Package: debian-edu-install
Version: 2.12.8
The minimum partition sizes are no longer up-to-date for bookworm and
later and should be updated based on the actual current installations.
--
Guido Berhoerster
Package: debian-edu-config
Version: 2.12.32
ntp has been replaced with ntpsec in bookworm, the configuration has to
be adapted to a different path and syntax.
--
Guido Berhoerster
END files promise (/var/lib/samba/usershares)
After installation the directory ownership is still the package default:
$ ls -ld /var/lib/samba/usershares/
drwxrwx--T 2 root sambashare 4096 22. Jun 08:17 /var/lib/samba/usershares/
The problem seems to be that the students group is define
dbname = "icingadb"
username = "icinga2"
password = "v64nhbe27dfBjR3T"
charset = ""
use_ssl = "0"
--
Guido Berhoerster
oadConfig() confirms
that the backends ($backends) configuration is actually empty, i.e. that
no backends are defined in the configuration (see
https://github.com/Icinga/icingaweb2/blob/v2.11.4/modules/monitoring/library/Monitoring/Backend/MonitoringBackend.php#L160
for context).
--
Guido Berhoerster
Even after creating a database for icingaweb and recreating the
configuration using the setup module I am getting the same error.
Related support forum post:
https://community.icinga.com/t/no-backend-has-been-configured-after-initial-setup/12245
--
Guido Berhoerster
t seems to have been added correctly and is
configured as expected via DHCP.
--
Guido Berhoerster
') für Modul posixAccount nicht ausführen!
--
Guido Berhoerster
uid lease 10.0.16.22 for
client 00:16:3e:22:7b:5e is duplicate on intern
2023-06-28T11:19:42.898709+02:00 tjener dhcpd[1368]: DHCPREQUEST for 10.0.0.2
(10.0.2.2) from 00:16:3e:22:7b:5e via eth0
2023-06-28T11:19:42.898830+02:00 tjener dhcpd[1368]: DHCPACK on 10.0.0.2 to
00:16:3e:22:7b:5e via eth0
The postcreate command error might be related to bug #1039698.
--
Guido Berhoerster
run
before ldapserver. So putting the icinga bundle after ldapserver might fix the
availability of the group via LDAP. However, this still needs testing.
--
Guido Berhoerster
"posixAccount"
2. the group "students is a "posixGroup" and requires a "memberUid"
instead of a "member" attribute
@Daniel: Could you please look into fixing this in gosa?
--
Guido Berhoerster
es_validated'
Q: ".../cf-agent" -f /":
error: Method 'cfe_internal_update_policy_cpv' failed in some repairs
Jul 17 12:55:43 tjener.intern cf-agent[3722]: CFEngine(agent) R: Built-in
failsafe policy triggered
It seems that the agent tries to contact the server using
the IPv6 loopback address which does not seem to be allowed
by the configuration.
--
Guido Berhoerster
/2b22a5550089bab108177a41254f3f9de07eb20c/include/class_plugin.inc#L1612).
However I don't see any changes in git blame since 2016, not sure why
this used to work in bullseye.
--
Guido Berhoerster
ib/cfengine3/inputs/cfe_internal/update/update_policy.cf' near line 229
Q: ".../cf-agent" -f /":
error: Comment is 'Check whether a validation stamp is available for a new
policy update to reduce the distributed load'
Q: ".../cf-agent" -f /":
error: Errors encountered when actuating files promise
'/var/lib/cfengine3/inputs/cf_promises_validated'
Q: ".../cf-agent" -f /":
error: Method 'cfe_internal_update_policy_cpv' failed in some repairs
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) R: Built-in
failsafe policy triggered
--
Guido Berhoerster
On a related note, this error only shows up when cf-agent is run by cf-execd.
Invoking it manually works fine.
--
Guido Berhoerster
ectClass: gosaUserTemplate
objectClass: posixAccount
objectClass: shadowAccount
sn: NewStudent
givenName: NewStudent
uid: newstudent
cn: NewStudent NewStudent
homeDirectory: /skole/tjener/home0/%uid
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
gecos: NewStudent NewStudent
--
Guido Berhoerster
des Benutzers Max Mustermann
gidNumber: 1003
objectClass: top
objectClass: posixGroup
--
Guido Berhoerster
: pam_ldap(lightdm:auth):
Authentication failure; user=mamus
--
Guido Berhoerster
more easily see the attached script, it is
invoked as follows:
debian-edu-add-user.sh 1010 afoo Alice Foo
in order to create an example user afoo with the uid/gid 1010.
--
Guido Berhoerster
debian-edu-add-user.sh
Description: application/shellscript
"." or the fully qualified hostname
cannot be determined
--
Guido Berhoerster
create entries with fully qualified hostnames
under ou=workstations,ou=systems,dc=skole,dc=skolelinux,dc=no the script
could also be adapted to skip qualifying the hostname if it contains a ".".
--
Guido Berhoerster
correctly at least.
Note to self: testing this required adding the workstation with
gosa on the server, as well as running copy-host-keytab and
manually removing Debian-Edu_rootCA.crt on the workstation with
a reboot afterwards.
--
Guido Berhoerster
Package: debian-edu-config
Version: 2.12.33
Running ldap-createuser-krb5 in order to create a user as recommended
in the documentation does not work and returns an LDAP error, e.g.
$ /usr/bin/ldap-createuser-krb5 gber 'Guido Berhoerster,,,'
error: unable to find sambaDomain LDAP objec
.2]
I'm not sure whether this is another problem in gosa or if the LDAP user is
still missing something.
--
Guido Berhoerster
otLogin yes
--
Guido Berhoerster
Package: debian-edu-config
Version: 2.12.33
debian-edu-restart-services is based around sysvinit, directly
looks into /etc/rc*.d/ and tries to kill services which haven't
been stopped successfully by itself. On systemd-based systems
it should use systemd facilities instead.
--
Guido Berhoerster
irst and then rebase the
diff on top of develop since the latter is the base of our package but has
truncated git history.
--
Guido Berhoerster
On Fri, 21 Jul 2023 11:34:21 +0200 Guido Berhoerster
wrote:
> I must have done something wrong before, with the newstudent
> template applied gosa creates the following on bullseye, which
> looks more correct/as expected:
I just noticed that a "posixUser" class is only add
On Mon, 31 Jul 2023 13:37:17 +0200 Guido Berhoerster
wrote:
> I've fixed and improved ldap-createuser-krb5 based on the template users,
> gosa behavior in bullseye, the gosa-create script as well as above
> suggestion so that it can now be used to create student/teacher which can
On Thu, 20 Jul 2023 11:25:09 +0200 Guido Berhoerster
wrote:
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST
> FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(a
Package: debian-edu-config
Version: 2.12.33
The debian-edu-config additions to the cups configuration
remove access by root via the SystemGroup setting, this
e.g. disallows root to cancel all jobs and causes
debian-edu-cups-queue-autoflush.service to fail.
--
Guido Berhoerster
ne should be. Right now it is
inconsistent, depending on whether systemd is installed
or not, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043353
--
Guido Berhoerster
iptables to the minimal installation
Suggestions?
--
Guido Berhoerster
On 10.08.23 at 13:59 Mike Gabriel wrote:
> On Do 10 Aug 2023 11:46:21 UTC, Guido Berhoerster wrote:
>
>> Package: debian-edu-config
>> Version: 2.12.33
>>
>> Setting up a router following the documentation at
>> https://wiki.debian.org/DebianEdu/Documentati
and delete the new configuration again (see
attachment).
IMHO a reasonable solution would be to present a warning at the
beginning, then bring down/flush the interfaces which are to be
configured, and remove their configuration stanzas from
/etc/network/interfaces.
--
Guido Berhoerster
uif
seems to have been added.
--
Guido Berhoerster
-edu-ltsp-install is invoked with a --desktop argument
which then defaults to Xfce.
--
Guido Berhoerster
retrieve lower fileattr (sbin/init, err=-6)
mv: can't rename '/root/sbin/init': No such device or address
LTSP command failed: mv /root/sbin/init /root/sbin/init.ltsp
Aborting ltsp
LTSP boot error! Enable DEBUG_SHELL to troubleshoot!
--
Guido Berhoerster
On Tue, 15 Aug 2023 10:33:03 +0200 Guido Berhoerster
wrote:
> The cause is apparently that during installation
> debian-edu-ltsp-install is invoked with a --desktop argument
> which then defaults to Xfce.
The above should read "without a --desktop argument", however that is
On Tue, 15 Aug 2023 10:42:05 +0200 Guido Berhoerster
wrote:
> [ 12.587974] overlayfs: failed to retrieve lower fileattr (sbin/init,
> err=-6)
> mv: can't rename '/root/sbin/init': No such device or address
The actual problem is that rename(2) fails with ENXIO as o
e
default values (I suppose not locked down since environment variables
are also overridable by the user?) which can be achieved with dconf
system databases (see
https://help.gnome.org/admin/system-admin-guide/stable/dconf-custom-defaults.html.en).
--
Guido Berhoerster
On Wed, 28 Jun 2023 13:36:04 +0200 Guido Berhoerster
wrote:
> Package: debian-edu-config
> Version: 2.12.32
>
> After adding a workstation (hostname: "ws01.intern") as shown in
> https://jenkins.debian.net/userContent/debian-edu-doc/debian-edu-doc-en/debian-e
up the /tmp or root partition depending on disk size and
partition scheme.
Furthermore, the script will create the tar file following the same naming
scheme /tmp/sitesummary-.tar.gz which in the absence of kernel symlink
protection allows for symlink attacks.
--
Guido Berhoerster
ould then be invoked both
by a native systemd service file and a sysv init script.
Thanks a lot,
--
Guido Berhoerster
-edu-config/tools/fetch-rootca-cert#L28).
Isn't this already the TOFU behavior you suggest?
--
Guido Berhoerster
On 06.09.23 15:49, Holger Levsen wrote:
On Wed, Sep 06, 2023 at 08:54:06AM +0200, Guido Berhoerster wrote:
My goal is to factor out most of the init script contents to a separate
script in /usr/share/debian-edu-config which could then be invoked both
by a native systemd service file and a sysv
On 06.09.23 at 08:54 Guido Berhoerster wrote:
> while working debian-edu-install I noticed the
> "report-errors"/"report-success" actions in the xdebian-edu-firstboot
> init script and I haven't been able to figure out from where they are
> supposed to
ould mail logging be local-only?
--
Guido Berhoerster
edu-update-netblock: 116: iptables: not found
/usr/sbin/debian-edu-update-netblock: 117: iptables: not found
/usr/sbin/debian-edu-update-netblock: 118: iptables: not found
--
Guido Berhoerster
iler→·shared/mailname→string→·postoffice.intern
--
Guido Berhoerster
On Fri, 8 Sep 2023 11:44:00 +0200 Guido Berhoerster
wrote:
> debian-edu-fai installs currently prefer nullmailer over exim4. However,
> both the mailname and remote are not configured correctly so that mail
> cannot be delivered.
>
> /etc/mailname contains:
>
> postoffice
On Fri, 8 Sep 2023 13:42:24 +0200 Guido Berhoerster
wrote:
> This is caused by debian-edu-fai in the DEBIAN/40-misc script:
>
> ainsl -a /etc/mailname ${HOSTNAME}
>
> which appends to the file rather than overwriting it.
It is also not clear why ${HOSTNAME} is used here rather
logged
through syslog. This would be suitable for the portable profile as well.
Suggestions?
--
Guido Berhoerster
https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html#ratelimit-interval
--
Guido Berhoerster
limits it would be convenient to include the mail logs
there in order to enforce a log size limit.
--
Guido Berhoerster
: ./ldap-server: search fail before flodding the LDAP server with 1200
connections
error: ./ldap-server: search fail after flodding the LDAP server with 1200
connections
error: ./rdp-server: xrdp service is not listening on 3389/tcp.
--
Guido Berhoerster
On Wed, 13 Sep 2023 13:03:45 +0200 Guido Berhoerster
wrote:
> error: ./filesystems: Using ext2 on /boot
This seems bogus, there should be an exception for boot.
> error: ./ldap-client: Missing /skole mount point in ldap
> error: ./ldap-client: Missing tjener mount point in ldap
> e
On Thu, 14 Sep 2023 10:57:32 +0200 Petter Reinholdtsen wrote:
> [Guido Berhoerster]
> >> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is
> >> enabled
> >
> > /etc/pam.d/common-auth contains:
> >
> > …
> >
e: Attempting to find an auth method to match sam_ignoredomain
[2023/09/19 14:04:01.342820, 5] ../../source3/auth/auth.c:451(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/19 14:04:01.342873, 5]
../../auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2023/09/19 14:04:01.342936, 1]
../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
[2023/09/19 14:04:01.342972, 5]
../../auth/gensec/gensec.c:534(gensec_update_done)
gensec_update_done: spnego[0x5618c5c0b850]: NT_STATUS_INVALID_PARAMETER
--
Guido Berhoerster
.
There are two possible solutions:
- a shorter maximum delay
- stop using anacron and rely on systemd timers which support random delays
--
Guido Berhoerster
resulting in fatal errors.
--
Guido Berhoerster
On 21.09.23 at 12:02 Petter Reinholdtsen wrote:
> [Guido Berhoerster]
>> When logging in with LightDM the first login always fails due to a
>> discrepancy between the home directory obtained from LDAP via
>> getpwent() and the newly created home directory. Specifically,
correct home directory.
If you want to test, you need to rebuild lightdm with the patch from
https://github.com/canonical/lightdm/pull/323 and change the
libpam-mklocaluser pam-config priority.
The latter is necessary for other display managers as well.
--
Guido Berhoerster
internal defaults
and create local users with UID/GID 1000 and higher.
In addition to systemd, polkitd now also uses a UID above 499, on a main
server with MATE desktop I have the following UIDs above 499:
995 polkitd
997 systemd-timesync
998 systemd-network
--
Guido Berhoerster
On Fri, 22 Sep 2023 13:57:09 +0200 Guido Berhoerster
wrote:
> In addition to systemd, polkitd now also uses a UID above 499, on a main
> server with MATE desktop I have the following UIDs above 499:
>
> 995 polkitd
> 997 systemd-timesync
> 998 systemd-network
Regardin
The changes in debian-edu-config, debian-edu-install, and pam-mklocaluser
should cover new installations, but how should upgrades be handled?
--
Guido Berhoerster
s 'root'.
>
> The problem is that subsequent to that, I saw that the MIT folks
> decided to always issue a PAC, just without the LOGON_INFO
> component. Samba doesn't do well with that, and a fix is needed both
> in this code and in winbindd to change the test from 'has a PAC' to 'has a
PAC with LOGON_INFO'.
(see https://lists.samba.org/archive/samba/2023-April/244999.html)
So if we don't want to set up an AD DC we will probably not be able to use
Kerberos authentication with our current setup.
--
Guido Berhoerster
effort to change existing
master keys. However, it is possible to upgrade them if desired.
See
https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
for details.
--
Guido Berhoerster
solely on gosa to enforce
password complexity or if we want to configure all of the above so each
one enforces the common policy on its own?
In case of the former, what about the gosa option to have the user
change his password on the next login?
--
Guido Berhoerster
n
multiple copies.
However I'm wondering why the package is set up the way it is, couldn't
we rename debian-edu-artwork to debian-edu-artwork-common, make the
theme subpackages require that and turn debian-edu-artwork into a
virtual package provided by each theme subpackage?
--
Guido Berhoerster
,
however for trixie we should reconsider the dependencies, i.e. use a
common approach where the current debian-edu-artwork is renamed to
debian-edu-artwork-common and each subpackage provides a virtual package
debian-edu-artwork and depends on debian-edu-artwork-common.
--
Guido Berhoerster
ian-edu-config/-/merge_requests/28
The fix is only applicable for unstable and cannot be backported to bookworm.
--
Guido Berhoerster
upgrade the old hook fetch-ldap-cert will be left behind and
lead to errors because the init script it tries to start no longer exists.
The old hook should probably be removed by a maintainer script.
--
Guido Berhoerster