[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 5 commits: debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of Debian-Edu_rootCA...
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Sun Jan 30 20:41:11 GMT 2022
Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config
Commits:
95a44839 by Mike Gabriel at 2022-01-30T20:26:57+01:00
debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of Debian-Edu_rootCA from this script. This now is the task of the fetch-rootca-cert script. (Closes: #971780).
- - - - -
88868764 by Mike Gabriel at 2022-01-30T20:38:51+01:00
debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlink is required, because earlier versions of the fetch-ldap-cert init script put Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced symlinking replaces files by the wanted symlink. The -n option (no-dereference) is required to make sure we don't follow any already existing symlink. (This relates to #971780).
- - - - -
015611ca by Mike Gabriel at 2022-01-30T20:43:42+01:00
ldap-bootstrap/netgroup.ldif: Add diskless-workstation-hosts NIS netgroup during LDAP bootstrap.
- - - - -
0e1df64b by Mike Gabriel at 2022-01-30T20:45:36+01:00
debian/debian-edu-config.{postinst,postrm}: Create non-privileged debian-edu system user account on Debian Edu mainserver (for distribution of host keytabs to diskless workstations aka LTSP fat clients).
- - - - -
4306f4d3 by Mike Gabriel at 2022-01-30T21:10:44+01:00
share/debian-edu-config/tools/: Add new update-dlw-krb5-keytabs script and call it (with delay) from gosa-modify-host hook script.
- - - - -
10 changed files:
- debian/changelog
- debian/debian-edu-config.fetch-ldap-cert
- debian/debian-edu-config.fetch-rootca-cert
- debian/debian-edu-config.postinst
- debian/debian-edu-config.postrm
- ldap-bootstrap/netgroup.ldif
- share/debian-edu-config/tools/gosa-create-host
- share/debian-edu-config/tools/gosa-modify-host
- share/debian-edu-config/tools/gosa-remove-host
- + share/debian-edu-config/tools/update-dlw-krb5-keytabs
Changes:
=====================================
debian/changelog
=====================================
@@ -21,6 +21,17 @@ debian-edu-config (2.12.16) UNRELEASED; urgency=medium
* README.public_html_with_PHP-CGI+suExec.md:
- Provide documentation on how to enable suExec support in https userdirs
(i.e. ~/public_html).
+ * debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
+ Debian-Edu_rootCA from this script. This now is the task of the
+ fetch-rootca-cert script. (Closes: #971780).
+ * debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of
+ Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to
+ Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlink is
+ required, because earlier versions of the fetch-ldap-cert init script put
+ Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced
+ symlinking replaces files by the wanted symlink. The -n option (no-
+ dereference) is required to make sure we don't follow any already existing
+ symlink. (This related to #971780).
-- Mike Gabriel <sunweaver at debian.org> Fri, 14 Jan 2022 22:21:27 +0100
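Review bot: the changelog hunk documents only the first two of the five commits in this push; the new diskless-workstation-hosts netgroup in ldap-bootstrap/netgroup.ldif, the debian-edu system user created in postinst and removed in postrm, the new update-dlw-krb5-keytabs script and the gosa-*-host hook changes all need entries as well. The fetch-rootca-cert entry also names the link target as "/etc/ssl/ca-certificates", while the script's own comment in that file says "/etc/ssl/certs/"; use the path the script actually writes. Minor wording: "(This related to #971780)" should read "(This relates to #971780)".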
=====================================
debian/debian-edu-config.fetch-ldap-cert
=====================================
@@ -16,14 +16,25 @@
#
# Author: Petter Reinholdtsen <pere at hungry.com>
# Date: 2007-06-09
+#
+# Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+# Date: 2022-01-06
+
+###
+### FIXME: Legacy init script for Debian Edu clients.
+###
+### --- Remove for Debian Edu bookworm+1 ---
+###
+### Warning: Removing this script will drop support for clients running
+### against Debian Edu main servers based on Debian Edu stretch and
+### earlier.
+###
set -e
. /lib/lsb/init-functions
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
do_start() {
@@ -33,7 +44,7 @@ do_start() {
ERROR=false
###
- ### PHASE 1: RootCA / bundle-cert / LDAP server cert retrieval
+ ### PHASE 1: LDAP server cert retrieval
###
if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
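Review bot: the unchanged condition on the last context line still tests "[ ! -f $ROOTCACRT ]", but the ROOTCACRT= definition is removed in the previous hunk, so the variable is empty here; with the unquoted empty expansion the test collapses to the two-argument form "[ ! -f ]", which is a negated non-empty-string test and evaluates to false, so the "||" leg never fires and the certificate is only fetched when $CERTFILE itself is missing. Either drop the $ROOTCACRT test from this condition or keep the variable defined if the script is still meant to react to a missing rootCA file.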
@@ -50,116 +61,21 @@ do_start() {
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
- # do an openssl connect to the LDAP server, and check whether its certificate
- # has been issued by the "Debian Edu RootCA", if not we are likely dealing with a
- # pre-Debian Edu 10 (aka buster) TJENER or with some other non-Debian-Edu LDAP
- # server.
- if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q "Debian Edu RootCA" ; then
-
- # Since Debian Edu 10, the LDAP certificate (or the RootCA file) is distributed
- # over http (always via the host serving www.intern, by default: TJENER)
- #
- # We do an availability check for the webserver first, to provide proper
- # error reporting (see below). So, the following check merely discovers,
- # if the webserver is online at all.
- if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
-
- # Now let's see if the webserver has the "Debian Edu RootCA" file.
- # This has been the case for Debian Edu main servers (TJENER) since
- # Debian Edu 10.1.
- if curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null && \
-
- grep -q CERTIFICATE $ROOTCACRT ; then
-
- # Obtained a RootCA-verified version of the LDAP server's server certificate.
- gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
- logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
-
- # If the host previously had got the BUNDLECERT file installed,
- # we make sure here to have it removed. From now on, the LTSP chroot
- # can operate on the ROOTCACRT file and the BUNDLECERT will never get
- # update anymore once the ROOTCACRT is available on www.intern.
- rm -f $BUNDLECRT
- else
-
- # If there is no Debian Edu RootCA available on www.intern, fallback to
- # debian-edu-bundle.crt download (an approach done by a Debian Edu 10.0
- # main server (aka TJENER) only and changed to RootCA provisioning in
- # in Debian Edu 10.1.
-
- # Drop the ROOTCACRT file, as it probably only contains some 404 http
- # error message in html.
- rm -f $ROOTCACRT
-
- # So, now let's see if the webserver has the "debian-edu-bundle.crt"
- # file. If so (and no Debian Edu RootCA file), then we are likely dealing
- # with a Debian Edu 10.0 main server.
- if curl -fk https://www.intern/debian-edu-bundle.crt 1> $BUNDLECRT 2>/dev/null && \
- grep -q CERTIFICATE $BUNDLECRT ; then
-
- # Obtained a self-verified version of the LDAP server's server certificate.
- # (The BUNDLECERT file should already contain the LDAP server's certificate,
- # so having this cert file should allow us to successfully and "verified'ly"
- # connect to the LDAP server and let us retrieve that very same certificate).
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
- logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
- else
-
- # We should never get here... If we do anyway, then something went
- # terribly wrong or the www.intern servicing server is misconfigured.
-
- # Drop the ROOTCACRT file, as it probably only contains some 404 http
- # error message in html.
- rm -f $BUNDLECRT
-
- logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
- fi
-
- fi
-
- else
-
- # Report an error, if www.intern is down http-wise. This can happen and is probably
- # a temporary problem that needs an admin to fix it.
- log_action_end_msg 1
- logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
- ERROR=true
-
- fi
-
- else
-
- # Fallback: Fetch LDAP certificate from a pre-Debian-Edu-10 (aka buster) LDAP server
- # (or some non-Debian-Edu LDAP server)
- /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
- chmod 644 $CERTFILE.new
- logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
+ # Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
+ /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
+ chmod 644 $CERTFILE.new
- # FIXME: Add some error handling here:
- # - LDAP server down
- # - what-not-else...
-
- fi
-
- # By now, we should have obtained the LDAP server's CERTFILE (verified in two cases (10.0 or 10.1 TJENER),
- # simply downloaded from the LDAP server itself in the third case (pre-10.0 TJENER)
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- if [ -f $BUNDLECRT ] || [ -f $ROOTCACRT ] ; then
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
- else
- logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
- fi
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
else
-
- # We obviously have failed in some other way, if the CERTFILE.new is empty (zero size)
- # Again, something went awfully wrong, if we end up here...
+ # We obviously have failed in some way if the CERTFILE.new is empty (zero size).
+ # Something went wrong, if we end up here...
rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
ERROR=true
-
fi
fi
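Review bot: replacing the whole retrieval block with "/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new" drops the verified path (gnutls-cli with --x509cafile $ROOTCACRT) and now always takes the server certificate straight from the LDAP server, i.e. trust on first use, which neither the new comment nor the log line "Fetched LDAP SSL certificate from $LDAPSERVER." makes explicit; if fetch-rootca-cert has already installed the rootCA, verify the downloaded certificate against it before the mv, and state in the comment that the unverified fetch is the legacy fallback. Separately, the script runs under "set -e", so a non-zero exit from ldap-server-getcert aborts it before the "test -s $CERTFILE.new" branch, meaning the log_action_end_msg 1 / ERROR=true path only covers an empty output file; the removed "# FIXME: Add some error handling here" comment was still accurate and should stay until that is handled.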
@@ -168,7 +84,7 @@ do_start() {
### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
###
- if [ -d /opt/ltsp ] ; then
+ if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
# Loop over all to be found LTSP chroots...
for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
@@ -195,58 +111,10 @@ do_start() {
fi
fi
- if [ ! -f $ltsp_chroot$ROOTCACRT ]; then
-
- if test -e $ROOTCACRT; then
-
- # If we retrieved it, we also copy the obtained ROOTCACRT into the LTSP chroot
- # (containing the self-built rootCA of the Debian Edu site).
- log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
- if test -s $ROOTCACRT; then
-
- # If the chroot previously had got the BUNDLECERT file installed,
- # we should make sure here to have it removed. From now on, the LTSP chroot
- # can operate on the ROOTCACRT file and the BUNDLECERT will never get
- # update anymore once the ROOTCACRT is available on www.intern.
- rm -f $ltsp_chroot$BUNDLECRT
- cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
- [ "$VERBOSE" != no ] && log_action_end_msg 0
-
- else
- log_action_end_msg 1
- ERROR=true
- fi
-
- fi
-
- fi
-
- if [ ! -f $ltsp_chroot$BUNDLECRT ] && [ ! -f $ltsp_chroot$ROOTCACRT ]; then
-
- if test -e $BUNDLECRT; then
- # If we talked to a Debian Edu 10.0 main server (aka TJENER) above, then we
- # don't have the ROOTCACRT. We copy the BUNDLECRT file into the LTSP chroot
- # instead (containing all certificates ever issued for the Debian Edu site).
- # This is just a fallback, in fact, we need the Debian Edu RootCA.
-
- # If you end up here, then please upgrade your Debian Edu 10.0 server to a
- # a newer version (Debian Edu 10.1 and beyond).
- log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
- if test -s $BUNDLECRT; then
- cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- else
- log_action_end_msg 1
- ERROR=true
- fi
- fi
-
- fi
-
done
fi
- if $ERROR; then
+ if [ "$ERROR" = "true" ]; then
return 1
fi
}
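Review bot: dropping the chroot copy of $ROOTCACRT and $BUNDLECRT also drops the "rm -f $ltsp_chroot$BUNDLECRT" cleanup, so a bundle or rootCA file that an earlier version placed under /opt/ltsp/*/etc/ssl/certs/ stays there and is never refreshed by this script again. If fetch-rootca-cert does not walk the LTSP chroots, add a one-time cleanup here or document that chroot CA files are now maintained elsewhere.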
@@ -263,4 +131,5 @@ case "$1" in
echo "Usage: $0 {start|stop|restart|force-reload}"
exit 2
esac
+
exit 0
=====================================
debian/debian-edu-config.fetch-rootca-cert
=====================================
@@ -53,7 +53,7 @@ do_start() {
if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
grep -q CERTIFICATE $LOCALCACRT ; then
# Make rootCA certificate available in /etc/ssl/certs/
- ln -s $LOCALCACRT $ROOTCACRT
+ ln -nsf $LOCALCACRT $ROOTCACRT
# Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
update-ca-certificates
logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -131,6 +131,24 @@ configure)
fi
fi
+ # On Debian Edu main servers create a debian-edu system user account with
+ # limit privileges for publishing host keytabs to diskless workstation (this
+ # is the initial use case. Further use cases might pop up later.
+ if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" /etc/debian-edu/config ; then
+ if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
+ echo 'Creating debian-edu user.' >&2
+ adduser --system --home '/var/lib/debian-edu' \
+ --disabled-password --shell '/bin/sh' \
+ --group 'debian-edu'
+ else
+ echo 'User debian-edu already exists.' >&2
+ # make sure all settings are appropriate
+ if [ "$(id -gn 'debian-edu')" != 'debian-edu' ]; then
+ usermod --gid 'debian-edu' 'debian-edu'
+ fi
+ fi
+ fi
+
# silence dovecot's message: if you have trouble with authentication failures,
# enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
# This message goes away after the first successful login.
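Review bot: the comment above the adduser call has a typo ("limit privileges" for "limited privileges") and an unclosed parenthesis in "(this is the initial use case. Further use cases might pop up later.". On the substance: the account gets --shell '/bin/sh' because the diskless clients fetch their keytab with scp, so this shared account is a real login on the main server; consider pairing it with an sshd_config "Match User debian-edu" block (internal-sftp or a forced command confined to the keytab directory) so that a leaked client key cannot be used for more than reading keytabs. The else branch only re-checks the primary group; if the shell or home directory matter for the use case, check and correct them the same way.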
=====================================
debian/debian-edu-config.postrm
=====================================
@@ -19,6 +19,11 @@ case "$1" in
fi
;;
purge)
+ # remove user/group debian-edu from system
+ getent passwd debian-edu 1>/dev/null && deluser debian-edu
+ getent group debian-edu 1>/dev/null && delgroup debian-edu
+ rm -Rf /var/lib/debian-edu
+
# Generated in the postinst
rm -f /etc/default/enable-nat
if [ ! -s /var/lib/dovecot/auth_success ] ; then
=====================================
ldap-bootstrap/netgroup.ldif
=====================================
@@ -15,6 +15,12 @@ objectClass: nisNetgroup
description: All workstations
cn: workstation-hosts
+dn: cn=diskless-workstation-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+description: All diskless workstations
+cn: diskless-workstation-hosts
+
dn: cn=ltsp-server-hosts,ou=netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
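Review bot: this only adds the netgroup to the bootstrap LDIF, so existing main servers upgraded to this version will have no cn=diskless-workstation-hosts entry and update-dlw-krb5-keytabs will stop at its "not found. Nothing to do." notice; the upgrade path needs either a postinst step that adds the entry to an existing LDAP tree or a release note telling admins to create it.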
=====================================
share/debian-edu-config/tools/gosa-create-host
=====================================
@@ -57,7 +57,16 @@ while read KEY VALUE ; do
esac
done
+# During creation of a host, we should ideally call update-dlw-krb5-keytabs
+# here already. However, it is not possible to add a NIS netgroup tab to a
+# GOsa² system before the system object (and the additional DNS bits) has/have
+# been created. So, calling the update-dlw-krb5-keytabs script
+# makes no sense here...
+
+# FIXME: And: it would be really helpful to have POST-action hooks available for
+# NIS netgroups... In case people don't edit hosts individually, but prefer
+# mass-adding hosts to the diskless-workstation-hosts NIS netgroup.
+
/usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
exit 0
-
=====================================
share/debian-edu-config/tools/gosa-modify-host
=====================================
@@ -21,6 +21,11 @@ if ! LANG=C kadmin.local -q "get_principal nfs/$HOST.intern" 2>/dev/null | grep
logger -t gosa-modify-host -p notice Krb5 service principal \'nfs/$HOST.intern\' created and added to host-specific keytab file.
fi
+# call DLW keytabs' update script (delay execution for 2s because GOsa² needs
+# to write the NIS netgroup information first (this hook gets called between
+# saving the host object to LDAP, but before updating the NIS netgroup settings).
+( sleep 2; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@} 1>/dev/null 2>/dev/null) &
+
# update services:
/usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
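Review bot: the backgrounded "( sleep 2; ... ) &" is a fixed-delay race with GOsa² writing the netgroup membership; under load or during mass edits the update can still run before the netgroup is written, and because both stdout and stderr go to /dev/null any failure is silent. Log the outcome (for example via logger -t gosa-modify-host) instead of discarding it, quote the argument list as "$@", and be aware that concurrent hook invocations for the same host each write ${DLW_KRB5_KEYTAB}.new in update-dlw-krb5-keytabs without any locking.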
=====================================
share/debian-edu-config/tools/gosa-remove-host
=====================================
@@ -24,4 +24,8 @@ fi
# update services:
/usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
+# Call DLW keytabs' update script for cleaning up
+# the DLW krb5 keytab collection for this host
+/usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@}
+
exit 0
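Review bot: calling update-dlw-krb5-keytabs after the host object is gone only cleans up the keytab if the host is still listed in the diskless-workstation-hosts netgroup: the script warns "Host ${1} not a diskless workstation" and skips hosts not found in DLW_HOSTS_NETGROUP, and exits early with "Nothing to do." when the netgroup is empty. If GOsa² drops the netgroup membership together with the host object, the keytab in /var/lib/debian-edu/dlw-keytabs is orphaned and stays readable by the debian-edu account. Either remove the host's keytab files directly here or give update-dlw-krb5-keytabs an explicit cleanup mode that does not require netgroup membership.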
=====================================
share/debian-edu-config/tools/update-dlw-krb5-keytabs
=====================================
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+set -e
+
+# Copyright (C) 2016 by Mike Gabriel <mike.gabriel at it-zukunft-schule.de>
+
+# This script is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This script updates the krb5 host keytabs for a list of given hosts
+# in /var/lib/debian-edu/dlw-keytabs for all hosts that are members
+# in the NIS netgroup 'diskless-workstation-hosts'.
+#
+# The host keytab files are stored with read permissions for the
+# debian-edu system user.
+#
+# In a diskless workstation chroot (aka LTSP fat client), make sure
+# that the diskless system can copy over its own host keytab file
+# via
+#
+# scp debian-edu at tjener.intern:/var/lib/debian-edu/dlw-keytabs/$HOSTNAME.keytab /etc/krb5.keytab
+#
+# This line can be put into /etc/rc.local, for exmample. SSH private
+# and public key files need to be in place correctly to make this
+# work.
+#
+# This provides the possibility to use NFSv4 and Kerberos krb5i
+# authentication from a diskless machine against the NFS server
+# on the Debian Edu mainserver.
+
+DOMAIN="intern"
+
+SPECIAL_USER="debian-edu"
+SPECIAL_GROUP="${SPECIAL_USER}"
+
+DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
+
+# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
+nscd -i netgroup
+DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+
+# Do some sanity checks...
+if [ "$(id -u)" != "0" ]; then
+ echo "ERROR: This script must be run as super-user root"
+ exit 1
+elif ! getent passwd ${SPECIALUSER} 1>/dev/null; then
+ echo "ERROR: This script requires the debian-edu system user account"
+ exit 1
+elif ! getent group ${SPECIAL_GROUP} 1>/dev/null; then
+ echo "ERROR: This script requires the debian-edu system group"
+ exit 1
+elif [ -z "${DLW_HOSTS_NETGROUP}" ]; then
+
+ # FIXME: differentiate between diskless-workstation-hosts not present or empty!
+
+ echo "NOTICE: NIS netgroup 'diskless-workstation-hosts' not found. Nothing to do."
+ exit 0
+fi
+
+DLW_HOSTS=""
+
+# obtain DLW_HOSTS from NIS Netgroup or from the command line
+if [ -z "${1}" ]; then
+ DLW_HOSTS="${DLW_HOSTS_NETGROUP}"
+else
+ logger -t update-dlw-krb5-keytabs -p notice "Called with command line: ${@}"
+
+ while [ -n "${1}" ]; do
+ if echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}.${DOMAIN}"; then
+ DLW_HOSTS="${DLW_HOSTS} ${1}.${DOMAIN}"
+ else
+ echo "WARNING: Host ${1} not a diskless workstation"
+ logger -t update-dlw-krb5-keytabs -p warning "Host '${1}' is not a diskless workstation."
+ fi
+ shift
+ done
+fi
+
+mkdir -p "${DLW_KRB5_KEYTABS_DIR}"
+chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTABS_DIR}"
+chmod 0710 "${DLW_KRB5_KEYTABS_DIR}"
+
+for dlw_host in ${DLW_HOSTS}; do
+
+ DLW_KRB5_KEYTAB="${DLW_KRB5_KEYTABS_DIR}/${dlw_host}.keytab"
+
+ host_found="false"
+ ldap_cn=$(echo ${dlw_host} | cut -d"." -f1)
+
+ ldap_host=""
+
+ while read KEY VALUE; do
+ case "$KEY" in
+ dn:)
+ ldap_host=""
+ ;;
+ cn:)
+ ldap_host="$VALUE"
+ if [ "${ldap_host}.${DOMAIN}" = "${dlw_host}" ]; then
+ host_found="true"
+ else
+ continue
+ fi
+
+ if LANG=C kadmin.local -q "get_principal host/${dlw_host}" 2>/dev/null | grep -q "^Principal: host/${dlw_host}@.*" &&
+ LANG=C kadmin.local -q "get_principal nfs/${dlw_host}" 2>/dev/null | grep -q "^Principal: nfs/${dlw_host}@.*" ; then
+
+ kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new host/${dlw_host}"
+ kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new nfs/${dlw_host}"
+
+ chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTAB}.new"
+ chmod 0640 "${DLW_KRB5_KEYTAB}.new"
+ mv -v "${DLW_KRB5_KEYTAB}.new" "${DLW_KRB5_KEYTAB}"
+ cp -av "${DLW_KRB5_KEYTAB}" "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ else
+ echo "WARNING: Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+ logger -t update-dlw-krb5-keytabs -p warning "Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+ fi
+ break
+ ;;
+ *)
+ ;;
+ esac
+ done <<< `ldapsearch -xLLL "(&(cn=$ldap_cn)(|(objectClass=GOHard)(objectClass=ipHost)))" cn 2>/dev/null | perl -p00e 's/\r?\n //g'`
+
+ if [ "$host_found" != "true" ]; then
+
+ # if we land here, three things might have happened:
+ #
+ # 1. this script is called from gosa-remove-host (and we need to clean up the keytab file)
+ # 2. this script has been called with a wrong hostname (one that does not exist in LDAP)
+ # 3. this script has found a DLW entry in NIS netgroup 'diskless-workstation-hosts' that
+ # does not exist in LDAP (any more). Manual tidying up is required in that case.
+
+ if [ -f "${DLW_KRB5_KEYTAB}" ]; then
+ logger -t update-dlw-krb5-keytabs -p info "Cleaning up DLW keytab file of host '${dlw_host}'."
+ rm -v "${DLW_KRB5_KEYTAB}"
+ rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ elif [ -f "${DLW_KRB5_KEYTAB/.${DOMAIN}/}" ]; then
+ logger -t update-dlw-krb5-keytabs -p info "Cleaning up leftover DLW keytab file of host '${dlw_host}' (without domain part)."
+ rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ else
+
+ echo "WARNING: Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+ logger -t update-dlw-krb5-keytabs -p warning "Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+
+ fi
+
+ fi
+
+done
+
+# FIXME: count updated files / hosts
+logger -t update-dlw-krb5-keytabs -p notice "Diskless workstation Krb5 keytab files updated."
+
+exit 0
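Review bot: the sanity check "getent passwd ${SPECIALUSER}" uses an undefined variable (the definition is SPECIAL_USER), so getent runs with no key, lists every account and always succeeds; that check can never fail. Further points in this file: (1) "DLW_HOSTS_NETGROUP=$(netgroup ... | grep -E ...)" runs under "set -e", and grep exits 1 when nothing matches, so the script aborts on that line and the "NOTICE: ... not found. Nothing to do." branch is unreachable (append "|| true" or test the status explicitly); the same applies to "nscd -i netgroup" when nscd is not running. (2) "kadmin.local -q \"ktadd -k ...\"" randomizes the principal's key and bumps its kvno on every run, so each invocation, i.e. every gosa-modify-host call for a diskless workstation, rotates the host/ and nfs/ keys, invalidating the keytab previously copied to the client and the nfs/ entry in the main server's host-specific keytab; use "ktadd -norandkey", which kadmin.local supports, unless rotation is intended. (3) "grep -q \"${1}.${DOMAIN}\"" is an unanchored substring match with an unescaped dot, so a command-line host "s1" is accepted because "s1.intern" is a substring of "ws1.intern"; match whole lines or use word boundaries. (4) All keytabs are root:debian-edu 0640 in a 0710 directory and every client logs in as the same debian-edu account, so any diskless client, or anyone holding the shared client SSH key, can read every other host's keytab; the header comment should state this trust boundary, and per-host delivery would be preferable. (5) Typos in the header and in the warning messages: "exmample", "netgorup".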
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/df6734b44c7bdc903e28a4b7a45a1be2501d8b4d...4306f4d3e165642e2b8cce12599d3d6895caed77