[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 8 commits: Adjust cf3/cf.samba
Wolfgang Schweer
gitlab at salsa.debian.org
Sat Oct 24 21:59:26 BST 2020
Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
e962b218 by Wolfgang Schweer at 2020-10-24T22:30:53+02:00
Adjust cf3/cf.samba
Use 'students' instead of 'sambashare' for the group ownership of the
/var/lib/samba/usershares/ directory.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
ae2e4d5b by Wolfgang Schweer at 2020-10-24T22:36:05+02:00
Drop code used to add sambashare group membership from various files
share/debian-edu-config/tools/kerberos-kdc-init
share/debian-edu-config/tools/edu-ldap-from-scratch
share/debian-edu-config/tools/gosa-create
share/debian-edu-config/tools/gosa-sync
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
a6aac01b by Wolfgang Schweer at 2020-10-24T22:39:01+02:00
Remove Samba account along with POSIX account removal
Adjust share/debian-edu-config/tools/gosa-remove.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
92ab819c by Wolfgang Schweer at 2020-10-24T22:41:45+02:00
Improve order of entries and comments in Samba related files
Adjust etc/samba/smb-debian-edu.conf and share/debian-edu-config/smb.conf.edu-site
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
4e23301d by Wolfgang Schweer at 2020-10-24T22:47:20+02:00
ldap-bootstrap/gosa.ldif: Add the first user to the 'students' group
This way all users belonging to the 'teachers' group will also be members of the
'students' group.
Also clean up the file from Samba related entries.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
a2644f72 by Wolfgang Schweer at 2020-10-24T22:51:10+02:00
Clean up files from no longer needed Samba related entries
ldap-bootstrap/netgroup.ldif
ldap-bootstrap/root.ldif
share/debian-edu-config/gosa.conf.template
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
a11e722f by Wolfgang Schweer at 2020-10-24T22:53:25+02:00
debian/control: Move libpam-python from Recommends to Suggests
Raise this back to Depends once the libpam-python package has been ported to
Python 3.
Hopefully this change will fix the src:debian-edu autopkgtest; see bug #967194
for details.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
43cfacd3 by Wolfgang Schweer at 2020-10-24T22:56:44+02:00
Add changelog entries for last commits
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
14 changed files:
- cf3/cf.samba
- debian/changelog
- debian/control
- etc/samba/smb-debian-edu.conf
- ldap-bootstrap/gosa.ldif
- ldap-bootstrap/netgroup.ldif
- ldap-bootstrap/root.ldif
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/smb.conf.edu-site
- share/debian-edu-config/tools/edu-ldap-from-scratch
- share/debian-edu-config/tools/gosa-create
- share/debian-edu-config/tools/gosa-remove
- share/debian-edu-config/tools/gosa-sync
- share/debian-edu-config/tools/kerberos-kdc-init
Changes:
=====================================
cf3/cf.samba
=====================================
@@ -11,7 +11,7 @@ files:
"$(usershares_file)"
create => "true",
- perms => mog("1770","root","sambashare");
+ perms => mog("1770","root","students");
"/etc/samba/smb.conf"
link_from => ln_s("/etc/samba/smb-debian-edu.conf"),
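Review bot: 'students' is an LDAP group, whereas the old 'sambashare' was a local system group, so this perms promise now depends on NSS being able to resolve LDAP groups at the moment cfengine runs; on a host where LDAP is unreachable or not yet configured, mog("1770","root","students") cannot resolve the group and the promise is not kept. Please document that ordering requirement or add a guard. Also worth stating in the comment: mode 1770 lets every member of 'students' (which, after this series, includes the first user and teachers created from the template) create entries under /var/lib/samba/usershares/, with the sticky bit preventing them from removing each other's definitions.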
=====================================
debian/changelog
=====================================
@@ -1,3 +1,35 @@
+debian-edu-config (2.11.33) UNRELEASED; urgency=medium
+
+ * Don't mix LDAP and system groups to enable Samba usershares, use the already
+ existing LDAP group 'students'. Thanks to Mike Gabriel for the hint.
+ Adjust related files and configuration:
+ - ldap-bootstrap/gosa.ldif: Add the first user to the 'students' group. This
+ way all users belonging to the 'teachers' group will also be 'students'.
+ - cf3/cf.samba: Use 'students' instead of 'sambashare' for the group
+ ownership of the /var/lib/samba/usershares/ directory.
+ (Running 'chown root:teachers /var/lib/samba/usershares' would disable
+ usershares for 'students'; this needs to be documented in the manual.)
+ - Drop code used to add sambashare group membership from:
+ + share/debian-edu-config/tools/kerberos-kdc-init,
+ + share/debian-edu-config/tools/edu-ldap-from-scratch,
+ + share/debian-edu-config/tools/gosa-create and
+ + share/debian-edu-config/tools/gosa-sync.
+ * Remove Samba account along with POSIX account removal:
+ - Adjust share/debian-edu-config/tools/gosa-remove.
+ * Improve order of entries and comments in Samba related files:
+ - Adjust etc/samba/smb-debian-edu.conf and
+ share/debian-edu-config/smb.conf.edu-site.
+ * Cleanup files from no longer needed Samba related entries:
+ - ldap-bootstrap/netgroup.ldif,
+ - ldap-bootstrap/root.ldif,
+ - ldap-bootstrap/gosa.ldif and
+ - share/debian-edu-config/gosa.conf.template
+ * debian/control: Move libpam-python from Recommends to Suggests (until the
+ package has been ported to Python3) to fix the src:debian-edu autopkgtest.
+ See bug #967194 for details.
+
+ -- Wolfgang Schweer <wschweer at arcor.de> Thu, 22 Oct 2020 10:07:49 +0200
+
debian-edu-config (2.11.32) unstable; urgency=medium
[ Mike Gabriel ]
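Review bot: the parenthetical under the cf3/cf.samba bullet leaves an open TODO ('this needs to be documented in the manual') in the released changelog text; either add the manual note in this series or track it in a bug and reference it here, so the warning that 'chown root:teachers /var/lib/samba/usershares' silently disables usershares for students does not get lost. Minor: 'Cleanup files' should read 'Clean up files', and 'Python3' is written 'Python 3' in the corresponding commit message.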
=====================================
debian/control
=====================================
@@ -62,11 +62,11 @@ Depends: ${misc:Depends},
wget,
Recommends: binutils,
libnotify-bin,
- libpam-python,
lsof,
memtest86+,
resolvconf,
- syslinux
+ syslinux,
+Suggests: libpam-python,
Description: Configuration files for Debian Edu (Skolelinux) systems
Installs cfengine config files to be used by the machines set up as part
of the Debian Edu (Skolelinux) network. Debian Edu is a Debian Pure Blend.
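Review bot: with libpam-python demoted to Suggests it will no longer be pulled in by a default install, so any PAM configuration this package deploys that references pam_python.so must tolerate the module being absent (Linux-PAM treats a module that cannot be loaded as failing unless the entry is marked optional). Please confirm that is handled. The hunk also leaves a trailing comma after 'syslinux,' at the end of Recommends, which dpkg tolerates but which is unusual; the last item is normally written without it.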
=====================================
etc/samba/smb-debian-edu.conf
=====================================
@@ -1,7 +1,15 @@
#
-# Debian Edu specific configuration file for the Samba suite.
-#
-#
+# Debian Edu specific configuration file for the Samba suite,
+# based upon the default smb.conf file for the Bullseye release.
+
+# Wolfgang Schweer <wschweer at arcor.de>
+# Last edited: 2020-10-21
+
+# NOTE: Don't edit this file. If you want to change settings, copy
+# /usr/share/debian-edu-config/smb.conf.edu-site to the /etc/samba dir.
+# All entries in /etc/samba/smb.conf.edu-site will override the
+# settings found in this file.
+
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
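Review bot: the 'Last edited: 2020-10-21' line is a hand-maintained date that git history already records and that will go stale on the next edit; suggest dropping it and keeping only the author line, or neither.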
@@ -14,10 +22,33 @@
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here.
-#
-# NOTE: Whenever you modify this file you should run the command
-# "testparm" to check that you have not made any basic syntactic
-# errors.
+
+#======================= Share Definitions =======================
+# NOTE: [homes] appears before [global] to allow the override file
+# take effect
+
+[homes]
+ comment = Home Directories
+ browseable = no
+
+# By default, the home directories are exported read-only. Change the
+# next parameter to 'no' if you want to be able to write to them.
+ read only = yes
+
+# File creation mask is set to 0700 for security reasons. If you want to
+# create files with group=rw permissions, set next parameter to 0775.
+ create mask = 0700
+
+# Directory creation mask is set to 0700 for security reasons. If you want to
+# create dirs. with group=rw permissions, set next parameter to 0775.
+ directory mask = 0700
+
+# By default, \\server\username shares can be connected to by anyone
+# with access to the samba server.
+# The following parameter makes sure that only "username" can connect
+# to \\server\username
+# This might need tweaking when using external authentication schemes
+ valid users = %S
#======================= Global Settings =======================
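Review bot: the comment 'to allow the override file take effect' should read 'to let the override file take effect', and it would help to say why the order matters: smb.conf is parsed sequentially, 'include' is processed where it appears (inside [global] in this file), and a later section with the same name re-opens it, so [homes] settings from /etc/samba/smb.conf.edu-site only win if this file's [homes] is parsed before the include, which is what the move achieves. Moving the testparm reminder to the site file is fine, but a one-line pointer here would still help admins who read this file first.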
@@ -71,21 +102,22 @@
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
-
+ server string = Debian Edu Samba server (version: %v, protocol: %R)
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
+# NOTE: For Debian Edu, this is set to 'no' (sync happens via GOsa²).
unix password sync = no
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
-############ Printing ############
+############ Debian Edu specific printing ############
-# Disable sharing of printers (Windows clients can use CUPS via IPP)
+# Disable sharing of printers (All clients can use CUPS via IPP)
#
load printers = no
printing = bsd
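Review bot: 'server string = Debian Edu Samba server (version: %v, protocol: %R)' publishes the exact Samba version to any client that can list the server, which makes version fingerprinting trivial. Unless the version is wanted for support reasons, drop %v and keep the descriptive text; %R (the negotiated protocol) is harmless.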
@@ -110,35 +142,8 @@
usershare allow guests = yes
# but only if they own the file
usershare owner only = yes
-# also, enforce settings via template
- usershare template share = template
-# Give sites the option to add custom configuration directives
+# Give sites the option to add / change configuration directives
# in the dedicated /etc/samba/smb.conf.edu-site file.
#
include = /etc/samba/smb.conf.edu-site
-
-#======================= Share Definitions =======================
-
-[homes]
- comment = Home Directories
- browseable = no
-
-# By default, the home directories are exported read-only. Change the
-# next parameter to 'no' if you want to be able to write to them.
- read only = yes
-
-# File creation mask is set to 0700 for security reasons. If you want to
-# create files with group=rw permissions, set next parameter to 0775.
- create mask = 0700
-
-# Directory creation mask is set to 0700 for security reasons. If you want to
-# create dirs. with group=rw permissions, set next parameter to 0775.
- directory mask = 0700
-
-# By default, \\server\username shares can be connected to by anyone
-# with access to the samba server.
-# The following parameter makes sure that only "username" can connect
-# to \\server\username
-# This might need tweaking when using external authentication schemes
- valid users = %S
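Review bot: dropping 'usershare template share = template' from the defaults removes the mechanism by which site-wide settings (masks, veto lists, forced user) were applied to every usershare, while 'usershare allow guests = yes' is kept, so a member of 'students' can now publish a directory with guest access and no template settings applying. If that is intended (the changelog does not mention it), say so there; otherwise keep the template as the default and let the site file disable it.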
=====================================
ldap-bootstrap/gosa.ldif
=====================================
@@ -97,7 +97,7 @@ cn: admin-role
dn: cn=jradmin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: gosaRole
-gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,users/sambaAccount;r,groups/group;cmdr#description;w#memberUid;rw
+gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,groups/group;cmdr#description;w#memberUid;rw
description: limited administrative permissions
cn: jradmin-role
@@ -167,6 +167,7 @@ description: group of all students
gidNumber: 10004
memberUid: newstudent
memberUid: newteacher
+memberUid: $FIRSTUSERNAME
## predefine template newstudent:
dn: uid=newstudent,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
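Review bot: adding memberUid: $FIRSTUSERNAME puts the first (administrative) user into 'students', so every permission keyed on that group, including the new root:students ownership of /var/lib/samba/usershares/, is now granted to the admin account too; please confirm that is intended. Since this is a bootstrap LDIF, existing installations will not receive the membership change; the upgrade notes or the manual should say how to add existing teachers to 'students' by hand.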
=====================================
ldap-bootstrap/netgroup.ldif
=====================================
@@ -15,12 +15,6 @@ objectClass: nisNetgroup
description: All workstations
cn: workstation-hosts
-dn: cn=winstation-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
-objectClass: top
-objectClass: nisNetgroup
-description: All MS Windows workstations
-cn: winstation-hosts
-
dn: cn=ltsp-server-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
@@ -44,7 +38,6 @@ memberNisNetgroup: ltsp-server-hosts
memberNisNetgroup: printer-hosts
memberNisNetgroup: server-hosts
memberNisNetgroup: workstation-hosts
-memberNisNetgroup: winstation-hosts
dn: cn=shutdown-at-night-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
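Review bot: before removing winstation-hosts from the member list, grep cf3/, the tools and the manual for remaining references to the netgroup, since a reference to a netgroup that no longer exists simply matches no host. As with the other bootstrap LDIFs, existing sites keep the entry; a changelog sentence saying it is harmless to leave it would save questions.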
=====================================
ldap-bootstrap/root.ldif
=====================================
@@ -29,7 +29,7 @@ dc: skole
ou: skole
o: skole.skolelinux.no
labeledURI: https://www/ LDAP for Debian Edu/Skolelinux
-gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r,users/sambaAccount;#AllowLoginOnTerminalServer;r#InheritClientConfig;r#sambaKickoffTime;r#enforcePasswordChange;r#cannotChangePassword;r#noPasswordRequired;r#passwordNeverExpires;r#temporaryDisabled;r#sambaLogonHours;r#sambaUserWorkstations;r
+gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r
gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw
gosaAclEntry: 3:role:$ADMINROLEDN64:
@@ -62,11 +62,6 @@ dn: ou=printers,ou=systems,dc=skole,dc=skolelinux,dc=no
objectClass: organizationalUnit
ou: printers
-dn: ou=winstations,ou=systems,dc=skole,dc=skolelinux,dc=no
-objectClass: top
-objectClass: organizationalUnit
-ou: winstations
-
dn: ou=group,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -37,7 +37,7 @@
<!-- This long ACL list is required to exclude the users menu entry when only
'viewFaxEntries' permissions are set -->
- <plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/sambaAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware"
+ <plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware"
class="userManagement" />
<plugin acl="groups" class="groupManagement" />
<plugin acl="roles" class="roleManagement" />
@@ -74,7 +74,7 @@
<!-- These entries will be rendered on the path navigator -->
<pathMenu>
- <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
+ <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
<plugin acl="users/password:self" class="password"
postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync '%dn'"
postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user '%dn'"
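Review bot: while editing this ACL list, also remove the stray spaces after the commas in ', users/webdavAccount:self' and ', users/user:self'; the rest of the list has none, the first hunk in this file is already clean, and whether GOsa² trims whitespace in acl= values is not obvious from here.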
=====================================
share/debian-edu-config/smb.conf.edu-site
=====================================
@@ -1,5 +1,22 @@
-# Please note that settings put in here override those in smb-debian-edu.conf
+### Please note that settings put in here override those in smb-debian-edu.conf ###
+
+# NOTE: Whenever you modify this file you should run the command
+# 'testparm' to check that you have not made any basic syntactic
+# errors.
+
+[global]
# Uncomment to allow Samba network browsing.
# Easier for users if usershares are used, but potentially insecure!
-
; server min protocol = NT1
+
+# For usershares it is possible to enforce settings via a template file.
+# The template file needs to be generated, see 'man net' for details.
+; usershare template share = template
+
+[homes]
+# Uncomment if home directories should be writable.
+; writable = yes
+
+# Uncomment to use other than default (0700 in both cases) permissions
+; create mask = 0644
+; directory mask = 0755
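Review bot: the comment above '; server min protocol = NT1' says 'potentially insecure' but not why: lowering the minimum protocol to NT1 re-enables SMB1, which current Samba disables by default and which lacks the signing and encryption protections of SMB2/3; spell that out, since 'network browsing' sounds harmless to an admin reading the file. For the [homes] examples, 'writable = yes' is the inverse of the main file's 'read only = yes'; saying so explicitly avoids confusion when testparm shows 'read only = No'.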
=====================================
share/debian-edu-config/tools/edu-ldap-from-scratch
=====================================
@@ -42,10 +42,6 @@ if [ -d /skole/tjener/home0/"$1" ] ; then
rm -rf /skole/tjener/home0/"$1"
fi
-# rm Samba related stuff
-if id $1 | grep -q sambashare ; then
- gpasswd -d $1 sambashare
-fi
if pdbedit -L -v $1 >/dev/null 2>&1 ; then
pdbedit -x $1
fi
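Review bot: the remaining pdbedit lines pass $1 unquoted while the rm -rf above quotes "$1"; quote it consistently.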
=====================================
share/debian-edu-config/tools/gosa-create
=====================================
@@ -45,8 +45,6 @@ while read KEY VALUE ; do
chown -R $USERID:$GROUPID $HOMEDIR
kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
- usermod -a -G sambashare $USERID
- logger -t gosa-create -p notice added \'$USERID\' to group sambashare.
## send a welcome-email:
cat << EOF | /usr/lib/sendmail $USERID
Subject: Welcome to the mail-system
=====================================
share/debian-edu-config/tools/gosa-remove
=====================================
@@ -38,7 +38,7 @@ if [ -d /var/mail/$USERID ]; then
rmdir /var/mail/$USERID
fi
-## rename home directory and delete principal:
+## rename home directory, delete principal and samba account:
HOME=`dirname $HOMEDIR`
RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
mv $HOMEDIR $RM_HOMEDIR
@@ -47,7 +47,8 @@ chown root:root $RM_HOMEDIR
chmod go-rwx $RM_HOMEDIR
kadmin.local -q "delete_principal $USERID"
-logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed.
+pdbedit -x -u $USERID > /dev/null
+logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion, samba account and principal \'$USERID\' removed.
for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do
RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"`
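Review bot: 'pdbedit -x -u $USERID > /dev/null' discards stdout but neither checks the exit status nor redirects stderr, and the logger line right after it reports the Samba account as removed regardless; for a user that never got a Samba account this logs a success while pdbedit prints an error to the terminal. Mirror the pattern in edu-ldap-from-scratch: test with 'pdbedit -L -v $USERID >/dev/null 2>&1' first, or check the return value and log a warning on failure. Quote "$USERID" as well.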
=====================================
share/debian-edu-config/tools/gosa-sync
=====================================
@@ -44,16 +44,17 @@ IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
# Escapes " because kadmin needs to use double quotes:
EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\\\"/g')"
+SAMBAPASSWORD=$EUSERPASSWORD
if [ "$IAM" = "dn:$USERDN" ] ; then
- (echo $TMPFILE; echo $TMPFILE) | smbpasswd -a -s $USERID
- logger -t gosa-sync -p notice "Sucessfully added Samba acount for '$USERID'."
cat > "$TMPFILE" <<EOF
change_password -pw "$EUSERPASSWORD" $USERID
EOF
RET=$((cat "$TMPFILE" | kadmin.local 1> /dev/null) 2>&1)
if [ -z "$RET" ] ; then
logger -t gosa-sync -p notice "Sucessfully changed kerberos password for '$USERID'."
+ (echo $SAMBAPASSWORD; echo $SAMBAPASSWORD) | smbpasswd -a -s $USERID
+ logger -t gosa-sync -p notice "Sucessfully added Samba acount for '$USERID'."
else
logger -t gosa-sync -p warning "$RET"
echo "$RET"
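Review bot: the old lines piped $TMPFILE, the temporary file's name, into smbpasswd, so the Samba password being set was the path rather than the user's password; the new lines correct that, but SAMBAPASSWORD is copied from EUSERPASSWORD, which has had each double quote escaped with a backslash for kadmin, so a password containing a double quote is stored in Samba with an extra backslash and will not match Kerberos. Take the Samba value from the unescaped content of $TMPFILE instead, and feed it with printf '%s\n' "$PW" "$PW" rather than unquoted echo, which word-splits, glob-expands and, under dash, interprets backslash sequences. Also 'Sucessfully' and 'acount' in the logger messages are misspelled.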
=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -262,7 +262,6 @@ firstuser_post() {
firstuser_samba() {
echo "Adding Samba account for '$FIRSTUSERNAME'"
(echo $FIRSTUSERPWD; echo $FIRSTUSERPWD) | smbpasswd -a -s $FIRSTUSERNAME
- gpasswd -a $FIRSTUSERNAME sambashare > /dev/null
}
## check if there is no kdc yet:
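Review bot: the retained line '(echo $FIRSTUSERPWD; echo $FIRSTUSERPWD) | smbpasswd -a -s $FIRSTUSERNAME' passes the password through unquoted echo, so a first-user password containing spaces, '*' or backslashes (dash's echo interprets escapes) would be set differently in Samba than in Kerberos; use printf '%s\n' "$FIRSTUSERPWD" "$FIRSTUSERPWD" instead. The same fix applies to the smbpasswd call in gosa-sync.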
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/5f5962df7e337b07aed2ff34bfca2fbd07a5d127...43cfacd358939eefbcb5dc308f5be79e9a5b3e64