[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 8 commits: Adjust cf3/cf.samba

Wolfgang Schweer gitlab at salsa.debian.org
Sat Oct 24 21:59:26 BST 2020



Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config


Commits:
e962b218 by Wolfgang Schweer at 2020-10-24T22:30:53+02:00
Adjust cf3/cf.samba

Use 'students' instead of 'sambashare' for the group ownership of the
/var/lib/samba/usershares/ directory.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
ae2e4d5b by Wolfgang Schweer at 2020-10-24T22:36:05+02:00
Drop code used to add sambashare group membership from various files

share/debian-edu-config/tools/kerberos-kdc-init
share/debian-edu-config/tools/edu-ldap-from-scratch
share/debian-edu-config/tools/gosa-create
share/debian-edu-config/tools/gosa-sync

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
a6aac01b by Wolfgang Schweer at 2020-10-24T22:39:01+02:00
Remove Samba account along with POSIX account removal

Adjust share/debian-edu-config/tools/gosa-remove.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
92ab819c by Wolfgang Schweer at 2020-10-24T22:41:45+02:00
Improve order of entries and comments in Samba related files

Adjust etc/samba/smb-debian-edu.conf and share/debian-edu-config/smb.conf.edu-site

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
4e23301d by Wolfgang Schweer at 2020-10-24T22:47:20+02:00
ldap-bootstrap/gosa.ldif: Add the first user to the 'students' group

This way all users belonging to the 'teachers' group will also be members of the
'students' group.

Also clean up the file from Samba related entries.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
a2644f72 by Wolfgang Schweer at 2020-10-24T22:51:10+02:00
Cleanup files from no longer needed Samba related entries

ldap-bootstrap/netgroup.ldif
ldap-bootstrap/root.ldif
share/debian-edu-config/gosa.conf.template

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
a11e722f by Wolfgang Schweer at 2020-10-24T22:53:25+02:00
debian/control: Move libpam-python from Recommends to Suggests

Raise this back to Depends once the libpam-python package has been ported to
Python 3.

Hopefully this change will fix the src:debian-edu autopkgtest, see bug #967194
for details.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
43cfacd3 by Wolfgang Schweer at 2020-10-24T22:56:44+02:00
Add changelog entries for last commits

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -


14 changed files:

- cf3/cf.samba
- debian/changelog
- debian/control
- etc/samba/smb-debian-edu.conf
- ldap-bootstrap/gosa.ldif
- ldap-bootstrap/netgroup.ldif
- ldap-bootstrap/root.ldif
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/smb.conf.edu-site
- share/debian-edu-config/tools/edu-ldap-from-scratch
- share/debian-edu-config/tools/gosa-create
- share/debian-edu-config/tools/gosa-remove
- share/debian-edu-config/tools/gosa-sync
- share/debian-edu-config/tools/kerberos-kdc-init


Changes:

=====================================
cf3/cf.samba
=====================================
@@ -11,7 +11,7 @@ files:
 
     "$(usershares_file)"
       create => "true",
-      perms => mog("1770","root","sambashare");
+      perms => mog("1770","root","students");
 
     "/etc/samba/smb.conf"
       link_from => ln_s("/etc/samba/smb-debian-edu.conf"),
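Review bot: mog("1770","root","students") now depends on the 'students' group being resolvable through NSS/LDAP on the host at the time cfengine runs; if the promise is evaluated before LDAP lookups work, the perms promise is not kept. A short comment here saying that 'students' is the LDAP group bootstrapped in ldap-bootstrap/gosa.ldif (not a local system group like 'sambashare' was) would make that dependency visible. Keeping mode 1770 with the sticky bit is the right choice for a group this broad, since each user can then only remove their own usershare definition files.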


=====================================
debian/changelog
=====================================
@@ -1,3 +1,35 @@
+debian-edu-config (2.11.33) UNRELEASED; urgency=medium
+
+  * Don't mix LDAP and system groups to enable Samba usershares, use the already
+    existing LDAP group 'students'. Thanks to Mike Gabriel for the hint.
+    Adjust related files and configuration:
+    - ldap-bootstrap/gosa.ldif: Add the first user to the 'students' group. This
+      way all users belonging to the 'teachers' group will also be 'students'.
+    - cf3/cf.samba: Use 'students' instead of 'sambashare' for the group
+      ownership of the /var/lib/samba/usershares/ directory.
+      (Running 'chown root:teachers /var/lib/samba/usershares' would disable
+      usershares for 'students'; this needs to be documented in the manual.)
+    - Drop code used to add sambashare group membership from:
+      + share/debian-edu-config/tools/kerberos-kdc-init,
+      + share/debian-edu-config/tools/edu-ldap-from-scratch,
+      + share/debian-edu-config/tools/gosa-create and
+      + share/debian-edu-config/tools/gosa-sync.
+  * Remove Samba account along with POSIX account removal:
+    - Adjust share/debian-edu-config/tools/gosa-remove.
+  * Improve order of entries and comments in Samba related files:
+    - Adjust etc/samba/smb-debian-edu.conf and
+      share/debian-edu-config/smb.conf.edu-site.
+  * Cleanup files from no longer needed Samba related entries:
+    - ldap-bootstrap/netgroup.ldif,
+    - ldap-bootstrap/root.ldif,
+    - ldap-bootstrap/gosa.ldif and
+    - share/debian-edu-config/gosa.conf.template
+  * debian/control: Move libpam-python from Recommends to Suggests (until the
+    package has been ported to Python3) to fix the src:debian-edu autopkgtest.
+    See bug #967194 for details.
+
+ -- Wolfgang Schweer <wschweer at arcor.de>  Thu, 22 Oct 2020 10:07:49 +0200
+
 debian-edu-config (2.11.32) unstable; urgency=medium
 
   [ Mike Gabriel ]
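Review bot: the trailer timestamp 'Thu, 22 Oct 2020 10:07:49 +0200' predates the commits it describes (24 Oct); harmless while the entry is UNRELEASED, but refresh it on release. ldap-bootstrap/gosa.ldif is listed both under the first bullet (adding the first user to 'students') and under the 'Cleanup' bullet; that is two distinct changes, but a reader skims it as a duplicate, so the second mention could say "(Samba entries)". The parenthetical "this needs to be documented in the manual" should be tracked somewhere so it is not lost once the entry is released.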


=====================================
debian/control
=====================================
@@ -62,11 +62,11 @@ Depends: ${misc:Depends},
          wget,
 Recommends: binutils,
             libnotify-bin,
-            libpam-python,
             lsof,
             memtest86+,
             resolvconf,
-            syslinux
+            syslinux,
+Suggests: libpam-python,
 Description: Configuration files for Debian Edu (Skolelinux) systems
  Installs cfengine config files to be used by the machines set up as part
  of the Debian Edu (Skolelinux) network. Debian Edu is a Debian Pure Blend.
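Review bot: the commit message says "Raise this back to Depends", but the hunk moves libpam-python from Recommends to Suggests; the message should say Recommends so the intended restoration is clear. The trailing comma on 'syslinux,' and 'libpam-python,' matches the existing 'wget,' style in this file, so no issue there.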


=====================================
etc/samba/smb-debian-edu.conf
=====================================
@@ -1,7 +1,15 @@
 #
-# Debian Edu specific configuration file for the Samba suite.
-#
-#
+# Debian Edu specific configuration file for the Samba suite,
+# based upon the default smb.conf file for the Bullseye release.
+
+# Wolfgang Schweer <wschweer at arcor.de>
+# Last edited: 2020-10-21
+
+# NOTE: Don't edit this file. If you want to change settings, copy
+# /usr/share/debian-edu-config/smb.conf.edu-site to the /etc/samba dir.
+# All entries in /etc/samba/smb.conf.edu-site will override the
+# settings found in this file.
+
 # This is the main Samba configuration file. You should read the
 # smb.conf(5) manual page in order to understand the options listed
 # here. Samba has a huge number of configurable options most of which
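Review bot: the hand-maintained "Last edited: 2020-10-21" line goes stale with the next edit, and git already records that; dropping it avoids a misleading date. The NOTE correctly points sites at copying smb.conf.edu-site into /etc/samba, which is consistent with the include line further down in this file.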
@@ -14,10 +22,33 @@
 #  - When commented with "#", the proposed setting is the default
 #    behaviour of Samba but the option is considered important
 #    enough to be mentioned here.
-#
-# NOTE: Whenever you modify this file you should run the command
-# "testparm" to check that you have not made any basic syntactic
-# errors.
+
+#======================= Share Definitions =======================
+# NOTE: [homes] appears before [global] to allow the override file
+# take effect
+
+[homes]
+   comment = Home Directories
+   browseable = no
+
+# By default, the home directories are exported read-only. Change the
+# next parameter to 'no' if you want to be able to write to them.
+   read only = yes
+
+# File creation mask is set to 0700 for security reasons. If you want to
+# create files with group=rw permissions, set next parameter to 0775.
+   create mask = 0700
+
+# Directory creation mask is set to 0700 for security reasons. If you want to
+# create dirs. with group=rw permissions, set next parameter to 0775.
+   directory mask = 0700
+
+# By default, \\server\username shares can be connected to by anyone
+# with access to the samba server.
+# The following parameter makes sure that only "username" can connect
+# to \\server\username
+# This might need tweaking when using external authentication schemes
+   valid users = %S
 
 #======================= Global Settings =======================
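Review bot: the comment "to allow the override file take effect" is missing a word; it should read "to allow the override file to take effect". Moving [homes] ahead of [global] works because Samba merges a later [homes] section (as found in the included smb.conf.edu-site) into the one already defined, so the site file's values win; stating that explicitly in the NOTE would help the next person who wonders why the section order looks unusual.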
 
@@ -71,21 +102,22 @@
 # running "samba-tool domain provision" to wipe databases and create a
 # new domain.
    server role = standalone server
-
+   server string = Debian Edu Samba server (version: %v, protocol: %R)
    obey pam restrictions = yes
 
 # This boolean parameter controls whether Samba attempts to sync the Unix
 # password with the SMB password when the encrypted SMB password in the
 # passdb is changed.
+# NOTE: For Debian Edu, this is set to 'no' (sync happens via GOsa²).
    unix password sync = no
 
 # This option controls how unsuccessful authentication attempts are mapped
 # to anonymous connections
    map to guest = bad user
 
-############ Printing ############
+############ Debian Edu specific printing ############
 
-# Disable sharing of printers (Windows clients can use CUPS via IPP)
+# Disable sharing of printers (All clients can use CUPS via IPP)
 #
     load printers = no
     printing = bsd
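Review bot: 'server string = Debian Edu Samba server (version: %v, protocol: %R)' exposes the exact Samba version to any client that can reach the server before authentication, since the server string is shown in browse lists and to unauthenticated sessions; consider dropping %v and keeping only the protocol substitution unless the version is wanted there. The added NOTE on 'unix password sync = no' pointing to GOsa² is helpful.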
@@ -110,35 +142,8 @@
    usershare allow guests = yes
 # but only if they own the file
    usershare owner only = yes
-# also, enforce settings via template
-   usershare template share = template
 
-# Give sites the option to add custom configuration directives
+# Give sites the option to add / change configuration directives
 # in the dedicated /etc/samba/smb.conf.edu-site file.
 #
    include = /etc/samba/smb.conf.edu-site
-
-#======================= Share Definitions =======================
-
-[homes]
-   comment = Home Directories
-   browseable = no
-
-# By default, the home directories are exported read-only. Change the
-# next parameter to 'no' if you want to be able to write to them.
-   read only = yes
-
-# File creation mask is set to 0700 for security reasons. If you want to
-# create files with group=rw permissions, set next parameter to 0775.
-   create mask = 0700
-
-# Directory creation mask is set to 0700 for security reasons. If you want to
-# create dirs. with group=rw permissions, set next parameter to 0775.
-   directory mask = 0700
-
-# By default, \\server\username shares can be connected to by anyone
-# with access to the samba server.
-# The following parameter makes sure that only "username" can connect
-# to \\server\username
-# This might need tweaking when using external authentication schemes
-   valid users = %S
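Review bot: 'usershare template share = template' is removed from the base file here and reappears only as a commented-out line in smb.conf.edu-site, so a site that relied on the template being enforced silently loses it on upgrade; this deserves a mention in the changelog or the manual. The reworded comment "add / change configuration directives" matches the new override behaviour.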


=====================================
ldap-bootstrap/gosa.ldif
=====================================
@@ -97,7 +97,7 @@ cn: admin-role
 dn: cn=jradmin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: gosaRole
-gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,users/sambaAccount;r,groups/group;cmdr#description;w#memberUid;rw
+gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,groups/group;cmdr#description;w#memberUid;rw
 description: limited administrative permissions
 cn: jradmin-role
 
@@ -167,6 +167,7 @@ description: group of all students
 gidNumber: 10004
 memberUid: newstudent
 memberUid: newteacher
+memberUid: $FIRSTUSERNAME
 
 ## predefine template newstudent:
 dn: uid=newstudent,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
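Review bot: adding 'memberUid: $FIRSTUSERNAME' makes the first user a member of 'students' in the POSIX sense, so anything keyed on that group, not only usershares, now applies to the first user. The commit message says all 'teachers' members will also be in 'students', but this hunk only covers the first user; where later teachers get 'students' membership is not visible here, so a comment pointing to that mechanism would help.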


=====================================
ldap-bootstrap/netgroup.ldif
=====================================
@@ -15,12 +15,6 @@ objectClass: nisNetgroup
 description: All workstations
 cn: workstation-hosts
 
-dn: cn=winstation-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
-objectClass: top
-objectClass: nisNetgroup
-description: All MS Windows workstations
-cn: winstation-hosts
-
 dn: cn=ltsp-server-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: nisNetgroup
@@ -44,7 +38,6 @@ memberNisNetgroup: ltsp-server-hosts
 memberNisNetgroup: printer-hosts
 memberNisNetgroup: server-hosts
 memberNisNetgroup: workstation-hosts
-memberNisNetgroup: winstation-hosts
 
 dn: cn=shutdown-at-night-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
 objectClass: top
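Review bot: removing 'winstation-hosts' and its memberNisNetgroup reference keeps the bootstrap consistent, but it only affects new installations; existing sites keep the netgroup in LDAP. Grep the rest of the tree for 'winstation' so no access rule or cfengine promise still refers to a netgroup that new installations no longer have.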


=====================================
ldap-bootstrap/root.ldif
=====================================
@@ -29,7 +29,7 @@ dc: skole
 ou: skole
 o: skole.skolelinux.no
 labeledURI: https://www/ LDAP for Debian Edu/Skolelinux
-gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r,users/sambaAccount;#AllowLoginOnTerminalServer;r#InheritClientConfig;r#sambaKickoffTime;r#enforcePasswordChange;r#cannotChangePassword;r#noPasswordRequired;r#passwordNeverExpires;r#temporaryDisabled;r#sambaLogonHours;r#sambaUserWorkstations;r
+gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
 gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r
 gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw
 gosaAclEntry: 3:role:$ADMINROLEDN64:
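Review bot: the gosaAclEntry for $GOSAADMINSDN64 is a single long line, so the diff cannot show that only the 'users/sambaAccount;...' clause was dropped; the visible prefix up to 'accessTo;r' is identical, which is reassuring, but it is worth double-checking the line against the original when reviewing. LDIF allows folding continuation lines with a leading space, which would make future diffs of this entry readable.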
@@ -62,11 +62,6 @@ dn: ou=printers,ou=systems,dc=skole,dc=skolelinux,dc=no
 objectClass: organizationalUnit
 ou: printers
 
-dn: ou=winstations,ou=systems,dc=skole,dc=skolelinux,dc=no
-objectClass: top
-objectClass: organizationalUnit
-ou: winstations
-
 dn: ou=group,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: organizationalUnit
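Review bot: deleting 'ou=winstations' from the bootstrap LDIF does not remove the subtree on existing installations; if it should disappear on upgrade, a migration step or a note in the manual is needed, otherwise old and new sites will differ in their LDAP layout.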


=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -37,7 +37,7 @@
 
       <!-- This long ACL list is required to exclude the users menu entry when only 
             'viewFaxEntries' permissions are set -->
-      <plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/sambaAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware" 
+      <plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware"
               class="userManagement" />
       <plugin acl="groups" class="groupManagement" />
       <plugin acl="roles" class="roleManagement" />
@@ -74,7 +74,7 @@
 
   <!-- These entries will be rendered on the path navigator -->
   <pathMenu>
-      <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
+      <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
       <plugin acl="users/password:self" class="password"
               postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync '%dn'"
               postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user '%dn'"
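Review bot: the first hunk also trims the trailing whitespace after the closing quote, which is fine. The second hunk keeps the stray spaces already present after 'users/intranetAccount:self,' and 'users/groupware,'; since the line is being touched anyway, removing them would keep the two acl lists consistent.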


=====================================
share/debian-edu-config/smb.conf.edu-site
=====================================
@@ -1,5 +1,22 @@
-# Please note that settings put in here override those in smb-debian-edu.conf
+### Please note that settings put in here override those in smb-debian-edu.conf ###
+
+# NOTE: Whenever you modify this file you should run the command
+# 'testparm' to check that you have not made any basic syntactic
+# errors.
+
+[global]
 # Uncomment to allow Samba network browsing.
 # Easier for users if usershares are used, but potentially insecure!
-
 ;   server min protocol = NT1
+
+# For usershares it is possible to enforce settings via a template file.
+# The template file needs to be generated, see 'man net' for details.
+;   usershare template share = template
+
+[homes]
+# Uncomment if home directories should be writable.
+;   writable = yes
+
+# Uncomment to use other than default (0700 in both cases) permissions
+;   create mask = 0644
+;   directory mask = 0755
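Review bot: the explicit [global] header before 'server min protocol = NT1' is needed now that this file also carries a [homes] section; without it, uncommented lines would land in whatever section is open at the include point. 'server min protocol = NT1' re-enables SMB1, which the comment already flags as potentially insecure, so keeping it commented by default is right. The 'testparm' NOTE moved here from smb-debian-edu.conf is the right place for it, since this is the file sites actually edit.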


=====================================
share/debian-edu-config/tools/edu-ldap-from-scratch
=====================================
@@ -42,10 +42,6 @@ if [ -d /skole/tjener/home0/"$1" ] ; then
     rm -rf /skole/tjener/home0/"$1"
 fi
 
-# rm Samba related stuff
-if id $1 | grep -q sambashare ; then
-    gpasswd -d $1 sambashare
-fi
 if pdbedit -L -v $1 >/dev/null 2>&1 ; then
     pdbedit -x $1
 fi
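Review bot: the remaining pdbedit calls use an unquoted $1, while the rm -rf line above quotes it; quoting "$1" here too avoids word splitting on unusual usernames. Dropping the gpasswd -d step is safe only because the other commits in this push remove every place that added 'sambashare' membership.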


=====================================
share/debian-edu-config/tools/gosa-create
=====================================
@@ -45,8 +45,6 @@ while read KEY VALUE ; do
             chown -R $USERID:$GROUPID $HOMEDIR
             kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
             logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
-            usermod -a -G sambashare $USERID
-            logger -t gosa-create -p notice added \'$USERID\' to group sambashare.
 ## send a welcome-email:
             cat << EOF | /usr/lib/sendmail $USERID
 Subject: Welcome to the mail-system
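Review bot: with the usermod step gone, gosa-create no longer touches Samba at all; the Samba account is now created by gosa-sync only after a successful Kerberos password change. Confirm that a freshly created user always goes through gosa-sync before their first SMB login, otherwise they have a POSIX and Kerberos account but no Samba account until their password is set.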


=====================================
share/debian-edu-config/tools/gosa-remove
=====================================
@@ -38,7 +38,7 @@ if [ -d /var/mail/$USERID ]; then
 	rmdir /var/mail/$USERID
 fi
 
-## rename home directory and delete principal:
+## rename home directory, delete principal and samba account:
 HOME=`dirname $HOMEDIR`
 RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
 mv $HOMEDIR $RM_HOMEDIR
@@ -47,7 +47,8 @@ chown root:root $RM_HOMEDIR
 chmod go-rwx $RM_HOMEDIR
 
 kadmin.local -q "delete_principal $USERID"
-logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed.
+pdbedit -x -u $USERID > /dev/null
+logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion, samba account and principal \'$USERID\' removed.
 
 for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do
     RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"`
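Review bot: 'pdbedit -x -u $USERID > /dev/null' discards stdout but neither stderr nor the exit status, so when the user has no Samba account (for example never synced) pdbedit prints an error and the logger line still reports "samba account and principal ... removed". Guard it the way edu-ldap-from-scratch does, and quote the variable:
`if pdbedit -L -v "$USERID" >/dev/null 2>&1 ; then pdbedit -x -u "$USERID" ; fi`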


=====================================
share/debian-edu-config/tools/gosa-sync
=====================================
@@ -44,16 +44,17 @@ IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
 
 # Escapes " because kadmin needs to use double quotes:
 EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\\\"/g')"
+SAMBAPASSWORD=$EUSERPASSWORD
 
 if [ "$IAM" = "dn:$USERDN" ] ; then
-	(echo $TMPFILE; echo $TMPFILE) | smbpasswd -a -s $USERID
-	logger -t gosa-sync -p notice "Sucessfully added Samba acount for '$USERID'."
     cat > "$TMPFILE" <<EOF
 change_password -pw "$EUSERPASSWORD" $USERID
 EOF
 	RET=$((cat "$TMPFILE" | kadmin.local 1> /dev/null) 2>&1)
 	if [ -z "$RET" ] ; then
 		logger -t gosa-sync -p notice "Sucessfully changed kerberos password for '$USERID'."
+		(echo $SAMBAPASSWORD; echo $SAMBAPASSWORD) | smbpasswd -a -s $USERID
+		logger -t gosa-sync -p notice "Sucessfully added Samba acount for '$USERID'."
 	else
 		logger -t gosa-sync -p warning "$RET"
 		echo "$RET"
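Review bot: SAMBAPASSWORD=$EUSERPASSWORD copies the kadmin-escaped value, so a password containing a double quote is stored in Samba as \" rather than " and the user cannot log in with it. The Samba password needs the unescaped contents of "$TMPFILE", captured before the file is overwritten with the change_password command, since by the time smbpasswd runs the file no longer holds the password. 'echo $SAMBAPASSWORD' is also unquoted, so a password with spaces or glob characters is word-split and expanded; use printf '%s\n' "$SAMBAPASSWORD" for both lines. Running smbpasswd only after the Kerberos change succeeded is an improvement over the old lines, which fed the temp file name rather than the password to smbpasswd. The logger strings still read 'Sucessfully' and 'acount'.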


=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -262,7 +262,6 @@ firstuser_post() {
 firstuser_samba() {
     echo "Adding Samba account for '$FIRSTUSERNAME'"
     (echo $FIRSTUSERPWD; echo $FIRSTUSERPWD) | smbpasswd -a -s $FIRSTUSERNAME
-    gpasswd -a $FIRSTUSERNAME sambashare > /dev/null
 }
 
 ## check if there is no kdc yet:
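Review bot: with 'gpasswd -a' removed, the first user's usershare access now rests entirely on the 'memberUid: $FIRSTUSERNAME' line added to ldap-bootstrap/gosa.ldif; a comment in firstuser_samba pointing there would make the dependency visible. Passing the password through echo in a subshell keeps it out of the process list, but the unquoted $FIRSTUSERPWD is still subject to word splitting; printf '%s\n' "$FIRSTUSERPWD" is safer.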



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/5f5962df7e337b07aed2ff34bfca2fbd07a5d127...43cfacd358939eefbcb5dc308f5be79e9a5b3e64
