[debian-edu-commits] [Git][debian-edu/debian-edu-config][bullseye] Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/ and...
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Tue Mar 22 08:56:53 GMT 2022
Mike Gabriel pushed to branch bullseye at Debian Edu / debian-edu-config
Commits:
cbc752c0 by Mike Gabriel at 2022-03-22T09:25:31+01:00
Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/ and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes: #1002019).
- - - - -
13 changed files:
- debian/changelog
- debian/debian-edu-config.links
- debian/debian-edu-config.maintscript
- debian/debian-edu-config.postinst
- debian/debian-edu-config.preinst
- debian/debian-edu-config.prerm
- debian/dirs
- share/debian-edu-config/tools/clean-up-host-keytabs
- share/debian-edu-config/tools/copy-host-keytab
- share/debian-edu-config/tools/edu-ldap-from-scratch
- share/debian-edu-config/tools/gosa-create-host
- share/debian-edu-config/tools/gosa-modify-host
- share/debian-edu-config/tools/gosa-remove-host
Changes:
=====================================
debian/changelog
=====================================
@@ -53,6 +53,9 @@ debian-edu-config (2.11.56+deb11u4) UNRELEASED; urgency=medium
#1006362).
- Silence stderr output if the artwork theme lacks a plymouth subfolder.
This can be silently ignored and should not trouble Debian Edu admins.
+ * Move /etc/debian-edu/host-keytabs/* to /var/lib/debian-edu/host-keytabs/
+ and replace directory /etc/debian-edu/host-keytabs by a symlink. (Closes:
+ #1002019).
-- Mike Gabriel <sunweaver at debian.org> Fri, 14 Dec 2021 22:21:50 +0100
=====================================
debian/debian-edu-config.links
=====================================
@@ -1,3 +1,2 @@
usr/share/debian-edu-config/tools/ldapdump.sh etc/slbackup/pre.d/ldapdump.sh
etc/debian-edu/www/index.html.nb-no etc/debian-edu/www/index.html.no
-
=====================================
debian/debian-edu-config.maintscript
=====================================
@@ -4,4 +4,4 @@ rm_conffile /etc/desktop-profiles/debian-edu-config.listing 2.10.22
rm_conffile /etc/apt/apt.conf.d/90squid 2.10.36
rm_conffile /etc/ltspfs/mounter.d/edu-notify 2.11.16
rm_conffile /etc/cfengine3/debian-edu/cf.tftpd 2.11.16
-
+dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.11.56+deb11u3
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -182,6 +182,7 @@ configure)
# limit privileges for publishing host keytabs to diskless workstation (this
# is the initial use case. Further use cases might pop up later.
if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" /etc/debian-edu/config ; then
+
if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
echo 'Creating debian-edu user.' >&2
adduser --system --home /var/lib/debian-edu \
@@ -194,6 +195,13 @@ configure)
usermod --gid 'debian-edu' 'debian-edu'
fi
fi
+
+ # Assure that permissions of /var/lib/debian-edu/ are appropriate
+ if [ -d /var/lib/debian-edu/ ]; then
+ chown debian-edu:debian-edu /var/lib/debian-edu/
+ chmod 0755 /var/lib/debian-edu/
+ fi
+
fi
# silence dovecot's message: if you have trouble with authentication failures,
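Review bot: The added `chown debian-edu:debian-edu /var/lib/debian-edu/` makes the service account the owner of the directory that now holds `host-keytabs`, and nothing in this hunk sets an owner or mode on `host-keytabs` itself. The owner of a parent directory can rename or replace the entries in it, and the gosa-* hooks changed elsewhere in this commit write key material below that path through `kadmin.local`, presumably as root. If the account has to own its home directory, say so in the comment and pin the subdirectory explicitly after the `chmod 0755`, e.g. `chown root:root /var/lib/debian-edu/host-keytabs` and `chmod 0750 /var/lib/debian-edu/host-keytabs` (owner, group and mode to be confirmed against how keytabs are published); otherwise keep the keytabs under a root-owned parent. The `configure)` arm starts and ends outside the hunk.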
@@ -284,6 +292,14 @@ if [ -h /etc/exim4/exim4.conf ] && [ -x /etc/init.d/exim4 ] ; then
fi
fi
+# On the main-server, point from the old keytab location /etc/debian-edu/host-keytabs to the new
+# keytab location at /var/lib/debian-edu/host-keytabs...
+if grep -q Main-Server /etc/debian-edu/config; then
+ if [ ! -e /etc/debian-edu/host-keytabs ] && [ -d /var/lib/debian-edu/host-keytabs ]; then
+ ln -s /var/lib/debian-edu/host-keytabs /etc/debian-edu/host-keytabs
+ fi
+fi
+
# Register all changes done by this postinst script
if which etckeeper > /dev/null ; then
etckeeper commit "end of debian-edu-config postinst" || true
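Review bot: The new `grep -q Main-Server /etc/debian-edu/config` test has no existence check, unlike the `[ -s /etc/debian-edu/config ] && grep -Eq ...` guard used in the `configure)` arm of this same file, so a system without that file prints a grep error during configuration. The inner `[ ! -e /etc/debian-edu/host-keytabs ]` is also true for a dangling symlink, in which case `ln -s` fails because the name already exists; whether that aborts the script depends on `set -e`, which is not visible here. Suggested conditions: `if [ -s /etc/debian-edu/config ] && grep -q Main-Server /etc/debian-edu/config; then` and `if [ ! -e /etc/debian-edu/host-keytabs ] && [ ! -h /etc/debian-edu/host-keytabs ] && [ -d /var/lib/debian-edu/host-keytabs ]; then`.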
=====================================
debian/debian-edu-config.preinst
=====================================
@@ -44,6 +44,19 @@ upgrade)
if dpkg --compare-versions "$2" le "2.11.16" ; then
rm -rf /etc/ltspfs
fi
+
+ # Move .keytab files from /etc/debian-edu/host-keytabs to
+ # /var/lib/debian-edu/host-keytabs before dpkg-maintscript-helper moves
+ # the /etc/debian-edu/host-keytabs dir and replaces it by a symlink...
+ # We have to move the .keytab files manually, because they are not owned
+ # by debian-edu-config.
+ if dpkg --compare-versions "$2" le "2.11.56+deb11u4"; then
+ if [ -d /etc/debian-edu/host-keytabs ] && find /etc/debian-edu/host-keytabs/* 1>/dev/null 2>/dev/null; then
+ mkdir -p /var/lib/debian-edu/host-keytabs/
+ mv /etc/debian-edu/host-keytabs/*.keytab /var/lib/debian-edu/host-keytabs/
+ fi
+ fi
+
;;
esac
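Review bot: The guard `find /etc/debian-edu/host-keytabs/* ...` succeeds for any entry in the directory, but the `mv` after it only matches `*.keytab`, so a directory holding other files and no keytab hands the literal pattern to `mv` and the move fails (aborting the upgrade if the script runs under `set -e`, which is not visible here). Test the same glob that is moved, e.g. `if [ -d /etc/debian-edu/host-keytabs ] && ls /etc/debian-edu/host-keytabs/*.keytab >/dev/null 2>&1; then`. `mkdir -p` creates the new keytab directory with whatever the current umask gives; an explicit `chmod` after it would make the intended mode visible. The version bound `le "2.11.56+deb11u4"` differs from the `2.11.56+deb11u3` passed to `dir_to_symlink` in debian-edu-config.maintscript, and if that is deliberate a comment should say why. The `upgrade)` arm begins outside the hunk.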
=====================================
debian/debian-edu-config.prerm
=====================================
@@ -16,6 +16,11 @@ case "$1" in
rm /usr/share/pam-configs/edu-nopwdchange
fi
pam-auth-update --package --remove edu-group edu-umask
+
+ # drop /etc/debian-edu/host-keytabs symlink
+ if [ -h /etc/debian-edu/host-keytabs ]; then
+ rm /etc/debian-edu/host-keytabs
+ fi
;;
esac
=====================================
debian/dirs
=====================================
@@ -6,7 +6,6 @@ etc/chromium/policies/managed
etc/cron.d
etc/cups
etc/debian-edu
-etc/debian-edu/host-keytabs
etc/default
etc/exports.d
etc/firefox-esr
@@ -26,3 +25,4 @@ usr/share/debian-edu-config/tools
usr/share/doc/debian-edu-config
usr/share/man
usr/share/man/man8
+var/lib/debian-edu/host-keytabs
=====================================
share/debian-edu-config/tools/clean-up-host-keytabs
=====================================
@@ -18,7 +18,7 @@
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
-# This script cleans up /etc/debian-edu/host-keytabs/. It looks into TJENER's
+# This script cleans up /var/lib/debian-edu/host-keytabs/. It looks into TJENER's
# LDAP tree (objectClass=dhcpHost) and removes all keytab files (and host
# principals) that don't have a dhcpHost object (anymore).
#
@@ -47,12 +47,12 @@ hosts[$num_hosts+1]=tjener
printf -v hosts_str -- ',,%q' "${hosts[@]}"
hosts_str=$(echo $hosts_str | tr 'A-Z' 'a-z')
-for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
+for i in $(basename -a /var/lib/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
match_value=$(echo $i | tr 'A-Z' 'a-z')
if [[ ! "${hosts_str},," =~ ",,$match_value,," ]]; then
kadmin.local delprinc host/$i.intern at INTERN || true
kadmin.local delprinc nfs/$i.intern at INTERN || true
- rm /etc/debian-edu/host-keytabs/$i.intern.keytab
+ rm /var/lib/debian-edu/host-keytabs/$i.intern.keytab
fi
done
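Review bot: The rewritten `for i in $(basename -a /var/lib/debian-edu/host-keytabs/* | sed ...)` line still builds the host list by word-splitting command output, and with an empty directory the unmatched `*` is carried through as a host name into the two `delprinc` calls and the `rm`. The `sed` expression is also unanchored and treats its dots as wildcards, so it can strip text from the middle of a name. Iterating over the keytab files themselves, skipping the no-match case and removing the quoted path avoids both problems. The setup of `hosts_str` that the loop depends on lies outside the hunk.

```shell
for keytab in /var/lib/debian-edu/host-keytabs/*.intern.keytab; do
	# The glob stays literal when the directory holds no keytab.
	[ -e "$keytab" ] || continue
	i=$(basename "$keytab" .intern.keytab)
	# … unchanged: lower-casing into match_value, hosts_str test, both delprinc calls …
		rm -- "$keytab"
	# … unchanged: fi …
done
```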
=====================================
share/debian-edu-config/tools/copy-host-keytab
=====================================
@@ -1,4 +1,4 @@
#!/bin/sh
set -e
kinit
-scp tjener:/etc/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
+scp tjener:/var/lib/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
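Review bot: `scp` writes straight onto `/etc/krb5.keytab`, so the mode of the host key file is whatever the transfer and the current umask produce, and an interrupted copy leaves a truncated keytab in place. Add `umask 077` before the `scp` line and copy to a temporary name under `/etc` that is renamed only after the transfer succeeds. The `$(hostname -s)` substitution should be quoted. Reading from `tjener:/var/lib/debian-edu/host-keytabs/` also means the account authenticated by `kinit` needs read access to that directory on the server, which is worth stating in a header comment.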
=====================================
share/debian-edu-config/tools/edu-ldap-from-scratch
=====================================
@@ -53,7 +53,7 @@ rm -rf /var/lib/ldap/*
if [ -e /etc/krb5kdc/stash ] ; then
rm /etc/krb5kdc/stash
rm /etc/krb5.keyt*
- rm -f /etc/debian-edu/host-keytabs/*.*
+ rm -f /var/lib/debian-edu/host-keytabs/*.*
fi
ldap-debian-edu-install
# send mail to first user (initialize /var/mail/<first-user uid>);
=====================================
share/debian-edu-config/tools/gosa-create-host
=====================================
@@ -49,8 +49,8 @@ while read KEY VALUE ; do
logger -t gosa-create-host -p notice Krb5 principal \'host/$FQDN\' created.
kadmin.local -q "add_principal -policy hosts -randkey nfs/$FQDN"
logger -t gosa-create-host -p notice Krb5 principal \'nfs/$FQDN\' created.
- kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
- kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
+ kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$FQDN.keytab host/$FQDN"
+ kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$FQDN.keytab nfs/$FQDN"
logger -t gosa-create-host -p notice Krb5 keytab file for \'$FQDN\' created.
fi
;;
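Review bot: `$FQDN` is interpolated unvalidated into both the keytab path and the `kadmin.local -q` query on the two new `ktadd` lines, so a value containing whitespace, `/` or `..` changes the command that runs or the file that is written; the same holds for `$HOST` in the gosa-modify-host hunks. No validation is visible in this hunk, though it may exist earlier in the script. If it does not, reject anything that is not a plain host name before the first `kadmin.local` call, e.g. `case "$FQDN" in ''|*[!A-Za-z0-9.-]*) exit 1 ;; esac`. The `while read` loop starts and ends outside the hunk.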
=====================================
share/debian-edu-config/tools/gosa-modify-host
=====================================
@@ -12,12 +12,12 @@ HOST="$1"
# by the gosa-host-create hook script.
if ! LANG=C kadmin.local -q "get_principal host/$HOST.intern" 2>/dev/null | grep -q "^Principal: host/$HOST.intern at .*"; then
kadmin.local -q "add_principal -policy hosts -randkey host/$HOST.intern"
- kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab host/$HOST.intern"
+ kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab host/$HOST.intern"
logger -t gosa-modify-host -p notice Krb5 host principal \'host/$HOST.intern\' created and added to host-specific keytab file.
fi
if ! LANG=C kadmin.local -q "get_principal nfs/$HOST.intern" 2>/dev/null | grep -q "^Principal: nfs/$HOST.intern at .*"; then
kadmin.local -q "add_principal -policy hosts -randkey nfs/$HOST.intern"
- kadmin.local -q "ktadd -k /etc/debian-edu/host-keytabs/$HOST.intern.keytab nfs/$HOST.intern"
+ kadmin.local -q "ktadd -k /var/lib/debian-edu/host-keytabs/$HOST.intern.keytab nfs/$HOST.intern"
logger -t gosa-modify-host -p notice Krb5 service principal \'nfs/$HOST.intern\' created and added to host-specific keytab file.
fi
=====================================
share/debian-edu-config/tools/gosa-remove-host
=====================================
@@ -6,7 +6,7 @@ set -ex
## Make sure that malicious execution cannot hurt.
##
## This script removes the host and nfs principals for hosts removed with gosa.
-## It also removes the host specific keytab file (tjener:/etc/$fqdn.keytab).
+## It also removes the host specific keytab file (tjener:/var/lib/debian-edu/$fqdn.keytab).
HOST="$1"
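Review bot: The updated comment gives the keytab location as `tjener:/var/lib/debian-edu/$fqdn.keytab`, which omits the `host-keytabs/` component that the `rm` further down uses. It should read `## It also removes the host specific keytab file (tjener:/var/lib/debian-edu/host-keytabs/$fqdn.keytab).`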
@@ -16,7 +16,7 @@ if $(kadmin.local listprincs | grep -q $HOST) ; then
for i in $(kadmin.local listprincs | grep $HOST) ; do
kadmin.local delprinc $i
done
- rm /etc/debian-edu/host-keytabs/$(ls -l /etc/debian-edu/host-keytabs | grep $HOST | awk '{print $9}')
+ rm /var/lib/debian-edu/host-keytabs/$(ls -l /var/lib/debian-edu/host-keytabs | grep $HOST | awk '{print $9}')
logger -t gosa-remove-host -p notice Krb5 principals and keytab file for host \'$HOST\' removed.
fi
#
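Review bot: The new `rm` line picks its target with `ls -l ... | grep $HOST | awk '{print $9}'`, an unquoted substring match, so removing one host also selects every keytab whose name merely contains that string, and several matches or none produce a malformed `rm` argument list. The principal loop above it filters `listprincs` with the same `grep $HOST` and over-matches in the same way. Since the header says malicious execution must not hurt, validate `$HOST` as a plain host name first and remove by exact name, e.g. `rm -f -- "/var/lib/debian-edu/host-keytabs/$HOST.keytab"` (whether `$HOST` already carries the `.intern` suffix here needs confirming against the caller).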
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/cbc752c03e3641f614473ced6d4b491dada564ba