[debian-edu-commits] [Git][debian-edu/debian-edu-config][bullseye] 3 commits: debian/debian-edu-config.{postinst, postrm}: Create non-privileged debian-edu...
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Sun Mar 20 20:19:48 GMT 2022
Mike Gabriel pushed to branch bullseye at Debian Edu / debian-edu-config
Commits:
bccd2aab by Mike Gabriel at 2022-03-20T21:08:53+01:00
debian/debian-edu-config.{postinst,postrm}: Create non-privileged debian-edu system user account on Debian Edu mainserver (for distribution of host keytabs to diskless workstations aka LTSP fat clients).
- - - - -
0f3b32f3 by Mike Gabriel at 2022-03-20T21:18:48+01:00
d/debian-edu-config.postinst: Amend adduser call, lintian complains about quotes being used.
- - - - -
98eafea7 by Mike Gabriel at 2022-03-20T21:18:56+01:00
share/debian-edu-config/tools/: Add new update-dlw-krb5-keytabs script and call it (with delay) from gosa-modify-host hook script. (Closes: #613167, #1002018).
- - - - -
6 changed files:
- debian/debian-edu-config.postinst
- debian/debian-edu-config.postrm
- share/debian-edu-config/tools/gosa-create-host
- share/debian-edu-config/tools/gosa-modify-host
- share/debian-edu-config/tools/gosa-remove-host
- + share/debian-edu-config/tools/update-dlw-krb5-keytabs
Changes:
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -178,6 +178,24 @@ configure)
fi
fi
+ # On Debian Edu main servers create a debian-edu system user account with
+ # limit privileges for publishing host keytabs to diskless workstation (this
+ # is the initial use case. Further use cases might pop up later.
+ if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" /etc/debian-edu/config ; then
+ if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
+ echo 'Creating debian-edu user.' >&2
+ adduser --system --home /var/lib/debian-edu \
+ --disabled-password --shell /bin/sh \
+ --group debian-edu
+ else
+ echo 'User debian-edu already exists.' >&2
+ # make sure all settings are appropriate
+ if [ "$(id -gn 'debian-edu')" != 'debian-edu' ]; then
+ usermod --gid 'debian-edu' 'debian-edu'
+ fi
+ fi
+ fi
+
# silence dovecot's message: if you have trouble with authentication failures,
# enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
# This message goes away after the first successful login.
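Review bot: the `else` branch assumes a `debian-edu` group already exists: `usermod --gid 'debian-edu' 'debian-edu'` fails when the account is present with another primary group but no group of that name, and with the usual `set -e` in maintainer scripts that aborts the configure step. Guard it with `getent group debian-edu >/dev/null || addgroup --system debian-edu` before the `usermod`. Second, the account's only stated purpose is to be the remote end of an `scp` from the diskless workstations, yet it gets `--shell /bin/sh` and a home directory that is the parent of the keytab store; an sshd `Match User debian-edu` block with `PermitTTY no`, `X11Forwarding no`, `AllowAgentForwarding no` and, ideally, a `ForceCommand` that only hands out keytab files would limit what a leaked client key can do. Style: the grouping in `grep -Eq "(Main-Server)"` is redundant, and the comment reads "limit privileges" for "limited privileges" and never closes its parenthesis.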
=====================================
debian/debian-edu-config.postrm
=====================================
@@ -25,6 +25,11 @@ case "$1" in
fi
;;
purge)
+ # remove user/group debian-edu from system
+ getent passwd debian-edu 1>/dev/null && deluser debian-edu
+ getent group debian-edu 1>/dev/null && delgroup debian-edu
+ rm -Rf /var/lib/debian-edu
+
# Generated in the postinst
rm -f /etc/default/enable-nat
if [ ! -s /var/lib/dovecot/auth_success ] ; then
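Review bot: postinst creates the account only when /etc/debian-edu/config carries the Main-Server profile, but this purge branch runs `deluser debian-edu` on every profile, so an unrelated account of that name on a non-main-server host would be removed; pass `--system` to `deluser` and `delgroup` (matching `adduser --system` in postinst) so only a system account is touched, and consider mirroring the Main-Server check. `rm -Rf /var/lib/debian-edu` wipes the keytab collection, which is right on purge because those files hold live Kerberos keys, but the comment should say that is intended. Minor: postinst redirects with `>'/dev/null'`, this hunk with `1>/dev/null`.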
=====================================
share/debian-edu-config/tools/gosa-create-host
=====================================
@@ -57,7 +57,16 @@ while read KEY VALUE ; do
esac
done
+# During creation of a host, we should ideally call update-dlw-krb5-keytabs
+# here already. However, it is not possible to add a NIS netgroup tab to a
+# GOsa² system before the system object (and the additional DNS bits) has/have
+# been created. So, calling the update-dlw-krb5-keytabs script
+# makes no sense here...
+
+# FIXME: And: it would be really helpful to have POST-action hooks available for
+# NIS netgroups... In case people don't edit hosts individually, but prefer
+# mass-adding hosts to the diskless-workstation-hosts NIS netgroup.
+
/usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
exit 0
-
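Review bot: the comment says why `update-dlw-krb5-keytabs` is not called here but not how a freshly created host ever gets its keytab: with this patch that only happens when the host is later saved through gosa-modify-host (which calls the script) or the script is run by hand, and the comment should state that, because an administrator who creates a host and adds it to `diskless-workstation-hosts` in one go will otherwise find nothing in /var/lib/debian-edu/dlw-keytabs and no hint why. Removing the trailing blank line is fine.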
=====================================
share/debian-edu-config/tools/gosa-modify-host
=====================================
@@ -21,6 +21,11 @@ if ! LANG=C kadmin.local -q "get_principal nfs/$HOST.intern" 2>/dev/null | grep
logger -t gosa-modify-host -p notice Krb5 service principal \'nfs/$HOST.intern\' created and added to host-specific keytab file.
fi
+# call DLW keytabs' update script (delay execution for 2s because GOsa² needs
+# to write the NIS netgroup information first (this hook gets called between
+# saving the host object to LDAP, but before updating the NIS netgroup settings).
+( sleep 2; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@} 1>/dev/null 2>/dev/null) &
+
# update services:
/usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
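Review bot: `${@}` is unquoted, so any argument containing whitespace is re-split; use `"$@"`. The fixed `sleep 2` is a race against GOsa² writing the netgroup: if that takes longer, `update-dlw-krb5-keytabs` sees the host as a non-member, logs "not a diskless workstation" and produces no keytab, and because the job is backgrounded with stdout and stderr sent to /dev/null nothing but that syslog warning reveals it. Either poll the membership (re-run `netgroup diskless-workstation-hosts` a few times with a short sleep) or at least redirect the job's output to a log file. The comment's parentheses never close, and "gets called between saving the host object to LDAP, but before" should read "after saving the host object to LDAP, but before".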
=====================================
share/debian-edu-config/tools/gosa-remove-host
=====================================
@@ -24,4 +24,8 @@ fi
# update services:
/usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
+# Call DLW keytabs' update script for cleaning up
+# the DLW krb5 keytab collection for this host
+/usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs ${@}
+
exit 0
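Review bot: this cleanup only works while the removed host is still listed in the NIS netgroup: the argument loop in `update-dlw-krb5-keytabs` drops any hostname that is not in `diskless-workstation-hosts` with a "not a diskless workstation" warning and never reaches the `host_found != "true"` branch that deletes the keytab. If GOsa² has already dropped the netgroup triple when this hook runs, the stale keytab with live host/ and nfs/ keys stays readable in /var/lib/debian-edu/dlw-keytabs. A remove hook should delete `/var/lib/debian-edu/dlw-keytabs/$HOST.intern.keytab` and the domain-less copy directly instead of going through the netgroup check. Quote `"$@"` here as well.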
=====================================
share/debian-edu-config/tools/update-dlw-krb5-keytabs
=====================================
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+set -e
+
+# Copyright (C) 2016 by Mike Gabriel <mike.gabriel at it-zukunft-schule.de>
+
+# This script is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This script updates the krb5 host keytabs for a list of given hosts
+# in /var/lib/debian-edu/dlw-keytabs for all hosts that are members
+# in the NIS netgroup 'diskless-workstation-hosts'.
+#
+# The host keytab files are stored with read permissions for the
+# debian-edu system user.
+#
+# In a diskless workstation chroot (aka LTSP fat client), make sure
+# that the diskless system can copy over its own host keytab file
+# via
+#
+# scp debian-edu at tjener.intern:/var/lib/debian-edu/dlw-keytabs/$HOSTNAME.keytab /etc/krb5.keytab
+#
+# This line can be put into /etc/rc.local, for exmample. SSH private
+# and public key files need to be in place correctly to make this
+# work.
+#
+# This provides the possibility to use NFSv4 and Kerberos krb5i
+# authentication from a diskless machine against the NFS server
+# on the Debian Edu mainserver.
+
+DOMAIN="intern"
+
+SPECIAL_USER="debian-edu"
+SPECIAL_GROUP="${SPECIAL_USER}"
+
+DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
+
+# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
+nscd -i netgroup
+DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+
+# Do some sanity checks...
+if [ "$(id -u)" != "0" ]; then
+ echo "ERROR: This script must be run as super-user root"
+ exit 1
+elif ! getent passwd ${SPECIALUSER} 1>/dev/null; then
+ echo "ERROR: This script requires the debian-edu system user account"
+ exit 1
+elif ! getent group ${SPECIAL_GROUP} 1>/dev/null; then
+ echo "ERROR: This script requires the debian-edu system group"
+ exit 1
+elif [ -z "${DLW_HOSTS_NETGROUP}" ]; then
+
+ # FIXME: differentiate between diskless-workstation-hosts not present or empty!
+
+ echo "NOTICE: NIS netgroup 'diskless-workstation-hosts' not found. Nothing to do."
+ exit 0
+fi
+
+DLW_HOSTS=""
+
+# obtain DLW_HOSTS from NIS Netgroup or from the command line
+if [ -z "${1}" ]; then
+ DLW_HOSTS="${DLW_HOSTS_NETGROUP}"
+else
+ logger -t update-dlw-krb5-keytabs -p notice "Called with command line: ${@}"
+
+ while [ -n "${1}" ]; do
+ if echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}.${DOMAIN}"; then
+ DLW_HOSTS="${DLW_HOSTS} ${1}.${DOMAIN}"
+ else
+ echo "WARNING: Host ${1} not a diskless workstation"
+ logger -t update-dlw-krb5-keytabs -p warning "Host '${1}' is not a diskless workstation."
+ fi
+ shift
+ done
+fi
+
+mkdir -p "${DLW_KRB5_KEYTABS_DIR}"
+chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTABS_DIR}"
+chmod 0710 "${DLW_KRB5_KEYTABS_DIR}"
+
+for dlw_host in ${DLW_HOSTS}; do
+
+ DLW_KRB5_KEYTAB="${DLW_KRB5_KEYTABS_DIR}/${dlw_host}.keytab"
+
+ host_found="false"
+ ldap_cn=$(echo ${dlw_host} | cut -d"." -f1)
+
+ ldap_host=""
+
+ while read KEY VALUE; do
+ case "$KEY" in
+ dn:)
+ ldap_host=""
+ ;;
+ cn:)
+ ldap_host="$VALUE"
+ if [ "${ldap_host}.${DOMAIN}" = "${dlw_host}" ]; then
+ host_found="true"
+ else
+ continue
+ fi
+
+ if LANG=C kadmin.local -q "get_principal host/${dlw_host}" 2>/dev/null | grep -q "^Principal: host/${dlw_host}@.*" &&
+ LANG=C kadmin.local -q "get_principal nfs/${dlw_host}" 2>/dev/null | grep -q "^Principal: nfs/${dlw_host}@.*" ; then
+
+ kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new host/${dlw_host}"
+ kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new nfs/${dlw_host}"
+
+ chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTAB}.new"
+ chmod 0640 "${DLW_KRB5_KEYTAB}.new"
+ mv -v "${DLW_KRB5_KEYTAB}.new" "${DLW_KRB5_KEYTAB}"
+ cp -av "${DLW_KRB5_KEYTAB}" "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ else
+ echo "WARNING: Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+ logger -t update-dlw-krb5-keytabs -p warning "Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+ fi
+ break
+ ;;
+ *)
+ ;;
+ esac
+ done <<< `ldapsearch -xLLL "(&(cn=$ldap_cn)(|(objectClass=GOHard)(objectClass=ipHost)))" cn 2>/dev/null | perl -p00e 's/\r?\n //g'`
+
+ if [ "$host_found" != "true" ]; then
+
+ # if we land here, three things might have happened:
+ #
+ # 1. this script is called from gosa-remove-host (and we need to clean up the keytab file)
+ # 2. this script has been called with a wrong hostname (one that does not exist in LDAP)
+ # 3. this script has found a DLW entry in NIS netgroup 'diskless-workstation-hosts' that
+ # does not exist in LDAP (any more). Manual tidying up is required in that case.
+
+ if [ -f "${DLW_KRB5_KEYTAB}" ]; then
+ logger -t update-dlw-krb5-keytabs -p info "Cleaning up DLW keytab file of host '${dlw_host}'."
+ rm -v "${DLW_KRB5_KEYTAB}"
+ rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ elif [ -f "${DLW_KRB5_KEYTAB/.${DOMAIN}/}" ]; then
+ logger -t update-dlw-krb5-keytabs -p info "Cleaning up leftover DLW keytab file of host '${dlw_host}' (without domain part)."
+ rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ else
+
+ echo "WARNING: Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+ logger -t update-dlw-krb5-keytabs -p warning "Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+
+ fi
+
+ fi
+
+done
+
+# FIXME: count updated files / hosts
+logger -t update-dlw-krb5-keytabs -p notice "Diskless workstation Krb5 keytab files updated."
+
+exit 0
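Review bot: the user check is a no-op: `getent passwd ${SPECIALUSER}` references an undefined variable (typo for `SPECIAL_USER`), expands to `getent passwd` with no argument and succeeds by listing the whole database. The netgroup lookup also runs before the root check and under `set -e`: `nscd -i netgroup` fails when the caller is not root or nscd is not running, and `DLW_HOSTS_NETGROUP=$(netgroup ... | grep -E ...)` ends the script with status 1 when grep matches nothing, so the "Nothing to do" branch below is unreachable and an empty or missing netgroup aborts silently (append `|| true` and test the result afterwards, and move the sanity checks above these two lines). The membership test `echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}.${DOMAIN}"` is an unanchored regex, so a suffix of a member name passes (`ab1` matches `lab1.intern`); use `printf '%s\n' ${DLW_HOSTS_NETGROUP} | grep -qxF "${1}.${DOMAIN}"`. The two `kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new ..."` calls randomize the principal's keys on every run (kadmin's ktadd default), so each execution, including the one fired from any gosa-modify-host, re-keys host/ and nfs/ for the listed workstations and invalidates whatever keytab a client already fetched; `ktadd -norandkey` exports the current keys instead. Because `ktadd` appends to an existing keytab, a failed second `ktadd` leaves a partial `.new` file that the next run extends, so `rm -f "${DLW_KRB5_KEYTAB}.new"` before the first call. On the access model: every keytab is `root:debian-edu` 0640 in a 0710 directory, so anyone who can authenticate as `debian-edu` reads every workstation's keys, and the header comment puts the client's SSH key into the shared diskless chroot, which means one key yields every host's identity to every client; a server-side `ForceCommand` that serves only the keytab matching the connecting host would narrow that. Smaller points: the LDAP filter `(cn=$ldap_cn)` is built from an unescaped string, and the comments carry "exmample" and "netgorup".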
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/144cb5d48243542eaff34f987849c7882e523f75...98eafea7eacd9b9e8a462499864b2fada8844368