[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/system-trusted-certs] 35 commits: fix main server network setup. Closes: #1055647.

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Sun Jun 1 21:17:29 BST 2025



Mike Gabriel pushed to branch personal/gber/system-trusted-certs at Debian Edu / debian-edu-config


Commits:
e009a76e by Wolfgang Schweer at 2023-11-09T17:36:48+01:00
fix main server network setup. Closes: #1055647.

- - - - -
c17d09f5 by Holger Levsen at 2023-11-10T16:43:01+01:00
release as 2.12.38

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
35da6ea0 by Mike Gabriel at 2023-11-19T09:56:08+01:00
ldap-bootstrap/root.ldif: Fix gosaAclEntry of BaseDN object.

- - - - -
159edd3e by Mike Gabriel at 2023-11-19T10:03:08+01:00
release as 2.12.39

Signed-off-by: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>

- - - - -
5e0dd63d by Mike Gabriel at 2023-11-19T10:07:00+01:00
Start 2.12.40 development.

d/changelog entries will be written on release using the git commit
messages.

Use 'gbp dch --since 2.12.39' to write d/changelog entries since that
last release.

Gbp-Dch: ignore

- - - - -
02181b04 by Mike Gabriel at 2023-11-30T08:32:13+01:00
share/debian-edu-config/gosa.conf.template: Deploy GOsa² based on its classic theming, the Materialize CSS theme is too immature to be used in production.

- - - - -
82def362 by Mike Gabriel at 2023-11-30T08:34:17+01:00
release as 2.12.40

Signed-off-by: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>

- - - - -
6d95e627 by Mike Gabriel at 2023-11-30T08:59:57+01:00
d/changelog: typo fix in upload stanza of 2.12.40

- - - - -
17b6730c by Guido Berhoerster at 2023-12-01T14:20:47+01:00
gosa-sync: Decode the user password which GOsa substitutes base64 encoded

This fixes a bug where the user password could not be set or changed.

- - - - -
efdd9bfd by Mike Gabriel at 2023-12-01T21:49:08+01:00
release as 2.12.41

- - - - -
32d38f7a by Mike Gabriel at 2023-12-09T08:14:07+01:00
share/debian-edu-config/tools/update-proxy-from-wpad: Ignore missing dconf command. (Closes: #1057777).

This might happen on main-server installations without
a desktop environment installed.

- - - - -
a09e5939 by Mike Gabriel at 2023-12-09T08:17:12+01:00
release as 2.12.42

- - - - -
569574ca by Holger Levsen at 2023-12-25T11:33:09+01:00
Start 2.12.43 development.

d/changelog entries will be written on release
using the git commit messages.

Use 'gbp dch --since 2.12.42'
to write d/changelog entries since that last release.

Gbp-Dch: ignore
Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
f9545b61 by Holger Levsen at 2023-12-25T11:34:42+01:00
d/changelog: add missing Closes: for #1021688, #1024033 and #1039461 in previous entries.

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
e912fcec by Holger Levsen at 2023-12-25T11:43:42+01:00
d/changelog: fix too long line in previous entry.

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
af351fcd by Holger Levsen at 2023-12-25T11:56:59+01:00
release as 2.12.43

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
abfd8575 by Mike Gabriel at 2024-01-31T15:05:33+01:00
share/debian-edu-config/tools/wpad-extract: Update IP of www.debian.org.

- - - - -
014c4f95 by Mike Gabriel at 2024-01-31T15:05:33+01:00
share/debian-edu-config/tools/wpad-extract: Don't use the proxy for accessing wpad.

- - - - -
cfbbee50 by Mike Gabriel at 2024-01-31T15:05:33+01:00
share/debian-edu-config/tools/fetch-rootca-cert: Don't use the proxy for accessing wwww.intern.

- - - - -
cf1531c2 by Mike Gabriel at 2024-01-31T15:06:26+01:00
debian/debian-edu-config.maintscript: Remove stray /etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert. Should have been removed with 2.12.34 already. (Closes: #1061560).

- - - - -
d190aa94 by Mike Gabriel at 2024-01-31T15:06:37+01:00
debian/debian-edu-config.maintscript: Use prior-version version numbers as recommended on the dpkg-maintscript-helper man page (the current upload version suffixed by '~').

- - - - -
a673e678 by Mike Gabriel at 2024-01-31T15:13:23+01:00
release 2.12.44

Signed-off-by: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>

- - - - -
a3832476 by Mike Gabriel at 2024-07-25T09:20:30+02:00
share/debian-edu-config/tools/gosa-sync: From password TMPFILE, strip newline character from end-of-file.

 The LDAP whoami call for verifying the correctness of the passed-in
 user password requires a password file without trailing newline
 to succeed.

- - - - -
71f6b389 by Mike Gabriel at 2024-07-25T09:41:20+02:00
share/debian-edu-config/gosa.conf.template: Various white-space fixes.

- - - - -
94e83f4a by Mike Gabriel at 2024-07-25T09:47:40+02:00
Don't (single-)quote placeholders in plugin hooks. GOsa² will add single quotes around placeholder variables when generating hook commands. Esp. when using single quotes around placeholders, they will be duplicated and thus eliminate each other. This problem occurred for users with space characters in their DN while changing the user's password. (The hook would only operate on a partial DN string, split at first space char occurrence in the DN string).

- - - - -
ed9e2e94 by Mike Gabriel at 2024-07-25T09:54:15+02:00
release 2.12.45

Signed-off-by: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>

- - - - -
9978c9c8 by Frans Spiesschaert at 2024-12-21T12:38:09+01:00
remove unnecessary article

- - - - -
963af5c4 by Frans Spiesschaert at 2024-12-21T14:07:23+01:00
no longer give exim4 a reason to complain about "tainted search query is not properly quoted"

- - - - -
b4618325 by Frans Spiesschaert at 2024-12-21T14:17:32+01:00
remove extra space

- - - - -
fc0f918d by Holger Levsen at 2025-03-05T13:06:57+01:00
Remove myself from uploaders. It was a pleasure and an honor!

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
498829f1 by Holger Levsen at 2025-03-05T13:10:30+01:00
release as 2.12.46

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
e6225544 by Mike Gabriel at 2025-06-01T22:08:33+02:00
debian/control: Add to D: field: bind9-dnsutils. The 'dig' utility is required by fetch-rootca-cert script and various test scripts.

- - - - -
1373cfcc by Mike Gabriel at 2025-06-01T22:08:33+02:00
debian/control: Drop from D: field: libproxy1-plugin-*. All of them are transitional packages and libproxy has been replaced by libpacparser1 (using its pactester tool) ages ago. (Closes: #1064900).

- - - - -
608af78c by Guido Berhoerster at 2025-06-01T20:17:24+00:00
Make libnssckbi.so consumers trust system root certificate store

Add debian-edu-config-p11-kit-nssckbi subpackage which contains a diversion for
libnssckbi.so and replaces it with symlink to p11-kit-trust.so in order to work
around #704180. Note that it is important to keep the renamed file outside of
/usr/lib/<arch>/ in order to prevent ldconfig from overwriting the symlink.

- - - - -
909c45c1 by Guido Berhoerster at 2025-06-01T20:17:24+00:00
Stop adding the DebianEdu root CA to NSS shared database

NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).

- - - - -


29 changed files:

- Makefile
- − bin/debian-edu-copy-pki
- debian/changelog
- debian/control
- + debian/debian-edu-config-p11-kit-nssckbi.links
- + debian/debian-edu-config-p11-kit-nssckbi.postrm.in
- + debian/debian-edu-config-p11-kit-nssckbi.preinst.in
- debian/debian-edu-config.lintian-overrides
- debian/debian-edu-config.maintscript
- debian/rules
- etc/exim4/exim-ldap-server-v4.conf
- ldap-bootstrap/root.ldif
- ldap-tools/ldap-createuser-krb5
- ldap-tools/ldap-debian-edu-install
- − lib/thunderbird/distribution/policies.json
- sbin/debian-edu-ltsp-install
- sbin/debian-edu-pxeinstall
- share/debian-edu-config/d-i/pre-pkgsel
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/tools/create-debian-edu-certs
- − share/debian-edu-config/tools/create-user-nssdb
- share/debian-edu-config/tools/fetch-rootca-cert
- share/debian-edu-config/tools/gosa-create
- share/debian-edu-config/tools/gosa-sync
- − share/debian-edu-config/tools/update-cert-dbs
- share/debian-edu-config/tools/update-proxy-from-wpad
- share/debian-edu-config/tools/wpad-extract
- share/firefox-esr/distribution/policies.json
- − share/man/man1/debian-edu-copy-pki.1


Changes:

=====================================
Makefile
=====================================
@@ -5,7 +5,6 @@ NULL =
 PROGS = \
 	debian-edu-ldapserver \
 	update-ini-file \
-	debian-edu-copy-pki \
 	$(NULL)
 
 SPROGS = \
@@ -229,10 +228,6 @@ WWWFILES = \
 	wpad.dat \
 	$(NULL)
 
-LIBFILES = \
-	thunderbird/distribution/policies.json \
-	$(NULL)
-
 all:
 	$(MAKE) -C www
 
@@ -282,10 +277,6 @@ install: install-testsuite
 		$(INSTALL) etc/$$file $(DESTDIR)$(sysconfdir)/$$file; \
 	done
 
-	set -e ; for file in $(LIBFILES) ; do \
-		$(INSTALL_DATA) lib/$$file $(DESTDIR)$(libdir)/$$file; \
-	done
-
 	set -e ; for f in \
 		share/debian-edu-config/d-i/finish-install \
 		share/debian-edu-config/d-i/pre-pkgsel \
@@ -335,7 +326,6 @@ install: install-testsuite
 		share/debian-edu-config/tools/sssd-generate-config \
 		share/debian-edu-config/tools/squid-update-cachedir \
 		share/debian-edu-config/tools/subnet-change \
-		share/debian-edu-config/tools/update-cert-dbs \
 		share/debian-edu-config/tools/update-dlw-krb5-keytabs \
 		share/debian-edu-config/tools/update-firefox-homepage \
 		share/debian-edu-config/tools/update-chromium-homepage \
@@ -345,7 +335,6 @@ install: install-testsuite
 		share/debian-edu-config/tools/exim4-create-environment \
 		share/debian-edu-config/tools/edu-ldap-from-scratch \
 		share/debian-edu-config/tools/edu-icinga-setup \
-		share/debian-edu-config/tools/create-user-nssdb \
 		share/debian-edu-config/tools/copy-host-keytab \
 		share/debian-edu-config/tools/improve-desktop-l10n \
 		share/debian-edu-config/tools/install-task-pkgs \


=====================================
bin/debian-edu-copy-pki deleted
=====================================
@@ -1,23 +0,0 @@
-#!/bin/sh
-#
-# On a roaming workstation, the local user's home directory is missing the .pki
-# directory causing a question about the self-signed Debian Edu web server
-# certificate if Chromium is used.
-# Upon first login, a user can open a terminal window and execute this command
-# to copy the whole PKI directory from the main server. 
-
-# schweer, 2020-12-08
-
-set -e
-if [ -e /etc/debian-edu/config ] ; then
-	. /etc/debian-edu/config
-fi
-
-if ! echo "$PROFILE" | grep -Eq 'Roaming-Workstation' ; then
-		echo "This isn't a roaming workstation, nothing done."
-	else
-		if [ ! -d $HOME/.pki ] ; then
-			scp -rq $USER at tjener:~/.pki $HOME
-			echo "The PKI files have been copied from the main server."
-		fi
-fi


=====================================
debian/changelog
=====================================
@@ -1,9 +1,101 @@
-debian-edu-config (2.12.38) UNRELEASED; urgency=medium
+debian-edu-config (2.12.46) unstable; urgency=medium
 
-  * Start 2.12.38 development. d/changelog entries will be written on
-    release using the git commit messages.
+  [ Holger Levsen ]
+  * Team upload.
+  * Remove myself from uploaders as discussed during FOSDEM. It was a pleasure
+    and an honor!
+
+  [ Frans Spiesschaert ]
+  * sbin/debian-edu-pxeinstall:
+    - remove unnecessary article.
+    - remove extra space.
+  * etc/exim4/exim-ldap-server-v4.conf: no longer give exim4 a reason to
+    complain about "tainted search query is not properly quoted".
+
+ -- Holger Levsen <holger at debian.org>  Wed, 05 Mar 2025 13:08:19 +0100
+
+debian-edu-config (2.12.45) unstable; urgency=medium
+
+  * share/debian-edu-config/tools/gosa-sync:
+    + From password TMPFILE, strip newline character from end-of-file.
+      The LDAP whoami call for verifying the correctness of the passed-in
+      user password requires a password file without trailing newline
+      to succeed.
+  * share/debian-edu-config/gosa.conf.template:
+    + Various white-space fixes.
+    + Don't (single-)quote placeholders in plugin hooks. GOsa² will add single-
+      quotes around placeholder variables when generating hook commands. Esp.
+      when using single quotes around placeholders, they will be duplicated
+      and thus eliminate eacher other. This problem occurred for users
+      with space characters in their DN while changing the user's password.
+      (The hook would only operate on a partial DN string, split at first
+      space char occurrence in the DN string).
+
+ -- Mike Gabriel <sunweaver at debian.org>  Thu, 25 Jul 2024 09:52:14 +0200
+
+debian-edu-config (2.12.44) unstable; urgency=medium
+
+  * share/debian-edu-config/tools/wpad-extract:
+    + Update IP of www.debian.org.
+    + Don't use the proxy for accessing wpad.
+  * share/debian-edu-config/tools/fetch-rootca-cert:
+    + Don't use the proxy for accessing wwww.intern.
+  * debian/debian-edu-config.maintscript:
+    + Remove stray /etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert. Should have
+      been removed with 2.12.34 already. (Closes: #1061560).
+    + Use <prior-version> version numbers as recommended on the
+      dpkg-maintscript-helper man page (the current upload version suffixed
+      by '~').
+
+ -- Mike Gabriel <sunweaver at debian.org>  Wed, 31 Jan 2024 15:07:09 +0100
+
+debian-edu-config (2.12.43) unstable; urgency=medium
+
+  [ Holger Levsen ]
+  * d/changelog:
+    - add missing Closes: for #1021688, #1024033 and #1039461 in previous
+      entries to ease future debugging.
+    - fix too long line in previous entry.
+
+ -- Holger Levsen <holger at debian.org>  Mon, 25 Dec 2023 11:56:02 +0100
+
+debian-edu-config (2.12.42) unstable; urgency=medium
+
+  * share/debian-edu-config/tools/update-proxy-from-wpad: Ignore missing dconf
+    command. (Closes: #1057777). It might be missing on main-server
+    installations where no desktop environment is installed.
+
+ -- Mike Gabriel <sunweaver at debian.org>  Sat, 09 Dec 2023 08:15:45 +0100
+
+debian-edu-config (2.12.41) unstable; urgency=medium
+
+  [ Guido Berhoerster ]
+  * gosa-sync: Decode the user password which GOsa substitutes base64 encoded.
+    This fixes a bug where the user password could not be set or changed.
+    (related to #1052159).
+
+ -- Mike Gabriel <sunweaver at debian.org>  Fri, 01 Dec 2023 21:44:38 +0100
+
+debian-edu-config (2.12.40) unstable; urgency=medium
+
+  * share/debian-edu-config/gosa.conf.template:
+    + Deploy GOsa² based on its classic theming, the Materialize CSS theme is
+      too immature to be used in production.
+
+ -- Mike Gabriel <sunweaver at debian.org>  Thu, 30 Nov 2023 08:32:34 +0100
+
+debian-edu-config (2.12.39) unstable; urgency=medium
+
+  * ldap-bootstrap/root.ldif: Fix gosaAclEntry of BaseDN object.
+
+ -- Mike Gabriel <sunweaver at debian.org>  Sun, 19 Nov 2023 09:56:39 +0100
+
+debian-edu-config (2.12.38) unstable; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * Fix main server network setup. Closes: #1055647.
 
- -- Mike Gabriel <sunweaver at debian.org>  Sat, 09 Sep 2023 23:08:48 +0200
+ -- Holger Levsen <holger at debian.org>  Fri, 10 Nov 2023 16:42:11 +0100
 
 debian-edu-config (2.12.37) unstable; urgency=medium
 
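
Review bot: Two typos in the added entries: the 2.12.44 item for fetch-rootca-cert says "wwww.intern" where the script change in this push uses www.intern, and the 2.12.45 item for gosa.conf.template says "eacher other". Both can be corrected the same way 2.12.43 corrected earlier entries.
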
@@ -203,6 +295,12 @@ debian-edu-config (2.12.33) unstable; urgency=medium
     configuration in /etc/icingaweb2/modules/monitoring/. Instead of adjusting
     single files and directories, enforce sensible permissions on all directories
     and configuration files. Closes: #1039475.
+  * cf3/cf.samba: fix samba usershares permissions:
+    Setting the group ownership of /var/lib/samba/usershares/ to "students" fails
+    during the installation because this group is defined in LDAP and the slapd is
+    not running at the time the samba promise bundle is evaluated.  Thus use the
+    numeric GID instead.  The group is defined in
+    ldap-bootstrap/{samba.ldif,gosa.ldif}.  Closes: #1039461.
 
  -- Mike Gabriel <sunweaver at debian.org>  Sat, 01 Jul 2023 05:41:56 +0200
 
@@ -280,7 +378,7 @@ debian-edu-config (2.12.25) unstable; urgency=medium
 
   [ Wolfgang Schweer ]
   * sbin/debian-edu-ltsp-install: Install firefox-esr l10n package conditionally
-    in case the minidesktop thin client type has been chosen.
+    in case the minidesktop thin client type has been chosen. Closes: #1024033.
 
  -- Holger Levsen <holger at debian.org>  Sun, 13 Nov 2022 14:57:03 +0100
 
@@ -307,7 +405,7 @@ debian-edu-config (2.12.23) unstable; urgency=medium
     desktop environment is used during an installation including the Main server
     or LTSP server profile. (In these cases, ConnMan as the preferred LXQt
     network manager doesn't work well with the Debian Edu specific way network
-    interfaces are set up.)
+    interfaces are set up.) Closes: #1021688.
 
  -- Holger Levsen <holger at debian.org>  Mon, 17 Oct 2022 21:56:43 +0200
 


=====================================
debian/control
=====================================
@@ -3,7 +3,6 @@ Section: misc
 Priority: optional
 Maintainer: Debian Edu Developers <debian-edu at lists.debian.org>
 Uploaders: Petter Reinholdtsen <pere at debian.org>,
-           Holger Levsen <holger at debian.org>,
            Mike Gabriel <sunweaver at debian.org>,
            Dominik George <natureshadow at debian.org>,
 Standards-Version: 4.6.2
@@ -22,9 +21,11 @@ Architecture: all
 Depends: ${misc:Depends},
          adduser,
          bind9-host,
+         bind9-dnsutils,
          cfengine3,
          debconf-utils,
          debian-edu-artwork,
+         debian-edu-config-p11-kit-nssckbi,
          e2fsprogs,
          education-tasks,
          fping,
@@ -42,9 +43,6 @@ Depends: ${misc:Depends},
          libnss3-tools,
          libpacparser1,
          libpam-python (>= 1.1.0~git20220701.1d4e111-0.3~),
-         libproxy1-plugin-kconfig,
-         libproxy1-plugin-webkit,
-         libproxy1-plugin-networkmanager,
          libsitesummary-perl,
          libterm-readkey-perl,
          libtext-unaccent-perl,
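
Review bot: libnss3-tools stays in Depends (context line just above the removed libproxy1-plugin-* entries) although every certutil call visible in this push is removed: ldap-createuser-krb5, ldap-debian-edu-install, gosa-create and the deleted create-user-nssdb. If no remaining script calls certutil, drop the dependency in this series; if one does, name it in the commit message.
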
@@ -71,3 +69,12 @@ Recommends: binutils,
 Description: Configuration files for Debian Edu (Skolelinux) systems
  Installs cfengine config files to be used by the machines set up as part
  of the Debian Edu (Skolelinux) network. Debian Edu is a Debian Pure Blend.
+
+Package: debian-edu-config-p11-kit-nssckbi
+Architecture: any
+Depends: ${misc:Depends},
+         p11-kit-modules,
+Description: Configuration files for Debian Edu (Skolelinux) systems -- NSS system trust store
+ This package makes NSS trust the system certificates and trust policy provided
+ by ca-certificates including certificates installed by the system
+ administrator.
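
Review bot: The long description of debian-edu-config-p11-kit-nssckbi does not say how the package achieves this: it diverts libnssckbi.so and puts a symlink to p11-kit-trust.so in its place, which changes the trust anchors of every NSS consumer on the machine. Please state that in the description so an administrator sees it before installing or removing the package.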


=====================================
debian/debian-edu-config-p11-kit-nssckbi.links
=====================================
@@ -0,0 +1 @@
+usr/lib/${DEB_HOST_MULTIARCH}/pkcs11/p11-kit-trust.so usr/lib/${DEB_HOST_MULTIARCH}/libnssckbi.so
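
Review bot: The ${DEB_HOST_MULTIARCH} substitution in this line is only expanded by debhelper from compat level 13 on, and the compat level is not visible in this diff. Please confirm it, or generate the .links file through the same debian/%.in sed rule that debian/rules uses for preinst and postrm, so the path can never end up literal in the package.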


=====================================
debian/debian-edu-config-p11-kit-nssckbi.postrm.in
=====================================
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ "$1" = "remove" ] || [ "$1" = "abort-install" ] || [ "$1" = "disappear" ]; then
+    dpkg-divert --package debian-edu-config-p11-kit-nssckbi --remove \
+        --rename \
+        --divert /usr/lib/@DEB_HOST_MULTIARCH at _libnssckbi.so_libnss3 \
+        /usr/lib/@DEB_HOST_MULTIARCH@/libnssckbi.so || exit 1
+fi
+
+#DEBHELPER#
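
Review bot: The script has no set -e, so only the dpkg-divert call is guarded (by || exit 1) and whatever debhelper substitutes for #DEBHELPER# runs without errexit. Add set -e after the shebang, as Debian Policy asks of maintainer scripts; the explicit || exit 1 can then be dropped.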


=====================================
debian/debian-edu-config-p11-kit-nssckbi.preinst.in
=====================================
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+    # add diversion for libnssckbi.so and replace with p11-kit-trust.so
+    dpkg-divert --package debian-edu-config-p11-kit-nssckbi --add \
+        --rename \
+        --divert /usr/lib/@DEB_HOST_MULTIARCH at _libnssckbi.so_libnss3 \
+        /usr/lib/@DEB_HOST_MULTIARCH@/libnssckbi.so || exit 1
+fi
+
+#DEBHELPER#
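
Review bot: The comment above dpkg-divert says what is diverted but not why the --divert target lies outside /usr/lib/<arch>/. The commit message gives the reason (ldconfig would otherwise overwrite the symlink) and the bug being worked around (#704180); please carry both into the comment, since the unusual target path is the first thing a later cleanup would "fix".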


=====================================
debian/debian-edu-config.lintian-overrides
=====================================
@@ -22,3 +22,4 @@ debian-edu-config: unused-debconf-template debian-edu-config/ldap-password [temp
 debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-again [templates:359]
 debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-empty [templates:442]
 debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-mismatch [templates:401]
+debian-edu-config: diversion-for-unknown-file * [postinst:213]
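
Review bot: The new override is pinned to [postinst:213] and carries no comment, while no postinst is among the files changed in this push and the diversion added here lives in the preinst of the new subpackage. Please add a comment line saying which diversion the override covers and why it is a false positive, so it can be removed once that diversion goes away.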


=====================================
debian/debian-edu-config.maintscript
=====================================
@@ -1,5 +1,6 @@
-rm_conffile /share/debian-edu-config/debian-edu.addmachine.template 2.12.5
-rm_conffile /share/debian-edu-config/debian-edu.ldapscripts.passwd 2.12.5
-rm_conffile /etc/cfengine3/debian-edu/cf.ldapscripts 2.12.5
-dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.12.17
-rm_conffile /etc/init.d/fetch-ldap-cert 2.12.33
+rm_conffile /share/debian-edu-config/debian-edu.addmachine.template 2.12.6~
+rm_conffile /share/debian-edu-config/debian-edu.ldapscripts.passwd 2.12.6~
+rm_conffile /etc/cfengine3/debian-edu/cf.ldapscripts 2.12.6~
+dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.12.18~
+rm_conffile /etc/init.d/fetch-ldap-cert 2.12.34~
+rm_conffile /etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert 2.12.44~


=====================================
debian/rules
=====================================
@@ -1,11 +1,17 @@
 #!/usr/bin/make -f
 
 DESTDIR=`pwd`/debian/debian-edu-config
+SUBSTFILES = \
+		debian/debian-edu-config-p11-kit-nssckbi.preinst \
+		debian/debian-edu-config-p11-kit-nssckbi.postrm
+
+debian/%: debian/%.in
+	sed 's/@DEB_HOST_MULTIARCH@/$(DEB_HOST_MULTIARCH)/g' <$< >$@
 
 %:
 	dh $@
 
-override_dh_auto_install:
+override_dh_auto_install: $(SUBSTFILES)
 	$(MAKE) install prefix=/usr DESTDIR=$(DESTDIR)
 
 override_dh_installinit:
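
Review bot: The sed rule expands $(DEB_HOST_MULTIARCH), but nothing in the lines shown defines it; it is only set when the calling environment exports it, as dpkg-buildpackage does. Invoked directly, debian/rules would generate maintainer scripts that divert /usr/lib//libnssckbi.so. Add "include /usr/share/dpkg/architecture.mk" near the top of the file.
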
@@ -40,3 +46,7 @@ override_dh_installman:
 		--help-option="-h" \
 		--no-discard-stderr debian/debian-edu-config/usr/bin/ldap-createuser-krb5 \
 		> debian/debian-edu-config/usr/share/man/man1/ldap-createuser-krb5.1
+
+override_dh_auto_clean:
+	dh_auto_clean
+	-rm -f $(SUBSTFILES)


=====================================
etc/exim4/exim-ldap-server-v4.conf
=====================================
@@ -316,7 +316,7 @@ root:
 ldapuser:
   driver = accept
   check_local_user
-  condition = ${if eq {}{${lookup ldap {ldap://LDAPSERVER/LDAPBASE?uid?sub?(uid=${local_part})}}}{no}{yes}}
+  condition = ${if eq {}{${lookup ldap {ldap://LDAPSERVER/LDAPBASE?uid?sub?(uid=${quote_ldap_dn:${local_part}})}}}{no}{yes}}
   cannot_route_message = Recipent ${local_part} unknown.
   retry_use_local_part
   transport = ldap_delivery
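
Review bot: In the changed condition line, ${local_part} is inserted into the filter part of the LDAP URL, (uid=...), but it is quoted with quote_ldap_dn, the operator Exim provides for values placed in a DN. For a filter value the matching operator is quote_ldap, which escapes the filter metacharacters such as * ( ) and \ and also satisfies the taint check. Suggest (uid=${quote_ldap:${local_part}}). The cannot_route_message context line still reads "Recipent".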


=====================================
ldap-bootstrap/root.ldif
=====================================
@@ -29,7 +29,7 @@ dc: skole
 ou: skole
 o: skole.skolelinux.no
 labeledURI: https://www/ LDAP for Debian Edu/Skolelinux
-gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
+gosaAclEntry: 0:psub:$GOSAADMINSDN64:all/all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
 gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r
 gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw
 gosaAclEntry: 3:role:$ADMINROLEDN64:


=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -182,9 +182,6 @@ EOF
     # Create home directory
     if [ ! -d $HOMEDIR ] ; then
         cp -r /etc/skel $HOMEDIR
-        mkdir -p $HOMEDIR/.pki/nssdb
-        chmod -R 700 $HOMEDIR/.pki/nssdb
-        certutil  -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
         chown -R $NEWUID:$NEWGID $HOMEDIR
     fi
 


=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -357,13 +357,3 @@ SLAPPIDS=$(pidof slapd || /bin/true)
 if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
   service slapd start
 fi
-
-# Create PKI nssdb files for first user.
-if [ -x /usr/bin/certutil ] ; then
-  mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
-  chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
-  certutil  -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-  chown -R 2000:2000 /skole/tjener/home0/"$FIRSTUSERNAME"/
-  echo "info: created PKI nssdb files for first-user"
-fi
-
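
Review bot: The removed block did more than create the nssdb: its mkdir -p created /skole/tjener/home0/"$FIRSTUSERNAME"/ if it was missing, and chown -R 2000:2000 was applied to the whole home directory, not only .pki/nssdb. Please confirm that the first user's home is created and owned correctly elsewhere, or keep the chown.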


=====================================
lib/thunderbird/distribution/policies.json deleted
=====================================
@@ -1,11 +0,0 @@
-{
-  "policies": {
-    "Certificates": {
-      "ImportEnterpriseRoots": true,
-      "Install": [
-        "/etc/ssl/certs/Debian-Edu_rootCA.crt"
-      ]
-    }
-  }
-}
-


=====================================
sbin/debian-edu-ltsp-install
=====================================
@@ -531,12 +531,6 @@ debootstrap --arch="$arch" --no-check-gpg --variant=minbase --include=sitesummar
 		cat <<EOF > /srv/ltsp/x2go-"$thin_type"-"$arch"/usr/share/firefox-esr/distribution/policies.json
 {
   "policies": {
-    "Certificates": {
-      "ImportEnterpriseRoots": true,
-      "Install": [
-        "/etc/ssl/certs/Debian-Edu_rootCA.crt"
-      ]
-    },
     "NewTabPage": false,
     "OverrideFirstRunPage": "",
     "SearchEngines": {
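
Review bot: Dropping the "Certificates" policy from the policies.json written into /srv/ltsp/x2go-"$thin_type"-"$arch" is only safe if that chroot also gets debian-edu-config-p11-kit-nssckbi (or another way for NSS to read the system store). The debootstrap --include list is cut off in the hunk header, so this cannot be checked here; if the package is not installed in the chroot, Firefox there stops trusting Debian-Edu_rootCA.crt.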


=====================================
sbin/debian-edu-pxeinstall
=====================================
@@ -342,7 +342,7 @@ config
 goto start
 
 :shell
-echo Type 'exit' to get the back to the menu
+echo Type 'exit' to get back to the menu
 shell
 goto start
 


=====================================
share/debian-edu-config/d-i/pre-pkgsel
=====================================
@@ -121,12 +121,6 @@ EOF
 auto lo
 iface lo inet loopback
 EOF
-    if [ "$DNSDOMAIN" ] && [ "$NAMESERVER" = "127.0.0.1" ] ; then
-	cat >> $interfaces <<EOF
-    dns-search $DNSDOMAIN
-    dns-nameservers $NAMESERVER
-EOF
-    fi
 
     for interface in eth0 eth1 ; do
 	eval "ifinfo=\$$interface"
@@ -159,6 +153,12 @@ EOF
     gateway $gateway
 EOF
 		fi
+	    if [ "$DNSDOMAIN" ] && [ "$NAMESERVER" = "127.0.0.1" ] ; then
+			cat >> $interfaces <<EOF
+    dns-search $DNSDOMAIN
+    dns-nameservers $NAMESERVER
+EOF
+	    fi
 		cat >> $interfaces <<EOF
 # The commented lines below is to be used if a DHCP server is in use
 #iface $interface inet dhcp
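
Review bot: The dns-search/dns-nameservers block moved from just before the "for interface in eth0 eth1" loop (first hunk) to after the gateway stanza, which appears to be inside that loop. If both interfaces take this branch the two lines are written once per interface; if that is intended because they must belong to an iface stanza, a one-line comment saying so would help. The added lines also mix tabs and spaces differently from the surrounding code.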


=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -41,7 +41,7 @@
               class="userManagement" />
       <plugin acl="groups" class="groupManagement" />
       <plugin acl="roles" class="roleManagement" />
-      <plugin acl="acl"  class="aclManagement" />
+      <plugin acl="acl" class="aclManagement" />
       <plugin acl="ogroups" class="ogroupManagement" />
       <plugin acl="sudo" class="sudoManagement" />
       <plugin acl="netgroup" class="netgroupManagement" />
@@ -56,14 +56,14 @@
 
     <!-- Section to enable addon plugins -->
     <section name="Addons">
-      <plugin acl="all/all"  class="propertyEditor" />
+      <plugin acl="all/all" class="propertyEditor" />
       <plugin acl="server/rSyslogServer" class="rsyslog" />
 <!--      <plugin acl="mailqueue" class="mailqueue" />-->
       <plugin acl="users/viewFaxEntries:self,users/viewFaxEntries" class="faxreport" />
       <plugin acl="users/viewFonEntries:self,users/viewFonEntries" class="fonreport" />
       <plugin acl="ldapmanager" class="ldif" />
       <plugin acl="schoolmanager" class="schoolmgr" />
-      <plugin acl="pwreset" class="pwreset"/>
+      <plugin acl="pwreset" class="pwreset" />
     </section>
   </menu>
 
@@ -76,9 +76,9 @@
   <pathMenu>
       <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
       <plugin acl="users/password:self" class="password"
-              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync '%dn'"
-              postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user '%dn'"
-              postunlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-unlock-user '%dn'" />
+              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"
+              postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user %dn"
+              postunlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-unlock-user %dn" />
   </pathMenu>
 
 
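
Review bot: With the quotes removed, postmodify, postlock and postunlock rely entirely on GOsa² quoting %dn (and %new_password) when it builds the command that is run through sudo. On a GOsa² version that does not add the quotes, a DN containing spaces or shell metacharacters reaches the shell unquoted. Please record the GOsa² version that introduced the quoting, in a comment above the plugin element or as a versioned dependency, so the template is never deployed against an older one.
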
@@ -279,7 +279,7 @@
 
   <!-- Connectivity plugins -->
   <connectivity>
-    <tab class='kolabAccount' />
+    <tab class="kolabAccount" />
     <tab class="proxyAccount" />
     <tab class="pureftpdAccount" />
     <tab class="webdavAccount" />
@@ -346,7 +346,7 @@
     sendCompressedOutput="true"
     modificationDetectionAttribute="entryCSN"
     language=""
-    theme="default"
+    theme="classic"
     sessionLifetime="7200"
     templateCompileDirectory="/var/spool/gosa"
     debugLevel="0"


=====================================
share/debian-edu-config/tools/create-debian-edu-certs
=====================================
@@ -78,13 +78,6 @@ generate() {
     logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
 }
 
-update_nssdb() {
-    # Update dbm and sql certificate and key databases in homedirs.
-    echo "Now updating the nssdb files for all user accounts..."
-    /usr/share/debian-edu-config/tools/update-cert-dbs
-    echo "The nssdb files for all user accounts have been updated"
-}
-
 if [ "$1" = "--force-overwrite" ] ; then
     generate
     echo "Reloading / restarting related services; this will take some time..."
@@ -94,11 +87,9 @@ if [ "$1" = "--force-overwrite" ] ; then
     service dovecot restart
     service nslcd stop
     service nslcd start
-    update_nssdb
 else
     if [ ! -f $CA_CERT ] || [ ! -f $CA_KEY ]; then
         generate
-        update_nssdb
     else
         echo "Certificates and keys already exist, nothing to do!"
         echo "Call $0 with param '--force-overwrite' if new ones should be generated."


=====================================
share/debian-edu-config/tools/create-user-nssdb deleted
=====================================
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-set -e
-
-BASE_HOME=/skole/tjener
-for dir in "$BASE_HOME"/*/*; do
-    # Skip if not a directory
-    test -d "$dir" || continue
-
-    # Extract username and check existence
-    username=${dir##*/}
-    id "$username" >/dev/null 2>&1 || continue
-
-    if [ -d "$dir/.pki/nssdb" ] ; then
-        su - $username sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    else
-        mkdir -p $dir/.pki/nssdb
-        chmod -R 700 $dir/.pki/nssdb
-        chown -R $i:$i $dir/.pki/nssdb
-        certutil  -A -d sql:$dir/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-    fi
-    logger -t create-user-nssdb -p notice PKI nssdb files created in $dir.
-done
-
-exit 0
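Review bot: no caller of `create-user-nssdb` is removed in the hunks shown here, so check that nothing else in the package (install lists, maintainer scripts, configuration rules) still references the path before it disappears. For the record, the deleted else branch ran `chown -R $i:$i` with `$i` never set and passed `$username` and `$dir` unquoted, so a line in the commit message noting that the removal also retires that code would help anyone backporting.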


=====================================
share/debian-edu-config/tools/fetch-rootca-cert
=====================================
@@ -10,6 +10,12 @@ if [ -r /etc/debian-edu/config ] ; then
     . /etc/debian-edu/config
 fi
 
+# Don't use the proxy for accesing www.intern
+if [ -n "${no_proxy}" ]; then
+        no_proxy="${no_proxy},"
+fi
+export no_proxy="${no_proxy}www.intern"
+
 BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
 ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
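Review bot: the added comment has a typo (`accesing`), the new lines inside the `if` are indented eight spaces where the surrounding context uses four, and the same `no_proxy` block is added to wpad-extract with only the host name changed, so a small shared helper would keep the two copies from drifting. Only lowercase `no_proxy` is set; the download command is outside this hunk, so confirm it honours the lowercase variable. Note also that a `no_proxy` value coming from the sourced `/etc/debian-edu/config` is appended to rather than replaced, which looks intended but deserves a word in the comment.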


=====================================
share/debian-edu-config/tools/gosa-create
=====================================
@@ -38,10 +38,6 @@ while read KEY VALUE ; do
                 nscd -i passwd || true
                 nscd -i group || true
             fi
-            mkdir -p $HOMEDIR/.pki/nssdb
-            chmod -R 700 $HOMEDIR/.pki/nssdb
-            certutil  -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-            logger -t gosa-create -p notice PKI nssdb files created in \'$HOMEDIR\'.
             chown -R $USERID:$GROUPID $HOMEDIR
             kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
             logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.


=====================================
share/debian-edu-config/tools/gosa-sync
=====================================
@@ -33,12 +33,11 @@ fi
 TMPFILE=$(mktemp)
 trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
 
-cat <<EOF | tr -d "\n" > "$TMPFILE"
+base64 -d - <<EOF > "$TMPFILE"
 $USERPASSWORD
 EOF
-
-# remove escapes from the password added by GOsa²...
-sed -i $TMPFILE  -e 's/\\//g'
+# strip newline from EOF
+perl -i -pe 'chomp if eof' "$TMPFILE"
 
 # check the password in $TMPfile against LDAP...
 IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
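Review bot: the `perl -i -pe 'chomp if eof'` step does not match its comment "strip newline from EOF". The here-document's trailing newline is input to `base64 -d`, which skips newlines when decoding, so it never reaches `$TMPFILE`; the chomp can only remove a newline that was part of the encoded value itself. If GOsa encodes the password with a trailing newline, say that in the comment; otherwise drop the perl call. The exit status of `base64 -d` is also not checked in the lines shown, so a `$USERPASSWORD` that is not valid base64 leaves an empty or partial file that is then handed to `ldapwhoami -y`; failing early with a logged error would be clearer than a silent bind failure.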


=====================================
share/debian-edu-config/tools/update-cert-dbs deleted
=====================================
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# Update PKI nssdb files in users' homedirs.
-#
-
-set -e
-
-BASE_HOME=/skole/tjener
-for dir in "$BASE_HOME"/*/*; do
-    # Skip if not a directory
-    test -d "$dir" || continue
-
-    # Extract username and check existence
-    username=${dir##*/}
-    id "$username" >/dev/null 2>&1 || continue
-
-    if [ -d "$dir/.pki/nssdb" ] ; then
-        su - $username sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    fi
-    logger -t update-cert-dbs "Updated PKI nssdb files for user $username in $dir"
-done


=====================================
share/debian-edu-config/tools/update-proxy-from-wpad
=====================================
@@ -97,6 +97,13 @@ update_apt_conf() {
 }
 
 update_dconf() {
+	if ! command -v dconf >/dev/null; then
+		# If the dconf command is not install, let's ignore it.
+		# This might happen on main-server installations without
+		# a desktop environment installed.
+		return 0
+	fi
+
 	proxy_host="${http_proxy#*://}"
 	proxy_port="${proxy_host##*:}"
 	proxy_host="${proxy_host%:*}"
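Review bot: the early `return 0` at the top of `update_dconf` is silent, so on a host where dconf is expected but missing the proxy setting is skipped with no trace; a log message before the return would make that visible. The comment should read "not installed".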


=====================================
share/debian-edu-config/tools/wpad-extract
=====================================
@@ -7,10 +7,16 @@
 
 # This version uses pactester from package libpacparser1.
 
+# Don't use the proxy for accesing wpad
+if [ -n "${no_proxy}" ]; then
+        no_proxy="${no_proxy},"
+fi
+export no_proxy="${no_proxy}wpad"
+
 # Look up one of the www.debian.org IP addresses to avoid hanging on
 # DNS if the skolelinux machines are not connected to the Internet.
 proxy_url=$(curl -s http://wpad/wpad.dat | pactester -p - \
-            -u http://130.89.148.14 | awk '{print $2}' | cut -d';' -f1)
+            -u http://130.89.148.77 | awk '{print $2}' | cut -d';' -f1)
 
 if [ "$proxy_url" ]; then
 	echo "http://$proxy_url"
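Review bot: the probe address passed to `pactester -u` is swapped from one literal to another (`130.89.148.14` to `130.89.148.77`) with nothing recording where the value comes from or how to refresh it, so it will go stale the same way again. Put it in a named variable with a comment stating which host it belongs to and when it was checked. The unchanged comment above still says "Look up one of the www.debian.org IP addresses" although no lookup happens, and the new `no_proxy` comment has the typo `accesing`.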


=====================================
share/firefox-esr/distribution/policies.json
=====================================
@@ -1,11 +1,5 @@
 {
   "policies": {
-    "Certificates": {
-      "ImportEnterpriseRoots": true,
-      "Install": [
-        "/etc/ssl/certs/Debian-Edu_rootCA.crt"
-      ]
-    },
     "NewTabPage": false,
     "OverrideFirstRunPage": "",
     "SearchEngines": {
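Review bot: removing the whole `Certificates` block drops both `ImportEnterpriseRoots` and the `Install` entry for `/etc/ssl/certs/Debian-Edu_rootCA.crt`, and nothing in this hunk shows what gives Firefox ESR trust in the Debian Edu root afterwards. Firefox keeps its own NSS trust store, so please name the replacement mechanism in the commit message and test an HTTPS page on www.intern with a fresh profile before merging.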


=====================================
share/man/man1/debian-edu-copy-pki.1 deleted
=====================================
@@ -1,15 +0,0 @@
-.TH DEBIAN-EDU-COPY-PKI 1 "December 2020" "Debian Edu" "Debian Edu User Tools"
-
-.SH NAME
-debian-edu-copy-pki - copy user's PKI files from the Debian Edu main server
-
-.SH SYNOPSIS
-.B debian-edu-copy-pki
-
-.SH DESCRIPTION
-This script is useful on roaming workstations. The user's "$HOME/.pki" directory on the main server is copied to the local home directory.
-.TP
-This way, all programs relying on the PKI infrastructure (like e.g. Chromium) will accept Debian Edu self signed certificates.
-
-.SH AUTHORS
-Debian Edu Team, https://blends.debian.org/edu



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/4b63838ab777314d4611195f0be58c29203b8f1a...909c45c1bbc30a57ab510ed9eb2c4aa80375c6d9
