[debian-edu-commits] [Git][debian-edu/debian-edu-config][bullseye] 3 commits: debian/debian-edu-config.{postinst, postrm}: Create non-privileged debian-edu...

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Sun Mar 20 20:19:48 GMT 2022



Mike Gabriel pushed to branch bullseye at Debian Edu / debian-edu-config


Commits:
bccd2aab by Mike Gabriel at 2022-03-20T21:08:53+01:00
debian/debian-edu-config.{postinst,postrm}: Create non-privileged debian-edu system user account on Debian Edu mainserver (for distribution of host keytabs to diskless workstations aka LTSP fat clients).

- - - - -
0f3b32f3 by Mike Gabriel at 2022-03-20T21:18:48+01:00
d/debian-edu-config.postinst: Amend adduser call, lintian complains about quotes being used.

- - - - -
98eafea7 by Mike Gabriel at 2022-03-20T21:18:56+01:00
share/debian-edu-config/tools/: Add new update-dlw-krb5-keytabs script and call it (with delay) from gosa-modify-host hook script. (Closes: #613167, #1002018).

- - - - -


6 changed files:

- debian/debian-edu-config.postinst
- debian/debian-edu-config.postrm
- share/debian-edu-config/tools/gosa-create-host
- share/debian-edu-config/tools/gosa-modify-host
- share/debian-edu-config/tools/gosa-remove-host
- + share/debian-edu-config/tools/update-dlw-krb5-keytabs


Changes:

=====================================
debian/debian-edu-config.postinst
=====================================
@@ -178,6 +178,24 @@ configure)
 		fi
 	fi
 
+	# On Debian Edu main servers create a debian-edu system user account with
+	# limit privileges for publishing host keytabs to diskless workstation (this
+	# is the initial use case. Further use cases might pop up later.
+	if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" /etc/debian-edu/config ; then
+	    if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
+		echo 'Creating debian-edu user.' >&2
+		adduser --system --home /var/lib/debian-edu \
+		        --disabled-password --shell /bin/sh \
+		        --group debian-edu
+	    else
+		echo 'User debian-edu already exists.' >&2
+		# make sure all settings are appropriate
+		if [ "$(id -gn 'debian-edu')" != 'debian-edu' ]; then
+		    usermod --gid 'debian-edu' 'debian-edu'
+		fi
+	    fi
+	fi
+
     # silence dovecot's message: if you have trouble with authentication failures,
     # enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
     # This message goes away after the first successful login.
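Review bot: the account gets a real login shell (`--shell /bin/sh`), and the header of update-dlw-krb5-keytabs shows it is meant to be reached over SSH with a key held by every diskless workstation, so what that key may do on the main server should be limited: an `authorized_keys` entry with `restrict` and a `command=` that only copies the caller's own keytab, or an sshd `Match User debian-edu` block with `ForceCommand internal-sftp` plus `ChrootDirectory`, would stop a workstation holding the key from opening a shell or reading the other hosts' keytabs. Since all keytabs end up 0640 root:debian-edu, every workstation that authenticates as debian-edu can read all of them; the per-host separation rests entirely on SSH. Smaller points: the `else` branch only repairs the primary group and leaves home directory and shell unchecked; the comment says "limit privileges" (limited) and has an unclosed parenthesis; and the new block mixes tab and four-space indentation.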


=====================================
debian/debian-edu-config.postrm
=====================================
@@ -25,6 +25,11 @@ case "$1" in
 	fi
 	;;
     purge)
+	# remove user/group debian-edu from system
+	getent passwd debian-edu 1>/dev/null && deluser debian-edu
+	getent group debian-edu 1>/dev/null && delgroup debian-edu
+	rm -Rf /var/lib/debian-edu
+
 	# Generated in the postinst
 	rm -f /etc/default/enable-nat
 	if [ ! -s /var/lib/dovecot/auth_success ] ; then
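Review bot: `deluser debian-edu` and `delgroup debian-edu` will also remove a regular account or group that merely carries that name; since the postinst creates a system account, `deluser --system debian-edu` and `delgroup --system debian-edu` only act when the target really is a system user/group. `rm -Rf /var/lib/debian-edu` removes the dlw-keytabs collection together with the home directory, which is the right outcome on purge, but the host/ and nfs/ principals created in the KDC stay behind; a comment stating that would help the next reader. The `getent ... && deluser ...` lines also leave a non-zero status when the user is absent, which is harmless only as long as nothing later relies on `$?`.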


=====================================
share/debian-edu-config/tools/gosa-create-host
=====================================
@@ -57,7 +57,16 @@ while read KEY VALUE ; do
 	esac
 done
 
+# During creation of a host, we should ideally call update-dlw-krb5-keytabs
+# here already. However, it is not possible to add a NIS netgroup tab to a
+# GOsa² system before the system object (and the additional DNS bits) has/have
+# been created. So, calling the update-dlw-krb5-keytabs script
+# makes no sense here...
+
+# FIXME: And: it would be really helpful to have POST-action hooks available for
+# NIS netgroups... In case people don't edit hosts individually, but prefer
+# mass-adding hosts to the diskless-workstation-hosts NIS netgroup.
+
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
 
 exit 0
-
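Review bot: the comment explains why no keytab is produced at creation time, but the consequence for admins is not recorded anywhere: a freshly created diskless workstation only gets its keytab once gosa-modify-host has run for it or update-dlw-krb5-keytabs is invoked by hand, and that belongs in the script header or the docs. Minor: "has/have been created" reads awkwardly, and the removed trailing blank line is an unrelated whitespace change.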


=====================================
share/debian-edu-config/tools/gosa-modify-host
=====================================
@@ -21,6 +21,11 @@ if ! LANG=C kadmin.local -q "get_principal nfs/$HOST.intern" 2>/dev/null  | grep
 	logger -t gosa-modify-host -p notice Krb5 service principal \'nfs/$HOST.intern\' created and added to host-specific keytab file.
 fi
 
+# call DLW keytabs' update script (delay execution for 2s because GOsa² needs
+# to write the NIS netgroup information first (this hook gets called between
+# saving the host object to LDAP, but before updating the NIS netgroup settings).
+( sleep 2; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@} 1>/dev/null 2>/dev/null) &
+
 # update services:
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
 


=====================================
share/debian-edu-config/tools/gosa-remove-host
=====================================
@@ -24,4 +24,8 @@ fi
 # update services:
 /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
 
+# Call DLW keytabs' update script for cleaning up
+# the DLW krb5 keytab collection for this host
+/usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@}
+
 exit 0
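Review bot: cleanup here only works if the host is still listed in the diskless-workstation-hosts netgroup when the hook runs: update-dlw-krb5-keytabs drops any command-line host that does not match the netgroup ("WARNING: Host ... not a diskless workstation") before it ever reaches the cleanup branch, so if the netgroup has already been updated the `${dlw_host}.keytab` file with live key material stays under /var/lib/debian-edu/dlw-keytabs. Consider making removal of a host's keytab independent of netgroup membership, e.g. an explicit remove mode. As in gosa-modify-host, quote `"$@"`; and the script's exit status is not checked, so a failed sanity check there goes unnoticed because the hook continues to `exit 0`.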


=====================================
share/debian-edu-config/tools/update-dlw-krb5-keytabs
=====================================
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+set -e
+
+# Copyright (C) 2016 by Mike Gabriel <mike.gabriel at it-zukunft-schule.de>
+
+# This script is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This script updates the krb5 host keytabs for a list of given hosts
+# in /var/lib/debian-edu/dlw-keytabs for all hosts that are members
+# in the NIS netgroup 'diskless-workstation-hosts'.
+#
+# The host keytab files are stored with read permissions for the
+# debian-edu system user.
+#
+# In a diskless workstation chroot (aka LTSP fat client), make sure
+# that the diskless system can copy over its own host keytab file
+# via
+#
+#     scp debian-edu at tjener.intern:/var/lib/debian-edu/dlw-keytabs/$HOSTNAME.keytab /etc/krb5.keytab
+#
+# This line can be put into /etc/rc.local, for exmample. SSH private
+# and public key files need to be in place correctly to make this
+# work.
+#
+# This provides the possibility to use NFSv4 and Kerberos krb5i
+# authentication from a diskless machine against the NFS server
+# on the Debian Edu mainserver.
+
+DOMAIN="intern"
+
+SPECIAL_USER="debian-edu"
+SPECIAL_GROUP="${SPECIAL_USER}"
+
+DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
+
+# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
+nscd -i netgroup
+DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+
+# Do some sanity checks...
+if [ "$(id -u)" != "0" ]; then
+	echo "ERROR: This script must be run as super-user root"
+	exit 1
+elif ! getent passwd ${SPECIALUSER} 1>/dev/null; then
+	echo "ERROR: This script requires the debian-edu system user account"
+	exit 1
+elif ! getent group ${SPECIAL_GROUP} 1>/dev/null; then
+	echo "ERROR: This script requires the debian-edu system group"
+	exit 1
+elif [ -z "${DLW_HOSTS_NETGROUP}" ]; then
+
+	# FIXME: differentiate between diskless-workstation-hosts not present or empty!
+
+	echo "NOTICE: NIS netgroup 'diskless-workstation-hosts' not found. Nothing to do."
+	exit 0
+fi
+
+DLW_HOSTS=""
+
+# obtain DLW_HOSTS from NIS Netgroup or from the command line
+if [ -z "${1}" ]; then
+	DLW_HOSTS="${DLW_HOSTS_NETGROUP}"
+else
+	logger -t update-dlw-krb5-keytabs -p notice "Called with command line: ${@}"
+
+	while [ -n "${1}" ]; do
+		if echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}.${DOMAIN}"; then
+			DLW_HOSTS="${DLW_HOSTS} ${1}.${DOMAIN}"
+		else
+			echo "WARNING: Host ${1} not a diskless workstation"
+			logger -t update-dlw-krb5-keytabs -p warning "Host '${1}' is not a diskless workstation."
+		fi
+		shift
+	done
+fi
+
+mkdir -p "${DLW_KRB5_KEYTABS_DIR}"
+chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTABS_DIR}"
+chmod 0710 "${DLW_KRB5_KEYTABS_DIR}"
+
+for dlw_host in ${DLW_HOSTS}; do
+
+	DLW_KRB5_KEYTAB="${DLW_KRB5_KEYTABS_DIR}/${dlw_host}.keytab"
+
+	host_found="false"
+	ldap_cn=$(echo ${dlw_host} | cut -d"." -f1)
+
+	ldap_host=""
+
+	while read KEY VALUE; do
+		case "$KEY" in
+			dn:)
+				ldap_host=""
+				;;
+			cn:)
+				ldap_host="$VALUE"
+				if [ "${ldap_host}.${DOMAIN}" = "${dlw_host}" ]; then
+					host_found="true"
+				else
+					continue
+				fi
+
+				if LANG=C kadmin.local -q "get_principal host/${dlw_host}" 2>/dev/null  | grep -q "^Principal: host/${dlw_host}@.*" &&
+				   LANG=C kadmin.local -q "get_principal nfs/${dlw_host}" 2>/dev/null  | grep -q "^Principal: nfs/${dlw_host}@.*" ; then
+
+					kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new host/${dlw_host}"
+					kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new nfs/${dlw_host}"
+
+					chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTAB}.new"
+					chmod 0640 "${DLW_KRB5_KEYTAB}.new"
+					mv -v "${DLW_KRB5_KEYTAB}.new" "${DLW_KRB5_KEYTAB}"
+					cp -av "${DLW_KRB5_KEYTAB}" "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+				else
+					echo "WARNING: Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+					logger -t update-dlw-krb5-keytabs -p warning "Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+				fi
+				break
+				;;
+			*)
+				;;
+		esac
+	done <<< `ldapsearch -xLLL "(&(cn=$ldap_cn)(|(objectClass=GOHard)(objectClass=ipHost)))" cn 2>/dev/null | perl -p00e 's/\r?\n //g'`
+
+	if [ "$host_found" != "true" ]; then
+
+		# if we land here, three things might have happened:
+		#
+		#   1. this script is called from gosa-remove-host (and we need to clean up the keytab file)
+		#   2. this script has been called with a wrong hostname (one that does not exist in LDAP)
+		#   3. this script has found a DLW entry in NIS netgroup 'diskless-workstation-hosts' that
+		#      does not exist in LDAP (any more). Manual tidying up is required in that case.
+
+		if [ -f "${DLW_KRB5_KEYTAB}" ]; then
+			logger -t update-dlw-krb5-keytabs -p info "Cleaning up DLW keytab file of host '${dlw_host}'."
+			rm -v "${DLW_KRB5_KEYTAB}"
+			rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+		elif [ -f "${DLW_KRB5_KEYTAB/.${DOMAIN}/}" ]; then
+			logger -t update-dlw-krb5-keytabs -p info "Cleaning up leftover DLW keytab file of host '${dlw_host}' (without domain part)."
+			rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+		else
+
+			echo "WARNING: Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+			logger -t update-dlw-krb5-keytabs -p warning "Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+
+		fi
+
+	fi
+
+done
+
+# FIXME: count updated files / hosts
+logger -t update-dlw-krb5-keytabs -p notice "Diskless workstation Krb5 keytab files updated."
+
+exit 0
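Review bot: the sanity check `elif ! getent passwd ${SPECIALUSER} 1>/dev/null` references an undefined variable (the script defines `SPECIAL_USER`); with an empty argument `getent passwd` lists all accounts and succeeds, so the check never fires. Second, under `set -e` the assignment `DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E ...)` aborts the script whenever grep finds no match, so the "NIS netgroup 'diskless-workstation-hosts' not found. Nothing to do." branch and the FIXME in it are unreachable; append `|| true` or move the test. The same applies to `nscd -i netgroup` when nscd is not running. Third, `ktadd` randomizes the key by default (`-norandkey` keeps key and kvno), so every run, i.e. every gosa-modify-host call, re-keys host/ and nfs/ and invalidates any copy of the keytab a workstation has already fetched as well as the host-specific keytab gosa-modify-host just wrote for nfs/; use `-norandkey`, or only run ktadd when no keytab exists yet. Smaller points: `grep -q "${1}.${DOMAIN}"` is an unanchored regex where `.` matches anything, so `ws1` matches `ws10.intern`; use `grep -qx` on one host per line. A leftover `${DLW_KRB5_KEYTAB}.new` from an aborted run is appended to, so `rm -f` it first. The `cp -av` copy without the domain part doubles the stored key material; a symlink would do if the name is needed. Typos: "exmample" in the header, "netgorup" in the two warning lines.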



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/144cb5d48243542eaff34f987849c7882e523f75...98eafea7eacd9b9e8a462499864b2fada8844368
