[debian-edu-commits] [Git][debian-edu/debian-edu-config][bullseye] Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/ and...

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Tue Mar 22 08:56:53 GMT 2022



Mike Gabriel pushed to branch bullseye at Debian Edu / debian-edu-config


Commits:
cbc752c0 by Mike Gabriel at 2022-03-22T09:25:31+01:00
Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/ and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes: #1002019).

- - - - -


13 changed files:

- debian/changelog
- debian/debian-edu-config.links
- debian/debian-edu-config.maintscript
- debian/debian-edu-config.postinst
- debian/debian-edu-config.preinst
- debian/debian-edu-config.prerm
- debian/dirs
- share/debian-edu-config/tools/clean-up-host-keytabs
- share/debian-edu-config/tools/copy-host-keytab
- share/debian-edu-config/tools/edu-ldap-from-scratch
- share/debian-edu-config/tools/gosa-create-host
- share/debian-edu-config/tools/gosa-modify-host
- share/debian-edu-config/tools/gosa-remove-host


Changes:

=====================================
debian/changelog
=====================================
@@ -53,6 +53,9 @@ debian-edu-config (2.11.56+deb11u4) UNRELEASED; urgency=medium
       #1006362).
     - Silence stderr output if the artwork theme lacks a plymouth subfolder.
       This can be silently ignored and should not trouble Debian Edu admins.
+  * Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/
+    and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes:
+    #1002019).
 
  -- Mike Gabriel <sunweaver at debian.org>  Fri, 14 Dec 2021 22:21:50 +0100
 


=====================================
debian/debian-edu-config.links
=====================================
@@ -1,3 +1,2 @@
 usr/share/debian-edu-config/tools/ldapdump.sh etc/slbackup/pre.d/ldapdump.sh
 etc/debian-edu/www/index.html.nb-no etc/debian-edu/www/index.html.no
-


=====================================
debian/debian-edu-config.maintscript
=====================================
@@ -4,4 +4,4 @@ rm_conffile /etc/desktop-profiles/debian-edu-config.listing 2.10.22
 rm_conffile /etc/apt/apt.conf.d/90squid 2.10.36
 rm_conffile /etc/ltspfs/mounter.d/edu-notify 2.11.16
 rm_conffile /etc/cfengine3/debian-edu/cf.tftpd 2.11.16
-
+dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.11.56+deb11u3
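Review bot: The prior-version argument on the added `dir_to_symlink` line is `2.11.56+deb11u3`, while the changelog entry for this change sits under 2.11.56+deb11u4 and the preinst guard in this same commit uses `le "2.11.56+deb11u4"`. dpkg-maintscript-helper(1) recommends passing the version being prepared with a `~` suffix, so `dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.11.56+deb11u4~` would keep the two conditions aligned. As written, a host upgrading from an intermediate u4 build would presumably have its keytabs moved by preinst without the directory ever being converted by the helper.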


=====================================
debian/debian-edu-config.postinst
=====================================
@@ -182,6 +182,7 @@ configure)
 	# limit privileges for publishing host keytabs to diskless workstation (this
 	# is the initial use case. Further use cases might pop up later.
 	if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" /etc/debian-edu/config ; then
+
 	    if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
 		echo 'Creating debian-edu user.' >&2
 		adduser --system --home /var/lib/debian-edu \
@@ -194,6 +195,13 @@ configure)
 		    usermod --gid 'debian-edu' 'debian-edu'
 		fi
 	    fi
+
+	    # Assure that permissions of /var/lib/debian-edu/ are appropriate
+	    if [ -d /var/lib/debian-edu/ ]; then
+		chown debian-edu:debian-edu /var/lib/debian-edu/
+		chmod 0755 /var/lib/debian-edu/
+	    fi
+
 	fi
 
     # silence dovecot's message: if you have trouble with authentication failures,
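Review bot: The added block hands `/var/lib/debian-edu/` to the unprivileged `debian-edu` account, but nothing pins the owner or mode of `/var/lib/debian-edu/host-keytabs`, where the root-run `kadmin.local ktadd -k` hooks write host keytabs after this commit. An account that owns the parent directory can rename or replace entries in it, so the keytab directory would be safer under a root-owned parent. If it has to stay here, set it explicitly in this block, e.g. `chown root:root /var/lib/debian-edu/host-keytabs` and `chmod 0755 /var/lib/debian-edu/host-keytabs`, or a tighter mode if the publishing use case allows. The parent is the account's home per the `adduser --home` call above, so a comment saying why the keytabs live below it would help. The enclosing `configure)` arm starts outside the hunk.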
@@ -284,6 +292,14 @@ if [ -h /etc/exim4/exim4.conf ] && [ -x /etc/init.d/exim4 ] ; then
 	fi
 fi
 
+# On the main-server, point from the old keytab location /etc/debian-edu/host-keytabs to the new
+# keytab location at /var/lib/debian-edu/host-keytabs...
+if grep -q Main-Server /etc/debian-edu/config; then
+	if [ ! -e /etc/debian-edu/host-keytabs ] && [ -d /var/lib/debian-edu/host-keytabs ]; then
+		ln -s /var/lib/debian-edu/host-keytabs /etc/debian-edu/host-keytabs
+	fi
+fi
+
 # Register all changes done by this postinst script
 if which etckeeper > /dev/null ; then
     etckeeper commit "end of debian-edu-config postinst" || true
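Review bot: The added `grep -q Main-Server /etc/debian-edu/config` runs without checking that the file exists, unlike the `[ -s /etc/debian-edu/config ] && grep -Eq …` guard used earlier in this script, so a system without that file gets a grep error on stderr. Use `if [ -s /etc/debian-edu/config ] && grep -q Main-Server /etc/debian-edu/config; then`. The inner `[ ! -e /etc/debian-edu/host-keytabs ]` is also true for a dangling symlink, in which case `ln -s` fails; adding `&& [ ! -h /etc/debian-edu/host-keytabs ]` covers that. A one-line comment saying how this block relates to the `dir_to_symlink` entry in the maintscript file (fresh install versus upgrade) would help the next reader.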


=====================================
debian/debian-edu-config.preinst
=====================================
@@ -44,6 +44,19 @@ upgrade)
     if dpkg --compare-versions "$2" le "2.11.16" ; then
         rm -rf /etc/ltspfs
     fi
+
+    # Move .keytab files from /etc/debian-edu/host-keytabs to
+    # /var/lib/debian-edu/host-keytabs before dpkg-maintscript-helper moves
+    # the /etc/debian-edu/host-keytabs dir and replaces it by a symlink...
+    # We have to move the .keytab files manually, because they are not owned
+    # by debian-edu-config.
+    if dpkg --compare-versions "$2" le "2.11.56+deb11u4"; then
+        if [ -d /etc/debian-edu/host-keytabs ] && find /etc/debian-edu/host-keytabs/* 1>/dev/null 2>/dev/null; then
+            mkdir -p /var/lib/debian-edu/host-keytabs/
+            mv /etc/debian-edu/host-keytabs/*.keytab /var/lib/debian-edu/host-keytabs/
+        fi
+    fi
+
     ;;
 esac
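Review bot: The guard tests `find /etc/debian-edu/host-keytabs/*` but the move uses `*.keytab`, so a directory holding only other files passes the test and `mv` then fails on the unexpanded glob. Test the glob that is actually moved, e.g. `if [ -d /etc/debian-edu/host-keytabs ] && ls /etc/debian-edu/host-keytabs/*.keytab >/dev/null 2>&1; then`. Any non-`.keytab` file left behind is not owned by the package either, so the later dir_to_symlink step would presumably still refuse to convert the directory. `mkdir -p` also creates the new keytab directory with whatever umask is in effect; `install -d -m 0755 -o root -g root /var/lib/debian-edu/host-keytabs` would make owner and mode explicit. The enclosing `upgrade)` arm starts outside the hunk.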
 


=====================================
debian/debian-edu-config.prerm
=====================================
@@ -16,6 +16,11 @@ case "$1" in
 	    rm /usr/share/pam-configs/edu-nopwdchange
 	fi
 	pam-auth-update --package --remove edu-group edu-umask
+
+	# drop /etc/debian-edu/host-keytabs symlink
+	if [ -h /etc/debian-edu/host-keytabs ]; then
+	    rm /etc/debian-edu/host-keytabs
+	fi
 	;;
 esac
 


=====================================
debian/dirs
=====================================
@@ -6,7 +6,6 @@ etc/chromium/policies/managed
 etc/cron.d
 etc/cups
 etc/debian-edu
-etc/debian-edu/host-keytabs
 etc/default
 etc/exports.d
 etc/firefox-esr
@@ -26,3 +25,4 @@ usr/share/debian-edu-config/tools
 usr/share/doc/debian-edu-config
 usr/share/man
 usr/share/man/man8
+var/lib/debian-edu/host-keytabs


=====================================
share/debian-edu-config/tools/clean-up-host-keytabs
=====================================
@@ -18,7 +18,7 @@
 # Free Software Foundation, Inc.,
 # 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
 
-# This script cleans up /etc/debian-edu/host-keytabs/. It looks into TJENER's
+# This script cleans up /var/lib/debian-edu/host-keytabs/. It looks into TJENER's
 # LDAP tree (objectClass=dhcpHost) and removes all keytab files (and host
 # principals) that don't have a dhcpHost object (anymore).
 #
@@ -47,12 +47,12 @@ hosts[$num_hosts+1]=tjener
 printf -v hosts_str -- ',,%q' "${hosts[@]}"
 hosts_str=$(echo $hosts_str | tr 'A-Z' 'a-z')
 
-for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
+for i in $(basename -a /var/lib/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
 	match_value=$(echo $i | tr 'A-Z' 'a-z')
 	if [[ ! "${hosts_str},," =~ ",,$match_value,," ]]; then
 		kadmin.local delprinc host/$i.intern at INTERN || true
 		kadmin.local delprinc nfs/$i.intern at INTERN || true
-		rm /etc/debian-edu/host-keytabs/$i.intern.keytab
+		rm /var/lib/debian-edu/host-keytabs/$i.intern.keytab
 	fi
 done
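Review bot: The loop takes its host names from `basename -a … | sed 's#.intern.keytab##'` and passes `$i` unquoted to `kadmin.local delprinc` and `rm`, so file names in the keytab directory are word-split and glob-expanded in a script that runs as root. An empty directory also makes the loop run once on the literal `*`, and the sed pattern is unanchored with dots that match any character. Iterating over the `*.intern.keytab` glob directly and removing the matched path avoids all three; `$i` in the two `delprinc` lines should be quoted as well. The start of the script is outside the hunk.

```shell
for keytab in /var/lib/debian-edu/host-keytabs/*.intern.keytab; do
	[ -e "$keytab" ] || continue
	i=$(basename -- "$keytab" .intern.keytab)
	# … unchanged: match_value computation, hosts_str test, kadmin.local delprinc calls …
		rm -- "$keytab"
	# … unchanged: fi / done …
```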
 


=====================================
share/debian-edu-config/tools/copy-host-keytab
=====================================
@@ -1,4 +1,4 @@
 #!/bin/sh
 set -e
 kinit
-scp tjener:/etc/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
+scp tjener:/var/lib/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab


=====================================
share/debian-edu-config/tools/edu-ldap-from-scratch
=====================================
@@ -53,7 +53,7 @@ rm -rf /var/lib/ldap/*
 if [ -e /etc/krb5kdc/stash ] ; then
     rm /etc/krb5kdc/stash
     rm /etc/krb5.keyt*
-    rm -f /etc/debian-edu/host-keytabs/*.*
+    rm -f /var/lib/debian-edu/host-keytabs/*.*
 fi
 ldap-debian-edu-install
 # send mail to first user (initialize /var/mail/<first-user uid>);


=====================================
share/debian-edu-config/tools/gosa-create-host
=====================================
@@ -49,8 +49,8 @@ while read KEY VALUE ; do
 			    logger -t gosa-create-host -p notice Krb5 principal \'host/$FQDN\' created.
 			    kadmin.local -q "add_principal -policy hosts -randkey nfs/$FQDN"
 			    logger -t gosa-create-host -p notice Krb5 principal \'nfs/$FQDN\' created.
-			    kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
-			    kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
+			    kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
+			    kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
 			    logger -t gosa-create-host -p notice Krb5 keytab file for \'$FQDN\' created.
 			fi
 			;;
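Review bot: `$FQDN` is expanded unvalidated into the `kadmin.local -q` query strings, the `-k` keytab path and the `logger` arguments, and the same pattern appears with `$HOST` in the share/debian-edu-config/tools/gosa-modify-host hunk. The value appears to come from the `while read KEY VALUE` input, so it should be checked against a host-name pattern before it reaches a root-run kadmin query or a file path. For example: `case "$FQDN" in ''|*[!A-Za-z0-9.-]*) logger -t gosa-create-host -p err "invalid host name"; continue ;; esac`. The enclosing loop and case start outside the hunk, so where the check belongs needs confirming against the full script.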


=====================================
share/debian-edu-config/tools/gosa-modify-host
=====================================
@@ -12,12 +12,12 @@ HOST="$1"
 # by the gosa-host-create hook script.
 if ! LANG=C kadmin.local -q "get_principal host/$HOST.intern" 2>/dev/null  | grep -q "^Principal: host/$HOST.intern at .*"; then
 	kadmin.local -q "add_principal -policy hosts -randkey host/$HOST.intern"
-	kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab host/$HOST.intern"
+	kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab host/$HOST.intern"
 	logger -t gosa-modify-host -p notice Krb5 host principal \'host/$HOST.intern\' created and added to host-specific keytab file.
 fi
 if ! LANG=C kadmin.local -q "get_principal nfs/$HOST.intern" 2>/dev/null  | grep -q "^Principal: nfs/$HOST.intern at .*"; then
 	kadmin.local -q "add_principal -policy hosts -randkey nfs/$HOST.intern"
-	kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab nfs/$HOST.intern"
+	kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab nfs/$HOST.intern"
 	logger -t gosa-modify-host -p notice Krb5 service principal \'nfs/$HOST.intern\' created and added to host-specific keytab file.
 fi
 


=====================================
share/debian-edu-config/tools/gosa-remove-host
=====================================
@@ -6,7 +6,7 @@ set -ex
 ## Make sure that malicious execution cannot hurt.
 ##
 ## This script removes the host and nfs principals for hosts removed with gosa.
-## It also removes the host specific keytab file (tjener:/etc/$fqdn.keytab).
+## It also removes the host specific keytab file (tjener:/var/lib/debian-edu/$fqdn.keytab).
 
 
 HOST="$1"
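Review bot: The updated comment gives the keytab location as `tjener:/var/lib/debian-edu/$fqdn.keytab`, which omits the `host-keytabs/` directory that the `rm` later in this file operates on. It should read `## It also removes the host specific keytab file (tjener:/var/lib/debian-edu/host-keytabs/$fqdn.keytab).`. The rest of the script is outside this hunk.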
@@ -16,7 +16,7 @@ if $(kadmin.local listprincs | grep -q $HOST) ; then
     for i in $(kadmin.local listprincs | grep $HOST) ; do
         kadmin.local delprinc $i
     done
-    rm /etc/debian-edu/host-keytabs/$(ls -l /etc/debian-edu/host-keytabs | grep $HOST | awk '{print $9}')
+    rm /var/lib/debian-edu/host-keytabs/$(ls -l /var/lib/debian-edu/host-keytabs | grep $HOST | awk '{print $9}')
     logger -t gosa-remove-host -p notice Krb5 principals and keytab file for host \'$HOST\' removed.
 fi
 #
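Review bot: `grep $HOST` is an unquoted, unanchored substring match, so removing a host whose name is contained in another host's name also selects that other host's principals and keytab. The `rm …/$(ls -l … | awk '{print $9}')` line has a second problem: with several matches only the first gets the directory prefix, and names with spaces break the parse. Match the exact name and drop the `ls` parsing, e.g. `rm -f -- "/var/lib/debian-edu/host-keytabs/$HOST.intern.keytab"`, and use `grep -F -- "/$HOST."` (or a fully anchored pattern) when selecting principals. This assumes `$HOST` is the short host name as in gosa-modify-host; adjust the suffix if it is the FQDN. The enclosing `if` starts outside the hunk, and the script header asks that malicious execution cannot hurt, which the substring match does not satisfy.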



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/cbc752c03e3641f614473ced6d4b491dada564ba
