[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/cf-serverd-config] 18 commits: share/debian-edu-config/tools/gosa-remove: Fix kadmin.local, Use '-force' to...

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Mon Aug 7 15:19:11 BST 2023



Mike Gabriel pushed to branch personal/gber/cf-serverd-config at Debian Edu / debian-edu-config


Commits:
df38e13d by Daniel Teichmann at 2023-07-25T18:06:37+02:00
share/debian-edu-config/tools/gosa-remove: Fix kadmin.local, Use '-force' to disable interaction via stdin.

- - - - -
98b9a05d by Guido Berhoerster at 2023-07-31T12:52:49+02:00
ldap-createuser-krb5: Fix user creation

Remove Samba NT4 domain support, add samba user using smbpasswd.
Add root CA for new users (copied from gosa-create).
Closes: #1042456

- - - - -
ec303a6a by Guido Berhoerster at 2023-08-07T11:05:58+02:00
ldap-createuser-krb5: fix new UID/GID selection

Exclude special users (UID/GID >= 10000) when looking for the highest UID/GID.

- - - - -
83a921a4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add CLI options for uid/gid/department

Also ensure script is run as root.

- - - - -
3c671914 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: Add additional attributes based on template users

- - - - -
25c911dd by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add support for additional groups

- - - - -
dffca0f4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: send welcome email in order to create maildir

Without this the maildir in /var/mail/<user> will not exist and Dovecot will
refuse to let the user log in as it cannot create this directory.

- - - - -
a037063a by Guido Berhoerster at 2023-08-07T15:04:46+02:00
ldap-createuser-krb5: set LDAP password when creating users

This allows users to use gosa to change their password.

- - - - -
39890c47 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd services for configuring Chromium/Firefox from LDAP

Factor out logic from init script into separate script which are then called
from both the init script and systemd services.

- - - - -
085be419 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd service enabling NAT for thin clients

- - - - -
d8d40e3d by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Add systemd service for fetching the RootCA file from the main server

- - - - -
a06fb0d8 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Drop init script for fetching LDAP SSL public key from legacy main servers

This drops support for clients running behind a main server based on DebianEdu
stretch (closes: #1030116).

- - - - -
90dec108 by Guido Berhoerster at 2023-08-07T14:08:25+00:00
Update debian/rules for init scripts and systemd services

Closes: #1039166

- - - - -
67ea7417 by Guido Berhoerster at 2023-08-07T14:11:55+00:00
Generate a random password for the icinga/icingaweb databases

Closes: #1040015

- - - - -
69cd4c75 by Guido Berhoerster at 2023-08-07T14:13:47+00:00
update-dlw-krb5-keytabs: Handle missing/empty diskless-workstation-hosts

The "set -e" makes the shell exit with status 1 immediately without any message
if the grep in the subshell does not match anything. This in turn makes scripts
like gosa-remove-host fail without any error message.  Exit gracefully with a
message and exit status 0 if diskless-workstation-hosts netgroup is
missing/empty.

- - - - -
e9f9ab68 by Guido Berhoerster at 2023-08-07T14:15:21+00:00
Followup fixes for ntpsec transition

Explicitly install the ntpsec package instead of the transitional ntp package.
Update comments accordingly.
Remove non-existent editline_ntp promise.

- - - - -
7bf138c3 by Guido Berhoerster at 2023-08-07T14:16:56+00:00
Add systemd support to debian-edu-restart-services

This uses a list of service units which was compiled on a main server + ltsp
installation. Uses stop and start to force restart reverse-dependencies. It
also makes sure that drop in files are recognized. Closes: #1042940

- - - - -
9dd3f55f by Guido Berhoerster at 2023-08-07T14:18:53+00:00
cf3/promises.cf: fix typo and allow connections from localhost and network

- - - - -


21 changed files:

- Makefile
- cf3/cf.ntp
- cf3/promises.cf
- debian/debian-edu-config.chromium-ldapconf
- + debian/debian-edu-config.chromium-ldapconf.service
- + debian/debian-edu-config.enable-nat.service
- − debian/debian-edu-config.fetch-ldap-cert
- debian/debian-edu-config.fetch-rootca-cert
- + debian/debian-edu-config.fetch-rootca-cert.service
- debian/debian-edu-config.firefox-ldapconf
- + debian/debian-edu-config.firefox-ldapconf.service
- debian/rules
- ldap-tools/ldap-createuser-krb5
- sbin/debian-edu-restart-services
- + share/debian-edu-config/tools/chromium-ldapconf
- share/debian-edu-config/tools/edu-icinga-setup
- + share/debian-edu-config/tools/fetch-rootca-cert
- + share/debian-edu-config/tools/firefox-ldapconf
- share/debian-edu-config/tools/gosa-remove
- + share/debian-edu-config/tools/nat
- share/debian-edu-config/tools/update-dlw-krb5-keytabs


Changes:

=====================================
Makefile
=====================================
@@ -321,6 +321,10 @@ install: install-testsuite
 		share/debian-edu-config/tools/copy-host-keytab \
 		share/debian-edu-config/tools/improve-desktop-l10n \
 		share/debian-edu-config/tools/install-task-pkgs \
+		share/debian-edu-config/tools/chromium-ldapconf \
+		share/debian-edu-config/tools/firefox-ldapconf \
+		share/debian-edu-config/tools/nat \
+		share/debian-edu-config/tools/fetch-rootca-cert \
 	; do \
 		$(INSTALL) $$f $(DESTDIR)/usr/$$f ; \
 	done


=====================================
cf3/cf.ntp
=====================================
@@ -2,10 +2,10 @@ bundle agent ntp
 {
 # Use custom ntp configuration for networked clients (package systemd-timesyncd
 # is installed by default). On the internal ntp server (default: 'tjener'), the
-# ntp package is installed.
+# ntpsec package is installed.
 # Keep systemd-timesyncd default settings for roaming workstations.
-# Note: In case the ntp package is installed, the conflicting systemd-timesyncd
-# package gets removed (but not purged).
+# Note: In case the ntpsec package is installed, the conflicting
+# systemd-timesyncd package gets removed (but not purged).
 
 vars:
 
@@ -24,10 +24,10 @@ files:
 
 commands:
 
-  # Make sure ntp gets installed
+  # Make sure ntpsec gets installed
 
   debian.server.installation::
 
-    "/usr/bin/apt-get install -y ntp"
+    "/usr/bin/apt-get install -y ntpsec"
       contain => in_shell;
 }


=====================================
cf3/promises.cf
=====================================
@@ -8,9 +8,9 @@
 body server control
 # Debian Edu specific
 {
-      allowconnects         => { "10.0.0.0.0/8" };
-      allowallconnects      => { "10.0.0.0.0/8" };
-      trustkeysfrom         => { "10.0.0.0.0/8" };
+      allowconnects         => { "127.0.0.1", "::1", "10.0.0.0/8" };
+      allowallconnects      => { "127.0.0.1", "::1", "10.0.0.0/8" };
+      trustkeysfrom         => { "10.0.0.0/8" };
       maxconnections        => "15";
       denybadclocks         => "false";
       allowusers            => { "root" };
@@ -53,7 +53,6 @@ body common control
                           ldapclient,
                           desktop,
                           ntp,
-                          editline_ntp,
                           squid,
                           sshd,
                           syslog,


=====================================
debian/debian-edu-config.chromium-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -e /etc/debian-edu/config ] ; then
-    . /etc/debian-edu/config
-fi
-
-do_start() {
-    # Skip this on LTSP chroots
-    if [ -e /etc/ltsp_chroot ] ; then
-        return
-    fi
-
-    # Only networked profiles use LDAP
-    if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
-	/usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
-    fi
-
-    if echo "$PROFILE" | grep -q LTSP-Server  && [ -d /opt/ltsp ] ; then
-	for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-	    chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
-	done
-    fi
-}
-
 case "$1" in
     start)
-	do_start
+	/usr/share/debian-edu-config/tools/chromium-ldapconf
 	;;
     stop)
 	;;


=====================================
debian/debian-edu-config.chromium-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target


=====================================
debian/debian-edu-config.enable-nat.service
=====================================
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables NAT for clients in the thin clients network
+After=remote-fs.target network-online.target
+Wants=remote-fs.target
+ConditionFileIsExecutable=/usr/sbin/iptables
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/nat enable
+ExecStop=/usr/share/debian-edu-config/tools/nat disable
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target


=====================================
debian/debian-edu-config.fetch-ldap-cert deleted
=====================================
@@ -1,135 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:          fetch-ldap-cert
-# Required-Start:    $local_fs $remote_fs
-# Required-Stop:     $local_fs $remote_fs
-# Should-Start:      $network $syslog $named slapd
-# Default-Start:     2 3 4 5
-# Default-Stop:
-# Short-Description: Fetch LDAP SSL public key from the server
-# Description:
-#   Start before krb5-kdc to give slapd time to become operational
-#   before krb5-kdc try to connect to the LDAP server as a workaround
-#   for #589915.
-# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
-### END INIT INFO
-#
-# Author: Petter Reinholdtsen <pere at hungry.com>
-# Date:   2007-06-09
-#
-# Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
-# Date:   2022-01-06
-
-###
-### FIXME: Legacy init script for Debian Edu clients.
-###
-###        --- Remove for Debian Edu bookworm+1 ---
-###
-###        Warning: Removing this script will drop support for clients running
-###        against Debian Edu main servers based on Debian Edu stretch and
-###        earlier.
-###
-
-set -e
-
-. /lib/lsb/init-functions
-
-CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-
-do_start() {
-
-	# Locate LDAP server
-	LDAPSERVER=$(debian-edu-ldapserver)
-	LDAPPORT=636 # ldaps
-	ERROR=false
-
-	###
-	### PHASE 1: LDAP server cert retrieval
-	###
-
-	if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
-	    grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
-
-		# LDAP server host not known/found, bailing out...
-		if [ -z "$LDAPSERVER" ] ; then
-			msg="Failed to locate LDAP server"
-			log_action_begin_msg "$msg"
-			log_action_end_msg 1
-			logger -t fetch-ldap-cert "$msg."
-			return 1
-		fi
-
-		[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-
-		# Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
-		/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
-		chmod 644 $CERTFILE.new
-
-		if test -s $CERTFILE.new ; then
-			mv $CERTFILE.new $CERTFILE
-			[ "$VERBOSE" != no ] && log_action_end_msg 0
-			logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
-		else
-			# We obviously have failed in some way if the CERTFILE.new is empty (zero size).
-			# Something went wrong, if we end up here...
-			rm -f $CERTFILE.new
-			log_action_end_msg 1
-			logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
-			ERROR=true
-		fi
-
-	fi
-
-	###
-	### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
-	###
-
-	if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
-
-		# Loop over all to be found LTSP chroots...
-		for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-
-			if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
-				# likely not a chroot dir, skipping...
-				continue
-			fi
-
-			# Only install the CERTFILE into this chroot, if not already present...
-			if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
-			    grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
-
-				# Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
-				# certificate.
-				log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
-				[ "$VERBOSE" != no ] &&
-				if test -s $CERTFILE; then
-					cp $CERTFILE $ltsp_chroot$CERTFILE
-					[ "$VERBOSE" != no ] && log_action_end_msg 0
-				else
-					log_action_end_msg 1
-					ERROR=true
-				fi
-			fi
-
-		done
-	fi
-
-	if [ "$ERROR" = "true" ]; then
-		return 1
-	fi
-}
-
-case "$1" in
-	start)
-		do_start
-		;;
-	stop)
-		;;
-	restart|force-reload)
-		;;
-	*)
-		echo "Usage: $0 {start|stop|restart|force-reload}"
-		exit 2
-esac
-
-exit 0


=====================================
debian/debian-edu-config.fetch-rootca-cert
=====================================
@@ -19,68 +19,10 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -r /etc/debian-edu/config ] ; then
-	. /etc/debian-edu/config
-fi
-
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
-LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
-
-do_start() {
-
-	ERROR=false
-
-	# Remove no longer used certificate file
-	rm -f $BUNDLECRT
-
-	# RootCA cert retrieval (avoid execution on the main server, things are in place)
-	if echo "$PROFILE" | egrep -q 'Main-Server' ; then
-		logger -t fetch-rootca-cert "Running on the main server, exiting."
-		exit 0
-	fi
-	if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
-		# Since Debian Edu 10, the RootCA file is distributed
-		# over http (always via the host serving www.intern, by default: TJENER)
-		#
-		# We do an availability check for the webserver first, to provide proper
-		# error reporting (see below). So, the following check merely discovers,
-		# if the webserver is online at all.
-		if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
-			# Now let's see if the webserver has the "Debian Edu RootCA" file.
-			# This has been the case for Debian Edu main servers (TJENER) since
-			# Debian Edu 10.1.
-			if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
-				grep -q CERTIFICATE $LOCALCACRT ; then
-				# Make rootCA certificate available in /etc/ssl/certs/
-				ln -nsf $LOCALCACRT $ROOTCACRT
-				# Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
-				update-ca-certificates
-				logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
-			else
-				# Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
-				# 404 http error message in html.
-				rm -f $LOCALCACRT
-				rm -f $ROOTCACRT
-				logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
-			fi
-		else
-			# Report an error, if www.intern is down http-wise. This can happen and is probably
-			# a temporary problem that needs an admin to fix it.
-			log_action_end_msg 1
-			logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
-			ERROR=true
-		fi
-	fi
-
-	if $ERROR; then
-		return 1
-	fi
-}
-
 case "$1" in
 	start)
-		do_start
+		/usr/share/debian-edu-config/tools/fetch-rootca-cert
+		exit $?
 		;;
 	stop)
 		;;


=====================================
debian/debian-edu-config.fetch-rootca-cert.service
=====================================
@@ -0,0 +1,13 @@
+[Unit]
+Description=Fetch Debian Edu rootCA certificate from the main server
+After=remote-fs.target network-online.target
+Before=nslcd.service
+Wants=remote-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/fetch-rootca-cert
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target


=====================================
debian/debian-edu-config.firefox-ldapconf
=====================================
@@ -20,31 +20,9 @@ set -e
 
 . /lib/lsb/init-functions
 
-if [ -e /etc/debian-edu/config ] ; then
-    . /etc/debian-edu/config
-fi
-
-do_start() {
-    # Skip this on LTSP chroots
-    if [ -e /etc/ltsp_chroot ] ; then
-        return
-    fi
-
-    # Only networked profiles use LDAP
-    if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
-	/usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
-    fi
-
-    if echo "$PROFILE" | grep -q LTSP-Server  && [ -d /opt/ltsp ] ; then
-	for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-	    chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
-	done
-    fi
-}
-
 case "$1" in
     start)
-	do_start
+	/usr/share/debian-edu-config/tools/firefox-ldapconf
 	;;
     stop)
 	;;


=====================================
debian/debian-edu-config.firefox-ldapconf.service
=====================================
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target


=====================================
debian/rules
=====================================
@@ -10,13 +10,18 @@ override_dh_auto_install:
 
 override_dh_installinit:
 	# Start it after 15bind9 and 19slapd
-	dh_installinit --init-script fetch-ldap-cert -r --no-start
 	dh_installinit --init-script fetch-rootca-cert -r --no-start
 	# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure
 	dh_installinit --init-script firefox-ldapconf -r --no-start
 	dh_installinit --init-script chromium-ldapconf -r --no-start
 	dh_installinit --init-script enable-nat --no-start
 
+override_dh_installsystemd:
+	dh_installsystemd --no-start --name chromium-ldapconf
+	dh_installsystemd --no-start --name enable-nat
+	dh_installsystemd --no-start --name fetch-rootca-cert
+	dh_installsystemd --no-start --name firefox-ldapconf
+
 override_dh_installman:
 	dh_installman
 	help2man -N -n "ldap-add-host-to-netgroup - Adds a host as a member in the given netgroup" \


=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -5,26 +5,74 @@
 # users at the same time to LDAP, as the uid and gid values will
 # conflict.
 
-# The samba related attributes are described in
-# <URL: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc43 >
-
 set -e
 
+function usage {
+    cat >&2 <<EOF
+Usage: $0 [-u uid] [-g gid] [-G group[,group]...] [-d department] <username> <gecos>
+  Create a user with a personal group and configure its kerberos
+  principal.
+EOF
+}
+
+if [[ $(id -u) -ne 0 ]]; then
+    printf "error: this script needs to be run as root\n" >&2
+    exit 1
+fi
+
+NEWUID=
+NEWGID=
+ADDITIONAL_GROUPS=
+DEPT=
+while getopts "d:hg:G:u:" arg; do
+    case $arg in
+    d)
+        DEPT="${OPTARG}"
+        ;;
+    g)
+        NEWGID="${OPTARG}"
+        ;;
+    G)
+        ADDITIONAL_GROUPS="${OPTARG}"
+        ;;
+    u)
+        NEWUID="${OPTARG}"
+        ;;
+    h)
+        usage
+        exit 0
+        ;;
+    *)
+        usage
+        exit 2
+    esac
+done
+shift $((OPTIND - 1))
+
 USERNAME="$1"
+
 # posixAccount only accept ASCII in the gecos attribute.  Make sure
 # any non-ascii characters are converted apprpropriately.
 GECOS="$(echo $2 | iconv -t ASCII//TRANSLIT)"
 
-if [ -z "$USERNAME" -o -z "$GECOS" ] ; then 
-    echo "Usage: $0 <username> <gecos>"
-    echo
-    echo "  Create a user with a personal group and configure its kerberos"
-    echo "  principal."
+if [[ $# -ne 2 || -z "$USERNAME" || -z "$GECOS" ]]; then
+    usage
     exit 1
 fi
 
-# Put users in first gosaDepartment
-BASE=$(ldapsearch -x "(objectClass=gosaDepartment)" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}' | sort | head -1)
+read -rs -p "new password: " PASSWORD
+read -rs -p "confirm password: " CONFIRM
+if [[ "${CONFIRM}" != "${PASSWORD}" ]]; then
+    echo "passwords do not match" >&2
+    exit 1
+fi
+
+if [[ -n $DEPT ]]; then
+    BASE="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=gosaDepartment)(ou:dn:=${DEPT}))" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)"
+else
+    # Put users in first gosaDepartment
+    BASE=$(ldapsearch -x -LLL -o ldif-wrap=no "(objectClass=gosaDepartment)" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)
+fi
 
 if [ -z "$BASE" ] ; then
     BASE="$(debian-edu-ldapserver -b)"
@@ -39,44 +87,10 @@ ADMINUSER="admin";
 admindn=$(ldapsearch -x "(&(cn=$ADMINUSER)(objectClass=simpleSecurityObject))" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}')
 
 HOMEDIR=/skole/tjener/home0/$USERNAME
-SMBHOMEPATH="\\\\tjener.intern\\$USERNAME"
 KRB5DOMAIN=INTERN
-SAMBADOMAIN=SKOLELINUX
 PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
 
-# Find last UID/GID
-SAMBASID=`net getlocalsid $HOSTNAME 2>/dev/null | awk '{ print $6; }'`
-
-if [ -z "$SAMBASID" ] ; then
-    echo "error: unable to fetch Samba SID"
-    exit 1
-fi
-
-SAMBADOMAINDN=$(ldapsearch -x -s sub \
-    "(&(objectclass=sambaDomain)(sambaDomainName=$SAMBADOMAIN))" \
-    dn 2>/dev/null | perl -p0e 's/\n //g' | \
-    awk '/^dn: / { print $2}')
-
-if [ -z "$SAMBADOMAINDN" ] ; then
-    echo "error: unable to find sambaDomain LDAP object"
-    exit 1
-fi
-
-SAMBARID=$(ldapsearch -s base -b "$SAMBADOMAINDN" -x \
-    sambaNextRid 2>/dev/null | perl -p0e 's/\n //g' | \
-    awk '/^sambaNextRid: / { print $2}')
-
-if [ -z "$SAMBARID" ] ; then
-    echo "error: unable to find sambaNextRid LDAP attribute in $SAMBADOMAINDN"
-    exit 1
-fi
-
-NEXTRID=$(( $SAMBARID + 1 ))
-
-LASTID=$(ldapsearch -s sub -x \
-    '(|(objectclass=posixaccount)(objectclass=posixgroup))' \
-    uidnumber gidnumber 2>/dev/null | perl -p0e 's/\n //g' | \
-    awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=1000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=1000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
 
 # If no ID was found, use LASTID=1000-1 to get uid/gid=1000
 if [ -z "$LASTID" ] ; then
@@ -92,6 +106,8 @@ if [ -z "$NEWGID" ] ; then
     ldif="$ldif
 
 dn: cn=$USERNAME,$GROUPBASE
+changetype: add
+objectClass: top
 objectClass: posixGroup
 cn: $USERNAME
 description: Private group of user $USERNAME
@@ -99,21 +115,26 @@ gidNumber: $NEWGID
 "
 fi
 
+USER_PASSWORD="$(slappasswd -h '{CRYPT}' -c '$y$j9T$%.16s$' -T /dev/stdin <<<"${PASSWORD}")"
+
 ldif="$ldif
 
 dn: uid=$USERNAME,$USERBASE
+changetype: add
+objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
+objectClass: gosaAccount
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: krbPrincipalAux
-objectClass: sambaSamAccount
+objectClass: krbTicketPolicyAux
 sn: $GECOS
 givenName: $GECOS
 uid: $USERNAME
 cn: $GECOS
-userPassword: {SSHA}N0T$3T4N0W
+userPassword: $USER_PASSWORD
 homeDirectory: $HOMEDIR
 loginShell: /bin/bash
 uidNumber: $NEWUID
@@ -123,30 +144,67 @@ shadowLastChange: $PWLASTCHANGE
 shadowMin: 0
 shadowMax: 99999
 shadowWarning: 7
-sambaSID: $SAMBASID-$SAMBARID
-sambaAcctFlags: [U]
-sambaHomePath: SMBHOMEPATH
+krbPwdPolicyReference: cn=users,cn=${KRB5DOMAIN},cn=kerberos,$(debian-edu-ldapserver -b)
 krbPrincipalName: $USERNAME@$KRB5DOMAIN
 "
 
-# Update samba RIN
-ldif="$ldif
-dn: $SAMBADOMAINDN
+oIFS="${IFS}"
+IFS=","
+set -- $ADDITIONAL_GROUPS
+IFS="${oIFS}"
+for group; do
+    group_dn="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=posixGroup)(cn=$group))" '')"
+    if [ -z "${group_dn}" ]; then
+        echo "group not found: ${group}" >&2
+        continue
+    fi
+    ldif="$ldif
+
+$group_dn
 changetype: modify
-replace: sambaNextRid
-sambaNextRid: $NEXTRID
+add: memberUid
+memberUid: $USERNAME
 "
+done
 
 echo "$ldif"
 
-if echo "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then
+if echo "$ldif" | ldapmodify -ZZ -D "$admindn" -W -v -x ; then
 
     # Set the kerberos password
-    kadmin.local -q "change_password $USERNAME@$KRB5DOMAIN"
+    kadmin.local <<EOF
+change_password $USERNAME@$KRB5DOMAIN
+${PASSWORD}
+${PASSWORD}
+EOF
 
     # Create home directory
     if [ ! -d $HOMEDIR ] ; then
-	cp -r /etc/skel $HOMEDIR
-	chown -R $NEWUID:$NEWGID $HOMEDIR
+        cp -r /etc/skel $HOMEDIR
+        mkdir -p $HOMEDIR/.pki/nssdb
+        chmod -R 700 $HOMEDIR/.pki/nssdb
+        certutil  -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+        chown -R $NEWUID:$NEWGID $HOMEDIR
     fi
+
+    # add Samba user
+    smbpasswd -a -n -s $USERNAME
+
+    # Send welcome mail in order to create maildir for dovecot
+    /usr/lib/sendmail "${USERNAME}@postoffice.intern" <<EOF
+Subject: Welcome to the mail-system
+
+Hello $GECOS,
+
+welcome to the mail-system.
+
+Your userID is $USERNAME, and your email address is:
+
+    $USERNAME at postoffice.intern
+
+Regards,
+
+    Debian-Edu SysAdmin
+
+EOF
 fi


=====================================
sbin/debian-edu-restart-services
=====================================
@@ -5,63 +5,116 @@
 
 set -e 
 
-echo "info: Stopping services in sequence."
-for ALL in /etc/rc1.d/K* ; do 
-  if [ -h $ALL ] ; then 
-    SERVICE=$(basename $(readlink $ALL))
-  else
-    SERVICE=$(basename $ALL)
-  fi
-  echo "info: Stopping $SERVICE"
-  $ALL stop || /bin/true
-done
+sysvinit_restart_services () {
+    echo "info: Stopping services in sequence."
+    for ALL in /etc/rc1.d/K* ; do 
+      if [ -h $ALL ] ; then 
+        SERVICE=$(basename $(readlink $ALL))
+      else
+        SERVICE=$(basename $ALL)
+      fi
+      echo "info: Stopping $SERVICE"
+      $ALL stop || /bin/true
+    done
 
-for service in \
-    slapd \
-    rpcbind \
-    apache \
-    ;
-    do
-  if [ "$(pidof $service)" ] ; then
-      echo "info: '$service' still running, sending HUP."
-      pkill $service || /bin/true
-  fi
-done
+    for service in \
+        slapd \
+        rpcbind \
+        apache \
+        ;
+        do
+      if [ "$(pidof $service)" ] ; then
+          echo "info: '$service' still running, sending HUP."
+          pkill $service || /bin/true
+      fi
+    done
 
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do 
-  echo "info: $LINE"
-done
+    echo "info: Checking what's still running"
+    ps aux | while read LINE ; do 
+      echo "info: $LINE"
+    done
 
-for service in \
-    slapd \
-    rpcbind \
-    apache \
-    ;
-    do
-  if [ "$(pidof $service)" ] ; then
-      echo "info: '$service' still running, sending KILL."
-      pkill -9 $service || /bin/true
-  fi
-done
+    for service in \
+        slapd \
+        rpcbind \
+        apache \
+        ;
+        do
+      if [ "$(pidof $service)" ] ; then
+          echo "info: '$service' still running, sending KILL."
+          pkill -9 $service || /bin/true
+      fi
+    done
+
+    echo "info: Checking what's still running"
+    ps aux | while read LINE ; do 
+      echo "info: $LINE"
+    done
+
+    echo "Info: Restarting networking"
+    /etc/init.d/networking restart || /bin/true
 
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do 
-  echo "info: $LINE"
-done
+    echo "info: Starting services in sequence."
+    for ALL in /etc/rc2.d/S* ; do 
+      if [ -h $ALL ] ; then 
+        SERVICE=$(basename $(readlink $ALL))
+      else
+        SERVICE=$(basename $ALL)
+      fi
+      echo "info: Starting $SERVICE"
+      $ALL start || /bin/true
+    done
+}
 
-echo "Info: Restarting networking"
-/etc/init.d/networking restart || /bin/true
+systemd_restart_services () {
+    systemctl daemon-reload
+
+    systemctl restart networking.service
+
+    for service in \
+        apache2.service \
+        cups.service \
+        dovecot.service \
+        exim4.service \
+        icinga2.service \
+        inetd.service \
+        isc-dhcp-server.service \
+        krb5-admin-server.service \
+        krb5-kdc.service \
+        ltsp.service \
+        mariadb.service \
+        munin-node.service \
+        munin.service \
+        nagios-nrpe-server.service \
+        named.service \
+        nfs-server.service \
+        nmbd.service \
+        nscd.service \
+        nslcd.service \
+        ntpsec.service \
+        rsyslog.service \
+        sitesummary-client.service \
+        slapd.service \
+        smbd.service \
+        squid.service \
+        sudo-ldap.service \
+        tftpd-hpa.service \
+        x2goserver.service \
+        xrdp.service \
+        xrdp-sesman.service
+    do
+        if systemctl is-active --quiet $service; then
+            active="$active $service"
+        fi
+    done
+    systemctl stop $active || true
+    systemctl start $active
+}
 
-echo "info: Starting services in sequence."
-for ALL in /etc/rc2.d/S* ; do 
-  if [ -h $ALL ] ; then 
-    SERVICE=$(basename $(readlink $ALL))
-  else
-    SERVICE=$(basename $ALL)
-  fi
-  echo "info: Starting $SERVICE"
-  $ALL start || /bin/true
-done
+if [ -e /run/systemd/system/ ]; then
+    systemd_restart_services
+else
+    sysvinit_restart_services
+fi
 
 exit 0


=====================================
share/debian-edu-config/tools/chromium-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Chromium configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+    *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+        /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
+        ;;
+esac
+
+case $PROFILE in
+    *LTSP-Server*)
+        if [ -d /opt/ltsp ]; then
+            find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage \;
+        fi
+        ;;
+esac


=====================================
share/debian-edu-config/tools/edu-icinga-setup
=====================================
@@ -34,6 +34,11 @@ FIRSTUSERNAME="$RET"
 # run 'mysql_secure_installation'.)
 
 setup_icinga() {
+	# Generate random password (alphanumeric ASCII characters only in order
+	# to avoid problems with quoting below)
+	password="$(LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | dd bs=1 count=16 2>/dev/null)"
+	[ -n "${password}" ] || exit 1
+
 	# Delete anonymous users
 	mysql -e "DELETE FROM mysql.user WHERE User='';"
 	# Ensure the root user can not log in remotely
@@ -55,7 +60,7 @@ setup_icinga() {
 	GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
 	ON icingadb.*
 	TO 'icinga2'@'localhost'
-	IDENTIFIED BY 'v64nhbe27dfBjR3T';
+	IDENTIFIED BY '${password}';
 	FLUSH PRIVILEGES;
 	"
 	# Install the MySQL schema required for the Icinga 2 database
@@ -63,7 +68,7 @@ setup_icinga() {
 
 	# Adjust the Icinga 2 MySQL IDO configuration
 	#sed -i "/user/ s%icinga2%$FIRSTUSERNAME%" "/etc/icinga2/features-available/ido-mysql.conf"
-	sed -i "/password/ s%\".*\"%\"v64nhbe27dfBjR3T\"%" "/etc/icinga2/features-available/ido-mysql.conf"
+	sed -i "/password/s/.*/  password = \"${password}\",/" /etc/icinga2/features-available/ido-mysql.conf
 	sed -i '/database/ s%icinga2%icingadb%' /etc/icinga2/features-available/ido-mysql.conf
 
 	# Enable ido-mysql feature
@@ -75,7 +80,7 @@ setup_icinga() {
 	GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
 	ON icingaweb2.*
 	TO 'icingaweb2'@'localhost'
-	IDENTIFIED BY 'v64nhbe27dfBjR3T';
+	IDENTIFIED BY '${password}';
 	FLUSH PRIVILEGES;
 	"
 	# Install the MySQL schema required for the Icinga Web 2 database
@@ -147,7 +152,7 @@ setup_icinga() {
 	port = ""
 	dbname = "icingaweb2"
 	username = "icingaweb2"
-	password = "v64nhbe27dfBjR3T"
+	password = "${password}"
 	charset = ""
 	use_ssl = "0"
 
@@ -158,7 +163,7 @@ setup_icinga() {
 	port = ""
 	dbname = "icingadb"
 	username = "icinga2"
-	password = "v64nhbe27dfBjR3T"
+	password = "${password}"
 	charset = ""
 	use_ssl = "0"
 	EOF


=====================================
share/debian-edu-config/tools/fetch-rootca-cert
=====================================
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Fetches Debian Edu rootCA certificate from the main server
+#
+# Author: Wolfgang Schweer, <wschweer at arcor.de>
+# Date:   2020-02-14
+#
+
+if [ -r /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
+LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
+
+# Remove no longer used certificate file
+rm -f $BUNDLECRT
+
+# RootCA cert retrieval (avoid execution on the main server, things are in place)
+case $PROFILE in
+*Main-Server*)
+    logger -t fetch-rootca-cert "Running on the main server, exiting."
+    exit 0
+    ;;
+esac
+
+if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
+    # Since Debian Edu 10, the RootCA file is distributed
+    # over http (always via the host serving www.intern, by default: TJENER)
+    #
+    # We do an availability check for the webserver first, to provide proper
+    # error reporting (see below). So, the following check merely discovers,
+    # if the webserver is online at all.
+    if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+        # Now let's see if the webserver has the "Debian Edu RootCA" file.
+        # This has been the case for Debian Edu main servers (TJENER) since
+        # Debian Edu 10.1.
+        if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+            grep -q CERTIFICATE $LOCALCACRT ; then
+            # Make rootCA certificate available in /etc/ssl/certs/
+            ln -nsf $LOCALCACRT $ROOTCACRT
+            # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+            update-ca-certificates
+            logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
+        else
+            # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+            # 404 http error message in html.
+            rm -f $LOCALCACRT
+            rm -f $ROOTCACRT
+            logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
+        fi
+    else
+        # Report an error, if www.intern is down http-wise. This can happen and is probably
+        # a temporary problem that needs an admin to fix it.
+        log_action_end_msg 1
+        logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+        exit 1
+    fi
+fi


=====================================
share/debian-edu-config/tools/firefox-ldapconf
=====================================
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Firefox configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+    . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+    *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+        /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
+        ;;
+esac
+
+case $PROFILE in
+    *LTSP-Server*)
+        if [ -d /opt/ltsp ]; then
+            find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage \;
+        fi
+        ;;
+esac


=====================================
share/debian-edu-config/tools/gosa-remove
=====================================
@@ -52,7 +52,7 @@ mv $HOMEDIR $RM_HOMEDIR
 chown root:root $RM_HOMEDIR
 chmod go-rwx $RM_HOMEDIR
 
-kadmin.local -q "delete_principal $USERID"
+kadmin.local -q "delete_principal -force $USERID"
 pdbedit -x -u $USERID > /dev/null
 logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion, samba account and principal \'$USERID\' removed.
 


=====================================
share/debian-edu-config/tools/nat
=====================================
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+IPTABLES=/usr/sbin/iptables
+
+NETWORK_TO_NAT=
+OUTSIDE_IF=eth0
+
+[ -x $IPTABLES ] || exit 1
+
+# Only enable by default if LTSP is installed
+if [ -e /srv/ltsp ] ; then
+    NETWORK_TO_NAT="192.168.0.0/24"
+fi
+
+if [ -f /etc/default/enable-nat ] ; then
+    . /etc/default/enable-nat
+fi
+
+# Bail out if no network is configured
+[ -n "$NETWORK_TO_NAT" ] || exit 0
+
+case $1 in
+enable)
+    # Exit if already enabled
+    $IPTABLES -t nat -n -L POSTROUTING | \
+        awk -v net="$NETWORK_TO_NAT" '
+        NR > 2 && $1 == "MASQUERADE" && $4 == net {
+            found=1
+            exit
+        }
+        END {
+            exit(!found)
+        }' && exit 0
+
+    $IPTABLES -t nat -A POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE
+
+    # Enable IP-forwarding if it isn't enabled already.
+    sysctl -wq net.ipv4.ip_forward=1
+    ;;
+disable)
+    $IPTABLES -F -t nat
+    ;;
+*)
+    printf 'usage: %s [enable|disable]\n' "$(basename "$0")" >&2
+    exit 1
+    ;;
+esac


=====================================
share/debian-edu-config/tools/update-dlw-krb5-keytabs
=====================================
@@ -49,7 +49,7 @@ DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
 
 # Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
 nscd -i netgroup
-DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+DLW_HOSTS_NETGROUP="$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")" || true
 
 # Do some sanity checks...
 if [ "$(id -u)" != "0" ]; then



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/6bb8e794f36e86f7ae8a9a438ae821ad951ec91f...9dd3f55ff479aa5e93f3cda5a70e2faa32a36801

-- 
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/6bb8e794f36e86f7ae8a9a438ae821ad951ec91f...9dd3f55ff479aa5e93f3cda5a70e2faa32a36801
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-edu-commits/attachments/20230807/3289f5f4/attachment-0001.htm>


More information about the debian-edu-commits mailing list