
-  /bin/false
-fi
-
-# Set umask for creating safe temporary files
-umask 022
-
-mkdir -p /home/$DOMAIN
-
-DEBIAN_FRONTEND=noninteractive apt-get -qy install \
-		winbind \
-                krb5-user \
-		samba \
-		smbfs \
-		libpam-mount \
-
-case "$LANG" in 
-  nb*|nn*|no*)
-    CHARSET=iso8859-1
-    CODEPAGE=cp850
-    ;;
-esac
-
-# Replace existing files with configured files for winbind
-for CONF in /etc/samba/smb /etc/security/pam_mount /etc/krb5 ; do 
-  if [ -f $CONF.conf -a ! -f $CONF.conf-org ] ; then 
-    mv $CONF.conf $CONF.conf-org
-  fi
-  rm -f $CONF.conf
-  sed -e "s/%%HDSERVER%%/$HOMESERVER/g" \
-      -e "s/%%DOMAIN%%/$DOMAIN/g" \
-      -e "s/%%REALM%%/$REALM/g" \
-      -e "s/%%PWSERVER%%/$PWSERVER/g" \
-      -e "s/%%HOSTNAME%%/$HOSTNAME/g" \
-      -e "s/%%CHARSET%%/${CHARSET:+,iocharset=$CHARSET}/g" \
-      -e "s/%%CODEPAGE%%/${CODEPAGE:+,codepage=$CODEPAGE}/g" \
-      -e "s/%%HIDDENHOME%%/${HIDDENHOME:+$HIDDENHOME}/g" \
-      $CONF-winbind-debian-edu.conf > $CONF.conf
-done
-
-# Replace existing files with configured files for winbind
-for CONF in /etc/pam.d/common-auth \
-            /etc/pam.d/common-account \
-	    /etc/pam.d/common-session \
-	    /etc/pam.d/common-password ; do 
-  if [ -f $CONF -a ! -f $CONF-org ] ; then 
-    mv $CONF $CONF-org
-  fi
-  rm -f $CONF.conf
-  ln -s $CONF-winbind-debian-edu $CONF
-done
-
-# Replace ldap in nsswitch.conf with winbind
-cp /etc/nsswitch.conf /etc/nsswitch.conf-org
-sed -e 's/ldap/winbind/g' /etc/nsswitch.conf-org > /etc/nsswitch.conf 
-
-# Add the machine to the net account
-net ads join -U $ADMIN
-
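Review bot: hosts that ran this script keep its changes after the tool is gone: /etc/pam.d/common-auth, common-account, common-session and common-password are symlinks created by `ln -s $CONF-winbind-debian-edu $CONF`, /etc/nsswitch.conf has ldap replaced by winbind, and the originals sit in `-org` copies. Nothing in the commit covers that state, and if the pam `-winbind-debian-edu` targets are ever dropped from the package, those symlinks dangle and the PAM stack on such a host breaks. Suggest a changelog or NEWS entry telling admins to restore the `-org` files or move to tools/setup-ad-clients before upgrading.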

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git


