[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 10 commits: share/debian-edu-config/tools/kerberos-kdc-init: Update kdc.conf content.
WolfgangSchweer
gitlab at salsa.debian.org
Fri Nov 8 19:41:42 GMT 2019
WolfgangSchweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
7e4fd28f by Wolfgang Schweer at 2019-11-08T18:46:10Z
share/debian-edu-config/tools/kerberos-kdc-init: Update kdc.conf content.
This change is needed to fix Kerberos setup (atm broken in bullseye).
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
7868aa9c by Wolfgang Schweer at 2019-11-08T18:56:01Z
Add policy file share/firefox-esr/distribution/policies.json
This makes sure that the Debian-Edu_rootCA.crt file gets installed as trusted
certificate at first launch of firefox-esr and thunderbird. The policy is valid
for both firefox-esr and thunderbird as of version 68.2.x (thunderbird still
needs to migrate to bullseye, tested with sid version).
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
ecbce8c2 by Wolfgang Schweer at 2019-11-08T19:09:29Z
Drop share/debian-edu-config/{installs.ini,profiles.ini,profiles.ini.ff}
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
591a910f by Wolfgang Schweer at 2019-11-08T19:14:43Z
Adjust related tool 'ldap-tools/ldap-debian-edu-install'.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
e04e4c25 by Wolfgang Schweer at 2019-11-08T19:15:37Z
Adjust related tool 'ldap-tools/ldap-debian-edu-install'.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
8f964f7a by Wolfgang Schweer at 2019-11-08T19:16:35Z
Adjust related tool 'share/debian-edu-config/tools/gosa-create'.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
4553b61a by Wolfgang Schweer at 2019-11-08T19:18:11Z
Adjust related tool 'share/debian-edu-config/tools/update-cert-dbs'.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
44def547 by Wolfgang Schweer at 2019-11-08T19:19:09Z
Adjust Makefile.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
ed12af30 by Wolfgang Schweer at 2019-11-08T19:30:36Z
Add changelog entries for Kerberos and root certificate related commits.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
2e16bba6 by Wolfgang Schweer at 2019-11-08T19:40:02Z
d/changelog: Improve wording.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
11 changed files:
- Makefile
- debian/changelog
- ldap-tools/ldap-debian-edu-install
- − share/debian-edu-config/installs.ini
- − share/debian-edu-config/profiles.ini
- − share/debian-edu-config/profiles.ini.ff
- share/debian-edu-config/tools/create-user-nssdb
- share/debian-edu-config/tools/gosa-create
- share/debian-edu-config/tools/kerberos-kdc-init
- share/debian-edu-config/tools/update-cert-dbs
- + share/firefox-esr/distribution/policies.json
Changes:
=====================================
Makefile
=====================================
@@ -343,6 +343,7 @@ install: install-testsuite
share/debian-edu-config/tools/install-task-pkgs \
share/debian-edu-config/ltspfs-mounter-kde \
share/debian-edu-config/squid.resolvconf \
+ share/firefox-esr/distribution/policies.json \
share/ltsp/get-ldap-ltsp-config \
share/initramfs-tools/scripts/nfs-bottom/before-ltsp \
; do \
@@ -376,9 +377,6 @@ install: install-testsuite
share/debian-edu-config/sslCA.cnf \
share/debian-edu-config/v3.cnf \
share/debian-edu-config/v3CA.cnf \
- share/debian-edu-config/installs.ini \
- share/debian-edu-config/profiles.ini \
- share/debian-edu-config/profiles.ini.ff \
share/debian-edu-config/debian-edu.addmachine.template \
share/debian-edu-config/debian-edu.ldapscripts.passwd \
share/debian-edu-config/passwords_stub.dat \
=====================================
debian/changelog
=====================================
@@ -1,3 +1,27 @@
+debian-edu-config (2.11.9) UNRELEASED; urgency=medium
+
+ * share/debian-edu-config/tools/kerberos-kdc-init:
+ - Update kdc.conf content from template shipped with the krb5-kdc package.
+ This fixes the recently broken Kerberos setup.
+ * Replace ugly workaround for rootCA certificate integration (both firefox-esr
+ and thunderbird as of version 68.2.0esr) with a $home independent setup:
+ - Add policy file share/firefox-esr/distribution/policies.json.
+ This makes sure that the Debian-Edu_rootCA.crt file gets installed as
+ trusted certificate for firefox-esr and thunderbird.
+ The policy also forces the Debian Edu startpage to be shown (instead of
+ the Firefox one) at first launch; the Firefox privacy page is available
+ via a second tab.
+ - Drop share/debian-edu-config/{installs.ini,profiles.ini,profiles.ini.ff}.
+ These files are no longer required.
+ - Adjust related tools:
+ + share/debian-edu-config/tools/gosa-create
+ + share/debian-edu-config/tools/create-user-nssdb
+ + share/debian-edu-config/tools/update-cert-dbs
+ + ldap-tools/ldap-debian-edu-install
+ - Adjust Makefile.
+
+ -- Wolfgang Schweer <wschweer at arcor.de> Fri, 08 Nov 2019 19:50:17 +0100
+
debian-edu-config (2.11.8) unstable; urgency=medium
[ Wolfgang Schweer ]
=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -523,21 +523,12 @@ if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
service slapd start
fi
-# Create both dbm and sql nssdb files for first user.
+# Create PKI nssdb files for first user.
if [ -x /usr/bin/certutil ] ; then
- mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default
- chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default
- cp /usr/share/debian-edu-config/profiles.ini.ff /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/profiles.ini
- cp /usr/share/debian-edu-config/installs.ini /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/installs.ini
- mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default
- chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default
- cp /usr/share/debian-edu-config/profiles.ini /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird
mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
- certutil -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- certutil -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
certutil -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
- echo "info: created dbm and sql nssdb files for first-user"
+ echo "info: created PKI nssdb files for first-user"
fi
=====================================
share/debian-edu-config/installs.ini deleted
=====================================
@@ -1,4 +0,0 @@
-[3B6073811A6ABF12]
-Default=debian-edu.default
-Locked=1
-
=====================================
share/debian-edu-config/profiles.ini deleted
=====================================
@@ -1,7 +0,0 @@
-[General]
-StartWithLastProfile=1
-
-[Profile0]
-Name=default
-IsRelative=1
-Path=debian-edu.default
=====================================
share/debian-edu-config/profiles.ini.ff deleted
=====================================
@@ -1,13 +0,0 @@
-[Profile0]
-Name=debian-edu
-IsRelative=1
-Path=debian-edu.default
-
-[General]
-StartWithLastProfile=1
-Version=2
-
-[Install3B6073811A6ABF12]
-Default=debian-edu.default
-Locked=1
-
=====================================
share/debian-edu-config/tools/create-user-nssdb
=====================================
@@ -2,29 +2,24 @@
set -e
-BASE_HOME=/skole/tjener/home0
-for i in $(ls /skole/tjener/home0/ | grep -v lost+found) ; do
- if [ -d $BASE_HOME/$i/.mozilla/firefox/debian-edu.default ] ; then
- su - $i sh -c 'certutil -A -d dbm:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- fi
- if [ -d $BASE_HOME/$i/.thunderbird/debian-edu.default ] ; then
- su - $i sh -c 'certutil -A -d dbm:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- else
- mkdir -p $BASE_HOME/$i/.thunderbird/debian-edu.default
- chmod -R 700 $BASE_HOME/$i/.thunderbird/debian-edu.default
- chown -R $i:$i $BASE_HOME/$i/.thunderbird/debian-edu.default
- cp /usr/share/debian-edu-config/profiles.ini $BASE_HOME/$i/.thunderbird
- certutil -A -d dbm:$BASE_HOME/$i/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- fi
- if [ -d $BASE_HOME/$i/.pki/nssdb ] ; then
- su - $i sh -c 'certutil -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
+BASE_HOME=/skole/tjener
+for dir in "$BASE_HOME"/*/*; do
+ # Skip if not a directory
+ test -d "$dir" || continue
+
+ # Extract username and check existence
+ username=${dir##*/}
+ id "$username" >/dev/null 2>&1 || continue
+
+ if [ -d "$dir/.pki/nssdb" ] ; then
+ su - $username sh -c 'certutil -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
else
- mkdir -p $BASE_HOME/$i/.pki/nssdb
- chmod -R 700 $BASE_HOME/$i/.pki/nssdb
- chown -R $i:$i $BASE_HOME/$i/.pki/nssdb
- certutil -A -d sql:$BASE_HOME/$i/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+ mkdir -p $dir/.pki/nssdb
+ chmod -R 700 $dir/.pki/nssdb
+ chown -R $i:$i $dir/.pki/nssdb
+ certutil -A -d sql:$dir/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
fi
- logger -t create-user-nssdb -p notice Both dbm and sql nssdb files created in \'$BASE_HOME/$i\'.
+ logger -t create-user-nssdb -p notice PKI nssdb files created in $dir.
done
exit 0
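Review bot: the else branch still reads `chown -R $i:$i $dir/.pki/nssdb`, but `$i` no longer exists after the loop variable was renamed to `dir` and the username to `username`; the command expands to `chown -R : ...`, which GNU chown treats as "change nothing", so a freshly created nssdb stays owned by root (certutil runs as root here) and the user cannot use it. It should be `chown -R "$username":"$username" "$dir/.pki/nssdb"`. While here, quote `$dir` in the `mkdir`, `chmod` and `certutil` lines and `$username` in the `su` line, as `test -d "$dir"` already does.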
=====================================
share/debian-edu-config/tools/gosa-create
=====================================
@@ -38,19 +38,10 @@ while read KEY VALUE ; do
nscd -i passwd || true
nscd -i group || true
fi
- mkdir -p $HOMEDIR/.mozilla/firefox/debian-edu.default
- chmod -R 700 $HOMEDIR/.mozilla/firefox/debian-edu.default
- mkdir -p $HOMEDIR/.thunderbird/debian-edu.default
- chmod -R 700 $HOMEDIR/.thunderbird/debian-edu.default
mkdir -p $HOMEDIR/.pki/nssdb
chmod -R 700 $HOMEDIR/.pki/nssdb
- cp /usr/share/debian-edu-config/profiles.ini.ff $HOMEDIR/.mozilla/firefox/profiles.ini
- cp /usr/share/debian-edu-config/installs.ini $HOMEDIR/.mozilla/firefox/installs.ini
- cp /usr/share/debian-edu-config/profiles.ini $HOMEDIR/.thunderbird
- certutil -A -d dbm:$HOMEDIR/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- certutil -A -d dbm:$HOMEDIR/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- logger -t gosa-create -p notice Both dbm and sql nssdb files created in \'$HOMEDIR\'.
+ logger -t gosa-create -p notice PKI nssdb files created in \'$HOMEDIR\'.
chown -R $USERID:$GROUPID $HOMEDIR
kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -121,13 +121,7 @@ mit_kerberos() {
fi
cat > /etc/krb5.conf <<EOF
[libdefaults]
- ## FIXME: setting enctypes still needed due to #521878#24
-# allow_weak_crypto = true
- permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
default_realm = INTERN
-# Should probably use this in [libdefaults] to look up servers in DNS:
-# dns_lookup_realm = false
-# dns_lookup_kdc = true
[realms]
INTERN = {
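Review bot: removing `permitted_enctypes` (which listed des-cbc-crc and rc4-hmac) together with the commented-out `allow_weak_crypto` is the right call: the libkrb5 defaults then apply and the single-DES and RC4 types are no longer offered by clients. Since this tool regenerates krb5.conf, note in the commit message that any principal keyed only with one of the dropped enctypes would stop working on an upgraded site, so the change is safe for fresh setups but upgrades need a rekey.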
@@ -172,6 +166,7 @@ mit_kerberos_kdc() {
[realms]
INTERN = {
+ database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = $STASHFILE
@@ -179,7 +174,6 @@ mit_kerberos_kdc() {
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
- supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
EOF
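Review bot: `supported_enctypes` with its DES entries is dropped, but `master_key_type = des3-hmac-sha1` remains in the context a few lines above. Since the krb5-kdc template is the stated source of the new content, consider dropping that line as well so the KDC default master key type (aes256-cts-hmac-sha1-96) is used and the stash file is not tied to a legacy enctype.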
=====================================
share/debian-edu-config/tools/update-cert-dbs
=====================================
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# Update both dbm (old style) and sql type nssdb files in users' homedirs.
+# Update PKI nssdb files in users' homedirs.
#
set -e
@@ -12,18 +12,10 @@ for dir in "$BASE_HOME"/*/*; do
# Extract username and check existence
username=${dir##*/}
- id "$username" >/dev/null || continue
+ id "$username" >/dev/null 2>&1 || continue
- if [ -d "$dir/.mozilla/firefox/debian-edu.default" ] ; then
- su - $username sh -c 'certutil -A -d sql:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- su - $username sh -c 'certutil -A -d dbm:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- fi
- if [ -d "$dir/.thunderbird/debian-edu.default" ] ; then
- su - $username sh -c 'certutil -A -d sql:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- su - $username sh -c 'certutil -A -d dbm:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- fi
if [ -d "$dir/.pki/nssdb" ] ; then
su - $username sh -c 'certutil -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
fi
- logger -t update-cert-dbs "Updated nssdb files for user $username in $dir"
+ logger -t update-cert-dbs "Updated PKI nssdb files for user $username in $dir"
done
=====================================
share/firefox-esr/distribution/policies.json
=====================================
@@ -0,0 +1,12 @@
+{
+ "policies": {
+ "Certificates": {
+ "ImportEnterpriseRoots": true,
+ "Install": [
+ "/etc/ssl/certs/Debian-Edu_rootCA.crt"
+ ]
+ },
+ "NewTabPage": false,
+ "OverrideFirstRunPage": ""
+ }
+}
\ No newline at end of file
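Review bot: the file lacks a trailing newline (`\ No newline at end of file`); please add one. The Makefile hunk installs this file only under share/firefox-esr/distribution/, yet the changelog states the policy also covers thunderbird; either install a copy for thunderbird's distribution directory or say in the commit message how thunderbird picks it up. Also, `"OverrideFirstRunPage": ""` disables the first-run page rather than naming the Debian Edu startpage, so the startpage behaviour described in the changelog must come from another setting; a short note there would avoid confusion.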
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/compare/cfd1eca02a274e0b23da0b8a73e4bd784d067df2...2e16bba68600855b156c6e52c790fc829d282c2b