[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 10 commits: share/debian-edu-config/tools/kerberos-kdc-init: Update kdc.conf content.

WolfgangSchweer gitlab at salsa.debian.org
Fri Nov 8 19:41:42 GMT 2019



WolfgangSchweer pushed to branch master at Debian Edu / debian-edu-config


Commits:
7e4fd28f by Wolfgang Schweer at 2019-11-08T18:46:10Z
share/debian-edu-config/tools/kerberos-kdc-init: Update kdc.conf content.

This change is needed to fix Kerberos setup (atm broken in bullseye).

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
7868aa9c by Wolfgang Schweer at 2019-11-08T18:56:01Z
Add policy file share/firefox-esr/distribution/policies.json

This makes sure that the Debian-Edu_rootCA.crt file gets installed as trusted
certificate at first launch of firefox-esr and thunderbird. The policy is valid
for both firefox-esr and thunderbird as of version 68.2.x (thunderbird still
needs to migrate to bullseye, tested with sid version).

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
ecbce8c2 by Wolfgang Schweer at 2019-11-08T19:09:29Z
Drop share/debian-edu-config/{installs.ini,profiles.ini,profiles.ini.ff}

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
591a910f by Wolfgang Schweer at 2019-11-08T19:14:43Z
Adjust related tool 'ldap-tools/ldap-debian-edu-install'.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
e04e4c25 by Wolfgang Schweer at 2019-11-08T19:15:37Z
Adjust related tool 'ldap-tools/ldap-debian-edu-install'.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
8f964f7a by Wolfgang Schweer at 2019-11-08T19:16:35Z
Adjust related tool 'share/debian-edu-config/tools/gosa-create'.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
4553b61a by Wolfgang Schweer at 2019-11-08T19:18:11Z
Adjust related tool 'share/debian-edu-config/tools/update-cert-dbs'.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
44def547 by Wolfgang Schweer at 2019-11-08T19:19:09Z
Adjust Makefile.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
ed12af30 by Wolfgang Schweer at 2019-11-08T19:30:36Z
Add changelog entries for Kerberos and root certificate related commits.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
2e16bba6 by Wolfgang Schweer at 2019-11-08T19:40:02Z
d/changelog: Improve wording.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -


11 changed files:

- Makefile
- debian/changelog
- ldap-tools/ldap-debian-edu-install
- − share/debian-edu-config/installs.ini
- − share/debian-edu-config/profiles.ini
- − share/debian-edu-config/profiles.ini.ff
- share/debian-edu-config/tools/create-user-nssdb
- share/debian-edu-config/tools/gosa-create
- share/debian-edu-config/tools/kerberos-kdc-init
- share/debian-edu-config/tools/update-cert-dbs
- + share/firefox-esr/distribution/policies.json


Changes:

=====================================
Makefile
=====================================
@@ -343,6 +343,7 @@ install: install-testsuite
 		share/debian-edu-config/tools/install-task-pkgs \
 		share/debian-edu-config/ltspfs-mounter-kde \
 		share/debian-edu-config/squid.resolvconf \
+		share/firefox-esr/distribution/policies.json \
 		share/ltsp/get-ldap-ltsp-config \
 		share/initramfs-tools/scripts/nfs-bottom/before-ltsp \
 	; do \
@@ -376,9 +377,6 @@ install: install-testsuite
 		share/debian-edu-config/sslCA.cnf \
 		share/debian-edu-config/v3.cnf \
 		share/debian-edu-config/v3CA.cnf \
-		share/debian-edu-config/installs.ini \
-		share/debian-edu-config/profiles.ini \
-		share/debian-edu-config/profiles.ini.ff \
 		share/debian-edu-config/debian-edu.addmachine.template \
 		share/debian-edu-config/debian-edu.ldapscripts.passwd \
 		share/debian-edu-config/passwords_stub.dat \


=====================================
debian/changelog
=====================================
@@ -1,3 +1,27 @@
+debian-edu-config (2.11.9) UNRELEASED; urgency=medium
+
+  * share/debian-edu-config/tools/kerberos-kdc-init:
+    - Update kdc.conf content from template shipped with the krb5-kdc package.
+      This fixes the recently broken Kerberos setup.
+  * Replace ugly workaround for rootCA certificate integration (both firefox-esr
+    and thunderbird as of version 68.2.0esr) with a $home independent setup:
+    - Add policy file share/firefox-esr/distribution/policies.json.
+      This makes sure that the Debian-Edu_rootCA.crt file gets installed as
+      trusted certificate for firefox-esr and thunderbird.
+      The policy also forces the Debian Edu startpage to be shown (instead of
+      the Firefox one) at first launch; the Firefox privacy page is available
+      via a second tab.
+    - Drop share/debian-edu-config/{installs.ini,profiles.ini,profiles.ini.ff}.
+      These files are no longer required.
+    - Adjust related tools:
+      + share/debian-edu-config/tools/gosa-create
+      + share/debian-edu-config/tools/create-user-nssdb
+      + share/debian-edu-config/tools/update-cert-dbs
+      + ldap-tools/ldap-debian-edu-install
+    - Adjust Makefile.
+
+ -- Wolfgang Schweer <wschweer at arcor.de>  Fri, 08 Nov 2019 19:50:17 +0100
+
 debian-edu-config (2.11.8) unstable; urgency=medium
 
   [ Wolfgang Schweer ]
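Review bot: The changelog claim that the policy "forces the Debian Edu startpage to be shown (instead of the Firefox one) at first launch; the Firefox privacy page is available via a second tab" is not backed by the policies.json added in this series, which contains only Certificates, NewTabPage and OverrideFirstRunPage, the last set to an empty string, which suppresses Firefox's own first-run page rather than selecting a replacement. Either reword the entry to say the Firefox first-run page is suppressed, or add the homepage setting the entry describes to the policy file so the two agree.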


=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -523,21 +523,12 @@ if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
   service slapd start
 fi
 
-# Create both dbm and sql nssdb files for first user.
+# Create PKI nssdb files for first user.
 if [ -x /usr/bin/certutil ] ; then
-  mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default
-  chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default
-  cp /usr/share/debian-edu-config/profiles.ini.ff /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/profiles.ini
-  cp /usr/share/debian-edu-config/installs.ini /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/installs.ini
-  mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default
-  chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default
-  cp /usr/share/debian-edu-config/profiles.ini /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird
   mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
   chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
-  certutil  -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-  certutil  -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
   certutil  -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
   chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
-  echo "info: created dbm and sql nssdb files for first-user"
+  echo "info: created PKI nssdb files for first-user"
 fi
 


=====================================
share/debian-edu-config/installs.ini deleted
=====================================
@@ -1,4 +0,0 @@
-[3B6073811A6ABF12]
-Default=debian-edu.default
-Locked=1
-


=====================================
share/debian-edu-config/profiles.ini deleted
=====================================
@@ -1,7 +0,0 @@
-[General]
-StartWithLastProfile=1
-
-[Profile0]
-Name=default
-IsRelative=1
-Path=debian-edu.default


=====================================
share/debian-edu-config/profiles.ini.ff deleted
=====================================
@@ -1,13 +0,0 @@
-[Profile0]
-Name=debian-edu
-IsRelative=1
-Path=debian-edu.default
-
-[General]
-StartWithLastProfile=1
-Version=2
-
-[Install3B6073811A6ABF12]
-Default=debian-edu.default
-Locked=1
-


=====================================
share/debian-edu-config/tools/create-user-nssdb
=====================================
@@ -2,29 +2,24 @@
 
 set -e
 
-BASE_HOME=/skole/tjener/home0
-for i in $(ls /skole/tjener/home0/ | grep -v lost+found) ; do
-    if [ -d $BASE_HOME/$i/.mozilla/firefox/debian-edu.default ] ; then
-        su - $i sh -c 'certutil  -A -d dbm:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    fi
-    if [ -d $BASE_HOME/$i/.thunderbird/debian-edu.default ] ; then
-        su - $i sh -c 'certutil  -A -d dbm:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    else
-        mkdir -p $BASE_HOME/$i/.thunderbird/debian-edu.default
-        chmod -R 700 $BASE_HOME/$i/.thunderbird/debian-edu.default
-        chown -R $i:$i $BASE_HOME/$i/.thunderbird/debian-edu.default
-        cp /usr/share/debian-edu-config/profiles.ini $BASE_HOME/$i/.thunderbird
-        certutil  -A -d dbm:$BASE_HOME/$i/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-    fi
-    if [ -d $BASE_HOME/$i/.pki/nssdb ] ; then
-        su - $i sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
+BASE_HOME=/skole/tjener
+for dir in "$BASE_HOME"/*/*; do
+    # Skip if not a directory
+    test -d "$dir" || continue
+
+    # Extract username and check existence
+    username=${dir##*/}
+    id "$username" >/dev/null 2>&1 || continue
+
+    if [ -d "$dir/.pki/nssdb" ] ; then
+        su - $username sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
     else
-        mkdir -p $BASE_HOME/$i/.pki/nssdb
-        chmod -R 700 $BASE_HOME/$i/.pki/nssdb
-        chown -R $i:$i $BASE_HOME/$i/.pki/nssdb
-        certutil  -A -d sql:$BASE_HOME/$i/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+        mkdir -p $dir/.pki/nssdb
+        chmod -R 700 $dir/.pki/nssdb
+        chown -R $i:$i $dir/.pki/nssdb
+        certutil  -A -d sql:$dir/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
     fi
-    logger -t create-user-nssdb -p notice Both dbm and sql nssdb files created in \'$BASE_HOME/$i\'.
+    logger -t create-user-nssdb -p notice PKI nssdb files created in $dir.
 done
 
 exit 0
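Review bot: The line `chown -R $i:$i $dir/.pki/nssdb` in the else branch still references `$i`, which no longer exists after the loop variable was renamed to `dir`; it expands to `chown -R : $dir/.pki/nssdb`, which fails, and with `set -e` at the top of the script that aborts the whole run on the first user who has no nssdb yet. Replace it with `chown -R "$username":"$username" "$dir/.pki/nssdb"`, and quote `$username` in the `su - $username` call and `$dir` in the mkdir, chmod and certutil lines for the same robustness the `test -d "$dir"` check already has.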


=====================================
share/debian-edu-config/tools/gosa-create
=====================================
@@ -38,19 +38,10 @@ while read KEY VALUE ; do
                 nscd -i passwd || true
                 nscd -i group || true
             fi
-            mkdir -p $HOMEDIR/.mozilla/firefox/debian-edu.default
-            chmod -R 700 $HOMEDIR/.mozilla/firefox/debian-edu.default
-            mkdir -p $HOMEDIR/.thunderbird/debian-edu.default
-            chmod -R 700 $HOMEDIR/.thunderbird/debian-edu.default
             mkdir -p $HOMEDIR/.pki/nssdb
             chmod -R 700 $HOMEDIR/.pki/nssdb
-            cp /usr/share/debian-edu-config/profiles.ini.ff $HOMEDIR/.mozilla/firefox/profiles.ini
-            cp /usr/share/debian-edu-config/installs.ini $HOMEDIR/.mozilla/firefox/installs.ini
-            cp /usr/share/debian-edu-config/profiles.ini $HOMEDIR/.thunderbird
-            certutil  -A -d dbm:$HOMEDIR/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-            certutil  -A -d dbm:$HOMEDIR/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
             certutil  -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-            logger -t gosa-create -p notice Both dbm and sql nssdb files created in \'$HOMEDIR\'.
+            logger -t gosa-create -p notice PKI nssdb files created in \'$HOMEDIR\'.
             chown -R $USERID:$GROUPID $HOMEDIR
             kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
             logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.


=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -121,13 +121,7 @@ mit_kerberos() {
     fi
     cat > /etc/krb5.conf <<EOF
 [libdefaults]
-        ## FIXME: setting enctypes still needed due to #521878#24
-#       allow_weak_crypto = true
-        permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
         default_realm = INTERN
-# Should probably use this in [libdefaults] to look up servers in DNS:
-#        dns_lookup_realm = false
-#        dns_lookup_kdc = true
 
 [realms]
         INTERN = {
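Review bot: Dropping the explicit `permitted_enctypes` list, which included single-DES (des-cbc-crc) and RC4 (rc4-hmac), leaves enctype selection to the krb5 library defaults, which is the right direction security-wise; state in the commit message or changelog that DES and RC4 are intentionally no longer permitted, since kerberos-kdc-init only runs at realm creation and an existing realm keeps whatever keys it already has, so admins reading the changelog know this affects new setups only.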
@@ -172,6 +166,7 @@ mit_kerberos_kdc() {
 
 [realms]
     INTERN = {
+        database_name = /var/lib/krb5kdc/principal
         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
         acl_file = /etc/krb5kdc/kadm5.acl
         key_stash_file = $STASHFILE
@@ -179,7 +174,6 @@ mit_kerberos_kdc() {
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3-hmac-sha1
-        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
         default_principal_flags = +preauth
     }
 EOF
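Review bot: With `supported_enctypes` (including the des:* entries) removed, `master_key_type = des3-hmac-sha1` two lines above is the only legacy enctype left in the generated kdc.conf; because kerberos-kdc-init is what creates the realm database, this line is the one place the master key type gets chosen. Consider removing it so kdb5_util uses the MIT default (aes256-cts-hmac-sha1-96), or set that value explicitly, and mention the change in the changelog alongside the enctype cleanup.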


=====================================
share/debian-edu-config/tools/update-cert-dbs
=====================================
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Update both dbm (old style) and sql type nssdb files in users' homedirs.
+# Update PKI nssdb files in users' homedirs.
 #
 
 set -e
@@ -12,18 +12,10 @@ for dir in "$BASE_HOME"/*/*; do
 
     # Extract username and check existence
     username=${dir##*/}
-    id "$username" >/dev/null || continue
+    id "$username" >/dev/null 2>&1 || continue
 
-    if [ -d "$dir/.mozilla/firefox/debian-edu.default" ] ; then
-        su - $username sh -c 'certutil  -A -d sql:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-        su - $username sh -c 'certutil  -A -d dbm:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    fi
-    if [ -d "$dir/.thunderbird/debian-edu.default" ] ; then
-        su - $username sh -c 'certutil  -A -d sql:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-        su - $username sh -c 'certutil  -A -d dbm:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    fi
     if [ -d "$dir/.pki/nssdb" ] ; then
         su - $username sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
     fi
-    logger -t update-cert-dbs "Updated nssdb files for user $username in $dir"
+    logger -t update-cert-dbs "Updated PKI nssdb files for user $username in $dir"
 done
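Review bot: The `logger` call at the end of the loop body still reports "Updated PKI nssdb files for user $username in $dir" for every existing user, including those for whom the `if [ -d "$dir/.pki/nssdb" ]` test was false and no certutil call ran; move the logger line inside the `if`, or log a separate "no nssdb found, skipped" message in an else branch, so the syslog record matches what was actually done. The added `2>&1` on the `id` call is a good cleanup.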


=====================================
share/firefox-esr/distribution/policies.json
=====================================
@@ -0,0 +1,12 @@
+{
+  "policies": {
+    "Certificates": {
+      "ImportEnterpriseRoots": true,
+      "Install": [
+        "/etc/ssl/certs/Debian-Edu_rootCA.crt"
+      ]
+    },
+    "NewTabPage": false,
+    "OverrideFirstRunPage": ""
+  }
+}
\ No newline at end of file
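Review bot: The file is missing a trailing newline (`\ No newline at end of file`); add one so later diffs to policies.json stay clean. Also, both `"ImportEnterpriseRoots": true` and the explicit `Install` entry aim at trusting the root CA; since the `Install` path /etc/ssl/certs/Debian-Edu_rootCA.crt is what covers Debian Edu clients, a sentence in the commit message on whether ImportEnterpriseRoots has any effect on Linux clients would help future maintainers decide whether to keep it.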



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/compare/cfd1eca02a274e0b23da0b8a73e4bd784d067df2...2e16bba68600855b156c6e52c790fc829d282c2b
