[debian-lan-devel] When I shoot myself in the foot with a softupdate

Julien Lambot jlambot at gmail.com
Fri Jul 12 15:42:46 UTC 2013


Hello List
Hi Andreas

I'm working on the update of debian-lan version 0.12
The release that I installed was the one available around end of April.

The recommendations you gave earlier were already helpful. Some scripts are
already slightly modified to include a "DLUpdate=true" environment variable
to allow executing fai -Nv softupdate correctly.
This currently concerns the following files:

fai/config/scripts/LDAP_CLIENT/10-ldap.conf
fai/config/scripts/LDAP_CLIENT/20-nslcd.conf
fai/config/scripts/DNS_SERVER/10-zones
fai/config/scripts/FAISERVER/10-config
fai/config/scripts/FAISERVER/40-dhcp

and also
fai/config/files/etc/rc.local/FAISERVER
to allow the rebuild of /srv/nfsroot and /opt/live/

Though, during the update process I'm facing an issue with Kerberos, slapd
and nslcd, which I still can't correctly identify.
This translates into the fact that the session is opened and directly closed
on the workstation.
The krb5.keytab of the workstation was correctly transferred. However, there
seems to remain an inconsistency in Kerberos.
I still have to test the fix for fai/config/scripts/DNS_SERVER/10-zones in
the logs hereafter (which might be the cause of the problem, indeed)

From kdc.log:
Jul 12 16:06:14 mainserver krb5kdc[2847](info): preauth
(encrypted_timestamp) verify failure: Decrypt integrity check failed

From daemon.log:
Jul 12 16:04:55 mainserver nslcd[2904]: [52255a]
<passwd="nfs/workstation00.intern"> request denied by validnames option
Jul 12 16:04:55 workstation00 rpc.idmapd[1564]: nss_getpwnam: name 'nobody'
does not map into domain 'intern'
Jul 12 16:04:55 mainserver nslcd[2904]: [9cf92e] <passwd=10001>
ldap_start_tls_s() failed (uri=ldap://ldap): Connect error: (unknown error
code)
Jul 12 16:04:55 mainserver nslcd[2904]: [9cf92e] <passwd=10001> failed to
bind to LDAP server ldap://ldap: Connect error: (unknown error code)
Jul 12 16:04:55 mainserver nslcd[2904]: [9cf92e] <passwd=10001> no
available LDAP server found: Connect error
Jul 12 16:04:55 mainserver nslcd[2904]: [ed7263] <group=10001> no available
LDAP server found: Server is unavailable
Jul 12 16:04:55 mainserver nslcd[2904]: [dcc233] <passwd="thome"> no
available LDAP server found: Server is unavailable
Jul 12 16:04:55 mainserver rpc.gssd[1856]: ERROR: Cannot determine realm
for numeric host address while getting realm(s) for host '10.0.1.100'
Jul 12 16:04:55 mainserver rpc.gssd[1856]: ERROR:
gssd_refresh_krb5_machine_credential: no usable keytab entry found in
keytab /etc/krb5.keytab for connection with host 10.0.1.100
Jul 12 16:04:55 mainserver rpc.gssd[1856]: ERROR: No credentials found for
connection to server 10.0.1.100
Jul 12 16:04:56 workstation00 acpid: client 2349[0:0] has disconnected
Jul 12 16:04:56 workstation00 acpid: client connected from 2957[0:0]
Jul 12 16:04:56 workstation00 acpid: 1 client rule loaded
Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin">
ldap_start_tls_s() failed (uri=ldap://ldap): Connect error: (unknown error
code)
Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin">
failed to bind to LDAP server ldap://ldap: Connect error: (unknown error
code)
Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin"> no
available LDAP server found: Connect error
Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin"> no
available LDAP server found: Server is unavailable
Jul 12 16:07:16 mainserver named[2260]: dumping master file:
/etc/bind/tmp-chk8P8Qjz0: open: permission denied
Jul 12 16:08:34 workstation00 nslcd[2461]: [3c9869] <passwd="thome">
(re)loading /etc/nsswitch.conf
Jul 12 16:08:58 mainserver named[2260]: dumping master file:
/etc/bind/tmp-nNiyCzorJU: open: permission denied
Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap">
ldap_start_tls_s() failed (uri=ldap://ldap): Connect error: (unknown error
code)
Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap">
failed to bind to LDAP server ldap://ldap: Connect error: (unknown error
code)
Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap">
no available LDAP server found: Connect error
Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap">
no available LDAP server found: Server is unavailable

Thereby, since there is a change in the slapd certificate location, there was
an issue with TLS which is mostly fixed (within ldap.conf, slapd.conf and
nslcd.conf).
I can successfully execute the following command (as root and without
kerberos ticket)
ldapsearch -x -b "dc=intern" -H 'ldap://ldap/' -ZZ
but I can't do a kinit for root. This results in:
root at mainserver:/var/log# kinit
Password for root at INTERN:
kinit: Password incorrect while getting initial credentials

Any hint would be greatly appreciated.


On the other side of the force :)
If we look at the above, updating from one release to another is not an
easy process.
Could we consider putting a "debian-lan.release" file containing the release
tag in /etc in order to ease the updates? This file could then be tested by
the scripts for the necessary updates.
I suppose there should be a good way to use some git features to create
patches or simply add checks in the scripts. I'm a beginner on the git
part, so any advice is welcome.
What would be your preference?
How can I provide you with the corrections I already implemented within my
git repo?
In a clue:
I made a copy of my current install's configuration and created a repository
(say: DLCustomer).
I cloned the current branch in another repository (say: debian-lan) and
compared the first one with this one.
Then, all changes have been made in a branch DLCustomer/DLupdates.


For the record:
The files that were changed between the two releases are:
fai/config/class/50-host-classes
fai/config/class/CLIENT_A.var
fai/config/class/DEBIAN.var
fai/config/class/FAIBASE.var
fai/config/class/ROAMING.var
fai/config/class/SERVER_A.var
fai/config/disk_config/ROAMING
fai/config/files/etc/apt/sources.list/CLIENT_A
fai/config/files/etc/apt/sources.list/SERVER_A
fai/config/files/etc/fai/apt/sources.list/SERVER_A
fai/config/files/etc/fai/nfsroot.conf/SERVER_A
fai/config/files/etc/ldap/autofs.ldif/SERVER_A
fai/config/files/etc/ldap/slapd.conf/GOSA
fai/config/files/etc/ldap/slapd.conf/SERVER_A
fai/config/files/etc/ldap/ssl/slapd-cert.cnf/SERVER_A
fai/config/files/etc/rc.local/FAISERVER
fai/config/files/etc/sssd/sssd.conf/ROAMING
fai/config/files/usr/local/sbin/add2gosa/GOSA
fai/config/files/usr/local/sbin/debian-lan/SERVER_A
fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
fai/config/files/usr/share/libpam-script/pam_script_auth/DISKLESS_CLIENT
fai/config/files/usr/share/libpam-script/pam_script_auth/ROAMING
fai/config/files/var/www/index.html/GOSA
fai/config/hooks/install.DEFAULT.source
fai/config/hooks/savelog.LAST.source
fai/config/package_config/CLIENT_A
fai/config/package_config/DEBIAN
fai/config/package_config/DESKTOP
fai/config/package_config/EDU
fai/config/package_config/FIREWALL
fai/config/package_config/GERMAN
fai/config/package_config/ROAMING
fai/config/scripts/CLIENT_A/20-misc
fai/config/scripts/DISKLESS_CLIENT/30-nfs4_krb5
fai/config/scripts/DNS_SERVER/10-zones
fai/config/scripts/FAIBASE/20-removable_media
fai/config/scripts/FAISERVER/10-config
fai/config/scripts/FAISERVER/20-configspace
fai/config/scripts/FAISERVER/40-dhcp
fai/config/scripts/FIREWALL/10-config
fai/config/scripts/LDAP_CLIENT/10-ldap.conf
fai/config/scripts/LDAP_CLIENT/20-nslcd.conf
fai/config/scripts/LDAP_CLIENT/30-certificate
fai/config/scripts/LDAP_SERVER/10-mkslapdcert
fai/config/scripts/MAIL_SERVER/30-certs
fai/config/scripts/NFS_SERVER/10-config
fai/config/scripts/NTP_SERVER/10-ntp.conf
fai/config/scripts/PROXY/10-config
fai/config/scripts/ROAMING/10-home_nfs4_krb5
fai/config/scripts/ROAMING/20-sssd_fstab
fai/config/scripts/SERVER_A/10-misc
fai/config/scripts/SERVER_A/30-forwarding
fai/config/scripts/SERVER_A/50-apache
fai/config/scripts/SERVER_A/60-APTrepo_server
fai/config/scripts/SERVER_A/65-APTrepo_client
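As an added example (not part of this mail or of debian-lan): a small triage script that joins the mail-wrapped syslog lines back into records and sorts them into the failure classes the report points at, so the LDAP/TLS, Kerberos keytab, KDC preauth and bind permission problems can be tracked separately. The sample input is the mail's own log excerpt; the class names and regexes are my own.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the mail's kdc.log / daemon.log excerpt, wrapped as in the mail.
SAMPLE = """\
Jul 12 16:06:14 mainserver krb5kdc[2847](info): preauth
(encrypted_timestamp) verify failure: Decrypt integrity check failed
Jul 12 16:04:55 mainserver nslcd[2904]: [52255a]
<passwd="nfs/workstation00.intern"> request denied by validnames option
Jul 12 16:04:55 mainserver nslcd[2904]: [9cf92e] <passwd=10001>
ldap_start_tls_s() failed (uri=ldap://ldap): Connect error: (unknown error
code)
Jul 12 16:04:55 mainserver rpc.gssd[1856]: ERROR:
gssd_refresh_krb5_machine_credential: no usable keytab entry found in
keytab /etc/krb5.keytab for connection with host 10.0.1.100
Jul 12 16:07:16 mainserver named[2260]: dumping master file:
/etc/bind/tmp-chk8P8Qjz0: open: permission denied
"""
# One syslog record: timestamp, host, program[pid](optional level): message.
REC = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
                 r"(?P<prog>[\w.-]+)(?:\[\d+\])?(?:\(\w+\))?: (?P<msg>.*)$")
# Failure classes named after the report's findings; first matching rule wins.
RULES = [
    ("ldap_tls", re.compile(r"ldap_start_tls_s\(\) failed|failed to bind to LDAP|no available LDAP server")),
    ("nslcd_validnames", re.compile(r"request denied by validnames option")),
    ("krb5_keytab", re.compile(r"no usable keytab entry|No credentials found|Cannot determine realm")),
    ("krb5_preauth", re.compile(r"preauth .*verify failure")),
    ("bind_zone_perm", re.compile(r"dumping master file: .*permission denied")),
]

def unwrap(lines):
    # Lines without a syslog header are mail-client continuations of the previous record.
    records = []
    for line in lines:
        if REC.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def classify(msg):
    return next((name for name, rx in RULES if rx.search(msg)), "other")

def triage(lines):
    # Map each failure class to the (host, program, message) records that hit it.
    out = defaultdict(list)
    for rec in unwrap(lines):
        m = REC.match(rec)
        if m:
            out[classify(m["msg"])].append((m["host"], m["prog"], m["msg"]))
    return dict(out)
```

Running `triage(SAMPLE.splitlines())` yields one record per class; pointing it at a full daemon.log shows which of the independent problems is still producing noise after each fix.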